A Screen object, which is created or modified through the configuration editor or the Administration GUI, maintains information about each Screen in the network and the relationships between the Screens.
The Screen object allows for an optional description of 256 characters or less in the comment field. It is also possible to edit:
Miscellaneous Screen parameters
SNMP information
HA and CMG parameters
Mail Proxy configuration
SunScreen Install automatically creates a local Screen object and gives it a name based on the output of uname -n. Additional Screen objects must be created when setting up a High Availability (HA) cluster or a Centralized Management Group (CMG).
The Screen named * is created by default and cannot be modified in any way. This name is reserved and is used to indicate any Screen when an object or rule requires a Screen name to be specified.
There are various flags that can be set within a Screen object when you use the configuration editor. These flags indicate:
Whether or not Destination Address Checking is enabled (DEST_CHECK)
If the Screen will allow or deny routing traffic (RIP)
Which naming services it will use (DNS, NIS or none)
Whether the Screen uses SKIP certificate discovery protocol (CDP)
Destination address checking examines the destination IP address of each packet leaving a Screen. The packet is allowed out only if its destination IP address is among the valid addresses defined for the interface it would leave on. Those addresses are defined by listing them in the valid addresses for an interface. See "Interface Object" for a discussion of valid addresses. Destination address checking protects against sending packets out on the wrong interface, for example a packet for an internal address leaving through the external interface.
Destination address checking is an attribute of the Screen object. You enable or disable it Screen-wide. You can't enable it on only some interfaces.
The size of the log file (LOGSIZE) is an optional parameter which is specified in megabytes. If no size is specified, the default size is 100 MB.
If the Screen is configured in stealth mode, the network that it partitions and the netmask must be specified. In the configuration editor this is accomplished using the STEALTH_NET #.#.#.# #.#.#.# keyword, where the first #.#.#.# is the network address and the second #.#.#.# is the netmask. In the administration GUI, these parameters are the Stealth Net Address and Stealth Netmask, respectively, in the Miscellaneous tab of the Screen object.
To issue SNMP traps, you must specify a list of SNMP receivers and their respective IP addresses. The SNMP timed status indicator can also be enabled by setting the SNMP timer interval in minutes. These parameters are set in the configuration editor with the SNMP and SNMP_TIMER keywords, or in the administration GUI under the SNMP tab of the Screen object.
The following SNMP traps are supported:
An action on a packet that matches a particular rule
A default drop action on an interface
Time status indicator traps
The first two types include the following data:
interface - The SunScreen network interface number on which the packet was received.
interfaceName - The SunScreen network interface name on which the packet was received.
errorReason - The reason the alert was generated. (See the sunscreen.mib file for a complete list of reasons.)
packetLength - The actual length of the packet in bytes.
lengthLogged - The length of the data logged in bytes.
packetData - The packet data.
The SNMP timed status indicator trap uses the same receivers database as the other types of SNMP traps. There is only one database, with a maximum of five receivers. These receivers are specified as a variable of the Screen object.
The following data are in the SNMP timed status indicator. These data cannot be modified and new data cannot be added:
cpuUsage - Average CPU usage, as a percentage
memoryAvail - Current swap space available, in kilobytes
swapIn - Current swap ins
swapOut - Current swap outs
scanRate - Current scan rate
tcpUsage - Current number of TCP connections in the SunScreen state table
ipUsage - Current number of IP connections in the SunScreen state table
udpUsage - Current number of UDP connections in the SunScreen state table
rootUsage - Disk usage of the root partition, /
varUsage - Disk usage of the var partition, /var
etcUsage - Disk usage of the etc partition, /etc
tmpUsage - Disk usage at the tmp partition, /tmp
Only these SNMP traps are supported. No get or set operations are supported.
If you want the Screen to use the SNMP timed status indicator, you must set the SNMP_TIMER keyword to a time value in minutes, and you must already have defined the SNMP receivers. If SNMP_TIMER is not set, the timed status indicator is not enabled.
SunScreen 3.2 supports four syntaxes for the STEALTH_NET range:
STEALTH_NET a.b.c.d e.f.g.h
STEALTH_NET a.b.c.d - e.f.g.h (same as above, spaces optional around '-')
STEALTH_NET a.b.c.d/m.n.o.p (m.n.o.p is the network+subnet mask)
STEALTH_NET a.b.c.d/# (# is CIDR, number of network+subnet bits)
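The following is an added example, not code from the SunScreen product or its documentation. It models two rules described on this page: it normalises the four STEALTH_NET range syntaxes above into one network object (rejecting a network address with host bits set and a non-contiguous mask, as a firewall configuration should), and it models Screen-wide destination address checking (DEST_CHECK) over constructed interface valid-address lists. The interface names (qe0, qe1), the Screen name and the address ranges are constructed for the example; the Interface and Screen classes are a simplification and do not reflect SunScreen's internal representation.

```python
import ipaddress
import re
from dataclasses import dataclass, field

# Illustrative model of two Screen-object rules, not SunScreen's own code:
# (1) the four STEALTH_NET range syntaxes normalised to one network object, and
# (2) Screen-wide destination address checking (DEST_CHECK).

# address, then '-', '/' or whitespace, then a dotted mask or a prefix length
_RANGE_RE = re.compile(r"(\d{1,3}(?:\.\d{1,3}){3})\s*(?:[-/]|\s)\s*(\S+)")


def parse_stealth_net(text):
    """Normalise any of the four STEALTH_NET forms to an IPv4Network.

    'a.b.c.d e.f.g.h' and 'a.b.c.d - e.f.g.h' (e.f.g.h is the netmask),
    'a.b.c.d/m.n.o.p' (dotted mask) and 'a.b.c.d/#' (CIDR prefix length).
    A leading STEALTH_NET keyword is accepted and ignored.
    """
    body = text.strip()
    if body.upper().startswith("STEALTH_NET"):
        body = body[len("STEALTH_NET"):].strip()
    m = _RANGE_RE.fullmatch(body)
    if m is None:
        raise ValueError(f"unrecognised STEALTH_NET range: {text!r}")
    network, mask = m.groups()
    # ipaddress accepts both a dotted mask and a prefix length after '/'.
    # strict=True rejects a network address with host bits set (a host address
    # typed where the network was meant) instead of silently masking it off;
    # a non-contiguous mask such as 255.0.255.0 is rejected as well.
    return ipaddress.IPv4Network(f"{network}/{mask}", strict=True)


def stealth_net_error(text):
    """Return None if text is an acceptable STEALTH_NET range, else the error message."""
    try:
        parse_stealth_net(text)
        return None
    except ValueError as exc:
        return str(exc)


@dataclass
class Interface:
    name: str
    valid_addresses: list = field(default_factory=list)   # IPv4Network objects


@dataclass
class Screen:
    name: str
    dest_check: bool                      # the DEST_CHECK flag is Screen-wide
    interfaces: dict = field(default_factory=dict)

    def egress_allowed(self, iface_name, dst):
        """Model of DEST_CHECK: with the flag set, a packet may leave an interface
        only if its destination lies within that interface's valid addresses."""
        if not self.dest_check:
            return True
        iface = self.interfaces[iface_name]
        addr = ipaddress.IPv4Address(dst)
        return any(addr in net for net in iface.valid_addresses)


def build_sample_screen(dest_check=True):
    """Constructed sample Screen: an inside (qe0) and an outside (qe1) interface."""
    inside = Interface("qe0", [parse_stealth_net("STEALTH_NET 192.168.10.0 255.255.255.0")])
    outside = Interface("qe1", [parse_stealth_net("198.51.100.0/24")])
    return Screen("fw1", dest_check, {"qe0": inside, "qe1": outside})


if __name__ == "__main__":
    for form in ("STEALTH_NET 192.168.10.0 255.255.255.0",
                 "STEALTH_NET 192.168.10.0 - 255.255.255.0",
                 "STEALTH_NET 192.168.10.0/255.255.255.0",
                 "STEALTH_NET 192.168.10.0/24"):
        print(f"{form:45} -> {parse_stealth_net(form)}")
    print("host bits set:", stealth_net_error("STEALTH_NET 192.168.10.5/24"))
    fw = build_sample_screen()
    # With DEST_CHECK on, a packet for the outside network may not leave qe0.
    print(fw.egress_allowed("qe0", "192.168.10.7"), fw.egress_allowed("qe0", "198.51.100.9"))
```

Because DEST_CHECK is an attribute of the Screen rather than of an interface, the model keeps the flag on the Screen object and consults it before looking at any interface; building the Screen with dest_check=False shows that no per-interface override exists.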
When a Screen is part of a High Availability (HA) cluster or Centralized Management Group (CMG), it is classified as either a Primary or a Secondary Screen. Primary and Secondary are defined as follows:
Primary - One of the Screens in the collection must be the primary Screen, and all other Screens are Secondary. The primary Screen is used for all administration: it holds the configuration data and is responsible for communicating with the Secondary Screens in order to update their policies.
Secondary - A Secondary Screen receives all its policy information from the primary Screen. A Secondary Screen must indicate the name of the primary Screen in its Screen object. This name is specified with the MASTER keyword in the configuration editor or the Primary Name field under the Primary/Secondary tab in the administrative GUI.
The primary Screen object has no Primary name specified, but is recognized as the primary Screen if its name appears in the Primary Name field of at least one other Screen.
If the Screen is part of a centralized management group or is administered remotely, you must specify the following fields:
ADMIN_IP - An IP address that can be used to communicate with the Screen for administrative traffic. You specify it as an IP address in the form #.#.#.#.
ADMIN_CERTIFICATE - The name of the certificate that can be used to secure administrative traffic to the Screen
KEY, DATA, MAC, and COMPRESSION - The SKIP algorithms that control how data are encrypted between the Screens in the administrative group
TUNNEL - (Optional) This field specifies if tunneling is being used. It is the name of an address object.
If IKE is used to protect these data communications, you must also specify the following fields:
IKE ("name of Certificate", "name of Algorithm", "name of Algorithm", "name of Algorithm") - The name of a certificate that can be used to secure administrative traffic to the Screen when using the IPsec/IKE protocol. IKE is used if both IKE and SKIP are specified.
ESP ("name of Algorithm", "name of Algorithm") - The ESP encryption and authentication algorithms for administrative traffic
AH ("name of Algorithm") - The AH authentication algorithm for administrative traffic
If the Screen is part of an HA cluster, the HA_PRIMARY or HA_SECONDARY options must be specified in the configuration editor. This can also be accomplished in the administrative GUI using the High Availability field of the Primary/Secondary tab.
If the Screen is specified as the HA Primary, the High Availability IP Address (HA_IP #.#.#.#) and Ethernet Address (HA_ETHER #:#:#:#:#:#) must also be specified.
If the Screen is specified as an HA Secondary, the primary Screen name (MASTER) and High Availability IP Address (HA_IP #.#.#.#) must also be specified.
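The following is an added consistency check, not a SunScreen tool, over the Primary/Secondary, CMG and HA rules described above. Each Screen object is represented as a dictionary of the configuration-editor keywords named on this page (MASTER, ADMIN_IP, ADMIN_CERTIFICATE, IKE, HA_IP, HA_ETHER); the HA role is recorded under a hypothetical "HA" key holding HA_PRIMARY or HA_SECONDARY, and the sample configurations are constructed for the example. The check assumes that a Screen in a MASTER relationship without an HA role is a CMG member and therefore needs the administrative-traffic fields; the page states that requirement for CMG members and remotely administered Screens, not for HA clusters.

```python
import ipaddress
import re

# Illustrative consistency check over a set of Screen objects, not SunScreen's
# own validator. A Screen is {KEYWORD: value}; the HA role is kept under the
# hypothetical key "HA" as "HA_PRIMARY" or "HA_SECONDARY".
_ETHER_RE = re.compile(r"^([0-9A-Fa-f]{1,2}:){5}[0-9A-Fa-f]{1,2}$")   # #:#:#:#:#:#


def _valid_ip(value):
    try:
        ipaddress.IPv4Address(value)
        return True
    except ValueError:
        return False


def check_screens(screens):
    """Return a list of problems found in {screen_name: {KEYWORD: value}};
    an empty list means the set of Screen objects is consistent."""
    problems = []
    referenced_as_master = {s["MASTER"] for s in screens.values() if s.get("MASTER")}

    if "*" in screens:
        problems.append("'*' is reserved (it means any Screen) and cannot be defined or modified")

    for name, s in screens.items():
        if name == "*":
            continue
        master = s.get("MASTER")
        if master is not None:
            if master == name:
                problems.append(f"{name}: MASTER must name a different Screen")
            elif master not in screens:
                problems.append(f"{name}: MASTER {master!r} is not a defined Screen")
        # The primary has no Primary name of its own; it is recognised by being named.
        if master is not None and name in referenced_as_master:
            problems.append(f"{name}: named as primary by another Screen but also has MASTER set")

        role = s.get("HA")
        if role == "HA_PRIMARY":
            for kw in ("HA_IP", "HA_ETHER"):
                if kw not in s:
                    problems.append(f"{name}: HA primary requires {kw}")
        elif role == "HA_SECONDARY":
            for kw in ("MASTER", "HA_IP"):
                if kw not in s:
                    problems.append(f"{name}: HA secondary requires {kw}")
        elif role is not None:
            problems.append(f"{name}: HA must be HA_PRIMARY or HA_SECONDARY, not {role!r}")

        # Assumption: a MASTER relationship without an HA role means CMG membership,
        # so the administrative-traffic fields are required.
        in_group = master is not None or name in referenced_as_master
        if in_group and role is None:
            if "ADMIN_IP" not in s:
                problems.append(f"{name}: CMG member without ADMIN_IP")
            if "ADMIN_CERTIFICATE" not in s and "IKE" not in s:
                problems.append(f"{name}: needs ADMIN_CERTIFICATE (SKIP) or IKE for administrative traffic")

        for kw in ("ADMIN_IP", "HA_IP"):
            if kw in s and not _valid_ip(s[kw]):
                problems.append(f"{name}: {kw} {s[kw]!r} is not a valid IPv4 address")
        if "HA_ETHER" in s and not _ETHER_RE.match(s["HA_ETHER"]):
            problems.append(f"{name}: HA_ETHER {s['HA_ETHER']!r} is not of the form #:#:#:#:#:#")
    return problems


# Constructed sample configurations (names and addresses are made up).
SAMPLE_OK = {
    "fw-hq": {"ADMIN_IP": "192.0.2.10", "ADMIN_CERTIFICATE": "fw-hq.cert"},
    "fw-branch": {"MASTER": "fw-hq", "ADMIN_IP": "198.51.100.5", "IKE": "fw-branch.cert"},
    "ha-a": {"HA": "HA_PRIMARY", "HA_IP": "10.0.0.1", "HA_ETHER": "8:0:20:ab:cd:ef"},
    "ha-b": {"HA": "HA_SECONDARY", "MASTER": "ha-a", "HA_IP": "10.0.0.2"},
}
SAMPLE_BAD = {
    "fw-hq": {"ADMIN_IP": "192.0.2.10", "ADMIN_CERTIFICATE": "fw-hq.cert"},
    "fw-branch": {"MASTER": "fw-main", "ADMIN_IP": "198.51.100.5"},   # unknown primary, no certificate
    "ha-a": {"HA": "HA_PRIMARY", "HA_IP": "10.0.0.1"},                # HA_ETHER missing
    "ha-b": {"HA": "HA_SECONDARY", "HA_IP": "10.0.0.300"},            # MASTER missing, bad HA_IP
}

if __name__ == "__main__":
    print("ok config  :", check_screens(SAMPLE_OK))
    for p in check_screens(SAMPLE_BAD):
        print("bad config :", p)
```

Run the check before committing a configuration from the primary: the secondaries only ever receive what the primary pushes, so an undefined MASTER name or a missing HA_IP is found most cheaply here rather than after activation.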
In the administrative GUI, it is possible to modify the mail proxy spam restrictors in the Mail Proxy tab of the Screen Object window. Note, however, that manipulating this information in the configuration editor is not done through the Screen object, but through the mail_spam subcommand of ssadm edit. For more information about the Mail Proxy, see "SMTP Proxy Operation".