Documentation

Proxedo Network Security Suite 2 Administrator Guide

12.6. Availability Checker


Copyright: © 2021 Balasys IT Security
Send your comments to support@balasys.hu

  • Preface
    • 1. Summary of contents
    • 2. Target audience and prerequisites
    • 3. Products covered in this guide
    • 4. Contact and support information
      • 4.1. Sales contact
      • 4.2. Support contact
      • 4.3. Training
    • 5. About this document
      • 5.1. Feedback
  • 1. Introduction
    • 1.1. What PNS is
    • 1.2. Who uses PNS?
  • 2. Concepts of the PNS Gateway solution
    • 2.1. Main components of the PNS Gateway solution
      • 2.1.1. PNS
      • 2.1.2. Management Server (MS)
      • 2.1.3. Transfer Agent
      • 2.1.4. Management Console (MC)
      • 2.1.5. Authentication Server (AS)
      • 2.1.6. The concept of the CF framework
        • 2.1.6.1. Content Filtering with CF
        • 2.1.6.2. Supported modules
      • 2.1.7. Virtual Private Networking (VPN) support
      • 2.1.8. Native services
      • 2.1.9. High Availability
      • 2.1.10. Operating system
      • 2.1.11. Linux groups used by components
    • 2.2. The concepts and architecture of PNS firewalls
      • 2.2.1. Access control
      • 2.2.2. Operation modes of PNS
      • 2.2.3. Proxying connections
      • 2.2.4. Traffic analysis with proxies
      • 2.2.5. Proxy customization
      • 2.2.6. Modular architecture
  • 3. Managing PNS hosts
    • 3.1. MS and MC
      • 3.1.1. Defining a new host and starting MC
    • 3.2. MC structure
      • 3.2.1. Configuration tree
        • 3.2.1.1. Site
        • 3.2.1.2. Host
        • 3.2.1.3. Component
          • 3.2.1.3.1. Adding new configuration components to host
      • 3.2.2. Main workspace
      • 3.2.3. Menu & status bars and Preferences
        • 3.2.3.1. Configuring general MC preferences
        • 3.2.3.2. Configuring PNS Class Editor preferences
        • 3.2.3.3. Configuring PNS Rules preferences
        • 3.2.3.4. Configuring MS hosts
        • 3.2.3.5. PKI menu
        • 3.2.3.6. Variables menu
          • 3.2.3.6.1. Defining variables
          • 3.2.3.6.2. Editing variables
          • 3.2.3.6.3. Deleting variables
        • 3.2.3.7. Status bar
    • 3.3. Configuration and Configuration management
      • 3.3.1. Configuration process
        • 3.3.1.1. Configuring PNS - the general process
      • 3.3.2. Configuration buttons
        • 3.3.2.1. Commit and Revert
        • 3.3.2.2. Upload current configuration
        • 3.3.2.3. Control service
        • 3.3.2.4. View and Check current configuration
        • 3.3.2.5. Files
      • 3.3.3. Committing related components
      • 3.3.4. Recording and commenting configuration changes
      • 3.3.5. Multiple access and lock management
      • 3.3.6. Status indicator icons
        • 3.3.6.1. Site-level indicators
        • 3.3.6.2. Host and cluster-level indicators
          • Transfer and Monitor connection
          • Key distribution
          • Configuration
        • 3.3.6.3. Component-level status indicators
      • 3.3.7. Copy, paste and multiple select in MC
      • 3.3.8. Links and variables
      • 3.3.9. Disabling rules and objects
      • 3.3.10. Filtering list entries
    • 3.4. Viewing PNS logs
      • 3.4.1. The command bar of the log viewer
  • 4. Registering new hosts
    • 4.1. Bootstrap a new host
    • 4.2. Reconnecting to a host
      • 4.2.1. Reconnecting MS to a host
  • 5. Networking, routing, and name resolution
    • 5.1. Configuring networking interfaces
      • 5.1.1. General interface configuration
        • 5.1.1.1. Configuring a new interface
        • 5.1.1.2. Dynamic interfaces
      • 5.1.2. Configuring virtual networks and alias interfaces
        • 5.1.2.1. Creating a VLAN interface
        • 5.1.2.2. Creating an alias interface
      • 5.1.3. Configuring bond interfaces
      • 5.1.4. Configuring bridge interfaces
      • 5.1.5. Interface options and activation scripts
        • 5.1.5.1. Configuring interface activation scripts
          • 5.1.5.1.1. Creating interface activation scripts
        • 5.1.5.2. Interface groups
          • 5.1.5.2.1. Creating interface groups
        • 5.1.5.3. Other interface options
          • 5.1.5.3.1. Configuring interface parameters
      • 5.1.6. Interface status and statistics
        • 5.1.6.6.
    • 5.2. Managing name resolution
    • 5.3. Managing client-side name resolution
      • 5.3.1. Configure name resolution
    • 5.4. The routing editor
      • 5.4.1. Routes
      • 5.4.2. Sorting, filtering, and disabling routes
        • 5.4.2.1. Filtering routes
      • 5.4.3. Managing the routing tables locally
  • 6. Managing network traffic with PNS
    • 6.1. Understanding Application-level Gateway policies
    • 6.2. Zones
      • 6.2.1. Managing zones with MC
      • 6.2.2. Creating new zones
      • 6.2.3. Zone hierarchies
        • 6.2.3.1. Organizing zones into a hierarchy
      • 6.2.4. Using hostnames in zones
      • 6.2.5. Finding zones
      • 6.2.6. Exporting zones
      • 6.2.7. Importing zones
      • 6.2.8. Deleting a zone or more zones simultaneously
    • 6.3. Application-level Gateway instances
      • 6.3.1. Understanding Application-level Gateway instances
      • 6.3.2. Managing Application-level Gateway instances
      • 6.3.3. Creating a new instance
      • 6.3.4. Configuring instances
      • 6.3.5. Instance parameters — general
      • 6.3.6. Instance parameters — logging
      • 6.3.7. Instance parameters — Rights
      • 6.3.8. Instance parameters — miscellaneous
      • 6.3.9. Increasing the number of running processes
    • 6.4. Application-level Gateway services
      • 6.4.1. Creating a new service
      • 6.4.2. Creating a new packet filtering Service (PFService)
      • 6.4.3. Creating a new DenyService
      • 6.4.4. Creating a new DetectorService
      • 6.4.5. Routing — selecting routers and chainers
        • 6.4.5.1. Setting routers and chainers for a service
        • 6.4.5.2. TransparentRouter
          • Use client address as source
          • Target address overridable by the proxy
          • Modify target port
          • Modify source port
        • 6.4.5.3. DirectedRouter
          • Use client address as source
          • Target address overridable by the proxy
          • Modify source port
        • 6.4.5.4. InbandRouter
          • Use client address as source
          • Modify source port
        • 6.4.5.5. ConnectChainer
          • Connection timeout
          • Protocol action
        • 6.4.5.6. FailoverChainer
          • Keep availability state for
          • Connection timeout
          • Protocol action
        • 6.4.5.7. RoundRobinChainer
          • Keep availability state for
          • Connection timeout
          • Protocol action
        • 6.4.5.8. SidestackChainer
          • Side-stacked proxy
          • Final chainer
        • 6.4.5.9. AvailabilityChainer
        • 6.4.5.10. RoundRobinAvailabilityChainer
    • 6.5. Configuring firewall rules
      • 6.5.1. Understanding Application-level Gateway firewall rules
        • 6.5.1.1. Evaluating firewall rules
      • 6.5.2. Transparent and non-transparent traffic
      • 6.5.3. Finding firewall rules
      • 6.5.4. Creating firewall rules
      • 6.5.5. Tagging firewall rules
      • 6.5.6. Configuring nontransparent rules with inband destination selection
      • 6.5.7. Connection rate limiting
    • 6.6. Proxy classes
      • 6.6.1. Customizing proxies
        • 6.6.1.1. Derive a new proxy class
        • 6.6.1.2. Customizing proxy attributes
        • 6.6.1.3. Customized proxies and the services
      • 6.6.2. Renaming and editing proxy classes
      • 6.6.3. Analyzing embedded traffic
        • 6.6.3.1. Stack proxies
    • 6.7. Policies
      • 6.7.1. Creating and managing policies
      • 6.7.2. Detector policies
      • 6.7.3. Encryption policies
        • 6.7.3.1. Understanding Encryption policies
      • 6.7.4. GeoIP policies
      • 6.7.5. GeoLocationLimit
      • 6.7.6. GeoPacketLimit
      • 6.7.7. Limit policies
      • 6.7.8. PacketLimit
      • 6.7.9. Matcher policies
        • 6.7.9.1. Matching domain names with DNSMatcher
        • 6.7.9.2. WindowsUpdateMatcher
        • 6.7.9.3. RegexpMatcher
        • 6.7.9.4. RegexpFileMatcher
        • 6.7.9.5. Verifying e-mail addresses with the SmtpInvalidMatcher
        • 6.7.9.6. Making complex decisions with the CombineMatcher
        • 6.7.9.7. Using matcher classes in proxy classes
      • 6.7.10. NAT policies
        • 6.7.10.1. Configuring NAT in Application-level Gateway
          • 6.7.10.1.1. Configuring NAT
        • 6.7.10.2. Types of NAT policies
        • 6.7.10.3. NAT and services
        • 6.7.10.4. NAT and other policy objects
      • 6.7.11. Resolver policies
      • 6.7.12. Stacking providers
    • 6.8. Monitoring active connections
    • 6.9. Traffic reports
      • 6.9.1. Configuring PNS reporting
  • 7. Logging with syslog-ng
    • 7.1. Introduction to syslog-ng
      • 7.1.1. Global options
      • 7.1.2. Sources
      • 7.1.3. Destinations
      • 7.1.4. Filters
    • 7.2. Configuring syslog-ng with MC
      • 7.2.1. Configure syslog-ng
      • 7.2.2. Configuring syslog-ng components through MC
        • 7.2.2.1. Configuring global options
          • 7.2.2.1.1. Set global options
        • 7.2.2.2. Configuring sources
          • 7.2.2.2.1. Create sources
          • 7.2.2.2.2. Create drivers
        • 7.2.2.3. Configuring destinations
        • 7.2.2.4. Configuring filters
          • 7.2.2.4.1. Set filters
        • 7.2.2.5. Configuring routers
          • 7.2.2.5.1. Configure routers
      • 7.2.3. Configuring TLS-encrypted logging
  • 8. The Text editor plugin
    • 8.1. Using the Text editor plugin
      • 8.1.1. Configure services with the Text editor plugin
      • 8.1.2. Use the additional features of Text editor plugin
  • 9. Native services
    • 9.1. BIND
      • 9.1.1. BIND operation modes
      • 9.1.2. Configuring BIND with MC
        • 9.1.2.1. Configuring BIND with MC
      • 9.1.3. Setting up split-DNS configuration
    • 9.2. NTP
      • 9.2.1. Configuring NTP with MC
      • 9.2.2. Status and statistics
    • 9.3. Postfix
      • 9.3.1. Configuring Postfix with MC
        • 9.3.1.1. Configuring Postfix with MC
    • 9.4. Local services on PNS
      • 9.4.1. Enabling access to local services
  • 10. Local firewall administration
    • 10.1. GNU/Linux
    • 10.2. Login to the firewall
    • 10.3. Editing configuration files
    • 10.4. Network configuration
    • 10.5. System logging
    • 10.6. NTP
    • 10.7. BIND
    • 10.8. Updating and upgrading your PNS hosts
    • 10.9. Packet filter
    • 10.10. PNS configuration
      • 10.10.1. Policy.py and instances.conf
        • 10.10.1.1. Edit the Policy.py file
      • 10.10.2. Application-level Gateway control
    • 10.11. Managing core dump files
  • 11. Key and certificate management in PNS
    • 11.1. Cryptography basics
      • 11.1.1. Symmetric and asymmetric encryption
        • 11.1.1.1. Symmetric encryption
        • 11.1.1.2. Asymmetric encryption
        • 11.1.1.3. Authentication and public key algorithms
          • Web of trust and centralized PKI
        • 11.1.1.4. Usage of encryption algorithms for secure communication
          • 11.1.1.4.1. Procedure of encrypted communication and authentication
        • 11.1.1.5. Hashing
        • 11.1.1.6. Digital signature
    • 11.2. PKI Basics
      • 11.2.1. Centralized PKI system
        • 11.2.1.1. CA chains and Root CAs
      • 11.2.2. Digital certificates
      • 11.2.3. Creating and managing certificates
        • 11.2.3.1. Creating a certificate
      • 11.2.4. Verifying the validity of certificates
      • 11.2.5. Verification of certificate revocation state
        • 11.2.5.1. Certificate Revocation List - CRLs
        • 11.2.5.2. Online Certificate Status Protocol (OCSP) stapling
      • 11.2.6. Authentication with certificates
      • 11.2.7. Digital encryption in work
      • 11.2.8. Storing certificates and keys
      • 11.2.9. Using Hardware Security modules
    • 11.3. PKI in MS
      • 11.3.1. Committing changes and locking in PKI
      • 11.3.2. The certificate entity
      • 11.3.3. Rules of distribution and owner hosts
      • 11.3.4. Trusted groups
      • 11.3.5. The PKI menu
        • 11.3.5.1. Site Preferences
        • 11.3.5.2. Distribution of certificates
        • 11.3.5.3. The Edit Certificates menu
      • 11.3.6. PKI management
        • 11.3.6.1. The command bar of PKI management
      • 11.3.7. Trusted CAs
        • 11.3.7.1. The command bar of Trusted CAs
        • 11.3.7.2. Creating a new CA
        • 11.3.7.3. Managing trusted groups
        • 11.3.7.4. Signing CA certificates with external CAs
      • 11.3.8. Managing certificates
        • 11.3.8.1. The Certificates command bar
        • 11.3.8.2. Creating certificates
        • 11.3.8.3. Revoking a certificate
        • 11.3.8.4. Deleting certificates
        • 11.3.8.5. Exporting certificates
        • 11.3.8.6. Importing certificates
        • 11.3.8.7. Signing your certificates with external CAs
        • 11.3.8.8. Importing certificates with external private key
        • 11.3.8.9. Monitoring licenses and certificates
  • 12. Clusters and high availability
    • 12.1. Introduction to clustering
    • 12.2. Clustering solutions
      • 12.2.1. Fail-Over clusters
        • 12.2.1.1. Service IP transferring
        • 12.2.1.2. IP with MAC address takeover
        • 12.2.1.3. Sending RIP messages
      • 12.2.2. Load balance clusters
        • 12.2.2.1. DNS load balancing
        • 12.2.2.2. Load balancing with external devices
        • 12.2.2.3. Multicast load balancing
    • 12.3. Managing clusters with MS
    • 12.4. Creating clusters
      • 12.4.1. Creating a new cluster (bootstrapping a cluster)
      • 12.4.2. Adding new properties to clusters
      • 12.4.3. Adding a new node to a PNS cluster
      • 12.4.4. Converting a host to a cluster
    • 12.5. Keepalived for High Availability
      • 12.5.1. Functionality of Keepalived
      • 12.5.2. Prerequisites for configuring Keepalived
      • 12.5.3. Configuring Keepalived
        • 12.5.3.1. Configure Keepalived
      • 12.5.4. Configuration examples and best practices for Keepalived configuration
        • 12.5.4.1. Simple Cluster with 2 nodes
        • 12.5.4.2. Testing or Pilot node
        • 12.5.4.3. Multiple backup nodes
        • 12.5.4.4. Multiple VRRP groups in the same cluster
        • 12.5.4.5. Managing individual OpenVPN tunnels
    • 12.6. Availability Checker
      • 12.6.1. Prerequisites for configuring the Availability Checker plugin
      • 12.6.2.
        • 12.6.2.1. Configuring the Availability Checker
  • 13. Advanced MS and Agent configuration
    • 13.1. Setting configuration parameters
      • 13.1.1. Configuring user authentication and privileges
        • 13.1.1.1. Adding new users to MS
        • 13.1.1.2. Deleting users from MS
        • 13.1.1.3. Changing passwords in MS
        • 13.1.1.4. Configuring user privileges in MS
          • 13.1.1.4.1. Editing user privileges in MS
        • 13.1.1.5. Configuring authentication settings in MS
          • 13.1.1.5.1. Modifying authentication settings
      • 13.1.2. Configuring backup
        • 13.1.2.1. Configuring automatic MS database backups
        • 13.1.2.2. Restoring a MS database backup
      • 13.1.3. Configuring the connection between MS and MC
        • 13.1.3.1. Configuring the bind address and the port for MS-MC connections
      • 13.1.4. Configuring MS and agent connections
      • 13.1.5. Configuring MS database save
      • 13.1.6. Setting configuration check
      • 13.1.7. Configuring CRL update settings
      • 13.1.8. Set logging level
      • 13.1.9. Configuring SSL handshake parameters
    • 13.2. Setting agent configuration parameters
      • 13.2.1. Configuring connections for agents
      • 13.2.2. Configuring connection to engine
      • 13.2.3. Configuring logging for agents
      • 13.2.4. Configuring SSL handshake parameters for agents
    • 13.3. Managing connections
      • 13.3.1. Setting up initial connection with management agents
      • 13.3.2. Configuring connection with agents
      • 13.3.3. Administering connections
      • 13.3.4. Configuring recovery connections
    • 13.4. Handling XML databases
  • 14. Virus and content filtering using CF
    • 14.1. Content Filtering basics
      • 14.1.1. Quarantining
    • 14.2. Content Filtering with CF
      • 14.2.1. Creating module instances
        • 14.2.1.1. Creating a new module instance
        • 14.2.1.2. CF modules
          • The clamav module
          • The HTML module
          • The NOD32 module
          • The mail header filtering (mail-hdr) module
          • The mime module
          • The program module
          • The stream editor (sed) module
          • The spamassassin module
          • The ModSecurity module
      • 14.2.2. Creating scanpaths
        • 14.2.2.1. Creating a new scanpath
        • 14.2.2.2. Scanpath options
          • Quarantine and oversized file options
          • Configuring trickle mode
          • Automatic decompression and error handling
      • 14.2.3. Routers and rule groups
        • 14.2.3.1. Creating and configuring routers
        • 14.2.3.2. Router actions and conditions
      • 14.2.4. Configuring PNS proxies to use CF
        • 14.2.4.1. Configuring communication between PNS proxies and CF
      • 14.2.5. Managing CF performance and resource use
        • 14.2.5.1. Logging in CF
        • 14.2.5.2. Memory and disk usage of CF
    • 14.3. Quarantine management in MC
      • 14.3.1. Information stored about quarantined objects
      • 14.3.2. Configuring quarantine cleanup
  • 15. Connection authentication and authorization
    • 15.1. Authentication and authorization basics
      • 15.1.1. Inband authentication
      • 15.1.2. Outband authentication
        • 15.1.2.1. Outband authentication using the Authentication Agent
    • 15.2. The concept of AS
      • 15.2.1. Supported backends and authentication methods
    • 15.3. Authenticating connections with AS
      • 15.3.1. Configuring AS
        • 15.3.1.1. Configuring backends
          • 15.3.1.1.1. Creating a new instance
          • The AS_db backend
          • The htpass backend
          • The Pluggable authentication module (PAM) backend
          • The RADIUS backend
        • 15.3.1.2. Configuring routers
      • 15.3.2. Authentication of PNS services with AS
        • 15.3.2.1. Configuring communication between PNS and AS
        • 15.3.2.2. Configuring PNS Authentication policies
      • 15.3.3. Authorization of PNS services
        • 15.3.3.1. Configuring authorization policies
        • 15.3.3.2. Authorization models of PNS
          • BasicAccessList
          • NEyes authorization
          • Pair authorization
          • PermitGroup
          • PermitUser
          • PermitTime
      • 15.3.4. Configuring the Authentication Agent
    • 15.4. Logging in AS
  • 16. Virtual Private Networks
    • 16.1. Virtual Private Networking basics
      • 16.1.1. Types of VPN
      • 16.1.2. VPN topologies
      • 16.1.3. The IPSec protocol
      • 16.1.4. The OpenVPN protocol
    • 16.2. Using VPN connections
      • 16.2.1. Using VPN connections
    • 16.3. Configuring IPSec connections
      • 16.3.1. Configuring IPSec connections
      • 16.3.2. IPSec options
      • 16.3.3. Global IPSec options
    • 16.4. Configuring SSL (OpenVPN) connections
      • 16.4.1. Configuring SSL connections
      • 16.4.2. SSL options
        • 16.4.2.1. Configuring the VPN management daemon
        • 16.4.2.2. Push options
          • The Redirect gateway option
  • 17. Integrating PNS to external monitoring systems
    • 17.1. Monitoring PNS with Munin
    • 17.2. Installing a Munin server on a MS host
    • 17.3. Monitoring PNS with Nagios
  • Appendix A. Keyboard shortcuts in Management Console
    • A.1. Function keys
    • A.2. Shortcuts
    • A.3. Access keys
  • Appendix B. Further readings
    • B.1. PNS-related material
    • B.2. General, Linux-related materials
    • B.3. Postfix documentation
    • B.4. BIND Documentation
    • B.5. NTP references
    • B.6. SSH resources
    • B.7. OpenSSL resources
    • B.8. TCP/IP Networking
    • B.9. Netfilter/nftables
    • B.10. General security-related resources
    • B.11. syslog-ng references
    • B.12. Python references
    • B.13. Public key infrastructure (PKI)
    • B.14. Virtual Private Networks (VPN)
  • Appendix C. Proxedo Network Security Suite End-User License Agreement
    • C.1. 1. SUBJECT OF THE LICENSE CONTRACT
    • C.2. 2. DEFINITIONS
    • C.3. 3. LICENSE GRANTS AND RESTRICTIONS
    • C.4. 4. SUBSIDIARIES
    • C.5. 5. INTELLECTUAL PROPERTY RIGHTS
    • C.6. 6. TRADE MARKS
    • C.7. 7. NEGLIGENT INFRINGEMENT
    • C.8. 8. INTELLECTUAL PROPERTY INDEMNIFICATION
    • C.9. 9. LICENSE FEE
    • C.10. 10. WARRANTIES
    • C.11. 11. DISCLAIMER OF WARRANTIES
    • C.12. 12. LIMITATION OF LIABILITY
    • C.13. 13. DURATION AND TERMINATION
    • C.14. 14. AMENDMENTS
    • C.15. 15. WAIVER
    • C.16. 16. SEVERABILITY
    • C.17. 17. NOTICES
    • C.18. 18. MISCELLANEOUS
  • Appendix D. Creative Commons Attribution Non-commercial No Derivatives (by-nc-nd) License