4.1.2. Procedure – Configuring the pns-common package

Purpose: 

If you are installing CF, configure the vavupdate tool, which updates the databases of the virus filtering engines.

Steps: 

  1. HTTP proxy: The vavupdate application can download database updates through HTTP. Type the URL of the HTTP proxy to be used (or leave blank if the updates can be downloaded directly without using a proxy server).

    Figure 4.3. Configuring pns-common - Configuring the HTTP proxy for database updates

  2. Send update logs in email: vavupdate can send the logs of the periodic antivirus (AV) update to the administrator through email. Type the address of the administrator and the subject to be used in these emails. If you do not want email notifications, leave it blank.

    Figure 4.4. Configuring pns-common - Specifying the administrator's email address

    Note

    It is not advised to use a personal email address. Instead, use the address of a shared folder that is accessible to everyone it concerns. It can also be the address of a mailing list. In this way, more than one administrator can be notified at the same time, and the archive of the messages can be accessed by more than one administrator.

  3. Specifying email prefix: vavupdate can add a prefix to the subject of the emails it sends to make sorting the messages easier for the administrator. Type a prefix (for example, the name of the host in square brackets), or leave these fields blank. You can use command substitution with backticks (`) to include the output of any Linux shell command in the subject. The command is run before the email is sent, and its output becomes the prefix of the email.

    Note

    This setting can only be changed manually later. Therefore, make sure that you enter a value that you will not want to change.

    As a best practice, use a command rather than a fixed name. A command dynamically follows the changes to your infrastructure, whereas a fixed name does not. For example, if you use the name of the host myhost1 and later rename your host to myhost2, you will still receive emails with the myhost1 prefix, which can be confusing.

    Figure 4.5. Configuring pns-common - Specifying a prefix for the administrator's email messages

    In practice, the prefix can be used in your mail client (or on the mail server) to move these emails automatically to a subfolder of the inbox. It can also be used to differentiate between emails originating from several firewalls. This is especially useful if, for example, you have several firewalls and you want to easily identify the firewall that had an unsuccessful update.

    Example 4.1. 

    For example, if you use hostname --long as prefix, you can later determine the exact origin of the message from the prefix, because it will display the Fully Qualified Domain Name (FQDN) of the host.
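
    A way to preview what a prefix expands to before typing it into the dialog, as an added example that is not part of PNS or its documentation: preview_prefix is a hypothetical helper, and it assumes the template contains no double quotes. It also rejects a prefix whose command printed nothing (for instance, a host name lookup that fails) or whose output contains control characters.

```shell
#!/bin/sh
# Added example: preview a vavupdate subject prefix before entering it.
# preview_prefix is a hypothetical helper, not a PNS tool.

# Prints the expanded prefix; returns non-zero when the result would make a
# poor Subject prefix. The template is evaluated by the shell, so pass only
# text you wrote yourself.
preview_prefix() {
    template=$1

    # Run the backtick substitutions as a shell would inside double quotes.
    # (Assumption: the template contains no double quotes.)
    expanded=$(eval "printf '%s' \"$template\"" 2>/dev/null) || return 1

    # What the prefix looks like when every embedded command prints nothing.
    literal=$(printf '%s' "$template" | sed 's/`[^`]*`//g')

    # Reject an empty prefix.
    [ -n "$expanded" ] || return 1

    # Reject a prefix whose command failed or printed nothing, e.g. "[]".
    case $template in
        *'`'*) [ "$expanded" != "$literal" ] || return 1 ;;
    esac

    # Reject control characters; an embedded newline would break the header.
    clean=$(printf '%s' "$expanded" | tr -d '[:cntrl:]')
    [ "$clean" = "$expanded" ] || return 1

    printf '%s\n' "$expanded"
}

# Usage on the firewall host (single quotes keep the backticks literal):
#   preview_prefix '[`hostname --long`]'
```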

    Note

    If you want to change this setting later, you can reconfigure pns-common with the following terminal command:

    dpkg-reconfigure pns-common

  4. Verbosity level of vavupdate: Select the level of verbosity of vavupdate.

    First the vavupdate options are displayed:

    Figure 4.6. Configuring pns-common - Configuring the verbosity of vavupdate log level

    Each level includes the logs of the levels above it. For example, verbose also includes all errors and successful update messages.

    • none: Logging is disabled.

    • errors: Only error messages are logged.

    • normal: Error messages and successful updates are logged.

    • verbose: Detailed logging.

    • all: Everything is logged, including the output of the update programs of ClamAV and/or NOD32.

  5. Specify the firewall's BalaSys Support System technical account username and password to enable the firewall to access the PNS repository and to download the updates.

    Figure 4.7. Configuring pns-common - Specifying the user name for the technical user to access PNS repository

    Figure 4.8. Configuring pns-common - Specifying the technical user’s password to access PNS repository

  6. Configuring vavupdate: Specify the minutes at which the vavupdate process starts in every hour. If the necessary licenses have also been purchased for the URL filter database, the URL database is also upgraded as part of the vavupdate process. However, the URL filter database is upgraded only in the hours specified in the next step.

    Figure 4.9. Configuring vavupdate - Specifying the actual minutes for the vavupdate process to start

  7. Specify the timing for the URL filter database: Provide the hours at which the upgrade of the URL filter database takes place.

    Figure 4.10. Specifying the exact time for the upgrade

  8. Fill in this field only if it is required. (optional step)

    In specific cases, based on an agreement between Balasys and the customer, the customer has a mirror URL filtering database. The location of this mirror database can be specified here.

    In all other cases, leave this field empty.

    Figure 4.11. Configuring pns-common - Updating URL filtering database

  9. Choose the size of the URL filter database.

    At this stage, the administrator can choose the size of the URL filtering database. The database can be a smaller, optimized database (the recommended version) for usual scenarios, which requires 1 GiB storage space and 300 MiB daily update traffic, or a normal database for more extensive scenarios, which requires 6 GiB storage space and 2 GiB daily update traffic. If there are no specific needs, we recommend choosing the optimized database.

    Figure 4.12. Configuring pns-common - Selecting the size of the URL filtering database

  10. Specify the IP address of your MS/MC, depending on the role of your host:

    Figure 4.13. Specifying the IP addresses of the machines running MS/MC

    • Application-level Gateway: The IP address of the MS host used to manage the firewall.

    • Management Server: The IP address of the MC used to manage the MS host (that is, the machines from where the firewall administrators will connect to MS). If managing MS is allowed from multiple hosts, separate the IP addresses of these hosts with spaces.

    Warning

    Make sure that you type the IP addresses of the MS/MC hosts correctly.

    Otherwise, the machine will not be accessible from MS/MC. In this case, you must manually correct the configuration of nftables.