Copyright © 1996-2024 Balasys IT Zrt. (Private Limited Company)
Copyright © 2024 Balasys IT Zrt. All rights reserved. This document is protected by copyright and is distributed under licenses restricting its use, copying, distribution, and decompilation. No part of this document may be reproduced in any form by any means without prior written authorization of Balasys.
This documentation and the product it describes are considered protected by copyright according to the applicable laws.
This product includes software developed by the OpenSSL Project for use in the OpenSSL Toolkit (http://www.openssl.org/). This product includes cryptographic software written by Eric Young (eay@cryptsoft.com).
Linux™ is a registered trademark of Linus Torvalds.
Windows™ 10 is a registered trademark of Microsoft Corporation.
The Balasys™ name and the Balasys™ logo are registered trademarks of Balasys IT Zrt.
The Zorp™ name and the Zorp™ logo are registered trademarks of Balasys IT Zrt.
AMD Ryzen™ and AMD EPYC™ are registered trademarks of Advanced Micro Devices, Inc.
Intel® Core™ and Intel® Xeon™ are trademarks of Intel Corporation or its subsidiaries in the U.S. and/or other countries.
All other product names mentioned herein are the trademarks of their respective owners.
DISCLAIMER
Balasys is not responsible for any third-party websites mentioned in this document. Balasys does not endorse and is not responsible or liable for any content, advertising, products, or other material on or available from such sites or resources. Balasys will not be responsible or liable for any damage or loss caused or alleged to be caused by or in connection with use of or reliance on any such content, goods, or services that are available on or through any such sites or resources.
May 30, 2024
Table of Contents
- Preface
- Summary of changes
- 1. Introduction
- 2. Concepts of the Zorp Gateway solution
- 3. Managing Zorp hosts
- 3.1. ZMS and ZMC
- 3.2. ZMC structure
- 3.3. Configuration and Configuration management
- 3.3.1. Configuration process
- 3.3.2. Configuration buttons
- 3.3.3. Committing related components
- 3.3.4. Recording and commenting configuration changes
- 3.3.5. Multiple access and lock management
- 3.3.6. Status indicator icons
- 3.3.7. Copy, paste and multiple select in ZMC
- 3.3.8. Links and variables
- 3.3.9. Disabling rules and objects
- 3.3.10. Filtering list entries
- 3.4. Viewing Zorp logs
- 4. Registering new hosts
- 5. Networking, routing, and name resolution
- 6. Managing network traffic with Zorp
- 6.1. Understanding Zorp policies
- 6.2. Zones
- 6.3. Zorp instances
- 6.3.1. Understanding Zorp instances
- 6.3.2. Managing Zorp instances
- 6.3.3. Creating a new instance
- 6.3.4. Configuring instances
- 6.3.5. Instance parameters — general
- 6.3.6. Instance parameters — logging
- 6.3.7. Instance parameters — Rights
- 6.3.8. Instance parameters — miscellaneous
- 6.3.9. Increasing the number of running processes
- 6.4. Zorp services
- 6.5. Configuring firewall rules
- 6.6. Proxy classes
- 6.7. Policies
- 6.8. Monitoring active connections
- 6.9. Traffic reports
- 7. Logging with syslog-ng
- 8. The Text editor plugin
- 9. Native services
- 10. Local firewall administration
- 11. Key and certificate management in Zorp
- 11.1. Cryptography basics
- 11.2. PKI Basics
- 11.2.1. Centralized PKI system
- 11.2.2. Digital certificates
- 11.2.3. Creating and managing certificates
- 11.2.4. Verifying the validity of certificates
- 11.2.5. Verification of certificate revocation state
- 11.2.6. Authentication with certificates
- 11.2.7. Digital encryption in work
- 11.2.8. Storing certificates and keys
- 11.3. PKI in ZMS
- 12. Clusters and high availability
- 13. Advanced ZMS and Agent configuration
- 13.1. Setting configuration parameters
- 13.1.1. Configuring user authentication and privileges
- 13.1.2. Configuring backup
- 13.1.3. Configuring the connection between ZMS and ZMC
- 13.1.4. Configuring ZMS and agent connections
- 13.1.5. Configuring ZMS database save
- 13.1.6. Setting configuration check
- 13.1.7. Configuring CRL update settings
- 13.1.8. Set logging level
- 13.1.9. Configuring SSL handshake parameters
- 13.2. Setting agent configuration parameters
- 13.3. Managing connections
- 13.4. Handling XML databases
- 14. Virus and content filtering using ZCV
- 15. Connection authentication and authorization
- 16. Virtual Private Networks
- 17. Integrating Zorp to external monitoring systems
- A. Packet Filtering
- B. Keyboard shortcuts in Zorp Management Console
- C. Further readings
- C.1. Zorp-related material
- C.2. General, Linux-related materials
- C.3. Postfix documentation
- C.4. BIND Documentation
- C.5. NTP references
- C.6. SSH resources
- C.7. TCP/IP Networking
- C.8. Netfilter/IPTables
- C.9. General security-related resources
- C.10. syslog-ng references
- C.11. Python references
- C.12. Public key infrastructure (PKI)
- C.13. Virtual Private Networks (VPN)
- D. Zorp Professional End-User License Agreement
- D.1. 1. SUBJECT OF THE LICENSE CONTRACT
- D.2. 2. DEFINITIONS
- D.3. 3. LICENSE GRANTS AND RESTRICTIONS
- D.4. 4. SUBSIDIARIES
- D.5. 5. INTELLECTUAL PROPERTY RIGHTS
- D.6. 6. TRADE MARKS
- D.7. 7. NEGLIGENT INFRINGEMENT
- D.8. 8. INTELLECTUAL PROPERTY INDEMNIFICATION
- D.9. 9. LICENSE FEE
- D.10. 10. WARRANTIES
- D.11. 11. DISCLAIMER OF WARRANTIES
- D.12. 12. LIMITATION OF LIABILITY
- D.13. 13. DURATION AND TERMINATION
- D.14. 14. AMENDMENTS
- D.15. 15. WAIVER
- D.16. 16. SEVERABILITY
- D.17. 17. NOTICES
- D.18. 18. MISCELLANEOUS
- E. Creative Commons Attribution Non-commercial No Derivatives (by-nc-nd) License
List of Examples
- 3.1. Referring to components with variables
- 5.1. Referencing static and dynamic interfaces in firewall rules
- 6.1. Using the Internet zone
- 6.2. Subnetting
- 6.3. Finding IP networks
- 6.4. Customized logging for HTTP accounting
- 6.5. Overriding the target port SQLNetProxy
- 6.6. Overriding the target port SQLNetProxy
- 6.7. RFC-compliant proxying in Zorp
- 6.8. Virus filtering and stacked proxies
- 6.9. Defining a Detector policy
- 6.10. DNSMatcher for two domain names
- 6.11. Defining a RegexpMatcher
- 6.12. Blacklisting e-mail recipients
- 6.13. SmtpProxy class using a matcher for controlling relayed zones
- 6.14. Address translation examples using
- 6.15. Defining a Resolver policy
- 6.16. Using HashResolver to direct traffic to specific servers
- 7.1. Selecting log messages from Postfix using filter
- 7.2. Setting up a router
- 9.1. Forward-only DNS server
- 9.2. Split-DNS implementation
- 9.3. Special requirements on mail handling
- 10.1. Specifying the target IP address of a TCP destination
- 15.1. BasicAccessList
- A.1. Chaining
- A.2. Protection against spoof
List of Procedures
- 2.1.6.1. Content vectoring with ZCV
- 3.1.1. Defining a new host and starting ZMC
- 3.2.1.3.1. Adding new configuration components to host
- 3.2.3.1. Configuring general ZMC preferences
- 3.2.3.2. Configuring Zorp Class Editor preferences
- 3.2.3.3. Configuring Zorp Rules preferences
- 3.2.3.4. Configuring ZMS hosts
- 3.2.3.6.1. Defining variables
- 3.2.3.6.2. Editing variables
- 3.2.3.6.3. Deleting variables
- 3.3.1.1. Configuring Zorp - the general process
- 3.3.4. Recording and commenting configuration changes
- 4.1. Bootstrap a new host
- 4.2.1. Reconnecting ZMS to a host
- 5.1.1.1. Configuring a new interface
- 5.1.2.1. Creating a VLAN interface
- 5.1.2.2. Creating an alias interface
- 5.1.3. Configuring bond interfaces
- 5.1.4. Configuring bridge interfaces
- 5.1.5.1. Configuring spoof protection
- 5.1.6.1.1. Creating interface activation scripts
- 5.1.6.2.1. Creating interface groups
- 5.1.6.3.1. Configuring interface parameters
- 5.3.1. Configure name resolution
- 5.4.2.1. Filtering routes
- 6.2.2. Creating new zones
- 6.2.3.1. Organizing zones into a hierarchy
- 6.2.6. Exporting zones
- 6.2.7. Importing zones
- 6.2.8. Deleting a zone or more zones simultaneously
- 6.3.3. Creating a new instance
- 6.3.4. Configuring instances
- 6.3.9. Increasing the number of running processes
- 6.4.1. Creating a new service
- 6.4.2. Creating a new packet filtering Service (PFService)
- 6.4.3. Creating a new DenyService
- 6.4.4. Creating a new DetectorService
- 6.4.5.1. Setting routers and chainers for a service
- 6.5.3. Finding firewall rules
- 6.5.4. Creating firewall rules
- 6.5.5. Tagging firewall rules
- 6.5.7. Connection rate limiting
- 6.6.1.1. Derive a new proxy class
- 6.6.1.2. Customizing proxy attributes
- 6.6.2. Renaming and editing proxy classes
- 6.6.3.1. Stack proxies
- 6.7.1. Creating and managing policies
- 6.7.5.1.1. Configuring NAT
- 6.9.1. Configuring Zorp reporting
- 7.2.1. Configure syslog-ng
- 7.2.2.1.1. Set global options
- 7.2.2.2.1. Create sources
- 7.2.2.2.2. Create drivers
- 7.2.2.4.1. Set filters
- 7.2.2.5.1. Configure routers
- 7.2.3. Configuring TLS-encrypted logging
- 8.1.1. Configure services with the Text editor plugin
- 8.1.2. Use the additional features of Text editor plugin
- 9.1.2.1. Configuring BIND with ZMC
- 9.1.3. Setting up split-DNS configuration
- 9.2.1. Configuring NTP with ZMC
- 9.3.1.1. Configuring Postfix with ZMC
- 9.4.1. Enabling access to local services
- 10.8. Updating and upgrading your Zorp hosts
- 10.10.1.1. Edit the Policy.py file
- 11.1.1.4.1. Procedure of encrypted communication and authentication
- 11.2.3.1. Creating a certificate
- 11.3.7.2. Creating a new CA
- 11.3.7.4. Signing CA certificates with external CAs
- 11.3.8.2. Creating certificates
- 11.3.8.3. Revoking a certificate
- 11.3.8.4. Deleting certificates
- 11.3.8.5. Exporting certificates
- 11.3.8.6. Importing certificates
- 11.3.8.7. Signing your certificates with external CAs
- 11.3.8.8. Monitoring licenses and certificates
- 12.4.1. Creating a new cluster (bootstrapping a cluster)
- 12.4.2. Adding new properties to clusters
- 12.4.3. Adding a new node to a Zorp cluster
- 12.4.4. Converting a host to a cluster
- 12.5.3.1. Configure Heartbeat
- 12.5.3.2. Configure additional Heartbeat parameters
- 12.5.4. Configuring Heartbeat resources
- 12.5.5. Configuring a Service IP address
- 12.6.3.1. Configure Keepalived
- 12.6.4.1. Simple Cluster with 2 nodes
- 12.6.4.2. Testing or Pilot node
- 12.6.4.3. Multiple backup nodes
- 12.6.4.4. Multiple VRRP groups in the same cluster
- 12.6.4.5. Managing individual OpenVPN tunnels
- 12.7.2.1. Configuring the Availability Checker
- 13.1.1.1. Adding new users to ZMS
- 13.1.1.2. Deleting users from ZMS
- 13.1.1.3. Changing passwords in ZMS
- 13.1.1.4.1. Editing user privileges in ZMS
- 13.1.1.5.1. Modifying authentication settings
- 13.1.2.1. Configuring automatic ZMS database backups
- 13.1.2.2. Restoring a ZMS database backup
- 13.1.3.1. Configuring the bind address and the port for ZMS-ZMC connections
- 13.1.3.2. Using linking for the IP address
- 13.1.4. Configuring ZMS and agent connections
- 13.1.5. Configuring ZMS database save
- 13.1.8. Set logging level
- 13.1.9. Configuring SSL handshake parameters
- 13.2.3. Configuring logging for agents
- 13.2.4. Configuring SSL handshake parameters for agents
- 13.3.3. Administering connections
- 13.3.4. Configuring recovery connections
- 14.2.1.1. Creating a new module instance
- 14.2.2.1. Creating a new scanpath
- 14.2.3.1. Creating and configuring routers
- 14.2.4.1. Configuring communication between Zorp proxies and ZCV
- 15.1.2.1. Outband authentication using the Zorp Authentication Agent
- 15.3.1.1.1. Creating a new instance
- 15.3.2.1. Configuring communication between Zorp and ZAS
- 15.3.2.2. Configuring Zorp Authentication policies
- 15.3.3.1. Configuring authorization policies
- 15.3.4. Enabling Kerberos authentication in ZAS
- 16.2.1. Using VPN connections
- 16.3.1. Configuring IPSec connections
- 16.3.4. Forwarding IPSec traffic on the packet level
- 16.4.2. Configuring SSL connections
- 16.4.3.1. Configuring the VPN management daemon
- 17.1. Monitoring Zorp with Munin
- 17.2. Installing a Munin server on a ZMS host
- 17.3. Monitoring Zorp with Nagios
- A.4.4.1. Using Rule Search
Send your comments to support@balasys.hu