Panda GateDefender Performa - User Guide
Panda GateDefender Performa User Guide

If your company has acquired this program and you do not have a CORPORATE USER LICENSE, please contact Panda Software so that you can extend the use of this program to more than one computer.

Copyright Notice

© 2010 Panda Security. All rights reserved. Neither the documentation nor the programs included in this package may be copied, reproduced, translated or reduced to any medium or electronic or machine-readable support without prior written consent from Panda Security.

Trademarks

Panda Security is a registered trademark owned by Panda Security. Windows is a registered trademark of Microsoft Corporation. Other product names that are mentioned in this guide may be registered trademarks of their respective owners.

© 2010 Panda Security. All Rights reserved. Printed in the European Union. Printed in 2010.
1008-PGDPMA-US-02

Table Of Contents

INTRODUCTION  9
  KEY FEATURES OF PANDA GATEDEFENDER PERFORMA  9
  FUNCTIONS  11
  PROTECTION  12
NEW FEATURES IN THIS VERSION  13
  INTRODUCTION  13
  IMPROVED DESIGN AND USABILITY  13
  PROTECTION IMPROVEMENTS  14
    Improvements to the anti-malware protection  14
    Improvements to the Content Filter and anti-spam protection  15
    Web and IM/P2P/VoIP filter  15
  OTHER IMPROVEMENTS  16
    New security reports and improvements to the filtering and  16
    Improvements to quarantine management  16
    Integration of new proxy for HTTP/HTTPS  16
    New agent to identify domain users  17
    New Quality of Service (QoS) feature  17
    Collective Intelligence  17
IMPLEMENTATION  19
  ACTIVATING PANDA GATEDEFENDER PERFORMA  19
  CONFIGURING THE APPLIANCE  19
    Points to bear in mind before configuring the appliance  19
    Data required to configure the appliance  20
    Default settings  21
CREATING THE USB INSTALLER  22
  DOWNLOADING FILES AND PREPARING THE USB DEVICE  22
    Preparing the USB device  22
  CREATING THE USB INSTALLER  23
COMMAND LINE INTERFACE (CLI)  27
  COMMAND LINE INTERFACE (CLI)  27
    Readonly role  27
    Admin role  27
    Access  27
  COMMANDS ALLOWED IN READ-ONLY MODE  27
  COMMANDS ALLOWED IN ADMINISTRATOR MODE  28
STATUS SCREEN  29
  INTRODUCTION  29
    Warnings  29
    Protection  29
    System  29
  LICENSE MANAGEMENT  29
    Products contracted  30
  PROTECTION STATUS  30
    Preferences for viewing the protection status  30
    Scan and detection statistics  31
    Details of the anti-malware protection  32
    Details of the Content Filter protection  33
    Details of the anti-spam protection  34
    Information on Web filtering  35
    IM/P2P/VoIP filter details  37
  VERSION DETAILS  38
  SYSTEM STATUS  38
INTRODUCTION TO THE SETTINGS  41
  Protection settings  41
  System settings  42
PROTECTION SETTINGS  43
  ANTI-MALWARE PROTECTION  43
    Malware types  43
    Anti-malware protection settings  43
    Antivirus protection settings  44
    Heuristic protection settings  48
    Anti-phishing protection settings  49
    Protection against other security risks settings  50
    Trusted sites and domains settings in the anti-malware protection  51
  CONTENT FILTER PROTECTION  52
    Content Filter protection settings  52
    HTTP/S and FTP protection settings  52
    Mail and news protection settings  54
    Trusted sites and domains settings in the Content Filter protection  57
  ANTI-SPAM PROTECTION  57
    Anti-spam protection settings  57
    Spam white list and blacklist  60
    Advanced SMTP anti-spam protection settings  60
  WEB AND IM/P2P/VOIP FILTER  70
    Web filtering  70
    IM/P2P/VoIP application filter  74
  USERS EXEMPT FROM FILTERING  75
    Users excluded from web filtering  75
    Users exempt from P2P/IM filtering  76
    Export/Import a list of computers  77
  PROFILES  77
    Configuration by profiles  77
    Managing settings  77
    Creating and modifying protection profiles  78
    Centralized protection settings  78
SYSTEM SETTINGS  83
  GENERAL SETTINGS  83
    Introduction  83
    Console access settings  83
    Load balancing/high availability  86
    System clock  92
    Explicit proxy  92
    HTTPS connections and certificates  93
    Advanced settings  96
    Quality of Service (QoS) settings  96
  NETWORK SETTINGS  102
    Network environment  102
    Network interfaces  103
    Additional port settings  104
    Managing internal networks  105
    Managing internal domains  106
  CONFIGURING THE UPDATES  106
    Introduction to updates  106
    Updating the protection software  107
    Updating the system software  108
    Hotfix management  108
  DOMAIN USERS  109
    Managing LDAP servers  109
    Management of servers with validation  110
    User management  111
  DEFINITIONS  112
    Introduction  112
    Managing IP addresses  113
    Domain management  114
  WARNINGS  114
    Introduction  114
    Events to report settings  115
    Syslog warnings settings  116
    SNMP warnings settings  117
  EMAIL WARNINGS  117
    Email warnings settings  117
    Recipient mail account details  118
    Periodic activity notification  118
    Periodic activity notification settings  120
  CUSTOMIZING THE TEXTS/PAGES  120
    Customizing the texts  120
    Customization of the substitute HTTP/S page  121
QUARANTINE  122
  INTRODUCTION TO QUARANTINE  122
  MALWARE QUARANTINE  122
    Possible actions in malware quarantine  123
    Malware quarantine settings  124
    Items excluded from quarantine  124
  CONTENT FILTER QUARANTINE  125
    Possible actions in content-filter quarantine  126
    Content Filter quarantine settings  126
  SPAM QUARANTINE  127
    Possible actions in spam quarantine  128
    Spam quarantine settings  128
  QUARANTINE FILTERS  129
    Introduction  129
    Malware quarantine filtering  130
    Content-filter quarantine filtering  130
    Spam quarantine filtering  130
REPORTS  132
  INTRODUCTION  132
  CONFIGURING AND FILTERING REPORTS  132
    Report settings  132
    Filtering information in the reports  133
    Stored filters  134
    Additional features in the report views  135
  PROTECTION REPORTS  135
    Introduction  135
    Protection report  136
  SECURITY REPORTS  137
    Introduction  137
    Report on access restricted by the explicit proxy  138
    Report on invalid SSL certificates  139
  SYSTEM REPORT  139
    System report  139
TOOLS  141
  INTRODUCTION  141
  DIAGNOSIS TOOLS  141
    Ping  141
    Traceroute  142
    DNS resolution  142
    Connectivity with Panda Security  143
    Display system network status  143
    Packet capture  143
  INTERNAL LOG FILES  144
  ONLINE SERVICES  145
  EXPORTING/IMPORTING THE SETTINGS  145
    Exporting the current settings  146
    Importing settings  146
  SENDING STATISTICS  146
  RESTARTING THE SYSTEM SERVICES  147
  COMPLETE SYSTEM RESTART  147
  SHUTTING DOWN THE SYSTEM  148
HOW DO I...  149
  ACTIVATING PANDA GATEDEFENDER PERFORMA  149
  HOW DO I KNOW WHEN MY LICENSE EXPIRES?  149
  HOW DO I UPDATE THE PRODUCT?  150
  HOW DO I MODIFY THE WARNING MESSAGES?  150
  ENABLING AND DISABLING REPORT GENERATION  150
  INSTALLING SEVERAL UNITS IN LOAD BALANCING MODE  150
  EXPORTING/IMPORTING THE SETTINGS  151
    Exporting the current settings  151
    Importing settings  152
  TRUSTED SITES AND DOMAINS SETTINGS IN THE ANTI-MALWARE PROTECTION  152
  RESTORING THE INITIAL VALUES FOR SIGNING IN TO THE WEB CONSOLE  153
  RESTORING THE APPLIANCE  153
  RECOVERY VIA CD  153
  RESTORING USING THE LIVE DVD  154
    Using the Live DVD  154
  RECOVERY WITH A USB DEVICE  155
  THE LCD SCREEN: DEFINITION AND USE  156
  CONFIGURING INTERNAL NETWORKS  157
  CONFIGURING INTERNAL DOMAINS  158
  USING THE BASIC ANTI-SPAM SETTINGS  158
  USING THE ADVANCED ANTI-SPAM SETTINGS  159

Introduction

Panda GateDefender Performa

Panda GateDefender Performa is a scalable and ultra-reliable SCM (Secure Content Management) perimeter security appliance. It delivers maximum proactive protection at the gateway against content-based Web and email threats. It blocks all types of malware, spam, undesirable content and other Internet threats before they enter the company. Its simple "connect and forget" operation and complete anti-malware protection, along with content filtering, anti-spam, Web filtering and IM/P2P/VoIP filtering, make Panda GateDefender Performa a highly effective security solution.
Key features of Panda GateDefender Performa

• Complete protection
It includes best-of-breed protection against malware, potentially dangerous content, spam, inappropriate Web content, and IM, P2P and VoIP protocols. It scans inbound and outbound traffic in all protocols (HTTP/S, FTP, SMTP, POP3, IMAP4 and NNTP), helping enforce security policies, and doesn’t require additional protection or supporting devices, therefore reducing complexity and operational costs.

• Modular structure
It provides specific protection for different threats, reinforcing the risk management systems where necessary. The cost is optimized since the organization only purchases the protection required.

• Integrated proactive technology
Heuristic engines, Collective Intelligence and Quarantine combined in the perimeter optimize threat detection, ensuring reception of important information.

• High performance
The hardware is designed to operate transparently in the perimeter, scanning large traffic volumes in real time. Each unit’s performance adapts to each organization’s traffic, optimizing the risk management system. Its high performance improves user productivity, making sure that standard security policies are met and ensuring business continuity.

• Zombie detection
Outbound SMTP detection allows administrators to identify internal computers that are infected and are sending spam and malware to clients and contacts without users’ knowledge. This improves corporate image and reputation with clients.

• Automatic updates
Updates are carried out automatically every hour in the case of malware and every minute in the case of spam. The protection is always updated against the latest threats, constantly improving the risk management system. The solution does not require continuous administration, thereby reducing complexity and operational costs.
• 'Connect and Forget'
It operates as a transparent bridge, and as installation does not require changes or redirections in the network settings, complexity is reduced. Once connected, it starts to work immediately, reducing operational costs.

• Guaranteed reception of data
Panda GateDefender Performa scans, disinfects, restores and resends files containing unknown malware without administrator intervention, reinforcing the risk management system. It also prevents critical information losses and protects the organization against known and unknown threats, helping enforce security policies. Additionally, it ensures business continuity and reduces operational costs.

• Console access levels
Different console access levels reinforce security in the risk management system, as security settings are protected and business continuity is ensured. Access permissions adapt to users’ different needs and reduce complexity for non-expert users.

• Guaranteed traffic flow
The hardware models for large organizations include a bypass option to ensure traffic flow continues in the case of system failure.

Functions

The main functions of Panda GateDefender Performa include:

• Load balancing
Automatic, native load balancing ensures high service availability in the event of unexpected failure, optimizes investment in the organization’s computers, and improves the risk management system. It also prevents traffic reception delays, improving user productivity and ensuring business continuity. As it is native and automatic, it eliminates configuration complexity and reduces operational costs.

• Customizable security policies
Different user profiles and groups can be defined to establish different security policies for each network user, reinforcing the risk management system. This way, user productivity is optimized and security policies are enforced.
• Integration with LDAP/AD
Due to integration with directory systems, the user responsible for each action taken on the network is identified and the risk management system is improved. In addition, monitoring of internal users enforces security policies.

• Centralized settings
All the units deployed can be configured from a single console. Centralized configuration of different access points improves the risk management system and reduces complexity.

• Detailed graphic reports
The real-time activity graphic reports significantly reinforce the risk management system. Administrators and operators therefore have important information to hand, reducing complexity and operational costs.

• Quarantine
It stores potentially dangerous files and messages in quarantine if they are suspected of containing unknown malware or are considered to be spam or probable spam. The aim of quarantine is to ensure access to any important files or emails.
  • Malware quarantine: reserved for contaminated files that cannot be disinfected or are suspected of containing unknown malware.
  • Spam quarantine: reserved for emails classified as spam or probable spam.
  • Content Filter quarantine: reserved for files or messages blocked by the application of security policies.

Protection

The protection units offered by Panda GateDefender Performa are:

• Anti-malware
Detects and blocks damaging threats before they enter the corporate network: viruses, worms, Trojans, spyware, dialers, jokes, phishing, hacking tools, security risks and, through its heuristic engine, threats not yet cataloged.

• Content Filter
The Content Filter lets you customize the types of files and messages to be filtered. It applies filters such as maximum file size, maximum number of compressed files, password protection, etc. With respect to messaging, it analyzes and filters by content, subject, type, etc.
• Anti-spam protection
It includes advanced spam detection techniques, such as DNSBL, anti-backscatter and SMTP Relay, minimizing the impact of spam on user productivity.

• Web filtering
The Web filter can restrict access to Web pages with unproductive content simply by selecting prohibited categories. It therefore optimizes resource usage and improves user productivity.

• IM, P2P and VoIP protocol filter
Used to block attempts to access applications that can represent security holes. These include instant messaging (IM), peer-to-peer (P2P) and Voice over IP (VoIP), whose use from inside the network can be restricted.

New Features in this version

Introduction

This new version of Panda GateDefender Performa contains a series of new features and improvements, making it one of the most advanced and complete perimeter security solutions for SMBs on the market.

The development of this version of Panda GateDefender Performa has been undertaken with a special effort to make configuration as simple as possible and to reduce the total cost of ownership derived from maintenance of the solution. At the same time, new technologies have been integrated for scanning your company's traffic, in order to adapt the platform to the cloud computing ethos, which is essential to handle the increasing volume of malware circulating on the Internet.

In addition to this commitment to improve the usability of the Web console, other functional aspects have been improved, enhancing the reliability and efficiency of Panda GateDefender Performa and better adapting it to the needs of users. The new agent for identifying domain users and the integrated proxy for HTTP/HTTPS are just two examples.

This help file contains information about all features of Panda GateDefender Performa. We hope you find this documentation useful. Welcome to the new version of Panda GateDefender Performa.
Improved design and usability
Panda Security has completely redesigned the product administration console, simplifying configuration, and making the information clearer and more accessible. It is now much more intuitive and simpler to manage, speeding up and easing technical decision-making regarding corporate security. Administrator-oriented experience improvements have been complemented by extending user Help files, containing clear and specific examples and cases of basic and more advanced configuration.

Improvements to the Status screen
The warnings in the Status screen are now classified (in different colors) depending on their severity. This will allow your network administrator to easily detect the most important problems threatening your network security. In addition to the problem description, the recommended action is implemented through a link that redirects to the console screen where the problem can be effectively solved.

Resolution optimized up to 1024x768 pixels and support for new browsers
In order to present additional information without compromising clarity, the administration console is adapted to 1024x768 resolution and takes advantage of new browser features to present improved activity graphs with plenty of information available through the mouse pointer.

Simpler and more manageable menu at the top of the page
Given the increased technical complexity of the tools provided by Panda Security, and in order to improve usability, the Web administration console menus have been overhauled in order to minimize the time spent searching or navigating through the application. Numerous links to the most frequently used sections have been included, in order to speed up and simplify the operation of Panda GateDefender Performa.
Protection improvements

Improvements to the anti-malware protection

HTTPS protocol scanning
As there is now more malware affecting user interaction with banking applications, and this type of communication is usually encrypted, Panda GateDefender Performa scans encrypted HTTPS traffic through “man-in-the-middle” technology. This will allow administrators to detect attempts made to send or receive malware in Web connections marked as safe.

Integration of Collective Intelligence with queries to the cloud and integrated cache of queries
With so much diverse malware in existence, it is impossible for a single network computer or appliance to make reliable detections. Panda Security has opted to move all scanning and malware detection intelligence out of the client's infrastructure and into the cloud, while respecting data confidentiality at all times. The system means that any item suspected of containing malware can be checked against Panda Security's cloud database. Panda GateDefender Performa intelligently uses this resource, combining the benefits provided by ‘total detection’ with increased detection speed resulting from an intelligent internal cache of previously scanned items. This way, the data flow required to detect and disinfect malware is reduced to a minimum.

Latency reduction in HTTP/HTTPS navigation
In the past, files had to be downloaded in full in order to reliably determine whether they contained dangerous malware. This caused an annoying slowdown of Web content delivery, because Panda GateDefender Performa required the whole file before scanning it and delivering it to the user. In this new version of Panda GateDefender Performa, the detection algorithm for dangerous items has been updated, so delays are reduced to a minimum, making the service practically transparent to end-users.
Cache of infected URLs in HTTP/HTTPS navigation
In order to save network resources, Panda GateDefender Performa stores any URLs with malware, so that the files are not downloaded and scanned every time they are requested by a corporate network user. Additionally, intelligent management of the URL cache allows the items to be accessed once the malware is eliminated from the server, preventing the resource from being inaccessible for an indefinite period.

Customization of the page displayed on detecting malware in HTTP/HTTPS
In order to improve the feedback returned to end-users, the screen displayed on accessing an item suspected of containing malware can be customized.

Improvements to the Content Filter and anti-spam protection

Improvements to the Content Filter protection
The HTTPS protocol has been added to the numerous Content Filtering options available since the first versions of Panda GateDefender Performa. Now users are protected against all malicious items included by third parties on Web pages marked as secure, generally those belonging to banks and financial institutions, which are specifically targeted by criminals trying to obtain confidential user data (account numbers, passwords, etc.). The customization improvement mentioned in the previous section also applies to the Content Filter protection.

Improvements to the anti-spam protection
Spam detection was no longer an issue with Panda GateDefender Performa once the anti-spam engine was implemented. However, the invention and application of new spam generation methods make it necessary to frequently check mail scanning methods in order to meet the 99% detection commitment to Panda Security clients and reduce the false positive detection ratio. Consequently, Panda GateDefender Performa implements self-learning technologies to report emails that have been incorrectly classified as spam and update its detection algorithms with the new information.
The new version of the anti-spam engine, already integrated in previous versions through the cloud, leverages a huge knowledge database and is updated in real time with new detections of spam reported by users. This system offers the security of enjoying a clean email service, with the peace of mind of knowing that you will not be losing messages that could be important for your company.

Web and IM/P2P/VoIP filter

Improvements to the Web filter
As the amount of malware and spam increases, there are more and more websites with dangerous or inappropriate content, and it is difficult for a single computer to store information about all such sites. Panda Security updates the Web filter engine responsible for classifying downloaded pages in the cloud, and allows you to apply standard actions (block, report, etc.). This way, Panda Security is coherent with the rest of the detection engines, and also sends any knowledge accumulated to the cloud. Given that cloud resources are virtually unlimited, the number of potentially inappropriate website categories has been increased, as well as the number of sites themselves. There are also greater guarantees that any access to the Web will conform to the needs of the company. In addition, your company can contribute actively to the cloud knowledge base, reporting any new inappropriate websites. As with the malware and content filtering, in this version of Panda GateDefender Performa, Web filtering includes HTTPS, and the substitute page displayed (when necessary) can be customized, as with the rest of the filters.

Improvements to the filtering of IM/P2P/VoIP applications
One of the most significant problems when calibrating the bandwidth required for your company’s activities is to ensure there is sufficient bandwidth available to cover your employees’ needs.
To this end, the quick and accurate identification of restricted protocols, such as P2P (eMule, BitTorrent), VoIP (Skype), messaging (Messenger) and others, is vital. Access to these protocols and applications not only affects your bandwidth but also your company's productivity, and so it is essential to accurately determine which should be allowed and which not. Due to the constant evolution of these applications, Panda GateDefender Performa updates the set of rules that allow the detection of these types of data transfers, so that new versions of messaging and P2P programs are correctly identified and managed (block or report). Given that not everyone's needs are the same, Panda GateDefender Performa lets you define individual protection profiles for each user for P2P and messaging applications.

Other improvements

New security reports and improvements to the filtering and presentation of current reports
The increasing amounts of malware being received and detected by companies mean that there is also more information to make available to network administrators. Because of this, Panda Security provides search tools and filters for presenting reports, as well as new types of reports. These new reports concern the SSL certificates and the explicit proxy, in addition to those offered in previous versions. The reports screen has been redesigned to jointly display a breakdown of the malware detected for all the protection modules purchased, minimizing the time spent navigating through the administration console. The limits for storing old reports have also been updated and expanded, in line with the increase in the amount of malware on the Web and the considerable increase in the information provided by Panda GateDefender Performa regarding each security problem. Now, Panda GateDefender Performa maximizes the potential of the reports, so that these show all possible details about each of the protection modules and the new features implemented.
Improvements to quarantine management
Apart from the improvements made to malware detection and reports, the space used for the quarantine of items suspected of containing malware has been increased. It is now easier to search for items, restore them and download messages.

Integration of new proxy for HTTP/HTTPS
In the case of networks that do not have a proxy Web server, Panda GateDefender Performa implements a Web cache server that speeds up page and file downloads via HTTP and HTTPS, saving data flow and allowing you to delay decisions on expanding resources. Additionally, by implementing authentication methods that use local databases or LDAP, its use can be restricted to specific network users, integrating with the user management infrastructure already installed in your company. Finally, the integrated proxy helps in the configuration and deployment of protection profiles, avoiding the need for validation servers in your corporate network, optimizing the number of servers and therefore reducing the overall TCO.

New agent to identify domain users
In order to complement the deployment of protection profiles, Panda Security provides a Windows application which can be installed on your main or secondary domain controller to help Panda GateDefender Performa correctly identify users in your network domain. This way, all domain users are identified and the selected protection profile is applied.

New Quality of Service (QoS) feature
As a perfect complement to the explicit proxy, and the Web filtering and IM/P2P/VoIP filtering tools, Panda GateDefender Performa implements QoS technology in this version. This technology allows you to prioritize Internet access for data flows marked as important by your company.
This way, traffic can be identified by type, and minimum and maximum bandwidth use can be assigned, in addition to priorities, in order to effectively manage the use of the data flow delivered to local network users.

Collective Intelligence
Panda GateDefender Performa supports Collective Intelligence, meaning that the detection capacity of the anti-malware protection is significantly increased, as it is also based on queries to the Panda Security knowledge server (“the cloud”). This server is continually updated and contains all Panda Security's information about malware and security threats.

How does the Collective Intelligence scanning/detection process work?
Collective Intelligence implies a new type of logic in the scan, which acts in the following way:
1. The signatures stored in the appliance are consulted.
2. If the sample is not found among the signatures, the local cache is consulted.
3. If the information is not in the local cache, a query is made to the server.
4. If malware is identified, the Collective Intelligence server returns the identifier and the generic type of malware. To complete the information, for example with the name of the malware and other useful data, a query is made to the Panda Security extended information server.
5. If there are any changes to the knowledge available, the Collective Intelligence server automatically communicates the updates to the appliances, specifying those samples of goodware that have recently undergone changes, or completely emptying the cache.

Collective Intelligence cache
The use of Collective Intelligence involves maintaining a local cache in the appliance storing the results of queries to the cloud. Malware-positive or suspicious results stored in the cache will expire in 24 hours, even if during this time there has been frequent access to the item or even if the cache has not exceeded the limit. This means that there will have to be a query to the cloud if the expired item is scanned again.
The cache is persistent, i.e. the content is maintained between restarts of the appliance and its processors, but it is automatically emptied whenever a manual update is launched through the "Update now" button in the Update screen of the Web console. In the case of several load-balancing appliances, the cache of each of them operates as an independent entity.

Control over cloud connections
To avoid unnecessary delays in the case of connection problems, the connection to the cloud will be interrupted for five-minute periods without impacting the scan in progress. The cloud availability status will be monitored every 60 seconds, and a system event will be generated if there is a problem. During this period of disconnection, the signatures and local cache will still be consulted. The action policy will depend on the network of each user, so the maximum cloud access times can be adjusted in the Advanced Settings page of the Web console. Three parameters can be configured in the "remote scan timers" section:
• Maximum time for cloud queries regarding the Internet (2 seconds by default).
• Maximum time for cloud queries regarding SMTP (10 seconds by default).
• Maximum time for cloud queries regarding other items (3 seconds by default).
Calculation of maximum scan times is based on maximum response times for each intercepted protocol, grouped into three classes: HTTP/S/FTP, SMTP and POP3/IMAP4/NNTP. Periodic scanning of items in malware quarantine uses the maximum time defined for SMTP, which would normally be greater than for the Internet and interactive mail, as an immediate response is not needed in this case.
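The lookup order (signatures, then local cache, then cloud), the 24-hour expiry of positive cache entries, the per-protocol-class query timers and the five-minute suspension of cloud queries after a connection problem are easier to follow as executable logic. The Python model below is an added example written for this guide; it is not Panda's code and the class, function and event names (CollectiveIntelligenceScanner, scan, update_now) are assumptions. Only the numeric defaults come from the text above; the sample hashes and the fake cloud server are constructed. One simplification is labelled in the code: re-enabling of cloud queries is checked at the next scan rather than by a separate 60-second monitor.

```python
import time
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional, Tuple

# Figures taken from the guide: positive/suspicious cache entries expire after 24 hours,
# cloud queries are suspended for five-minute periods after a connection problem, and the
# "remote scan timers" default to 2 s (Internet), 10 s (SMTP) and 3 s (other items).
CACHE_TTL_SECONDS = 24 * 60 * 60
CLOUD_BACKOFF_SECONDS = 5 * 60
CLOUD_TIMEOUTS = {"internet": 2.0, "smtp": 10.0, "other": 3.0}

# Intercepted protocols grouped into the three timer classes named in the guide.
# Periodic quarantine rescans reuse the SMTP timer, as the guide states.
PROTOCOL_CLASS = {
    "HTTP": "internet", "HTTPS": "internet", "FTP": "internet",
    "SMTP": "smtp", "QUARANTINE": "smtp",
    "POP3": "other", "IMAP4": "other", "NNTP": "other",
}

# (identifier, generic type) pair as returned by the cloud; None means "not malware".
CloudResult = Optional[Tuple[str, str]]


@dataclass
class Verdict:
    source: str                 # "signatures", "cache", "cloud" or "unavailable"
    identifier: Optional[str]   # constructed identifier such as "0x1234"; None if clean
    generic_type: Optional[str]


@dataclass
class CollectiveIntelligenceScanner:
    """Hypothetical model of the signatures -> cache -> cloud lookup order."""
    signatures: Dict[str, Tuple[str, str]]
    cloud_lookup: Callable[[str, float], CloudResult]   # raises TimeoutError on failure
    clock: Callable[[], float] = time.time
    cache: Dict[str, Tuple[str, str, float]] = field(default_factory=dict)
    cloud_disabled_until: float = 0.0
    events: List[str] = field(default_factory=list)

    def scan(self, sample_hash: str, protocol: str) -> Verdict:
        now = self.clock()
        # Step 1: signatures stored in the appliance.
        if sample_hash in self.signatures:
            ident, kind = self.signatures[sample_hash]
            return Verdict("signatures", ident, kind)
        # Step 2: local cache, discarding entries older than 24 hours however often they were hit.
        entry = self.cache.get(sample_hash)
        if entry is not None:
            ident, kind, stored_at = entry
            if now - stored_at < CACHE_TTL_SECONDS:
                return Verdict("cache", ident, kind)
            del self.cache[sample_hash]
        # Step 3: cloud query, skipped while the five-minute disconnection is in force.
        # Assumption: re-enabling is checked lazily here instead of by a 60-second monitor.
        if self.cloud_disabled_until:
            if now < self.cloud_disabled_until:
                return Verdict("unavailable", None, None)
            self.cloud_disabled_until = 0.0
            self.events.append("Cloud queries re-enabled")
        timeout = CLOUD_TIMEOUTS[PROTOCOL_CLASS[protocol]]
        try:
            result = self.cloud_lookup(sample_hash, timeout)
        except TimeoutError:
            self.cloud_disabled_until = now + CLOUD_BACKOFF_SECONDS
            self.events.append("Cloud queries disabled")
            return Verdict("unavailable", None, None)
        if result is None:
            return Verdict("cloud", None, None)
        ident, kind = result
        self.cache[sample_hash] = (ident, kind, now)   # only positives are cached in this model
        return Verdict("cloud", ident, kind)

    def update_now(self) -> None:
        """Model of the "Update now" button: a manual update empties the cache."""
        self.cache.clear()


if __name__ == "__main__":
    def fake_cloud(sample_hash: str, timeout: float) -> CloudResult:
        # Constructed stand-in for the Collective Intelligence server.
        return ("0x1234", "Trojan") if sample_hash == "bad" else None

    scanner = CollectiveIntelligenceScanner(signatures={"sig": ("S1", "Virus")},
                                            cloud_lookup=fake_cloud)
    for sample in ("sig", "bad", "bad", "clean"):
        print(sample, scanner.scan(sample, "HTTP"))
```

Running the script shows the second scan of "bad" being answered from the cache rather than the cloud. The scanner only returns an identifier and generic type, matching what the guide says the cloud and cache hold; the name lookup against the extended information server is a separate step not modelled here.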
In the following cases, events are generated in the system report and sent to the administrator via SMTP, SNMP and Syslog:
• Cloud queries disabled
• Cloud queries re-enabled

Extended information system
The detection results contain only the identifier and the generic type of malware, both for results from the local cache and from the cloud. To complete the data with a name and a specific type of malware, a query is made to an extended information server, so that the report, the notifications on malware detected, quarantine and the malware activity details page in the Web console have all the information they need. If the extended information system fails, the basic format is then used to display the report, using the identifier to link to the Panda Security Malware Information Center website, where all the information is available online.

Checking connectivity with the cloud
You can check connectivity with the cloud servers using the “Connectivity with Panda Security” tool in the Web console.

Detection of malicious URLs
The system can detect malicious URLs, preventing users from accessing phishing pages or those harboring malware. This protection is configured through a special Web filter category: "Malicious websites".

Implementation

Activating Panda GateDefender Performa
1. Click My license, next to the system clock.
2. In the window that appears, click Registration/activation details.
3. A new window appears: enter the user name and password provided by Panda Security.
4. Click Save.
Panda GateDefender Performa will contact the Panda Security server to get license information (wait 10 seconds before consulting the information). If an error occurs, a message will be displayed; click on the link (here) that appears under More information.
Configuring the appliance

Points to bear in mind before configuring the appliance
The correct configuration of Panda GateDefender Performa ensures optimum protection of your corporate network and improves your appliance’s performance. Therefore, before configuring Panda GateDefender Performa, it is important that you have a clear idea of the following:
1. Who will be able to change the settings and from which computers.
2. What type of malware you want Panda GateDefender Performa to detect.
3. What protocols you want to protect.
4. Whether a specific type of file should be allowed to enter or leave your organization through a certain protocol (for example, executable files via email).
5. What type of warnings you want to receive (whether Panda GateDefender Performa should warn you every time it detects a virus, updates, has connection problems, etc.).
6. Who should receive the warnings.
7. Whether you want warning messages to display an explanatory text, and the text it should include.
8. Whether there are trusted domains that will never send you malware.
9. Whether there are domains from which you never want to receive any email messages, as they will always be spam. You can configure automatic blocking (without scanning) of the messages received from those domains and optimize the performance of the appliance.
10. Whether you want to restrict access to certain Internet contents, and what type of content.
11. Whether you want to allow access to a certain URL, regardless of whether it contains restricted contents or not.
12. Whether you want to deny access to a certain URL, regardless of whether it contains restricted contents or not.
13. Whether you want advanced log files with more detailed information.
Having a clear idea about these issues will allow you to configure the solution for optimized performance from the start; the network traffic will adapt to your needs and you probably won’t need to change the settings at a later stage.
Before configuring the appliance, don't forget to have the necessary data to hand. Once Panda GateDefender Performa is installed, access to the Web console is configured and the product is activated, you can start to configure the system and the protection.

Data required to configure the appliance
Before starting to configure the appliance for the first time, it is advisable to have the following data to hand:

To establish the network connections
1. Name of Panda GateDefender Performa: Name of the unit that allows it to be identified. This name must be unique. If you have more than one appliance in your organization, make sure that each of them has a different name. The default name is MachineName.
2. IP address and net mask: Use a free IP address and the net mask associated with the network in which the appliance has been installed. These must allow Panda GateDefender Performa to access the Internet in order to activate and update, and connect with an SMTP server in order to send warning messages. The default IP is 192.168.1.1 and the default net mask is 255.255.255.0. This is the IP address used to establish connections and is totally different from the Configuration IP, which is only used to access the Web administration console.
3. Default gateway: Default gateway for connecting to other networks without static routes established (Internet). By default, the gateway is 192.168.1.200.
4. Additional routing table: Allows static routes to be defined for accessing computers or networks that cannot be reached through the default gateway. For example, for sending warning messages to an SMTP server in a different subnet, which cannot be accessed through the default gateway. You must specify the IP address and net mask associated with the target network or computer and the IP of the gateway that will be used to establish the connections.
If the target is a computer, leave the net mask field blank or use the value 255.255.255.255.
5. DNS servers: Panda GateDefender Performa can be configured with up to three DNS servers. Firstly, Panda GateDefender Performa uses the primary DNS server. If the connection fails, it will try to use the rest of the servers configured. You probably won’t need to change the default settings. If you have your own DNS servers or DNS servers provided by your ISP, you can configure Panda GateDefender Performa to use them. The appliance uses these DNS servers to establish its own connections, update, send warnings, validate licenses, etc. As a result, if these servers are not configured correctly, Panda GateDefender Performa will not work properly.
6. Proxy server IP address and authentication data: If Panda GateDefender Performa is going to connect to the Internet through an HTTP proxy, you will need to activate it here and specify the IP address and port of the server; if it requires authentication, activate this option and enter the user name and password.

To specify who can change the settings:
1. User name: Defines the user name that must be entered whenever a user tries to access the console.
2. Password: Defines the password that must be entered whenever a user tries to access the console. The password can include letters and numbers and must be six to twelve characters long.
Configuration IP address: This is the IP address used to access the Web administration console. The default address is 172.16.1.1. For more information, click here.

To activate Panda GateDefender Performa:
1. Registration details – User name: This is the user name provided by Panda Security with the appliance. This will identify your appliance in the updates server.
2. Registration details – Password: This is the password provided by Panda Security with the appliance. This will identify your appliance in the updates server.
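The additional routing table described above decides, for each connection the appliance opens (for example to an SMTP server in another subnet), whether a static route or the default gateway is used, and a blank net mask stands for a single computer. As an added illustration that is not part of this guide and not Panda's code, the Python script below models that selection: the most specific matching static route wins, and everything else goes to the default gateway. The function names build_static_routes and next_hop are assumptions, the default gateway 192.168.1.200 is the guide's default, and all other addresses are constructed.

```python
import ipaddress
from typing import List, Optional, Sequence, Tuple

# Default gateway from the guide's "Default settings"; every other address below is constructed.
DEFAULT_GATEWAY = ipaddress.IPv4Address("192.168.1.200")

Route = Tuple[ipaddress.IPv4Network, ipaddress.IPv4Address]


def build_static_routes(entries: Sequence[Tuple[str, str, str]]) -> List[Route]:
    """Each entry is (target IP, net mask, gateway IP) as typed into the routing table.
    A blank net mask means a single computer, i.e. the same as 255.255.255.255."""
    routes: List[Route] = []
    for target, mask, gateway in entries:
        mask = mask.strip() or "255.255.255.255"
        # strict=False lets a host address such as 10.0.5.25 be entered with a /24 mask.
        network = ipaddress.IPv4Network(f"{target}/{mask}", strict=False)
        routes.append((network, ipaddress.IPv4Address(gateway)))
    return routes


def next_hop(destination: str, routes: Sequence[Route],
             default_gateway: ipaddress.IPv4Address = DEFAULT_GATEWAY) -> ipaddress.IPv4Address:
    """Pick the gateway for a destination: the most specific matching static route wins,
    and anything not covered by a static route goes through the default gateway."""
    dst = ipaddress.IPv4Address(destination)
    best: Optional[Route] = None
    for network, gateway in routes:
        if dst in network and (best is None or network.prefixlen > best[0].prefixlen):
            best = (network, gateway)
    return best[1] if best else default_gateway


if __name__ == "__main__":
    # Constructed example: an SMTP server subnet 10.0.5.0/24 reached through a second
    # router, plus a host route (blank mask) for one specific computer in that subnet.
    table = build_static_routes([
        ("10.0.5.0", "255.255.255.0", "192.168.1.254"),
        ("10.0.5.25", "", "192.168.1.253"),
    ])
    for dest in ("10.0.5.25", "10.0.5.40", "203.0.113.10"):
        print(dest, "->", next_hop(dest, table))
```

The host route created from the blank mask has a /32 prefix, so it takes precedence over the /24 route for the same subnet; a destination outside both, such as an Internet address, falls back to the default gateway.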
The user name and password are different from the user details for accessing the Web console. These are the details identifying the registered user of Panda Security and which offer access, among other things, to the update servers. Panda Security provided these when you bought the appliance.

To configure sending of warnings
1. Email addresses: Email address or addresses to which Panda GateDefender Performa must send alerts.
2. SMTP server: DNS-resolvable name or IP address of the SMTP server to use to send warnings.
3. Port: Port number if the SMTP server uses a different port from the standard port (25).
4. Authentication details: If the SMTP server requires authentication, keep the user name and password that Panda GateDefender Performa must use to identify itself to hand.

Default settings
The default settings defined are:
• Appliance name: MachineName.
• Network IP address: 192.168.1.1.
• Net mask: 255.255.255.0.
• Default gateway: 192.168.1.200.
• Primary DNS server: 207.200.7.21
Console login
• User name: defaultuser.
• Password: defaultpass.
• Configuration IP address: 172.16.1.1.
• Net mask: 255.255.255.0.

Creating the USB installer

Downloading files and preparing the USB device
The first step to create a USB installer with which to install or restore the ISO image of Panda GateDefender Performa involves getting the files required as well as the tool with which to create the installer. The ISO and the unetbootin tool to create the installer are available at the following URL: http://www.pandasecurity.com/spain/enterprise/downloads/clients/default.htm

Preparing the USB device
You will then need to prepare the USB device on which you are going to create the installer. It is IMPORTANT to ensure that the USB device does not contain data that you want to keep, as all information will be deleted when the process of creating the installer is complete. Follow these steps:
1. Insert the device in the USB port and find the assigned drive in your file explorer (Windows Explorer > My Computer > Removable drives).
2. Right-click the removable drive icon and click Format.
3. Select FAT32 as the file system and click Start. You will then see a warning about the loss of data from the device after formatting. If you are sure there is no important data on the device, click OK to format it.
Once formatting is complete you will see the corresponding notification: Click OK.

Creating the USB installer
Once the required files have been downloaded and the USB device prepared, it is time to create the installer. To do this:
1. Copy the ISO of the CD downloaded previously to the root folder of your USB device.
2. Extract the compressed file containing the Unetbootin tool to a folder on your computer.
3. In the same folder, extract the compressed file Performa-4.00.00.buildnumber.FILES4USB.zip.
4. Start the process by double-clicking the Unetbootin executable file.
5. In the screen that appears, select Custom, and in the Kernel field enter the complete path of the vmlinuz file, and in Initrd, enter the complete path of the file initrd.gz.
6. Make sure the value of the Type field is USB drive and the value of the Drive field corresponds to that of the USB device. Click OK.
7. Once this process has finished, click Exit.
8. Click OK. The selected ISO image will be copied to the USB device. Click Exit.
IMPORTANT: Do not click Restart now, as this will cause all the data on the computer to be lost.
Remember to use the Safely remove hardware option to remove the USB device. Then, follow the steps below:
1. Export the current settings of Panda GateDefender Performa to a file.
2. Insert the USB device in one of the appliance ports.
3. To continue with the process, connect a screen to the VGA socket in the appliance. Also, connect a keyboard.
4. Restart the appliance.
5. Once the restart is complete, the restore process will start. When it has finished, you will see the following notice:
To complete the restore process, press ENTER and remove the USB device. Do not shut down the system while the appliance is working, otherwise the entire system will be corrupted. The recovery process must not be interrupted once it has started. Panda GateDefender Performa will display the factory settings. Import the settings file that you have just exported to apply the settings defined before restoring the appliance.

Command Line Interface (CLI)
The Command Line Interface (CLI) in Panda GateDefender Performa is a useful function in those situations in which you can't access the console. To access the Command Line Interface there are two types of profiles or roles with different permissions.

Read-only role
This is a user with read-only permissions on a limited shell. This user cannot edit the appliance status or settings. The prompt is >.

Admin role
This is an administrative user with access to all commands, who can edit information relative to all of them. After logging in, the user has limited access to the shell; administrator rights are obtained with the enable command. The prompt in administrator mode is #. To leave administrator mode, enter exit.

Access
The CLI can be accessed through SSH or through a serial port. In some appliances, access via VGA is also allowed, which requires connecting a keyboard and monitor. Click here to see the list of commands allowed in read-only mode. Click here to see the list of commands allowed in administrator mode. For more information about any of the commands, enter the name of the command and then the character “?” (without quotation marks).
Commands allowed in read-only mode
date: Show current date
DNS: DNS configuration
enable: Enter admin mode
exit: Exit this CLI session
interception: Interception rules
meminfo: Report memory usage information
netstat: Network statistics
network: Network configuration
ntp: NTP configuration
password: Change password
ping: Ping other machine
quit: Exit this CLI session
snmp: SNMP configuration
stats: Statistics
status: Status
syslog: Syslog configuration
tcpdump: Show traffic
top: Show top processes
uptime: Show uptime
vmac: Virtual MAC configuration
vmstat: Report generic statistics

Commands allowed in administrator mode
date: Show current date
DNS: DNS configuration
hotfix: Hotfix utilities
exit: Exit this CLI session
interception: Interception rules
meminfo: Report memory usage information
netstat: Network statistics
network: Network configuration
ntp: NTP configuration
password: Change password
ping: Ping other machine
quit: Exit this CLI session
reboot: Reboot system
reset: Reset services
restore: Restore factory settings
shutdown: Shutdown
snmp: SNMP configuration
stats: Statistics
status: Status
syslog: Syslog configuration
tcpdump: Show traffic
top: Show top processes
uptime: Show uptime
vmac: Virtual MAC configuration
vmstat: Report generic statistics

Status screen

Introduction
The Status screen is the first screen that users access after logging in to the administration console and it allows them not only to check that the appliance is operating correctly, but also Panda GateDefender Performa protection statistics. The screen header, which is common to all the console screens, shows the system clock, the Disconnect option and the My license link. This takes you to the License management screen where you can check or edit your registration or activation details and see the technical specifications of the appliance. You will also see information about the products you have contracted and the corresponding expiry dates.
You will find the following areas in the Status screen:

Warnings
The Warnings area will be displayed when there are certain problems, and will offer recommendations and advise you on the action to take.

Protection
Click the title of the section to display or hide the content. This section contains graphs with statistical information about scanning and detections performed by the protection modules. It also includes data about updates, licenses and quarantine. You can see details of the contents of the graphs through the corresponding options and export content to .csv format. To the left of the title of each protection (Anti-malware, Content Filter, Anti-spam, Web filter and IM/P2P filter) there will be a red icon if the protection is disabled, green if it is enabled, and orange if it is partially enabled. If you pass the cursor over the protection title, and it is partially enabled, you will see the actual status.

System
Use the arrow at the end of the title bar of the section to display or hide the content. Here you will see the system connections and network card traffic. You will also see a graph of the network load history, uninterrupted runtime, and load-balancing (if enabled). You can enlarge the graphs using the corresponding option, and export the content to .csv format.

Restart statistics
Use this button, at the bottom of the window, to restart the system graphic statistics. Obviously, on restarting the statistics the data displayed in the Status window will change.

License management
The License management screen lets you check the status of your licenses for each of the modules contracted. You can access the screen in two ways:
1. By clicking the My license link, in the console header, next to the system clock.
2. By clicking the date in Updates and licenses > Updates and services expire:, in the Status screen.

Products contracted
Bear the following in mind:
1. The anti-malware license covers the following types of protection:
  • Anti-malware
  • Content Filter
2. The anti-spam license covers the protection against junk mail (spam).
3. The Web filter license covers the following types of protection:
  • Web filtering
  • Filtering of IM (instant messaging), P2P (file-sharing) and VoIP (Voice over IP)

• When the license for a module has expired or is about to expire, Panda GateDefender Performa displays the Renew license option, which gives you direct access to the renewals area on Panda Security's website.
• If you do not have a license for a certain type of protection, Panda GateDefender Performa indicates that the protection is Without a license and gives you the option to Get a license.

Registration/activation details

After installing the Panda GateDefender Performa software and accessing the console, activate the appliance by entering the activation details provided by Panda Security. Click the link to activate the product or consult the activation details. If you want to check these details after activating the unit, use the link in this section.

Technical specifications

This shows the serial number and hardware platform of the connected unit.

Protection status

Preferences for viewing the protection status

You can configure the viewing preferences in the Status window:

1. Values viewed: Lets you select the type of data you want to see. Use the drop-down menu:
  • Percentage: Shows percentage data in the status graphs.
  • Absolute: Shows absolute data in the status graphs. Default mode.
2. Period viewed: Use the drop-down menu to select a time period for the status graphs:
  • Last 24 hours. Default mode.
  • Last 7 days.
  • Last month.
  • Last year.
  • Specify dates: If you select this option, text boxes are enabled that allow you to specify the start and end dates.

Click OK to save the changes. Otherwise, click Cancel.
Scan and detection statistics

The protection activity graphs display detailed statistics about the activity of the protection modules. They also show the percentage occupation of quarantine and information about updates. Use the Enlarge link to expand the graphs; this link is visible when you place the mouse cursor over the graph. The Export option lets you export the content of the graph to .csv format. By clicking Details you can see more in-depth data about the selected protection module.

Anti-malware

This displays real-time statistics on the anti-malware protection (viruses, jokes, dialers, spyware, hacking tools, security risks and phishing). It shows the following information:

• Total files scanned.
• Malware detected. Files in which some kind of malicious code has been detected, in both Mail and News and for both HTTP and FTP. The number of files detected and their percentage of the total items scanned is also displayed.
• Evolution graph. This shows the evolution of the detections made by the protection, divided into two categories: Detections in Mail and News (red line) and Detections in HTTP and FTP (green line). Click Enlarge to expand the graph.
• View details. Lets you consult the Anti-malware protection details screen in the console, with more detailed and complete information.

Content Filter

This allows you to access real-time statistics on the content filter.

• Items scanned by Panda GateDefender Performa.
• Items filtered: Files in which some kind of unwanted content has been detected, in both Mail and News and for both HTTP and FTP. The number of items filtered and their percentage of the total items scanned is also displayed.
• Evolution graph. This shows the evolution of the filtering applied by the protection, divided into two categories: Detections in Mail and News (red line) and Detections in HTTP and FTP (green line). Click Enlarge to expand the graph.
• View details: Lets you consult the Content Filter protection details screen in the console, with more detailed and complete information.

Anti-spam

This displays real-time statistics on the anti-spam scan. It shows the following information:

• Messages scanned.
• Spam messages. Number of messages classified as spam and their percentage of the total messages scanned.
• Evolution graph. This shows the evolution of the detections made by the protection. Click Enlarge to expand it.
• View details. If you click this link, the details of the anti-spam protection are displayed, with more detailed and complete information.

Web filtering

• Total pages scanned.
• Pages blocked: The number of access attempts blocked or monitored (monitored accesses are those to URLs restricted by the administrator which Panda GateDefender Performa does not block but does log in the report). The number of events detected is displayed along with their percentage of the total items scanned.
• Evolution graph. This shows the evolution of the pages blocked by the protection. Click Enlarge to expand the graph.
• View details. If you click this link, the details of the Web filtering protection are displayed, with more detailed and complete information.

IM/P2P/VoIP access filter

This displays real-time data on the activity of the Web filter and IM/P2P filters.

• Total accesses scanned.
• Restricted accesses: The number of restricted access attempts to IM/P2P protocols, together with their percentage of the total.
• Evolution graph. This shows the evolution of the accesses to Web pages and IM/P2P applications blocked by the protection. Click Enlarge to expand the graph.
• View details. Click to consult the Web and IM/P2P application filter protection details screen in the console, with more detailed and complete information.

Quarantine status

This displays the percentage occupation of quarantine.
For more information about the items in quarantine, click the percentage occupation figure.

Updates and licenses

Information about the date of the last update and the date on which the updates and services expire. This section allows you to check the system update status and the expiry date of the contracted antivirus protection and services:

1. Last update: This shows the date on which Panda GateDefender Performa last updated the signature files.
2. Updates and services expire: This specifies the expiry date of the license contracted. If the appliance has not been activated, this field displays the text Not activated and does not change until the contracted protection has been activated (License management screen).

Click the dates to access the Version details and License management screens.

Details of the anti-malware protection

The details of the activity of the anti-malware protection can be displayed in a graph. These details can be selected by protocol or by a specific date. The graphs vary depending on the selection criteria.

View selection

You can select the details according to the following values:

• Protocol in which malicious code was detected (HTTP/S, FTP, SMTP (default mode), POP3, IMAP4 or NNTP).
• Values of the data you want to see. Use the drop-down menu:
  • Percentage: Shows percentage data in the status graphs.
  • Absolute: Shows absolute data in the status graphs (default mode).
• Period. You can specify that the graphs must only show the malware detections during a certain interval:
  • Last 24 hours.
  • Last 7 days.
  • Last month.
  • Last year.
  • Specify dates: If you select this option, text boxes are enabled that allow you to specify the start and end dates.

The system uses cookies to remember your preferences.

Graphs

Panda GateDefender Performa shows the results of the filter applied in the previous section as a graph.

• Percentages and evolution.
This section shows two graphs. The pie chart shows the number and percentage of detections for each type of malware. Each type of malware is assigned a color, which corresponds to a section of the pie chart. The data displayed is classified into:
1. Malware type: Viruses, dialers, jokes, phishing (only in SMTP, POP3, IMAP4 and NNTP), hacking tools, security risks or spyware.
2. Total number of detections of this type of malware.
3. Percentage of detections of this type of malware with respect to the total files scanned.
The evolution graph shows the evolution of each type of malware during a specific period of time. The color of each line corresponds to the color of each type of malware.

• Top 10 detections.
A pie chart shows the ten malicious codes most frequently detected, taking into account the filtering criteria. Each one is assigned a color, which corresponds to a section of the pie chart. The data displayed is classified into:
1. Malware name.
2. Malware type (viruses, dialers, jokes, phishing, hacking tools, security risks or spyware).
3. Total number of detections of this malware.
4. Percentage of detections of this malware with respect to the total detections included in the Top Ten.

• Top 10 detections by user.
A pie chart shows the ten IP addresses of computers, or email addresses of recipients, with the most malicious code detections, bearing in mind the filtering criteria. Each computer or recipient is assigned a color, which corresponds to a section of the pie chart. The data displayed is classified into:
1. IP address (for HTTP/S and FTP) of the affected computer, or email address (for the mail and news protocols) of the affected recipient.
2. Total number of detections.
3. Percentage of detections for this computer or recipient with respect to the total detections included in the Top Ten.

Details of the Content Filter protection

The details of the activity of the Content Filter protection can be displayed in a graph.
View selection

You can select the details according to the following values:

• Protocol in which the content was filtered (HTTP/S, FTP, SMTP (default mode), POP3, IMAP4 or NNTP).
• Values of the data you want to see. Use the drop-down menu:
  • Percentage: Shows percentage data in the status graphs.
  • Absolute: Shows absolute data in the status graphs (default mode).
• Period. You can specify that the graphs must only show the events that occurred in a certain interval:
  • Last 24 hours.
  • Last 7 days.
  • Last month.
  • Last year.
  • Specify dates: If you select this option, text boxes are enabled that allow you to specify the start and end dates.

Graphs

Panda GateDefender Performa shows the results of the filter applied in the previous section as a graph. The information displayed is the following:

• Percentages and evolution.
This section shows two graphs. The pie chart shows the number and percentage of the items filtered. Each item is assigned a color, which corresponds to a section of the pie chart. The data displayed is classified into:
1. Event type: Items allowed and items filtered.
2. Total number of times this type of event has occurred.
3. Percentage with respect to the total files scanned.
The evolution graph shows the evolution of each item filtered during a specific period of time. The color of each line corresponds to the color of each item.

• Top 10 content filtered.
A pie chart shows the ten most frequent content filtering events, taking into account the filtering criteria. Each item is assigned a color, which corresponds to a section of the pie chart. The data displayed is classified into:
1. Item name.
2. Type of filter applied.
3. Total number of times the item has been filtered.
4. Percentage with respect to the total of the Top 10.

Details of the anti-spam protection

The details of the activity of the anti-spam protection can be displayed in a graph.
These details can be selected by protocol or by a specific date. The graphs vary depending on the selection criteria.

View selection

You can select the details according to the following values:

• Protocol (SMTP (default), POP3, IMAP4 or NNTP).
• Values of the data you want to see. Use the drop-down menu:
  • Percentage: Shows percentage data in the status graphs.
  • Absolute: Shows absolute data in the status graphs (default mode).
• Period. You can specify that the graphs must only show the messages detected in a certain interval:
  • Last 24 hours.
  • Last 7 days.
  • Last month.
  • Last year.
  • Specify dates: If you select this option, text boxes are enabled that allow you to specify the start and end dates.

Graphs

Panda GateDefender Performa shows the results of the filter applied in the previous section as a graph. The information displayed is the following:

• Percentages and evolution.
This section shows two graphs. The pie chart shows the number and percentage of detections for each type of message. Each type of message is assigned a color, which corresponds to a section of the pie chart. The data displayed is classified into:
1. Classification of the message (mail allowed, spam and probable spam).
2. Total number of detections of this type of message.
3. Percentage of detections of this type of message with respect to the messages scanned.
The evolution graph shows the evolution of each type of message during a specific period of time. The color of each line corresponds to the color of each type of message.

• Top 10 recipients of spam.
A pie chart shows the ten recipients that received most spam, taking into account the filtering criteria. Each recipient is assigned a color, which corresponds to a section of the pie chart. The data displayed is classified into:
1. Recipient's email address.
2. Total number of messages classified as spam.
3. Percentage of spam detections for this recipient with respect to the total of the Top Ten.
Messages classified as probable spam are not included in this graph.

• Top 10 senders of spam.
A pie chart shows the ten senders that sent most spam, taking into account the filtering criteria. Each sender is assigned a color, which corresponds to a section of the pie chart. The data is classified into:
1. Sender's email address.
2. Total number of messages classified as spam.
3. Percentage of spam detections for this sender with respect to the total of the Top Ten.
Messages classified as probable spam are not included in this graph.

Information on Web filtering

The details of the activity of the Web filtering can be displayed in a graph. These details can be selected by a specific date. The graphs vary depending on the selection criteria.

View selection

You can select the details according to the following values:

• Values of the data you want to see. Use the drop-down menu:
  • Percentage: Shows percentage data in the status graphs.
  • Absolute: Shows absolute data in the status graphs (default mode).
• Period. You can specify that the graphs must only show the accesses to restricted Web pages detected in a certain period:
  • Last 24 hours. Default mode.
  • Last 7 days.
  • Last month.
  • Last year.
  • Specify dates: If you select this option, text boxes are enabled that allow you to specify the start and end dates.

Graphs

Panda GateDefender Performa shows the results of the filter applied in the previous section as a graph.

• Percentages and evolution of pages.
This section shows two graphs. The pie chart shows the number and percentage of detections for each type of page. Each type of page is assigned a color, which corresponds to a section of the pie chart. The data is classified into:
1. Classification of the pages (pages allowed and restricted pages).
2. Total number of detections of this type of page.
3. Percentage of detections of this type of page with respect to the total pages scanned.
The evolution graph shows the evolution of each type of page during a specific period of time. The color of each line corresponds to the color of each type of page.

• Top 10 filtered pages visited.
A pie chart shows the ten restricted pages most visited, taking into account the filtering criteria. Each page is assigned a color, which corresponds to a section of the pie chart. The data displayed is classified into:
1. Page URL.
2. Category by which it has been filtered.
3. Total number of visits.
4. Percentage of visits to this page with respect to the total in the Top 10.

• Top 10 most visited domains.
Shows the ten most visited domains, taking into account the filtering criteria. Each domain is assigned a color, which corresponds to a section of the pie chart. It displays the data as follows:
1. Domain.
2. Category to which the domain corresponds.
3. Total number of visits.
4. Percentage of visits with respect to the Top Ten.

• Top 10 users that most browse the Web.
Shows the ten users that most use the Internet, taking into account the filtering criteria. Each user is assigned a color, which corresponds to a section of the pie chart. The data is classified as follows:
1. User.
2. Total number of visits.
3. Percentage of visits with respect to the Top Ten.

• Top 10 user accesses to blocked pages.
A pie chart shows the ten users that have most frequently visited blocked pages, taking into account the filtering criteria. Each user is assigned a color, which corresponds to a section of the pie chart. The data is classified into:
1. IP address. IP address of the user that accesses the restricted pages.
2. Total number of blocked pages visited.
3. Percentage with respect to the total of the Top 10.

If Panda GateDefender Performa is installed between the Internet and a Web proxy, only accesses from the proxy IP address are logged, so every user appears in this graph as the proxy.
IM/P2P/VoIP filter details

This offers a graphic display of the activity of the instant messaging, P2P and VoIP protocol filter. These details can be selected by a specific date. The graphs vary depending on the selection criteria.

View selection

You can select the details according to the following values:

• Values of the data you want to see. Use the drop-down menu:
  • Percentage: Shows percentage data in the status graphs.
  • Absolute: Shows absolute data in the status graphs (default mode).
• Period. You can specify that the graphs must only show the accesses to restricted protocols and applications detected in a certain period:
  • Last 24 hours. Default mode.
  • Last 7 days.
  • Last month.
  • Last year.
  • Specify dates: If you select this option, text boxes are enabled that allow you to specify the start and end dates.

The system uses cookies to remember your preferences.

Graphs

Panda GateDefender Performa shows the results of the filter applied in the previous section as a graph.

• Percentages and evolution.
This section shows two graphs. The pie chart shows the number and percentage of detections for each type of protocol. Each type is assigned a color, which corresponds to a section of the pie chart. The data is classified into:
1. Protocol classification.
2. Total number of detections for this type of protocol.
3. Percentage of detections for this type of protocol with respect to all the traffic analyzed.
The evolution graph shows the evolution of each type of protocol during a specific period of time. The color of each line corresponds to the color of each type.

• Percentages and evolution of the applications.
This section shows two graphs. The pie chart shows the number and percentage of detections for each type of access. Each type of access is assigned a color, which corresponds to a section of the pie chart.
The data is classified into:
1. Classification of the applications (connections or accesses of protocols allowed and restricted).
2. Total number of detections of this type of access generated by the protocols specified.
3. Percentage of detections of this type of access generated by the specified protocols, with respect to all accesses.
The evolution graph shows the evolution of each type of protocol during a specific period of time. The color of each line corresponds to the color of each type of protocol.

• Top 10 restricted protocols.
A pie chart shows the ten restricted resources most accessed, taking into account the filtering criteria. Each application is assigned a color, which corresponds to a section of the pie chart. The data displayed is classified into:
1. Protocol name.
2. Category by which it has been filtered.
3. Total number of accesses.
4. Percentage of accesses to this application with respect to the total in the Top 10.

• Top 10 user accesses to restricted protocols.
A pie chart shows the ten users that have most frequently accessed restricted protocols, taking into account the filtering criteria. Each user is assigned a color, which corresponds to a section of the pie chart. The data is classified into:
1. IP address. IP address of the user that accesses the restricted protocols.
2. Total number of restricted protocol accesses.
3. Percentage with respect to the total of the Top 10.

If Panda GateDefender Performa is installed between the Internet and a Web proxy, only accesses from the proxy IP address are logged.

Version details

To check the version of the different modules incorporated in Panda GateDefender Performa:

1. Select the Status menu in the console main window.
2. Click the icon next to Last update.

You can also access the screen by going to Status > Updates and licenses > Last update.
A window appears with the following data:

• Date of the signature files and version of the anti-malware engine.
• Date of the signature files and version of the anti-spam engine.
• Version of the Web filtering engine.
• Date of the IM/P2P/VoIP protocol filter rules.
• IM/P2P/VoIP protocol filter engine version.
• System software version (firmware).

System status

This displays all the information about system operation, through the following graphs:

• System connections
• System load
• Network interface cards
• System data

System connections

Indicates the number of current connections, with a graph showing the number of connections established and failed.

• Connections established. Shows the number of connections successfully established through the appliance for the protocols that the device is scanning.
• Simultaneous connections. The number of connections open at the same time. Here it indicates the average number of connections open at the same time over a given period. This information is particularly useful for knowing the workload of Panda GateDefender Performa at any given moment.

System load

Graph showing the CPU load.

• Load balancing. If you have more than one unit working in load balancing mode, this section lets you view the rest of the units and access their Web administration consoles. You can also check the status (master or slave) of all the units. To access the consoles of the other Panda GateDefender Performa units:
1. Click the Open console link next to the name of the other unit.
2. Enter the user name and password for accessing the console of the device you want to access.

Network interface cards

This section shows the Megabytes (or Gigabytes) that have passed through each network interface card (NIC1 and NIC2), distinguishing inbound from outbound data, with the corresponding graph.
System data

A progress bar shows the percentage system load and the uninterrupted run time.

Restart statistics

Use this button, at the bottom of the window, to restart the system graph statistics. Once the statistics are restarted, the data displayed in the Status window changes accordingly.

Introduction to the settings

When you access the Settings menu of the Panda GateDefender Performa console, you will find the options grouped into two main sections: protection settings and system settings. From these sections you can configure specific features of each protection module, general system features, IP addresses and domains, protection profiles, warnings, etc.

Protection settings

In addition to configuring the anti-malware and anti-spam protection, Panda GateDefender Performa lets you decide which Web pages users may access, which email, Internet or News content to permit or restrict, and whether to restrict access to instant messaging and P2P protocols. You can also add ports to those that Panda GateDefender Performa scans by default, and create specific profiles and assign them to the appliances you choose.

System settings

In this section of the Settings menu you will find options that allow you to configure general system features, internal networks, IP addresses and domains, warnings, etc.

Protection settings

Anti-malware protection

Malware types

Panda GateDefender Performa protects against malware in general and viruses in particular, before these malicious codes can enter or leave your organization. Panda GateDefender Performa blocks attacks launched by:

1. Viruses. Programs that can enter computers or IT systems in a number of ways, causing effects that range from merely annoying to highly destructive and irreparable.
2. Worms.
Programs similar to viruses, but they differ in that all they do is make copies of themselves (or parts of themselves).
3. Vulnerability exploits. Attempts to exploit vulnerabilities through both email and HTTP.
4. Trojans. Strictly speaking, a Trojan is not a virus, although it is often thought of as one. Trojans are programs that install themselves on computers while appearing to be harmless, and then carry out actions that compromise user confidentiality.
5. Dialers. Programs often used to maliciously redirect Internet connections. They are designed to disconnect the legitimate telephone connection used to dial in to the Internet and reconnect via a premium-rate number. Often, the first indication a user has of this activity is an extremely expensive phone bill.
6. Jokes. Not viruses, but tricks that aim to make users believe they have been infected by a virus.
7. Spyware. Programs that are installed automatically along with another program (usually without the user's permission, and often without the user realizing), which collect personal data (Internet access data, actions carried out while browsing, pages visited, programs installed on the computer, etc.). This information could be published, compromising user confidentiality.
8. Hacking tools and potentially unwanted programs. Programs that a hacker can use to carry out actions that cause problems for the user of the affected computer (taking control of the computer, stealing confidential information, scanning communication ports, etc.).
9. Security risks. Any program that can be used for malicious purposes to cause problems for the user of the computer, for example a program for creating viruses or Trojans.
10. Phishing. An attack that uses social engineering.
It consists of a message that seems to be sent from a trusted source and tries to trick the user into revealing private information (passwords, credit card numbers, etc.), which is then used for fraudulent purposes (for example, identity theft).

Anti-malware protection settings

You can configure the anti-malware protection (anti-dialer, anti-spyware, anti-joke, anti-phishing, heuristic protection and protection against hacking tools and security risks). Bear in mind that the protocol settings defined for the antivirus protection are applied to all the other types of anti-malware protection.

You can configure the following types of protection:

• Antivirus protection: Viruses, worms and Trojans.
• Heuristic protection: Unknown viruses.
• Anti-phishing protection: Private data theft.
• Protection against other risks: Hacking tools and security risks.
• Trusted sites and domains: List of trusted domains and/or IP addresses whose traffic will not be scanned for malware.

Antivirus protection settings

Protection against jokes, spyware and dialers

If you enable the antivirus protection, the protection against jokes, spyware and dialers is also enabled:

• Jokes: Not viruses, but tricks that aim to make users believe their computers have been infected by a virus. Panda GateDefender Performa deletes the jokes it detects. As they are not files infected by a virus, they cannot be disinfected.
• Spyware: Programs that are installed automatically along with another program (usually without the user's permission, and often without the user realizing), which collect personal data (Internet access data, actions carried out while browsing, pages visited, programs installed on the computer, etc.). Panda GateDefender Performa deletes the spyware it detects. As they are not files infected by a virus, they cannot be disinfected.
• Dialers: Programs often used to maliciously redirect Internet connections.
They normally redirect the connection to a premium-rate number. Panda GateDefender Performa deletes the dialers it detects. As they are not files infected by a virus, they cannot be disinfected.

In all three cases, Panda GateDefender Performa inserts a customizable warning as well as deleting the threat. The warning text is configured in the warning settings.

Antivirus protection settings

To access the antivirus protection settings, click the Settings menu of the main console window and select Antivirus. This window allows you to configure the protocols that Panda GateDefender Performa must scan for viruses, the file extensions that must be scanned or excluded from the scan, and the actions Panda GateDefender Performa must take when malicious code is detected.

Protocols to scan

Panda GateDefender Performa intercepts and scans HTTP, HTTPS, FTP, SMTP, POP3, IMAP4 and NNTP traffic for viruses, worms and Trojans. If you use Exchange servers in native mode, the encrypted traffic generated between them is let through without being scanned.

If you clear the checkbox next to a protocol in the antivirus protection settings window, Panda GateDefender Performa will not scan that protocol for malware. The protocols configured through the antivirus protection settings window are also applied automatically to the rest of the protection types. The configuration options for each protocol are described under Protocol settings. Note that a protocol is only intercepted on its default port and on the additional ports you specify; traffic carried on any other port is not scanned.

After configuring the protocols and ports, you can configure the Extensions to scan. If you click this option, a new window appears in which you can specify whether Panda GateDefender Performa must scan all files (Scan files with any extension) or only files whose extension appears in the Extensions to scan list (Scan files with the following extensions:). In the latter case, select the corresponding checkbox if you want Panda GateDefender Performa to Scan files without extensions.
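The protocol, port and extension settings above decide which flows the appliance scans at all, and the gaps (a non-standard port that was never added, an extension missing from a restrictive list, a file with no extension, encrypted server-to-server traffic) are where infected files slip through. The following Python script is an added example, not code from Panda GateDefender Performa or its documentation: it models those settings as a `ScanPolicy` (a hypothetical class), applies them to a constructed list of flows, and reports every flow that would bypass scanning and why. The ports 80, 21, 25 and 110 are the defaults this guide documents; 443, 143, 119 and 587 are the standard IANA ports assumed for the other protocols.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Set, Tuple

# Default target ports: 80, 21, 25 and 110 are the ones this guide documents;
# 443, 143 and 119 are the standard IANA ports for the other intercepted
# protocols (assumption: the guide excerpt does not list them).
DEFAULT_PORTS: Dict[str, int] = {
    "HTTP": 80, "HTTPS": 443, "FTP": 21, "SMTP": 25,
    "POP3": 110, "IMAP4": 143, "NNTP": 119,
}


@dataclass
class ScanPolicy:
    """Hypothetical model of the antivirus settings window: protocol
    checkboxes, additional ports and the 'Extensions to scan' dialog."""
    enabled: Set[str] = field(default_factory=lambda: set(DEFAULT_PORTS))
    additional_ports: Dict[str, Set[int]] = field(default_factory=dict)
    scan_all_extensions: bool = True                  # "Scan files with any extension"
    extensions: Set[str] = field(default_factory=set)  # "Scan files with the following extensions"
    scan_files_without_extension: bool = False

    def ports_for(self, protocol: str) -> Set[int]:
        """Default port plus any additional ports the administrator added."""
        return {DEFAULT_PORTS[protocol]} | self.additional_ports.get(protocol, set())

    def scans_file(self, filename: str) -> bool:
        """Apply the extension list; the comparison is case-insensitive."""
        if self.scan_all_extensions:
            return True
        name = filename.rsplit("/", 1)[-1]
        if "." not in name:
            return self.scan_files_without_extension
        ext = name.rsplit(".", 1)[-1].lower()
        return ext in {e.lower().lstrip(".") for e in self.extensions}


@dataclass(frozen=True)
class Flow:
    """One intercepted connection (constructed, not appliance log data)."""
    protocol: str
    dst_port: int
    filename: str = ""
    encrypted: bool = False   # e.g. TLS between Exchange servers in native mode


def verdict(policy: ScanPolicy, flow: Flow) -> str:
    """Explain whether the appliance would scan this flow under the policy."""
    if flow.protocol not in DEFAULT_PORTS:
        return "not scanned: protocol is not intercepted by the appliance"
    if flow.encrypted:
        return "not scanned: encrypted traffic is let through unscanned"
    if flow.protocol not in policy.enabled:
        return f"not scanned: {flow.protocol} scan is disabled"
    if flow.dst_port not in policy.ports_for(flow.protocol):
        return (f"not scanned: port {flow.dst_port} is neither the default "
                f"{flow.protocol} port nor an additional port")
    if flow.filename and not policy.scans_file(flow.filename):
        return f"not scanned: {flow.filename!r} is excluded by the extension list"
    return "scanned"


def unscanned(policy: ScanPolicy, flows: List[Flow]) -> List[Tuple[Flow, str]]:
    """The audit result: every flow that would bypass scanning, with the reason."""
    results = [(f, verdict(policy, f)) for f in flows]
    return [(f, v) for f, v in results if v != "scanned"]


# Constructed sample: all protocols ticked, 8080 added as an extra HTTP port,
# and scanning restricted to a short extension list.
SAMPLE_POLICY = ScanPolicy(
    additional_ports={"HTTP": {8080}},
    scan_all_extensions=False,
    extensions={"exe", "dll", "zip", "doc", "pdf"},
    scan_files_without_extension=False,
)

SAMPLE_FLOWS = [
    Flow("HTTP", 80, "setup.exe"),
    Flow("HTTP", 8080, "tool.ZIP"),         # extra port, case-insensitive extension
    Flow("HTTP", 8000, "payload.exe"),      # port never added: bypass
    Flow("HTTP", 80, "README"),             # no extension: skipped by the policy
    Flow("SMTP", 25, "report.docx"),        # docx is not in the list: skipped
    Flow("SMTP", 25, "", encrypted=True),   # Exchange native mode TLS: passed through
    Flow("SMTP", 587, "invoice.pdf"),       # submission port not configured: bypass
    Flow("SSH", 22, "dump.tar.gz"),         # never intercepted
]

if __name__ == "__main__":
    for flow, why in unscanned(SAMPLE_POLICY, SAMPLE_FLOWS):
        print(f"{flow.protocol}:{flow.dst_port} {flow.filename or '-'} -> {why}")
```

Run against your own connection records (for example, exported firewall or proxy logs reduced to protocol, destination port and file name) to see which flows the configured policy never looks at; every line printed is a candidate for an additional port, an extension to add, or a deliberate, documented exception.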
Actions to take

In this section, you can specify the action Panda GateDefender Performa must take when malicious code is detected.

Depending on the settings of the events to report, different types of notifications may be available. For more information, refer to Events to report settings.

The actions that can be taken with messages automatically generated by viruses are:

• Completely delete the message.
• Delete only the infected attachment.

For the rest of the detections, the options are:

• Disinfect. Panda GateDefender Performa disinfects the infected file. If disinfection is not possible (because the virus code has overwritten the original code, for example):
  o For the HTTP/S and FTP protocols, the file transfer is blocked or the file is rendered unusable.
  o For the rest of the protocols, the infected files are deleted.
  o By default, a copy of the files that cannot be disinfected is sent to quarantine. If you do not want these files to be stored in quarantine, clear this option.
  When messages are deleted, Panda GateDefender Performa replies to the computer trying to send the message carrying the malicious code as if the message had been sent correctly.
• Delete the file. Panda GateDefender Performa directly deletes the infected file.
  o For the HTTP/S and FTP protocols, the file transfer is blocked or the file is rendered unusable.
  o For the rest of the protocols, the infected files are deleted.
  o If you enable the checkbox For the SMTP protocol, completely delete the message (not just the file), email messages that use this protocol are prevented from reaching the recipient.

It is advisable to select the Disinfect option: almost all fake-from messages and messages sent by mass-mailing worms are infected and are deleted when detected, while attachments with useful content in other messages are disinfected.
The recipients of infected messages will be informed that they have been disinfected, and a warning can also be sent to the sender.

Optimization of HTTP/S traffic
To optimize HTTP/S traffic, a cache stores the addresses of malware that has been downloaded, for a configurable period of time. During this period, when a client requests malware that has already been identified, Panda GateDefender Performa displays a warning containing the address, the name and type of the malware, and the action taken, instead of downloading and scanning the file again. To use the cache that stores malware addresses, select the corresponding checkbox. You can also configure the cache time limit, provided the value is between 1 and 60 minutes.

Protocol settings
Protocols are the rules and procedures for communication between computers. Be particularly careful when configuring the protocols to scan, as these settings apply to the antivirus scan and to the other types of anti-malware protection. Panda GateDefender Performa protects the most widely used communication protocols:
• HTTP/HTTPS: Hyper-Text Transfer Protocol, used for web traffic on the Internet.
• SMTP: Simple Mail Transfer Protocol, used for sending mail.
• POP3: Post Office Protocol version 3, used for retrieving mail from a server.
• IMAP4: Internet Message Access Protocol, used for accessing mail held on a server.
• FTP: File Transfer Protocol, used for transferring files between computers that run TCP/IP.
• NNTP: Network News Transfer Protocol, used for accessing newsgroups.

If you use Exchange servers in native mode, encrypted traffic generated between them will be let through without being scanned.

Antivirus protection for HTTP/HTTPS
When the HTTP scan is enabled, Panda GateDefender Performa:
• Scans the traffic in connections whose target port is 80, or any of the additional HTTP ports specified (HTTP 1.0 and HTTP 1.1).
• Scans data transferred through download commands (for example, GET) as well as data transferred through upload commands (for example, POST).
• Scans web mail traffic in both directions, regardless of which side of the appliance establishes the connection. All web mail downloaded and sent is scanned.
• Scans any transfer that uses HTTP, including those that could otherwise prevent the content from being correctly scanned (files downloaded in chunked transfer mode, partial files, files downloaded in several ranges or threads, etc.).
• Scans FTP over HTTP.

Antivirus protection for FTP
When the FTP scan is enabled, Panda GateDefender Performa:
• Scans the traffic in connections whose target port is 21, or any of the additional FTP ports specified.
• Scans FTP traffic in both directions, regardless of which side of the appliance establishes the connection. It scans files transferred through active FTP, passive FTP and extended passive FTP, and scans all files downloaded and uploaded.

Antivirus protection for SMTP
When the SMTP scan is enabled, Panda GateDefender Performa:
• Scans the traffic in connections whose target port is 25, or any of the additional SMTP ports specified.
• Scans SMTP traffic in both directions, regardless of which side of the appliance establishes the connection.
• Scans any transfer that uses SMTP, including those that could otherwise prevent the content from being correctly scanned (messages sent with the CHUNKING (BDAT) and BINARYMIME extensions of RFC 3030, with PIPELINING as defined in RFC 2920, etc.).

Antivirus protection for POP3
When the POP3 scan is enabled, Panda GateDefender Performa:
• Scans the traffic in connections whose target port is 110, or any of the additional POP3 ports specified.
• Scans POP3 traffic in both directions, regardless of which side of the appliance establishes the connection.
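The chunked HTTP transfers mentioned above are a good illustration of why a gateway scanner has to reassemble content before matching it. The following is an added example, not code from this guide or from the product: it decodes an HTTP/1.1 chunked body and shows that a scanner which looks at each chunk on its own misses a signature split across a chunk boundary, while one that reassembles the body first catches it. The response is constructed; the "signature" is the public EICAR antivirus test string, which real engines detect by design.

```python
# Added example; it is not code from the guide or the product. It decodes an
# HTTP/1.1 chunked response body before scanning it and shows why scanning
# chunk by chunk misses a signature that straddles a chunk boundary, which is
# the kind of transfer the text says the appliance must still scan correctly.
# The response is constructed here; the "signature" is the public EICAR
# antivirus test string, which real engines detect on purpose.

EICAR = b"X5O!P%@AP[4\\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*"


def split_http_response(raw: bytes):
    """Split a raw response into (header lines, body bytes)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    return head.split(b"\r\n"), body


def is_chunked(header_lines) -> bool:
    """True if a Transfer-Encoding header names chunked encoding."""
    for line in header_lines:
        name, _, value = line.partition(b":")
        if name.strip().lower() == b"transfer-encoding" and b"chunked" in value.lower():
            return True
    return False


def decode_chunked(body: bytes):
    """Yield each chunk's data in order; stop at the zero-size terminator.

    Chunk extensions after ';' are ignored, as RFC 7230 permits. A truncated or
    malformed body raises ValueError instead of quietly yielding partial data,
    so the caller can block the transfer rather than scan an incomplete file.
    """
    pos = 0
    while True:
        end = body.find(b"\r\n", pos)
        if end < 0:
            raise ValueError("truncated chunk-size line")
        size = int(body[pos:end].split(b";", 1)[0].strip(), 16)
        pos = end + 2
        if size == 0:
            return                      # optional trailer headers follow; not needed here
        chunk = body[pos:pos + size]
        if len(chunk) != size or body[pos + size:pos + size + 2] != b"\r\n":
            raise ValueError("truncated or malformed chunk")
        yield chunk
        pos += size + 2


def scan_per_chunk(raw: bytes) -> bool:
    """Naive scanner: matches inside each chunk separately (evadable)."""
    headers, body = split_http_response(raw)
    pieces = list(decode_chunked(body)) if is_chunked(headers) else [body]
    return any(EICAR in piece for piece in pieces)


def scan_reassembled(raw: bytes) -> bool:
    """Correct scanner: reassembles the whole body, then matches."""
    headers, body = split_http_response(raw)
    data = b"".join(decode_chunked(body)) if is_chunked(headers) else body
    return EICAR in data


def make_chunked_response(payload: bytes, cut: int) -> bytes:
    """Construct a chunked 200 response that splits the payload at byte 'cut'."""
    parts = [payload[:cut], payload[cut:]]
    body = b"".join(b"%x\r\n%s\r\n" % (len(p), p) for p in parts) + b"0\r\n\r\n"
    return (b"HTTP/1.1 200 OK\r\nContent-Type: application/octet-stream\r\n"
            b"Transfer-Encoding: chunked\r\n\r\n" + body)


# Constructed download whose test signature is split across two chunks.
SAMPLE_PAYLOAD = b"prefix " + EICAR + b" suffix"
SAMPLE = make_chunked_response(SAMPLE_PAYLOAD, cut=20)
```

The same reasoning applies to the other transfer modes the text lists: HTTP range requests spread across several connections, or SMTP messages sent with BDAT chunks, must be joined back together before the engine sees them, and a transfer that cannot be completed should be blocked rather than passed through half-scanned.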
Antivirus protection for IMAP4
When the IMAP4 scan is enabled, Panda GateDefender Performa:
• Scans the traffic in connections whose target port is 143, or any of the additional IMAP4 ports specified.
• Scans IMAP4 traffic in both directions, regardless of which side of the appliance establishes the connection.

Antivirus protection for NNTP
When the NNTP scan is enabled, Panda GateDefender Performa:
• Scans the traffic in connections whose target port is 119, or any of the additional NNTP ports specified.
• Scans NNTP traffic in both directions, regardless of which side of the appliance establishes the connection.

Heuristic protection settings
To access the heuristic protection settings, click the Settings menu of the main console window and select Heuristic. The Panda GateDefender Performa heuristic protection detects viruses that have not yet been cataloged. The heuristic protection scans the same protocols as those configured for the antivirus protection.

Select Enable unknown threats protection to activate the heuristic protection. The heuristic scan options are only available when this checkbox is enabled.

Sensitivity level
The sensitivity level of the heuristic scan specifies how tolerant the protection is of suspicious files. The higher the sensitivity level, the higher the protection, but also the higher the risk of a legitimate file being classified as suspicious.

Action
The actions that can be taken are:
• Send the suspicious file to quarantine. If you choose this option, the rest of the actions are disabled.
• For HTTP and FTP: Panda GateDefender Performa blocks the transfer of suspicious files, or renders them unusable if they cannot be blocked.
• For the rest of the protocols:
  o Delete the suspicious file: Panda GateDefender Performa deletes the suspicious file and includes a text in the message that reports the deletion.
  o Redirect the message: the suspicious message is redirected to the email address entered in the textbox corresponding to this option. Messages are only completely redirected for SMTP. For the other mail and news protocols, the suspicious content is deleted and a substitute text can be configured by clicking the corresponding link. Click Mail server settings to specify the SMTP server that will be used to redirect mail. For more information about how to configure the mail server, click here.

Anti-phishing protection settings
To access the anti-phishing protection settings, click the Settings menu of the main console window and select Anti-phishing. The anti-phishing protection safeguards computers from attacks aimed at stealing private data such as passwords, banking details, etc. The anti-phishing protection scans the same protocols as those configured for the antivirus protection, and it is enabled whenever protection for any of the email protocols is enabled in the antivirus protection settings.

To enable this protection, select the Enable Anti-phishing protection checkbox. In SMTP traffic to scan, select the direction of the messages (inbound, outbound, or inbound and outbound) you want to scan, and click Save. Remember that for this protection to operate correctly, it is important to define the internal networks in your organization. To do this, click Internal networks.

Action
• Delete: Panda GateDefender Performa deletes the message.
  o For SMTP, Panda GateDefender Performa deletes it completely.
  o For the rest of the mail and news protocols, a text can be inserted in the subject and body of the original message. Enable the checkboxes for each option and enter the text that you want to insert in the subject or message body.
• Flag message subject and body: the message is flagged and a text is added to the subject and/or body of the message indicating that it is phishing. Enable the corresponding checkboxes for each option and enter the text you want to insert in the subject or message body.
• Redirect the message: the suspicious message is redirected to the email address entered in the textbox corresponding to this option.
  o Enter the email address to which you want to redirect the message.
  o Click Mail server settings to specify the SMTP server that will be used to redirect mail. For more information about configuring the mail server, click here.
  o Enable the corresponding checkboxes for each option and enter the text you want to insert in the subject or message body.
  Messages are only redirected for SMTP. For the rest of the mail and news protocols, a copy is sent to the address specified in the associated textbox.
• Let it through, just generate report: lets the message through and generates a detection report.

Protection against other security risks settings
To access the protection against other security risks settings, click the Settings menu of the main console window and select Other risks. The Panda GateDefender Performa protection against other risks keeps your organization safe from hacking tools, security risks caused by certain applications, and potentially unwanted programs. This protection scans the same protocols as those configured for the antivirus protection.

Protection against hacking tools and potentially unwanted programs
The Panda GateDefender Performa protection against hacking tools and potentially unwanted programs safeguards your network from malicious hacking tools. Select Enable protection against hacking tools and potentially unwanted programs.
If you select Automatically delete potentially unwanted programs, Panda GateDefender Performa deletes these programs automatically without prompting you to confirm. Depending on the settings of the events to report, different types of notifications could be available. For more information, refer to Events to report settings.

Protection against security risks
The Panda GateDefender Performa protection against security risks neutralizes the security risks caused by certain applications installed on your systems. This protection is enabled whenever the antivirus protection is enabled, so that your organization is always protected against these kinds of threats.

Trusted sites and domains settings in the anti-malware protection
To access the trusted sites and domains settings, click the Settings menu in the main console and, in Protection > Anti-malware, select Trusted sites and domains.

Sometimes, the traffic sent from certain servers, computers or domains is trusted enough to be excluded from the scans. By excluding this traffic from the anti-malware scans, the workload of Panda GateDefender Performa is reduced and its performance is optimized. You can create a list of servers, websites, domains, subdomains, IP addresses and ranges that will be excluded from the scan. This exclusion applies to all protocols. To do this:
1. Click the Settings menu in the main console screen.
2. Go to Protection > Anti-malware and click Trusted sites and domains. This shows the trusted sites and domains configured to date.
3. To add a new domain, subdomain, range, etc., enter it in the New box and click Add. For IP addresses you can use CIDR format, and for sub-domains you can use wildcards. The updated list is displayed in the box.
4. To delete any item, select it and click Delete.
After you have completed these steps, Panda GateDefender Performa will not scan traffic from those domains, servers or computers for malware. Bear in mind that this exclusion applies to every protection type, so a trusted server that is later compromised can deliver malware unchecked; keep the list as short as possible and review it regularly.

The correct format for entering a trusted site or domain
• For websites: enter the full host name of the site (for example, mail.pandasoftware.com) or its IP address (for example, 192.168.1.200).
• For domains or sub-domains: enter an asterisk in place of the first label (for example, *.subdomain.domain.com or *.domain.com). You can also enter an asterisk after the final dot of the domain (for example, www.domain.*). Bear in mind that it is not possible to use more than one asterisk (for example, *.domain.* is not valid). If you do not want to include sub-domains, you do not need to use the asterisk (for example, domain.com).

Content Filter protection

Content Filter protection settings
Panda GateDefender Performa monitors and filters the content of email attachments, websites and newsgroups. The Content Filter settings are divided into the following groups:
• HTTP/S and FTP protection settings
• Mail and news protection settings
• Trusted sites and domains

HTTP/S and FTP protection settings
To access the HTTP/S and FTP protection settings, click the Settings menu of the main console window and select Content Filter > HTTPs and FTP. The Content Filter HTTP/S and FTP protection allows you to control the files that can and cannot enter your organization through HTTP/S and FTP.

Files to scan
Select Enable the content-filter HTTP/S and FTP protection to use this content filter. For more information about configuring the files to scan, click here.

Traffic to scan
You can choose which traffic to scan. Enable the checkbox for the corresponding protocols: HTTP, HTTPS and FTP.

Filters
Select Enable file filter. For more information about configuring the file filtering, click here.
Select Enable HTML page filter if you want to remove potentially dangerous items from HTML pages. If this filter is enabled, you can also configure it to Delete embedded scripts in the code of HTML pages or Delete references to external scripts. If you selected Delete embedded scripts, click Settings to configure this option.

Files to scan settings
Check Scan compressed files to enable the scanning of compressed files.

Files excluded from the scan
Sometimes, certain files might need to be excluded from the file scan of the content-filter protection. To add a file to the list of exclusions in Panda GateDefender Performa, follow the steps below:
1. Click Add...
2. Select the file you want to exclude.
If you want to import a list of files for the same purpose, click Import list and select the file to import. To delete a file from the list of exclusions, click the file and then click Delete. To export your list of exclusions, click Export list. Click Clear list to delete all the files from the list, leaving it blank.

File filter settings
The file filter settings section allows you to specify the file types to detect and the action to take if one of these files is detected. Follow the steps below to configure the file filter:
1. Enable the checkbox next to the description of each file type to detect.
2. Select the action to take if one of these files is detected. The drop-down menu offers the following actions:
  • Delete: eliminates the file detected.
  • Let it through, just generate report: lets the file through and generates a detection report.
  • Send it to quarantine.
3. You need to specify additional information for some options. In this case, the Settings button is activated.
Click it and configure the parameters required:
  • Files with a multiple extension or truncated extension: Panda GateDefender Performa shows a list with the title Multiple extensions ending in the following will be filtered. To exclude any of the multiple extensions from this filter, specify it in the Multiple extensions excluded list.
  • Attachments whose size exceeds the maximum: define the maximum size. Panda GateDefender Performa blocks files that exceed this size.
  • Suspicious compressed files: define whether they are suspicious because they have an excessive level of nesting, contain an excessive number of files, or exceed a maximum size when decompressed.
  • Files with dangerous extensions: define the list of dangerous extensions.
  • Dangerous MIME type settings: define the MIME types to detect.
  • ActiveX: define the websites from which ActiveX controls can be downloaded, or the websites from which they cannot be downloaded.
  • Java applets: define the websites from which Java applets can be downloaded, or the websites from which they cannot be downloaded.
4. Click Save.

Mail and news protection settings
The content-filter mail and news protection lets you control the messages and attachments that can and cannot enter your organization.

Messages and attachments to scan
Select Enable the content filter mail and news protection. In SMTP traffic to scan, select the direction of the messages (inbound, outbound, or inbound and outbound) you want to scan, and click Save. Remember that for this protection to operate correctly, it is important to define the internal networks in your organization. To do this, click Internal networks. For more information about configuring the attachment filter, click here.

Filters
The message filter allows you to filter messages by their characteristics and delete potentially dangerous content:
• Enable message filter.
  For more information about configuring the message filter, click here.

The attachment filter scans and filters potentially dangerous items that could be included in email messages, and allows actions to be taken on them or on the messages carrying them.
• Enable attachment filter. For more information about configuring it, click here.

Anomalies
Certain programs or computer systems have flaws that could be exploited. Panda GateDefender Performa protects your network from these types of vulnerabilities through its content-filter protection.
1. Select Detect malformed messages to detect messages that do not meet messaging standards and could, therefore, pose a threat to your organization.
2. Select the action to take if one of these messages is detected. The drop-down menu offers the following actions:
  • Delete message. For SMTP, messages are completely deleted. For the rest of the protocols, the text of the message that the original recipient receives is replaced. You can configure the replacement text by clicking the associated link.
  • Redirect the message. For SMTP, messages are redirected to the address configured. You can modify this address by clicking the link. For the rest of the protocols, a copy is sent to that address and the text of the message that the original recipient receives is replaced. You can configure the replacement text by clicking the associated link.
  • Let it through, just generate report: lets the message through and generates a detection report.
  • Send it to quarantine. You can configure automatic sending to quarantine.
3. Enable Block partial messages to detect messages received in parts, which can pose a threat due to a possible vulnerability in mail programs and because the mail program reassembles the parts only after each of them has passed the gateway on its own. If a partial message is detected, the content is replaced with a warning.

Message filter settings

Message content
The content filter can scan messages by their content and delete potentially dangerous content.
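The anomaly checks above (malformed and partial messages) and the attachment file-type rules from the file filter settings, as an added example that is not part of this guide or of the product's code. It parses raw messages with Python's email package and reports which rules each attachment triggers; the rule lists, the size limit and the sample messages are constructed for the demonstration, and a real deployment would use the lists configured in the console.

```python
# Added example; not code from the guide or the product. It applies the
# attachment rules listed in the file filter settings (dangerous extensions,
# multiple extensions, oversized attachments, dangerous MIME types) and the two
# anomaly checks above (malformed message, partial message) to raw messages
# using Python's email package. The rule lists, the size limit and the sample
# messages are constructed; a real deployment would use the lists configured in
# the console.
import email
from email import policy
from email.message import EmailMessage

DANGEROUS_EXTENSIONS = {"exe", "scr", "pif", "bat", "cmd", "vbs", "js", "com"}
MULTI_EXT_FINAL = {"exe", "scr", "pif", "com", "bat"}   # "multiple extensions ending in ..."
DANGEROUS_MIME = {"application/x-msdownload", "application/x-msdos-program", "application/hta"}
MAX_ATTACHMENT_BYTES = 1024 * 1024                       # "attachments whose size exceeds the maximum"


def extensions(filename: str):
    """All extensions of a name, lower-cased: 'invoice.pdf.exe' -> ['pdf', 'exe']."""
    parts = filename.rsplit("/", 1)[-1].lower().split(".")
    return [p for p in parts[1:] if p]


def check_attachment(part: EmailMessage):
    """Rules one attachment triggers, in a fixed order."""
    hits = []
    exts = extensions(part.get_filename() or "")
    if exts and exts[-1] in DANGEROUS_EXTENSIONS:
        hits.append("dangerous extension")
    if len(exts) > 1 and exts[-1] in MULTI_EXT_FINAL:
        hits.append("multiple extension")           # e.g. report.pdf.exe
    if part.get_content_type() in DANGEROUS_MIME:
        hits.append("dangerous MIME type")
    if len(part.get_payload(decode=True) or b"") > MAX_ATTACHMENT_BYTES:
        hits.append("attachment too large")
    return hits


def check_message(raw: bytes):
    """Anomaly flags and per-attachment rule hits for one raw message."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    result = {"malformed": False, "partial": False, "attachments": {}}
    for part in msg.walk():
        # The parser records standards violations (missing MIME boundary, bad
        # header lines, ...) as defects instead of failing: that is "malformed".
        if part.defects:
            result["malformed"] = True
        # RFC 2046 message/partial: the client reassembles the pieces after they
        # have passed the gateway, so no single piece shows the whole file.
        if part.get_content_type() == "message/partial":
            result["partial"] = True
        if part.get_filename():
            result["attachments"][part.get_filename()] = check_attachment(part)
    return result


def build_sample(filename: str, ctype: str, data: bytes) -> bytes:
    """Construct a one-attachment message for the demonstration."""
    msg = EmailMessage()
    msg["From"] = "sender@example.net"
    msg["To"] = "user@example.org"
    msg["Subject"] = "constructed sample"
    msg.set_content("see attachment")
    maintype, subtype = ctype.split("/", 1)
    msg.add_attachment(data, maintype=maintype, subtype=subtype, filename=filename)
    return msg.as_bytes()


# Constructed messages: a disguised executable, a clean document, an oversized
# attachment, a message/partial fragment and a multipart without a boundary.
SAMPLE_DOUBLE_EXT = build_sample("invoice.pdf.exe", "application/x-msdownload", b"MZ\x90\x00")
SAMPLE_CLEAN = build_sample("report.pdf", "application/pdf", b"%PDF-1.4 ...")
SAMPLE_TOO_LARGE = build_sample("big.bin", "application/octet-stream",
                                b"x" * (MAX_ATTACHMENT_BYTES + 1))
SAMPLE_PARTIAL = (b"From: sender@example.net\r\nTo: user@example.org\r\n"
                  b'Content-Type: message/partial; id="abc@example.net"; number=1; total=2\r\n'
                  b"\r\nContent-Type: application/octet-stream\r\n\r\nfirst half of the payload\r\n")
SAMPLE_MALFORMED = (b"From: sender@example.net\r\nTo: user@example.org\r\n"
                    b"Content-Type: multipart/mixed\r\n\r\nbody without any boundary\r\n")
```

Note that check_message never tries to reassemble a message/partial fragment: the point of the Block partial messages option is precisely that the gateway cannot see the whole attachment, so the fragment is flagged instead of being judged on its own content.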
Follow the steps below to configure these settings:
1. Check Enable text content filter and click Settings to customize message filtering.
2. In the Action to take menu, select the action that the message filter must take with messages:
  • Delete message.
  • Redirect message.
  • Let it through, just generate report.
  • Send it to quarantine.
3. Check Delete embedded scripts to delete potentially dangerous code inside messages. Click Settings... to customize the filter.
4. Check Delete only references to external scripts to delete only the references to scripts outside the message.
5. Check Delete all external references to delete all the external references. Click Settings... to customize the filter.

Number of recipients
Many spam messages can be identified by the high number of recipients they are sent to. The content filter allows you to control the number of recipients of a message, deleting messages that exceed the maximum established. To do this:
1. Check Maximum number of recipients for inbound mail and enter the maximum number you want.
2. Check Maximum number of recipients for outbound mail and enter the maximum number you want.

Mail and news attachment filter settings
The attachment filter settings section allows you to specify the files to detect and the action to take if one of these file types is detected. Follow the steps below to configure the attachment filter:
1. Enable the checkbox next to the description of each file type to detect.
2. Select the action to take if one of these file types is detected. The drop-down menu offers the following actions:
  • Delete attachment.
  • Delete message. For SMTP, messages are completely deleted. For the rest of the protocols, the text of the message that the original recipient receives is replaced. You can configure the replacement text by clicking the associated link.
  • Redirect message. For SMTP, messages are redirected to the address configured.
  You can modify this address by clicking the link. For the rest of the protocols, Panda GateDefender Performa sends a copy to that address and the text of the message that the original recipient receives is replaced. You can configure the replacement text by clicking the associated link.
  • Let it through (just generate report): lets the file through and generates a detection report.
  • Send it to quarantine: attachments are deleted and a replacement text is included in the message. You can configure the replacement text here.
3. Additional settings can be configured for certain file types. If you have selected one of these types, the Settings button is activated. Click this button to define the settings for this file type. If the checkbox for a file type is cleared, the Settings button is not available, even if this type of file allows additional settings to be defined.

Trusted sites and domains settings in the Content Filter protection
To access the trusted sites and domains settings for the Content Filter, click the Settings menu in the main console and select Content Filter > Trusted sites and domains.

Sometimes, the traffic sent from certain servers, computers or domains is trusted enough to be excluded from the Content Filter scans. By excluding this traffic from the Content Filter, the workload of Panda GateDefender Performa is reduced and its performance is optimized. To exclude trusted sites and domains from the Content Filter, follow the steps below:
1. Click the Settings menu in the console.
2. Go to Protection > Content Filter and click Trusted sites and domains.
3. HTTP/S and FTP protocols: use the New text box to enter domains and/or IP addresses (in CIDR format) whose traffic will not be filtered. You can use wildcards for sub-domains.
4. Click Add.
5. Mail and news: you can enter domains and IP ranges. You can use wildcards for sub-domains.
6. Use the New text box to enter the IP addresses (in CIDR format) whose traffic will not be filtered, and click Add.
Trusted sites and domains added are displayed in the list in the large box. To delete any of them, select them and click Delete. If you want to import or export a list of domains or IPs, consult the section Import/Export files or lists.

After you have completed these steps, the Panda GateDefender Performa Content Filter will not scan traffic from those domains, servers or computers.

The correct format for entering a trusted site or domain
• For websites: enter the full host name of the site (for example, mail.pandasoftware.com) or its IP address (for example, 192.168.1.200).
• For domains or sub-domains: enter an asterisk in place of the first label (for example, *.subdomain.domain.com or *.domain.com). If you do not want to include sub-domains, you do not need to use the asterisk (for example, domain.com).

Anti-spam protection

Anti-spam protection settings
To access the anti-spam protection settings screen, click the Settings menu in the main console screen and select Anti-spam > Anti-spam settings.

Introduction
Spam is unsolicited email. Panda GateDefender Performa includes several technologies for detecting spam:
o Signature-based detection
o Detection based on DNSBLs
o Anti-backscatter protection
o Open Relay Spam protection
To configure detection based on DNSBLs, the protection against unwanted notification messages (anti-backscatter) and the Open Relay Spam protection, go to the advanced settings screen. In the current screen you can only configure the signature-based protection.

Anti-spam protection settings
To configure the general anti-spam protection, you must specify:
o Which protocols Panda GateDefender Performa must scan for spam (SMTP, POP3 and IMAP4). To enable the scan of each protocol, enable the corresponding checkbox.
o The internal networks.
  To do this, click the Internal networks link and include the IP ranges of your organization in CIDR format.
o The traffic to be scanned (inbound, outbound or both), depending on the internal networks defined. If the internal networks are not defined, all traffic is considered inbound. This information is also used by Panda GateDefender Performa when generating reports, to indicate the direction of mail cataloged as spam (SMTP in or SMTP out).
o The sensitivity of the scan, to balance false positives against false negatives.
o The action Panda GateDefender Performa must take when it detects spam.
o The white list and blacklist, if necessary.

Not all detection technologies are available for all possible scans and protocols. Detection based on DNSBLs, protection against unwanted notification messages and Open Relay Spam protection are only available for inbound SMTP traffic.

SMTP protocol
To enable anti-spam protection for SMTP:
1. Select the SMTP checkbox.
2. Select the option you want from the Traffic to scan menu:
  o Inbound: enables detection of spam messages coming from the Internet.
  o Outbound: enables detection of spam messages coming from the internal network.
  o Inbound and outbound: enables detection of spam messages coming from both the internal network and the Internet.
Click Save to store the traffic to scan settings. To go to the advanced SMTP anti-spam protection options, click here. If any of the protections enabled in the SMTP anti-spam protection advanced settings is incompatible with the selected traffic direction, Panda GateDefender Performa displays a warning.

Sensitivity level
The sensitivity level of the anti-spam protection specifies how tolerant the protection is of suspicious messages. The higher the sensitivity level, the higher the protection, but also the higher the risk of a legitimate message being classified as spam.
Set the sensitivity level of the anti-spam protection by enabling the corresponding option (high, medium or low).

Action to take with messages classified as spam or probable spam
Specify what action Panda GateDefender Performa must take when it classifies an email message as spam or probable spam:
• Delete: the message is deleted.
  o For SMTP: Panda GateDefender Performa deletes it completely.
  o For the rest of the mail and news protocols: a text is inserted in the subject of the original message. You can write the text that you want to appear in the message subject.
• Redirect the message: the message is redirected to the email address entered in the textbox associated with this option.
  o Click Mail server settings to specify the SMTP server that will be used to redirect mail. For more information about how to configure the mail server, click here.
  o For SMTP: messages are redirected to the address specified in the textbox.
  o For the rest of the mail and news protocols: a copy of the message is sent to the specified address and the text entered in the textbox is inserted in the subject of the original message.
• Let it through, just generate report: lets the message through and generates a detection report.
• Send it to quarantine. You can configure automatic sending to quarantine. You can write the text that you want to appear in the message subject.

These actions apply to signature-based detection and Open Relay Spam protection. For the other detection technologies, Panda GateDefender Performa offers specific actions in the SMTP anti-spam protection advanced settings.

Spam white list and blacklist
If a domain or a certain server is trusted enough, the messages it sends can be excluded from the anti-spam scan (white list), lightening the workload of Panda GateDefender Performa and thereby optimizing performance.
Similarly, you can specify that Panda GateDefender Performa must treat all messages sent from certain domains or servers as spam (blacklist). You can also enable the option Delete messages from the names and addresses included in the spam blacklist. Click here for instructions on how to configure the white list and blacklist.

Spam white list and blacklist
The spam white list lets you specify trusted senders. Messages from these senders are not analyzed by any of the anti-spam measures. The spam blacklist lets you specify senders you consider dangerous. Messages from these senders are always classified as spam. If the Delete messages from the names and addresses included in the spam blacklist checkbox is enabled, these messages are deleted; if it is disabled, the action defined in the Action to take with messages classified as spam section is applied.

You can specify senders using their IP address, domain name or email address. Depending on the mail protocol, the data used to determine whether a sender belongs to a list is as follows:
• SMTP: the IP address from which the message has been sent and the email address of the sender.
• POP3/IMAP: the IP address of the server and the email address of the sender.
Bear in mind that the sender's email address is trivially forged, so a white-list entry that consists only of an email address or a domain name lets anyone who spoofs that sender bypass every anti-spam check. Prefer IP addresses and ranges for white-list entries whenever the sending servers are known.

To include an IP address, a domain name or an email address in one of the lists, follow the steps below:
1. Select the Protection settings option in the menu on the left of the Web administration console.
2. Click Anti-spam protection.
3. At the bottom of the console, you can configure the white list and the blacklist. In the box below the option New for each of the lists, enter the IP address, domain name or email address that you want to include and click Add.
4. Repeat these steps for every IP, domain or email address you want to add.
To remove a domain, IP address or email address from one of the lists (white or black), select it and click the corresponding Delete button.
Repeat these steps for all the items you want to remove. If you want to import the content of a list, click Import list and then select the file to import. To export a list, click Export. Click Save to save any changes.

Advanced SMTP anti-spam protection settings

General considerations
You can access the SMTP anti-spam protection advanced settings through the Anti-spam protection settings link in the main screen. These settings are only valid for inbound SMTP traffic, and before using them it is important to define the internal networks so that inbound and outbound messages can be distinguished. Once you have defined the internal networks, you can configure:
- Open Relay Spam protection
- Response to the sender in the event of blocked SMTP messages
- Protection against unwanted notification messages (anti-backscatter)
- Detection based on DNSBLs

Response to the sender in the event of blocked SMTP messages
When a detection is made in SMTP by any of the anti-spam protections (blacklist, Open Relay Spam protection, protection against unwanted notification messages, detection based on DNSBLs or the anti-spam engine) and the action involves blocking the message, you can establish an error code that the sender will receive. On receiving the error, the sender understands that it cannot send spam to the recipient in question. The actions that involve complete blocking of the SMTP message are delete, redirect the message and send to quarantine.

To enable this option, select Reject message during connection in the SMTP Anti-spam protection advanced settings and select a Reply code. The possible reply codes are:
• 554 Spam detected (default)
• 552 Exceeded storage allocation
• 452 Requested action not taken: insufficient system storage
• 451 Requested action aborted: local error in processing
Bear in mind that 554 and 552 are permanent failures, so a conforming sending server gives up and bounces the message to its sender, whereas 452 and 451 are temporary failures that a legitimate sending server keeps retrying, typically for several days. Choose a 4xx code only if you actually want senders to retry.
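The list formats from the trusted sites and domains sections, the spam white list and blacklist matching rules, and the reply codes above, brought together in one added example that is not part of this guide or of the product's code. It parses entries in the accepted formats (IP address or CIDR range, domain with one leading or trailing wildcard, full email address), checks an inbound SMTP sender using the data the guide says SMTP matching uses (connecting IP and sender address), and shows the reply the sending server sees when Reject message during connection is enabled. Two assumptions are made where the guide is silent: a white-list hit always wins over the blacklist, and "*.domain.com" does not match the bare "domain.com". The lists and sessions are constructed.

```python
# Added example; not the guide's or the product's code. It parses list entries in
# the formats the guide accepts (IP address or CIDR range, domain with one
# leading or trailing wildcard, full e-mail address), checks an inbound SMTP
# sender against the spam white list and blacklist using the data the guide
# says SMTP matching uses (connecting IP and sender address), and shows the
# reply the sending server sees when "Reject message during connection" is on.
# Assumptions: "*.domain.com" does not match the bare "domain.com"; a
# white-list hit always wins. All list entries and sessions are constructed.
import ipaddress
import re
from typing import List

REPLY_CODES = {
    554: "Spam detected",
    552: "Exceeded storage allocation",
    452: "Requested action not taken: insufficient system storage",
    451: "Requested action aborted: local error in processing",
}

_LABEL = r"[a-z0-9](?:[a-z0-9-]*[a-z0-9])?"
_DOMAIN = re.compile(rf"^{_LABEL}(?:\.{_LABEL})+$")   # at least two labels


class Entry:
    """One list entry: kind is 'net' (IP/CIDR), 'email' or 'domain' (pattern)."""

    def __init__(self, text: str):
        t = text.strip().lower()
        if "@" in t:
            self.kind, self.value = "email", t
            return
        if t[:1].isdigit() or ":" in t:                 # plain IP or CIDR range
            self.kind, self.value = "net", ipaddress.ip_network(t, strict=False)
            return
        if t.count("*") > 1:
            raise ValueError(f"only one asterisk is allowed: {text!r}")
        if t.startswith("*."):                          # *.domain.com: any sub-domain
            stem = t[2:]
        elif t.endswith(".*"):                          # www.domain.*: any top-level domain
            stem = t[:-2]
        elif "*" in t:
            raise ValueError(f"asterisk must be the first or last label: {text!r}")
        else:                                           # domain.com: exact host only
            stem = t
        if not _DOMAIN.match(stem):
            raise ValueError(f"not a domain name: {text!r}")
        self.kind, self.value = "domain", t

    def matches(self, ip: str, sender: str) -> bool:
        if self.kind == "net":
            return ipaddress.ip_address(ip) in self.value
        if self.kind == "email":
            return sender.lower() == self.value
        host = sender.rsplit("@", 1)[-1].lower()
        if self.value.startswith("*."):
            return host.endswith(self.value[1:])        # ".domain.com"
        if self.value.endswith(".*"):
            return host.startswith(self.value[:-1])     # "www.domain."
        return host == self.value


def parse_list(lines: List[str]) -> List[Entry]:
    return [Entry(line) for line in lines if line.strip()]


def classify(ip: str, sender: str, white: List[Entry], black: List[Entry]) -> str:
    """'whitelisted' (skips every anti-spam check), 'blacklisted' (always spam) or 'scan'."""
    if any(e.matches(ip, sender) for e in white):
        return "whitelisted"
    if any(e.matches(ip, sender) for e in black):
        return "blacklisted"
    return "scan"


def smtp_reply(verdict: str, reject_during_connection: bool, code: int = 554) -> str:
    """Reply line sent to the sending server for a blocked message.

    With the option off the message is accepted with 250 and dropped silently;
    with it on the selected code is returned. 5xx makes a conforming sender
    give up and bounce; 4xx makes it keep retrying.
    """
    if verdict == "blacklisted" and reject_during_connection:
        return f"{code} {REPLY_CODES[code]}"
    return "250 OK"


# Constructed lists: the white list trusts a partner's sub-domains, an internal
# range and one exact address; the blacklist covers a spam domain, a range and
# a host name under any top-level domain.
WHITE = parse_list(["*.partner.example", "10.0.0.0/8", "alerts@bank.example"])
BLACK = parse_list(["*.spammer.example", "203.0.113.0/24", "www.badhost.*"])
```

Entry rejects the invalid patterns the guide calls out (more than one asterisk, an asterisk in the middle) at configuration time rather than silently matching nothing, which is the failure mode to avoid in a list that disables every other check for whatever it matches.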
Detection based on DNSBLs

A DNS blacklist (DNSBL) is a list of IP addresses of spammers recognized by the community. On receiving an email, Panda GateDefender Performa checks the IP address from which the message has been sent against the external DNSBL to determine whether the message has been sent by a spammer, without having to analyze the content of the message itself. Classification is therefore much faster than with the other methods implemented in Panda GateDefender Performa. DNSBL is a complementary technology that works in conjunction with the other anti-spam modules.

DNSBL lists are accessed through DNS requests. Check that your firewall allows Panda GateDefender Performa to communicate with external DNS servers.

Detection based on DNSBLs only works with inbound SMTP mail, so it is essential to indicate the internal networks of your organization so that Panda GateDefender Performa can distinguish between inbound and outbound traffic. If the internal networks in your organization are not defined, the DNSBL protection cannot operate.

To enable the DNSBL protection, select Enable detection by DNSBLs and choose the action you want to take on this type of message from the drop-down menu. If you select Redirect or Let it through, just generate report, you can insert a text in the Subject field to help you identify the message. In the case of the Redirect option, specify the recipient's email address and configure the mail server to be used. To do this, click Mail server settings.

Enabling DNSBLs

Enable use of DNSBLs recommended by Panda Security

This option lets you enable detection using DNSBLs recommended by Panda Security, which have been selected on the grounds of reliability and response time. Bear in mind that Panda Security can modify the recommended DNSBLs without prior notice.
Enable use of additional DNSBLs

This option lets you add a maximum of three DNSBLs, which will be included in the Panda GateDefender Performa detection process. Bear in mind:
1. These DNSBLs are not maintained by Panda Security, which therefore does not guarantee their content.
2. The use of additional DNSBLs is outside the responsibility of Panda Security.
3. DNSBLs that are poorly maintained take an indeterminate time to change the status of their entries, so IP addresses that once belonged to spammers will probably continue to be listed as spam sources. The opposite is also possible: there may be IP addresses that belong to spammers but are not listed in the additional DNSBLs.
4. You may have to pay for some of these lists. You can find subscription or free black lists on the Internet, searching for example for "DNSBL" or "RBL". Make sure you are aware of the terms and conditions of use when using such third-party lists.
5. Not all DNSBLs guarantee a 24x7 service. If there are frequent timeouts or service failures during communication with any additional server you have defined, it is your responsibility to select an alternative server.

If there is a discrepancy between the DNSBLs recommended by Panda Security and those configured by the user when it comes to cataloging spam, the former take priority.

If your IP address or domain has been included in one of these lists, consult www.blacklistalert.org/?q=IP (replacing IP with your address) to find out why. You may have to contact those responsible for the blacklist to remove your IP address or domain from it.

The maximum response time of DNSBLs can be configured in Tools: advanced settings, in the section SMTP settings – Maximum time to reply to DNSBL queries. To remove a DNSBL, select it in the list and click Delete. If you want to prevent an IP address from being checked against the DNSBL servers, add the IP address to the spam white list in the Anti-spam protection settings.
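The following added example (not code from the guide or from Panda) implements the DNSBL check as the preceding sections describe it: the sender IP is reversed into a DNS name and looked up in each configured zone, only inbound addresses are checked and the check is disabled when no internal networks are defined, white-listed addresses skip the lookup, recommended lists are queried before the (at most three) additional ones with a hit in a recommended list being conclusive, a query that exceeds the reply time counts as "not listed", and the result records which kind of list matched, as the spam report does. The zone names, the stand-in resolver and the addresses are constructed for the example.

```python
"""DNSBL detection as the guide describes it.  Added example, not Panda's
code.  Zone names, the fake resolver and the addresses are constructed;
a real deployment would issue DNS A queries for the names built here."""
import ipaddress

LISTED_RANGE = ipaddress.ip_network("127.0.0.0/8")   # DNSBLs answer listed IPs from here


def dnsbl_query_name(ip: str, zone: str) -> str:
    """192.0.2.10 in zone Z becomes 10.2.0.192.Z; IPv6 uses reversed nibbles."""
    addr = ipaddress.ip_address(ip)
    if addr.version == 4:
        labels = str(addr).split(".")[::-1]
    else:
        labels = list(addr.exploded.replace(":", ""))[::-1]
    return ".".join(labels) + "." + zone


# Constructed stand-in for DNS A lookups: listed names map to their answer,
# unlisted names are absent (NXDOMAIN), and zones in DEAD_ZONES never answer.
FAKE_DNS = {
    "10.2.0.192.rbl-recommended.example": ["127.0.0.2"],
    "5.113.0.203.rbl-additional.example": ["127.0.0.10"],
}
DEAD_ZONES = {"rbl-dead.example"}


def fake_resolve(name: str):
    """Stand-in for a DNS A lookup bounded by the configured reply time."""
    if any(name.endswith("." + z) for z in DEAD_ZONES):
        raise TimeoutError(name)            # "Maximum time to reply to DNSBL queries" expired
    return FAKE_DNS.get(name, [])


def check_dnsbl(ip, recommended, additional, internal_networks, whitelist=(), resolve=fake_resolve):
    """Return a dict: status is 'listed', 'clean', 'whitelisted', 'outbound' or
    'disabled'; source/zone say which list matched; timeouts lists the zones
    that did not answer in time (treated as 'not listed')."""
    if len(additional) > 3:
        raise ValueError("at most three additional DNSBLs can be configured")
    result = {"ip": ip, "status": "clean", "source": None, "zone": None, "timeouts": []}
    if not internal_networks:                       # cannot tell inbound from outbound
        result["status"] = "disabled"
        return result
    addr = ipaddress.ip_address(ip)
    if any(addr in ipaddress.ip_network(n, strict=False) for n in internal_networks):
        result["status"] = "outbound"               # only inbound SMTP is checked
        return result
    if any(addr in ipaddress.ip_network(w, strict=False) for w in whitelist):
        result["status"] = "whitelisted"            # spam white list bypasses the lookup
        return result
    for source, zones in (("recommended", recommended), ("additional", additional)):
        for zone in zones:
            try:
                answers = resolve(dnsbl_query_name(ip, zone))
            except TimeoutError:
                result["timeouts"].append(zone)
                continue
            if any(ipaddress.ip_address(a) in LISTED_RANGE for a in answers):
                result.update(status="listed", source=source, zone=zone)
                return result
    return result
```

A zone that keeps appearing in timeouts is the signal the guide refers to when it says it is your responsibility to pick an alternative server: while it is unreachable, mail from addresses that only that zone lists passes unflagged.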
Message header analysis

There are two procedures for determining the IP address of the sender of an email:
• Determining the source IP address of the SMTP connection established between the sender MTA (which could be that of a spammer) and the recipient in your organization. If the IP address of the sender MTA is listed in a DNSBL, it is classified as a spammer and the mail received is marked as spam.
• Determining the IP addresses of the MTAs through which the message has passed before reaching the recipient server, as stored in the Received headers of each mail message.

With this second option, Panda GateDefender Performa does not analyze the SMTP connection IP address; instead it analyzes the IP address included in the Received header indicated in the console, and checks whether it coincides with any entry in the configured DNSBLs. If Panda GateDefender Performa is installed behind the organization's MTA, check that the MTA is correctly configured to include the IP address of the sender MTA in each email. Some badly configured mail servers include only the domain name without the IP address; in this case Panda GateDefender Performa displays a warning indicating the reason for the failure in the DNSBL module.

Analysis of the Received header is necessary when Panda GateDefender Performa is situated in the organization's network in such a way that it has no SMTP communication with the MTA from which the message has been sent. Although every MTA adds this information to each message, it is not possible to determine in general which of the available headers carries the useful information, as the number of MTAs through which an email passes before reaching the client is variable and depends on the network.

Bear in mind that a Received header is only trustworthy from the point where the message entered your own infrastructure: headers added by external MTAs, including any a spammer inserts before handing the message over, are free-form text under the sender's control. The header to analyze is therefore always the one added by your own edge MTA, never an older one further down the list.
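The following added example (not code from the guide or from Panda) implements the rule that the scenarios below make concrete. Each MTA prepends one Received header, so the header added by the organization's first (edge) MTA is the N-th from the top, where N is the number of organization MTAs the message crossed before the appliance saw it; N = 0 means the appliance has the SMTP connection itself and uses its source address. The example extracts the bracketed IP address from the "from" clause of the selected header and reports the warning case in which the header names only a host. The messages and host names are constructed; the resulting address is what the DNSBL check above would be given.

```python
"""Select the Received header added by the organization's edge MTA and pull
the sender MTA's IP address out of it.  Added example, not Panda's code.
Messages and host names are constructed."""
import email
import ipaddress
import re
from email import policy

# Matches "[203.0.113.5]" or "[IPv6:2001:db8::1]" as MTAs write them.
_BRACKETED_IP = re.compile(r"\[(?:IPv6:)?([0-9A-Fa-f:.]+)\]")


def received_headers(raw: bytes):
    """Received headers in message order: the top one was added last."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    return [str(h) for h in msg.get_all("Received", [])]


def sender_ip(raw: bytes, internal_hops: int, connection_ip=None):
    """Return (ip, warning).  internal_hops is the number of organization MTAs
    ahead of the appliance (0 = direct SMTP connection, use connection_ip).
    ip is None when the selected header names no IP address, which is the
    badly-configured-MTA case the guide warns about."""
    if internal_hops == 0:
        return connection_ip, None
    headers = received_headers(raw)
    if internal_hops > len(headers):
        return None, f"only {len(headers)} Received header(s); cannot read header {internal_hops}"
    hdr = headers[internal_hops - 1]
    from_clause = re.split(r"\s+by\s+", hdr, maxsplit=1)[0]   # stop before the 'by' clause
    if not from_clause.lstrip().lower().startswith("from "):
        return None, "selected Received header has no 'from' clause: " + hdr.split(";")[0]
    for candidate in _BRACKETED_IP.findall(from_clause):
        try:
            return str(ipaddress.ip_address(candidate)), None
        except ValueError:
            continue                                 # bracketed text that is not an address
    return None, "selected Received header carries no IP address: " + from_clause.strip()


# Constructed message for a chain of three organization MTAs (edge mx1, then
# relay2, then store3); the external sender MTA is 203.0.113.5.
MSG_THREE_HOPS = b"""\
Received: from relay2.example.com (relay2.example.com [10.0.0.2])
\tby store3.example.com with ESMTP id C3; Mon, 1 Mar 2010 10:00:03 +0000
Received: from mx1.example.com (mx1.example.com [10.0.0.1])
\tby relay2.example.com with ESMTP id B2; Mon, 1 Mar 2010 10:00:02 +0000
Received: from mail.sender.example (mail.sender.example [203.0.113.5])
\tby mx1.example.com with ESMTP id A1; Mon, 1 Mar 2010 10:00:01 +0000
From: someone@sender.example
To: user@example.com
Subject: test

body
"""

# Constructed message from a badly configured edge MTA that logs only a name.
MSG_NO_IP = b"""\
Received: from mail.sender.example by mx1.example.com with ESMTP; Mon, 1 Mar 2010 10:00:01 +0000
From: someone@sender.example
To: user@example.com
Subject: test

body
"""
```

With three organization MTAs in relay the third header is the right one; reading the first header of the same message instead yields the address of an internal relay, which is never listed in a DNSBL and would silently disable the check.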
There are therefore several general scenarios that determine which Received header is considered:

Scenario 1: Panda GateDefender Performa in front of the first MTA
In this scenario it is not necessary to analyze message headers, as there is a direct SMTP connection between the MTA sending the email and the MTA of the organization that receives it. Panda GateDefender Performa extracts the source IP address of the SMTP connection and checks it against the configured DNSBLs.

Scenario 2: Panda GateDefender Performa behind the first MTA
In this scenario, Panda GateDefender Performa has to analyze the message headers, as the connection it sees corresponds to the download of the mail by the client and not to the connection between the remote MTA and the internal MTA. The relevant header is the one introduced by the first MTA of the organization, as it is the only one that records the source IP address of the MTA that sent the email. The first Received header is considered.

Scenario 3: Panda GateDefender Performa behind the last of three MTAs in relay
In this scenario, Panda GateDefender Performa also has to analyze the message headers. The relevant header is again the one introduced by the first MTA of the organization, as it is the only one that records the source IP address of the MTA that sent the email. The third header is the one to consider, as each MTA adds its own header on top of the previous one (see the diagram in the guide).

The blocking of messages through this detection system is reflected in the spam report, including whether the detection was made through recommended or additional DNSBLs.

Protection against unwanted notification messages (backscatter)

What is a bounce message (NDR)?
In the context of SMTP, a bounce message is a notification in email format, generated automatically by an MTA when there is a problem delivering mail. It generally occurs when the recipient does not exist or there are connection problems with the recipient's MTA. There are several terms for bounce messages:
• NDR: Non Delivery Report, the term used in Panda GateDefender Performa.
• DSN: Delivery Status Notification.
• NDN: Non Delivery Notification.
In all cases, the NDR is sent to the sender of the original mail indicating the reasons why the message could not be delivered. NDR messages are generated automatically by the MTA that receives the original email. The origin of the bounce message is therefore that MTA, and the recipient is the sender of the original mail.

NDR message format
For the purposes of identification by Panda GateDefender Performa, an NDR message has the following characteristics:
• Envelope sender (MAIL FROM) empty (<>), or MAILER-DAEMON or POSTMASTER.
• MIME Content-Type of message/delivery-status, or multipart/report with report-type=delivery-status.
• Return-Path field: <MAILER-DAEMON>, <POSTMASTER> or empty.

Backscatter
Backscatter is the receipt of an NDR (Non Delivery Report) for a message that the recipient never sent. It is caused by malware that has infected computers outside the user's network: these worms spoof the sender field ("From:") of the email messages they send, selecting addresses at random from the infected computer's contact list, so every bounce goes to the spoofed address rather than to the infected machine. Spammers use the same technique: they use legitimate users' addresses as the reply addresses of the spam they send, so that hundreds or even thousands of bounces are delivered to the legitimate user's mail server.

To enable the anti-backscatter protection, select Enable anti-backscatter protection, and select the action you want to take on these types of messages.
If you select Redirect or Let it through, just generate report, you can insert a text in the Subject field to help you identify the message. In the case of the Redirect option, specify the recipient's email address and configure the mail server to be used; to do this, click Mail server settings. If you select Delete, the option Reject message during connection is not available. Blocking of unwanted notification messages is reflected in the spam report.

Then select the method you want to use for this type of protection: BATV or NDR restriction. Bear in mind that these methods are mutually exclusive.

Backscatter diagram (figure not reproduced): the diagram shows the spam recipient's address and a second address in an existing but unreachable domain.

BATV (Bounce Address Tag Validation)

What is BATV?
BATV (Bounce Address Tag Validation) is an anti-backscatter technique that validates the source of a bounce through a tag that authenticates the sender. It can be used in MTAs and perimeter security appliances; in this case it is Panda GateDefender Performa that handles all the BATV information.

How it works:
1. When sending a message, Panda GateDefender Performa transparently adds a tag to the address in the MAIL FROM command of the SMTP session. The tag is prepended to the original address and consists of the fields K, DDD and SSSSSS (in the BATV draft specification the resulting address is written prvs=KDDDSSSSSS=user@domain), where:
• K is the key number, a digit from 0 to 9. This means several keys can be generated from the same information; as K ranges from 0 to 9 there are ten possible keys, although only one of them is used in any given email.
• DDD is the number of days elapsed since 1970, modulo 1000.
• SSSSSS is the value of the first three bytes of the HMAC-SHA1 of the string KDDD, computed with key number K.
2. If the remote MTA cannot deliver the email, it generates an NDR addressed to the source of the original message, tag included.
3. Panda GateDefender Performa receives all messages that reach the MTA of the protected organization.
The sequence of steps to check authenticity is as follows:
• First it determines whether the message is an NDR (with the conditions described above).
• If it is not an NDR, BATV is not applied and the message is passed to the other modules: anti-spam, Content Filter, anti-malware, etc.
• If it is an NDR, the system checks for a tag. If there is no tag, the message is marked as spam.
• If there is a tag, the following additional checks are made:
  • The DDD value is extracted and compared with the current date. If the difference is greater than seven days the message is rejected (a maximum of seven days' difference from the original message is permitted).
  • If the difference is seven days or less, the appliance recomputes the HMAC of the KDDD string with key K and compares its first three bytes with SSSSSS (an HMAC cannot be decrypted; validation is by recomputation and comparison).
  • If the recomputed value coincides with SSSSSS, the message is taken as valid. If not, it is considered spam.

BATV diagram with a legitimate NDR (figure not reproduced)

BATV diagram with a malicious NDR (figure not reproduced)

Conflict detection
If the MTA protected by Panda GateDefender Performa supports BATV itself (that is, the mail server already adds control tags and checks the validity of inbound NDRs), it is important not to overwrite these tags: if Panda GateDefender Performa overwrote the control tag included by the MTA, the MTA would reject the returning message. Panda GateDefender Performa does not apply BATV if it detects that outbound messages already carry a tag. It also generates a system event and a warning in the Status page of the Web console.

Before enabling BATV
Remember that:
1. You must have configured internal networks to be able to differentiate between inbound and outbound mail.
2. Both traffic directions must be analyzed: outbound traffic so that the tag can be added, and inbound traffic so that it can be checked.
3. Enabling BATV in Panda GateDefender Performa and in another internal mail server at the same time is not supported.

To enable BATV, select Enable BATV.
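The following added example (not code from the guide or from Panda) walks through the NDR identification and the BATV tag handling described in the preceding sections: tagging an outbound envelope sender, recognising an inbound NDR by the three indicators listed under NDR message format, and validating the tag by the seven-day window and HMAC recomputation. The ten keys and the NDR headers are constructed. The example assumes the prvs= prefix and the KDDDSSSSSS=local@domain layout of the BATV draft, which the guide's field descriptions match, and that any one of the three NDR indicators is enough to treat a message as an NDR; the guide does not say whether the appliance requires all of them.

```python
"""NDR identification and BATV tagging/verification.  Added example, not
Panda's code.  Keys and messages are constructed; the prvs= layout
follows the BATV draft, which the guide's K/DDD/SSSSSS description matches."""
import hashlib
import hmac
import re
from datetime import date
from email import message_from_string, policy

EPOCH = date(1970, 1, 1)
KEYS = {k: f"constructed-batv-key-{k}".encode() for k in range(10)}   # K = 0..9: ten keys


def day_number(d: date) -> int:
    """Days elapsed since 1970-01-01; the tag stores this modulo 1000."""
    return (d - EPOCH).days


def _sig(k: int, ddd: int, keys) -> str:
    """SSSSSS: first three bytes (six hex digits) of HMAC-SHA1(key_K, 'KDDD')."""
    return hmac.new(keys[k], f"{k}{ddd:03d}".encode(), hashlib.sha1).hexdigest()[:6]


def batv_sign(address: str, k: int, day: int, keys=KEYS) -> str:
    """Rewrite MAIL FROM <local@domain> as <prvs=KDDDSSSSSS=local@domain>."""
    if not 0 <= k <= 9:
        raise ValueError("key number must be 0..9")
    ddd = day % 1000
    return f"prvs={k}{ddd:03d}{_sig(k, ddd, keys)}={address}"


_TAG = re.compile(r"^prvs=(\d)(\d{3})([0-9a-f]{6})=(.+@.+)$")


def batv_verify(address: str, today: int, keys=KEYS, max_age_days=7):
    """Check the tag on the address an inbound NDR is sent to.  Returns
    (ok, original_address_or_reason).  The HMAC is recomputed and compared
    in constant time; it is never 'decrypted'."""
    m = _TAG.match(address)
    if not m:
        return False, "no BATV tag"
    k, ddd, sss, original = int(m[1]), int(m[2]), m[3], m[4]
    age = (today % 1000 - ddd) % 1000          # survives the 999 -> 000 wrap
    if age > max_age_days:
        return False, "tag older than seven days"
    if not hmac.compare_digest(_sig(k, ddd, keys), sss):
        return False, "signature mismatch"
    return True, original


def _bounce_sender(s: str) -> bool:
    s = s.strip().strip("<>").lower()
    return s == "" or s.split("@", 1)[0] in ("mailer-daemon", "postmaster")


def is_ndr(mail_from: str, raw_headers: str) -> bool:
    """The three NDR indicators from the guide: empty/MAILER-DAEMON/POSTMASTER
    envelope sender, a delivery-status MIME type, or such a Return-Path."""
    msg = message_from_string(raw_headers, policy=policy.default)
    report_type = (msg.get_param("report-type") or "").lower()
    return_path = msg.get("Return-Path")
    return (_bounce_sender(mail_from)
            or msg.get_content_type() == "message/delivery-status"
            or report_type == "delivery-status"
            or (return_path is not None and _bounce_sender(str(return_path))))


def check_inbound(mail_from: str, rcpt_to: str, raw_headers: str, today: int) -> str:
    """Verdict for one inbound message with BATV enabled."""
    if not is_ndr(mail_from, raw_headers):
        return "not an NDR: hand to anti-spam, Content Filter and anti-malware"
    ok, info = batv_verify(rcpt_to, today)
    return f"legitimate NDR for {info}" if ok else f"backscatter ({info})"


# Constructed headers of a bounce as a remote MTA would generate it.
NDR_HEADERS = """\
Return-Path: <>
From: Mail Delivery System <MAILER-DAEMON@mx.remote.example>
To: alice@example.com
Content-Type: multipart/report; report-type=delivery-status; boundary="b1"
Subject: Undelivered Mail Returned to Sender

"""
```

Because DDD is stored modulo 1000, the age check must be done in modular arithmetic as above; a plain subtraction would reject every tag issued in the last week before the counter wraps.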
White list of domains and addresses excluded from BATV
You can use this list to exclude domains and addresses from BATV; outbound messages from them are not tagged. To do this, click White list of domains excluded from BATV. Because BATV rewrites the envelope sender of every outbound message, this is where to add senders that correspond with systems which key on the exact envelope address (some mailing-list subscription and bounce-handling systems do).

Restricting the entry of NDR messages
To accept NDR messages only from a defined list of IP addresses (typically the relays defined in your internal networks), select Restrict NDR reception to the following IP addresses. Use the Add and Remove buttons to configure the list of addresses, or Import and Export to import or export lists of addresses. This option is disabled while the traffic direction is outbound and the list of internal networks is empty.

Factors to bear in mind when restricting NDR messages
Normally, NDR messages are sent by the company's first relay or MTA, not by relays or mail servers in other companies. Nevertheless, this is not always the case: a remote server may have accepted mail because of traffic saturation and, when processing it later, realize that the recipient does not exist, consequently generating a notification message. If administrators realize they are not receiving NDRs generated by a certain relay or mail server, they should extend the list. In the spam events report, you can filter by the reason for blocking backscatter and thereby check whether any of the blocked events are actually legitimate. In this case you can include the source IP address of the NDR in the list of servers from which NDR messages are permitted. Another option is to select Send to quarantine and review the quarantined messages, to see whether there are any legitimate NDR notifications among them.

Open Relay Spam protection
This offers additional protection against spam. Under normal circumstances, all inbound mail must have a local user as a recipient (on internal domains). This prevents the use of internal SMTP servers as open relays. Any inbound SMTP traffic directed to non-local domains is considered Open Relay Spam.
Inbound SMTP is any mail coming from an external network (if no internal networks are defined, all SMTP traffic is considered inbound). Similarly, non-local domains are those not defined under Internal domains in the Internal domain management form.

Web and IM/P2P/VoIP filter

Web filtering

Configuring the Web filter
To access the Web filter settings, click the Settings menu in the main console window and select IM/P2P/VoIP and Web filter > Web filter.

Through this filter, Panda GateDefender Performa lets you restrict access to certain content (URLs or Web pages) on the Internet. To do this, all URLs accessed through HTTP and/or HTTPS are checked and blocked if they are restricted. Unlike the other anti-malware protection, Web filtering can be enabled even if the antivirus scan is not enabled.

Through the Web filtering settings the administrator can:
• Select the content to which access must be blocked.
• Define a timetable for the restrictions, through the chart displaying the days of the week and the hours. Click the cell corresponding to the day and time to allow/restrict.
• Specify the URLs or websites that cannot be accessed under any circumstances (blacklist).
• Specify the URLs or websites that can be accessed regardless of their content (white list).
• Define a list of users exempt from the Web filter, to whom no access restrictions are applied.

Content with restricted access
Select the categories to which you want to restrict access. Bear in mind that there is a category called Uncategorized pages, which restricts access to all pages for which the Web filter could not find a category. Use the options All and None to select or unselect groups of content. The first accesses to a Web page appear as uncategorized until it is included in the Commtouch URL cache, so restricting Uncategorized pages also blocks newly seen sites until they have been categorized.
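The following added example (not code from the guide or from Panda) puts the Web filter settings of this section into one decision: a client on the exclusion list is never filtered, a blacklist entry always blocks, a white-list entry always allows, and otherwise the page's category (including Uncategorized pages) decides, with a restricted hit only logged when Block access to the restricted page is off. The entry forms and wildcard rules are those given under How to configure the white list and How to configure the blacklist later in this section; the exclusion-list rule that an IP without a netmask means that single host comes from Users exempt from filtering. The configuration and URLs are constructed. Assumptions beyond the guide: list entries carry an explicit kind ("url", "site" or "domain"), since the guide does not say how the console infers it; a blacklist hit wins over a white-list hit; "www.panda.*" matches any suffix after the final dot; and a "url" entry ending in "/" covers everything below that directory.

```python
"""Web filter decision order: exempt client, blacklist, white list, category.
Added example, not Panda's code.  Configuration and URLs are constructed;
entry kinds are explicit because the guide does not say how they are inferred."""
import ipaddress
from urllib.parse import urlsplit


def host_matches(pattern: str, host: str) -> bool:
    """Exact host match, or the two wildcard forms the guide allows:
    '*.panda.com' (leading, before the dot) and 'www.panda.*' (trailing, after it)."""
    p, h = pattern.lower().rstrip("."), host.lower().rstrip(".")
    if p.startswith("*."):
        return h.endswith(p[1:]) and len(h) > len(p) - 1
    if p.endswith(".*"):
        return h.startswith(p[:-1]) and len(h) > len(p) - 1
    return h == p


def entry_matches(kind: str, pattern: str, url: str) -> bool:
    """kind: 'url' (www.domain.com/address: one page, file or directory),
    'site' (www.domain.com: that host, any path) or 'domain'
    (domain.com: the domain and every host under it)."""
    parts = urlsplit(url if "://" in url else "http://" + url)
    host, path = parts.hostname or "", parts.path or "/"
    if kind == "site":
        return host_matches(pattern, host)
    if kind == "domain":
        return host_matches(pattern, host) or host.lower().endswith("." + pattern.lower())
    if kind == "url":
        phost, _, ppath = pattern.partition("/")
        ppath = "/" + ppath
        if not host_matches(phost, host):
            return False
        return path == ppath or (ppath.endswith("/") and path.startswith(ppath))
    raise ValueError(f"unknown entry kind {kind!r}")


def is_exempt(client_ip: str, exempt) -> bool:
    """Exclusion entries are 'ip' or 'ip/mask'; a bare IP means that single
    host (mask 255.255.255.255), as the guide states."""
    addr = ipaddress.ip_address(client_ip)
    return any(addr in ipaddress.ip_network(e, strict=False) for e in exempt)


def decide(url: str, client_ip: str, category: str, cfg: dict):
    """Return (action, reason) with action 'allow', 'block' or 'log'."""
    if is_exempt(client_ip, cfg.get("exempt", [])):
        return "allow", "client excluded from Web filtering"
    for kind, pattern in cfg.get("blacklist", []):
        if entry_matches(kind, pattern, url):
            return "block", f"blacklist entry {pattern}"
    for kind, pattern in cfg.get("whitelist", []):
        if entry_matches(kind, pattern, url):
            return "allow", f"white-list entry {pattern}"
    if category in cfg.get("restricted", set()):
        action = "block" if cfg.get("block_access", True) else "log"
        return action, f"restricted category {category}"
    return "allow", f"category {category} not restricted"


# Constructed configuration in the shapes the console accepts.
CFG = {
    "exempt": ["10.0.0.50", "10.0.1.0/24"],
    "blacklist": [("domain", "*.badsite.example"), ("url", "www.example.net/private/")],
    "whitelist": [("site", "www.partner.example"), ("domain", "www.panda.*")],
    "restricted": {"Gambling", "Uncategorized pages"},
    "block_access": True,
}
```

The order matters: checking the white list before the blacklist would let a broad white-list entry (a whole domain or a wildcard) override a specific blacklisted page under it.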
Possible actions
You can perform different actions on the restricted URLs or domains accessed by users:
• Block access to the restricted page. If this checkbox is enabled, Panda GateDefender Performa blocks access to the restricted URLs. If it is not enabled, Panda GateDefender Performa allows access to the restricted URLs, whether they appear in the blacklist or not, and logs the access in the Web filtering report if configured to do so.
• Show a warning page instead (disabled unless Block access to the restricted page is selected). Panda GateDefender Performa prevents access to restricted URLs and displays a page that shows the URL (variable %URL%) and the category (variable %URLCATEGORY%) under which the URL has been blocked. This warning page can be configured: click Edit warning page.

Editing substitute texts for the warning page
In the Edit the Web filtering warning page window, enter the title and text of the message you want to display. Then click Save. Click Restore to apply the default settings. The design of the page can be configured in Settings > System > Substitute page for HTTP/S, where you can choose from three types of design and add the company logo.

Users can report a false categorization to Commtouch through a link on the warning page. The report reaches the Web filter database, and Panda Security monitors the statistics to control the number of false positives generated by the Web filter.

White list
The Web filtering white list contains domains, sites or specific addresses which, even though they belong to a restricted category, must remain accessible to the network users. To enable this Web filtering feature:
1. Enable the Enable use of the white list checkbox.
2. Configure the list by clicking To configure this list, click here.
A window then opens that allows you to define which domains or Web pages should be added to the white list. To add a URL to the white list, follow these steps:
1. Enter the URL that you want to add to the white list in the New field.
2. Click Add.
3. Repeat steps 1 and 2 for each URL that you want to add to the list.
4. To import or export the list, refer to the section Import / Export files or lists.
5. If you make a mistake or want to remove a URL from the white list, select the relevant URL in the list and click Remove.
6. Click Save.

How to configure the white list
To configure the Web filtering white list, you can add:
• Full URL (www.domain.com/address): only this address is excluded from the filter (page, file or directory).
• Website (www.domain.com): all of the addresses belonging to the site are excluded from the filter (www.domain.com, www.domain.com/address_1, www.domain.com/address_2, etc.).
• Domain or sub-domain (domain.com or subdomain.domain.com): all of the addresses belonging to all the websites in the domain or subdomain are excluded from the filter (www.domain.com, www3.domain.com, XXX.domain.com/address).

You can use wildcards to define subdomains. When configuring the white list, a wildcard is allowed either at the beginning of the string, before the dot (for example *.panda.com), or at the end, after the dot (for example www.panda.*). Keep white-list entries as narrow as possible: a whole-domain or wildcard entry exempts every host it covers from category filtering, including hosts you have never reviewed.

Blacklist
The Web filtering blacklist contains domains, sites or specific addresses which, even though they don't belong to a restricted category, must not be accessible to the network users. These are always filtered, regardless of their category. To enable this Web filtering feature:
1. Enable the Enable use of the blacklist checkbox.
2. Configure the list by clicking To configure this list, click here.
When you do this, a window opens that allows you to define which domains or Web pages should be added to the blacklist. To add a URL to the blacklist, follow these steps:
1. Enter the URL that you want to add to the blacklist in the New field.
2. Click Add.
3. Repeat steps 1 and 2 for each URL that you want to add to the list.
4. To import or export the list, refer to the section Import / Export files or lists.
5. If you make a mistake or want to remove a URL from the blacklist, select the relevant URL in the list and click Remove.
6. When you have finished, click Save.

How to configure the blacklist
To configure the Web filtering blacklist, you can add:
• Full URL (www.domain.com/address): only this address is filtered (page, file or directory).
• Website (www.domain.com): all of the addresses belonging to the site are filtered (www.domain.com, www.domain.com/address_1, www.domain.com/address_2, etc.).
• Domain or sub-domain (domain.com or subdomain.domain.com): all of the addresses belonging to all the websites in the domain or subdomain are filtered (www.domain.com, www3.domain.com, XXX.domain.com/address).

You can use wildcards to define subdomains. When configuring the blacklist, a wildcard is allowed either at the beginning of the string, before the dot (for example *.panda.com), or at the end, after the dot (for example www.panda.*).

IM/P2P/VoIP application filter

IM/P2P/VoIP protocol filter settings
To access the IM/P2P/VoIP protocol filter settings, click the Settings menu in the main console window and select IM/P2P/VoIP and Web filter > IM/P2P/VoIP filter. Panda GateDefender Performa monitors and blocks access to instant messaging and file exchange protocols. First, select Enable the P2P and messaging protocol filter.

Schedule for applying the restrictions
Use the matrix displaying the days of the week and the hours.
Click the cell corresponding to the day and time to allow/restrict.

Restricted P2P protocols
Select the protocols to restrict, using the corresponding checkbox:
• BitTorrent
• eDonkey
• FastTrack
• Gnutella
• OpenNap
• Ares
• DirectConnect
• Manolito
• Spotify
• Applejuice
Use the link provided in the console to see the rest of the protocols that can be filtered.

Restricted messaging protocols
Select the protocols to restrict, using the corresponding checkbox:
• ICQ/AOL
• IRC
• MSN Messenger
• Yahoo! Messenger
• Skype
• Jabber

Protection level
You can select different security levels for filtering the protocols you want to restrict:
• Maximum security: all traffic is scanned in depth to restrict the protocols you have specified, regardless of the port used. This is the safest option, but it may reduce the performance of the appliance.
• Mixed level: the traffic on all ports is analyzed except on those you specify. For example, you can specify that traffic on the HTTP (80) or FTP (21, with 20 for data) ports is not analyzed, so that traffic through these ports is not affected. If several ports are specified, separate them with commas.
• Maximum performance: only the ports frequently used by the applications you want to restrict are scanned. You can also specify as many additional TCP or UDP ports as you like, separated by commas. If a restricted protocol uses a port other than the usual or specified ones, it cannot be effectively restricted.

Bear in mind that several of these applications (Skype and MSN Messenger among them) fall back to ports 80 or 443 when their usual port is blocked, so excluding port 80 at the mixed level, or relying on the usual ports at the maximum-performance level, leaves exactly the path such clients use to evade the filter. Only the maximum security level, which ignores the port, restricts them reliably.

Protocols that can be filtered
• MSN - Version 2009 (Build 14.0.8117.416)
• Yahoo Messenger - v10.0.0.1267
• Skype - v4.2.0.166
• BitTorrent - Official client v6.4 (build 18095), protocol v11031
• Ares - v2.1.5 (Ares protocol and BitTorrent protocol)
• AppleJuice - v0.70.5/F-1.15
• Direct Connect/Advanced Direct Connect (DC++) - v0.761 (r2102)
• eMule (eDonkey) - v0.50a
• FastTrack / Kazaa
• Gnutella/Gnutella2 (Shareaza) - v2.5.2.0
• ICQ - v7.1
• LimeWire - v5.5.8
• Jabber (XMPP)
• MP2P - Manolito/Piolet/Blubster v3.1.1
• Spotify

Users exempt from filtering
Panda GateDefender Performa lets you create lists of users (computers or subnets) that are excluded from the Web and IM/P2P/VoIP filters. Exemptions are keyed on the client IP address, so in a network that assigns addresses dynamically an exempted address can move to another computer; give exempt computers fixed addresses or DHCP reservations.

Users excluded from Web filtering
In the Web filter settings screen, follow these steps:
1. Enable the Enable use of the excluded users list checkbox.
2. To add a computer to the list of exempt computers or subnets, click New.
3. Enter the IP address and Net mask details.
4. Click Save. The computer appears in the list of computers excluded from filtering.
5. Repeat steps 2, 3 and 4 for each computer and subnet that you want to exclude from Web filtering.
6. Use the corresponding buttons to modify the list or remove any computers from it.
If you enter an IP address without the corresponding subnet details, the netmask 255.255.255.255 is used, so the entry refers solely to that specific IP address.

Users exempt from P2P/IM filtering
In the IM and P2P settings screen, follow these steps:
1. Enable the Enable use of the excluded users list checkbox.
2. To add a computer to the list of exempt computers or subnets, click New.
3. Enter the IP address and Net mask details.
4. Click Save. The computer appears in the list of computers excluded from filtering.
5. Repeat steps 2, 3 and 4 for each computer and subnet that you want to exclude from filtering.
6. Use the corresponding buttons to modify the list or remove any computers from it.

Export/Import a list of computers
Once you have defined a list of computers exempt from filtering, you can export it. You can then recover it whenever you want using the Import option, avoiding having to re-enter the data for every computer. Refer to the section Import/Export files or lists.

Profiles

Configuration by profiles
Panda GateDefender Performa lets you manage various profiles easily, by creating configurations as desired and personalized profiles. To do so, you can use:
• Settings management: this lets you create settings as required, which can then be used by the various profiles.
• Protection profile settings: this lets you create personalized profiles to which the settings can be applied.

Managing settings
Panda GateDefender Performa lets you set up various configurations which can subsequently be applied to a protection profile. This lets you configure the protection to apply to specific users, addresses or IP ranges, domains, email addresses and specific Web pages. This is an easier method of managing configuration by profiles: simply define the configuration required and apply it to the protection profiles you have already created. Follow these steps to set up a configuration:
1. In the main screen of the Web console, click Settings.
2. In Profiles, click List of settings. You will see the Settings manager window.
3. Click Add.
4. In the Edit settings window, specify the name with which you want to identify these settings.
5. Indicate the protection to configure (Anti-malware, Content Filter, Anti-spam and/or IM/P2P/VoIP and Web filter). You can use the Comments field to add details that will help you identify the configuration in the future.
6. Click Edit settings.
7. Set up the configuration you require for each of the protections specified.
8. Click Accept settings.
Once the required configuration has been set up, it can be modified or deleted by clicking Modify or Delete.
Edit Settings
See the following sections for the individual protection settings:
• Anti-malware protection
• Content Filter protection
• Anti-spam protection
• Web filtering
• IM/P2P/VoIP filter

Creating and modifying protection profiles
You can use Panda GateDefender Performa to specify profiles for the protection you want to apply to users or user groups, IP addresses, domains, email addresses, specific websites, etc. Before a protection profile can be created, you must first have created a configuration in the Settings manager. Follow these steps to create a protection profile:
1. In the main screen of the Web console, click Settings. Then select Assign settings to local profiles and click Add (to create a new profile) or Modify (to modify an existing profile).
2. This takes you to the Protection profile manager screen, with the following options:
• Name: descriptive name of the profile.
• Apply to: specifies the items to which the settings are applied. Enable the checkboxes that you want to include in the settings. The options available are:
  o Users: select one of the two options offered by Panda GateDefender Performa:
    - User groups: applies a specific protection profile to the user groups or LDAP groups specified in the User management section.
    - Sub-tree/individual users: if you have already specified an LDAP server, you can specify the branch of the hierarchy to which you want to apply the protection profile. In the BaseDN field, specify the DN of a container, or the DN of a specific user.
  o IP/IP address group: enable the checkboxes corresponding to the options you want to include in the configuration: IP/Source group and IP/Target group. Each consists of a list from which you can select the IP address group to which to apply the protection profile. You must have created it in the IP address management screen.
  o Domains: enable the checkboxes corresponding to the options you want to include in the configuration: Source Domain and Target Domain. Each consists of a list from which you can select the domains to which to apply the protection profile. You must have created them in the Domain management screen.
  o Email addresses: enable the checkboxes corresponding to the options you want to include in the configuration: Email sender addresses, Email recipient addresses, Domain lists. Specify a list of addresses for each, separated by commas.
• Settings: select one of the configurations from the drop-down menu. Remember that you must first have set up a configuration in the settings manager.
Once you have configured the profile, click OK to save the changes.

Bear in mind that source domains and sender addresses are taken from the message and can be forged. A profile that relaxes protection (for example, one that disables anti-malware scanning) should therefore not be selected on the basis of the sender alone; key it on recipients, internal user groups or source IP address groups instead.

Centralized protection settings

Introduction and access to the centralized settings
On occasions, the complexity and extension of the corporate networks that Panda GateDefender Performa must protect require more than one appliance to be deployed. Panda GateDefender Performa's Web console allows you to manage the protection provided by the different appliances on the corporate network in a centralized way. In short, centralized protection management lets you:
• Select the appliances or groups of appliances to which you want to remotely and automatically establish and apply protection settings.
• Select the protection settings applicable to the different appliances.
• Select the configuration profiles applicable to the appliances.
• Monitor which settings and profiles have or haven't been applied to each appliance.
It is essential that all appliances whose protection settings are managed centrally have the same system version installed.
By using this feature, you will not have to connect individually to each of the appliances every time you want to apply a protection configuration. You only have to enter the login details when you configure the appliances.

Below you will find a summarized description of the screens you'll have to use to remotely and centrally manage the appliances deployed on your network. As you can see, the configuration is simple and intuitive.

Basic process for centrally configuring the protection

1. Determine the appliances or groups of appliances to which you want to centrally apply the settings. To do this, click the Settings menu in the main Console screen. Then, select Profiles > List of appliances. In the List of appliances screen you can indicate which appliances or groups you want to manage. You can add new appliances or groups, modify them or delete them. You can change the structure of any group, adding or removing appliances.
2. Protection management. From the Assign settings to other appliances screen, you can establish whether you want to manage individual appliances or the groups defined in the previous step. Once you have selected the configuration, you can apply it directly to all appliances. This configuration will be the main or default settings on the target appliances.
3. If you want to create or edit protection settings to apply to managed appliances, use the Settings management screen.

Additional: Profile selection

You may want to apply certain configuration profiles to appliances or groups of appliances. In this case, the Profile selection screen lets you select new profiles and assign them, along with the corresponding configuration, to appliances or groups of appliances. You can create or edit configuration profiles from the Create and modify profile settings screen.
As you can see in this screen, a profile specifies the user group, domains, IP address group, etc., to which a certain configuration is applied (for example, blocking access to certain Web content for the group of IP addresses 172.16.*.*).

List of appliances

These screens let you indicate which appliances or groups you want to manage. You can add new appliances or groups, modify them or delete them. You can change the structure of any group, adding or removing appliances. To access the List of appliances screen, click the Settings menu in the main console screen, and select Profiles > List of appliances.

Manageable appliances

In the Manageable appliances section you will see the appliances with their name and console IP. To add a new appliance, click Add. In the Appliance details screen, enter the data needed in order to manage an appliance remotely:
• Name: a name to identify the appliance.
• IP: IP address used to access the console.
• User: name of a user with full administration permissions.
• Password: user password.
• Group: group to which the appliance belongs. This parameter is optional.
• Comment: here you can add additional information. This field is optional.
Then click Save.

Manageable groups

In the Groups of manageable appliances section you will see groups of appliances, the names of each appliance in the group and the IP address of the console of each appliance. To add a new group, click Add. In the Group details screen, enter the data needed in order to manage a group remotely:
• Name: name identifying the group.
• Appliances in the group: the table shows appliances that are not assigned to any group. Use the checkboxes to select the appliances that will make up the group.
Then click Save.

Assigning settings to other appliances

Once you have defined, in the List of appliances screen, the appliances and groups of appliances you want to configure remotely, you can assign and apply protection settings.
If you want to create or edit protection settings to apply to managed appliances, use the Settings management screen. You may want to apply certain configuration profiles to appliances or groups of appliances. In this case, the Profile selection screen lets you select new profiles and assign them to appliances or groups of appliances. You can create or edit configuration profiles from the Create and modify profile settings screen.

Assigning settings to other appliances
1. Click the Settings menu in the main Console screen.
2. Select Profiles > Assigning settings to other appliances.
3. In the Appliances section, select the appliance to which you want to assign and apply the settings. When you click on the name of an appliance, you will access the corresponding Web console.
4. Click Modify to access the Centralized management screen.
5. In the Settings menu, select the settings to assign to the appliance.
6. Click Set. The Apply button will only be visible when you select settings from the drop-down menu. If you want to send an associated settings profile instead, click Edit list to access the Profile selection screen. Click Save.

Assigning settings to groups of appliances
1. Click the Settings menu in the main Console screen.
2. Select Profiles > Assigning settings to other appliances.
3. In the Groups of Appliances section, select the group to which you want to assign and apply the settings. When you click the triangle next to the group name, you will see the appliances in the group.
4. Click Modify to access the Centralized management screen.
5. In the Settings menu, select the settings to assign to the group.
6. Click Apply. The Apply button will only be visible when you select settings from the drop-down menu. If you want to send an associated settings profile instead, click Edit list to access the Profile selection screen.
Profile selection

When you use this option in Panda GateDefender Performa, you may need a settings profile other than the one assigned to the appliance in the Assign settings to other appliances screen. You can use Profile selection to resolve this situation. To do this:
1. In the list of Profiles available, select the profile you want to add to the list of assigned profiles and click >>. It will be removed from the list of profiles available and added to the list of profiles assigned.
2. In the list of Profiles assigned, select the profile you want to remove from the list and click <<. It will be removed from the list of profiles assigned and added to the list of profiles available.
3. Click Save. The new profile will appear in the list of profiles in the Assign settings to other appliances screen.

You can create or edit configuration profiles from the Create and modify profile settings screen. As you can see in this screen, a profile specifies the user group, domains, IP address group, etc., to which a certain configuration is applied (for example, blocking access to certain Web content for the group of IP addresses 172.16.*.*).

System settings

General settings

Introduction

Click the Settings menu in the main Console screen. In the System section, you will find the Panda GateDefender Performa general settings options:
• Access the console: This lets you define the configuration IP address, the time after which the configuration console should disconnect automatically, and the management of permissions and passwords for using the console.
• Load balancing/high availability: Lets you configure Panda GateDefender Performa to work in parallel with other units, sharing the workload and increasing the capacity and stability of the protection. The type of load balancing can be configured: automatic or manual.
• System clock: Lets you set the system date and time.
• Explicit proxy: If Panda GateDefender Performa is not operating on the network infrastructure along with a proxy, you will have to enable the internal (explicit) proxy for the various HTTP/HTTPS protection profiles depending on the user.
• HTTPS connections and certificates: To manage HTTPS traffic and scan it for malware, Panda GateDefender Performa has to establish connections that require authentication and certificates.
• Advanced settings
• Quality of Service (QoS) settings: Panda GateDefender Performa has a Quality of Service feature aimed at ensuring that traffic flow reaches its destination with certain levels of performance and minimum delays.

Console access settings

Console access

In this screen you can configure different general aspects of the console, such as:

Users
You can configure the users that can access the Web console, their passwords and permissions. You can add new users and edit existing ones by selecting them and then clicking the corresponding buttons. This will take you to the Edit user screen. The default user cannot be deleted and its permissions cannot be changed.

Configuration IP
• Configuration IP address. This IP address is vital for accessing the console (not remote). This address must be unique within the organization. The default IP is 172.16.1.1 and the default net mask is 255.255.255.0.
• The subnets or IP addresses from which users can access. Select Access is only available from the following IPs or subnets. Use the corresponding buttons to add, modify or remove IPs and subnets.

Automatic disconnection of the Web console
• Automatically disconnect the Web console after a certain period of inactivity. By default, the console will disconnect after thirty minutes of inactivity.

In order to view the factory settings of the appliance, click here.

Editing users

Panda GateDefender Performa lets you change the user name and password for logging into the Web administration console.
It also lets you assign different permissions to each user, depending on the specific needs of your organization. Users will be able to access functions in accordance with the specific permissions they have.

Panda GateDefender Performa will ask for a user name and password whenever anyone accesses the Web administration console. The default user is defaultuser and the default password is defaultpass. It is advisable to change these details, at least the first time you access the Web administration console. For security reasons, the default user cannot be deleted and its Complete Administration permissions cannot be changed.

Enter the following data:
1. User name.
2. Password (twice). Remember that:
• The password must be 6 to 12 characters long (numbers and/or letters).
• Panda GateDefender Performa does not allow you to copy and paste.
• The feature in some browsers that allows you to save previously entered data is disabled.
If you lose or forget these details, you can recover the factory settings.
3. Permissions. In corporate environments there may be several users that need to access the console, and each of them may need different permissions depending on the tasks they have to carry out. Panda GateDefender Performa includes four types of permissions:
• Monitoring: Users have permission to access the Status, Reports and Services screens.
• Protection settings: Users have permission to access the Protection settings, Definitions, Profiles, Quarantine and Warnings screens.
• Complete administration: Users can access all console functions, including Updates, License management and Tools.
If all three checkboxes are selected, the user will have Complete administration permissions.

Console access through the configuration IP address

Panda GateDefender Performa has a configuration IP address, which is used to access the web console. This IP address must be unique and different from the network IP address.
• Configuration IP address. This is the IP address that must be used to access the settings web console.
• Network IP address. This is the IP address that Panda GateDefender Performa uses to establish connections (to update, send warnings, etc.). It is configured through the System settings - Network environment window.

All Panda GateDefender Performa units are configured with the same configuration IP address by default. You can change it, but bear in mind that if you forget it, you won't be able to access the settings web console unless you restore the factory settings of the appliance. For information about the factory settings, click here.

What's more, this configuration IP address must not be in use by any other device in the network. If several Panda GateDefender Performa units are connected in parallel, set a unique configuration IP address for each of them.

After setting the configuration IP address, you can access the appliance from both sides of Panda GateDefender Performa, as you can access the console through this IP address or through any of the network interface cards of Panda GateDefender Performa.

Automatic disconnection of the Web console

You can configure the Web console to automatically disconnect after a certain period of inactivity. To do this:
• Enable the Automatically disconnect the Web console after XX minutes of inactivity checkbox in the System settings screen.
• In the textbox, enter the number of minutes before the Web console will disconnect.

After completing these steps, the console will stop functioning if no operations are carried out for the specified period of time. If this happens, in order to use the console again, you will have to log on again.

Load balancing/high availability

Introduction

Panda GateDefender Performa offers three operational modes:
1. Normal or isolated
2. High availability
3. Load balancing

Normal

In normal mode, a single appliance protects the internal network. Both outbound traffic (originating from the internal network) and inbound traffic (originating from the external network) pass through it and are filtered.

Load balancing

Load balancing allows the workload to be shared between several Panda GateDefender Performa units. This provides better performance and fault tolerance. By using this system, if one of the units fails, the rest will take care of the workload automatically. The time that passes between one unit failing and the rest taking over its workload is no longer than fifteen seconds.

So that load-balancing appliances can communicate with each other, IP multicast is required, meaning that all appliances must have their configuration interfaces on the same subnet. When a new appliance is installed and configured on a load-balancing cluster, Panda GateDefender Performa detects it automatically and re-organizes load-balancing depending on the new total number of appliances in the cluster.

High availability

If load-balancing is disabled, Panda GateDefender Performa allows appliances to operate in high availability mode when connected in parallel. In this case it will not be necessary to use IP multicast, as the appliances do not communicate with each other.

Both load balancing and high availability require the bypass mechanism to be disabled in those appliances with these types of cards.

Bypass

The appliance network cards offer bypass functions, so that:
- Without bypass or with bypass disabled: If the appliance is switched off (e.g. if the power supply is interrupted) or restarted (system or service restart), traffic cannot continue to pass through it. The connection with the external network will be cut off.
- With bypass enabled: If the appliance is switched off or restarted, bypass will be activated, with the advantage that traffic will continue to pass through, but without being filtered.

On activating high availability or load balancing, the bypass function will be disabled. This avoids loops on the network.

STP (Spanning Tree Protocol)

Spanning Tree Protocol is a data link layer protocol (OSI layer 2) that prevents the creation of network loops. Panda GateDefender Performa supports this protocol, as it could be necessary to install appliances in parallel (high availability and load balancing):
- If there are already devices on the network that support STP, it will not be necessary to enable STP on the appliances.
- Otherwise (if there is no device with STP on the network on which the appliances are installed), you will have to enable STP.

To enable STP: Settings > System > General > Advanced settings. In the General settings section, select the checkbox Enable support for STP (Spanning Tree Protocol). Support for STP is enabled by default. It is always advisable to check with the support service before changing any feature in the Advanced settings screen.

Enable load-balancing/high availability
1. Click the Settings menu in the console.
2. In the System section, select High availability/Load balancing.
3. Enable the high availability or load balancing features in the screen as required.
4. If you want to enable load-balancing, enter the multicast IP in the text box.
5. Click Save.

At the bottom of the screen there is a list of load-balancing cluster units. A change to the operational mode of an appliance (slave or master) generates the corresponding system event. To access the console of any appliance in the cluster, click on the name of the appliance. For load-balancing to take effect, the Enable load-balancing checkbox must be selected in all appliances.
Load balancing

Load balancing operation

Load balancing enables Panda GateDefender Performa to increase the availability and capacity of the protection. By spreading the load, more connections can be scanned. Of all the traffic intercepted by the appliance/master node, a certain amount will be 'balanced' among the slaves, which will perform the scans. The load is balanced equally, and distributed so that all nodes have an equal level of occupation. If the master node should crash, one of the slaves will take over its functions, continuing to scan and protect the network.

[Figure: network diagram with three nodes]

Multicast

To perform load balancing and maintain communication between the nodes, multicast is required. Multicast addressing allows information to be sent across a network efficiently to a group of recipients (without broadcasts). For this a group multicast address is needed, through which the nodes send and receive data.

[Figure: multicast diagram (a network node sends data to other nodes)]

In Panda GateDefender Performa it is possible to configure this IP address in the group or cluster. The IP address range is (RFC 3171): 224.0.0.0 - 239.255.255.255. By default, the IP address of the cluster configured in the appliances is 239.0.0.1.

Load-balancing deployment

Deployment of load-balancing involves the following steps:
1. Install/configure the necessary switches on the network
2. Install the first node
3. Configure the system in the node (name, IP addresses, etc.)
4. Connect to the network
5. License
6. Configure the protection (anti-malware, anti-spam, Content Filter, …)
7. Enable load balancing

To complete the deployment:
1. Go to the Settings menu.
2. In the System section, in the General sub-section, click High availability/Load-balancing.
3. Enable the Enable high availability checkbox.
4. Enable the Enable load-balancing checkbox.
5. Configure the cluster multicast IP address.
6. Click Save.
7. Install the second node
8. Configure the system
9. Connect to the network
10. License
11. Configure the protection settings identically as for the first node (if you use QoS, enable it and configure it exactly the same as in the first node). After having configured the first node, you can send the settings information to the other nodes.

Example configuration for a cluster with a master node (node-A) and a slave node (node-B):
1. Enable load-balancing (so that the appliances can communicate, the multicast IP address of the cluster must be the same in all nodes).
2. Master node name: node-A
3. Network IP address of the master node: 192.168.1.1/24
4. Configuration IP address of the master node: 172.16.1.1/24
5. Default gateway: 192.168.1.100
6. Multicast IP of the cluster: 239.0.0.1
7. Slave node name: node-B
8. Network IP address of the slave node: 192.168.1.2/24
9. Configuration IP address of the slave node: 172.16.1.2/24
10. Default gateway: 192.168.1.100
11. Multicast IP of the cluster: 239.0.0.1
12. The protection settings must be exactly the same in all nodes.
13. Load-balancing must be enabled in all nodes.

The Status screen will indicate that the appliance is in load-balancing mode. The list of cluster nodes will also appear. In the High availability/Load-balancing settings screen there is a table with the cluster nodes (indicating the IP of each node and whether it is a master/slave).

High availability

High availability mode

This operational mode improves the availability of the protection offered by Panda GateDefender Performa. High availability mode operates with an active node (through which traffic passes) and one or more passive nodes (through which traffic will pass if the active node fails). Under normal circumstances, with the active node operating, traffic will be filtered by this node and the passive node will not take any action. If the system or services are restarted in the active node, or if the appliance is switched off, the passive node will take care of the filtering.
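The load-balancing deployment above lists the conditions a cluster has to satisfy before it will work: a unique configuration IP on every node (all units ship with the same default), all configuration interfaces on one subnet so that multicast can reach them, the same multicast address from the RFC 3171 range on every node, load-balancing enabled everywhere, and identical protection settings. The Python script below is an added example and is not part of Panda GateDefender Performa or of this guide; it turns those conditions into a pre-deployment check over a constructed description of the node-A/node-B cluster. The Node fields and the protection-settings dictionary are assumptions made for the example, not a format the appliance exports. For a high-availability pair the two multicast checks do not apply, but the duplicate-IP and identical-settings checks do.

```python
import ipaddress
from dataclasses import dataclass

# IPv4 multicast range quoted in the text: 224.0.0.0 - 239.255.255.255 (RFC 3171).
MULTICAST_RANGE = ipaddress.ip_network("224.0.0.0/4")


@dataclass
class Node:
    """Constructed description of one appliance; the field set is an assumption for this example."""
    name: str
    network_ip: str           # network IP address with prefix, e.g. "192.168.1.1/24"
    config_ip: str            # configuration IP address with prefix, e.g. "172.16.1.1/24"
    gateway: str
    multicast_ip: str         # cluster multicast address
    load_balancing: bool      # state of the "Enable load-balancing" checkbox
    protection_settings: dict  # summary of the protection configuration (constructed)


def check_cluster(nodes):
    """Return a list of problems found; an empty list means the cluster is consistent."""
    problems = []
    config_ifaces = [ipaddress.ip_interface(n.config_ip) for n in nodes]

    # 1. Every configuration IP must be unique: all units share the same factory default.
    owner = {}
    for node, iface in zip(nodes, config_ifaces):
        if iface.ip in owner:
            problems.append(f"{node.name}: configuration IP {iface.ip} duplicates {owner[iface.ip]}")
        else:
            owner[iface.ip] = node.name

    # 2. Multicast between nodes requires all configuration interfaces on the same subnet.
    subnets = sorted({iface.network for iface in config_ifaces})
    if len(subnets) > 1:
        problems.append("configuration interfaces span several subnets: "
                        + ", ".join(str(s) for s in subnets))

    # 3. The multicast address must lie in the multicast range and be identical on every node.
    mcasts = sorted({n.multicast_ip for n in nodes})
    for addr in mcasts:
        if ipaddress.ip_address(addr) not in MULTICAST_RANGE:
            problems.append(f"multicast address {addr} is outside 224.0.0.0-239.255.255.255")
    if len(mcasts) > 1:
        problems.append("nodes disagree on the cluster multicast address: " + ", ".join(mcasts))

    # 4. Load-balancing only takes effect when it is enabled on all nodes.
    for node in nodes:
        if not node.load_balancing:
            problems.append(f"{node.name}: load-balancing is not enabled")

    # 5. The protection settings must be exactly the same in all nodes.
    reference = nodes[0].protection_settings
    for node in nodes[1:]:
        current = node.protection_settings
        differing = sorted(k for k in set(reference) | set(current)
                           if reference.get(k) != current.get(k))
        if differing:
            problems.append(f"{node.name}: protection settings differ from {nodes[0].name} "
                            f"in {', '.join(differing)}")
    return problems


# Constructed sample: the two-node cluster from the deployment example above.
PROTECTION = {"anti_malware": True, "anti_spam": True, "content_filter": True, "qos": True}
NODE_A = Node("node-A", "192.168.1.1/24", "172.16.1.1/24", "192.168.1.100", "239.0.0.1", True, dict(PROTECTION))
NODE_B = Node("node-B", "192.168.1.2/24", "172.16.1.2/24", "192.168.1.100", "239.0.0.1", True, dict(PROTECTION))

# Constructed misconfigured third node: default configuration IP left unchanged, multicast address
# outside the multicast range, load-balancing not enabled and QoS configured differently.
NODE_C = Node("node-C", "192.168.1.3/24", "172.16.1.1/24", "192.168.1.100", "10.0.0.1", False,
              {**PROTECTION, "qos": False})

if __name__ == "__main__":
    for problem in check_cluster([NODE_A, NODE_B, NODE_C]):
        print("-", problem)
```

Run the script as-is to see the five findings for the three-node sample; a clean two-node cluster yields an empty list. The subnet check uses the configuration interfaces, not the network interfaces, because that is where the guide says the multicast communication takes place.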
Deployment in High Availability mode

Deployment of high availability involves the following steps:
1. Install/configure the necessary switches on the network
2. Install the first node
3. Configure the system in the node (name, IP addresses, etc.)
4. Connect to the network
5. License
6. Configure the protection (anti-malware, anti-spam, Content Filter, …)
7. Enable high availability

To complete the deployment:
1. Go to the Settings menu.
2. In the System section, in the General sub-section, click High availability/Load-balancing.
3. Enable the Enable high availability checkbox.
4. Click Save.
5. Install the second node
6. Configure the system
7. Connect to the network
8. License
9. Configure the protection settings identically as for the first node (if you use QoS, enable it and configure it exactly the same as in the first node). After having configured the first node, you can send the settings information to the other nodes.

System clock

In this window, apart from showing the date and time of the appliance, you can also set it (in 24-hour format). First of all, the screen shows the system date and time. Then, Panda GateDefender Performa allows you to set the date and time of the appliance. To do this, specify:
• The Date format: either day/month/year or month/day/year.
• The Time zone.
• Manual setting. You can manually edit the date and time.
• Automatic setting using NTP. Enter the address/URL of the NTP server.

Explicit proxy

If Panda GateDefender Performa is not operating on the network infrastructure along with a proxy, you will have to enable the internal (explicit) proxy for the various HTTP/HTTPS protection profiles depending on the user. As with a normal proxy, the user must be included in one of the local or remote groups (LDAP servers) defined in Panda GateDefender Performa. The protection profile will be defined by the group to which the user belongs.
The user must be able to authenticate in the Panda GateDefender Performa internal proxy. Although this authentication is optional, it is required in order to apply the profile. To access the internal proxy, the IP of the user must belong to one of the internal networks configured in Panda GateDefender Performa.

Restricted access attempts generate a system event which can be seen in the Security reports screen. In the Warnings settings screen you can configure this event to be notified to a remote Syslog server.

Explicit proxy settings screen

The proxy can be configured from System » General » Explicit proxy. To enable the explicit proxy you must have previously configured the internal networks. Firstly, select Enable operation as proxy for HTTP/HTTPS. Then configure the proxy IP, the network mask, and the HTTP and HTTPS ports on which the proxy will listen. If you configure the proxy with an IP that already exists on the network, a duplicate IP event is generated, which you will see in the System Report screen, along with a warning that will appear in the Status screen.

Select the Use authentication checkbox and click Select users to configure the groups that can use the internal proxy. It is also possible to enable a page cache to increase browsing speed (the cache size is 1024 MB). Use the Clear button to empty the cache.

HTTPS connections and certificates

Introduction

Panda GateDefender Performa can scan encrypted HTTPS traffic for malware, in the same way as for HTTP. HTTPS traffic is basically HTTP traffic across a secure TLS channel (Transport Layer Security, previously SSL). One of the phases in establishing the TLS channel is the authentication of the server's identity. This authentication is based on digital certificates signed by a certification authority.
In order for the encrypted traffic to be scanned in Panda GateDefender Performa, two encrypted connections must be established: one between the client and Panda GateDefender Performa, and the other between the appliance and the server. Without the interception by the appliance, there is only one encrypted connection, between the client and the server.

This type of connection means that not only does Panda GateDefender Performa have to authenticate the server, but the client will also authenticate Panda GateDefender Performa. In practice, Panda GateDefender Performa authenticates as if it were the server delivering the page in question. All of this requires management of digital certificates and certification authorities, which can be done in the Panda GateDefender Performa Web console, through System > General > HTTPS connections and certificates.

Normally, servers are authenticated by the client browser, although in some rare cases a server may require authentication of the client. This represents a limitation for Panda GateDefender Performa, because client authentication cannot be handled by the transparent interception. However, it is possible to use IP white lists, so that such traffic is not intercepted.

SSL connection policies

To access the screen for configuring SSL connections and certificates, click System » General » HTTPS connections and certificates. By enabling the corresponding checkboxes, you can prevent connections in either of these two situations:
• Don't allow connections with servers with invalid certificates for Panda GateDefender Performa: The certificate presented by the server must be signed by one of the certificate authorities configured in GateDefender. If this condition is not met, the corresponding system event will be generated, and will be visible in the System events screen.
• Don't allow expired certificates: Do not allow connections if the certificate is expired.
If this condition is not met, the corresponding system event will be generated, and will be visible in the System events screen.

HTTPS URL white list

Panda GateDefender Performa lets you define a list of domains, sites or specific pages for which the validity of the certificate will not be checked. To apply this white list, click Enable use of the white list; you will go to the HTTPS URL white list screen, where you can define the list.

Certification authorities

Internal certification authority for signing certificates

This certification authority will be used by Panda GateDefender Performa for generating the certificates that are sent to end users. You can download the corresponding certificate for users to install in their browsers, to prevent them from getting SSL security warnings. The file extension is .crt to ensure compatibility with Internet Explorer.

You can import a certification authority certificate to use to generate certificates. In this case you will have to import the private key (RSA or DSA) used to sign them.

You can either download a new internal certification authority or edit an existing one. Either option, in the case of appliances operating in load-balancing mode, means that this change will have to be exported to the other units, to avoid having to install different certificates on clients for each appliance. The Export private key button will only be enabled when modifications have been made to the default certification authority. If you click Restore, the default settings will be restored. You will then have to import the private key (previously exported from another Panda GateDefender Performa) and the certification authority certificate in each of the appliances. Use the Modify button to change the internal certification authority, editing the corresponding data.
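The SSL connection policies and the HTTPS URL white list above define a small decision procedure for every intercepted HTTPS connection: a white-listed URL is not certificate-checked at all; otherwise an expired certificate, or one not signed by a configured certification authority, is refused when the matching checkbox is set and a system event is generated. The Python model below is an added example, not code from Panda GateDefender Performa or this guide. It works on a constructed summary of the server certificate rather than on real TLS handshakes, and the white-list matching rule (an entry with a path matches exactly that page; a bare host name matches that site and its subdomains) is an assumption chosen for the example, since the guide does not spell out how domains, sites and pages are matched.

```python
from dataclasses import dataclass
from datetime import datetime, timezone
from urllib.parse import urlsplit


@dataclass
class ServerCert:
    """Constructed summary of the certificate a server presented (fields are assumptions)."""
    host: str
    issuer: str            # name of the signing certification authority
    not_after: datetime    # expiry date


@dataclass
class HttpsPolicy:
    block_untrusted_issuer: bool      # "Don't allow connections with servers with invalid certificates"
    block_expired: bool               # "Don't allow expired certificates"
    trusted_cas: frozenset            # certification authorities for verifying certificates
    whitelist_enabled: bool = False   # "Enable use of the white list"
    whitelist: tuple = ()             # HTTPS URL white list entries


def url_whitelisted(url, entries):
    """Match a URL against white-list entries (assumed semantics: an entry with a path is an exact
    page; a host-only entry covers that site and all of its subdomains)."""
    parts = urlsplit(url if "://" in url else "https://" + url)
    host = (parts.hostname or "").lower()
    path = parts.path or "/"
    for entry in entries:
        e = urlsplit(entry if "://" in entry else "https://" + entry)
        ehost = (e.hostname or "").lower()
        epath = e.path or "/"
        if epath != "/":
            if host == ehost and path == epath:
                return True
        elif host == ehost or host.endswith("." + ehost):
            return True
    return False


def evaluate_https(url, cert, policy, now):
    """Decide whether an intercepted HTTPS connection is allowed.

    Returns (allowed, events); events are the system-event texts the decision would generate.
    """
    if policy.whitelist_enabled and url_whitelisted(url, policy.whitelist):
        return True, [f"certificate check skipped for white-listed URL {url}"]
    allowed = True
    events = []
    if policy.block_expired and cert.not_after <= now:
        events.append(f"expired certificate presented by {cert.host}: connection refused")
        allowed = False
    if policy.block_untrusted_issuer and cert.issuer not in policy.trusted_cas:
        events.append(f"certificate for {cert.host} not signed by a configured CA "
                      f"({cert.issuer}): connection refused")
        allowed = False
    return allowed, events


# Constructed sample data: a fixed clock, one trusted CA and three server certificates.
NOW = datetime(2010, 6, 1, tzinfo=timezone.utc)
TRUSTED = frozenset({"Example Root CA"})
GOOD_CERT = ServerCert("www.example.com", "Example Root CA", datetime(2011, 1, 1, tzinfo=timezone.utc))
EXPIRED_CERT = ServerCert("old.example.com", "Example Root CA", datetime(2009, 12, 31, tzinfo=timezone.utc))
SELF_SIGNED = ServerCert("intranet.example.com", "intranet.example.com", datetime(2012, 1, 1, tzinfo=timezone.utc))

STRICT = HttpsPolicy(block_untrusted_issuer=True, block_expired=True, trusted_cas=TRUSTED)
WITH_WHITELIST = HttpsPolicy(True, True, TRUSTED, whitelist_enabled=True,
                             whitelist=("intranet.example.com", "https://www.example.com/status"))

if __name__ == "__main__":
    for url, cert in (("https://www.example.com/", GOOD_CERT),
                      ("https://old.example.com/", EXPIRED_CERT),
                      ("https://intranet.example.com/login", SELF_SIGNED)):
        print(url, evaluate_https(url, cert, STRICT, NOW))
        print(url, evaluate_https(url, cert, WITH_WHITELIST, NOW))
```

The sample run shows the trade-off the white list introduces: the self-signed intranet host is refused under the strict policy and accepted once its name is on the list, with no certificate check at all, which is why white-list entries should be as narrow as the traffic allows.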
Certification authorities for verifying certificates

Panda GateDefender Performa offers a list of certification authorities for validating certificates received from HTTPS sites. You can import/export new certificate authorities or delete existing ones, using the corresponding buttons. If you want to see the details of any of the authorities in the list, select it and click View details.

Restoring HTTPS certificate settings

Use the Restore button if you want to restore the Panda GateDefender Performa factory settings for the internal certification authority certificates and certification authorities.

Advanced settings

The parameters on this page must not be modified unless specifically requested by our technical staff. If this is necessary, they will explain the steps to follow.

Quality of Service (QoS) settings

Quality of Service settings

Panda GateDefender Performa has a Quality of Service feature aimed at ensuring that traffic flow reaches its destination with certain levels of performance and minimum delays. Panda GateDefender Performa bases this function on assigning bandwidth to interface outputs.

For the correct operation of QoS in Panda GateDefender Performa, the external interface or NIC1 must be connected to the external network (the Internet, for example), while the internal interface or NIC2 must be connected to the internal network (the corporate network, for example).

Appliance connection

The most basic way of administering QoS in Panda GateDefender Performa is the configuration of bandwidth for each interface.

Existing traffic flow

Downstream traffic goes from the external network to the internal network, passing through NIC1 as inbound traffic, and then through NIC2 as outbound traffic. Upstream traffic goes from the internal network to the external network, as inbound traffic in NIC2 and outbound traffic in NIC1.
Panda GateDefender Performa lets you set the outbound bandwidth for NIC1 and NIC2 (marked in orange in the diagram):
- When you set the maximum outbound traffic in NIC1, this restricts the amount of traffic going to the external network.
- When you set the maximum outbound traffic in NIC2, this restricts the amount of traffic going to the internal network.

Example of a network with QoS based on global bandwidth

Existing network:
- LAN at 100 Mbps
- ADSL with download speed of 6 Mbps and upload of 1 Mbps

Settings:
- Period in which QoS is applied: by default.
- Global bandwidth settings:
o External interface (NIC1): Maximum outbound traffic: 1 Mbps
o Internal interface (NIC2): Maximum outbound traffic: 100 Mbps
- IP and protocol settings: none

Result:
- Maximum upload traffic speed will be 1 Mbps. This will prevent saturating the connection by sending data at more than 1 Mbps.
- Maximum download traffic speed will be 100 Mbps.

To achieve greater control over QoS, you can also use the IP and protocol settings, through which you can define the rules for managing outbound traffic in the external interface or NIC1. Using these settings has the advantage that you can add rules favoring certain types of outbound network traffic. Protocols and the source IP of data packets (which circulate from the internal network to the external network) are used to classify traffic flows. These flows can be assigned guaranteed bandwidth: even if all outbound bandwidth is occupied, if there is guaranteed bandwidth for an IP address/protocol, this will be reserved for that IP/protocol. It is also possible to define maximum bandwidth, thereby controlling the amount of bandwidth for a certain protocol or group of IPs and leaving bandwidth free for other traffic. Finally, traffic priority decides how unused bandwidth is shared out.
QoS sample settings
Concepts used in the examples:
- Downstream traffic: traffic that comes from the Internet or external network and enters the internal network or LAN.
- Upstream traffic: traffic that leaves the LAN or corporate network towards the Internet or external network.
- Inbound traffic (on an interface): traffic that enters through the port of a network card (enters the appliance).
- Outbound traffic (on an interface): traffic that leaves through the port of a network card (leaves the appliance).

Interface identification
The interfaces are identified as follows:
- NIC1: external interface (connected to the Internet or an external network).
- NIC2: internal interface (connected to the corporate network or the internal network to protect).

- Internal or inherent appliance traffic: traffic generated by the network card or by the appliance itself (depending on the deployment).
- Interceptable traffic: traffic that is filtered by the various protection units.

Scenario 1: mail and Web
There is an internal network that generates outbound Web (HTTP) and email (SMTP, POP3) traffic, both with a similar volume. HTTP traffic is considered of low importance and is to be restricted, except for the computer with IP address 192.168.1.112, whose HTTP traffic has high importance.
Existing network:
- Upload BW of the external link: 1024 Kbps
- Download BW of the external link: 100 Mbps

QoS settings (must be adjusted to the bandwidth above):
- Maximum outbound traffic for the external interface (NIC1): 1024 Kbps
- Maximum outbound traffic for the internal interface (NIC2): 100 Mbps
- Reserved bandwidth: 5 %

The following rules are created:

Rule  Source IP          Protocol  Guaranteed BW  BW limit     Priority
1     192.168.1.112/32   HTTP      300 Kbps       Not limited  High
2     192.168.1.0/24     HTTP      0 Kbps         200 Kbps     Low
3     192.168.2.0/24     HTTP      0 Kbps         200 Kbps     Low
4     Any                SMTP      400 Kbps       Not limited  Medium
5     Any                POP3      100 Kbps       Not limited  Medium

• Rule 1: provides guaranteed BW of 300 Kbps to HTTP traffic originating from IP 192.168.1.112. It also has high priority so that it gets any free BW if required.
• Rule 2: for the rest of subnet 192.168.1.0/24, HTTP traffic has no guaranteed BW and is limited to 200 Kbps. Its priority is low so that it does not compete for free BW.
• Rule 3: for the whole 192.168.2.0/24 subnet, the same as the previous rule: HTTP traffic limited to 200 Kbps with low priority.
• Rule 4: SMTP traffic, whatever its origin, is guaranteed 400 Kbps (outbound) and has medium priority.
• Rule 5: POP3 traffic, whatever its origin, is guaranteed 100 Kbps (outbound) and also has medium priority.

The buttons beside the list let you move the selected rule up and down. Rules are applied in the order in which they are listed: the first matching rule wins. In this scenario, rule 1 must be listed before rule 2; otherwise traffic from host 192.168.1.112 would match rule 2 (192.168.1.0/24) and be limited to 200 Kbps instead of receiving its guarantee.

Scenario 2: Web
There is an internal network from which outbound Web (HTTP, HTTPS) traffic originates, together with traffic that does not match any rule. HTTP and HTTPS traffic is considered important; the smaller volume of traffic from other protocols is given less importance.
Existing network:
- Upload BW of the external link: 512 Kbps
- Download BW of the external link: 100 Mbps

QoS settings (must be adjusted to the bandwidth above):
- Maximum outbound traffic for the external interface (NIC1): 512 Kbps
- Maximum outbound traffic for the internal interface (NIC2): 100 Mbps
- Reserved bandwidth: 5 %

The following rules are created:

Rule  Source IP  Protocol  Guaranteed BW  BW limit     Priority
1     Any        HTTP      200 Kbps       Not limited  High
2     Any        HTTPS     200 Kbps       Not limited  High

• Rule 1: guaranteed BW of 200 Kbps for HTTP traffic, with high priority so that it gets any free BW if required.
• Rule 2: guaranteed BW of 200 Kbps for HTTPS traffic, also with high priority.

The rest of the traffic has medium priority, so it does not compete with the rules above for free BW.

Network settings

Network environment
Configure the Panda GateDefender Performa network environment (IP address, net mask, default gateway, proxy server IP address and DNS servers) to access the Internet in the same way as you would configure Internet access for any other computer in the same subnet. The factory settings of Panda GateDefender Performa are listed in the corresponding section of this guide.

After configuring these parameters, Panda GateDefender Performa will be able to:
• Connect to the Internet to look for updates.
• Send warnings to any computer.
• Download the license file, etc.

Check that the data entered is valid and consistent; otherwise Panda GateDefender Performa will not be able to establish the connections it needs to operate correctly.

Enter the following data:
• Panda GateDefender Performa name
• Network data
• Additional routing table
• DNS servers
• Internet access via HTTP proxy
• Virtual MAC addresses

Panda GateDefender Performa name
Name that identifies the Panda GateDefender Performa unit within the organization. It is used in warnings to specify which appliance sent them.
This is not a NetBIOS name.

Network data
Data (network IP address, net mask and default gateway) used by Panda GateDefender Performa to connect to the Internet. As it works as a bridge, the appliance needs only one IP address, which it uses to establish connections through any of its network interface cards. The appliance uses the network interface card connected to the network in which the target of the connection is located.

Additional routes table
This allows static routes to be defined. The appliance uses these routes when it needs to connect to subnets that cannot be reached through the default gateway; for example, when the server to which it must send warning messages is in a different subnet. You can add new routes by clicking the New button and entering the following data:
• Target: IP address of the host, or of the subnet, that the route applies to.
• Net mask: used together with the target to determine when the route is used.
• Gateway: IP address of the router to which traffic for the recipients determined by Target and Net mask is sent.

DNS servers
IP addresses of the DNS servers that Panda GateDefender Performa must use to resolve domain names and IP addresses. You can specify a preferred DNS server and up to two alternative DNS servers, which are used if the preferred server cannot be reached or returns an error. The appliance ships with a default DNS server, which you can replace with the IP addresses of the DNS servers you want to use.

Internet access via HTTP proxy
If Panda GateDefender Performa will access the Internet via a proxy server, enable the checkbox and enter the following data:
• IP address of the proxy and the port it uses.
• If the proxy server requires authentication, enable the Requires authentication checkbox and enter a valid user name and password for the proxy.

Virtual MAC addresses
Some devices used in complex networks use virtual MAC addresses (usually devices working in load-balancing mode). In this case, the unit needs to know which of its two network interface cards is connected to each virtual MAC address used in the organization. Click the Specify virtual MAC addresses link to associate each virtual MAC address with the corresponding network interface card of the appliance.

Network interfaces
By default, the network cards of Panda GateDefender Performa are in Autonegotiation mode with autonegotiated speed. It is not advisable to force a specific mode (half-duplex or full-duplex) or a specific speed (10 Mbps, 100 Mbps, 1 Gbps). However, if really necessary, you can configure the operational mode and speed of each network interface card. The options are:
• AutoSensing/Autonegotiation. This is the recommended default mode. If you select it, Panda GateDefender Performa negotiates both the operational mode and the speed of the network interface.
• Full-duplex. Communication mode in which nodes can send and receive data simultaneously. Full-duplex communication usually requires flow control to ensure that neither device sends data faster than the other can receive it.
• Half-duplex. Communication mode in which data travels between two points in only one direction at a time (either of the two). Data cannot be sent and received at the same time, as it can with full-duplex communication.

When a hub is used to interconnect several devices, all of them should operate in the same mode (half-duplex or full-duplex). If they work in different modes, communication between them will not be effective.
In these circumstances, forcing the cards to work in full-duplex or half-duplex mode could cause problems, considerably reducing network and appliance performance. When switches are used to connect devices, however, each device can work in a different mode.

You can also configure a fixed speed for the network interface card, provided that Autonegotiation is not selected as the mode. The available speeds are:
• 10 Mbps
• 100 Mbps
• 1 Gbps

In most cases the default mode (AutoSensing/Autonegotiation) is the most appropriate. If you select Autonegotiation mode you cannot configure a fixed speed, as autonegotiation governs both mode and speed.

Additional port settings
The system intercepts and filters the traffic of each protocol on its standard port. You can also enter additional ports for each protocol. To open the Port settings screen, click the Settings menu in the console and, in the Network section, select Additional ports. Traffic on the standard ports and on the additional ports entered is scanned by Panda GateDefender Performa.

Protocol  Default port
HTTP      80
HTTPS     443
FTP       21
SMTP      25
POP3      110
IMAP4     143
NNTP      119

Panda GateDefender Performa does not allow you to enter the following ports:
• Invalid ports (higher than 65535, for example).
• Standard ports, as traffic on these ports is always scanned (they are defined in the factory settings and used by default).
• Ports already entered for another protocol.

Panda GateDefender Performa does not scan traffic on non-standard ports that are not included in the additional ports configured here.

Managing internal networks
Defining internal networks lets Panda GateDefender Performa classify SMTP messages as inbound or outbound. This configuration is necessary for the anti-spam, anti-phishing and content-filter protections to operate correctly.
SMTP messages are classified as inbound in the following cases:
• No internal networks have been defined. In this case, all SMTP mail is considered inbound.
• The source IP address does not belong to any of the networks in the list of internal networks.
• The source IP address matches one of the IPs in the list of excluded IPs.

SMTP mail is classified as outbound when the source IP address belongs to one of the internal networks defined (and is not an excluded IP).

Adding internal networks
To open the Internal network management screen, click the Settings menu in the console and, in the Network section, select Internal networks. To add an internal network, enter the network address in the Subnet box and click Add. The network address must be specified in CIDR format (e.g. 192.168.0.0/16). Individual IP addresses are specified with a 32-bit mask (e.g. 192.168.5.205/32). Repeat these steps for each network in your organization. To remove an internal network, select it in the list, click Delete and accept the confirmation message. To import or export the contents of the list, refer to the section Import / Export files or lists.

The IP addresses defined in the list of internal networks also have access to the HTTP/HTTPS explicit proxy.

Excluded IPs
1. To add an IP to the list, enter it in the IP address box and click Add. Repeat this step for every IP you want to add.
2. To remove an IP, select it in the list, click Delete and accept the confirmation message.
3. Click Export to export the contents of the list to a text file. Each line in the file is one entry in the list.
4. Click Import to display the file import screen. Use the Browse button to locate a file containing the list to import. Click Save for the settings to take effect.

The IP addresses included in the list of excluded IPs do not have access to the HTTP/HTTPS explicit proxy.
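As an added example (not Panda's code), the block below implements the inbound/outbound decision the three rules above describe, driven by an internal-network list in the console's CIDR format and an excluded-IP list. The subnets, the excluded relay address and the sample messages are constructed; the function and parameter names are the example's own.

```python
"""SMTP direction classification from the internal-network and excluded-IP
lists, as described under Managing internal networks. Added illustration,
not Panda GateDefender Performa code; all data below is constructed."""
import ipaddress
from typing import Iterable, List, Set


def load_subnets(lines: Iterable[str]) -> List[ipaddress.IPv4Network]:
    """Parse entries in the console's CIDR format, one per line.

    strict=True mirrors the requirement that an entry be a network address:
    '192.168.0.0/16' and '192.168.5.205/32' are accepted, while
    '192.168.5.205/24' raises ValueError instead of silently widening a
    single host into a whole subnet.
    """
    nets = []
    for line in lines:
        line = line.strip()
        if line and not line.startswith("#"):
            nets.append(ipaddress.ip_network(line, strict=True))
    return nets


def classify_smtp(source_ip: str,
                  internal_networks: List[ipaddress.IPv4Network],
                  excluded_ips: Set[ipaddress.IPv4Address]) -> str:
    """Return 'inbound' or 'outbound' following the manual's rules."""
    if not internal_networks:              # nothing defined: everything is inbound
        return "inbound"
    ip = ipaddress.ip_address(source_ip)
    if ip in excluded_ips:                 # excluded IPs are always inbound
        return "inbound"
    if any(ip in net for net in internal_networks):
        return "outbound"
    return "inbound"                       # source outside every internal network


# Constructed configuration: the LAN, a branch subnet and one single host.
INTERNAL_NETWORKS = load_subnets([
    "192.168.0.0/16",
    "10.1.0.0/24",
    "172.16.5.205/32",
])
# Constructed exclusion: a relay inside the LAN range whose mail must still be
# treated as inbound because it forwards mail received from the Internet.
EXCLUDED_IPS = {ipaddress.ip_address("192.168.1.25")}

# Constructed sample of (source IP, sender, recipient) as seen by the appliance.
SAMPLE_MESSAGES = [
    ("192.168.1.10", "alice@example.com", "bob@partner.example"),
    ("192.168.1.25", "news@partner.example", "alice@example.com"),
    ("203.0.113.7", "offer@mail.test", "alice@example.com"),
    ("172.16.5.205", "erp@example.com", "supplier@partner.example"),
]


def classify_batch(messages, internal_networks=INTERNAL_NETWORKS,
                   excluded_ips=EXCLUDED_IPS):
    """Tag every sample message with the direction the protections will use."""
    return [(src, classify_smtp(src, internal_networks, excluded_ips))
            for src, _sender, _recipient in messages]


if __name__ == "__main__":
    for src, direction in classify_batch(SAMPLE_MESSAGES):
        print(f"{src:15} {direction}")
```

The empty-list case is the one to watch when first deploying the appliance: with no internal networks defined, mail leaving the LAN is classified as inbound and subjected to the inbound anti-spam and anti-phishing checks, which is rarely what is intended.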
Managing internal domains
You must define internal domains for the protection of SMTP relay servers to operate correctly (configured under the advanced anti-spam protection options for SMTP). This protection classifies every inbound SMTP message addressed to an unknown recipient as spam. The recipient of a message is considered unknown in the following cases:
• No internal domains have been defined. In this case, all SMTP messages are treated as addressed to unknown recipients.
• The domain of the recipient address does not match any of the internal domains defined.
The recipient of an SMTP message is considered known when the domain of the address is in the list of internal domains.

Adding internal domains
To open the Internal domain management screen, click the Settings menu in the console and, in the Network section, select Internal domains.
1. To add a domain to the list, enter the domain name in the New section and click Add. Repeat for each domain in your organization.
2. To delete a domain from the list, select it and click Delete.
3. To import or export the contents of the list, refer to the section Import / Export files or lists.

Configuring the updates

Introduction to updates
Panda GateDefender Performa periodically carries out updates that do not interfere with the operation of the unit and never allow traffic to enter or leave the corporate network unscanned. There are three types of updates:
• Update definition files for malware, spam rules and web filtering categories. Panda GateDefender Performa attempts this type of update every fifteen minutes.
• System software upgrade: for example, the operating system, the hardware drivers, the web server used to display the administration console, or the malware and spam scan and detection engines.
• Install hotfixes: lets you view the hotfixes installed and install new ones.
The appliance is updated via the Internet. Panda GateDefender Performa checks at regular intervals whether new updates are available.
• The definition files are updated automatically every 15 minutes and a system event with the result is generated. An email message is also sent if the corresponding option is enabled and the SMTP server for sending warnings has been defined.
• For system software, Panda GateDefender Performa reports that an update is available and the administrator decides when to install it (by clicking the corresponding option in the Update - System software upgrade window).

Panda GateDefender Performa only updates the definition files of the protection modules that have an active license.

Updating the protection software
Panda GateDefender Performa periodically looks for updates of the malware signature file, spam rules and web filter categories, provided the license is active. Although the update process is automatic, you can perform an on-demand update of malware signatures and Web filtering categories at any time by clicking the Update now button in the Automatic update of the protection software section.

Enable sending of notifications
You can also configure a message to be sent with the results of the updates. To do this, open Warnings: Events to report and select the events for which warnings are sent to the administrator and to the sender. The warnings are sent using the email accounts and the SMTP, Syslog and SNMP settings configured previously.

Update settings
Panda GateDefender Performa lets you select how malware signatures are updated.
1. To keep updating them through the Internet, select the From the Internet option.
2. To update locally, select From a local server and enter the URL of the pavsig.zip file in the Update URL text box.
3. Click Save.
4. Confirm that you want to perform updates locally.
5. Once the Panda GateDefender Performa services have restarted, click OK. This takes you to the Status screen.

If you select From a local server, the protection modules that require an Internet connection (anti-spam, IM/P2P protocol and Web filtering, spam quarantine, spam detected report, Web and IM/P2P protocol filtering report) are disabled for as long as Panda GateDefender Performa works in local mode.

Updating the system software
System software (firmware) includes all software used by the appliance except the definition files: for example, the operating system, the hardware drivers, the Web server used to display the administration console, or the malware and spam scan and detection engines. The appliance looks for software updates every 12 hours. When an update is available:
• A warning is displayed on the Update page under Update system software.
• A system event is generated.

Before updating the system software, you can find out about the new version by clicking the link "For more information about the new features in this version, click here". If the update is 1 MB or less, a Web page opens with information about the new version and the steps to follow to download and install it.

To perform the update, click Update. The compressed file is downloaded first; a progress bar shows the status of the download, the kilobytes downloaded and the total size.

The console indicates whether a system software update is available. The appliance can also send you an email: if you want an email notification when an update is available, click the link and configure the target email account(s).
If the console and the appliance web server have problems establishing a connection, after you accept the warning in the browser Panda GateDefender Performa opens the access page. In this case, log in again and go to the System software update page. The console shows the current status of the download and of the application of the update.

Hotfix management
Hotfixes are updates containing improvements and solutions to problems. Every month a new hotfix pack is published on our Web page. Follow these steps to find the published hotfixes:
1. Go to the following page: http://www.pandasecurity.com/enterprise/support/
2. In the section Other corporate solutions, select your version of Panda GateDefender Performa from the drop-down menu and click Find.
3. From the first drop-down menu select Solve incidents with the product, and from the second select Solve other incidents with the product. Click Find.
4. A list of incidents and available hotfix packs appears. You can use the drop-down menu to order the list by date or by number of visits.
5. Select the hotfix pack you require.
6. A page appears with detailed information on the hotfix pack and a download link.
7. There are two options:
   • If the hotfix pack is a compressed file (zip or tgz), you can install it from the Panda GateDefender Performa console, following the instructions below.
   • If the hotfix pack is an ISO image, follow the instructions given on the Web page.

If you have downloaded a hotfix pack as a zip or tgz file, follow these steps to install it from the Panda GateDefender Performa console:
1. In the Panda GateDefender Performa console, click Settings.
2. In the Update section, click Update settings.
3. In Hotfix management, click the link here.
4. Go to the Hotfix management screen to see a chronological list of the hotfixes installed.
5. Click Browse and find the ZIP or TGZ file you have just downloaded.
6. Click Install hotfix.
7. Click Install now to start the process.

Once the hotfix has been installed, it appears in the list with its details (Name, Description and Installation date). The list of installed hotfixes is in reverse chronological order.

Hotfix management
To uninstall the most recently installed hotfix, use the Uninstall button. Confirm the uninstallation; when it finishes, the hotfix disappears from the list, which then shows the hotfix installed before it. If the uninstallation requires a restart, this is indicated on the uninstallation confirmation screen.

Error in the installation/uninstallation
If an error occurs when installing or uninstalling a hotfix, you can contact Panda Security's technical services directly, as indicated in the error message, or try to install or uninstall the hotfix again from the Hotfix management screen. If the appliance must be restarted after uninstalling the hotfix, a message is displayed on the Hotfix uninstallation confirmation screen.

Domain users

Managing LDAP servers
If you use LDAP, you can obtain a list of users or user groups to which a specific security policy can be applied in the configuration of protection profiles. To do this, in the Settings menu of the main window, select Domain users > LDAP sources.

LDAP servers
Follow these steps to add or modify LDAP servers. Click Add (to enter a new LDAP server) or Modify (to modify an existing one). This takes you to the Definitions: LDAP servers screen, with the following options:
• Name: descriptive name of the server.
• Server/IP: IP address of the server. Enter it directly or, if you have defined it previously, click the icon, select the server from the list and then select the value you want from the drop-down menu.
• BaseDN: the base from which to look up information on the LDAP server.
• Type of server: when you select one of the default types, the User and User groups fields are completed automatically. If your server has special characteristics, these data can also be specified manually. The types are:
  o Active Directory
  o LDAP v3
• Names of the attributes defined on the LDAP server: complete or modify these fields to map the attribute names of the LDAP server to those used by Panda GateDefender Performa. The fields are:
  o For the user: ObjectClass, User ID, Name, Email, Description.
  o For the user group: ObjectClass, Group ID, Member, Description.
• Port: port used to connect to the server. The default port is 389.
• SSL connections: connect to the server over SSL.
• Bind DN (optional): the DN with which the appliance identifies itself to the LDAP server. Only required if the server requires authentication.
• Password and Repeat password (optional): the password for the Bind DN. If you configure a Bind DN and password, enable SSL connections as well; a simple bind over plain port 389 sends the password in clear text on the network.
• Description (optional).

Management of servers with validation
Panda GateDefender Performa lets you specify servers that validate users through LDAP. In this way you obtain LDAP groups to which a specific security policy can be applied in the configuration of protection profiles. To do this, in the Settings menu of the main window, select Domain users > User authentication.

Servers with validation
In the Servers with validation section, click Add (to enter a new address) or Modify (to modify an existing one). This takes you to the Definitions: Servers with validation screen, which displays the following options:
• Name: a name for the server.
• Server IP address: enter it directly or, if you have defined it previously, click the icon, select the server from the list and then select the value you want from the drop-down menu.
• Protocol: protocol served by the server: HTTP, FTP, SMTP, POP3 or IMAP4.
• LDAP servers: LDAP server that performs the validation.
The drop-down menu contains the option localusers, for users defined internally on the appliance, plus the LDAP servers defined previously on the Definitions: LDAP source management screen.
• Description (optional).

Agent to identify domain users
You can identify users in environments with Kerberos authentication using agents installed on the domain controllers. You can also apply protection profiles to P2P/IM/VoIP protocol users in any type of authenticated environment. To enable the use of agents for identifying users on domain controllers, select the corresponding checkbox. Then click Add to go to the Configuration of agent data screen, where you enter the following information:
• Name
• IP address of the domain controller
• LDAP servers

The IP address of the domain controller may already be among the IP addresses defined on the Definitions: IP addresses screen. If so, click Address settings and select it from the list displayed. Click Save and check that the agent appears correctly in the list in the section Agent for identifying domain users. Then enter the port, the interval at which the agent is polled (in seconds), and the password. Use the Test connection with agents button to check the connection with the configured agents. The Verification of the connection with the agents screen lists the agents configured and the progress of the connection with each of them.

User management
This option lets you create users and groups of users to which a specific security policy can be applied through the configuration of protection profiles. To do this, click the Settings menu in the main console screen and select Domain users > Local groups and users. This opens Definitions: User management.

Users
Follow these steps to add users:
1. In the Users section, click Add.
2. Enter a descriptive name for the user, an email address to help identify the user, and the user name you wish to add.
3. Enter a password and confirm it (optional).
4. If you have already created user groups, they appear in the Group box. You can add the user to groups by ticking the corresponding boxes, which makes users easier to manage.
5. You can also add a comment, if you want.
6. Click Add.

You can modify the data entered or delete a user whenever you want by clicking the corresponding buttons. If you want, you can use the Export option to save this data to a file, which you can import again later.

User groups
Follow these steps to add a user group:
1. In the Panda GateDefender Performa console, click the Definitions > User management menu.
2. In the Groups section, click Add.
3. Specify the name of the user group you wish to add. You can also add a descriptive comment, if you wish.
4. If you have already added users, they appear in the Local users frame. Add them to the group by ticking the corresponding boxes.
5. Click Add.

You can modify the data entered or delete a user group whenever you want by clicking the corresponding buttons. If you want, you can use the Export option to save this data to a file, which you can import again later.

Definitions

Introduction
Panda GateDefender Performa gives easy access to the definition of the elements most relevant to the operation of the appliance. The options are:
• IP addresses: lets you specify IP addresses or ranges of IP addresses to which a specific security policy is applied through the configuration of protection profiles.
• LDAP sources and server management: lets you manage the list of LDAP servers later used to obtain a list of users, and other servers requiring validation.
Next, you can apply the security policy as required to these users through the configuration of protection profiles.
• User management: lets you create and modify users and groups which can be used when configuring the various protections.
• Domain management: lets you create and modify domains and groups of domains which can be used when configuring the various protections.

Managing IP addresses
This option lets you specify the IP addresses to which a specific security policy can be applied through the configuration of protection profiles. To open the IP address management screen, click the Settings menu in the main console window and select Definitions > IP address.

IP addresses
Follow these steps to add IP addresses:
1. In the Addresses section, click Add.
2. Enter a descriptive name and an IP address in the corresponding boxes. If you have already created a group of IP addresses, you can add this address to the group by ticking the box next to it.
3. Click Add.

Groups of IP addresses
Follow these steps to add groups of IP addresses:
1. In the Panda GateDefender Performa console, click the Definitions > IP Addresses menu.
2. In the Groups section, click Add.
3. Specify a name for the group.
4. Add the IP addresses as required. You can add:
   • Previously specified IP addresses.
   • Other previously defined groups.
   • Specific IP addresses and subnets in short CIDR format (xxx.xxx.xxx.xxx/yy), where yy is the number of leading 1 bits of the net mask. For example: 24 = 11111111.11111111.11111111.00000000 = 255.255.255.0.
5. If you wish, add a descriptive comment in the corresponding field.
6. Click Add at the bottom of the page to save the changes.

You can modify or delete IP addresses and groups whenever you want: highlight the address or group in the list and click Modify or Delete.
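The block below is an added example, not Panda's code, of resolving a group of IP addresses of the kind described above: a group may list named addresses, other groups and CIDR entries, so membership tests need the group flattened first, and a group that ends up containing itself must be caught rather than followed forever. The address and group names, and the helper function names, are constructed for the example.

```python
"""Flattening nested IP address groups (named addresses, sub-groups, CIDR
entries) and testing membership. Added illustration, not Panda GateDefender
Performa code; all definitions below are constructed."""
import ipaddress
from typing import Dict, FrozenSet, List

# Definitions > IP addresses: descriptive name -> single address (constructed)
ADDRESSES: Dict[str, str] = {
    "mailgw": "192.168.1.25",
    "fileserver": "192.168.1.40",
}

# Definitions > IP addresses > Groups: name -> members, each an address name,
# another group name, or a subnet in short CIDR format (constructed)
GROUPS: Dict[str, List[str]] = {
    "servers": ["mailgw", "fileserver", "192.168.1.0/28"],
    "branch_offices": ["10.20.0.0/16", "10.30.0.0/16"],
    "all_trusted": ["servers", "branch_offices", "mailgw"],  # mailgw listed twice on purpose
}


def prefix_to_netmask(bits: int) -> str:
    """/24 -> 255.255.255.0: yy in xxx.xxx.xxx.xxx/yy is the count of leading 1 bits."""
    return str(ipaddress.ip_network(f"0.0.0.0/{bits}").netmask)


def resolve_group(name: str, addresses=ADDRESSES, groups=GROUPS,
                  _stack: FrozenSet[str] = frozenset()) -> List[ipaddress.IPv4Network]:
    """Flatten a group into a sorted, de-duplicated list of networks.

    Nested groups are followed recursively; a group that contains itself,
    directly or through another group, raises ValueError instead of looping.
    """
    if name in _stack:
        raise ValueError(f"group {name!r} contains itself")
    if name not in groups:
        raise KeyError(f"unknown group {name!r}")
    nets = set()
    for member in groups[name]:
        if member in groups:
            nets.update(resolve_group(member, addresses, groups, _stack | {name}))
        elif member in addresses:
            nets.add(ipaddress.ip_network(addresses[member]))   # single host -> /32
        else:
            nets.add(ipaddress.ip_network(member))              # CIDR; ValueError if malformed
    return sorted(nets)


def in_group(ip: str, name: str, addresses=ADDRESSES, groups=GROUPS) -> bool:
    """True if ip falls inside any network the group resolves to."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in resolve_group(name, addresses, groups))


if __name__ == "__main__":
    for net in resolve_group("all_trusted"):
        print(net)
    print("10.20.5.6 trusted:", in_group("10.20.5.6", "all_trusted"))
```

Resolving all_trusted yields five networks rather than six because the repeated mailgw entry collapses into one /32; the cycle check matters because a group that references itself through another group would otherwise recurse without end when a profile is evaluated.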
If you want, you can use the Export option to save this data to a file, which you can import again later.

Domain management
This option lets you create domains, groups of domains or subdomains to which a specific security policy can be applied through the configuration of protection profiles. To open this screen, click the Settings menu in the main console screen and select Definitions > Domains.

Domains
Follow these steps to add domains or groups of domains:
1. In the corresponding section (Domains or Groups), click Add.
2. Specify the domain or the group to be added.
   • If it is a domain, mark the box of the domain group you wish to add it to. The domain group must have been added beforehand.
   • If it is a domain group, you can also specify additional domains that belong to the group, separated by commas. For subdomains you can use wildcards.
   In both cases you can add a descriptive text.
3. Click Add.

You can modify the data entered or delete a domain or group whenever you want by clicking the corresponding buttons. If you want, you can use the Export option to save this data to a file, which you can import again later.

Warnings

Introduction
Panda GateDefender Performa keeps you informed about all the incidents detected. To do this, configure the parameters of the warnings to be sent via email, to syslog servers or to SNMP managers whenever an incident is logged, and select the types of events you want to be informed about.
• Events to report settings: lets you select which events are reported via email, Syslog and SNMP, the language in which warnings are received, the events reported to the administrator or to the sender of the message, and the events for which replacement texts are available for deleted attachments.
• Email warnings settings:
Lets you configure parameters related to warnings sent via email: the periodic activity notification and the recipient mail account details.
• Syslog warnings settings. Lets you configure parameters related to warnings sent to a remote syslog server: the name or IP address of the server, the port to which the events will be sent and other options.
• SNMP warnings settings. Lets you configure parameters related to warnings sent to SNMP managers: the general SNMP v1/v2c settings and the communities.
• Customize texts. You can keep the default warning texts or customize them.

Events to report settings

This feature lets you select the events that will be reported via email, SNMP and syslog.

Language

Use the drop-down menu to select the language in which all notifications are sent (the notification to the administrator, the notification to the sender of the message and the replacement text for attached files deleted from messages).

Notification to administrators

This lets you choose the events to report and how each notification is sent (via SMTP, SNMP or syslog):
• SMTP, SNMP, syslog: each event has one checkbox per notification type; selecting a checkbox enables that event for that type of notification. The checkbox of a main group selects or clears all the events in the group. If the group checkbox is selected and you clear the checkbox of one of its events, the group checkbox stays selected until every event in the group has been cleared, at which point it is cleared too. When the page is opened, partially selected groups are expanded to show their content and the group checkbox is shown as selected.
• Event: shows the name of the group or event. If it is a group, the name is preceded by one of two symbols:
1. An expand symbol, shown when the group branch is collapsed.
Click it to expand the rows belonging to the group.
2. A collapse symbol, shown when the group branch is expanded. Click it to collapse the rows belonging to the group.

To find out how to configure the syslog or SNMP notifications, refer to Syslog warnings settings or SNMP warnings settings.

Notification to sender

Panda GateDefender Performa can send an email message to the sender notifying them of the event. As with the administrator notifications, there are events and main groups made up of events:
• SMTP: notifications are sent to the sender's email address. The checkbox of a main group selects or clears all the events in the group. If the group checkbox is selected and you clear the checkbox of one of its events, the group checkbox stays selected until every event in the group has been cleared, at which point it is cleared too. When the page is opened, partially selected groups are expanded to show their content and the group checkbox is shown as selected.
• Event: shows the name of the group or event. If it is a group, the name is preceded by one of two symbols:
1. An expand symbol, shown when the group branch is collapsed. Click it to expand the group.
2. A collapse symbol, shown when the group branch is expanded. Click it to collapse the rows belonging to the group.
Before enabling sender notifications, bear in mind that the sender address of malware and spam is almost always forged, so the notification reaches an uninvolved third party (backscatter) or a non-existent mailbox.

Text to replace deleted files

When Panda GateDefender Performa detects certain types of malware, it deletes the item and replaces it with a text. Panda GateDefender Performa lets you customize the events for which this is done:
• Email, HTTP/FTP: each event has one checkbox per protocol. The checkbox of a main group selects or clears all the events in the group. If the group checkbox is selected and you clear the checkbox of one of its events, the group checkbox stays selected until every event in the group has been cleared.
When the page is opened, partially selected groups are expanded to show their content and the group checkbox is shown as selected. If all the events in a group are cleared, the group checkbox is cleared too.
• Event: shows the name of the group or event. If it is a group, the name is preceded by one of two symbols:
1. An expand symbol, shown when the group branch is collapsed. Click it to expand the group.
2. A collapse symbol, shown when the group branch is expanded. Click it to collapse the rows belonging to the group.

Syslog warnings settings

Syslog lets you export all the errors that occur in the application, as well as information about its status, to a remote server. Network administrators can monitor different devices through the information each one sends via syslog. To access the Warnings: Syslog warnings settings screen, click the Settings menu in the main console window and select Warnings > Syslog warnings.

Panda GateDefender Performa can report its log events to a remote syslog server. To do this:
1. Select the Syslog registry checkbox. If you clear it, Panda GateDefender Performa will not send any message to the remote syslog server.
2. Server: the IP address or name of the syslog server that will receive the notifications.
3. Port to which events will be sent (514 by default). Panda GateDefender Performa sends syslog over UDP.
4. Facility (local0 to local7). Messages are sent to the remote server through one of the eight local facilities. The facility selected here must match the one the remote syslog server filters on; the default is local0.
5. Select the CSV format checkbox to send the warnings in CSV format. Otherwise they are sent as plain text.
6. Click OK to save the current settings.
Syslog over UDP is neither authenticated nor encrypted, and datagrams can be lost silently. Configure the receiver to accept port 514/UDP only from the appliance's IP address, and treat the absence of messages as a condition worth alerting on.
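The receiver side of the syslog settings above, as an added example that is not part of this guide or of the product: it decodes the RFC 3164 priority field to recover the facility and severity, keeps only messages on the agreed facility (local0 by default, facility number 16) and only from the appliance's IP address, since UDP syslog carries no authentication of its own. The sample messages, the appliance address 10.0.0.5 and the message text are constructed for the example; the appliance's real message and CSV layout are not described on this page and are not modelled.

```python
"""Added example (not part of the Panda GateDefender Performa guide or product):
a minimal receiver-side check for syslog messages sent over UDP with a chosen
facility, as the appliance's Syslog warnings settings describe.

RFC 3164 encodes PRI = facility * 8 + severity as "<PRI>" at the start of each
message; local0..local7 are facilities 16..23. Sample messages, the appliance
IP and the message bodies below are constructed for this example.
"""
import socket  # only used by the optional live receiver at the bottom

FACILITIES = {f"local{i}": 16 + i for i in range(8)}
SEVERITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]


def parse_pri(message: str):
    """Return (facility_number, severity_name, body), or None if the PRI header is malformed."""
    if not message.startswith("<"):
        return None
    end = message.find(">")
    if end < 1 or end > 4 or not message[1:end].isdigit():
        return None
    pri = int(message[1:end])
    if pri > 191:  # 23 * 8 + 7 is the largest legal PRI
        return None
    return pri // 8, SEVERITIES[pri % 8], message[end + 1:]


def accept(datagram: bytes, source_ip: str, appliance_ip: str, facility: str = "local0"):
    """Receiver policy: only datagrams from the appliance's IP, on the agreed facility.
    Returns the parsed tuple, or None when the message should be dropped."""
    if source_ip != appliance_ip:
        return None
    parsed = parse_pri(datagram.decode("utf-8", errors="replace"))
    if parsed is None or parsed[0] != FACILITIES[facility]:
        return None
    return parsed


# Constructed sample datagrams with their (hypothetical) source addresses
SAMPLES = [
    (b"<134>Jan  1 00:00:01 gatedefender malware: detection in SMTP", "10.0.0.5"),  # local0.info
    (b"<142>Jan  1 00:00:02 gatedefender content: filtered item", "10.0.0.5"),      # local1.info
    (b"<134>Jan  1 00:00:03 rogue: spoofed event", "10.0.0.99"),                    # wrong source
    (b"garbage without a PRI header", "10.0.0.5"),
]


def run_samples(appliance_ip: str = "10.0.0.5", facility: str = "local0"):
    """Which of the constructed samples the policy would keep."""
    return [accept(d, ip, appliance_ip, facility) is not None for d, ip in SAMPLES]


def serve(bind: str = "0.0.0.0", port: int = 514, appliance_ip: str = "10.0.0.5", facility: str = "local0"):
    """Optional live receiver; port 514 needs privileges, so pick a higher port for testing."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.bind((bind, port))
        while True:
            data, (ip, _) = s.recvfrom(65535)
            result = accept(data, ip, appliance_ip, facility)
            if result:
                print(f"{facility}.{result[1]} from {ip}: {result[2]}")


if __name__ == "__main__":
    print(run_samples())  # [True, False, False, False]
```

Only the first sample passes: the second arrives on local1, the third comes from an address that is not the appliance, and the fourth has no PRI header at all. Whatever syslog daemon you use in production, the same two conditions (source address and facility) are the ones to encode in its input rules.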
SNMP warnings settings

Panda GateDefender Performa lets you manage warnings through an SNMP manager. If you use this type of tool on your network, you can query the appliance for the warnings it has generated, or receive them directly in the SNMP manager as traps. To access the Warnings: SNMP warnings settings screen, click the Settings menu in the main console window and select Warnings > SNMP warnings.

Follow these steps to enable and configure SNMP warnings:
1. Select the SNMP agent checkbox.
2. Complete the Description, Location and Contact fields. These are informational only and do not affect the settings.
3. Click Add. You will see the Warnings: SNMP community screen.
4. In the Name field, enter the name of the SNMP community to use. This must be a single word (alphanumeric characters) that matches the one configured in the SNMP manager; otherwise communication between the appliance and the SNMP manager cannot be established.
5. Specify the IP address of the SNMP manager. If you use several managers, enter their IP addresses separated by commas.
6. To allow queries about the warnings, configure the ports on which the appliance will accept them. In the Query section, select the checkboxes of the two available protocols (v1 and v2c) and enter the appropriate ports. These ports remain open on the appliance to receive queries from the SNMP manager.
7. For the appliance to send warnings to the SNMP manager (traps), indicate the SNMP manager ports to which the traps must be sent. These ports must be open on the SNMP manager for the warnings to be delivered.
SNMP v1 and v2c carry the community name in cleartext in every datagram, and the community name plus the manager IP list are the only access control. Do not use "public" or "private", enable only the protocol version your manager actually needs, and keep the manager IP list to the hosts that really poll the appliance.

Email warnings

Email warnings settings

Allows you to configure preferences and the details of the destination email account.
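The two checks the SNMP warnings settings section above relies on, as an added example not taken from this guide or from the product: a minimal BER encoder for SNMP v1/v2c messages, a header parser, and the appliance-side acceptance rule (the community name matches and the source IP is in the configured manager list). It also builds a v2c trap and shows that the community name is readable in the datagram, which is why the note above treats it as a shared secret. The community name gd-monitor, the manager addresses and the enterprise trap OID 1.3.6.1.4.1.99999.1 are sample values, not the appliance's.

```python
"""Added example, not code from the Panda GateDefender Performa guide or product:
encode minimal SNMP v1/v2c datagrams (BER) and apply the two checks the page
describes for SNMP queries: a matching community name and a source address in
the configured manager list. The community travels in cleartext in every
datagram, so these two checks are the whole of v1/v2c access control.
All OIDs, addresses and community names below are sample values."""


def ber_len(n: int) -> bytes:
    """BER length octets, short form below 128 and long form above."""
    if n < 0x80:
        return bytes([n])
    b = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(b)]) + b


def tlv(tag: int, payload: bytes) -> bytes:
    return bytes([tag]) + ber_len(len(payload)) + payload


def ber_uint(v: int, tag: int = 0x02) -> bytes:
    """Non-negative INTEGER (0x02) or TimeTicks (0x43) with a minimal two's-complement length."""
    return tlv(tag, v.to_bytes((v.bit_length() + 8) // 8, "big"))


def ber_oid(dotted: str) -> bytes:
    """OBJECT IDENTIFIER: first two arcs packed, the rest base-128 with continuation bits."""
    arcs = [int(a) for a in dotted.split(".")]
    out = [40 * arcs[0] + arcs[1]]
    for a in arcs[2:]:
        chunk = [a & 0x7F]
        a >>= 7
        while a:
            chunk.append(0x80 | (a & 0x7F))
            a >>= 7
        out.extend(reversed(chunk))
    return tlv(0x06, bytes(out))


GET_REQUEST, V2_TRAP = 0xA0, 0xA7  # context-specific, constructed PDU tags


def build_message(community: str, pdu_tag: int, varbinds, request_id: int = 1, version: int = 1) -> bytes:
    """version 0 = SNMPv1, 1 = SNMPv2c. varbinds is a list of (dotted OID, encoded value)."""
    vb = b"".join(tlv(0x30, ber_oid(oid) + value) for oid, value in varbinds)
    pdu = tlv(pdu_tag, ber_uint(request_id) + ber_uint(0) + ber_uint(0) + tlv(0x30, vb))
    return tlv(0x30, ber_uint(version) + tlv(0x04, community.encode()) + pdu)


def read_tlv(buf: bytes, pos: int):
    """Return (tag, value, next_pos) for the TLV starting at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length


def parse_header(datagram: bytes):
    """Return (version, community, pdu_tag); the PDU body itself is not decoded."""
    tag, body, _ = read_tlv(datagram, 0)
    if tag != 0x30:
        raise ValueError("not an SNMP message")
    tag, ver, pos = read_tlv(body, 0)
    tag2, community, pos = read_tlv(body, pos)
    if tag != 0x02 or tag2 != 0x04:
        raise ValueError("bad SNMP header")
    pdu_tag, _, _ = read_tlv(body, pos)
    return int.from_bytes(ver, "big"), community.decode("ascii", "replace"), pdu_tag


def appliance_accepts_query(datagram: bytes, source_ip: str, community: str, manager_ips) -> bool:
    """The appliance-side rule from the page: right community AND a listed manager IP."""
    try:
        version, got_community, pdu_tag = parse_header(datagram)
    except (ValueError, IndexError):
        return False
    return (version in (0, 1) and pdu_tag == GET_REQUEST
            and got_community == community and source_ip in manager_ips)


# Constructed sample exchange: a manager polls sysDescr.0, and the appliance later
# emits a v2c trap carrying sysUpTime.0 and snmpTrapOID.0 (sample enterprise OID).
MANAGERS = {"10.0.0.10", "10.0.0.11"}
COMMUNITY = "gd-monitor"
NULL = tlv(0x05, b"")
QUERY = build_message(COMMUNITY, GET_REQUEST, [("1.3.6.1.2.1.1.1.0", NULL)])
TRAP = build_message(COMMUNITY, V2_TRAP, [
    ("1.3.6.1.2.1.1.3.0", ber_uint(12345, 0x43)),
    ("1.3.6.1.6.3.1.1.4.1.0", ber_oid("1.3.6.1.4.1.99999.1")),
], request_id=7)


def demo() -> dict:
    return {
        "good_manager": appliance_accepts_query(QUERY, "10.0.0.10", COMMUNITY, MANAGERS),
        "unlisted_ip": appliance_accepts_query(QUERY, "10.0.0.99", COMMUNITY, MANAGERS),
        "wrong_community": appliance_accepts_query(
            build_message("public", GET_REQUEST, [("1.3.6.1.2.1.1.1.0", NULL)]),
            "10.0.0.10", COMMUNITY, MANAGERS),
        "trap_is_not_a_query": appliance_accepts_query(TRAP, "10.0.0.10", COMMUNITY, MANAGERS),
        "community_visible_in_trap": COMMUNITY.encode() in TRAP,
    }


if __name__ == "__main__":
    print(demo())
```

The last entry of the demo is the practical point: anyone who can capture the trap or the query on the wire reads the community name directly, and from then on only the manager IP list stands between them and the appliance's SNMP agent.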
• Recipient mail account details. Allows you to configure the address or addresses at which the notification summary will be received.
• Periodic activity notification settings. Allows you to customize the intervals at which the warning will be sent and the mail server to use.

Recipient mail account details

Enter the details of the email account that warnings must be sent to:
• Email address(es). Enter the email address of the person the message must be sent to. If the warning must be sent to more than one recipient, enter the addresses separated by commas.
• SMTP server that Panda GateDefender Performa must use to send warnings.
• Port through which communication must be established.
• Requires authentication: if the SMTP server requires authentication, enable the Requires authentication checkbox and enter a user name and password valid for that mail server.
• Use the following sender: the email address that will appear as the sender of the message.

Periodic activity notification

The periodic activity notification is a summary of the scans, detections and system activity for the different types of protection. Each message includes all the detections since the last periodic activity notification was sent. For information on how to configure the notifications, see Periodic activity notification settings. The subject of the periodic activity notification is: Periodic activity notification. The message body is divided into three parts: header, security protection and system activity.

Header

The header of the warning summary message has the following format:
Panda GateDefender Performa
Start: <Start date> End date: <End date>
Panda GateDefender Performa identification
System version
Name: <name>
IP address: <IP address>
Security protection

It shows the following fields:
Anti-malware protection: files scanned, detections in mail and news, detections in HTTP and FTP, evolution graph.
Content Filter protection: items scanned, filtering in mail and news, detections in HTTP and FTP, evolution graph.
Anti-spam protection: files scanned, spam messages, evolution graph.
Web filtering: pages scanned, restricted pages, evolution graph.
IM/P2P/VoIP filter: restricted P2P protocols, restricted IM protocols, evolution graph.
Each protection includes a View details link. Click it to access the details screen, with more detailed information. If a protection is not enabled or does not have a license, its content is displayed in gray to indicate that it is not available.

System activity

It shows the following fields:
o System: active connections, connections established, failed connections, evolution graph.
o Network cards (NIC1 and NIC2): inbound traffic, outbound traffic, evolution graph.

Periodic activity notification settings

The Periodic activity notification settings option lets you customize the notification summary interval. For more information about the content of the periodic activity notification, see Periodic activity notification.

Notification summary interval

Panda GateDefender Performa lets you configure how often the notification summary is sent. The frequency can be daily, weekly or monthly.
1. Select Send periodic notification summary to configure the frequency.
2. Select the frequency (daily, weekly or monthly) with which you want to receive the notification summary.
• Daily: sent at 00:00 h each day.
• Weekly: sent at 00:00 h every Monday.
• Monthly: sent at 00:00 h on the first day of the month.
3. Select the format of the numeric values in the warnings from the drop-down menu.
The options available are Percentage and Absolute.

Customizing the texts/pages

Customizing the texts

Panda GateDefender Performa lets you customize the warnings and substitute texts for the following events:
• Detection of malware.
• Detection of a potentially dangerous file.
• Items filtered by the Content Filter protection.
• Item deleted because it could not be scanned.
To customize the texts, click the Settings menu in the main console window and select Customization > Texts for substitute pages and warnings. For each of the events above, you can edit the following texts:
• Sender: lets you customize the message sent to the sender of the infected email message. This field cannot be edited for events related to files downloaded from the Internet (HTTP) or transferred through FTP. When you click this link you will see the Customize warning to the sender screen, where you can define the text of the warning.
• Substitute text: when Panda GateDefender Performa detects malicious code, it deletes it and replaces it with a text. Click this option to edit the text inserted in the email message, web page or file transferred through FTP. When you click this link you will see the Customize replacement text screen, where you can enter the text that replaces the infected item.
• Administrator: lets you customize the message sent to the administrator. When you click this link you will see the Customize warning to the administrator screen, where you can enter the text to be sent to the administrator.

Customization of the substitute HTTP/S page

Panda GateDefender Performa lets you customize the HTTP/S substitute page, that is, the page displayed when the anti-malware, Content Filter or Web filter protection blocks suspicious content. You can choose between several templates, add the logo you want and customize the text.
Click Settings in the main console window and select Customization > Substitute page for HTTP/S.

Customizing the substitute page
1. Select the template you want from those offered by Panda GateDefender Performa.
2. Logo. Use the Import button to select the logo you want to use. If you use the Default image button, the page displays the Panda Security logo. Logo parameters: jpg or png format; maximum size 250 x 100 pixels.
3. Descriptive text. Enter the text you want in the dialog box. You can use plain text and HTML code. To see an example of the substitute page with a sample descriptive text, use the Substitute page preview link.
4. User profile information. Enable the checkbox if you want the page to display the protection profile that was applied when the suspicious content was blocked.
Click Save.
Since the descriptive text is rendered as HTML in the browser of every user who reaches the block page, keep it free of scripts and of resources loaded from external sites.

Quarantine

Introduction to quarantine

Panda GateDefender Performa has three quarantine areas:
• Malware quarantine: isolates suspicious files and malware that cannot be disinfected at the time of detection. Panda GateDefender Performa tries to disinfect these files after each update (if so indicated in the settings), although you can also do this at any other time with the Analyse quarantine button. You can also send these files to Panda Security's laboratory to be analysed by its experts.
• Content Filter quarantine: the place where all filtered items are sent (as long as this is indicated in the settings). It is advisable to review it periodically to decide on the best way of dealing with the items stored there. You can restore them, send them to another location, delete them, etc.
• Spam quarantine: contains email messages that have been classified as, or are suspected to be, spam. It is advisable to review the spam quarantine from time to time to take decisions about these messages. You can restore them, redirect them to another location, delete them, etc.
You can also add the domains of the senders you choose to the blacklist and white list of the anti-spam module.

Malware quarantine

As long as it has been indicated in the anti-malware settings, Panda GateDefender Performa moves all suspicious files and threats that cannot be disinfected at a given moment to quarantine. Once stored, you can take a series of actions on the items. Follow these steps to access malware quarantine:
1. Click the Quarantine menu in the main Console screen.
2. Select Malware quarantine.

Information about items in quarantine

Panda GateDefender Performa displays a table of items in quarantine with the following columns:
• Entry date: when the item was first included in quarantine.
• Last entry: when the item was last included in quarantine.
• Item: the name of the threat.
• Instances: the number of times the threat has been detected. Click the number to open the item details (detected once) or the instance details (detected more than once).
• Reason: why the file was included in quarantine, for example because the file is suspicious or cannot be disinfected.
• If the item has been sent for analysis, this is indicated in the corresponding column along with the date it was sent.
Click the heading of each column to sort the list by that column.

For more detailed information, click the + symbol to the left of each item. You can see the name and location of the detected file, the source and destination IP addresses, etc.

Instance details

Malware quarantine shows the number of times each threat has been detected. For more information about an item, select it and click the number in its Instances column. A screen appears with information about each detection:
• The date it was sent to quarantine.
• The item included in quarantine.
• The reason it was included in quarantine.
• The source (protocol) in which it was detected.

Exclusions, filter and options
• Exclusions: shows the files that have been excluded from quarantine. For more information, see the Items excluded from quarantine section.
• Filter: with the quarantine filter you can specify which information is displayed in the list (entry date, subject, source or target IP address, etc.). For more information, see the Malware quarantine filter section.
• Options: lets you adjust the quarantine size using various settings. It also lets you set the number of lines in the list, the behaviour towards restored messages, the sending of suspicious files for analysis, etc. For more information, see the Malware quarantine settings section.

Other options
• If an item arrived via SMTP, you can return it to its original location. To do this, select the item and click Restore.
• If items arrived via SMTP, you can resend them to an email address with the Redirect button. This lets you review the content of the messages.
• You can also delete the items you wish by clicking the corresponding button.

Possible actions in malware quarantine

You can take the following actions on items in quarantine:
• Download file: downloads a file, as long as it was detected in the HTTP or FTP protocols.
• Scan quarantine: only active if automatic disinfection of quarantine is disabled. In that case you can scan all the items in quarantine with the latest available virus signature file by clicking this button.
• Send suspicious files: sends suspicious files to be analysed by Panda Security's experts. Any selected item that exceeds the maximum permitted size is not sent.
• Exclude: improves quarantine management by keeping already recognised malware, for example, out of quarantine.
For more information, see the Items excluded from quarantine section.
• Delete: removes the selected items from the list. A pop-up window asks for confirmation.
• Empty quarantine: deletes all items without having to select them first.
Restore, Redirect and Download file hand a live copy of the quarantined content to a mailbox or workstation, so use them only towards an isolated analysis host or a recipient who is expecting the item.

Malware quarantine settings

Malware quarantine settings let you:
• Adjust its size.
• Enable the sending of suspicious files for analysis by Panda Security's experts.
• Specify the number of lines to display in the list.
• Activate automatic analysis of items after each update.
• Specify the quarantine's behaviour when items are restored to their original location.
Follow these steps to go to the malware quarantine settings:
1. Click Quarantine in the console and then select Malware quarantine.
2. Click Settings in the quarantine window.
The settings options in more detail:

Size and time in quarantine

You can specify how quarantine behaves when its maximum capacity is exceeded. There are two options:
1. Delete the oldest items: the oldest items are deleted to free up space and allow more recent items to be stored.
2. Reject new items: once the maximum size is reached, no more files are included in quarantine.
Note the trade-off: with Delete the oldest items, a flood of new detections pushes older, still unreviewed samples out of quarantine; with Reject new items, the evidence already stored is kept but new samples are lost until space is freed. Either way, review quarantine often enough that it does not fill up.
You can also set the maximum size of the files to be sent to quarantine, so that excessively large files that could saturate quarantine are not stored. This maximum cannot exceed 100 MB. If a message is received with an attached file that cannot be quarantined because it exceeds the maximum size setting, you can specify a warning message for that case.

Sending items for analysis

You can set quarantine to automatically send files suspected of being infected, or that cannot be disinfected, to the laboratory, as long as they are smaller than 10 MB.
General preferences

This section lets you:
• Limit the amount of information shown on each quarantine page. To do this, enable the Lines to display on each page box and indicate the number of lines.
• Activate automatic analysis of quarantine after each update.
• Indicate whether a copy of items restored to their original location should be kept in quarantine. If you wish, you can add a text to the subject of restored messages.
Once you have set the configuration you want, click Save.

Items excluded from quarantine

Quarantine exclusions let you manage quarantine better, for example by avoiding storing already recognised malware there. To withdraw malware from quarantine, select the checkboxes of the items you want and click the Exclude button. You can see the items withdrawn from quarantine by clicking the Exclusions link. If you want an excluded item to return to quarantine if it is detected again in the future, click Consider dangerous.

Content Filter quarantine

As long as it has been indicated in the Content Filter settings, Panda GateDefender Performa moves the items filtered by the Content Filter protection to quarantine. Once stored, you can take a series of actions on the items. Follow these steps to access Content Filter quarantine:
1. Click the Quarantine menu in the main Console screen.
2. Select Content Filter quarantine.
The window displayed shows a list of the items isolated in the Content Filter quarantine.

Information about items in quarantine

Panda GateDefender Performa displays a table of items in quarantine. The information is separated into the following columns:
- Date: when the item was included in quarantine.
- Item: the file name or the email subject.
- Reason: a short text indicating why it was included in quarantine (for example, because it is a suspicious compressed file).
- Source: the protocol in which the item was detected: HTTP / FTP / SMTP / POP3 / IMAP4 / NNTP.
Click the heading of each column to sort the list by that column. Click the + symbol to the left of an item to obtain detailed information about it.

Filter and options

You can configure the list using the following options:
• Filter: lets you specify the information shown in the list, using various parameters (entry date, subject, source or target IP address, etc.). For more information, see the Content Filter quarantine filter section.
• Options: lets you adjust the quarantine size using various settings. You can also set the number of lines in the list and the behaviour towards restored messages. For more information, see the Content Filter quarantine settings section.

Possible actions in Content Filter quarantine

You can take the following actions on items in quarantine:
• Download file: if the file arrived via HTTP or FTP, you can use this button to download it.
• Restore: returns the selected items to their original location. This option is available if the items arrived via SMTP.
• Redirect: sends the selected items to the email address indicated. For more information, see the Resend address section.
• Delete: deletes the selected items from the list. A pop-up window asks for confirmation.
• Clear quarantine: deletes all items without having to select them first.

Content Filter quarantine settings

Content Filter quarantine settings let you:
• Adjust the size of the quarantine.
• Specify the number of lines to display in the list.
• Specify how quarantine operates when items are restored.
Follow these steps to go to Content Filter quarantine settings:
1. Click Quarantine in the Panda GateDefender Performa console and then select Content Filter quarantine.
2. Click Settings in the quarantine window.
The settings options in more detail:

Size and time in quarantine

You can specify how quarantine behaves when its maximum capacity is exceeded. There are two options:
• Delete the oldest items: the oldest items are deleted to free up space and allow more recent items to be stored.
• Reject new items: once the maximum size is reached, no more items are included in quarantine.
You can also set the maximum size of an item to be sent to quarantine, so that excessively large items that could saturate quarantine are not stored. This maximum cannot exceed 20 MB. If you want, you can indicate an email address to which messages that exceed this size are redirected. Finally, you can indicate the maximum number of days that items remain in quarantine. Once this period is reached, the items are deleted.

General preferences

This section lets you:
• Limit the amount of information shown on each quarantine page. To do this, enable the Lines to display on each page box and indicate the number of lines.
• Indicate whether a copy of items restored to their original location should be kept in quarantine. If you want, you can add a text to the subject of restored messages.
Once you have set the configuration you want, click Save.

Spam quarantine

As long as it has been indicated in the anti-spam protection settings, Panda GateDefender Performa moves all email messages classified as spam, or suspected of being spam, to quarantine. Once stored, you can take a series of actions on the quarantined messages.
Follow these steps to access spam quarantine:
1. Click the Quarantine menu in the main Console screen.
2. Select Spam quarantine.
The window displayed shows a list of the items isolated in spam quarantine.

Information about items in quarantine

Panda GateDefender Performa displays a table of items in quarantine with the following columns:
• Date: when the item was included in quarantine.
• Sender: the sender of the email message.
• Recipient: the recipient of the message.
• Reason: why the message was included in quarantine. This tells you whether the message was classified as spam or as probable spam.
• Subject: the subject of the message.
• Source: the protocol in which the unwanted message was detected: SMTP / POP3 / IMAP4.

Item details

The detailed view of an item shows:
• Quarantine name: the name under which the item appears in quarantine (it can be the message subject, etc.).
• Original name: the name of the original file.
• Reason: why the item was included in quarantine, for example because disinfection was not possible or because it is possible spam.
• Probability of spam: for an unwanted mail message, the percentage probability of it being spam.
• Spam engine: the version of the anti-spam engine used.
• Status: the status of the item, for example whether it has been sent to quarantine or is possible spam.
• Date: when the item was sent to quarantine.
• If the item has been sent for analysis, the date it was sent. Otherwise, its current status, for example pending sending or not possible to send.
• Source: the protocol in which the item was detected.
• Source IP: the IP address from which the item was sent.
• Target IP: the IP address to which the item was being sent.
In the case of an email, you can see the subject, sender and recipients of the message, as well as a link to download the message. Click the heading of each column to sort the list by that column.

Filter and options

You can configure the list using the following options:
• Filter: lets you specify the information shown in the list, using a range of parameters. For example, you can show only items that were included in quarantine between two dates, or messages with a certain subject, sender or recipient. For more information, see the Spam quarantine filter section.
• Options: lets you adjust the quarantine size using various settings. It also lets you set the number of lines per page in the list and what to do with restored messages. For more information, see the Spam quarantine settings section.

Possible actions in spam quarantine

You can perform the following actions from spam quarantine:
• Add domain to:
o Blacklist: adds the domains of the selected messages to the spam blacklist. Other messages coming from these domains will always be treated as spam.
o White list: adds the domains of the selected messages to the spam white list. Messages coming from these domains will not be analysed for spam.
Bear in mind that the sender domain is taken from the message and can be forged, so white-listing a domain also exempts any spam or phishing that merely claims to come from it; white-list sparingly and review the list periodically.
• Restore: returns the selected messages to their original location, as long as they arrived via SMTP.
• Redirect: redirects the selected messages to a specific email address. For more information, see the Resend address section.
• Delete: deletes the selected messages from the list.
• Empty quarantine: deletes all items without having to select them first.
Spam quarantine settings

The spam quarantine settings let you, among other things:
• Adjust the size of the quarantine.
• Limit the number of lines to display per page.
• Specify its behaviour when messages are restored to their original location.
Follow these steps to go to spam quarantine settings:
1. Click Quarantine in the Panda GateDefender Performa console and then select Spam quarantine.
2. Click Settings in the quarantine window.
The settings options in more detail:

Size and time in quarantine

You can specify how quarantine behaves when its maximum capacity is exceeded. There are two options:
• Delete the oldest items: the oldest items are deleted to free up space and allow more recent items to be stored.
• Reject new items: once the maximum size is reached, no more messages are included in quarantine.
You can also set the maximum size of a message to be sent to quarantine, so that excessively large messages that could saturate quarantine are not stored. This maximum cannot exceed 20 MB. If you want, you can indicate an email address to which messages that exceed this size are redirected. Finally, you can indicate the maximum number of days that messages remain in quarantine. Once this period is reached, the messages are deleted.

General preferences

This section lets you:
• Limit the amount of information shown on each quarantine page. To do this, enable the Lines to display on each page box and indicate the number of lines.
• Indicate whether a copy of messages restored to their original location should be kept in quarantine. If you want, you can add a text to the subject of restored messages.
Once you have set the configuration you want, click Save.
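The storage rules shared by the Malware, Content Filter and Spam quarantine settings above (overflow policy, maximum item size, retention period and the keep-a-copy-on-restore preference), as an added example not taken from this guide or from the product. Capacities, item sizes and dates are sample values in arbitrary units, and the appliance's real storage is not modelled. The demo also shows why Delete the oldest items lets a burst of new entries evict older, still unreviewed samples, while Reject new items keeps them at the cost of dropping new ones.

```python
"""Added example, not code from the Panda GateDefender Performa guide or product:
a model of the quarantine storage rules that the Malware, Content Filter and
Spam quarantine settings screens describe. Capacities, sizes and dates are
sample values; nothing here touches the appliance's actual storage."""
from collections import OrderedDict
from datetime import datetime, timedelta

DELETE_OLDEST, REJECT_NEW = "delete_oldest", "reject_new"


class Quarantine:
    def __init__(self, capacity, max_item_size, on_full=DELETE_OLDEST,
                 max_days=None, keep_copy_on_restore=False, restored_subject_tag=""):
        self.capacity, self.max_item_size, self.on_full = capacity, max_item_size, on_full
        self.max_days, self.keep_copy_on_restore = max_days, keep_copy_on_restore
        self.restored_subject_tag = restored_subject_tag
        self.items = OrderedDict()            # name -> (size, entry_time), oldest first
        self.oversized, self.rejected = [], []  # what would be redirected / warned about

    def used(self):
        return sum(size for size, _ in self.items.values())

    def add(self, name, size, now):
        """Apply the maximum-item-size check first, then the overflow policy."""
        if size > self.max_item_size:
            self.oversized.append(name)   # the page: redirect or warn instead of storing
            return False
        while self.used() + size > self.capacity:
            if self.on_full == REJECT_NEW or not self.items:
                self.rejected.append(name)
                return False
            self.items.popitem(last=False)  # Delete the oldest items
        self.items[name] = (size, now)
        return True

    def purge_expired(self, now):
        """Delete items older than max_days; a no-op when no retention period is set."""
        if self.max_days is None:
            return []
        cutoff = now - timedelta(days=self.max_days)
        expired = [n for n, (_, t) in self.items.items() if t < cutoff]
        for n in expired:
            del self.items[n]
        return expired

    def restore(self, name, subject):
        """Return the item to its original location; optionally keep a copy and tag the subject."""
        if name not in self.items:
            return None
        if not self.keep_copy_on_restore:
            del self.items[name]
        return f"{self.restored_subject_tag}{subject}" if self.restored_subject_tag else subject


def demo():
    """Constructed scenario: five arrivals, one oversized, then a purge, a restore and a strict quarantine."""
    t0, day = datetime(2010, 1, 1), timedelta(days=1)
    q = Quarantine(capacity=100, max_item_size=40, on_full=DELETE_OLDEST, max_days=7,
                   keep_copy_on_restore=True, restored_subject_tag="[restored] ")
    for name, size, when in [("a", 30, t0), ("b", 30, t0 + day), ("c", 30, t0 + 2 * day),
                             ("huge", 50, t0 + 3 * day), ("d", 30, t0 + 3 * day)]:
        q.add(name, size, when)
    after_eviction = list(q.items)              # "a" was the oldest, so it went first
    expired = q.purge_expired(t0 + 10 * day)    # cutoff is day 3: b and c go, d stays
    subject = q.restore("d", "Quarterly report")
    strict = Quarantine(capacity=60, max_item_size=40, on_full=REJECT_NEW)
    for name, size in [("x", 30), ("y", 30), ("z", 10)]:
        strict.add(name, size, t0)
    return {"oversized": q.oversized, "after_eviction": after_eviction, "expired": expired,
            "restored_subject": subject, "kept_copy": list(q.items),
            "reject_new_rejected": strict.rejected, "reject_new_items": list(strict.items)}


if __name__ == "__main__":
    print(demo())
```

Run the demo and compare the two quarantines: the first silently lost sample "a" when "d" arrived, which is exactly the window an attacker gets by flooding the gateway with detectable junk, while the strict one kept "x" and "y" and turned "z" away.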
Quarantine filters

Introduction

Over time, the quarantine may come to show too much information, making it complicated to manage. To make this task easier, Panda GateDefender Performa includes a filter with which you can specify exactly what information you want to see.

To enable a filter

You can apply a filter to the information shown by quarantine by following these steps:

1. Select the Quarantine option from the menu on the left of the Web administration console.
2. Click on the quarantine for which you want to filter information (malware quarantine, Content Filter quarantine or spam quarantine).
3. Click on the Filter link. Another window appears with the filtering options. For example, you can indicate that you only want items shown that were included in quarantine between certain dates, messages from a certain sender, etc.
4. Once you have indicated the options you want, click on Apply filter.
5. Click OK for quarantine to start showing the information you have just specified.

To disable a filter

1. Select the Quarantine option from the menu on the left of the Web administration console.
2. Click on the quarantine for which you want to filter information (malware quarantine, spam quarantine or Content Filter quarantine).
3. In the new window, click on the Filter link. Another window appears with the filtering options.
4. Click Disable filter.
5. Click OK for quarantine to start applying the new filtering settings.

Filtering settings

The filtering options are different for each type of quarantine. To obtain more information on the available filtering options for each type of quarantine, refer to the following sections:

• Malware quarantine filtering
• Content Filter quarantine filtering
• Spam quarantine filtering

Malware quarantine filtering

Panda GateDefender Performa permits filtering of the malware quarantine so that it only shows events that meet the characteristics you specify.
For example, you can indicate that you only want items shown that were included in quarantine between certain dates, messages with a certain subject, sender or recipient, etc.

You can perform filtering by one of the data items available or by a combination of a number of them. Once you have configured the filter, click on Apply filter and then on OK.

Content Filter quarantine filtering

Panda GateDefender Performa permits filtering of the Content Filter quarantine so that it only shows events that meet the characteristics you specify. For example, you can indicate that you only want items shown that were included in quarantine between certain dates, messages with a certain subject, sender or recipient, etc.

You can perform filtering by one of the data items available or by a combination of a number of them. Once you have configured the filter as you wish, click on Apply filter and then on OK.

Spam quarantine filtering

Panda GateDefender Performa permits filtering of the spam quarantine so that it only shows events that meet the characteristics you specify. For example, you can indicate that you only want items shown that were included in quarantine between certain dates, messages with a certain subject, sender or recipient, etc.

You can also filter information on the basis of the percentage probability of spam in the messages in quarantine. You can indicate the desired percentage interval in the fields provided for this purpose.

You can perform filtering by one of the data items available or by a combination of a number of them. Once you have configured the filter as you wish, click on Apply filter and then on OK.

Reports

Introduction

Panda GateDefender Performa generates a series of reports that contain the events related to the scans and the activity of the appliance.
These are:

Protection reports:
• HTTP/HTTPS/FTP
• Mail/News
• IM/P2P/VoIP filter

Security reports:
• Report on access restricted by the explicit proxy
• Report on invalid SSL certificates

System report:
• System events report

To view a report at any time, click the Reports menu and select the report.

As a general rule, these reports contain different options and can be exported to a text file. You can also use filters to select the information displayed:

• Access to the report settings options
• Filtering the information logged in the reports

To remove the content of the reports, use the Clear report button.

If you want to arrange the data in the columns, click on the column header. The columns that can be rearranged have an arrow icon to the left of the column name.

Configuring and filtering reports

Report settings

The reports generated by Panda GateDefender Performa include a large amount of significant information. However, you can filter the information that appears in the reports.

1. Click the Reports menu in the main Console screen.
2. Select the report you want to consult.
3. In the following window, click Options.

The options you can configure in the report are:

• Continue generating this report: If you don't want Panda GateDefender Performa to generate the report, unselect the corresponding checkbox.
• Automatically delete events after XX days: Specify the period for which events should remain in the reports (90 days by default). Panda GateDefender Performa will automatically delete events after this period.

Exporting the reports

You can save the information displayed in the report to a text file. To do this, click on the Export: csv link. The content of the report will be exported in .csv format.

Filtering information in the reports

The information displayed in the report can be filtered.
This means that Panda GateDefender Performa allows you to configure the report to display only certain types of events, to display the incidents by protocol, IP address, etc.

Enabling the report filter

1. Click the Reports menu and select the type of report you want to filter.
2. In the new window, select the corresponding option from the Filter period drop-down menu.
3. Set the filter you want. Use the Filtering conditions menu. Use the Add condition button to add conditions, and click Filter. When adding conditions, you can use wildcard characters to refine the search ("*", "?", etc.).

Filtering conditions according to the type of report

[Table: filtering conditions available for the Protection report, Security report and System report]

If you want to save the filter, use the Save button and enter the name of the filter in the textbox in Filters stored. Then click Enter.

To remove the data from the latest filter, click Clean. In addition to clearing the filter, a report will be generated without filters, corresponding to the filter period All.

Stored filters

Once certain filters have been stored, or you are using certain parameters to filter (even though they have not been stored), Panda GateDefender Performa lets you take the following actions:

Delete the stored filter: Once a filter has been stored, you can delete it by clicking the 'x' to the right of the name of the filter.

Run the stored filter: If you want to run a stored filter, just click on its name in Filters stored.

Set a filter as default: If you want to set one of the stored filters as default, i.e. you want a filter to be applied by default when a report is opened, just click on the "Preset" link, which appears to the right of the filter name when you pass the mouse pointer over it.

Bookmark a filter: Another useful feature in Panda GateDefender Performa is the option to bookmark a filter. To do this you must first have run a stored filter.
This gives you quick access to the filter once it is stored. If the filter is deleted, however, when you try to access it via the bookmark you will open the reports without applying the filter (or with the default filter if one has been set).

Considerations for the filters

User and email address: users must be defined in LDAP or Kerberos.

Additional features in the report views

• When viewing the reports you can, if you want, display just the information that interests you. For example, if in the protection report you only want to see the mail and news report, just click in the title area of each report table.
• To access the details of each report, just move the mouse pointer over it to see all the information available for each event.
• To highlight the type of protection that has generated the event, the rows are shaded according to type (e.g. green - anti-malware, blue - Content Filter, red - anti-spam, brown - Web filter).
• Above each table there are checkboxes for each of the protection types; by selecting/clearing these boxes you can display the information for the protection you want. All are selected by default. To highlight the lack of licenses for any type of protection, the corresponding checkbox will be grayed out.
• Use the drop-down menu to select the number of results to display per page, and the Back / Next arrows to move from page to page.
• The columns can be resized and reordered.
• You can select the columns you want to view, through a list of all the columns available with checkboxes.
• The information in the reports is not refreshed automatically. Users can refresh all the tables by pressing F5 or clicking the Refresh button.
• The most recent status of the items viewed will always be saved: tables hidden or visible, number of items displayed, protection displayed and columns displayed. For convenience, these temporary settings are stored as cookies. This means different users can save their own preferences.
Protection reports

Introduction

The protection reports offer data on malware and spam, the Content Filter events, and access to Web pages and P2P, VoIP and IM protocols.

The reports include settings options and can also be exported to .csv format. Also, if you place the cursor on a selected item, you will get specific information about the event in question.

If you want, you can filter the information in the report. You can do this with a simple and easy-to-use filter tool.

The protection reports are structured into four areas: the filtering tool and another three, corresponding to HTTP/HTTPS/FTP, Mail/News and IM/P2P/VoIP protocol filtering.

Protection report

This report offers data on malware and spam, the Content Filter events, and access to Web pages and P2P, VoIP and IM protocols.

Viewing the malware detected

The information displayed in the report is structured into three areas:

• HTTP/HTTPS/FTP
• Mail/News
• IM/P2P/VoIP filter

HTTP/HTTPS/FTP

Use the boxes to select the protection data you want displayed in the report. The report then displays the data organized into columns. You can select the columns to be displayed in the report, using the drop-down menu.

• Detection source: When malware has been detected in HTTP or FTP, the report specifies whether it was uploaded or downloaded.

Mail/News

Use the boxes to select the protection data you want displayed in the report. If you select Highlight outbound mail, the lines marked as SMTP Out will be highlighted in bold. The report then displays the data organized into columns. You can select the columns to be displayed in the report, using the Columns drop-down menu.

• Protocol: Protocol in which the malware was detected.

IM/P2P/VoIP filter

In this case, select the Columns to be displayed in the report.
Details of the detection

Place the cursor on the icon to the left of each row to see the Details dialog box with extended information about each event, which will be different depending on the type of detection.

You can use the report settings options through the Options drop-down menu. For more details about these options, refer to the section Report settings.

If you want to delete the content of the report, use the option Clear report.

Security reports

Introduction

To access these reports, click the Reports menu in the main console menu, and then select Security report.

The reports include settings options and can also be exported to .csv format. Also, if you place the cursor on a selected item, you will get specific information about the event in question.

If you want, you can filter the information in the report. You can do this with a simple and easy-to-use filter tool.

In addition to the system and protection reports, Panda GateDefender Performa offers other reports on access restricted by the explicit proxy and on the use of invalid certification authorities and certificates for HTTPS.

• Report on access restricted by the explicit proxy: This shows authentication attempts restricted by the explicit proxy, because the user does not have permission to access the proxy, authentication errors, etc.
• Report on invalid SSL certificates: This shows access to HTTPS sites that have presented invalid SSL certificates (expired, unknown certification authority, invalid certificate name or certificates that do not match the site).

Report on access restricted by the explicit proxy

This shows authentication attempts restricted by the explicit proxy, because the user does not have permission to access the proxy, authentication errors, etc.

Viewing restricted access attempts

Once the filtering conditions have been established, click Filter.
The report shows the data, grouped into columns, that you have selected in the Columns menu.

Details of the detection

Place the cursor on the icon to the left of each row to see the Details dialog box with extended information about each event, which will be different depending on the type of detection.

You can use the report settings options through the Options drop-down menu. For more details about these options, refer to the section Report settings.

If you want to delete the content of the report, use the option Clear report.

Report on invalid SSL certificates

This shows access to HTTPS sites that have presented invalid SSL certificates (expired, unknown certification authority, invalid certificate name or certificates that do not match the site).

Viewing HTTPS sites with invalid SSL certificates

Once the filtering conditions have been established, click Filter.

The report shows the data, grouped into columns, that you have selected in the Columns menu.

Details of the detection

Place the cursor on the icon to the left of each row to see the Details dialog box with extended information about each event, which will be different depending on the type of detection.

You can use the report settings options through the Options drop-down menu. For more details about these options, refer to the section Report settings.

If you want to delete the content of the report, use the option Clear report.

System report

Panda GateDefender Performa shows a detailed report on system events (updates, restarts, etc.). In order to view this report, click the Reports – System report menu.

Viewing the events logged

Once the filtering conditions have been established, click Filter.

The report shows the data, grouped into columns, that you have selected in the Columns menu.

Some of the events logged in this report are:

• Result of every update process.
• Update performed.
• Update errors, clearly specifying the cause of the error (for example: Could not connect to the updates server; The updates server has returned an error; An error occurred during the download process; An error occurred during the update process, etc.).
• Error sending email warnings.
• Appliance start up.
• Problems starting the appliance (the problems and the actions taken to resolve them will be specified).
• Could not connect to the DNS server.
• Problems connecting to the configured proxy server (for example, due to a validation error).
• Could not connect to the license server.
• The license server has returned an error.
• Quarantine space about to be used up.
• Quarantine space exceeded.

Details of the detection

Place the cursor on the [+] icon to the left of each row to see the Details dialog box with extended information about each event, which will be different depending on the type of detection.

You can use the report settings options through the Options drop-down menu. For more details about these options, refer to the section Report settings.

If you want to delete the content of the report, use the option Clear report.

Tools

Introduction

Panda GateDefender Performa includes a series of useful tools to deal with situations in which the appliance performance is less than optimum. Use the links below to find out more about them:

• Diagnosis tools
• Internal log files
• Links to services
• Export / Import settings
• Sending statistics
• Restarting the system services
• Complete system restart
• Shutting down the system

Diagnosis tools

Panda GateDefender Performa has a series of tools for diagnosing problems on the appliance. The options available are:

• Ping
• Traceroute
• DNS resolution
• Connectivity with Panda Security
• Show network status
• Packet capture

Ping

The tools screen has two parts: Tool and Result.

Tool settings options:

• Tool: Select Ping.
• Parameters:
  o Target addresses: Specify the target host.
  o Number of pings to be sent: Specify the number of pings.
  o TTL: Specify the TTL value.
  o Types: Select the type of ping required: TCP, UDP or ICMP.
• If you want to launch the tool, click on Run.

Result

Displays the result obtained from running the tool. If you want to save the result in a file, click on Export to file. Click on OK to return to the Support tools screen.

Traceroute

The tools screen has two parts: Tool and Result.

Tool settings options:

• Tool: Select Traceroute.
• Parameters:
  o Target addresses: Specify the target host.
  o Number of pings to be sent: Specify the number of pings.
  o TTL: Specify the TTL value.
  o Types: Select the type of ping required: TCP, UDP or ICMP.
• If you want to launch the tool, click on Run.

Result

Displays the result obtained from running the tool. If you want to save the result in a file, click on Export to file. Click on OK to return to the Support tools screen.

DNS resolution

The tools screen has two parts: Tool and Result.

Tool settings options:

• Tool: Select DNS resolution.
• Parameters:
  o Address: Specify the address to be resolved. If an IP address is entered, a reverse resolution will be carried out.
  o Request type: Select a value from the list: A, ANY, CNAME, NS, MX, PTR, SOA, TXT, LOC, RP and SIG.
  o Protocols: Select the type of connection required, TCP or UDP.
  o Port: Specify the port. The default port is 53.
  o Server: Specify the server.
• If you want to launch the tool, click on Run.

Result

Displays the result obtained from running the tool. If you want to save the result in a file, click on Export to file. Click on OK to return to the Support tools screen.

Connectivity with Panda Security

Panda GateDefender Performa has to communicate with the following servers to operate correctly:
• System software update server
• License server
• Anti-malware update server
• Malware quarantine server
• Panda cloud scanning server
• Panda cloud data server
• Anti-spam update server
• Web filter data server

You can check that connectivity to these servers is working correctly through the Tools menu in the console. To do this, follow these steps:

1. Go to Tools in the Panda GateDefender Performa console.
2. Click Diagnostic tools.
3. Select Connectivity with Panda Security from the drop-down menu.
4. Click Run.

In the Result field, check the connectivity for each of the servers. You can save the results in a TXT file in the location of your choice by clicking Export results.

Display system network status

You can check the status of the network by following these steps:

1. Go to the Tools menu in the Panda GateDefender Performa console.
2. Click on Diagnostic tools.
3. Select Display system network status from the drop-down menu.
4. Click on Run.

If you want to save the result in a text file, click on Export to file.

Packet capture

The Tools screen has two parts: Tool and Result.

Using this tool can negatively affect the performance of your appliance.

Tool settings:

1. Tool: Select Packet capture.
2. Parameters:
   - Type of capture: Select the type of capture: Maximum capture time, Maximum capture size, Maximum packets for capture or Circular capture. Circular capture consists of a buffer that allows the capture of the last megabytes transferred. This can be specified in the Value field. Capture size is limited to 300 MB.
   - Value: Set the capture limit. This can be specified in seconds, megabytes or packets, depending on the type of capture selected.
   - Capture interface: Select the network interface on the appliance.
   - Maximum packet size: Select one of these two options: Capture headings or Complete traffic.
   - Filter: Select the filtering:
     - Capture protocol traffic.
     - Capture port traffic.
     - Capture special traffic.
     - Capture all traffic.
3. Protocols: This option appears after selecting the Capture protocol traffic filter. It establishes the protocol to be used in the filter.
4. Ports: This option is displayed when the Capture port traffic filter is selected. Establish the ports to be used in filtering. A range can be chosen by specifying two ports separated by a hyphen.
5. Source IP: Specify the source IP.
6. Target IP: Specify the target IP.
7. If you want to launch the tool, click Run.
8. If you want to stop the capture, click Stop capture.

Result

Displays the result obtained from running the tool. If you want to save the result in a file, click Export to file. Click OK to return to the Support tools screen.

Internal log files

The internal log files allow you to carry out an advanced diagnosis in order to resolve problems. These files may be requested by tech support services when resolving an incident. It is not advisable to generate these files unless you are asked to do so by Panda Security technicians.

To generate log files, select the level of detail that the technicians have specified:

1. In the Tools menu of the console, select Internal log files.
2. Select the log generation mode:
   • Basic mode: Select this option if you want to record basic level information in the log files.
   • Debug mode: Select this option if you want a greater level of detail in the information in the log files.
3. Select the level of debugging:
   • Standard: Level of detail necessary for most cases.
   • Advanced: Lets you control the type of information you want to collect. Enable the checkboxes according to the options you want.
4. Select the level of detail you want. To download the log files onto your computer, click Download logs.
5. Click Save to save the changes. Otherwise, click Cancel.

Online services

The services provide help and benefits in addition to those offered by the unit.
Thanks to these services, you will always have a team of experts on hand to help you resolve any queries and problems you might have with viruses and other threats. The services offered by Panda GateDefender Performa are:

• Online Support Center: A fast, simple way to find answers to your queries.
• Virus encyclopaedia: Detailed and accurate information about the characteristics of each virus and how to eliminate it.
• Virus news: The latest virus news.
• Virus Infection Map: Live graphic coverage of the percentage of computers infected by viruses worldwide.
• Suggestion box: Allows you to inform Panda Security of the improvements you would make to Panda GateDefender Performa. Your suggestions will be thoroughly studied by the Panda Security technicians.
• Global ThreatWatch: Check out the current virus situation, and find out if there are alerts anywhere in the world or in your country.

In order to use these services, you need an open connection to the Internet.

Exporting/importing the settings

Once the appliance has been correctly configured and is working properly, you can save the settings parameters. It is useful to do this as:

• You can recover them (import them) later.
• You can apply the same settings to another unit without needing to do so manually.

Exporting the current settings

In order to export the settings, follow the steps below:

1. Click on the Export button.
2. In the window that opens, click on the Settings link.
3. Select the folder where you want to save the settings file.
4. Click on the Export button.

When this process is complete, the system will generate a file with the current settings, except for the user name and password for accessing the console.

Importing settings

When importing a settings file from another unit, remember that the name and network settings of the appliance must be unique. Therefore, these details must be modified if another unit is using them.
To import or restore settings that you have previously saved, follow the steps below:

1. Click on Browse...
2. Find the settings file that you want to install and click on OK.
3. Then click on Import.
4. If no warning messages are returned, the appliance will have applied the new settings. If a warning appears, you will be informed of the problem and the steps for resolving it.

Sending statistics

Select:

1. Allow information about malware and other threats to be sent, if you want to authorize sending of information about malware and other threats detected by your appliance.
2. Send information about spam detected, if you want to authorize sending of information about spam detected by your appliance. In this way you will be helping to improve the detection capacity of Panda GateDefender Performa. The information is sent anonymously, with no data identifying your company.
3. Click Save.

Statistics are sent via HTTPS, and so all data will be encrypted.

Restarting the system services

Restarting the system services can be useful as an initial means of resolving functionality issues in Panda GateDefender Performa. The system services can be restarted in two ways:

• Click Restart services in the Tools menu.
• If the appliance has an LCD screen, use the Reset Services option.

Panda GateDefender Performa will perform a clean restart of all services without completely restarting the appliance. This process is much quicker than completely restarting the system. However, while it is in progress, the network traffic will be blocked in order to guarantee that no traffic goes through Panda GateDefender Performa without being scanned.

While Panda GateDefender Performa is restarting the services and the network traffic is blocked, the console informs you of the status of the appliance. When the restart is complete, you will see the screen for logging in to the console.
If this doesn't happen after a few minutes, open another window in the browser and connect again to Panda GateDefender Performa.

Complete system restart

Restarting the system ensures, in the vast majority of cases, that any possible problems detected while the unit is running are resolved. The system can be restarted in two ways:

• Click Restart System in the Tools menu.
• If the appliance has an LCD screen, use the Reset System option.

More information

When the system is restarted:

• Panda GateDefender Performa will run a clean restart: it closes all operating system processes and services in order to avoid problems like corrupting the file system.
• If the appliance has a bypass card, network traffic will not be blocked, but will pass through without being scanned.
• If the appliance does not have a bypass card, the network traffic will be blocked to guarantee that no traffic passes through without being scanned. Under no circumstances will traffic be allowed through until the system has restarted and the appliance is fully operative. This takes approximately 90 seconds.

The system restart and its result are logged in the system events report.

In order to check if the system has completely restarted, the administrator can check the following:

• The Web console displays a warning while the appliance is restarting. If the console access window does not appear within a few minutes, you must open another browser window and connect to the appliance again.
• Ping the appliance network IP address. When the restart has completed successfully, the IP address must respond to the ping commands.
• Ping a computer connected to the other side of the appliance. Panda GateDefender Performa will not allow traffic through until it has started completely. Then, if you get a reply to the ping, the system has restarted successfully.
• Check that the LED display on the appliance is on. This means that the restart is complete.
Shutting down the system

Panda GateDefender Performa lets you shut the system down correctly, blocking all network traffic. If the appliance has a bypass card, the traffic won't be blocked. The system can be correctly shut down in two ways:

• Click the Shut down system button in the Tools menu. A pop-up window will ask for confirmation.
• If the appliance has an LCD screen, use the Shutdown option.

Panda GateDefender Performa 9100: It is advisable to completely shut down the appliance. To do this, press the switch. It will completely shut down after a few seconds. To restart the appliance, press the switch and wait a few seconds.

Panda GateDefender Performa 9500: It is advisable to completely shut down the appliance. To do this, disconnect the network cables. To restart the appliance, reconnect the network cables.

Note: Network traffic through Panda GateDefender Performa will be blocked once the system has shut down.

How do I...

Activating Panda GateDefender Performa

1. Click My license, next to the system clock.
2. In the window that appears, click on the link (here) that appears under Registration/activation details.
3. A new window appears: Enter the user name and password provided by Panda Security.
4. Click Save. Panda GateDefender Performa will contact the Panda Security server to get license information (wait 10 seconds before consulting the information). If an error occurs, a message will be displayed.

More information.

How do I know when my license expires?

In order to check the status of licenses:

1. Select the Status option in the menu on the left of the administration console. In the System status section, click on License management, which appears next to the option Updates and services expire.
2. A new window opens that shows the status of the licenses you have contracted (expiry date and days left).

How do I update the product?
There are three types of updates:

• Update of the signature files: malware, spam and web filtering files.
• System software upgrade (firmware): for example, the operating system, the hardware drivers, the web server used to view the administration console, etc., or the malware and spam scan and detection engines.
• Hotfix update: Hotfix updates allow users to include performance improvements and solve specific problems.

How do I modify the warning messages?

In order to modify the warning messages sent by Panda GateDefender Performa:

1. Select the Warnings option in the menu on the left of the administration console.
2. Configure the events to report.
3. Configure the recipient's mail account.
4. Configure the customizing texts.

Enabling and disabling report generation

Panda GateDefender Performa generates detailed reports on malware, Content Filter, spam, web filtering and system events. However, for Panda GateDefender Performa to generate these reports, they must be enabled. To enable and disable reports, follow the steps below:

1. Click the Reports menu in the console.
2. Click on the report you want to enable or disable.
3. Click on Settings in the pop-up window displayed.
4. Enable or disable the Continue generating this report checkbox.

Installing several units in load balancing mode

1. Assign a unique configuration IP address to each unit.
2. Assign a unique network IP address to each unit.
3. Place the units between two switches. An appliance network interface card must be connected to each switch.
4. Now connect the switches to the rest of the network.

For information about the factory settings, refer to the factory settings section.

To install these units in load balancing mode, it is advisable to:

• Use switches instead of hubs. This reduces the number of collisions and increases performance.
• Use Gigabit Ethernet connections only if the unit supports them.
• Check that the appliance network interface cards are working in full-duplex mode.
In order to guarantee the correct operation of several units working in load balancing mode, all of the different types of protection must have the same settings in all of them. The network settings (name, IP address, etc.) must be different.

Exporting/importing the settings
Once the appliance has been correctly configured and is working properly, you can save the settings parameters. It is useful to do this as:
• You can recover them (import them) later.
• You can apply the same settings to another unit without needing to do so manually.

Exporting the current settings
In order to export the settings, follow the steps below:
1. Click on the Export button.
2. In the window that opens, click on the Settings link.
3. Select the folder where you want to save the settings file.
4. Click on the Export button.
When this process is complete, the system will generate a file with the current settings, except for the user name and password for accessing the console.

Importing settings
When importing a settings file from another unit, remember that the name and network settings of the appliance must be unique. Therefore, these details must be modified if another unit is using them. To import or restore settings that you have previously saved, follow the steps below:
1. Click on Browse...
2. Find the settings file that you want to install and click on OK.
3. Then click on Import.
4. If no warning messages are returned, the appliance will have applied the new settings. If a warning appears, you will be informed of the problem and the steps for resolving it.
Trusted sites and domains settings in the anti-malware protection
To access the trusted sites and domains settings, click the Settings menu in the main console, and in Protection > Anti-malware select Trusted sites and domains.
Sometimes, the traffic sent from certain servers, computers or domains is reliable enough to be excluded from the scans. By excluding this traffic from the anti-malware scans, the workload of Panda GateDefender Performa is reduced and its performance is optimized. You can create a list of servers, websites, domains, subdomains, IP addresses and ranges whose traffic will be excluded from the scans. This action will apply to all protocols. To do this:
1. Click the Settings menu in the main Console screen.
2. Go to Protection > Anti-malware and click Trusted sites and domains.
3. This shows the trusted sites and domains configured to date. To add a new domain, subdomain, range, etc., include it in the New box and click Add. In the case of IP addresses, you can use the CIDR format, and for sub-domains, you can use wildcards.
4. The updated list will be displayed in the box. To delete any item, select it and click Delete.
After you have completed these steps, Panda GateDefender Performa will not scan traffic from those domains, servers or computers for malware. Because traffic from these entries bypasses the anti-malware scan completely and for every protocol, keep the list as short as possible and review it regularly.

The correct format for entering a trusted site or domain
• For websites: enter the full URL (for example, mail.pandasoftware.com), or the IP address (for example, 192.168.1.200).
• For domains or sub-domains: enter an asterisk (for example: *.subdomain.domain.com or *.domain.com, etc.). You can also enter an asterisk after the final dot of the domain (for example: www.domain.*). Bear in mind that it is not possible to use more than one asterisk (for example: *.domain.*). If you do not want to enter sub-domains, you do not need to use the asterisk (for example, domain.com).

Restoring the initial values for signing in to the Web console
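Before the restore procedures, an added example for the trusted sites and domains format described above. The rules (a full hostname or an IP address, a CIDR range, or a single asterisk replacing the first or the last label) are easy to get wrong, and every entry that is accepted bypasses the malware scan for all protocols, so it is worth being able to check a list before applying it. The Python below is not code from Panda or the appliance: it validates entries against those rules and then checks whether a given source host or address would be excluded from scanning. Its reading that *.domain.com covers only sub-domains (domain.com itself must be listed without the asterisk, as the guide shows) is this example's assumption, and the sample list is constructed.

```python
import ipaddress
import re

# One DNS label: letters, digits and inner hyphens (entries are lower-cased first).
LABEL = re.compile(r"^[a-z0-9]([a-z0-9-]*[a-z0-9])?$")


def _labels_ok(name, min_labels):
    labels = name.split(".")
    return len(labels) >= min_labels and all(LABEL.match(l) for l in labels)


def parse_entry(raw):
    """Classify one trusted-site entry using the rules from the guide.
    Returns (kind, value):
      ("ip", address)      192.168.1.200
      ("cidr", network)    192.168.1.0/24
      ("host", name)       mail.pandasoftware.com  (exact match only)
      ("prefix", name)     *.domain.com            (any sub-domain of name)
      ("suffix", name)     www.domain.*            (any ending after name)
    Raises ValueError for anything else, including a second asterisk."""
    entry = raw.strip().lower()
    if not entry:
        raise ValueError("empty entry")
    if entry.count("*") > 1:
        raise ValueError("only one asterisk is allowed: %r" % raw)
    if "*" not in entry:
        try:
            if "/" in entry:
                return ("cidr", ipaddress.ip_network(entry, strict=False))
            return ("ip", ipaddress.ip_address(entry))
        except ValueError:
            pass                      # not an address, try a hostname
        if _labels_ok(entry, 2):
            return ("host", entry)
        raise ValueError("not an address, range or hostname: %r" % raw)
    if entry.startswith("*.") and _labels_ok(entry[2:], 2):
        return ("prefix", entry[2:])
    if entry.endswith(".*") and _labels_ok(entry[:-2], 1):
        return ("suffix", entry[:-2])
    raise ValueError("asterisk must replace the first or the last label: %r" % raw)


def build_trusted_list(lines):
    """Parse a whole list; returns (accepted_entries, rejected_lines)."""
    accepted, rejected = [], []
    for line in lines:
        try:
            accepted.append(parse_entry(line))
        except ValueError as err:
            rejected.append((line, str(err)))
    return accepted, rejected


def is_trusted(source, entries):
    """Would traffic from `source` (hostname or IP text) bypass the scan?
    Assumption: *.domain.com covers sub-domains only; to trust domain.com
    itself it must be listed without the asterisk."""
    src = source.strip().lower()
    try:
        addr = ipaddress.ip_address(src)
    except ValueError:
        addr = None
    for kind, value in entries:
        if addr is not None:
            if kind == "ip" and addr == value:
                return True
            if kind == "cidr" and addr in value:
                return True
        else:
            if kind == "host" and src == value:
                return True
            if kind == "prefix" and src.endswith("." + value):
                return True
            if kind == "suffix" and src.startswith(value + "."):
                return True
    return False


if __name__ == "__main__":
    # Constructed sample list, mirroring the guide's format examples.
    sample = ["mail.pandasoftware.com", "192.168.1.200", "10.0.0.0/8",
              "*.domain.com", "www.domain.*", "*.domain.*", "domain.com"]
    entries, bad = build_trusted_list(sample)
    for line, why in bad:
        print("rejected:", line, "->", why)
    for probe in ["ftp.domain.com", "domain.com", "evil-domain.com", "10.9.8.7"]:
        print(probe, "trusted" if is_trusted(probe, entries) else "scanned")
```

Run the file directly to see which sample entries are rejected (only *.domain.* in the constructed list) and which probes would skip the scan; note that a look-alike such as evil-domain.com is still scanned because the prefix match requires the dot before domain.com.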
The option for restoring the initial values for signing in to the Web console allows the user to restore the factory settings of the configuration IP address, the user name and the password for the console. Follow the steps below for the appliance model you have:
• Panda GateDefender Performa SB:
1. Find the F/D button at the back of the appliance.
2. Hold this button down for a few seconds. The unit restores the factory settings for accessing the Web console.
Don’t confuse the F/D button with the Reset (system) button, which resets the whole system.
• Panda GateDefender Performa 9100 and 9500 (the SB, 9100 and 9500 models have a CD drive):
1. Find the Reset button at the back of the appliance.
2. Hold this button down for a few seconds. The unit restores the factory settings for accessing the Web console.
In order to view the factory settings of Panda GateDefender Performa, click here.

Restoring the appliance
In the event of serious system errors, you may have to restore the appliance. There are three methods for restoring the appliance, which should be used in the following cases:
1. Recovery via CD. This can be used to restore any appliance with a CD or DVD drive.
2. Recovery with a USB device. This can be used to restore any appliance with USB ports and without a CD or DVD drive.
3. Restoring via Live DVD. This can be used to restore any appliance without USB ports and without a CD or DVD drive.

Recovery via CD
The restore CD included with the Panda GateDefender Performa appliance allows you to restore the system if errors occur. It is important to bear in mind that this method for restoring Panda GateDefender Performa must only be used as a last resort to solve possible errors. Never use the self-restore CD if you have not been advised to do so by Panda Security’s technical support team. To restore the system, follow the steps below:
1. Export the current settings of the appliance to a file. Click here for instructions on how to do this.
2. Connect to http://www.pandasecurity.com/enterprise/downloads/tree/
3. Enter the user name and password of your license.
4. Go to the section “Downloads available…”
5. In the section “Software available for Panda GateDefender Performa” > Restore CD, download the ISO for recovery via CD of the latest version available for the SUN platform.
6. Insert the CD in the CD drive.
7. Switch off the Panda GateDefender Performa appliance.
8. Start the appliance. The restore process will start automatically and the appliance software will be reinstalled. Do not shut down the system while the appliance is working, otherwise the entire system will be corrupted. The recovery process must not be interrupted once it has started. Panda GateDefender Performa will display the factory settings. Import the settings file that you have just exported to apply the settings defined before restoring the appliance. Click here for instructions on how to do this.

Restoring using the Live DVD
The LiveDVD recovery system is based on a self-executable DVD which, run on a computer in the same network as the appliance and working as an update server, sends the appliance the software needed to carry out the restore. Having received the necessary software, users can start restoring the system from the computer. Restoring Panda GateDefender Performa should always be considered as a last resort. Never use the self-restore DVD if you have not been advised to do so by Panda Security’s technical support team.
Requirements for running Live DVD
• Intel Pentium IV processor, or similar.
• 256 MB RAM.
• DVD drive.
Before starting the process, connect the server and the appliance in a local network using an Ethernet cable (in the appliance, the cable should be connected to the interface labeled RES).
Using the Live DVD
In order to use Live DVD, follow the steps below:
1. Connect to http://www.pandasecurity.com/enterprise/downloads/tree/
2. Enter the user name and password of your license.
3. Go to the section “Downloads available…”
4. In the section “Software available for Panda GateDefender Performa” > Restore DVD, download the ISO for recovery via LiveDVD of the latest version available for the 8000 series and SB.
5. Export the current settings of Panda GateDefender Performa to a file.
6. Insert the LiveDVD in the computer and restart it. Live DVD will start, showing the restore interface.
7. Restart the Panda GateDefender Performa appliance. The computer will send and install the software needed for recovery. When this has been done, the Start restore button is activated, which you must press to start the process.
8. The appliance will send the information about this process to the computer. When this process is complete, the following text is displayed in the computer: Remote host restoration completed
9. Click OK to restart the appliance from the hard disk. Do not shut down the system while the appliance is working, otherwise the entire system will be corrupted. The recovery process must not be interrupted once it has started. Panda GateDefender Performa will display the factory settings. Import the settings file that you have just exported to apply the settings defined before restoring the appliance.
For more information about the restore process, for example, the minimum requirements for the restore server, refer to the restore guide available in the downloads area of the website www.pandasecurity.com/enterprise/downloads/.

Recovery with a USB device
To restore the appliance using a USB device, you must first have created a USB installer. Then, follow the steps below:
1. Export the current settings of the appliance to a file. Click here for instructions on how to do this.
2. Insert the USB device in one of the appliance ports.
3. To continue with the process, connect a screen to the VGA socket in the appliance.
4. Also, connect a keyboard.
5. Restart the appliance (click here for information about the process of restarting the system). Once the restart is complete, the restore process will start. When it has finished, a notice is shown on the screen.
6. To complete the restore process, press ENTER and remove the USB device. The system will restart and the restored software will start. All of the settings will be lost and the factory settings will be displayed.
7. Import the settings file that you have just exported to apply the settings defined before restoring the appliance. Click here for instructions on how to do this.

The LCD screen: definition and use
This section explains the LCD screen and how to use it. The Panda GateDefender Performa SB and Panda GateDefender Performa 9100 and 9500 models do not have an LCD screen.
Specifications of the interface behavior
The following characters appear at the start of each line in a menu:
• A submenu marker: to access the submenu, press Enter.
• A character that specifies that you are in a submenu and that you can exit to the main menu. To do this, press ESC.
When in a submenu, the last character of the first line shows one of the following characters:
• A character indicating that you can press the downward arrow to move to a lower option.
• A character indicating that you can press any of the arrows to go up to the previous option or go on to the next option.
• A character indicating that you can press the upward arrow to move to a higher option.
The appliance LCD screen shows the following:
• Status. Possible values are:
  • Running - OK: The appliance is functioning correctly.
  • Starting: The appliance is starting.
  • Closing: The appliance is closing.
  • Restarting: The appliance is re-starting.
  • You may shutdown: The system has closed but the power source is still on.
• CPU use: Shows the load of the appliance.
• Configuration. Shows information about the appliance settings.
  • Config IP: IP address used to access the console.
  • Network IP: Shows the network IP of the appliance.
  • Cluster mode Master / Slave: Shows the role of the appliance (Master or Slave).
• Version info: Shows the version of the appliance system software.
• Serial number: Shows the serial number of the appliance.
• Reset access: Allows you to reset the appliance access details (user name, password and IP address). To confirm, press ENTER. To cancel, press ESC.
• Reset Services: Lets you completely restart the services. To confirm, press ENTER. To cancel, press ESC.
• Reset System: Allows you to restart the appliance. To confirm, press ENTER. To cancel, press ESC.
• Shutdown: Allows you to shut down the appliance hardware. To confirm, press ENTER. To cancel, press ESC.

Configuring internal networks
1. In the Settings menu, select Internal networks. You will see the following screen.
2. Add the IP address ranges of your internal network (protected by Panda GateDefender Performa).
Example 1: If you have just one internal network with IP addresses in the range 192.168.1.0/24, enter this on the page.
Example 2: If you want to protect two internal networks, such as 172.16.1.0/24 and 172.16.2.0/24, include both ranges.
3. Click Save.

Configuring internal domains
1. In the Settings menu, select Internal domains. You will see the following screen.
2. Add the domains used on your internal network (protected by Panda GateDefender Performa).
Example 1: If you have a single domain 'company.com', include it on this page. Users of the protected internal network will have email addresses with the format [email protected].
Example 2: If you have several domains (company.com, company.net, company.biz), add them all.
3. Click Save.

Using the basic anti-spam settings
1. In the Settings menu, select Anti-spam protection settings.
2. Select the Enable anti-spam protection checkbox for the following protocols, and configure the remaining options:
• Protocol:
  • Select the SMTP checkbox.
  • Select the traffic to scan: Inbound, Outbound, or Inbound and Outbound.
  • Select the POP3 checkbox.
  • Select the IMAP4 checkbox.
• Sensitivity level:
  • Select High.
• Action to take on spam messages:
  • Select Delete.
  • Select Insert the following text in the subject.
  • Leave the default text or enter your own text.
• Action to take on messages classified as probable spam:
  • Select Send to quarantine.
  • Select Insert the following text in the subject.
  • Leave the default text or enter your own text.
3. Click Save.

Using the advanced anti-spam settings
1. In the Settings menu, select Anti-spam protection settings.
2. Click To configure the advanced settings, click here. You will see the advanced settings page.
Response to the sender in the event of blocked SMTP messages:
- Select the Reject message during connection checkbox.
- Select the response code 554 Spam detected.
Detection based on DNSBLs:
- Select the Enable detection based on DNSBLs checkbox.
- Select Delete.
- Select the Enable use of DNSBLs recommended by Panda Security checkbox.
- Select the Enable use of additional DNSBLs checkbox. Click the existing link. You will see the screen for configuring additional DNSBL servers.
- Select the checkbox that enables zen.spamhaus.org.
- Click Save.
Anti-backscatter protection:
- Select the Enable anti-backscatter protection checkbox.
- Select the action Delete.
- Select Enable BATV.
SMTP relay server protection:
- Select the Enable SMTP Relay server protection checkbox.
- Click Save (in Advanced settings).
- Click Save (in the anti-spam settings page).
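The advanced settings above combine two mechanisms that are easier to trust once you have seen what they actually do: a connection-time reject (554 Spam detected) driven by a DNSBL such as zen.spamhaus.org, and BATV-based anti-backscatter, which deletes bounces for messages the gateway never sent. The Python below is an added illustration, not Panda's code or the appliance's implementation. It builds the reversed-octet DNSBL query name and decides the SMTP greeting from the answer, and it signs and verifies a simplified BATV prvs tag on the envelope sender's local part. The HMAC input, the six-hex-digit signature, the 7-day lifetime and the single key are this example's assumptions; the DNS resolver is injectable so the code can be exercised without network access, and the stub answers and key are constructed.

```python
import datetime
import hashlib
import hmac
import ipaddress
import socket

# --- DNSBL lookup (Detection based on DNSBLs) ------------------------------

def dnsbl_query_name(ip, zone):
    """Build the DNSBL lookup name for an IPv4 client: the octets are
    reversed and the list zone is appended (1.2.3.4 -> 4.3.2.1.<zone>)."""
    addr = ipaddress.ip_address(ip)
    if addr.version != 4:
        raise ValueError("this example handles IPv4 clients only")
    return ".".join(reversed(str(addr).split("."))) + "." + zone


def system_resolver(name):
    """Default resolver: the A records for name, or [] when the name does
    not resolve (NXDOMAIN is how a DNSBL says 'not listed')."""
    try:
        return socket.gethostbyname_ex(name)[2]
    except socket.gaierror:
        return []


LISTED_RANGE = ipaddress.ip_network("127.0.0.0/8")


def dnsbl_listed(ip, zone, resolve=system_resolver):
    """True when the zone answers with a loopback-range address, the DNSBL
    convention for 'listed'; the exact 127.0.0.x value is zone-specific."""
    answers = resolve(dnsbl_query_name(ip, zone))
    return any(ipaddress.ip_address(a) in LISTED_RANGE for a in answers)


REJECT_RESPONSE = "554 Spam detected"      # response code selected above


def smtp_response_for(client_ip, zones, resolve=system_resolver):
    """Reject message during connection: a listed client gets the 554 reply
    instead of the 220 greeting, so no message data is ever accepted."""
    for zone in zones:
        if dnsbl_listed(client_ip, zone, resolve):
            return REJECT_RESPONSE
    return "220 ESMTP ready"


# --- BATV (Anti-backscatter protection) -------------------------------------

def _day(today):
    # today: a day ordinal (datetime.date.toordinal()); None means now
    return datetime.date.today().toordinal() if today is None else today


def batv_sign(local_part, key, key_id=0, today=None, lifetime_days=7):
    """Tag the envelope sender's local part as prvs=KDDDSSSSSS=local_part.
    K: key number; DDD: expiry day (day ordinal mod 1000); SSSSSS: first
    six hex digits of an HMAC over DDD+local_part. Hash input, digest and
    lifetime are this example's choices (assumption), not the appliance's."""
    ddd = "%03d" % ((_day(today) + lifetime_days) % 1000)
    sig = hmac.new(key, (ddd + local_part).encode(), hashlib.sha256).hexdigest()[:6]
    return "prvs=%d%s%s=%s" % (key_id, ddd, sig, local_part)


def batv_verify(local_part, key, today=None):
    """Return the original local part when the tag is valid and has not
    reached its expiry day, otherwise None. A single key is assumed, so the
    key number is only checked for shape."""
    if not local_part.startswith("prvs="):
        return None
    tag, sep, orig = local_part[5:].partition("=")
    if not sep or len(tag) != 10 or not (tag[0].isdigit() and tag[1:4].isdigit()):
        return None
    ddd, sig = tag[1:4], tag[4:]
    expected = hmac.new(key, (ddd + orig).encode(), hashlib.sha256).hexdigest()[:6]
    if not hmac.compare_digest(expected, sig):
        return None
    remaining = (int(ddd) - _day(today) % 1000) % 1000
    if remaining == 0 or remaining > 500:      # expiry day reached (mod-1000 wrap)
        return None
    return orig


def bounce_is_backscatter(envelope_sender, rcpt_local_part, key, today=None):
    """Bounces carry an empty envelope sender. One addressed to a local part
    without a valid prvs tag answers a message we never sent: backscatter,
    which the Delete action above discards."""
    if envelope_sender != "":
        return False                          # not a bounce, BATV does not apply
    return batv_verify(rcpt_local_part, key, today) is None


if __name__ == "__main__":
    # Constructed stub: only 1.2.3.4 is "listed" by the zone.
    stub = lambda name: ["127.0.0.2"] if name == "4.3.2.1.zen.spamhaus.org" else []
    for client in ("1.2.3.4", "5.6.7.8"):
        print(client, "->", smtp_response_for(client, ["zen.spamhaus.org"], stub))
    key = b"constructed-demo-key"
    tagged = batv_sign("alice", key)
    print(tagged, "bounce accepted:", not bounce_is_backscatter("", tagged, key))
    print("alice bounce is backscatter:", bounce_is_backscatter("", "alice", key))
```

The outbound side rewrites MAIL FROM with batv_sign and the inbound side checks every bounce with bounce_is_backscatter; because the tag expires, a captured tagged address cannot be replayed indefinitely, and because the key never leaves the gateway, a forger cannot mint valid tags.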