Panda GateDefender Performa - User Guide

If your company has acquired this program and you do not have a CORPORATE USER
LICENSE, please contact Panda Software so that you can extend the use of this program to
more than one computer.
Copyright Notice
© 2010 Panda Security. All rights reserved.
Neither the documentation nor the programs included in this package may be copied,
reproduced, translated or reduced to any medium or electronic or machine-readable support
without prior written consent from Panda Security.
Trademarks
Panda Security is a registered trademark owned by Panda Security.
Windows is a registered trademark of Microsoft Corporation. Other product names that are
mentioned in this guide may be registered trademarks of their respective owners.
Printed in the European Union. Printed in 2010.
1008-PGDPMA-US-02
Table Of Contents
INTRODUCTION
KEY FEATURES OF PANDA GATEDEFENDER PERFORMA
FUNCTIONS
PROTECTION
NEW FEATURES ON THIS VERSION
INTRODUCTION
IMPROVED DESIGN AND USABILITY
PROTECTION IMPROVEMENTS
Improvements to the anti-malware protection
Improvements to the Content Filter and anti-spam protection
Web and IM/P2P/VoIP filter
OTHER IMPROVEMENTS
New security reports and improvements to the filtering and
Improvements to quarantine management
Integration of new proxy for HTTP/HTTPS
New agent to identify domain users
New Quality of Service (QoS) feature
Collective Intelligence
IMPLEMENTATION
ACTIVATING PANDA GATEDEFENDER PERFORMA
CONFIGURING THE APPLIANCE
Points to bear in mind before configuring the appliance
Data required to configure the appliance
Default settings
CREATING THE USB INSTALLER
DOWNLOADING FILES AND PREPARING THE USB DEVICE
Preparing the USB device
CREATING THE USB INSTALLER
COMMAND LINE INTERFACE (CLI)
COMMAND LINE INTERFACE (CLI)
Readonly role
Admin role
Access
COMMANDS ALLOWED IN READ-ONLY MODE
COMMANDS ALLOWED IN ADMINISTRATOR MODE
STATUS SCREEN
INTRODUCTION
Warnings
Protection
System
LICENSE MANAGEMENT
Products contracted
PROTECTION STATUS
Preferences for viewing the protection status
Scan and detection statistics
Details of the anti-malware protection
Details of the Content Filter protection
Details of the anti-spam protection
Information on Web filtering
IM/P2P/VoIP filter details
VERSION DETAILS
SYSTEM STATUS
INTRODUCTION TO THE SETTINGS
Protection settings
System settings
PROTECTION SETTINGS
ANTI-MALWARE PROTECTION
Malware types
Anti-malware protection settings
Antivirus protection settings
Heuristic protection settings
Anti-phishing protection settings
Protection against other security risks settings
Trusted sites and domains settings in the anti-malware protection
CONTENT FILTER PROTECTION
Content Filter protection settings
HTTP/S and FTP protection settings
Mail and news protection settings
Trusted sites and domains settings in the Content Filter protection
ANTI-SPAM PROTECTION
Anti-spam protection settings
Spam white list and blacklist
Advanced SMTP anti-spam protection settings
WEB AND IM/P2P/VOIP FILTER
Web filtering
IM/P2P/VoIP application filter
USERS EXEMPT FROM FILTERING
Users excluded from web filtering
Users exempt from P2P/IM filtering
Export/Import a list of computers.
PROFILES
Configuration by profiles
Managing settings
Creating and modifying protection profiles
Centralized protection settings
SYSTEM SETTINGS
GENERAL SETTINGS
Introduction
Console access settings
Load balancing/high availability
System clock
Explicit proxy
HTTPS connections and certificates
Advanced settings
Quality of Service (QoS) settings
NETWORK SETTINGS
Network environment
Network interfaces
Additional port settings
Managing internal networks
Managing internal domains
CONFIGURING THE UPDATES
Introduction to updates
Updating the protection software
Updating the system software
Hotfix management
DOMAIN USERS
Managing LDAP servers
Management of servers with validation
User management
DEFINITIONS
Introduction
Managing IP addresses
Domain management
WARNINGS
Introduction
Events to report settings
Syslog warnings settings
SNMP warnings settings
EMAIL WARNINGS
Email warnings settings
Recipient mail account details
Periodic activity notification
Periodic activity notification settings
CUSTOMIZING THE TEXTS/PAGES
Customizing the texts
Customization of the substitute HTTP/S page
QUARANTINE
INTRODUCTION TO QUARANTINE
MALWARE QUARANTINE
Possible actions in malware quarantine
Malware quarantine settings
Items excluded from quarantine
CONTENT FILTER QUARANTINE
Possible actions in content-filter quarantine
Content Filter quarantine settings
SPAM QUARANTINE
Possible actions in spam quarantine
Spam quarantine settings
QUARANTINE FILTERS
Introduction
Malware quarantine filtering
Content-filter quarantine filtering
Spam quarantine filtering
REPORTS
INTRODUCTION
CONFIGURING AND FILTERING REPORTS
Report settings
Filtering information in the reports
Stored filters
Additional features in the report views
PROTECTION REPORTS
Introduction
Protection report
SECURITY REPORTS
Introduction
Report on access restricted by the explicit proxy
Report on invalid SSL certificates
SYSTEM REPORT
System report
TOOLS
INTRODUCTION
DIAGNOSIS TOOLS
Ping
Traceroute
DNS resolution
Connectivity with Panda Security
Display system network status
Packet capture
INTERNAL LOG FILES
ONLINE SERVICES
EXPORTING/IMPORTING THE SETTINGS
Exporting the current settings
Importing settings
SENDING STATISTICS
RESTARTING THE SYSTEM SERVICES
COMPLETE SYSTEM RESTART
SHUTTING DOWN THE SYSTEM
HOW DO I
ACTIVATING PANDA GATEDEFENDER PERFORMA
HOW DO I KNOW WHEN MY LICENSE EXPIRES?
HOW DO I UPDATE THE PRODUCT?
HOW DO I MODIFY THE WARNING MESSAGES?
ENABLING AND DISABLING REPORT GENERATION
INSTALLING SEVERAL UNITS IN LOAD BALANCING MODE
EXPORTING/IMPORTING THE SETTINGS
Exporting the current settings
Importing settings
TRUSTED SITES AND DOMAINS SETTINGS IN THE ANTI-MALWARE PROTECTION
RESTORING THE INITIAL VALUES FOR SIGNING IN TO THE WEB CONSOLE.
RESTORING THE APPLIANCE
RECOVERY VIA CD
RESTORING USING THE LIVE DVD
Using the Live DVD
RECOVERY WITH A USB DEVICE
THE LCD SCREEN: DEFINITION AND USE
CONFIGURING INTERNAL NETWORKS
CONFIGURING INTERNAL DOMAINS
USING THE BASIC ANTI-SPAM SETTINGS
USING THE ADVANCED ANTI-SPAM SETTINGS
Introduction
Panda GateDefender Performa is a scalable and ultra-reliable SCM (Secure Content Management)
perimeter security appliance. It delivers maximum proactive protection in the gateway against content-based Web and email threats. It blocks all types of malware, spam, undesirable content and other
Internet threats before they enter the company.
Its simple "connect and forget" operation and complete anti-malware protection, along with content
filtering, anti-spam, Web filtering and IM/P2P/VoIP filtering, make Panda GateDefender Performa a
highly effective security solution.
Key features of Panda GateDefender Performa
• Complete protection
It includes best-of-breed protection against malware, potentially dangerous content, spam,
inappropriate Web content, and IM, P2P and VoIP protocols.
It scans inbound and outbound traffic in all protocols (HTTP/S, FTP, SMTP, POP3, IMAP4 and NNTP)
helping enforce security policies, and doesn’t require additional protection or supporting devices,
therefore reducing complexity and operational costs.
• Modular structure
It provides specific protection for different threats, reinforcing the risk management systems where
necessary. The cost is optimized since the organization only purchases the protection required.
• Integrated proactive technology
Heuristic engines, Collective Intelligence and Quarantine combined in the perimeter optimize threat
detection, ensuring reception of important information.
• High performance
The hardware is designed to operate transparently in the perimeter, scanning large traffic volumes in
real-time.
Each unit’s performance adapts to each organization’s traffic, optimizing the risk management system.
Its high performance improves user productivity, making sure that standard security policies are met
and ensuring business continuity.
• Zombie detection
Outbound SMTP detection allows administrators to identify internal computers that are infected and
which are sending spam and malware to clients and contacts without users’ knowledge.
This improves corporate image and reputation with clients.
• Automatic updates
Updates are automatically carried out every hour in the case of malware and every minute in the case
of spam. The protection is always updated against the latest threats, constantly improving the risk
management system. The solution does not require continuous administration, thereby reducing
complexity and operational costs.
• 'Connect and Forget'
It operates as a transparent bridge, and as installation does not require changes or redirections in the
network settings, complexity is reduced. Once connected, it starts to work immediately, reducing
operational costs.
• Guaranteed reception of data
Panda GateDefender Performa scans, disinfects, restores and resends files containing unknown
malware without administrator intervention, reinforcing the risk management system. It also prevents
critical information losses and protects the organization against known and unknown threats, helping
enforce security policies. Additionally, it ensures business continuity and reduces operational costs.
• Console access levels
Different console access levels reinforce security in the risk management system, as security settings
are protected and business continuity is ensured.
Access permission adapts to users’ different needs and reduces complexity for non-expert users.
• Guaranteed traffic flow
The hardware models for large organizations include a bypass option to ensure traffic flow continues in
the case of system failure.
Functions
The main functions of Panda GateDefender Performa include:
• Load balancing
Automatic, native load balancing ensures high service availability in the event of unexpected failure,
optimizes investment in the organization’s computers, and improves the risk management system. It
also prevents traffic reception delays, improving user productivity and ensuring business continuity. As
it is native and automatic, it eliminates configuration complexity and reduces operational costs.
• Customizable security policies
Different user profiles and groups can be defined to establish different security policies for each
network user, reinforcing the risk management system. This way, user productivity is optimized and
security policies are enforced.
• Integration with LDAP/AD
Due to integration with directory systems, the user responsible for each action taken on the network is
identified and the risk management system is improved. In addition, monitoring of internal users
enforces security policies.
• Centralized settings
All the units deployed can be configured from a single console. Centralized configuration of different
access points improves the risk management system and reduces complexity.
• Detailed graphic reports
The real-time activity graphic reports significantly reinforce the risk management system.
Administrators and operators therefore have important information to hand, reducing complexity and
operational costs.
• Quarantine
It stores potentially dangerous files and messages in quarantine if they are suspected of containing
unknown malware or are considered to be spam or probable spam. The aim of quarantine is to ensure
access to any important files or emails.
  • Malware quarantine
  Reserved for contaminated files that cannot be disinfected or are suspected of containing unknown
  malware.
  • Spam quarantine
  Reserved for emails classified as spam or probable spam.
  • Content Filter quarantine
  Reserved for files or messages blocked by the application of security policies.
Protection
The protection units offered by Panda GateDefender Performa are:
• Anti-malware
Detects and blocks damaging threats before they enter the corporate network: viruses, worms, Trojans,
spyware, dialers, jokes, phishing, hacking tools, security risks and, through its heuristic engine, threats
not yet cataloged.
• Content Filter
The Content Filter lets you customize the types of files and messages to be filtered. It applies filters
such as maximum file size, maximum number of compressed files, password protection…
With respect to messaging it analyzes and filters by content, subject, type, etc.
• Anti-spam protection
It includes advanced spam detection techniques, such as DNSBL, anti-backscatter and SMTP Relay,
minimizing the impact of spam on user productivity.
• Web filtering
The Web filter can restrict access to Web pages with unproductive content simply by selecting
prohibited categories. It therefore optimizes resource usage and improves user productivity.
• IM, P2P and VoIP protocol filter
Used to block attempts to access applications that can represent security holes. These include instant
messaging (IM), peer-to-peer (P2P) and Voice over IP (VoIP), whose use from inside the network can
be restricted.
New Features on this version
Introduction
This new version of Panda GateDefender Performa contains a series of new features and improvements
making it one of the most advanced and complete perimeter security solutions for SMBs on the market.
The development of this version of Panda GateDefender Performa has been undertaken with a special
effort to make configuration as simple as possible, and reduce the total cost of ownership derived from
maintenance of the solution. At the same time, new technologies have been integrated for scanning
your company's traffic, in order to adapt the platform to the cloud computing ethos, essential in order
to handle the increasing volume of malware circulating on the Internet.
In addition to this commitment to improve the usability of the Web console, other functional aspects
have been improved, enhancing the reliability and efficiency of Panda GateDefender Performa and
better adapting it to the needs of users. The new agent for identifying domain users and the integrated
proxy for HTTP/HTTPS are just two examples.
This help file contains information about all features of Panda GateDefender Performa. We hope you
find this documentation useful.
Welcome to the new version of Panda GateDefender Performa.
Improved design and usability
Panda Security has completely redesigned the product administration console, simplifying configuration,
and making the information clearer and more accessible. It is now much more intuitive and simpler to
manage, speeding up and easing technical decision-making regarding corporate security.
Administrator-oriented experience improvements have been complemented by extending user Help files, containing
clear and specific examples and cases of basic and more advanced configuration.
Improvements to the Status screen
The warnings in the Status screen are now classified (in different colors) depending on their severity.
This will allow your network administrator to easily detect the most important problems threatening
your network security. In addition to the problem description, each warning offers the recommended action
as a link that leads to the console screen where the problem can be solved.
Resolution optimized up to 1024x768 pixels and support for new browsers
In order to present additional information without compromising clarity, the administration console is
adapted to 1024x768 resolution and takes advantage of new browser features to present improved
activity graphs with plenty of information available through the mouse pointer.
Simpler and more manageable menu at the top of the page
Given the increased technical complexity of the tools provided by Panda Security, and in order to
improve usability, the Web administration console menus have been overhauled, in order to minimize
the time spent searching or navigating through the application. Numerous links to the most frequently
used sections have been included, in order to speed up and simplify the operation of Panda
GateDefender Performa.
Protection improvements
Improvements to the anti-malware protection
HTTPS protocol scanning
As there is now more malware affecting user interaction with banking applications, and this type of
communication is usually encrypted, Panda GateDefender Performa scans encrypted HTTPS traffic
through “man-in-the-middle” technology. This will allow administrators to detect attempts made to
send or receive malware in Web connections marked as safe.
Integration of Collective Intelligence with queries to the cloud and integrated cache of queries
With so much diverse malware in existence, it is impossible for a single network computer or appliance
to make reliable detections. Panda Security has opted to move all scanning and malware detection
intelligence out of the client's infrastructure and into the cloud, while respecting data confidentiality at
all times. The system means that any item suspected of containing malware can be checked against
Panda Security's cloud database.
Panda GateDefender Performa intelligently uses this resource, combining the benefits provided by ‘total
detection’ with increased detection speed resulting from an intelligent internal cache of previously
scanned items. This way, the data flow required to detect and disinfect malware is reduced to a
minimum.
Latency reduction in HTTP/HTTPS navigation
In the past, files had to be downloaded in order to reliably determine whether they contained
dangerous malware. This caused an annoying slowdown of Web content delivery, because
Panda GateDefender Performa needed the whole file in order to scan it before delivering it to the user.
In this new version of Panda GateDefender Performa, the detection algorithm for dangerous items has
been updated, and so delays are reduced to a minimum, making the service practically transparent to
end-users.
Cache of infected URLs in HTTP/HTTPS navigation
In order to save network resources, Panda GateDefender Performa stores any URLs with malware, in
order to avoid the files being downloaded and scanned every time they are requested by a corporate
network user.
Additionally, intelligent management of the URL cache allows the items to be accessed once the
malware is eliminated from the server, preventing the resource from being inaccessible for an indefinite
period.
Customization of the page displayed on detecting malware in HTTP/HTTPS
In order to improve the feedback returned to end-users, the screen displayed on accessing an item
suspected of containing malware can be customized.
Improvements to the Content Filter and anti-spam protection
Improvements to the Content Filter protection
The HTTPS protocol has been added to the numerous Content Filtering options available since the first
versions of Panda GateDefender Performa.
Now users are protected against all malicious items included by third parties on Web pages marked as
secure, generally those belonging to banks and financial institutions, and which are specifically targeted
by criminals trying to obtain confidential user data (account numbers, passwords, etc.).
The customization improvement mentioned in the previous section also applies to the Content Filter
protection.
Improvements to the anti-spam protection
Spam detection was no longer an issue with Panda GateDefender Performa once the anti-spam engine
was implemented.
However, the invention and application of new spam generation methods make it necessary to
frequently check mail scanning methods in order to meet the 99% detection commitment to Panda
Security clients and reduce the false positive detection ratio. Consequently, Panda GateDefender
Performa implements self-learning technologies to report emails that have been incorrectly classified as
spam and update its detection algorithms with the new information.
The new version of the anti-spam engine, already integrated in previous versions through the cloud,
leverages a huge database of knowledge and is updated in real-time with new detections of spam
reported by users. This system offers the security of enjoying a clean email service, with the peace of
mind of knowing that you will not be losing messages that could be important for your company.
Web and IM/P2P/VoIP filter
Improvements to the Web filter
As the amount of malware and spam increases, so there are more and more websites with dangerous
or inappropriate content, and it is difficult for a single computer to store information about all such sites.
Panda Security updates the Web filter engine responsible for classifying downloaded pages in the cloud,
and allows you to apply standard actions (block, report, etc.). This way, Panda Security is coherent
with the rest of the detection engines, and also sends any knowledge accumulated to the cloud.
Given that cloud resources are virtually unlimited, the number of potentially inappropriate website
categories has been increased as well as the number of sites themselves. There are also greater
guarantees that any access to the Web will conform to the needs of the company. In addition, your
company can contribute actively to the cloud knowledge base, reporting any new inappropriate
websites.
As with the malware and content filtering, in this version of Panda GateDefender Performa, Web
filtering includes HTTPS, and the substitute page displayed (when necessary) can be customized, as
with the rest of the filters.
Improvements to the filtering of IM/P2P/VoIP applications
One of the most significant problems when calibrating the bandwidth required for your company’s
activities is ensuring there is sufficient bandwidth available to cover your employees’ needs.
To this end, the quick and accurate identification of restricted protocols, such as P2P (eMule,
BitTorrent), VoIP (Skype), messaging (Messenger) and others, is vital. Access to these protocols and
applications not only affects your bandwidth but also your company's productivity, and so it is essential
to accurately determine which should be allowed and which not.
Due to the constant evolution of these applications, Panda GateDefender Performa updates the set of
rules that allow the detection of these types of data transfers, so that new versions of messaging and
P2P programs are correctly identified and managed (block or report).
Given that not everyone's needs are the same, Panda GateDefender Performa lets you define individual
protection profiles for each user for P2P and messaging applications.
Other improvements
New security reports and improvements to the filtering and presentation of current reports
The increasing amounts of malware being received and detected by companies means that there is also
more information to make available to network administrators.
Because of this, Panda Security provides search tools and filters for presenting reports as well as new
types of reports. These new reports concern the SSL certificates and the explicit proxy, in addition to
those offered in previous versions.
The reports screen has been redesigned to jointly display a breakdown of the malware detected for all
the protection modules purchased, minimizing the time spent navigating through the administration
console. The limits for storing old reports have also been updated and expanded, in line with the
increase in the amount of malware on the Web and the considerable increase in the information
provided by Panda GateDefender Performa regarding each security problem.
Now, Panda GateDefender Performa maximizes the potential of the reports, so that these show all
possible details about each of the protections and the new features implemented.
Improvements to quarantine management
Apart from the improvements made to malware detection and reports, the space used for the
quarantine of items suspected of containing malware has been increased. It is now easier to search for
items, restore them and download messages.
Integration of new proxy for HTTP/HTTPS
In the case of networks that do not have a proxy Web server, Panda GateDefender Performa
implements a Web cache server that speeds up page and file downloads via HTTP and HTTPS, saving
data flow and allowing you to delay decisions on expanding resources. Additionally, by implementing
authentication methods that use local databases or LDAP, its use can be restricted to specific network
users, integrating with the user management infrastructure already installed in your company.
Finally, the integrated proxy helps in the configuration and deployment of protection profiles, avoiding
the need for validation servers in your corporate network, optimizing the number of servers and
therefore reducing the overall TCO.
New agent to identify domain users
In order to complement the deployment of protection profiles, Panda Security provides a Windows
application which can be installed on your main or secondary domain controller to help Panda
GateDefender Performa correctly identify users in your network domain. This way, all domain users are
identified and the selected protection profile is applied.
New Quality of Service (QoS) feature
As a perfect complement to the explicit proxy, and the Web filtering and IM/P2P/VoIP filtering tools,
Panda GateDefender Performa implements QoS technology in this version. This technology allows you
to prioritize Internet access for data flows marked as important by your company. This way, traffic can
be identified by type, and minimum and maximum bandwidth use can be assigned, in addition to
priorities, in order to effectively manage the use of the data flow delivered to local network users.
Collective Intelligence
Panda GateDefender Performa supports Collective Intelligence, meaning that the detection capacity of
the anti-malware protection is significantly increased as it is also based on queries to the Panda
Security knowledge server (“the cloud”). This server is continually updated and contains all Panda
Security's information about malware and security threats.
How does the Collective Intelligence scanning/detection process work?
Collective Intelligence implies a new type of logic in the scan, which acts in the following way:
1. The signatures stored in the appliance are consulted.
2. If the sample is not found among the signatures, the local cache is consulted.
3. If the information is not in the local cache, a query is made to the server.
4. If malware is identified, the Collective Intelligence server returns the identifier and the generic
type of malware. To complete the information, for example with the name of the malware and
other useful data, a query is made to the Panda Security extended information server.
5. If there are any changes to the knowledge available, the Collective Intelligence server
automatically communicates the updates to the appliances, specifying those samples of
goodware that have recently undergone changes, or completely emptying the cache.
Collective Intelligence cache
The use of Collective Intelligence involves maintaining a local cache in the appliance storing the results
of queries to the cloud.
Malware-positive or suspicious results stored in the cache will expire in 24 hours, even if during this
time there has been frequent access to the item or even if the cache has not exceeded the limit. This
means that there will have to be a query to the cloud if the expired item is scanned again.
The cache is persistent, i.e. the content is maintained between restarts of the appliance and its
processors, but it is automatically emptied whenever a manual update is launched through the "Update
now" button in the Update screen of the Web console.
In the case of several load-balancing appliances, the cache of each of them operates as an
independent entity.
Control over cloud connections
To avoid unnecessary delays in the case of connection problems, the connection to the cloud will be
interrupted for five-minute periods without impacting the scan in progress. The cloud availability status
will be monitored every 60 seconds, and a system event will be generated if there is a problem. During
this period of disconnection, the signatures and local cache will still be consulted.
The action policy will depend on the network of each user, so the maximum cloud access times
can be adjusted in the Advanced Settings page of the Web
console. Three parameters can be configured in the "remote scan timers" section:
• Maximum time for cloud queries regarding the Internet (2 seconds by default).
• Maximum time for cloud queries regarding SMTP (10 seconds by default).
• Maximum time for cloud queries regarding other items (3 seconds by default).
Calculation of maximum scan times is based on maximum response times for each intercepted protocol,
grouped into three classes: HTTP/S/FTP, SMTP and POP3/IMAP4/NNTP.
Periodic scanning of items in malware quarantine uses the maximum time defined for SMTP, which
would normally be greater than for the Internet and interactive mail, as an immediate response is not
needed in this case.
In the following cases, events are generated in the system report and sent to the administrator via
SMTP, SNMP and Syslog:
• Cloud queries disabled
• Cloud queries re-enabled
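The lookup order, the 24-hour expiry of positive results and the five-minute cloud pause described above can be modelled as follows. This is an added Python example, not Panda Security code: the class, function and key names, the sample identifiers, keeping clean results until they are invalidated, and re-enabling the cloud on the first successful query after the pause are all assumptions made for illustration.

```python
from typing import NamedTuple, Optional

POSITIVE_TTL = 24 * 3600   # positive or suspicious cache entries expire after 24 hours
CLOUD_PAUSE = 5 * 60       # cloud queries are interrupted for five-minute periods
# Default "remote scan timers" in seconds; the key names are assumptions.
TIMEOUTS = {"internet": 2, "smtp": 10, "other": 3}


class Verdict(NamedTuple):
    malware_id: Optional[int]    # identifier returned for malware, None for goodware
    generic_type: Optional[str]  # generic malware type, None for goodware


class CloudUnavailable(Exception):
    """Raised by the cloud client on a timeout or connection problem."""


class Scanner:
    def __init__(self, signatures, cloud_query, clock):
        self.signatures = signatures    # sample id -> Verdict (signatures on the appliance)
        self.cloud_query = cloud_query  # callable(sample_id, timeout_seconds) -> Verdict
        self.clock = clock              # callable() -> seconds; injectable for testing
        self.cache = {}                 # sample id -> (Verdict, time stored)
        self.paused_until = None        # set while cloud queries are disabled
        self.events = []                # system events raised for the administrator

    def _cache_lookup(self, sample_id):
        entry = self.cache.get(sample_id)
        if entry is None:
            return None
        verdict, stored = entry
        # Positive results expire after 24 h, however often they were accessed.
        # Assumption: clean results stay until invalidate() removes them.
        if verdict.malware_id is not None and self.clock() - stored >= POSITIVE_TTL:
            del self.cache[sample_id]
            return None
        return verdict

    def scan(self, sample_id, traffic_class):
        """Return (verdict, source). verdict is None when neither signatures nor
        cache know the sample and the cloud could not be asked."""
        if sample_id in self.signatures:                      # step 1: signatures
            return self.signatures[sample_id], "signatures"
        cached = self._cache_lookup(sample_id)                # step 2: local cache
        if cached is not None:
            return cached, "cache"
        now = self.clock()                                    # step 3: cloud query
        if self.paused_until is not None and now < self.paused_until:
            return None, "cloud-paused"
        try:
            verdict = self.cloud_query(sample_id, TIMEOUTS[traffic_class])
        except CloudUnavailable:
            if self.paused_until is None:
                self.events.append("Cloud queries disabled")
            self.paused_until = now + CLOUD_PAUSE
            return None, "cloud-paused"
        if self.paused_until is not None:   # assumption: first success re-enables
            self.paused_until = None
            self.events.append("Cloud queries re-enabled")
        self.cache[sample_id] = (verdict, now)
        return verdict, "cloud"

    def invalidate(self, sample_ids=None):
        """Server-pushed update (step 5) or a manual "Update now": drop the listed
        entries, or empty the whole cache when no list is given."""
        if sample_ids is None:
            self.cache.clear()
        else:
            for sample_id in sample_ids:
                self.cache.pop(sample_id, None)


def demo():
    """Constructed scenario: signature hit, cloud hit, cache hit, expiry, outage."""
    now, outage, calls = [0.0], [False], []

    def cloud(sample_id, timeout):
        calls.append((sample_id, timeout))
        if outage[0]:
            raise CloudUnavailable()
        return Verdict(4711, "Trojan") if sample_id == "sample-a" else Verdict(None, None)

    s = Scanner({"sample-sig": Verdict(1, "Virus")}, cloud, lambda: now[0])
    trace = [s.scan("sample-sig", "smtp")[1],     # found in signatures
             s.scan("sample-a", "internet")[1],   # unknown locally, cloud asked
             s.scan("sample-a", "internet")[1]]   # answered from the cache
    now[0] += POSITIVE_TTL                        # 24 h later the entry has expired
    trace.append(s.scan("sample-a", "smtp")[1])   # cloud asked again
    outage[0] = True
    trace.append(s.scan("sample-b", "other")[1])  # query fails, pause starts
    now[0] += 60
    trace.append(s.scan("sample-b", "other")[1])  # still paused, no query sent
    outage[0] = False
    now[0] += CLOUD_PAUSE
    trace.append(s.scan("sample-b", "other")[1])  # pause over, cloud answers
    return trace, calls, s.events


if __name__ == "__main__":
    print(demo())
```

During a pause, a sample that is unknown to both the signatures and the cache gets no cloud verdict in this model; the guide does not state how the appliance treats such items.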
Extended information system
The detection results contain only the identifier and the generic type of malware, both for results from
the local cache and from the cloud. To complete the data with a name and a specific type of malware,
a query is made to an extended information server. So the report and the notifications on malware
detected, quarantine and the malware activity details page in the Web console have all the information
they need.
If the extended information system fails, the basic format is then used to display the report, using the
identifier to link to the Panda Security Malware Information Center website, where all the information is
available online.
Checking connectivity with the cloud
You can check connectivity with the cloud servers using the “Connectivity with Panda Security” tool in
the Web console.
Detection of malicious URLs
The system can detect malicious URLs, preventing users from accessing phishing pages or those
harboring malware. This protection is configured through a special Web filter category: "Malicious
websites".
Implementation
Activating Panda GateDefender Performa
1. Click My license, next to the system clock.
2. In the window that appears, click Registration/activation details.
3. A new window appears: Enter the user name and password provided by Panda Security.
4. Click Save. Panda GateDefender Performa will contact the Panda Security server to get license
information (wait 10 seconds before consulting the information). If an error occurs, a message
will be displayed.
on the link (here) that appears under More information.
Configuring the appliance
Points to bear in mind before configuring the appliance
The correct configuration of Panda GateDefender Performa ensures optimum protection of your
corporate network and improves your appliance’s performance.
Therefore, before configuring Panda GateDefender Performa, it is important that you have a clear idea
of the following:
1. Who will be able to change the settings and from which computers.
2. What type of malware you want Panda GateDefender Performa to detect.
3. What protocols you want to protect.
4. Whether a specific type of file is to be allowed to enter or leave your organization through a certain
protocol (for example, executable files via email).
5. What type of warnings you want to receive (whether Panda GateDefender Performa should warn
you every time it detects a virus, updates, has connection problems, etc).
6. Who should receive the warnings.
7. Whether you want warning messages to display an explanatory text and the text it should include.
8. Whether there are trusted domains that will never send you malware.
9. Whether there are domains from which you never want to receive any email messages, as they
will always be spam. You can configure automatic blocking (without scanning) of the messages
received from those domains and optimize the performance of the appliance.
10. Whether you want to restrict access to certain Internet contents and what type of content.
11. Whether you want to allow access to a certain URL, regardless of whether it contains restricted
contents or not.
12. Whether you want to deny access to a certain URL, regardless of whether it contains restricted
contents or not.
13. Whether you want advanced log files with more detailed information.
Having a clear idea about these issues will allow you to configure the solution for optimized
performance from the start. The network traffic will adapt to your needs and you probably won’t need
to change the settings at a later stage.
Before configuring the appliance, don't forget to have the necessary data to hand.
Once Panda GateDefender Performa is installed, access to the Web console is configured and the
product is activated, you can start to configure the system and the protection.
Data required to configure the appliance
Before starting to configure the appliance for the first time, it is advisable to have the following data to
hand:
To establish the network connections
1. Name of Panda GateDefender Performa: Name of the unit that allows it to be identified.
This name must be unique. If you have more than one appliance in your organization, make sure
that each of them has a different name. The default name is MachineName.
2. IP address and net mask: Use a free IP address and net mask associated to the
network in which the appliance has been installed. These must allow Panda GateDefender
Performa to access the Internet in order to activate and update, and connect with an SMTP
server in order to send warning messages. The default IP is 192.168.1.1 and the default net
mask is 255.255.255.0.
This is the IP address used to establish connection and is totally different from the
Configuration IP, which is only used to access the Web administration console.
3. Default gateway: Default gateway for connecting to other networks without static routes
established (Internet). By default, the gateway is 192.168.1.200.
4. Additional routing table: Allows static routes to be defined for accessing computers or
networks that cannot be reached through the default gateway. For example, for sending warning
messages to an SMTP server in a different subnet, which cannot be accessed through the default
gateway.
You must specify the IP address and net mask associated to the target network or computer and
the IP of the gateway that will be used to establish the connections. If the target is a computer,
leave the net mask field blank or use the value 255.255.255.255.
5. DNS servers: Panda GateDefender Performa can be configured with up to three DNS servers.
Firstly, Panda GateDefender Performa uses the primary DNS server. If the connection fails, it will
try to use the rest of the servers configured.
You probably won’t need to change the default settings. If you have your own DNS
servers or DNS servers provided by your ISP, you can configure Panda GateDefender Performa
to use them.
The appliance uses these DNS servers to establish its own connections, update, send warnings and
validate licenses, etc. As a result, if these servers are not configured correctly, Panda GateDefender
Performa will not work properly.
6. Proxy server IP address and authentication data: If Panda GateDefender Performa is going
to connect to the Internet through an HTTP proxy, you will need to activate it here and specify
the IP address and the port of the server. If it requires authentication, activate this option and
enter the user name and password.
To specify who can change the settings:
1. User name: Defines the user name that must be entered whenever a user tries to access the
console.
2. Password: Defines the password that must be entered whenever a user tries to access the
console. The password can include letters and numbers and must be six to twelve characters
long.
Configuration IP address: This is the IP address used to access the Web administration console.
The default address is 172.16.1.1. For more information, click here.
To activate Panda GateDefender Performa
1. Registration details – User name: This is the user name provided by Panda Security with the
appliance. This will identify your appliance in the updates server.
2. Registration details – Password: This is the password provided by Panda Security with the
appliance. This will identify your appliance in the updates server.
The user name and password are different from the user details for accessing the Web
console. These are the details identifying the registered user of Panda Security and which
offer access, among other things, to the update servers. These were provided when you bought the
appliance.
To configure sending of warnings
1. Email addresses: Email address or addresses to which Panda GateDefender Performa must
send alerts.
2. SMTP server: IP address or DNS-resolvable name of the SMTP server to use to send warnings.
3. Port: Port number if the SMTP server uses a different port from the standard port (25).
4. Authentication details: If the SMTP server requires authentication, have to hand the user name and
password that Panda GateDefender Performa must use to identify itself.
Default settings
The default settings defined are:
• Appliance name: MachineName.
• Network IP address: 192.168.1.1.
• Net mask: 255.255.255.0.
• Default gateway: 192.168.1.200.
• Primary DNS server: 207.200.7.21
Console login
• User name: defaultuser.
• Password: defaultpass.
• Configuration IP address: 172.16.1.1.
• Net mask: 255.255.255.0.
Creating the USB installer
Downloading files and preparing the USB device
The first step to create a USB installer with which to install or restore the ISO image of Panda
GateDefender Performa involves getting the files required as well as the tool with which to create the
installer.
The ISO and the unetbootin tool to create the installer are available at the following URL:
http://www.pandasecurity.com/spain/enterprise/downloads/clients/default.htm
Preparing the USB device
You will then need to prepare the USB on which you are going to create the installer.
It is IMPORTANT to ensure that the USB device does not contain data that you want to keep,
as all information will be deleted when the process of creating the installer is complete.
Follow these steps:
1. Insert the device in the USB port and find the assigned drive in your file explorer (Windows
Explorer -> My Computer -> Removable drives).
2. Right-click the removable drive icon and click Format.
3. Select FAT32 as the file system and click Start.
You will then see a warning about the loss of data from the device after formatting. If you are sure
there is no important data on the device, click OK to format it.
Once formatting is complete you will see the corresponding notification:
Click OK.
Creating the USB installer
Once the required files have been downloaded and the USB device prepared, it is time to create
the installer.
To do this:
1. Copy the ISO of the CD downloaded previously to the root folder of your USB device.
2. Extract the compressed file containing the Unetbootin tool to a folder on your computer.
3. In the same folder, extract the compressed file Performa-4.00.00.buildnumber.FILES4USB.zip.
4. Start the process by double-clicking the Unetbootin executable file.
5. In the screen that appears, select Custom, and in the Kernel field enter the complete path of the
vmlinuz file, and in Initrd, enter the complete path of the file initrd.gz.
6. Make sure the value of the Type field is USB drive and the value of the Drive field corresponds to
that of the USB device.
7. Click OK.
8. Once this process has finished, click Exit.
Click OK. The selected ISO image will be copied to the USB device.
Click Exit.
IMPORTANT: Do not click Restart now, as this will cause all the data on the computer to be
lost.
Remember to use the Safely remove hardware option to remove the USB device.
Then, follow the steps below:
1. Export the current settings of Panda GateDefender Performa to a file.
2. Insert the USB device in one of the appliance ports.
3. To continue with the process, connect a screen to the VGA socket in the appliance.
4. Also, connect a keyboard.
5. Restart the appliance.
Once the restart is complete, the restore process will start. When it has finished, you will see the
following notice:
To complete the restore process, press ENTER and remove the USB device.
Do not shut down the system while the appliance is working, otherwise the entire system will be
corrupted. The recovery process must not be interrupted once it has started.
Panda GateDefender Performa will display the factory settings. Import the settings file that you have
just exported to apply the settings defined before restoring the appliance.
Command Line Interface (CLI)
Command Line Interface (CLI)
The Command Line Interface (CLI) in Panda GateDefender Performa is a useful function in those
situations in which you can't access the console.
To access the Command Line Interface there are two types of profiles or roles with different
permissions.
Readonly role
This is a user with read-only permissions on a limited shell.
This user cannot edit the appliance status or settings. The prompt is >.
Admin role
This is an administrative user with access to all commands and who can edit information relative to all
of them.
After logging in, the user has limited access to the shell and obtains administrator rights by using the
command enable.
The prompt in administrator mode is #.
To leave administrator mode, use the command “exit”.
Access
The CLI can be accessed through SSH or through a serial port. In some appliances, access via VGA is also
allowed, which requires connecting a keyboard and monitor.
Click here to see the list of commands allowed in read-only mode.
Click here to see the list of commands allowed in administrator mode.
For more information about any of the commands, enter the name of the command and then
the character “?” (without quotation marks).
Commands allowed in read-only mode
date            Show current date
DNS             DNS configuration
enable          Enter admin mode
exit            Exit this CLI session
interception    Interception rules
meminfo         Report memory usage information
netstat         Network statistics
network         Network configuration
ntp             NTP configuration
password        Change password
ping            Ping other machine
quit            Exit this CLI session
snmp            SNMP configuration
stats           Statistics
status          Status
syslog          Syslog configuration
tcpdump         Show traffic
top             Show top processes
uptime          Show uptime
vmac            Virtual MAC configuration
vmstat          Report generic statistics
Commands allowed in administrator mode
date            Show current date
DNS             DNS configuration
hotfix          Hotfix utilities
exit            Exit this CLI session
interception    Interception rules
meminfo         Report memory usage information
netstat         Network statistics
network         Network configuration
ntp             NTP configuration
password        Change password
ping            Ping other machine
quit            Exit this CLI session
reboot          Reboot system
reset           Reset services
restore         Restore factory settings
shutdown        Shutdown
snmp            SNMP configuration
stats           Statistics
status          Status
syslog          Syslog configuration
tcpdump         Show traffic
top             Show top processes
uptime          Show uptime
vmac            Virtual MAC configuration
vmstat          Report generic statistics
Status screen
Introduction
The Status screen is the first screen that users access after logging in to the administration console
and it allows them not only to check that the appliance is operating correctly, but also to view Panda
GateDefender Performa protection statistics.
The screen header, which is common to all the console screens, shows the system clock, the
Disconnect option and the My license link. This takes you to the License management screen
where you can check or edit your registration or activation details and see the technical specifications
of the appliance. You will also see information about the products you have contracted and the
corresponding expiry dates.
You will find the following areas in the Status screen:
Warnings
The Warnings area will be displayed when there are certain problems and will offer recommendations
and advise you on the action to take.
Protection
Click the title of the section to display or hide the content. This section contains graphs with statistical
information about scanning and detections performed by the protection modules. It also includes data
about updates, licenses and quarantine. You can see details of the contents of the graphs through the
corresponding options and export content to .csv format.
To the left of the title of each protection (Anti-malware, Content Filter, Anti-spam, Web filter and
IM/P2P filter) there will be a red icon if the protection is disabled, green if it is enabled, and orange if it
is partially enabled.
If you pass the cursor over the protection title, and it is partially enabled, you will see the actual status.
System
Use the arrow at the end of the title bar of the section to display or hide the content. Here you will see
the system connections and network card traffic. You will also see a graph of the network load history,
uninterrupted runtime, and load-balancing (if enabled). You can enlarge the graphs using the
corresponding option, and export the content to .csv format.
Restart statistics
Use this button, at the bottom of the window, to restart the system graphic statistics. Obviously, on
restarting the statistics the data displayed in the Status window will change.
License management
The License management screen lets you check the status of your licenses for each of the modules
contracted. You can access the screen in two ways:
1. By clicking the My license link, in the console header, next to the system clock.
2. By clicking the date in Updates and licenses > Updates and services expire:, in the Status
screen.
Products contracted
Bear the following in mind:
1. The anti-malware license covers the following types of protection:
• Anti-malware
• Content Filter
2. The anti-spam license covers the protection against junk mail (spam).
3. The Web filter license covers the following types of protection:
• Web filtering
• Filtering of IM (instant messaging), P2P (file-sharing) and VoIP (Voice over IP).
When the license for a module has expired or is about to expire, Panda GateDefender Performa will
display the Renew license option, which will give you direct access to the renewals area on Panda
Security’s website.
If you do not have a license for a certain type of protection, Panda GateDefender Performa will indicate
the protection is Without a license and give you the option to Get a license.
Registration/activation details
After installing the Panda GateDefender Performa software and accessing the console, activate the
appliance. To do this, enter the activation details provided by Panda Security. Click the link to
activate the product or consult activation details.
If you want to check these details after activating the unit, you can use the link in this section.
Technical specifications
This shows the serial number and hardware platform of the connected unit.
Protection status
Preferences for viewing the protection status
You can configure viewing preferences in the Status window:
1. Values viewed: Lets you select the type of data you want to see. Use the drop-down menu:
• Percentage: Shows percentage data in the status graphs.
• Absolute: Shows absolute data in the status graphics. Default mode.
2. Period viewed: Use the drop-down menu to select a time period for the status graphics:
• Last 24 hours. Default mode.
• Last 7 days.
• Last month.
• Last year.
• Specify dates: If you select this option, text boxes will be enabled that will allow you to specify
the start and end dates.
Click OK to save the changes. Otherwise, click Cancel.
Scan and detection statistics
Protection activity graphs display detailed statistics about the activity of the protection modules. They
also show the percentage occupation of quarantine and information about updates.
Use the Enlarge link to expand the graphs. This link is visible when you place the mouse cursor over
the graph. The Export option lets you export the content of the graph to .csv format. By clicking
Details you can see more in-depth data about the selected protection module.
Anti-malware
This displays real-time statistics on the anti-malware protection (viruses, jokes, dialers, spyware,
hacking tools, security risks and phishing).
It shows the following information:
• Total files scanned.
• Malware detected. Files in which some kind of malicious code has been detected, in both Mail
and News and for both HTTP and FTP. The number of files detected and their percentage of
the total items scanned is also displayed.
• Evolution graph. This shows the evolution of the detections made by the protection. These are
divided into two categories: Detections in Mail and News (red line) and Detections in HTTP
and FTP (green line). Click Enlarge to expand the graph.
• View details. Lets you consult the Anti-malware protection details screen in the console with
more detailed and complete information.
• Content Filter. This allows you to access real-time statistics on the content filter.
• Items scanned by Panda GateDefender Performa.
• Items filtered: Files in which some kind of unwanted content has been detected, in both Mail
and News and for both HTTP and FTP. The number of items filtered and their percentage of the
total items scanned is also displayed.
• Evolution graph. This shows the evolution of the filtering applied by the protection. This is
divided into two categories: Detections in Mail and News (red line) and Detections in HTTP
and FTP (green line). Click Enlarge to expand the graph.
• View details: Lets you consult the Content Filter protection details screen in the console with
more detailed and complete information.
Anti-spam
This displays real-time statistics on the anti-spam scan. It shows the following information:
• Messages scanned.
• Spam messages. Number of messages classified as spam and the percentage of the total
messages scanned.
• Evolution graph. This shows the evolution of the detections made by the protection. Click
Enlarge to expand it.
• View details. If you click on this link, the Details of the anti-spam protection will be
displayed with more detailed and complete information.
Web filtering
• Total pages scanned.
• Pages blocked: The number of access attempts blocked or monitored (access to URLs restricted
by the administrator, which have not been blocked by Panda GateDefender Performa but are
logged in the report). The number of events detected is displayed along with their percentage of
the total items scanned.
• Evolution graph. This shows the evolution of the pages blocked by the protection. Click
Enlarge to expand the graph.
• View details. If you click on this link, the Details of the Web filtering protection will be
displayed with more detailed and complete information.
IM/P2P/VoIP access filter
This displays real-time data on the activity of the Web filter and IM/P2P filters.
• Total access scanned.
• Restricted access: The number of access attempts to IM/P2P protocols. The percentage of
the total is also displayed.
• Evolution graph. This shows the evolution of the accesses to Web pages and IM/P2P
applications blocked by the protection. Click Enlarge to expand the graph.
• View details. Click to consult the Web and IM/P2P application filter protection details
screen in the console with more detailed and complete information.
• Quarantine status. It displays the percentage occupation of quarantine. For more information
about the items in quarantine, click the percentage occupation figure.
Update and licenses
Information about the date of the last update and the date on which the updates and services expire.
This section allows you to check the system update status and the expiry date of the contracted
antivirus protection and services:
1. Last update: This shows the date that Panda GateDefender Performa last updated the signature
files.
2. Updates and services expire: This specifies the expiry date of the license contracted. If the
appliance has not been activated, the Updates and services expire: field displays the text
Not activated, and will not change until the contracted protection has been activated
(License management screen).
Click the dates to access the Version details and License management screens.
Details of the anti-malware protection
The details of the activity of the anti-malware protection can be displayed in a graph. These details can
be selected by protocol or by a specific date. The graphs will vary depending on the selection criteria.
View selection
You can select the details according to the following values:
• Protocol in which malicious code was detected (HTTP/S, FTP, SMTP -default mode-, POP3,
IMAP4 or NNTP).
• Values of the data you want to see. Use the drop-down menu:
  • Percentage: Shows percentage data in the status graphs.
  • Absolute: Shows absolute data in the status graphics (default mode).
• Period. You can specify that the graphs must only show the malware detections during a certain
interval.
  • Last 24 hours.
  • Last 7 days.
  • Last month.
  • Last year.
  • Specify dates: If you select this option, text boxes will be enabled that will allow you to
  specify the start and end dates.
The system uses cookies to remember your preferences.
Graphs
Panda GateDefender Performa shows the results of the filter applied in the previous section as a graph.
• Percentages and evolution.
This section shows two graphs. The pie chart shows the number and percentage of
detections for a specific type of malware. Each type of malware is assigned a color, which
corresponds to a section of the pie chart. The data displayed is classified into:
1. Malware type: Viruses, dialers, jokes, phishing (only in SMTP, POP3, IMAP4 and NNTP),
hacking tools, security risks or spyware.
2. Total number of detections of this type of malware.
3. Percentage of detections of this type of malware with respect to the total files scanned.
The evolution graph shows the evolution of each type of malware during a specific period of
time. The color of each line corresponds with the color of each type of malware.
• Top 10 detections. A pie chart shows the top ten types of malware most frequently detected,
taking into account the filtering criteria. Each type of malware is assigned a color, which
corresponds to a section of the pie chart. The data displayed is classified into:
1. Malware name.
2. Malware type (viruses, dialers, jokes, phishing, hacking tools, security risks or
spyware).
3. Total number of detections of this type of malware.
4. Percentage of detections of this type of malware with respect to the total detections
included in the Top Ten.
• Top 10 detections by user. A pie chart shows the ten computers (by IP address) or recipients
(by email address) with the most malicious code detections, taking into account
the filtering criteria. Each computer is assigned a color, which corresponds to a section of
the pie chart. The data displayed is classified into:
1. IP address (for HTTP/S and FTP) of the affected computer or Email address (for mail
and news protocols) of the affected recipient.
2. Total number of detections.
3. Percentage of detections of this computer with respect to the total detections included
in the Top Ten.
Details of the Content Filter protection
The details of the activity of the Content Filter protection can be displayed in a graph.
View selection
You can select the details according to the following values:
• Protocol in which malicious code was detected (HTTP/S, FTP, SMTP -default mode-, POP3,
IMAP4 or NNTP).
• Values of the data you want to see. Use the drop-down menu:
  • Percentage: Shows percentage data in the status graphs.
  • Absolute: Shows absolute data in the status graphics (default mode).
• Period. You can specify that the graphs must only show the events that occurred on a certain
date.
  • Last 24 hours.
  • Last 7 days.
  • Last month.
  • Last year.
  • Specify dates: If you select this option, text boxes will be enabled that will allow you to
  specify the start and end dates.
Graphs
Panda GateDefender Performa shows the results of the filter applied in the previous section as a graph.
The information displayed is the following:
• Percentages and evolution.
This section shows two graphs. The pie chart shows the amount and percentage of the items
filtered. Each item is assigned a color, which corresponds to a section of the pie chart. The
data displayed is classified into:
1. Event type. Items allowed and filtered.
2. Total number of times this type of event has been filtered.
3. Percentage with respect to the total files scanned.
The evolution graph shows the evolution of each item filtered during a specific period of time.
The color of each line corresponds with the color of each item.
• Top 10 content filtered. A pie chart shows the top ten most frequent content filtering events,
taking into account the filtering criteria. Each item is assigned a color, which corresponds to a
section of the pie chart. The data displayed is classified into:
1. Item name.
2. Type of filter applied.
3. Total number of times the item has been filtered.
4. Percentage with respect to the total of the Top 10.
Details of the anti-spam protection
The details of the activity of the anti-spam protection can be displayed in a graph. These details can be
selected by protocol or by a specific date. The graphs will vary depending on the selection criteria.
View selection
You can select the details according to the following values:
• Protocol (SMTP (default), POP3, IMAP4 or NNTP).
• Values of the data you want to see. Use the drop-down menu:
  • Percentage: Shows percentage data in the status graphs.
  • Absolute: Shows absolute data in the status graphics (default mode).
• Period. You can specify that the graphs must only show the messages detected in a certain
interval.
  • Last 24 hours.
  • Last 7 days.
  • Last month.
  • Last year.
  • Specify dates: If you select this option, text boxes will be enabled that will allow you to
  specify the start and end dates.
Graphs
Panda GateDefender Performa shows the results of the filter applied in the previous section as a graph.
The information displayed is the following:
• Percentages and evolution.
This section shows two graphs. The pie chart shows the number and percentage of
detections for a specific type of message. Each type of message is assigned a color, which
corresponds to a section of the pie chart. The data displayed is classified into:
1. Classification of the message (mail allowed, spam and probably spam).
2. Total number of detections of this type of message.
3. Percentage of detections of this type of message with respect to messages scanned.
The evolution graph shows the evolution of each type of message during a specific period of
time. The color of each line corresponds with the color of each type of message.
• Top 10 recipients of spam. A pie chart shows the top ten recipients of spam, taking into
account the filtering criteria. Each recipient is assigned a color, which corresponds to a section of
the pie chart. The data displayed is classified into:
1. Recipient’s email address.
2. Total number of messages classified as spam.
3. Percentage of detections of this spam for this recipient with respect to the total Top
Ten.
Messages classified as probable spam are not included in this graph.
• Top 10 senders of spam. A pie chart shows the top ten senders of spam, taking into account
the filtering criteria. Each sender is assigned a color, which corresponds to a section of the pie
chart. The data is classified into:
1. Sender’s email address.
2. Total number of messages classified as spam.
3. Percentage of detections of this spam for this sender with respect to the total Top Ten.
Messages classified as probable spam are not included in this graph.
Information on Web filtering
The details of the activity of the Web filtering can be displayed in a graph. These details can be
selected by a specific date. The graphs will vary depending on the selection criteria.
View selection
You can select the details according to the following values:
• Values of the data you want to see. Use the drop-down menu:
  • Percentage: Shows percentage data in the status graphs.
  • Absolute: Shows absolute data in the status graphs (default mode).
• Period. You can specify that the graphs must only show the access to restricted Web pages
detected in a certain period.
  • Last 24 hours. Default mode.
  • Last 7 days.
  • Last month.
  • Last year.
  • Specify dates: If you select this option, text boxes will be enabled that will allow you to
  specify the start and end dates.
Graphs
Panda GateDefender Performa shows the results of the filter applied in the previous section as a graph.
• Percentages and evolution of pages. This section shows two graphs. The pie chart shows
the number and percentage of detections for a specific type of page. Each type of page is
assigned a color, which corresponds to a section of the pie chart. The data is classified into:
1. Classification of the pages (pages allowed and restricted pages).
2. Total number of detections of this type of page.
3. Percentage of detections of this type of page with respect to the total pages scanned.
The evolution graph shows the evolution of each type of page during a specific period of time.
The color of each line corresponds with the color of each type of page.
• Top 10 filtered pages visited. A pie chart shows the top ten restricted pages visited, taking
into account the filtering criteria. Each page is assigned a color, which corresponds to a section of
the pie chart. The data displayed is classified into:
1. Page URL.
2. Category by which it has been filtered.
3. Total number of visits.
4. Percentage of visits to this page with respect to the total in the Top 10.
• Top 10 most visited domains. Shows the top ten most visited domains, taking into account
the filtering criteria. Each domain is assigned a color, which corresponds to a section of the pie
chart. It displays the data as follows:
1. Domain.
2. Category to which the domain corresponds.
3. Total number of visits.
4. Percentage of visits with respect to the Top Ten.
• Top 10 users that most browse the Web. Shows the top ten users that most use the
Internet, taking into account the filtering criteria. Each user is assigned a color, which
corresponds to a section of the pie chart. The data can be classified as follows:
1. User.
2. Total number of visits.
3. Percentage of visits with respect to the Top Ten.
• Top 10 user access to blocked pages. A pie chart shows the top ten users that have most
frequently visited blocked pages, taking into account the filtering criteria. Each user is assigned a
color, which corresponds to a section of the pie chart. The data is classified into:
1. IP address. IP address of the user that accesses the restricted pages.
2. Total number of blocked pages visited.
3. Percentage with respect to the total of the Top 10.
If Panda GateDefender Performa is installed between the Internet and a Web proxy, only
access of the proxy IP will be logged.
IM/P2P/VoIP filter details
This offers a graphic display of the activity of the instant messaging, P2P and VoIP protocol filter.
These details can be selected by a specific date. The graphs will vary depending on the selection
criteria.
View selection
You can select the details according to the following values:
• Values of the data you want to see. Use the drop-down menu:
  • Percentage: Shows percentage data in the status graphs.
  • Absolute: Shows absolute data in the status graphs (default mode).
• Period. You can specify that the graphs must only show the access to restricted Web pages
detected in a certain period.
  • Last 24 hours. Default mode.
  • Last 7 days.
  • Last month.
  • Last year.
  • Specify dates: If you select this option, text boxes will be enabled that will allow you to
  specify the start and end dates.
The system uses cookies to remember your preferences.
Graphs
Panda GateDefender Performa shows the results of the filter applied in the previous section as a graph.
• Percentages and evolution. This section shows two graphs. The pie chart shows the number
and percentage of detections for each type of protocol. Each type is assigned a color, which
corresponds to a section of the pie chart. The data is classified into:
1. Protocol classification
2. Total number of detections for this type of protocol.
3. Percentage of detections for this type of protocol with respect to all traffic analyzed.
The evolution graph shows the evolution of each type of protocol during a specific period of time.
The color of each line corresponds with the color of each type.
• Percentages and evolution of the applications. This section shows two graphs. The pie
chart shows the number and percentage of detections for a specific type of access. Each type of
access is assigned a color, which corresponds to a section of the pie chart. The data is classified
into:
• Classification of the applications (connections or access of protocols allowed and
restricted).
• Total number of detections of this type of access generated by the protocols specified.
• Percentage of detections of this type of access generated by the specified protocols, with
respect to all access.
The evolution graph shows the evolution of each type of protocol during a specific period of time.
The color of each line corresponds with the color of each type of protocol.
• Top 10 restricted protocols. A pie chart shows the top ten restricted resources accessed,
taking into account the filtering criteria. Each application is assigned a color, which corresponds
to a section of the pie chart. The data displayed is classified into:
1. Protocol name
2. Category by which it has been filtered.
3. Total number of visits.
4. Percentage of visits to this application with respect to the total in the Top 10.
• Top 10 user access to restricted protocols. A pie chart shows the top ten users that have
most frequently visited restricted protocols, taking into account the filtering criteria. Each user is
assigned a color, which corresponds to a section of the pie chart. The data is classified into:
1. IP address. IP address of the user that accesses the restricted protocols.
2. Total number of restricted protocols visited.
3. Percentage with respect to the total of the Top 10.
If Panda GateDefender Performa is installed between the Internet and a Web proxy, only
access of the proxy IP will be logged.
Version details
In order to check the version of the different modules incorporated in Panda GateDefender Performa:
1. Select the Status menu in the console main window.
2. Click the icon next to Last update.
You can also access the screen by going to Status > Updates and licenses > Last updates.
A window appears with the following data:
• Date of the signature files and version of the anti-malware engine.
• Date of the signature files and version of the anti-spam engine.
• Version of the Web filtering engine.
• Date of the IM/P2P/VoIP protocol filter rules.
• IM/P2P/VoIP protocol filter engine version.
• System software version (firmware).
System status
This displays all information about system operation, through the following graphs:
• System connections
• System load
• Network interface cards
• System data
System connections
Indicates the number of current connections, as well as the graphic with data on the number of
connections established and failed.
• Connections established
Shows the number of connections successfully established through the appliance for the protocols that
the device is scanning.
• Simultaneous connections.
This is the number of connections open at the same time. In this case, it will indicate the average
number of connections open at the same time for a given period. This information is particularly useful
in order to know the workload of Panda GateDefender Performa at any given moment.
System load
Graph showing the CPU load.
• Load balancing
If you have more than one unit working in load balancing mode, this section will allow you to view
the rest of the units and access their Web administration consoles. You can also check the status
(master or slave) of all units.
To access the consoles of the other Panda GateDefender Performa units, you must:
1. Click the Open console link next to the name of the other unit.
2. Enter the user name and password for accessing the console of the device you want to access.
Network card zone
This section shows the Megabytes (or Gigabytes) passed through each network interface card (NIC1
and NIC2), distinguishing inbound and outbound data, and with the corresponding graphic.
System data
A progress bar shows the percentage system load and uninterrupted run time.
Restart statistics
Use this button, at the bottom of the window, to restart the system graphic statistics. Obviously, on
restarting the statistics the data displayed in the Status window will change.
Introduction to the settings
When you access the Settings menu of the Panda GateDefender Performa console, you will find the
options grouped into two main sections: protection settings and system settings.
From these sections you can configure specific features of each protection module, general system
features, IP addresses and domains, protection profiles, warnings, etc.
Protection settings
In addition to configuring the anti-malware and anti-spam protection, Panda GateDefender Performa
lets you decide which Web pages users can access, which email, Internet or News content to permit or
restrict, and whether to restrict access to instant messaging and P2P protocols.
You can also add additional ports to the ports that Panda GateDefender Performa uses by default. You
can also create specific profiles and assign them to the appliances you choose.
System settings
In this section of the Settings menu you will find options that allow you to configure general system
features, internal networks, IP addresses and domains, warnings, etc.
Protection settings
Anti-malware protection
Malware types
Panda GateDefender Performa protects against malware in general and viruses in particular, before
these malicious codes can enter or leave your organization.
Panda GateDefender Performa blocks attacks launched by:
1. Viruses. Viruses are programs that can enter computers or IT systems in a number of ways,
causing effects that range from simply annoying to highly-destructive and irreparable.
2. Worms. Programs similar to viruses, which differ in that all they do is make copies of
themselves (or parts of themselves).
3. Vulnerability exploits. Attempts to exploit vulnerabilities through both e-mail and HTTP.
4. Trojans. Strictly speaking, a Trojan is not a virus, although it is often thought of as such.
Really they are programs that install themselves on computers appearing to be harmless
programs and carry out actions compromising user confidentiality.
5. Dialers. These are programs that are often used to maliciously redirect Internet connections.
They are designed to disconnect the legitimate telephone connection used to hook up to the
Internet and re-connect via a premium rate number. Often, the first indication a user has of
this activity is an extremely expensive phone bill.
6. Jokes. These are not viruses, but tricks that aim to make users believe they have been
infected by a virus.
7. Spyware. Programs that are automatically installed with another, (usually without the user’s
permission and even without the user realizing), which collect personal data (data on
Internet access, action carried out while browsing, pages visited, programs installed on the
computer, etc.). This information could be published, compromising user confidentiality.
8. Hacking tools and potentially unwanted programs. Programs that can be used by a
hacker to carry out actions that cause problems for the user of the affected computer
(allowing the hacker to control the computer, steal confidential information, scan
communication ports, etc).
9. Security risks. Any program that can be used for malicious purposes to cause problems for
the user of the computer. For example, a program for creating viruses or Trojans.
10. Phishing. This is an attack that uses social engineering. It consists of a message that seems
to be sent from a reliable source and tries to trick the user into revealing private information
(passwords, credit card number, etc.), which will then be used for fraudulent purposes (for
example, identity theft).
Anti-malware protection settings
You can configure anti-malware protection (anti-dialers, anti-spyware, anti-jokes, anti-phishing,
heuristic protection and protection against hacking tools and security risks).
Bear in mind that the protocol settings defined for the antivirus protection will be
applied to the rest of the types of anti-malware protection.
You can configure the following types of protection:
• Antivirus protection: Viruses, worms and Trojans.
• Heuristic protection: Unknown viruses.
• Anti-phishing protection: Private data theft.
• Protection against other risks: Hacking tools and security risks.
• Trusted sites and domains: List of trusted domains and/or IP addresses whose traffic will
not be scanned for malware.
Antivirus protection settings
Protection against jokes, spyware and dialers
If you enable the antivirus protection, the protection against jokes, spyware and dialers will
also be enabled:
• Jokes: These are not viruses, but tricks that aim to make users believe their computers have
been infected by a virus.
Panda GateDefender Performa deletes jokes detected. As they are not files infected by a
virus, they cannot be disinfected.
• Spyware: Programs that are automatically installed with another program, (usually without the
user’s permission and even without the user realizing), which collect personal data (data on
Internet access, action carried out while browsing, pages visited, programs installed on the
computer, etc.).
Panda GateDefender Performa deletes spyware detected. As they are not files infected by
a virus, they cannot be disinfected.
• Dialer: These are programs that are often used to maliciously redirect Internet connections. They
normally redirect the connection to a premium-rate number.
Panda GateDefender Performa deletes dialers detected. As they are not files infected by a
virus, they cannot be disinfected.
In all three cases, Panda GateDefender Performa inserts a customizable warning as well as deleting
the threat. For instructions on how to configure the warning, click here.
Antivirus protection settings
To access the antivirus protection settings, click the Settings menu of the main
console window, and select Antivirus.
This window allows you to configure the protocols that Panda GateDefender Performa must scan for
viruses, the file extensions that must be scanned or excluded from the scan and the actions Panda
GateDefender Performa must take when malicious code is detected.
Protocols to scan
Panda GateDefender Performa intercepts and scans HTTP, HTTPS, FTP, SMTP, POP3, IMAP4 and
NNTP traffic for viruses, worms and/or Trojans.
If you use Exchange servers in native mode, encrypted traffic generated between them will be
let through without being scanned.
If you disable the checkbox next to any protocol in the antivirus protection settings window, Panda
GateDefender Performa will not scan that protocol for malware.
The protocols configured through the antivirus protection settings window will also be
automatically applied to the rest of the protection types.
Click here to check the configuration options for each protocol.
After configuring the protocols and port, you can configure the Extensions to scan.
If you click on this option, a new window appears in which you can specify if Panda GateDefender
Performa must scan all files (Scan files with any extension) or the files whose extension appears in
the Extensions to scan list (Scan files with the following extensions:).
In this case, select the corresponding checkbox if you want Panda GateDefender Performa to Scan
files without extensions.
Actions to take
In this section, you can specify the action Panda GateDefender Performa must take when malicious
code is detected.
Depending on the settings of the events to report, different types of notifications could be available.
For more information, refer to Events to report settings.
The actions that can be taken with messages automatically generated by viruses are:
• Completely delete the message.
• Delete only the infected attachment.
For the rest of the detections, the options are:
• Disinfect. Panda GateDefender Performa will disinfect the infected file. If disinfection is not
possible because the virus code has overwritten the original code, for example:
o For the HTTP/S and FTP protocols the file transfer will be blocked or it will be
rendered unusable.
o For the rest of the protocols the infected files will be deleted.
o By default, a copy of files that can’t be disinfected will be sent to quarantine. If
you don’t want these files to be stored in quarantine, clear this option.
When messages are deleted, Panda GateDefender Performa will reply to the computer trying
to send the message carrying the malicious code so that it thinks that the message has been
correctly sent.
• Delete the file. Panda GateDefender Performa will directly delete the infected file.
• For the HTTP/S and FTP protocols the file transfer will be blocked or it will be rendered
unusable.
• For the rest of the protocols: The infected files will be deleted.
• If you enable the checkbox For the SMTP protocol, completely delete the
message (not just the file), email messages that use this protocol will be prevented
from reaching the recipient.
It is advisable to select the option Disinfect, as almost all fake-from messages and messages sent
by mass-mailing worms are infected, and will be deleted when they are detected. Attachments with
useful content in other messages will be disinfected. The recipients of infected messages will be
informed that they have been disinfected and a warning can also be sent to the sender.
Optimization of HTTP/S traffic
In order to optimize HTTP/S traffic, the cache will store certain information about the addresses of
malware downloaded for a certain period of time.
This means that during this period, when malware that has already been identified is accessed,
Panda GateDefender Performa will display a warning containing the address, name, type of malware
and action taken. This prevents downloading and scanning the malware again and optimizes HTTP/S
traffic.
If you want to use the cache that stores malware addresses, select the corresponding checkbox. You
can also configure the cache time limit, provided the time value is between 1 and 60 minutes.
Protocol settings
Protocols are rules and procedures for communication between computers.
Be particularly careful when configuring the protocols to scan, as these settings will be applied
to the antivirus scan and the other types of anti-malware protection.
Panda GateDefender Performa protects the most widely used communication protocols:
• HTTP/HTTPS: Hyper-Text Transfer Protocol. Internet.
• SMTP: Simple Mail Transfer Protocol.
• POP 3: Post Office Protocol Version 3. Protocol for managing in the Internet.
• IMAP4: Internet Message Access Protocol.
• FTP: File Transfer Protocol. For transferring files between computers that run TCP/IP.
• NNTP: Network News Transfer Protocol. Protocol for accessing newsgroups.
If you use Exchange servers in native mode, encrypted traffic generated between them will be
let through without being scanned.
Antivirus protection for HTTP/HTTPS
When the HTTP scan is enabled, Panda GateDefender Performa:
• Scans the traffic in connections whose target port is 80, or any of the additional HTTP ports
specified (HTTP 1.0 and HTTP 1.1).
• Scans data transferred through download commands (for example: GET), as well as data
transferred through upload commands (for example: POST).
• Scans web mail traffic in both directions, regardless of which side of the appliance establishes the
connection. It scans all the web mail downloaded and sent.
• Scans any transfer that uses HTTP, even those that could prevent the information from being
correctly scanned (files downloaded in chunked HTTP transfer mode, partial files and in several
threads that are downloaded, etc.).
• Scans FTP on HTTP.
Antivirus protection for FTP
When the FTP scan is enabled, Panda GateDefender Performa:
• Scans the traffic in connections whose target port is 21, or any of the additional FTP ports
specified.
• Scans FTP traffic in both directions, regardless of which side of the appliance establishes the
connection. It will scan files transferred through active FTP, passive FTP and extended passive
FTP.
• Scans all files downloaded and uploaded.
Antivirus protection for SMTP
When the SMTP scan is enabled, Panda GateDefender Performa:
• Scans the traffic in connections whose target port is 25, or any of the additional SMTP ports
specified.
• Scans SMTP traffic in both directions, regardless of which side of the appliance establishes the
connection.
• Scans any transfer that uses SMTP, even those that could prevent the information from being
correctly scanned (files downloaded in CHUNKING (BDAT) -rfc3030, BINARYMIME -rfc3030,
PIPELINING -rfc2920 mode, etc.).
Antivirus protection for POP3
When the POP3 scan is enabled, Panda GateDefender Performa:
• Scans the traffic in connections whose target port is 110, or any of the additional POP3 ports
specified.
• Scans POP3 traffic in both directions, regardless of which side of the appliance establishes the
connection.
Antivirus protection for IMAP4
When the IMAP4 scan is enabled, Panda GateDefender Performa:
• Scans the traffic in connections whose target port is 143, or any of the additional IMAP4 ports
specified.
• Scans IMAP4 traffic in both directions, regardless of which side of the appliance establishes the
connection.
Antivirus protection for NNTP
When the NNTP scan is enabled, Panda GateDefender Performa:
• Scans the traffic in connections whose target port is 119, or any of the additional NNTP ports
specified.
• Scans NNTP traffic in both directions, regardless of which side of the appliance establishes the
connection.
Heuristic protection settings
To access the heuristic protection settings, click the Settings menu of the main console
window, and select Heuristic.
The Panda GateDefender Performa heuristic protection detects viruses that are not yet cataloged. The
same protocols as those configured for the antivirus protection will be scanned by the heuristic
protection.
Select Enable unknown threats protection to activate the heuristic protection. The heuristic scan
options are only available when this checkbox is enabled.
Sensitivity level
The sensitivity level of the heuristic scan specifies the tolerance level of the protection to suspicious
files. The higher the level of sensitivity, the higher the protection, but also the higher the risk of a
legitimate message being classified as suspicious.
Action
The actions that can be taken are:
• Send the suspicious file to quarantine. If you choose this option, the rest of the actions will
be disabled.
• For HTTP and FTP: Panda GateDefender Performa blocks the transfer of those suspicious files or
renders them unusable if they cannot be blocked.
• For the rest of the protocols:
o Delete the suspicious file: When files are deleted, Panda GateDefender Performa
deletes the suspicious file and includes a text in the message that reports the deletion.
o Redirect the message: The suspicious message will be
redirected to the email address entered in the textbox corresponding to this option.
Messages will only be completely redirected for SMTP. For other mail and
news protocols, the suspicious content will be deleted and a substitute text can
be configured by clicking on the corresponding link.
Click Mail server settings to specify the SMTP server that will be used to redirect mail. For more
information about how to configure the mail server, click here.
Anti-phishing protection settings
To access the anti-phishing protection settings, click the Settings menu of the main
console window, and select Anti-phishing.
The anti-phishing protection will safeguard computers from all types of attacks related to private data
theft such as passwords, banking details, etc. The same protocols as those configured for the antivirus
protection will be scanned by the anti-phishing protection.
The anti-phishing protection will be enabled whenever the protection for any of the email
protocols is enabled in the antivirus protection settings.
To enable this protection, select the Enable Anti-phishing protection checkbox.
In the SMTP traffic to scan checkbox, select the direction of the messages (inbound, outbound,
inbound and outbound) you want to scan, and click Save.
Remember that for this protection to operate correctly, it is important to define the internal networks
in your organization. To do this, click Internal networks.
Action
• Delete: Panda GateDefender Performa deletes the message.
o For SMTP, Panda GateDefender Performa will completely delete it.
o For the rest of the mail and news protocols, a message can be inserted in the subject
and body of the original message. Enable the checkboxes for each option and enter the
text that you want to insert in either the subject or message body.
• Flag message subject and body: The message will be flagged and a text will be added to the
subject and/or body of the message indicating that it is phishing. Enable the corresponding
checkboxes for each option and enter the text you want to insert in either the subject or message
body.
• Redirect the message: The suspicious message will be redirected to the email address entered
in the textbox corresponding to this option.
o Enter the email address to which you want to redirect the message.
o Click Mail server settings to specify the SMTP server that will be used to redirect mail.
For more information about configuring the mail server, click here.
o Enable the corresponding checkboxes for each option and enter the text you want to
insert in either the subject or message body.
Messages will only be redirected for SMTP. For the rest of the mail and news protocols a copy
will be sent to the address specified in the associated textbox.
• Let it through, just generate report: Lets the file through and generates a detection report.
Protection against other security risks settings
To access the protection against other security risks settings, click the Settings menu
of the main console window, and select Other risks.
The Panda GateDefender Performa protection against other risks keeps your organization safe from
hacking, security risks caused by certain applications and potentially unwanted programs.
The same protocols as those configured for the antivirus protection will be scanned by the
protection against security risks.
Protection against hacking tools and potentially unwanted programs
The Panda GateDefender Performa protection against hacking tools and potentially unwanted programs
safeguards your network from malicious hacking tools. Select Enable protection against hacking
tools and potentially unwanted programs.
If you select Automatically delete potentially unwanted programs, Panda GateDefender
Performa will automatically delete these potentially unwanted programs without prompting you to
confirm.
Depending on the settings of the events to report, different types of notifications could be available.
For more information, refer to Events to report settings.
Protection against security risks
The Panda GateDefender Performa protection against security risks neutralizes the security risks caused
by certain applications installed on your system.
This protection is enabled whenever the antivirus protection is enabled, so that your organization will
always be protected against these kinds of threats.
Trusted sites and domains settings in the anti-malware protection
To access the trusted sites and domains settings, click the Settings menu in the main
console, and in Protection > Anti-malware select Trusted sites and domains.
Sometimes, the traffic sent from certain servers, computers or domains is reliable enough to be
excluded from the scans.
By excluding this traffic from the anti-malware scans, the workload of Panda GateDefender Performa is
reduced and its performance is optimized.
You can create a list of servers, websites, domains, subdomains, IP addresses and ranges that will be
excluded from the scans. This action will apply to all protocols. To do this:
1. Click the Settings menu in the main Console screen.
2. Go to Protection > Anti-malware and click Trusted sites and domains.
3. This shows the trusted sites and domains configured to date. To add a new domain, subdomain,
range, etc., include it in the New box and click Add. In the case of IP addresses, you can use the
CIDR format, and for sub-domains, you can use wildcards.
4. The updated list will be displayed in the box. To delete any item, select it and click Delete.
After you have completed these steps, Panda GateDefender Performa will not scan traffic from those
domains, servers or computers for malware.
The correct format for entering a trusted site or domain
• For websites: enter the full URL (for example, mail.pandasoftware.com), or the IP address (for
example, 192.168.1.200).
• For domains or sub-domains: enter an asterisk (for example: *.subdomain.domain.com or
*.domain.com, etc). You can also enter an asterisk after the final dot of the domain (for example:
www.domain.*).
Bear in mind that it is not possible to use more than one asterisk (for example: *.domain.*).
If you do not want to enter sub-domains, you do not need to use the asterisk (for example,
domain.com).
Content Filter protection
Content Filter protection settings
Panda GateDefender Performa monitors and filters the content of email attachments, websites and
newsgroups. The Content Filter settings are divided into the following groups:
• HTTP/S and FTP protection settings
• Mail and news protection settings.
• Trusted sites and domains
HTTP/S and FTP protection settings
HTTP/S and FTP protection settings
To access the HTTP/S and FTP protection settings, click the Settings menu of the main
console window, and select Content Filter > HTTPs and FTP.
The Content Filter HTTP/S and FTP protection allows you to control the files that can or cannot enter
your organization through HTTP/S and FTP.
Files to scan
Select Enable the content-filter HTTP/S and FTP protection to use this powerful content filter.
For more information about configuring the files to scan, click here.
Traffic to scan
You can choose which traffic to scan. Enable the checkbox for the corresponding protocols: HTTP,
HTTPS and FTP.
Filters
Select Enable file filter. For more information about configuring the file filtering, click here.
Select Enable HTML page filter if you want to delete items that could be dangerous from HTML files.
If this filter is enabled, you can also configure it to Delete embedded scripts in the code of HTML
pages or Delete references to external scripts.
If you selected Delete embedded scripts, click Settings to configure this option.
Files to scan settings
Check Scan compressed files to enable the scan of compressed files.
Files excluded from the scan
Sometimes, certain files might need to be excluded from the file scan of the content-filter protection.
To add a file to the list of exclusions in Panda GateDefender Performa, follow the steps below:
1. Click on Add...
2. Select the file you want to exclude.
If you want to import a list of files for the same purpose, click on Import list and select the file to
import.
To delete a file from the list of exclusions, click on the file and then on Delete.
To export your list of exclusions, click on Export list.
Click on Clear list to delete all the files from the list, leaving it blank.
File filter settings
The file filter settings section allows you to specify the file types to detect and the action to take if one
of these files is detected. Follow the steps below to configure the file filter:
1. Enable the checkbox next to the description of each file type to detect.
2. Select the action to take if one of these messages is detected. The drop-down menu offers the
following actions:
• Delete: Eliminates the file detected.
• Let it through, just generate report: Lets the file through and generates a detection report.
• Send it to quarantine.
3. You need to specify additional information for some options. In this case, the Settings button will
activate. Click on it and configure the parameters required:
• Files with a multiple extension or truncated extension: Panda GateDefender Performa will
show a list with the title: Multiple extensions ending in the following will be filtered: To exclude
any of the multiple extensions in this filter, specify it in the Multiple extensions excluded list.
• Attachments whose size exceeds the maximum: Define the maximum size. Panda
GateDefender Performa will block files that exceed this size.
• Suspicious compressed files: Define if they are suspicious because they have an excessive
level of nesting, contain an excessive number of files or exceed a maximum size when
decompressed.
• Files with dangerous extensions: Define the list of dangerous extensions.
• Dangerous MIME type settings: Define the MIME types to detect.
• ActiveX: Define the websites from which ActiveX controls can be downloaded or the websites
from which they cannot be downloaded.
• Java Applets: Define the websites from which Java Applets controls can be downloaded or the
websites from which they cannot be downloaded.
4. Click on Save.
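The three criteria listed under Suspicious compressed files (level of nesting, number of files, size when decompressed) can be checked as in the following added example, which is not part of the product or of the original guide. The limit values, the function names and the in-memory sample archives are assumptions constructed for illustration, and only ZIP archives are handled.

```python
import io
import zipfile


def make_zip(members):
    """Build an in-memory ZIP from {name: bytes}; used for the constructed samples."""
    out = io.BytesIO()
    with zipfile.ZipFile(out, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, payload in members.items():
            zf.writestr(name, payload)
    return out.getvalue()


def make_nested(levels):
    """Constructed sample: a ZIP wrapped in further ZIPs, `levels` deep in total."""
    data = make_zip({"readme.txt": b"constructed sample"})
    for i in range(levels - 1):
        data = make_zip({f"level{i}.zip": data})
    return data


class _LimitExceeded(Exception):
    """Raised as soon as one of the three limits is exceeded."""


def _walk(data, depth, totals, max_depth, max_files, max_unpacked):
    if depth > max_depth:
        raise _LimitExceeded("nesting")
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            totals["files"] += 1
            if totals["files"] > max_files:
                raise _LimitExceeded("files")
            # Count the bytes actually produced, chunk by chunk, and stop at the
            # limit instead of decompressing a whole member before checking it.
            member = bytearray()
            with zf.open(info) as fh:
                while True:
                    chunk = fh.read(65536)
                    if not chunk:
                        break
                    totals["bytes"] += len(chunk)
                    if totals["bytes"] > max_unpacked:
                        raise _LimitExceeded("size")
                    member += chunk
            # A member that is itself a ZIP counts as one more nesting level.
            if zipfile.is_zipfile(io.BytesIO(bytes(member))):
                _walk(bytes(member), depth + 1, totals,
                      max_depth, max_files, max_unpacked)


def check_archive(data, max_depth=3, max_files=1000, max_unpacked=50 * 1024 * 1024):
    """Return None if the ZIP is within limits, else 'nesting', 'files' or 'size'."""
    totals = {"files": 0, "bytes": 0}
    try:
        _walk(data, 1, totals, max_depth, max_files, max_unpacked)
    except _LimitExceeded as exc:
        return str(exc)
    return None


if __name__ == "__main__":
    print("3 levels:", check_archive(make_nested(3)))
    print("5 levels:", check_archive(make_nested(5)))
```

The file and byte totals are cumulative across all nesting levels, so many small archives inside one container are counted together.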
Mail and news protection settings
Protection for mail and news settings
The content-filter mail and news protection lets you control the messages and attachments
that can enter your organization and those that cannot.
Messages and attachments to scan
Select Enable the content filter mail and news protection.
In the SMTP Traffic to scan checkbox select the direction of the messages (inbound, outbound,
inbound and outbound) you want to scan, and click Save.
Remember that for this protection to operate correctly, it is important to define the internal networks
in your organization. To do this, click Internal networks.
For more information about configuring the filter of attachments, click here.
Filters
The message filter allows you to filter messages by their characteristics and delete potentially
dangerous content:
• Enable message filter. The attachment filter scans and filters potentially dangerous items that
could be included in email messages and allows actions to be taken on them or on the messages
carrying them. For more information about configuring it, click here.
• Enable attachment filter. For more information about configuring it, click here.
Anomalies
Certain programs or computer systems have flaws that could be exploited. Panda GateDefender
Performa protects your network from these types of vulnerabilities through its content-filter protection.
1. Select Detect malformed messages to detect messages that do not meet messaging
standards and could, therefore, pose a threat to your organization.
2. Select the action to take if one of these messages is detected. The drop-down menu offers the
following actions:
• Delete message.
For SMTP, messages will be completely deleted. For the rest of the protocols, the texts in the
message that the original recipient will receive will be replaced. You can configure the
replacement text by clicking on the associated link.
• Redirect the message.
For SMTP, messages will be redirected to the Address configured. You can modify this
address by clicking on the link.
For the rest of the protocols, a copy will be sent to the previous address and the texts in
the message that the original recipient will receive will be replaced. You can configure the
replacement text by clicking on the associated link.
• Let it through, just generate report: Lets the file through and generates a detection
report.
• Send it to quarantine. You can configure automatic sending to quarantine.
3. Enable Block partial messages. Allows you to detect partially received messages,
which can pose a threat due to a possible vulnerability in mail programs. If a partial message is
detected, the content will be replaced with a warning.
Message filter settings
Message content
Content-filter can scan messages by their content and delete potentially dangerous content. Follow the
steps below to configure these settings:
1. Check Enable text content filter and click on Settings to customize message filtering.
2. In the Action to take menu, select the action that the message filter must take with messages:
• Delete message.
• Redirect message.
• Let it through, just generate report.
• Send it to quarantine.
3. Check Delete embedded scripts to delete potentially dangerous code inside messages. Click
on Settings... to customize the filter.
4. Check Delete only references to external scripts to delete only the references to scripts
outside the message.
5. Check Delete all external references to delete all the external references. Click on Settings...
to customize the filter.
Number of recipients
Many spam messages can be identified by the high number of recipients they are sent to.
Content-filter allows you to control the number of recipients of a message, deleting messages that
exceed the maximum established. To do this:
1. Check Maximum number of recipients for inbound mail and enter the maximum number
you want.
2. Check Maximum number of recipients for outbound mail and enter the maximum
number you want.
Mail and News attachment filter settings
The attachment filter settings section allows you to specify the files to detect and the action to take if
one of these file types is detected. Follow the steps below to configure the attachment filter:
1. Enable the checkbox next to the description of each file type to detect.
2. Select the action to take if one of these messages is detected. The drop-down menu offers the
following actions:
• Delete attachment.
• Delete message.
For SMTP, messages will be completely deleted. For the rest of the protocols, the texts
in the message that the original recipient will receive will be replaced. You can configure
the replacement text by clicking on the associated link.
• Redirect message.
For SMTP, messages will be redirected to the address configured. You can modify this
address by clicking on the link.
For the rest of the protocols, Panda GateDefender Performa will send a copy to the
previous address and the texts in the message that the original recipient will receive will
be replaced. You can configure the replacement text by clicking on the associated link.
• Let it through (just generate report).
Lets the file through and generates a detection report.
• Send it to quarantine.
Attachments will be deleted and a replacement text included in the message. You can
configure the replacement text here.
3. Additional settings can be configured for certain file types. If you have selected one of these
types, the Settings button will be activated. Click this button to define the settings for this file
type.
If the checkbox for a file type is disabled, the Settings button will not be available,
even if this type of file allows additional settings to be defined.
Trusted sites and domains settings in the Content Filter protection
To access the trusted sites and domains settings for the Content Filter, click the
Settings menu in the main console, and select Content Filter > Trusted sites and domains.
Sometimes, the traffic sent from certain servers, computers or domains offers enough guarantees to be
excluded from the Content Filter scans.
By excluding this traffic from the Content Filter, the workload of Panda GateDefender Performa is
reduced and its performance is optimized.
In order to exclude trusted sites and domains from the Content Filter, follow the steps below:
1. Click the Settings menu in the console.
2. Go to Protection > Content Filter and click Trusted sites and domains.
3. HTTP/S and FTP protocols: use the New text box to enter domains and/or IP addresses (in
CIDR format) whose traffic will not be filtered. You can use wildcards for sub-domains. Click Add.
4. Mail and News: you can enter domains and IP ranges. You can use wildcards for sub-domains.
Use the New text box to enter IP addresses (in CIDR format) whose traffic will not be filtered.
Click Add.
5. Trusted sites and domains added will be displayed in a list in the large box. To delete any of
them, select them and click Delete.
6. If you want to import or export a list of domains or IPs, consult the section Import/Export files
or lists.
After you have completed these steps, the Panda GateDefender Performa Content Filter will not scan
traffic from those domains, servers or computers.
The correct format for entering a trusted site or domain
• For websites: enter the full URL (for example, mail.pandasoftware.com), or the IP address (for
example, 192.168.1.200).
• For domains or sub-domains: enter an asterisk (for example: *.subdomain.domain.com or
*.domain.com, etc).
If you do not want to enter sub-domains, you do not need to use the asterisk (for example,
domain.com).
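Because every entry in the anti-malware and Content Filter trusted lists removes traffic from scanning, it is worth checking a list against the entry formats described in both sections before importing it. The following is an added example, not Panda's code: how the appliance itself matches names is not described in this guide, so the matching rules, the /16 review threshold and all function names are assumptions.

```python
import ipaddress
import re

# One DNS label, and a dotted host name built from such labels.
_LABEL = r"[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?"
_HOST_RE = re.compile(rf"{_LABEL}(?:\.{_LABEL})*")

MIN_PREFIX = 16  # assumed review threshold: IPv4 ranges wider than /16 are flagged


def parse_entry(entry):
    """Classify one list entry as (kind, value); raise ValueError if malformed."""
    e = entry.strip().lower()
    if not e:
        raise ValueError("empty entry")
    if e.count("*") > 1:
        raise ValueError("more than one asterisk")
    if "*" not in e:
        try:
            if "/" in e:
                return ("cidr", ipaddress.ip_network(e, strict=False))
            return ("ip", ipaddress.ip_address(e))
        except ValueError:
            pass  # not an address: fall through to the host-name check
        if _HOST_RE.fullmatch(e):
            return ("host", e)
        raise ValueError("not a host name, IP address or CIDR range")
    if e.startswith("*.") and _HOST_RE.fullmatch(e[2:]):
        return ("subdomains", e[2:])
    if e.endswith(".*") and _HOST_RE.fullmatch(e[:-2]):
        return ("any_suffix", e[:-2])
    raise ValueError("asterisk must be a leading '*.' or a trailing '.*'")


def is_trusted(entry, target):
    """True if target (a host name or an IP literal) is covered by the entry."""
    kind, value = parse_entry(entry)
    t = target.strip().lower().rstrip(".")
    try:
        addr = ipaddress.ip_address(t)
    except ValueError:
        addr = None
    if kind == "ip":
        return addr == value
    if kind == "cidr":
        return addr is not None and addr.version == value.version and addr in value
    if addr is not None:
        return False  # name patterns never match IP literals
    if kind == "host":
        return t == value
    if kind == "subdomains":
        return t.endswith("." + value)  # assumed: the bare domain is not covered
    return t.startswith(value + ".") and len(t) > len(value) + 1


def audit(entries):
    """Return (entry, finding) pairs for entries that are invalid or very broad."""
    findings = []
    for entry in entries:
        try:
            kind, value = parse_entry(entry)
        except ValueError as exc:
            findings.append((entry, f"invalid: {exc}"))
            continue
        if kind == "any_suffix":
            findings.append((entry, "broad: any suffix after the name is trusted"))
        elif kind == "subdomains" and "." not in value:
            findings.append((entry, "broad: wildcard directly under a top-level label"))
        elif kind == "cidr" and value.version == 4 and value.prefixlen < MIN_PREFIX:
            findings.append((entry, f"broad: range wider than /{MIN_PREFIX}"))
    return findings


# Constructed sample list; the first four entries are the guide's own examples.
SAMPLE = ["mail.pandasoftware.com", "192.168.1.200", "*.domain.com", "www.domain.*",
          "*.domain.*", "10.0.0.0/8", "*.com", "dom*ain.com"]

if __name__ == "__main__":
    for item, finding in audit(SAMPLE):
        print(f"{item:24} {finding}")
```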
Anti-spam protection
Anti-spam protection settings
To access the anti-spam protection settings screen, click on the Settings menu in the main
console screen, and then select Anti-spam > Anti-spam settings.
Introduction
Spam is unsolicited email. Panda GateDefender Performa includes several technologies for detecting
spam:
o Signature-based detection
o Detection based on DNSBLs
o Anti-backscatter protection
o Open Relay Spam protection
To configure the detection based on DNSBL, the protection against unwanted notification
messages and the Open Relay Spam protection, go to the advanced settings screen. In the current
screen you can only configure the signature-based protection.
Anti-spam protection settings
In order to configure the general anti-spam protection, you must specify:
o Which protocols Panda GateDefender Performa must scan for spam (SMTP, POP3 and IMAP4). In
order to enable the scan of each protocol, enable the corresponding checkbox.
o The internal networks. To do this, click the internal networks link and include the IP ranges
of your organization in CIDR format.
o The traffic to be scanned (inbound, outbound or both) depending on the internal networks
defined.
If the internal networks are not defined, all traffic will be considered inbound. This information is
also used by Panda GateDefender Performa when generating reports, indicating the address of mail
cataloged as spam (SMTP in or SMTP out).
o Sensitivity of the scan to balance false positives against false negatives.
o The action Panda GateDefender Performa must take when it detects spam.
o Configure the white lists and blacklists if necessary.
Not all detection technologies are available for all possible scans and protocols. Detection
based on DNSBL, protection against unwanted notification messages and Open Relay Spam
protection are only available for inbound SMTP traffic.
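The effect of the internal networks on the anti-spam scan, including the case where none are defined, is shown in the following added example, which is not the appliance's code. It assumes that direction is decided from the IP address of the host opening the SMTP connection; the function names and the sample addresses are constructed for illustration.

```python
import ipaddress

# Technologies named in this guide; the last three apply to inbound SMTP only.
SIGNATURE = "signature-based detection"
INBOUND_ONLY = ["detection based on DNSBLs", "anti-backscatter protection",
                "Open Relay Spam protection"]


def direction(client_ip, internal_networks):
    """'outbound' if the sending host is inside an internal network, else 'inbound'."""
    addr = ipaddress.ip_address(client_ip)
    for cidr in internal_networks:
        net = ipaddress.ip_network(cidr, strict=False)
        if addr.version == net.version and addr in net:
            return "outbound"
    # Reached for external hosts, and for every host when the list is empty.
    return "inbound"


def plan(client_ip, internal_networks, traffic_to_scan):
    """Return (direction, technologies applied) for one SMTP connection.

    traffic_to_scan is 'inbound', 'outbound' or 'both', mirroring the
    Traffic to scan menu.
    """
    if traffic_to_scan not in ("inbound", "outbound", "both"):
        raise ValueError("unknown traffic_to_scan value")
    d = direction(client_ip, internal_networks)
    if traffic_to_scan != "both" and traffic_to_scan != d:
        return d, []  # this direction is not scanned at all
    techs = [SIGNATURE]
    if d == "inbound":
        techs += INBOUND_ONLY
    return d, techs


if __name__ == "__main__":
    internal_host = "192.168.1.10"   # constructed: a mail client on the LAN
    external_host = "203.0.113.25"   # constructed: documentation address range
    for nets in (["192.168.1.0/24"], []):
        for host in (internal_host, external_host):
            print(nets, host, plan(host, nets, "inbound"))
```

With an empty internal network list, the LAN host is classified as inbound, so the organization's own outgoing mail is scanned with the inbound-only technologies.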
SMTP protocol
To enable anti-spam protection for SMTP:
1. Select the SMTP checkbox.
2. Then, select the option you want from the Traffic to scan menu:
o Inbound: enables detection of spam messages coming from the Internet.
o Outbound: enables detection of spam messages coming from the internal network.
o Inbound and outbound: enables detection of spam messages coming from the internal
network and the Internet.
Click Save to store the traffic to scan settings.
To go to the advanced SMTP anti-spam protection options, click here.
If any of the protection enabled in the SMTP anti-spam protection advanced settings is
incompatible with the selected traffic direction to scan, Panda GateDefender Performa will display a
warning.
Sensitivity level
The sensitivity level of the anti-spam protection specifies the tolerance level of the protection to
suspicious files. The higher the level of sensitivity, the higher the protection, but also the higher the
risk of a legitimate message being classified as suspicious.
Set the sensitivity level of the anti-spam protection by enabling the corresponding option (high,
medium or low).
Action to take with messages classified as spam or probable spam.
Specify what action Panda GateDefender Performa must take when it classifies an email message as
spam or probable spam:
• Delete: The suspicious file will be deleted.
o For SMTP: Panda GateDefender Performa will delete it completely.
o For the rest of the mail and news protocols: A text will be inserted in the subject of the
original message.
o You can write the text that you want to appear in the message subject.
• Redirect the message: The suspicious message will be redirected to the email address entered
in the textbox associated to this option.
o Click Mail server settings to specify the SMTP server that will be used to redirect mail.
For more information about how to configure the mail server, click here.
o For SMTP: Messages will be redirected to the address specified in the textbox.
o For the rest of the mail and news protocols: A copy of the message will be sent to the
specified address and the text entered in the textbox will be inserted in the subject of
the original message.
• Let it through, just generate report: Allows you to let the message through, generating a
detection report.
• Send it to quarantine. You can configure automatic sending to Quarantine.
You can write the text that you want to appear in the message subject.
These actions are applicable in the case of signature-based detection and Open Relay Spam
protection. For the other detection technologies, Panda GateDefender Performa offers specific
actions in the SMTP anti-spam protection advanced settings.
Spam white list and blacklist
If a domain or a certain server offers enough guarantees, the messages it sends can be excluded from
the anti-spam scan (white list), lightening the workload of Panda GateDefender Performa and thereby
optimizing performance.
Similarly, you can specify that Panda GateDefender Performa must treat all messages sent from certain
domains or servers as spam (blacklist).
You can also enable the option to Delete messages from the names and addresses included in
the spam blacklist.
Click here for instructions on how to configure the white list and blacklist.
Spam white list and blacklist
The spam white list lets you specify trusted senders. Messages from these senders will not be analyzed
by any of the anti-spam measures.
The spam blacklist lets you specify senders you consider to be dangerous. Messages from these
senders will always be classified as spam.
If the Delete messages from the names and addresses included in the spam blacklist
checkbox is enabled, the messages will be deleted; if it is disabled, the action defined in the Action to
take with messages classified as spam section will be applied.
You can specify senders using their IP address, domain name or email address.
Depending on the mail protocol, the data used to determine whether a sender belongs to a list is as
follows:
• SMTP: the IP address from which the message has been sent and the email address of the
sender.
• POP3/IMAP: the IP of the server and the email address of the sender.
To include an IP address, a domain name or an email address in one of the lists, follow the
steps below:
1. Select the Protection settings option in the menu on the left of the Web administration console.
2. Click Anti-spam protection. At the bottom of the console, you can configure the white list and the blacklist.
3. In the box below the option New for each of the lists, enter the IP address, domain name or email address that you want to include and click Add.
4. Repeat these steps for every IP, domain or email address you want to add.
In order to remove a domain, IP address or address from one of the lists (white or black), select it and
click the corresponding Delete button. Repeat these steps for all the items you want to remove.
If you want to import the content of the list, click Import list and then select the file to import.
To export a list, click Export.
Click Save to save any changes.
Advanced SMTP anti-spam protection settings
General considerations
You can access the SMTP anti-spam protection advanced settings through the Anti-spam protection
settings link in the main screen.
These settings are only valid for inbound SMTP traffic, and before using them, it is important to define
the internal networks to be able to differentiate between inbound and outbound messages.
Once you have defined the internal networks, you can configure:
- Open Relay Spam protection
- Response to the sender in the event of blocked SMTP messages
- Protection against unwanted notification messages (anti-backscatter)
- Detection based on DNSBLs.
Response to the sender in the event of blocked SMTP messages
When a detection is made in SMTP by any of the anti-spam protections (blacklist, Open Relay Spam
protection, protection against unwanted notification messages, detection based on DNSBLs or the
anti-spam engine protection) and the action involves blocking the message, you can establish an error
code that the sender will receive. This way, on receiving the error, the sender will understand that they
cannot send spam to the recipient in question.
The actions that involve complete blocking of the SMTP message are deleting the message, redirecting
it and sending it to quarantine.
To enable this option, select Reject message during connection in the SMTP Anti-spam
protection advanced settings, and select a Reply code.
The possible error codes are:
• 554 Spam detected (default)
• 552 Exceeded storage allocation
• 452 Requested action not taken: insufficient system storage
• 451 Requested action aborted: local error in processing.
Detection based on DNSBLs
A DNS blacklist is a list of IP addresses of spammers recognized by the community. On
receiving an email, Panda GateDefender Performa checks the IP address from which the message has
been sent against the external DNSBL to determine if the message has been sent by a spammer or not,
without having to analyze the content of the message itself. That's why classification is much faster
than with other methods implemented in Panda GateDefender Performa.
DNSBL is a complementary technology that works in conjunction with the other anti-spam modules.
The DNSBL lists are accessed through DNS requests. Check that your firewall allows Panda
GateDefender Performa to communicate with external DNS servers.
Detection based on DNSBLs only works with inbound SMTP mail, so it is essential to indicate the
internal networks of your organization so that Panda GateDefender Performa can distinguish between
inbound and outbound traffic. If the internal networks in your organization are not defined, the DNSBL
protection cannot operate.
To enable the DNSBL protection, select Enable detection by DNBLs and choose the action you
want to take on this type of message from the drop-down menu.
If you select Redirect or Let it through, just generate report, you can insert a text in the Subject
field to help you identify the message. In the case of the Redirect option, specify the recipient's email
address, and configure the mail server to be used. To do this, click Mail server settings.
Enabling DNSBLs
Enable use of DNSBLs recommended by Panda Security
This option lets you enable detection using DNSBLs recommended by Panda Security, and which
have been selected on the grounds of reliability and response time. Bear in mind that Panda Security
can modify the recommended DNSBLs without prior notice.
Enable use of additional DNSBLs
This option lets you add a maximum of three DNSBLs which will be included in the Panda GateDefender
Performa detection process.
You must bear in mind:
1. That these DNSBLs are not maintained by Panda Security, and therefore it does not guarantee
their content. That the use of additional DNSBLs is outside the responsibility of Panda Security.
2. That DNSBLs which are poorly maintained will take an indeterminate time to change the status of
any entries, and so IPs which once belonged to spammers will probably continue to figure as
spam. The opposite is also possible: there may be IPs that belong to spammers but do not figure
as such in additional DNSBLs.
3. You may have to pay for some of these lists. You can find subscription or free black lists on the
Internet, searching for example for “DNSBL” or “RBL”. Make sure you are aware of the terms and
conditions of use when using such third-party lists.
4. Not all DNSBLs guarantee a 24x7 service. If during communication with any additional server you
have defined there are frequent timeouts or service failures, it is your responsibility to select an
alternative server.
5. If there is a discrepancy between the DNSBLs recommended by Panda Security and those
configured by the user when it comes to cataloging spam, the former shall have priority.
If your IP or domain has been included in one of these lists, consult the following URL:
/www.blacklistalert.org/?q=IP to find out why. You may have to contact those responsible for
the blacklist to remove your IP or domain from it.
The maximum response time of DNSBLs can be configured in Tools: advanced settings in the
section SMTP settings – Maximum time to reply to DNSBL queries.
To remove a DNSBL, select it in the list and click Delete.
If you want to prevent an IP address from being checked in the DNSBL servers, add the IP to the spam
white list in the Anti-spam protection settings.
Message header analysis
There are two procedures for determining the IP address of the sender of an email:
• Determining the source IP address of the SMTP connection established between the sender MTA
(which could be that of a spammer) and the recipient in your organization. If the IP address of
the sender MTA belongs to a DNSBL it will be classified as a spammer and the mail received will
be marked as spam.
• Determining the IP addresses of the MTAs through which the message has passed before
reaching the recipient server, as stored in the Received headers of each mail message.
With this option, Panda GateDefender Performa will not analyze the SMTP connection IP address, but
will analyze the IP included in the Received header indicated in the console, determining if it coincides
with any in the DNSBLs configured.
If Panda GateDefender Performa is installed behind the organization's MTA, check that it is
correctly configured to include information about the IP address of the sender MTA in each email.
Some badly-configured mail servers will only include the domain name without indicating the IP
address; in this case Panda GateDefender Performa will display a warning indicating the reason for
the failure in the DNSBL module.
Analysis of the Received header of the message is necessary when Panda GateDefender Performa is
situated in the organization's network in such a way that there is no SMTP communication with the
MTA from which the message has been sent. Given that all MTAs include this information in each
message, it is not possible to determine which of the available headers carries the useful MTA
information, as the number of MTAs through which an email may pass until reaching the client is
variable and depends on the network.
There are therefore several general scenarios possible that will influence which Received header is
considered:
Scenario 1: Panda GateDefender Performa in front of the first MTA
In this scenario it is not necessary to analyze message headers as there is a direct SMTP connection
between the MTA sending the email and the MTA of the organization that receives it. Panda
GateDefender Performa will extract the source IP address of the SMTP connection and check it against
the configured DNSBLs.
Scenario 2: Panda GateDefender Performa behind the first MTA
In this scenario, Panda GateDefender Performa has to analyze the message headers, as the connection
that it analyzes will correspond to the download of the mail by the client and not to the connection
between the remote MTA and the internal MTA. The relevant header is the one introduced by the first
MTA of the organization, as it is the only one that can determine the source IP address of the MTA
which has sent the email. The first Received header will be considered.
Scenario 3: Panda GateDefender Performa behind the last MTA of 3 MTAs in relay
In this scenario, Panda GateDefender Performa has to analyze the message headers. The relevant
header is the one introduced by the first MTA of the organization, as it is the only one that can
determine the source IP address of the MTA which has sent the email. The third header is the one to
consider, as each MTA enters its own header on top of the previous one. See image.
The blocking of messages through this detection system will be reflected in the spam report, including
whether the detection has been through recommended or additional DNSBLs.
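Added example, not part of the original guide or of the product's code: a Python illustration of the Received header selection from the scenarios above, followed by the DNSBL lookup (reversed octets plus the list zone, with an answer in 127.0.0.0/8 meaning "listed"). The message, the zone names and the resolver are constructed so that the example runs offline; all function names are hypothetical.

```python
import ipaddress
import re
from email import message_from_string

# Constructed sample for scenario 3: three internal MTAs in relay. Each MTA
# writes its Received header on top of the previous one, so the header added
# by the organization's first MTA is the third one from the top.
SAMPLE_MESSAGE = (
    "Received: from mta2.corp.example (mta2.corp.example [10.0.0.2])\n"
    "\tby mta3.corp.example with ESMTP; Mon, 1 Mar 2010 10:00:03 +0000\n"
    "Received: from mta1.corp.example (mta1.corp.example [10.0.0.1])\n"
    "\tby mta2.corp.example with ESMTP; Mon, 1 Mar 2010 10:00:02 +0000\n"
    "Received: from mail.sender.example (mail.sender.example [192.0.2.45])\n"
    "\tby mta1.corp.example with ESMTP; Mon, 1 Mar 2010 10:00:01 +0000\n"
    "From: someone@sender.example\n"
    "To: user@corp.example\n"
    "Subject: constructed sample\n"
    "\n"
    "body\n"
)

# Constructed DNS data standing in for real DNSBL zones (hypothetical names).
CONSTRUCTED_DNS = {"45.2.0.192.dnsbl-a.example": ["127.0.0.2"]}

BRACKETED_IPV4 = re.compile(r"\[([0-9]{1,3}(?:\.[0-9]{1,3}){3})\]")


def constructed_resolver(name):
    """Stand-in for a DNS A lookup: [] means NXDOMAIN, a timeout raises."""
    if name.endswith(".dnsbl-slow.example"):
        raise TimeoutError(name)
    return CONSTRUCTED_DNS.get(name, [])


def sender_ip_from_received(raw_message, position):
    """Return the IPv4 address named in the Received header at `position`
    (1 = topmost), or None if the header is absent or carries no IP."""
    received = message_from_string(raw_message).get_all("Received") or []
    if not 1 <= position <= len(received):
        return None
    match = BRACKETED_IPV4.search(received[position - 1])
    if match is None:
        return None  # e.g. the MTA recorded only a host name
    try:
        return str(ipaddress.IPv4Address(match.group(1)))
    except ipaddress.AddressValueError:
        return None


def dnsbl_query_name(ip, zone):
    """Build the DNSBL query name: reversed octets followed by the list zone."""
    octets = str(ipaddress.IPv4Address(ip)).split(".")
    return ".".join(reversed(octets)) + "." + zone.strip(".")


def check_dnsbls(ip, zones, resolve):
    """Query each zone; an answer in 127.0.0.0/8 means the address is listed."""
    results = {}
    for zone in zones:
        try:
            answers = resolve(dnsbl_query_name(ip, zone))
        except TimeoutError:
            results[zone] = "timeout"  # unreachable list: no verdict from it
            continue
        listed = any(answer.startswith("127.") for answer in answers)
        results[zone] = "listed" if listed else "not listed"
    return results


def classify(raw_message, position, zones, resolve):
    """Return (ip, per-zone results, is_spam) for one message."""
    ip = sender_ip_from_received(raw_message, position)
    if ip is None:
        return None, {}, False  # nothing to look up; report a warning instead
    results = check_dnsbls(ip, zones, resolve)
    return ip, results, "listed" in results.values()


if __name__ == "__main__":
    zones = ["dnsbl-a.example", "dnsbl-b.example", "dnsbl-slow.example"]
    print(classify(SAMPLE_MESSAGE, 3, zones, constructed_resolver))
```

Choosing position 1 on the same message selects an internal relay (10.0.0.2) instead of the external sender, which is why the header position has to match the number of internal MTAs in front of the appliance.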
Protection against unwanted notification messages (backscatter)
What is a bounce message (NDR)?
In the context of SMTP, a bounce message is a notification in email format, generated automatically by
the MTA when there is a problem in delivering mail. It generally occurs when the recipient does not
exist or there are connection problems with the recipient's MTA. There are several different terms for
bounce messages:
• NDR: Non Delivery Report, used in Panda GateDefender Performa.
• DSN: Delivery Status Notification.
• NDN: Non Delivery Notification.
In all cases, the NDR is sent to the sender of the original mail indicating the reasons for which a
message could not be delivered.
NDR messages are generated automatically by the MTA which receives the original email. The origin of
the bounce message is therefore the MTA and the recipient is the sender of the original mail.
NDR message format
The general format of an NDR message, with respect to being identified by Panda GateDefender
Performa, is as follows:
• FROM <> (empty) or MAILER-DAEMON or POSTMASTER.
• MIME header Content-type=message/Delivery-status; report-type=Delivery-status;
• Return-Path field: <MAILER-DAEMON> or <POSTMASTER> or empty
Backscatter
Backscatter is a technique which involves the receipt of an NDR (Non Delivery Report) for a message
which has not really been sent. It is caused by a virus which has infected computers outside of the
user's network. These viruses spoof the sender field ("From:") of an email message, selecting
addresses at random from the infected computer's contact list.
Spammers also use backscatter techniques. They use legitimate users' addresses as the reply
addresses of the spam messages they send. This way they can send hundreds or even thousands of
email messages to the legitimate user's mail server.
To enable the anti-backscatter protection, select Enable anti-backscatter protection, and select the
action you want to take on these types of messages.
If you select Redirect or Let it through, just generate report, you can insert a text in the Subject
field to help you identify the message. In the case of the Redirect option, specify the recipient's email
address, and configure the mail server to be used. To do this, click Mail server settings.
If you select Delete, the option Reject message during connection will not be possible.
Blocking of unwanted notification messages will be reflected in the spam report.
Then, select the method you want to use for this type of protection: BATV, or NDR restriction. Bear
in mind that these methods are exclusive of each other.
Backscatter diagram
In this diagram, [email protected] is the spam recipient and [email protected] is an existing but
inaccessible domain.
BATV (Bounce Address Tag Validation)
What is BATV?
This is an anti-backscatter technique involving validating the source of the message through a tag that
authenticates the sender. It is an acronym of Bounce Address Tag Validation. This technique can be
used in MTAs and perimeter security appliances. In our case it is Panda GateDefender Performa that
handles all the BATV information.
How it works:
1. When sending a message, Panda GateDefender Performa transparently adds a tag in the MAIL
FROM command of the SMTP session. This tag has the following format:
   • [email protected]
   • K is the key number. It is a number from 0 to 9. This means several keys can be
   generated with the same information.
   • DDD is the number of days elapsed since 1970 (applying MOD 1000).
   • SSSSSS is the value of the three first bytes of the SHA-1 HMAC encryption of the
   KDDD string. As K is a number between 0 and 9 there are 9 different keys although
   only one of them is in the email.
2. If the MTA cannot deliver an email, it will generate an NDR for the source of the original
message along with the tag.
3. Panda GateDefender Performa receives all messages that reach the MTA of the protected
organization. The sequence of steps involved to check the authenticity is as follows:
   • First it determines whether the message is an NDR or not (with the conditions
   described in the point above).
   • If it is not an NDR, BATV is not applied and the message is delivered to the other
   modules: Anti-spam, Content-filter, Anti-malware, etc.
   • If it is an NDR, the system checks for a tag.
   • If there is no tag, it is marked as spam.
   • If there is a tag, the following additional checks are made:
      • The DDD value is extracted and compared with the current date. If the
      difference is greater than seven days it is rejected (a maximum of seven
      days difference with the original message is permitted).
      • If the difference is less than seven days, the SSSSSS string is decrypted.
      The decrypted SSSSSS string must coincide with KDDD.
      • If the decrypted SSSSSS string does coincide with KDDD, the message is
      taken as valid. If not, it is considered spam.
BATV diagram with a legitimate NDR
BATV diagram with a malicious NDR
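Added example, not part of the original guide or of the product's code: the outbound tagging and the inbound NDR checks described above, in Python, including the DDD wrap-around at 1000 days. An HMAC cannot be decrypted, so the check recomputes it and compares the result. The prvs=KDDDSSSSSS=address layout and the inclusion of the original address in the HMAC input follow the public BATV Internet-Draft and are assumptions here (the guide names only the KDDD string); the secrets, addresses, times and function names are constructed, and only the envelope-sender condition is used to recognize an NDR.

```python
import hashlib
import hmac
import re

SECONDS_PER_DAY = 86400
MAX_AGE_DAYS = 7

# Constructed secrets, one per key number K (hypothetical values).
CONSTRUCTED_SECRETS = {0: b"constructed-secret-zero", 1: b"constructed-secret-one"}

# Assumed layout: prvs=KDDDSSSSSS=original-address
TAGGED = re.compile(r"^prvs=([0-9])([0-9]{3})([0-9a-f]{6})=(.+)$", re.IGNORECASE)


def day_number(now):
    """Days elapsed since 1970, modulo 1000 (the DDD field)."""
    return int(now // SECONDS_PER_DAY) % 1000


def make_tag(key_number, day, address, secret):
    """Return KDDDSSSSSS, SSSSSS being the first three HMAC-SHA1 bytes in hex."""
    kddd = f"{key_number}{day:03d}"
    mac = hmac.new(secret, (kddd + address).encode(), hashlib.sha1).digest()
    return kddd + mac[:3].hex()


def sign_sender(address, secrets, key_number, now):
    """Tag the MAIL FROM address of an outbound message."""
    tag = make_tag(key_number, day_number(now), address, secrets[key_number])
    return f"prvs={tag}={address}"


def looks_like_ndr(envelope_from):
    """True when the envelope sender is empty, MAILER-DAEMON or POSTMASTER."""
    sender = envelope_from.strip().strip("<>").lower()
    return sender == "" or sender.split("@", 1)[0] in ("mailer-daemon", "postmaster")


def check_bounce(envelope_from, recipient, secrets, now):
    """Apply the inbound checks in the order the guide lists them."""
    if not looks_like_ndr(envelope_from):
        return "not an NDR"  # BATV is not applied; other modules take over
    match = TAGGED.match(recipient.strip().strip("<>"))
    if match is None:
        return "spam: no tag"
    key_number, ddd, signature, address = match.groups()
    # DDD wraps every 1000 days, so the age is computed modulo 1000; a tag
    # dated in the future shows up as a very large age and is rejected too.
    age = (day_number(now) - int(ddd)) % 1000
    if age > MAX_AGE_DAYS:
        return "rejected: tag expired"
    secret = secrets.get(int(key_number))
    if secret is None:
        return "spam: bad tag"
    expected = make_tag(int(key_number), int(ddd), address, secret)[4:]
    if not hmac.compare_digest(expected, signature.lower()):
        return "spam: bad tag"
    return "valid"


def demo():
    """Run the checks on constructed bounces and return the verdicts."""
    sent_at = 14670 * SECONDS_PER_DAY  # constructed send time (DDD = 670)
    tagged = sign_sender("user@corp.example", CONSTRUCTED_SECRETS, 1, sent_at)
    day = SECONDS_PER_DAY
    return {
        "tagged": tagged,
        "after 3 days": check_bounce("<>", tagged, CONSTRUCTED_SECRETS, sent_at + 3 * day),
        "after 8 days": check_bounce("<>", tagged, CONSTRUCTED_SECRETS, sent_at + 8 * day),
        "untagged": check_bounce("<>", "user@corp.example", CONSTRUCTED_SECRETS, sent_at),
    }


if __name__ == "__main__":
    for label, verdict in demo().items():
        print(label, "->", verdict)
```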
Conflict detection
If the MTA protected by Panda GateDefender Performa supports BATV (i.e. if the mail server already
includes control tags and checks the validity of inbound NDRs), it is important not to overwrite these
tags: if Panda GateDefender Performa overwrites the control tag included by the MTA, the message
will be rejected by the MTA.
Panda GateDefender Performa does not apply BATV if it verifies that outbound messages already have
a tag. It also generates a system event and a warning in the Status page of the Web console.
Before enabling BATV
Remember that:
1. You must have configured internal networks to be able to differentiate between inbound and
outbound mail.
2. The traffic to analyze must be inbound or outbound.
3. It is incompatible to enable BATV in Panda GateDefender Performa and another internal mail
server at the same time.
To enable BATV, select Enable BATV.
White list of domains and addresses excluded from BATV
You can use this list to exclude domains from BATV. To do this, click White list of domains
excluded from BATV.
Restricting the entry of NDR messages
To restrict receipt of NDR messages by any of the IP addresses defined in your internal networks,
select Restrict NDR reception to the following IP addresses. Use the buttons Add and Remove to
configure the list of addresses, or Import and Export to import or export lists of addresses.
This option is disabled while traffic direction is outbound and the list of internal networks
defined is empty.
Factors to bear in mind when restricting NDR messages
Normally, NDR messages are sent by the company's first relay or MTA, and not by relays or mail servers
in other companies. Nevertheless, this is not always the case, as a remote server may have accepted mail
due to traffic saturation, and when processing it later, realize that the recipient does not exist,
consequently generating a notification message.
If administrators realize they are not receiving NDRs generated by a certain relay or mail server, they
should extend the list. In the spam events report, you can filter by the reason for blocking
backscatter and thereby check whether any of the blocked events are actually correct. In this case you can
include the source IP address of this NDR in the list of servers from which NDR messages are permitted.
Another option is to select Send to quarantine and check the messages in that situation, to see if
there are any legitimate NDR notifications.
Open Relay Spam protection
This offers additional protection against spam.
Under normal circumstances, all inbound mail must have a local user as a recipient (on internal
domains). This prevents the use of internal SMTP servers as Open Relay servers.
Any inbound SMTP traffic directed to non-local domains is considered Open Relay Spam. Inbound
SMTP is any mail coming from an external network (if no internal networks are defined, all SMTP
traffic is considered inbound). Similarly, non-local domains are those that are not defined in the
Internal domains in the Internal domain management form.
Web and IM/P2P/VoIP filter
Web filtering
Configuring the Web filter
To access the Web filter settings click the Settings menu in the main console window,
and select IM/P2P/VoIP and Web filter > Web filter.
Through this filter, Panda GateDefender Performa lets you restrict access to certain content (URLs or
Web pages) on the Internet. To do this, all URLs accessed through HTTP and/or HTTPS are scanned
and blocked if they are restricted.
Unlike other anti-malware protection, Web filtering can be enabled even though the antivirus
scan is not enabled.
Through the Web filtering settings the administrator can:
• Select the content to which access must be blocked.
• Define a timetable for the restrictions. This can be done through the chart displaying the days of
the week and the time. Click the cell corresponding to the day and time to allow/restrict.
• Specify the URLs or websites that cannot be accessed under any circumstances (blacklist).
• Specify the URLs or websites that can be accessed regardless of their content (white list).
• Include a list of users exempt from the Web filter to which no access restrictions will be
applied.
Content with restricted access
Select the categories to which you want to restrict access. Bear in mind that there is a category called
Uncategorized pages, which restricts access to all pages for which the Web filter could not find a
category.
Use the options All and None to select or unselect groups of contents.
Web pages accessed for the first time appear as uncategorized until they are included in the
Commtouch URL cache.
Possible actions
You can perform different actions on the restricted URLs or domains accessed by users:
• Block access to the restricted page
If this checkbox is enabled, Panda GateDefender Performa will block access to the restricted
URLs.
If this checkbox is not enabled, Panda GateDefender Performa will allow access to the
restricted URLs, whether they appear in the blacklist or not. It will log the access in the Web
filtering report if configured to do so.
• Show a warning page instead
(If the option Block access to the restricted page is not selected, this option is disabled).
Panda GateDefender Performa prevents access to restricted URLs and displays a screen that
indicates the URL (variable %URL%) and the category (variable %URLCATEGORY%) under
which the URL has been blocked.
This warning page can be configured. To do this, click Edit warning page.
Editing substitute texts for the warning page
In the Edit the Web filtering warning page window, enter the title and text of the message you
want to display. Then click Save.
Click Restore to apply the default settings.
The design of the page can be configured in Settings > System > Substitute page for
HTTP/S, where you can choose from three types of design and add the company logo.
Users can automatically report false categorization to Commtouch through a simple link on the warning
page. The report reaches the Web filter database and statistics are monitored from Panda Security to
control the number of false positives generated by the Web filter.
White list
The Web filtering white list contains domains, sites or specific addresses which, even though they don’t
belong to a restricted category, must be accessible for the network users.
To enable this Web filtering feature:
1. Enable the Enable use of the white list checkbox.
2. Configure the list by clicking on To configure this list, click here.
A window will then open that allows you to define what domains or Web pages should be added to the
white list.
To add a URL to the white list, follow the steps below:
1. Enter the URL that you want to add to the white list in the New field.
2. Click Add.
3. Repeat steps 1 and 2 for each URL that you want to add to the list.
4. To import or export from the list, refer to the section Import / Export files or lists.
5. If you make a mistake or want to remove a URL from the white list, select the relevant URL in
the list and click Remove.
6. Click Save.
How to configure the white list
To configure the Web filtering white list, you can add:
• Full URL (www.domain.com/address): Only this address will be excluded from the filter (page, file
or directory).
• Website (www.domain.com): All of the addresses belonging to the site will be excluded from the
filter: (www.domain.com, www.domain.com/address_1, www.domain.com/address_2, etc.).
• Domain or sub-domain (domain.com or subdomain.domain.com): All of the addresses belonging
to all the websites in the domain or subdomain will be excluded from the filter (www.domain.com,
www3.domain.com, XXX.domain.com/address). You can use wildcards to define subdomains.
When configuring the white list, you can use a wildcard provided that it is at the beginning of
the string, before the dot (for example, *.panda.com), or at the end, after the dot (for example,
www.panda.*).
Blacklist
The Web filtering blacklist contains domains, sites or specific addresses which, even though they don’t
belong to a restricted category, must not be accessible for the network users. These will always be
filtered, regardless of their category.
To enable this Web filtering feature:
1. Enable the Enable use of the blacklist checkbox.
2. Configure the list by clicking on To configure this list, click here.
When you do this, a window will open that allows you to define what domains or web pages should be
added to the blacklist.
To add a URL to the blacklist, follow the steps below:
1. Enter the URL that you want to add to the blacklist in the New field.
2. Click Add.
3. Repeat steps 1 and 2 for each URL that you want to add to the list.
4. To import or export from the list, refer to the section Import / Export files or lists.
5. If you make a mistake or want to remove a URL from the blacklist, select the relevant URL in the
list and click Remove.
6. When you have finished, click Save.
How to configure the blacklist
To configure the Web filtering blacklist, you can add:
• Full URL (www.domain.com/address): Only this address will be filtered (page, file or
directory).
• Website (www.domain.com): All of the addresses belonging to the site will be filtered:
(www.domain.com, www.domain.com/address_1, www.domain.com/address_2, etc.).
• Domain or sub-domain (domain.com or subdomain.domain.com): All of the addresses belonging
to all the websites in the domain or subdomain will be filtered www.domain.com,
www3.domain.com, XXX.domain.com/address). You can use wildcards to define subdomains.
When configuring the black list you can use wildcards, provided that:
They are at the beginning of the string before the dot. For example: *.panda.com .
Or at the end after the dot. E.g. www.panda.*
IM/P2P/VoIP application filter
IM/P2P/VoIP protocol filter settings
To access the IM/P2P/VoIP protocol filter settings, click the Settings menu in the main
console window, and select IM/P2P/VoIP and Web filter > IM/P2P/VoIP filter.
Panda GateDefender Performa monitors and blocks access to instant messaging and file exchange
protocols. Firstly, select Enable the P2P and messaging protocol filter.
Schedule for applying the restrictions
Use the matrix displaying the days of the week and the hours. Click the cell corresponding to the day
and time to allow/restrict.
Restricted P2P protocols
Select the protocols to restrict. Use the corresponding checkbox.
• BitTorrent
• eDonkey
• FastTrack
• Gnutella
• OpenNap
• Ares
• DirectConnect
• Manolito
• Spotify
• Applejuice
Use the link "....." to see the rest of the protocols that can be filtered.
Restricted messaging protocols
Select the protocols to restrict. Use the corresponding checkbox.
• ICQ/AOL
• IRC
• MSN Messenger
• Yahoo! Messenger
• Skype
• Jabber
Protection level
You can select different security levels in the filtering of protocols you want to restrict:
• If you choose maximum level security, all traffic will be scanned in-depth to restrict the
protocols that you have specified, regardless of the port used. This is the safest option, but it
may reduce the performance of the appliance.
• You can choose a mixed level. This analyzes the traffic in all ports, except those specified. For
example, you can specify that traffic entering protocol ports http (80) or ftp (20) is not analyzed,
so that traffic through these ports is not affected. If several ports are specified, they must be
separated by commas.
• To obtain maximum performance from the appliance, you can choose to scan traffic only in
ports used frequently by the applications you want to restrict. Also, you can specify as many
additional TCP or UDP ports as you like. If several ports are specified, they must be separated by
commas.
If the port that uses the restricted protocols is different from the normal or specified ports, the
protocols cannot be effectively restricted.
Protocols that can be filtered
• MSN - Version 2009 (Build 14.0.8117.416)
• Yahoo Messenger - v10.0.0.1267
• Skype - v4.2.0.166
• BitTorrent - Official Client v6.4 (build 18095). Protocol v11031
• Ares - v2.1.5 (Ares Protocol and BitTorrent Protocol)
• AppleJuice - v0.70.5/F-1.15
• Direct Connect/Advanced Direct Connect (DC++) - v0.761 (r2102)
• Emule (Edonkey) - v0.50a
• FastTrack / Kazaa
• Gnutella/Gnutella2 (Shareaza) - v2.5.2.0
• ICQ - v7.1
• LimeWire - v5.5.8
• Jabber (XMPP)
• MP2P - Manolito/Piolet/Blubster v3.1.1
• Spotify
Users exempt from filtering
Panda GateDefender Performa lets you create lists of users (computers or subnets) that will be
excluded from the Web and IM/P2P/VoIP filters.
Users excluded from web filtering
In the Web filter settings screen, follow these steps:
1. Enable the Enable use of the excluded users list checkbox.
2. If you want to add a computer to the list of exempt computers or subnets, click New.
3. Enter the IP address and Net mask details.
4. Click Save.
5. The computer will appear in the list of computers excluded from filtering.
6. Repeat steps 2, 3 and 4 for each computer and subnet that you want to exclude from Web
filtering.
Use the corresponding buttons to modify the list or remove any computers from it.
If when you enter an IP address you do not include the corresponding subnet details, the value
255.255.255.255 will ultimately be included, referring solely to this specific IP address.
Users exempt from P2P/IM filtering
In the IM and P2P settings screen, follow these steps:
1. Enable the Enable use of the excluded users list checkbox.
2. If you want to add a computer to the list of exempt computers or subnets, click New.
3. Enter the IP address and Net mask details.
4. Click Save.
5. The computer will appear in the list of computers excluded from filtering.
6. Repeat steps 2, 3 and 4 for each computer and subnet that you want to exclude from filtering.
Use the corresponding buttons to modify the list or remove any computers from it.
Export/Import a list of computers.
Once you have defined a list of computers that are exempt from filtering, you can export it. This also
means you will be able to recover it whenever you want using the Import option, and therefore avoid
having to reenter all the data of all the computers. Refer to the section Import/Export files or lists.
Profiles
Configuration by profiles
Panda GateDefender Performa enables various profiles to be managed easily, by creating
configurations as desired and personalized profiles. To do so, you can use:
• Settings management: This enables settings to be created as required, and which can be used
for the various profiles.
• Protection profile settings: This enables personalized profiles to be created to which the
settings can be applied.
Managing settings
Panda GateDefender Performa lets you set up various configurations which can
subsequently be applied to a protection profile. This lets you configure the protection you can apply
to specific users, addresses or IP ranges, domains, email addresses and specific Web pages.
This is an easier method of managing configuration by profiles. Simply define the configuration
required and apply it to the protection profiles that you have already created.
Follow these steps to set up a configuration:
1. In the main screen of the Web console, click Settings.
2. In Profiles, click List of settings. You will see the Settings manager window.
3. Click Add.
4. In the Edit settings window, specify the name with which you want to identify these settings.
5. Indicate the protection to configure (Anti-malware, Content Filter, Anti-spam and/or
IM/P2P/VoIP and Web filter). You can use the Comments field to enter details
which will help you identify the configuration in the future.
6. Click Edit settings.
7. Set up the configuration you require for each of the protections specified.
8. Click Accept settings.
Once the required configuration has been set up, it can be modified or deleted by clicking Modify or
Delete.
Edit Settings
Click the following links to find out more about the various protection settings:
• Anti-malware protection
• Content Filter protection
• Anti-spam protection
• Web filtering
• IM/P2P/VoIP filter
Creating and modifying protection profiles
You can use Panda GateDefender Performa to specify profiles for the protection you
want to apply to users or user groups, IP addresses, domains, email addresses, specific websites, etc.
Before a protection profile can be created, you must first have created a configuration in the Settings
manager.
Follow these steps to create a protection profile.
1. In the main screen of the Web console, click Settings. Then select Assign settings to local
profiles. Click Add (if you want to create a new profile) or Modify (if you want to modify an existing
profile).
2. This will take you to the Protection profile manager screen with the following options:
• Name: Descriptive name of the profile.
• Apply to: This specifies the items to which the settings will be applied. Enable the
checkboxes that you want to include in the settings.
The options available are:
   o Users: Select one of the two options offered by Panda GateDefender Performa:
      o User groups: This lets you apply a specific protection profile to the user groups or
      LDAP groups specified in the User management section.
      o Sub-tree/individual users: If you have already specified an LDAP server, you can
      specify the branch of the hierarchy to which you want to apply the protection profile. In
      the BaseDN field, specify the DN of a container, or else the DN of a specific user.
   o IP/IP address group: Enable the checkboxes corresponding to the options you want to
   include in the configuration: IP/Source group and IP/target group.
   Each of these consists of a list from which you can select the IP address group to which to
   apply the protection profile. You must have created it in the IP address management
   screen.
• Domains: Enable the checkboxes corresponding to the options you want to include in the
configuration: Source Domain and Target Domain.
Each of these consists of a list from which you can select the domains to which to apply
the protection profile. You must have created it in the Domain management screen.
• Email addresses: Enable the checkboxes corresponding to the options you want to include in
the configuration: Email sender addresses, Email recipient addresses, Domain lists.
Specify a list of addresses for each, separated by commas.
• Settings: Select one of the configurations from the drop-down menu. Remember that you
must first have set up a configuration in the settings manager.
Once you have configured the user, click OK to save the changes.
Centralized protection settings
Introduction and access to the centralized settings
On occasion, the complexity and size of the corporate networks that Panda
GateDefender Performa must protect require more than one appliance to be
deployed and running. Panda GateDefender Performa’s Web console allows you to manage the
protection provided by the different appliances on the corporate network in a centralized way.
In short, the centralized protection management in Panda GateDefender Performa lets you:
• Select the appliances or groups of appliances to which you want to remotely and automatically
establish and apply protection settings.
• Select protection settings applicable to the different appliances.
• Select different configuration profiles applicable to the appliances.
• Monitor which settings and profiles have or haven't been applied to each appliance.
It is essential that all appliances whose protection settings will be managed centrally have the
same system version installed.
By using this feature, you will not have to connect individually to each of the appliances every time you
want to apply a protection configuration. You only have to enter the login details when you configure
the appliances.
Below you will find a summarized description of the screens you'll have to use to remotely and centrally
manage the appliances deployed on your network. As you can see, the configuration is simple and
intuitive:
Basic process for centrally configuring the protection
1. Determine the appliances or groups of appliances to which you want to centrally
apply the settings.
To do this, click the Settings menu in the main Console screen. Then, select Profiles > List
of appliances.
In the List of appliances screen you can indicate which appliances or groups you want to
manage. You can add new appliances or groups, modify them or delete them. You can change
the structure of any group, adding or removing appliances.
2. Protection management.
From the Assign settings to other appliances screen, you can establish if you want to
manage individual appliances or the groups defined in the previous step. Once you have
selected the configuration, you can apply it directly to all appliances. This configuration will
be the main or default settings on the target appliances.
If you want to create or edit protection settings to apply to managed appliances, use the
Settings management screen.
3. Additional Profile selection
You may want to apply certain configuration profiles to appliances or groups of appliances.
In this case, the Profile selection screen lets you select new profiles and assign them, along
with the corresponding configuration, to appliances or groups of appliances.
You can create or edit configuration profiles from the Create and modify profile settings
screen. As you can see in this screen, a profile specifies the user group, domains, IP/address
group, etc., to which a certain configuration is applied (Example: blocking access to certain
Web content to the group of IP addresses: 172.16.*.*).
List of appliances
These screens let you indicate which appliances or groups you want to manage. You
can add new appliances or groups, modify them or delete them. You can change the structure of any
group, adding or removing appliances.
To access the List of appliances screen, click the Settings menu in the main console screen, and
select Profiles > List of appliances.
Manageable appliances
In the Manageable appliances section you will see the appliances with their name and the console
IP.
To add a new appliance, click Add. In the Appliance details screen enter the data needed in order to
manage an appliance remotely:
• Name: a name to identify the appliance.
• IP: IP address used to access the console.
• User: name of a user with full administration permissions.
• Password: user password.
• Group: group to which the appliance belongs. This parameter is optional.
• Comment: here you can add additional information. This field is optional.
Then click Save.
Manageable groups
In the Groups of manageable appliances section you will see groups of appliances, the names of
each appliance in the group and the IP address of the console of each appliance.
To add a new group click Add. In the Group details screen, enter the data needed in order to
manage a group remotely:
• Name: name identifying the group.
• Appliances in the group: the table shows appliances that are not assigned to any group. Use
the checkboxes to select the appliances that will make up the group. Then click Save.
Assigning settings to other appliances
Once you have defined, in the List of appliances screen, the appliances and groups of
appliances you want to configure remotely, you can assign and apply protection settings. If you want
to create or edit protection settings to apply to managed appliances, use the Settings
management screen.
You may want to apply certain configuration profiles to appliances or groups of appliances. In this case,
the Profile selection screen lets you select new profiles and assign them to appliances or groups of
appliances. You can create or edit configuration profiles from the Create and modify profile settings
screen.
Assigning settings to other appliances
1. Click the Settings menu in the main Console screen.
2. Select Profiles > Assigning settings to other appliances.
3. In the Appliances section, select the appliance to which you want to assign and apply the
settings.
When you click on the name of an appliance, you will access the corresponding Web
console.
4. Click Modify to access the Centralized management screen.
5. In the Settings menu, select the settings to assign to the appliance.
6. Click Set.
The Apply button will only be visible when you select settings from the drop-down menu.
If you want to send an associated settings profile instead, click Edit list to access the
Profile selection screen.
Click Save.
Assigning settings to groups of appliances
1. Click the Settings menu in the main Console screen.
2. Select Profiles > Assigning settings to other appliances.
3. In the Groups of Appliances section, select the group to which you want to assign and apply
the settings.
When you click the triangle next to the group name, you will see the appliances in the group.
4. Click Modify to access the Centralized management screen.
5. In the Settings menu, select the settings to assign to the group.
6. Click Apply.
The Apply button will only be visible when you select settings from the drop-down menu.
If you want to send an associated settings profile instead, click Edit list to access the
Profile selection screen.
Profile selection
When you use the option in Panda GateDefender Performa, you may need a settings profile other than
the one assigned to the appliance in the Assign settings to other appliances screen.
You can use Profile selection to resolve this situation. To do this:
1. In the list of Profiles available, select the profile you want to add to the list of assigned profiles
and click >>. It will be removed from the list of profiles available and added to the list of profiles
assigned.
2. In the list of Profiles assigned, select the profile you want to remove from the list and click <<.
It will be removed from the list of profiles assigned and added to the list of profiles available.
3. Click Save.
The new profile will appear in the list of profiles in the Assign settings to other appliances screen.
You can create or edit configuration profiles from the Create and modify profile settings screen. As
you can see in this screen, a profile specifies the user group, domains, IP/address group, etc., to which
a certain configuration is applied (Example: blocking access to certain Web content to the group of IP
addresses: 172.16.*.*).
System settings
General settings
Introduction
Click the Settings menu in the main Console screen. In the System section, you will find the Panda
GateDefender Performa general settings options:
• Access the console: This lets you define the configuration IP address, the time when the
configuration console should disconnect automatically and management of permissions and
passwords for using the console.
• Load balancing/high availability: Lets you configure Panda GateDefender Performa to
work in parallel with other units, sharing the workload and increasing the capacity and stability of
the protection. The type of load balancing can be configured: automatic or manual.
• System clock: Lets you set the system date and time.
• Explicit proxy: If Panda GateDefender Performa is not operating on the network infrastructure
along with a proxy, you will have to enable the internal (explicit) proxy for the various
HTTP/HTTPs protection profiles depending on the user.
• HTTPS connections and certificates: To manage HTTPS traffic and scan it for malware,
Panda GateDefender Performa has to establish connections that require
authentication and certificates.
• Advanced settings
• Quality of Service (QoS) settings: Panda GateDefender Performa has a Quality of Service
feature aimed at ensuring that traffic flow reaches its destination with certain levels of
performance and minimum delays.
Console access settings
Console access
In this screen you can configure different general aspects of the console, such as:
Users
You can configure the users that can access the Web console, their passwords and permissions. You
can add new users and edit existing ones, selecting them and then clicking the corresponding buttons.
This will take you to the Edit user screen.
The default user cannot be deleted and its permissions cannot be changed.
Configuration IP
• Configuration IP address. This IP address is vital for accessing the console (not remote). This
address must be unique within the organization. The default IP is 172.16.1.1 and the default net
mask is 255.255.255.0.
• The subnets or IP addresses from which users can access. Select Access is only available
from the following IPs or subnets. Use the corresponding buttons to add, modify or remove
IPs and subnets.
Automatic disconnection of the Web console
• Automatically disconnect the Web console after a certain period of inactivity. By default, the
console will disconnect after thirty minutes of inactivity.
In order to view the factory settings of the appliance, click here.
Editing users
Panda GateDefender Performa lets you change the user name and password for logging into the Web
administration console. It also lets you assign different permissions to each user, depending on the
specific needs of your organization.
Users will be able to access functions in accordance with the specific permissions they have.
Panda GateDefender Performa will ask for a user name and password whenever anyone
accesses the Web administration console. The default user is defaultuser and the default password
is defaultpass. It is advisable to change these details, at least the first time you access the Web
administration console.
For security reasons, the default user cannot be deleted and its Complete Administration
permissions cannot be changed.
Enter the following data:
1. User name.
2. Password (twice). Remember that:
• The password must be 6 to 12 characters long (numbers and/or letters).
• Panda GateDefender Performa does not allow you to copy and paste.
• The feature in some browsers that allows you to save previously entered data is disabled.
If you lose or forget these details, you can recover the factory settings.
3. Permissions
In corporate environments there may be several users that need to access the console, and
each of them may need different permissions depending on the tasks they have to carry out.
Panda GateDefender Performa includes four types of permissions:
• Monitoring: Users have permission to access the Status, Reports and Services
screens.
• Protection settings: Users have permission to access the Protection settings,
Definitions, Profiles, Quarantine and Warnings screens.
• Complete administration: Users can access all console functions, including
Updates, License management and Tools. If all three checkboxes are selected, the
user will have Complete administration permissions.
Console access through the configuration IP address
Panda GateDefender Performa has a configuration IP address, which is used to access the web console.
This IP address must be unique and different from the network IP address.
• Configuration IP address. This is the IP address that must be used to access the settings web
console.
• Network IP address. This is the IP address that Panda GateDefender Performa uses to
establish connections (to update, send warnings, etc.). It is configured through the System
settings - Network environment window.
All Panda GateDefender Performa units are configured with the same configuration IP address by
default. You can change it but bear in mind that if you forget it, you won’t be able to access the
settings web console unless you restore the factory settings of the appliance.
For information about the factory settings, click here.
What’s more, this configuration IP address must not be in use by any other device in the network.
If several Panda GateDefender Performa units are connected in parallel, set a different, unique
configuration IP address for each of them.
After setting the configuration IP address, you can access the appliance from both sides of Panda
GateDefender Performa, as you can access the console through this IP address or through any of the
network interface cards of Panda GateDefender Performa.
Automatic disconnection of the Web console
You can configure the Web console to automatically disconnect after a certain period of inactivity. To
do this:
• Enable the Automatically disconnect the Web console after XX minutes of inactivity
checkbox in the System settings screen.
• In the textbox, enter the number of minutes before the Web console will disconnect.
After completing these steps, the console will stop functioning if no operations are carried out for the
specified period of time. If this happens, in order to use the console again, you will have to log on
again.
Load balancing/high availability
Introduction
Panda GateDefender Performa offers three operational modes:
1. Normal or isolated
2. High availability
3. Load balancing
Normal
In normal mode, a single appliance protects the internal network.
Both outbound traffic (originating from the internal network) and inbound traffic (originating from the
external network) pass through it and are filtered.
Load balancing
Load balancing allows the workload to be shared between several Panda GateDefender Performa
units. This provides better performance and fault tolerance.
By using this system, if one of the units fails, the rest will take care of the workload automatically. The
time that passes between one unit failing and the rest taking over its workload is no longer than fifteen
seconds.
So that load-balancing appliances can communicate between each other, an IP multicast is required,
meaning that all appliances must have their configuration interfaces on the same subnet. When a new
appliance is installed and configured on a load-balancing cluster, Panda GateDefender Performa detects
it automatically and re-organizes load-balancing depending on the new total number of appliances in
the cluster.
High availability
If load-balancing is disabled, Panda GateDefender Performa allows appliances to operate in high
availability mode when connected in parallel. In this case it will not be necessary to use the IP
multicast, as the appliances do not communicate between each other.
Both load balancing and high availability require the bypass mechanism to be disabled in those
appliances with these types of cards.
Bypass
The appliance network cards offer bypass functions, so that:
- Without bypass or with bypass disabled:
If the appliance is switched off (e.g. if the power supply is interrupted) or restarted (system or service
restart), traffic cannot continue to pass through it. The connection with the external network will be cut
off.
- With bypass enabled:
If the appliance is switched off or restarted, bypass will be activated with the advantage that traffic will
continue to pass through, but without being filtered.
On activating high-availability or load balancing, the bypass function will be
disabled. This avoids loops on the network.
STP (Spanning Tree Protocol)
Spanning Tree Protocol is a data link level protocol (OSI level 2) that avoids creation of network loops.
Panda GateDefender Performa supports this protocol, as it could be necessary to install appliances in
parallel (high availability and load balancing):
- If there are already devices on the network that support STP, it will not be necessary to enable STP
on the appliances.
- Otherwise (if there is no device with STP on the network on which the appliances are installed), you
will have to enable STP.
To enable STP
Settings > System > General > Advanced settings
In the General settings section, select the checkbox Enable support for STP (Spanning Tree
Protocol)
Support for STP is enabled by default.
It is always advisable to check with the support service before changing any feature in the
Advanced settings screen.
Enable load-balancing/high availability
1. Click the Settings menu in the console.
2. In the System section, select High availability/Load balancing.
3. Enable the high availability or load balancing features in the screen as required.
4. If you want to enable load-balancing, enter the multicast IP in the text box.
5. Click Save.
At the bottom of the screen there is a list of load-balancing cluster units. A change to the operational
mode of an appliance (slave or master) generates the corresponding system event.
To access the console of any appliances in the cluster, click on the name of the appliance.
For load-balancing to take effect, the Enable load-balancing checkbox must be selected in all
appliances.
Load balancing
Load balancing operation
Load balancing enables Panda GateDefender Performa to increase the availability and capacity of the
protection.
By spreading the load, more connections can be scanned.
Of all the traffic intercepted by the appliance/master node, a certain amount will be 'balanced' among
the slaves, which will perform the scans. The load is balanced equally, and distributed so that all nodes
have an equal level of occupation.
If the master node should crash, one of the slaves will take over its functions, continuing to scan and
protect the network.
Network diagram with three nodes
Multicast
To perform load balancing and maintain communication between the nodes, multicast is required.
Multicast addressing allows information to be sent across a network efficiently to a group of recipients
(without broadcasts). For this a group multicast address is needed, through which the nodes send and
receive data.
Multicast diagram (a network node sends data to other nodes):
In Panda GateDefender Performa it is possible to configure this group or cluster IP address. The IP
address range is (RFC 3171): 224.0.0.0 - 239.255.255.255
By default, the IP address of the cluster configured in the appliances is 239.0.0.1
Load-balancing deployment
Deployment of load-balancing involves the following steps:
1. Install/configure the necessary switches on the network
2. Install the first node
3. Configure the system in the node (name, IP addresses, etc)
4. Connect to the network
5. License
6. Configure the protection (anti-malware, anti-spam, Content Filter,… )
7. Enable load balancing
To complete the deployment:
1. Go to the Settings menu.
2. In the System section, in the General sub-section, click High availability/Load-balancing.
3. Enable the Enable high availability checkbox.
4. Enable the Enable load-balancing checkbox.
5. Configure the cluster multicast IP address.
6. Click Save.
7. Install the second node
8. Configure the system
9. Connect to the network
10. License
11. Configure the protection settings identically as for the first node (if you use QoS, enable it and
configure it exactly the same as in the first node).
After having configured the first node, you can send the settings information to the other nodes.
1. Enable load-balancing (so that the appliances can communicate, the multicast IP address of the
cluster must be the same in all nodes).
2. Master node name: node-A
3. Network IP address of the master node: 192.168.1.1/24
4. Configuration IP address of the master node: 172.16.1.1/24
5. Default gateway: 192.168.1.100
6. Multicast IP of the cluster: 239.0.0.1
7. Slave node name: node-B
8. Network IP address of the slave node: 192.168.1.2/24
9. Configuration IP address of the slave node: 172.16.1.2/24
10. Default gateway: 192.168.1.100
11. Multicast IP of the cluster: 239.0.0.1
12. The protection settings must be exactly the same in all nodes.
13. Load-balancing must be enabled in all nodes.
The Status screen will indicate that the appliance is in load-balancing mode. The list of cluster nodes
will also appear.
In the High availability/Load-balancing settings screen there is a table with the cluster nodes
(indicating the IP of each node and whether it is a master/slave).
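A pre-deployment check of the addressing rules this guide states for a load-balancing cluster, as an added example that is not part of the guide or of the product. The Node fields and the validate_cluster function are hypothetical names; the node-A/node-B values are the guide's own example, and the second plan is constructed to show the failures.

```python
import ipaddress
from collections import Counter
from dataclasses import dataclass

# Multicast range the guide cites (RFC 3171): 224.0.0.0 - 239.255.255.255
MULTICAST_RANGE = ipaddress.ip_network("224.0.0.0/4")


@dataclass(frozen=True)
class Node:
    """One appliance in the deployment plan (field names are hypothetical)."""
    name: str
    network_if: str      # network IP with prefix, e.g. "192.168.1.1/24"
    config_if: str       # configuration IP with prefix
    multicast: str       # cluster multicast IP
    load_balancing: bool = True


def validate_cluster(nodes):
    """Return a list of findings; an empty list means the plan is consistent."""
    findings, parsed = [], []
    for node in nodes:
        # The guide: load balancing must be enabled in all nodes.
        if not node.load_balancing:
            findings.append(f"{node.name}: load balancing is not enabled")
        try:
            net = ipaddress.ip_interface(node.network_if)
            cfg = ipaddress.ip_interface(node.config_if)
            mcast = ipaddress.ip_address(node.multicast)
        except ValueError as exc:
            findings.append(f"{node.name}: unparsable address ({exc})")
            continue
        parsed.append((node.name, net, cfg, mcast))
        if mcast not in MULTICAST_RANGE:
            findings.append(f"{node.name}: {mcast} is outside {MULTICAST_RANGE}")
        # The guide: the configuration IP must differ from the network IP.
        if net.ip == cfg.ip:
            findings.append(f"{node.name}: configuration IP equals network IP")

    # The guide: the cluster multicast IP must be the same in all nodes.
    if len({mcast for _, _, _, mcast in parsed}) > 1:
        findings.append("multicast IP differs between nodes")
    # The guide: all configuration interfaces must be on the same subnet.
    if len({cfg.network for _, _, cfg, _ in parsed}) > 1:
        findings.append("configuration interfaces are on different subnets")
    # The guide: each parallel unit needs its own configuration IP. Every unit
    # ships with the same default, so an unchanged node shows up here.
    for ip, count in Counter(cfg.ip for _, _, cfg, _ in parsed).items():
        if count > 1:
            findings.append(f"configuration IP {ip} is used by {count} nodes")
    return findings


# Values from the guide's two-node example.
GUIDE_EXAMPLE = [
    Node("node-A", "192.168.1.1/24", "172.16.1.1/24", "239.0.0.1"),
    Node("node-B", "192.168.1.2/24", "172.16.1.2/24", "239.0.0.1"),
]

# Constructed plan: node-B keeps the factory configuration IP, carries a
# non-multicast cluster address and has load balancing switched off.
BROKEN_PLAN = [
    Node("node-A", "192.168.1.1/24", "172.16.1.1/24", "239.0.0.1"),
    Node("node-B", "192.168.1.2/24", "172.16.1.1/24", "192.168.1.255",
         load_balancing=False),
]

if __name__ == "__main__":
    for label, plan in (("guide example", GUIDE_EXAMPLE), ("broken plan", BROKEN_PLAN)):
        print(label, "->", validate_cluster(plan) or "consistent")
```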
High availability
High availability mode
This operational mode improves the availability of the protection offered by Panda GateDefender
Performa.
High availability mode operates with an active node (through which traffic passes) and one or more
passive nodes (through which traffic will pass if the active node fails).
Under normal circumstances -with the active node operating- traffic will be filtered by this node and the
passive node will not take any action. If the system or services are restarted in the active node, or if
the appliance is switched off, the passive node will take care of the filtering.
Deployment in High Availability mode
Deployment of high availability involves the following steps:
1. Install/configure the necessary switches on the network
2. Install the first node
3. Configure the system in the node (name, IP addresses, etc)
4. Connect to the network
5. License
6. Configure the protection (anti-malware, anti-spam, Content Filter,… )
7. Enable high availability
To complete the deployment:
1. Go to the Settings menu.
2. In the System section, in the General sub-section, click High availability/Load-balancing.
3. Enable the Enable high availability checkbox.
4. Click Save.
5. Install the second node
6. Configure the system
7. Connect to the network
8. License
9. Configure the protection settings identically as for the first node (if you use QoS, enable it and
configure it exactly the same as in the first node).
After having configured the first node, you can send the settings information to the other nodes.
System clock
In this window, apart from showing the date and time of the appliance, you can also
set it (in 24-hour format).
First of all, the screen shows the system date and time:
Then, Panda GateDefender Performa allows you to set the date and time of the appliance. To do this,
specify:
• The Date format: either day/month/year or month/day/year.
• The Time zone.
• Manual setting. You can manually edit the date and time.
• Automatic setting using NTP. Enter the address/URL of the NTP server.
Explicit proxy
If Panda GateDefender Performa is not operating on the network infrastructure along
with a proxy, you will have to enable the internal (explicit) proxy for the various HTTP/HTTPs
protection profiles depending on the user.
As with a normal proxy, the user must be included in one of the local or remote groups (LDAP servers)
defined in Panda GateDefender Performa. The protection profile will be defined by the group to which
the user belongs.
The user must be able to authenticate in the Panda GateDefender Performa internal proxy. Although
this authentication is optional, it is required in order to apply the profile. To access the internal proxy,
the IP of the user must belong to one of the internal networks configured in Panda GateDefender
Performa.
Restricted access attempts generate a system event which can be seen in the Security reports
screen. In the Warnings settings screen you can configure this event to be notified to a remote
Syslog server.
Explicit proxy settings screen
The proxy can be configured from System » General » Explicit proxy
To enable the explicit proxy you must have previously configured the internal networks.
Firstly, select Enable operation as proxy for HTTP/HTTPS. Then configure the proxy IP, the
network mask, and the HTTP and HTTPS ports on which the proxy will listen.
If you configure the proxy with an IP that already exists on the network, a duplicate IP event is
generated, which you will see in the System Report screen, and a warning that will appear in the
Status screen.
Select the Use authentication checkbox and click Select users to configure the groups that can use
the internal proxy.
It is also possible to enable a page cache to increase browsing speed (the cache size is 1024 MB). Use
the Clear button to empty the cache.
HTTPS connections and certificates
Introduction
Panda GateDefender Performa can scan encrypted HTTPS traffic for malware, in the same way as for
HTTP. This HTTPS traffic is basically HTTP traffic across a secure TLS channel (Transport Layer
Security, previously SSL).
One of the phases for establishing the TLS channel is the authentication of the server's identity. This
authentication is based on digital certificates signed by a certification authority.
In order for the encrypted traffic to be scanned in Panda GateDefender Performa, two encrypted
connections must be established: one between the client and Panda GateDefender Performa, and the
other between the appliance and the server. Without the interception by the appliance, there is only an
encrypted connection between the client and the server.
This type of connection means that not only does Panda GateDefender Performa have to authenticate
the server, but the client will also authenticate Panda GateDefender Performa. Actually, Panda
GateDefender Performa authenticates as if it were the server delivering the page in question.
All of this requires management of digital certificates and certification authorities, which can be done in
the Panda GateDefender Performa Web console, through Systems > General > HTTPS
connections and certificates.
Normally, servers are authenticated by the client browser, although in some rare cases, a
server may require authentication of the client. This represents a limitation for Panda GateDefender
Performa, because client authentication cannot be handled by the transparent interception. However,
it is possible to use IP white lists, so that traffic is not intercepted.
SSL connection policies
To access the screen for configuring SSL connections and certificates, click System » General » HTTPS
connections and certificates.
By enabling the corresponding checkboxes, you can prevent connections for either of these two
situations:
• Don't allow connections with servers with invalid certificates for Panda GateDefender Performa:
The certificate presented by the server must be signed by one of the certificate authorities configured
in GateDefender. If this condition is not met, the corresponding system event will be generated, and
will be visible in the System events screen.
• Don't allow expired certificates:
Do not allow connections if the certificate is expired. If this condition is not met, the corresponding
system event will be generated, and will be visible in the System events screen.
HTTPS URL white list
Panda GateDefender Performa lets you define a list of domains, sites or specific pages for which the
validity of the certificate will not be checked. To apply this white list click Enable use of the white
list, and you will go to the HTTPS URL white list screen where you can define the list.
Certification authorities
Internal certification authorities for signing certificates
This certification authority will be used by Panda GateDefender Performa for generating certificates that
will be sent to end users. You can download the corresponding certificate for users to install in their
browsers to prevent them from getting SSL security warnings. The file extension is .crt to ensure
compatibility with Internet Explorer.
You can import a certification authority certificate to use to generate certificates. In this case you will
have to import the private key (RSA or DSA) used to sign them.
You can either download a new internal certification authority or edit an existing one. Either option, in
the case of appliances operating in load-balancing mode, means that this change will have to be
exported to other units, to avoid having to install different certificates on clients for each appliance.
The Export private key button will only be enabled when modifications have been made
to the default certification authority. If you click Restore, the default settings will be restored.
You will then have to import the private key (previously exported from another Panda GateDefender
Performa) and the certification authority certificate in each of the appliances.
Use the Modify button to change the internal certification authority, editing the corresponding data.
Certification authorities for verifying certificates
Panda GateDefender Performa offers a list of certification authorities for validating certificates received
from HTTPS sites. You can import/export new certificate authorities or delete some existing ones. Use
the corresponding buttons.
If you want to see the details of any of the authorities in the list, select it and click View details.
Restoring HTTPS certificate settings
Use the Restore button if you want to restore the Panda GateDefender Performa factory settings for
the internal certification authority certificates and certification authorities.
Advanced settings
The parameters on this page must not be modified unless specifically requested by
our technical staff. If this is necessary, they will explain the steps to follow.
Quality of Service (QoS) settings
Quality of Service settings
Panda GateDefender Performa has a Quality of Service feature aimed at ensuring that
traffic flow reaches its destination with certain levels of performance and minimum delays.
Panda GateDefender Performa bases this function on the assigning of bandwidth to interface outputs.
For the correct operation of QoS in Panda GateDefender Performa, the external interface or
NIC1 must be connected to the external network (the Internet, for example), while the internal
interface or NIC2 must be connected to the internal network (the corporate network for example).
Appliance connection
The most basic way of administering QoS in Panda GateDefender Performa is the configuration of
bandwidth for each interface.
Existing traffic flow
Downstream traffic goes from the external network to the internal network, passing through NIC1 as
inbound traffic, and then through NIC2 as outbound traffic.
Upstream traffic goes from the internal network to the external network, as inbound traffic in NIC2 and
outbound traffic in NIC1.
Panda GateDefender Performa lets you set the outbound bandwidth for NIC1 and NIC2 (marked in
orange):
- When you set the maximum outbound traffic in NIC1 this restricts the amount of traffic going to the
external network.
- When you set the maximum outbound traffic in NIC2 this restricts the amount of traffic going to the
internal network.
Example of a network with QoS based on global bandwidth
Existing network
- LAN at 100 Mbps
- ADSL with download speed of 6 Mbps and upload of 1 Mbps
Settings:
- Period in which QoS is applied: by default.
- Global bandwidth settings:
  o External interface (NIC1): Maximum outbound traffic: 1 Mbps
  o Internal interface (NIC2): Maximum outbound traffic: 100 Mbps
- IP and protocol settings: none
Result:
- Maximum upload traffic speed will be 1 Mbps. This will prevent saturating the connection by sending
data at more than 1 Mbps.
- Maximum download traffic speed will be 100 Mbps.
To achieve greater control over QoS, you can also use these settings, through which you can define the
rules for managing outbound traffic in the external interface or NIC1:
Using these settings has the advantage that you can add rules, favoring certain types of outbound
network traffic. Protocols and the source IP of data packets (which circulate from the internal network
to the external network) are used to classify traffic flows. These flows can be assigned guaranteed
bandwidth. Even if all outbound bandwidth is occupied, if there is guaranteed bandwidth for an IP
address/protocol, this will be reserved for the IP/protocol.
It is also possible to define maximum bandwidth, thereby controlling the amount of bandwidth for a
certain protocol or group of IPs, leaving bandwidth free for other traffic. Finally, traffic priority is a
factor to bear in mind for unused bandwidth.
QoS sample settings
Concepts used in the examples:
Downstream traffic
Traffic that enters via the Internet or external network and enters the internal network or LAN
Upstream traffic
Traffic that leaves the LAN or corporate network towards the Internet or external network.
Inbound traffic (to an interface)
Traffic that enters through the port of a network card (enters the appliance)
Outbound traffic (to an interface)
Traffic that leaves through the port of a network card (leaves the appliance)
Interface identification
The interfaces are identified as follows:
- NIC1: external interface (connected to the Internet or an external network)
- NIC2: internal interface (connected to the corporate network or the internal network to protect)
Internal or inherent appliance traffic
Generated by the network card or the appliance settings (depending on the development)
Interceptable traffic
Traffic that is filtered through the various protection units.
Scenario 1: mail and Web
There is an internal network in which outbound Web (HTTP) and email (SMTP, POP3) traffic flows are
generated, both with a similar traffic volume:
HTTP traffic is considered of low importance and is to be restricted, except for the computer with the
IP address 192.168.1.112, whose HTTP traffic has high importance.
Existing network:
Upload BW of the external link: 1024 Kbps
Download BW of the external link: 100 Mbps
QoS settings:
(must be adjusted to the previous BW)
Maximum outbound traffic for the external interface (NIC1): 1024 Kbps
Maximum outbound traffic for the internal interface (NIC2): 100 Mbps
Reserved bandwidth: 5 %
The following rules are created:
Rule | Source IP        | Protocol | Guaranteed BW | BW limit    | Priority
-----|------------------|----------|---------------|-------------|---------
1    | 192.168.1.112/32 | HTTP     | 300 Kbps      | Not limited | High
2    | 192.168.1.0/24   | HTTP     | 0 Kbps        | 200 Kbps    | Low
3    | 192.168.2.0/24   | HTTP     | 0 Kbps        | 200 Kbps    | Low
4    | Any              | SMTP     | 400 Kbps      | Not limited | Medium
5    | Any              | POP3     | 100 Kbps      | Not limited | Medium
• Rule 1
Provides guaranteed BW of 300 Kbps to HTTP traffic originating from IP 192.168.1.112. It will also
have high priority in order to get any free BW, if required.
• Rule 2
For the rest of the subnet 192.168.1.0/24, the HTTP traffic has no guaranteed BW and will be limited
to 200 Kbps. The priority will be low so that it does not compete for free BW.
• Rule 3
For the whole 192.168.2.0/24 subnet, the procedure is the same as the previous rule, limiting HTTP
traffic to 200 Kbps and assigning low priority.
• Rule 4
SMTP traffic, whatever the origin, is guaranteed 400 Kbps (outbound) and will have medium priority.
• Rule 5
POP3 traffic, whatever the origin, is guaranteed 100 Kbps (outbound) and will also have medium
priority.
The buttons to the side of the box let you move the selected rule up and down. The rules are
applied in accordance with the order in which they are listed.
In this scenario, rule 1 should be listed before rule 2, so that it discriminates traffic originating
from the computer or host 192.168.1.112.
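The ordering requirement above can be checked before a rule list is saved. The following is an added example, not code from the appliance or from Panda Security: it models the Scenario 1 table, assumes that "applied in order" means the first matching rule wins, and flags any rule that an earlier, broader rule for the same protocol would make unreachable. All function and field names are hypothetical.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Assumption of this sketch: a source of "Any" is modelled as 0.0.0.0/0.
ANY = ipaddress.ip_network("0.0.0.0/0")


@dataclass(frozen=True)
class QosRule:
    number: int
    source: ipaddress.IPv4Network
    protocol: str
    guaranteed_kbps: int
    limit_kbps: Optional[int]  # None stands for "Not limited"
    priority: str


def rule(number, source, protocol, guaranteed_kbps, limit_kbps, priority):
    """Build a rule from the values as they appear in the guide's table."""
    net = ANY if source.lower() == "any" else ipaddress.ip_network(source)
    return QosRule(number, net, protocol.upper(), guaranteed_kbps, limit_kbps, priority)


# Rule table copied from Scenario 1 of the guide.
SCENARIO_1 = [
    rule(1, "192.168.1.112/32", "HTTP", 300, None, "High"),
    rule(2, "192.168.1.0/24", "HTTP", 0, 200, "Low"),
    rule(3, "192.168.2.0/24", "HTTP", 0, 200, "Low"),
    rule(4, "Any", "SMTP", 400, None, "Medium"),
    rule(5, "Any", "POP3", 100, None, "Medium"),
]


def classify(rules, source_ip, protocol):
    """Return the first rule, in list order, that matches the flow, or None.

    First-match semantics is an assumption drawn from the guide's statement
    that rules are applied in the order in which they are listed.
    """
    addr = ipaddress.ip_address(source_ip)
    for r in rules:
        if r.protocol == protocol.upper() and addr in r.source:
            return r
    return None


def shadowed_rules(rules):
    """Return (shadowed, shadowing) rule-number pairs.

    A rule is shadowed when an earlier rule for the same protocol already
    covers its whole source range, so the later rule can never match.
    """
    pairs = []
    for i, later in enumerate(rules):
        for earlier in rules[:i]:
            if earlier.protocol == later.protocol and later.source.subnet_of(earlier.source):
                pairs.append((later.number, earlier.number))
                break
    return pairs


def guaranteed_fits(rules, nic1_max_kbps):
    """Sanity check: the guaranteed bandwidths must not exceed the NIC1 maximum."""
    return sum(r.guaranteed_kbps for r in rules) <= nic1_max_kbps


if __name__ == "__main__":
    print("order from the guide:", shadowed_rules(SCENARIO_1))
    swapped = [SCENARIO_1[1], SCENARIO_1[0]] + SCENARIO_1[2:]
    print("rule 2 listed first: ", shadowed_rules(swapped))
    print("192.168.1.112 HTTP ->", classify(swapped, "192.168.1.112", "HTTP").number)
```

With rule 2 listed first, the host 192.168.1.112 falls under the 200 Kbps low-priority rule and rule 1 is never reached, which is the misconfiguration the ordering note above is meant to prevent.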
Scenario 2: Web
There is an internal network from which outbound Web (HTTP, HTTPS) traffic originates, along with
other traffic that does not match any of the rules.
HTTP and HTTPS traffic is considered important and there is a lesser volume of traffic from other
protocols which is given less importance.
Existing network:
Upload BW of the external link: 512 Kbps
Download BW of the external link: 100 Mbps
QoS settings:
(must be adjusted to the previous BW)
Maximum outbound traffic for the external interface (NIC1): 512 Kbps
Maximum outbound traffic for the internal interface (NIC2): 100 Mbps
Reserved bandwidth: 5 %
The following rules are created:
Rule | Source IP | Protocol | Guaranteed BW | BW limit    | Priority
-----|-----------|----------|---------------|-------------|---------
1    | any       | HTTP     | 200 Kbps      | Not limited | High
2    | any       | HTTPS    | 200 Kbps      | Not limited | High
• Rule 1
Guaranteed BW of 200 Kbps to HTTP traffic. It will also have high priority in order to get any free BW,
if required.
• Rule 2
Guaranteed BW of 200 Kbps to HTTPS traffic. It will also have high priority in order to get any free BW,
if required.
The rest of the traffic will have medium priority, and so will not compete for free BW.
Network settings
Network environment
Configure the Panda GateDefender Performa network environment (IP address, net
mask, default gateway, proxy server IP address and the DNS servers) to access the Internet in the
same way as Internet access for any other computer in the same subnet is configured.
To check the factory settings of Panda GateDefender Performa, click here.
After configuring these parameters, Panda GateDefender Performa will be able to:
• Connect to the Internet to look for updates.
• Send warnings to any computer.
• Download the license file, etc.
Check that the data entered is valid and coherent; otherwise Panda GateDefender Performa will not be
able to establish the connections it needs to operate correctly.
Enter the following data:
• Panda GateDefender Performa name:
• Network data:
• Additional routing table:
• DNS Servers:
• Internet access via HTTP proxy:
• Virtual MAC addresses:
Panda GateDefender Performa name
Name that identifies the Panda GateDefender Performa unit within the organization. This name will be
used in the warnings in order to specify which appliance has sent them. This is not a NetBIOS name.
Network data
Data (network IP address, net mask and default gateway) used by Panda GateDefender Performa to
connect to the Internet.
As it works like a bridge, the appliance only needs one network IP address, which it uses to establish
connections through any of its network interface cards. The appliances use the network interface card
that is connected to the network in which the target of the connection is located.
Additional routes table
This allows static routes to be defined. The appliances use these routes when they need to connect to
subnets that cannot be reached through the default gateway. For example, when the server the
appliance must connect to in order to send warning messages is in a different subnet.
You can add new routes by clicking on the New button. Then enter the following data:
• Target: IP address of the host or IP address of the target subnet that will use the route.
• Net mask: The net mask is used with the target in order to determine when the route will be
used.
• Gateway: IP address of the router to which the data for recipients will be sent. These are
determined by the Target and Net mask.
DNS servers
IP addresses of the primary and secondary DNS servers that Panda GateDefender Performa must use
to resolve domain names and IP addresses. You can specify the preferred DNS servers and up to two
alternative DNS servers, which will be used if it is not possible to connect to the preferred server
because it cannot be found or because it returns an error.
The appliances are configured with a default DNS server that you can change to include
the IP addresses or DNS servers that you want to use.
Internet access via HTTP proxy
If Panda GateDefender Performa will access the Internet via a proxy server, enable the checkbox and
enter the following data:
• IP address of the proxy and the port it uses.
• If the proxy server requires authentication, enable the Requires authentication checkbox
and indicate a valid user name and password for the proxy.
Virtual MAC addresses
Some devices used in complex networks use virtual MAC addresses (usually devices working in load
balancing mode).
In this case, the unit needs to know which of the two network interface cards is connected to each
virtual MAC address being used in the organization.
Click on the Specify virtual MAC addresses link to associate the virtual MAC addresses with the
corresponding network interface card in the appliance.
Network interfaces
By default, Panda GateDefender Performa sets the network cards to autonegotiate both the operational
mode and the speed. It is not advisable to force them to function in a
specific mode (half-duplex or full-duplex) or at a specific speed (10 Mbps, 100 Mbps, 1 Gbps).
However, if really necessary, you can configure the network interface card operational mode and speed.
The options are:
• AutoSensing/Autonegotiation. This is the recommended, default mode. If you select this
option, Panda GateDefender Performa assigns the autonegotiation value to the operational mode
and the speed at which the network interface works.
• Full-duplex. Communication mode in which nodes can simultaneously send and receive data
between one another. Full-duplex communication usually requires you to control the traffic flow
in order to ensure that none of the devices send out data faster than the other can receive it.
• Half-duplex. Communication mode for transmitting data between two points in just one
direction at a time (either of the two). This means that data cannot be sent and received at the
same time, which is possible with full-duplex communications.
When using a hub to interconnect several devices, all should be functioning in the same mode
(half-duplex or full-duplex). If they work in different modes, communication between them will not be
effective. In these circumstances, forcing cards to work in full-duplex or half-duplex mode could
cause problems, considerably reducing network and appliance performance. However, when
switches are used to connect devices, each device can work in a different mode.
You also have the option to configure a set speed at which the network interface card should work.
This can be done provided that the Autonegotiation option is not selected in Mode. The following
speeds are available:
• 10 Mbps.
• 100 Mbps.
• 1 Gbps.
In most cases the default mode (AutoSensing / Autonegotiation) is the most appropriate.
If you select Auto negotiation mode, you will not be able to configure the fixed speed
of the network cards, as this option affects both cases.
Additional port settings
The system uses the standard port for intercepting and filtering the traffic for each
protocol. However, you can also enter additional ports for each protocol.
To access the Port settings screen, click the Settings menu in the console, and in the Network
section, select Additional ports.
The communication that uses the standard ports and the additional ports entered will be scanned by
Panda GateDefender Performa.
Protocol | Default port
---------|-------------
HTTP     | 80
HTTPS    | 443
FTP      | 21
SMTP     | 25
POP3     | 110
IMAP4    | 143
NNTP     | 119
Panda GateDefender Performa does not allow you to enter the following ports:
• Invalid ports (higher than 65535, for example).
• Standard ports, as the traffic that passes through these ports will always be scanned (as they are
defined in the factory settings and used by default).
• Ports already entered for other protocols.
Panda GateDefender Performa does not scan traffic in non-standard ports not included in
the additional ports configured here.
Managing internal networks
By defining internal networks you can classify SMTP messages as inbound or outbound.
This configuration is necessary for the anti-spam, anti-phishing and content-filter protections to operate
correctly.
SMTP messages will be classified as inbound in the following cases:
• No internal networks have been defined. In this case, all SMTP mail will be considered inbound.
• The source IP address does not belong to any of the networks specified in the list of internal
networks.
• The source IP address coincides with any of the IPs defined in the list of excluded IPs.
SMTP mail will be classified as outbound provided that the source IP address belongs to one of the
internal networks defined.
Adding internal networks
To access the Internal network management screen, click the Settings menu in the console, and
in the Network section, select Internal networks.
To add an internal network, enter the network address in the Subnet box and click Add. The network
address must be specified in CIDR format (e.g. 192.168.0.0/16). Individual IP addresses can be
specified using 32 as a mask (e.g. 192.168.5.205/32). Repeat these steps for each network defined in
your organization.
To remove an internal network, select it in the list and click Delete. Then accept the confirmation
message.
To import or export content from the list, refer to the section Import / Export files or lists.
The IP addresses defined in the list of internal networks will also have access to the
HTTP/HTTPS explicit proxy.
Excluded IPs
1. To add an IP to the list, enter the IP in the IP address box and click Add. Repeat this step for
all the IPs you want to add to the list.
2. To remove an IP, select it in the list and click Delete. Then accept the confirmation message.
3. Click Export to export the content of the list to a text file. Each line in the file will be an entry in
the list.
4. Click Import to display the screen for importing files. Use the Browse button to locate a file
containing a list to import.
Click Save for the settings to take effect.
The IP addresses included in the list of internal networks will not have access to the
HTTP/HTTPS explicit proxy.
Managing internal domains
You have to define internal domains for the protection of SMTP relay servers to operate
correctly (configuration of advanced anti-spam protection options for SMTP). This protection classifies
all inbound SMTP messages to unknown recipients as spam.
The recipient of a message will be considered unknown in the following cases:
• No internal domains have been defined. In this case, all SMTP messages will be understood to be
addressed to unknown recipients.
• The domain of the recipient's address does not coincide with any of the internal domains defined.
The recipient of an SMTP message will be considered as known provided that the address domain
belongs to the list of internal domains.
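The classification rules for internal networks, excluded IPs and internal domains described above can be written out as follows. This is an added example, not the appliance's own code: the function names are hypothetical, the sample addresses and domains are constructed, and exact, case-insensitive domain matching is an assumption. It makes visible two configuration edge cases: an empty list turns every message into "inbound to an unknown recipient", and an excluded IP overrides membership of an internal network.

```python
import ipaddress


def smtp_direction(source_ip, internal_networks, excluded_ips):
    """Classify an SMTP message as 'inbound' or 'outbound' from its source IP.

    internal_networks: CIDR strings, e.g. "192.168.0.0/16" or "192.168.5.205/32".
    excluded_ips: plain IP strings.
    ip_network() is strict here, so an entry with host bits set
    (e.g. "192.168.5.205/16") raises ValueError instead of being silently widened.
    """
    addr = ipaddress.ip_address(source_ip)
    nets = [ipaddress.ip_network(n) for n in internal_networks]
    excluded = {ipaddress.ip_address(e) for e in excluded_ips}

    if not nets:                      # case 1: no internal networks defined
        return "inbound"
    if addr in excluded:              # case 3: excluded IP wins over membership
        return "inbound"
    if any(addr in net for net in nets):
        return "outbound"
    return "inbound"                  # case 2: source outside every internal network


def recipient_known(recipient, internal_domains):
    """True when the recipient's domain is one of the internal domains.

    Assumptions of this sketch: the comparison is an exact match on the part
    after the last '@' and ignores letter case.
    """
    domains = {d.strip().lower() for d in internal_domains}
    if not domains or "@" not in recipient:
        return False
    return recipient.rsplit("@", 1)[1].lower() in domains


def relay_protection_verdict(source_ip, recipient, internal_networks,
                             excluded_ips, internal_domains):
    """Return (direction, treated_as_spam) for one message.

    Per the guide, SMTP relay protection classifies inbound messages to
    unknown recipients as spam; outbound mail is not affected by that rule.
    """
    direction = smtp_direction(source_ip, internal_networks, excluded_ips)
    spam = direction == "inbound" and not recipient_known(recipient, internal_domains)
    return direction, spam


if __name__ == "__main__":
    # Constructed sample configuration and messages.
    nets = ["192.168.0.0/16"]
    excluded = ["192.168.5.205"]
    domains = ["example.com"]
    samples = [
        ("192.168.1.10", "partner@other.test"),   # internal host sending out
        ("192.168.5.205", "alice@example.com"),   # excluded internal host
        ("203.0.113.7", "alice@example.com"),     # external sender, known recipient
        ("203.0.113.7", "nobody@other.test"),     # external sender, relay attempt
    ]
    for src, rcpt in samples:
        print(src, rcpt, relay_protection_verdict(src, rcpt, nets, excluded, domains))
    # With no internal domains defined, every inbound message is flagged.
    print(relay_protection_verdict("203.0.113.7", "alice@example.com", nets, excluded, []))
```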
Adding internal domains
To access the Internal domain management screen, click the Settings menu in the console, and in
the Network section, select Internal domains.
1. To add a domain to the list, enter the domain name in the New section and click Add. Repeat
these steps for each domain defined in your organization.
2. To delete a domain from the list, select it and click Delete.
3. To import or export content from the list, refer to the section Import / Export files or lists.
Configuring the updates
Introduction to updates
Panda GateDefender Performa periodically carries out updates that will not interfere
with the functioning of the unit or allow traffic to enter or leave the corporate network without being
scanned.
There are three types of updates:
• Update definition files for malware, spam rules and web filtering categories. Panda
GateDefender Performa will attempt to perform this type of update every fifteen minutes.
• System software upgrade: for example, the operating system, the hardware drivers, the web
server used to view the administration console, etc. or the malware and spam scan and detection
engines.
• Install hotfixes: Lets you view the hotfixes installed and install new hotfixes.
The appliance is updated via the Internet. Panda GateDefender Performa checks if new updates are
available at regular intervals.
• The definition files are automatically updated every 15 minutes and a system event with the
result is generated. An email message is also sent if the corresponding option is enabled and the
SMTP server for sending the warnings has been defined.
• When it updates the system software, Panda GateDefender Performa reports if an update is
available and the administrator must decide when the update should be installed (by clicking on
the corresponding option in the Update - System software upgrade window).
Panda GateDefender Performa will only update the definition files of the protection modules that have
an active license.
Updating the protection software
Panda GateDefender Performa periodically looks for updates of the malware signature file, spam rules
and web filter categories, provided the license is active.
Even though the update process is automatic, it is possible to perform an on-demand update of
malware signatures and Web filtering categories at any time.
To do this, click the Update now button in the Automatic update of the protection software
section.
Enable sending of notifications
You can also configure a message to be sent with the results of the updates. To do this, click here,
and in Warnings: Events to report, select the events for which warnings will be sent to the
administrator and the sender.
The warnings will be sent using the email accounts, SMTP, Syslog and SNMP configured previously.
Update settings
Panda GateDefender Performa allows you to select the way in which you want to update malware
signatures.
1. If you want to continue updating them through the Internet, select the From the Internet
option.
2. To update locally, select From a local server and enter the URL to access the pavsig.zip file in
the Update URL text box.
3. Click Save.
4. Confirm if you want to perform updates locally.
5. Once the Panda GateDefender Performa Services have restarted, click OK. This will take you to
the Status screen.
If you select From a local server, the protection modules that require an Internet connection
(anti-spam, IM/P2P protocol and Web filtering, spam quarantine, spam detected report, Web and
IM/P2P protocol filtering report) will be disabled for the time Panda GateDefender Performa works in
local mode.
Updating the system software
System software (firmware) includes any software used by the appliances except the definition files, for
example, the operating system, the hardware drivers, the Web server used to view the administration
console, etc. or the malware and spam scan and detection engines.
The appliances look for software updates every 12 hours. When an update is available:
• A warning is displayed in the Update page under Update system software.
• A system event is generated.
Before updating the system software, you can find out about the characteristics of the new version. To
do this, click For more information about the new features in this version, click here.
If the update is 1MB or less, you will access a Web page, where in addition to information
about the new version, you will find the steps to follow in order to download and install it.
In order to perform the update click Update. First of all, the compressed file is downloaded. Through
the progress bar, Panda GateDefender Performa informs you of the status of the download, specifying
the kilobytes downloaded and the total size of the download.
The console indicates if a system software update is available. The appliance can also send you an
email. If you want to receive an email notification when an update is available, click the link and
configure the target email account(s).
If the console and the appliance web server have problems establishing a connection,
after accepting the warning in the browser, Panda GateDefender Performa will open the
access page. In this case, access again and go to the System software update page. The
console will show the current status of the download and application of the update.
Hotfix management
Hotfixes are updates containing improvements and solutions to problems. Every month, a new hotfix
pack is published on our Web page. Follow these steps to open the published hotfixes:
1. Go to the following page: http://www.pandasecurity.com/enterprise/support/
2. In the section Other corporate solutions select your version of Panda GateDefender Performa
from the drop-down menu and click Find.
3. From the first drop-down menu, select Solve incidents with the product, and from the
second, select Solve other incidents with the product. Click Find.
4. A list of incidents and hotfix packs available appears. You can use the drop-down menu to order
the list by date or number of visits.
5. Select the hotfix pack you require. Next, a page appears with detailed information on the
features of the hotfix pack and a download link. There are two options:
6. If the hotfix pack is in a compressed file (zip, or tgz), you can install it from the Panda
GateDefender Performa console, following the instructions given below.
7. If the hotfix pack is in an ISO image, follow the instructions given on the Web page.
If you have downloaded a hotfix pack in a zip or tgz file, follow these steps to install it from the Panda
GateDefender Performa console:
1. In the Panda GateDefender Performa console, click Settings.
2. In the Update section, click Update settings.
3. In Hotfix management, click in the link here. Go to the Hotfix management screen to see a
chronological list of hotfixes installed.
4. Click Browse and find the ZIP or TGZ file you have just downloaded.
5. Click Install hotfix.
6. Click Install now to start the process.
Once you have downloaded the hotfix, it will appear in the list with its details (Name, Description,
and Installation date).
The list of hotfixes installed is ordered in reverse chronological order.
Hotfix management
To uninstall the latest hotfixes installed, use the button Uninstall. Confirm the uninstallation, and
when you finish the hotfix will disappear from the list, which will now display the most recently installed
hotfix.
If the uninstallation process requires a restart, this will be indicated in the uninstallation confirmation
screen.
Error in the installation/uninstallation
If an error occurs when installing/uninstalling the hotfix, you can consult Panda Security's technical
services directly, as indicated in the error message, or try to install/uninstall the hotfix again from the
Hotfix management screen.
In the event that after uninstalling the hotfix you have to restart the computer, a message will be
displayed in the Hotfix uninstallation confirmation screen.
Domain users
Managing LDAP servers
If you are using LDAP, you can obtain a list of users or user groups to which you can apply a specific
security protocol in the configuration of protection profiles.
To do this, in the Settings menu of the main window, select Domain users > LDAP sources.
LDAP servers
Follow these steps to add or modify LDAP servers:
Click on the Add button (if you want to enter an LDAP server) or Modify (if you want to modify one
that already exists). This takes you to the Definitions: LDAP servers screen with the following
options:
• Name: Descriptive name of the server.
• Server/IP: Server IP address.
You can enter the required data, or if you have specified it previously, select the server from
the list after clicking the icon. Select the value you want from the drop-down menu.
• BaseDN: Specify the base from which to look up information on the LDAP server.
• Type of server: When you select one of the default types, the User and User groups fields are
automatically completed. If your server has a special characteristic, these data can also be
specified manually.
o Active Directory
o LDAP v3
• Names of the attributes defined in the LDAP server: Complete or modify these fields to
establish a link between the names of the LDAP server attributes and those used by Panda
GateDefender Performa. The fields are the following:
o For the user: ObjectClass, User ID, Name, Email, Description.
o For the user group: Object, Class, Group ID, Member, Description.
• Port: Port used to connect to the server. The default port is 389.
• SSL connections.
• Bind DN (optional): Specify the DN that enables the appliance to be identified to the LDAP
server. Only if the server requires authentication.
• Password and Repeat password (optional): These fields enable you to enter the password
given for Bind DN.
• Description (optional).
Management of servers with validation
Panda GateDefender Performa enables you to specify servers whose validation of users is made
through LDAP. In this way, you can obtain LDAP groups to which you can apply a specific security
protocol in the configuration of protection profiles.
To do this, in the Settings menu of the main window, select Domain users > User authentication.
Servers with validation
In the Servers with validation section, click on the Add button (if you want to enter a new address)
or Modify (if you want to modify one that already exists). This takes you to the Definitions: Servers
with validation screen that displays the following options:
• Name: Specify a name for the server.
• Server IP address.
You can enter the required data, or if you have specified it previously, select the server from
the list after clicking the icon. Select the value you want from the drop-down menu.
• Protocol: Protocol operated by the server: HTTP, FTP, SMTP, POP3 or IMAP4.
• LDAP servers: LDAP server to be validated. The drop-down menu contains the option localusers
for users specified internally in the appliance, plus the LDAP servers defined previously in the
Definitions: LDAP source management screen.
• Description (optional).
Agent to identify domain users
You can identify users in environments with Kerberos authentication using agents installed in the
domain controllers. You can also apply protection profiles to P2P/IM/VoIP protocol users in any type of
authenticated environment.
To enable the use of agents for identifying users in domain controllers, select the corresponding
checkbox. Then click Add and go to the Configuration of agent data screen, where you can enter
the following information:
• Name
• IP address of the domain controller
• LDAP servers
The IP address of the domain controller may be among the IP addresses previously defined in the
Definitions: IP addresses screen. If so, click Address settings and select from the list of IP
addresses displayed.
Click Save and check that the agent configured appears correctly in the list in the section Agent for
identifying domain users.
Then enter the port, the time period during which the agent will be consulted (in seconds), and the
password.
Use the button Test connection with agents to check the connection with the agents configured.
The Verification of the connection with the agents screen displays a list of the agents configured
and the progress of the connection with each of them.
User management
This option of Panda GateDefender Performa enables you to create users and groups of
users to which you can apply a specific security protocol through configuration of protection profiles.
To do this, click the Settings menu in the main Console screen. Then select Domain users > Local
groups and users. Go to Definitions: User management.
Users
Follow these steps to add users:
1. In the Users section, click Add.
2. Give a descriptive name for the user, an email address to help identify the user, and the name of
the user you wish to add.
3. Enter a password and confirm it (optional).
4. If you have already created a group of users, this will appear in the Group box. You can add
users to these groups by ticking the relative boxes. This makes it easier to manage users.
5. You can also add a comment, if you want.
6. Click Add.
You can modify the data entered, or delete a user whenever you want by clicking the corresponding
buttons.
If you want, you can use the Export option to save this data in a file.
You can import these files again later.
User groups
Follow these steps to add a user group:
1. In the Panda GateDefender Performa console, click the Definitions > User management
menu.
2. In the Groups section, click Add.
3. Specify the name of the user group you wish to add. You can also add a descriptive comment, if
you wish.
4. If you have already added users, these will appear in the Local users frame. You can add them
to the group by ticking the relative boxes.
5. Click Add.
You can modify the data entered, or delete a user group whenever you want by clicking the
corresponding buttons.
If you want, you can use the Export option to save this data in a file. You can import these files again
later.
Definitions
Introduction
Panda GateDefender Performa makes it easy for you to access the definition of those elements most
relevant to the operation of the appliance. The options available are:
• IP addresses
This enables you to specify IP addresses or ranges of IP addresses to which a specific security
protocol is to be applied through the configuration of protection profiles.
• LDAP sources and server management.
This enables you to manage the list of LDAP servers that will later be used to obtain a list of
users, also other servers requiring validation. Next, you can apply the security policy as
required to these users through the configuration of protection profiles.
• User management
This enables you to create and modify profiles for users and groups which can be used when
configuring various protections.
• Domain management
This enables you to create and modify profiles for domains and groups which can be used
when configuring various protections.
Managing IP addresses
This option of Panda GateDefender Performa enables you to specify the IP addresses
to which you can apply a specific security protocol through configuration of protection profiles.
To access the IP address management screen, click the Settings menu of the main console
window. Then select Definitions > IP address.
IP addresses
Follow these steps to add IP addresses:
1. In the Addresses section, click Add.
2. Add a descriptive name and an IP address in the relevant boxes. If you have already created a
group of IP addresses, you can add this IP address to the group by ticking the box next to it.
3. Click Add.
Groups of IP addresses
Follow these steps to add groups of IP addresses:
1. In the Panda GateDefender Performa console, click the Definitions > IP Addresses menu.
2. In the Groups section, click Add.
3. Specify a name for the group.
4. Add the IP addresses as required. You can add:
• Previously specified IP addresses.
• Other previously defined groups.
• Specific IP addresses and subnet masks in short CIDR format (xxx.xxx.xxx.xxx/yy).
yy is the number of mask bits set to 1, starting from the left. For example:
24 = (11111111.11111111.11111111.00000000) = 255.255.255.0.
Click Add.
5. If you wish, you can add a descriptive comment in the field.
6. Click Add at the bottom of the page to save the changes.
You can modify or delete IP addresses and groups added whenever you want. All you have to do is
highlight the address or group from the list and click Modify or Delete.
If you want, you can use the Export option to save this data in a file. You can import these files again
later.
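The following Python sketch is an added example, not part of the product or its documentation. It pre-checks a list of candidate group members written in the xxx.xxx.xxx.xxx/yy format described above, expands yy into the dotted mask, and reports entries that cover more than their author probably intended or that are already covered by a broader entry. The function names and the sample entries are constructed for illustration; how the appliance itself treats such entries is not stated in this guide.

```python
import ipaddress

# Constructed sample of entries someone might type into an IP address group.
SAMPLE_ENTRIES = [
    "192.168.1.0/24",
    "192.168.1.10/24",         # host address written with a network prefix
    "192.168.1.77",            # single address inside the /24 above
    "10.0.0.0/8",
    "10.20.0.0/16",            # inside 10.0.0.0/8
    "172.16.0.0/33",           # prefix length out of range
    "10.1.1.0/255.255.255.0",  # long mask, not the short /yy format
]


def prefix_to_mask(yy):
    """Expand /yy into a dotted mask: yy one-bits counted from the left."""
    if not 0 <= yy <= 32:
        raise ValueError("prefix length must be between 0 and 32")
    bits = "1" * yy + "0" * (32 - yy)
    return ".".join(str(int(bits[i:i + 8], 2)) for i in range(0, 32, 8))


def review_group(entries):
    """Return (effective_networks, findings) for a list of group entries."""
    parsed, findings = [], []
    for raw in entries:
        text = raw.strip()
        _, sep, suffix = text.partition("/")
        if sep and not suffix.isdigit():
            findings.append((raw, "suffix is not a short-format prefix length"))
            continue
        try:
            iface = ipaddress.IPv4Interface(text)
        except ValueError:
            findings.append((raw, "not a valid IPv4 address or prefix"))
            continue
        net = iface.network
        if sep and iface.ip != net.network_address:
            # The entry names one host but the prefix selects the whole network.
            findings.append((raw, f"host bits set, actually covers {net} "
                                  f"(mask {prefix_to_mask(net.prefixlen)})"))
        parsed.append((raw, net))

    for i, (raw, net) in enumerate(parsed):
        if any(net == earlier for _, earlier in parsed[:i]):
            findings.append((raw, "duplicate of an earlier entry"))
            continue
        cover = next((other_raw for other_raw, other in parsed
                      if other != net and net.subnet_of(other)), None)
        if cover is not None:
            findings.append((raw, f"already covered by {cover}"))

    # The smallest set of networks that the valid entries add up to.
    effective = [str(n) for n in
                 ipaddress.collapse_addresses([net for _, net in parsed])]
    return effective, findings


if __name__ == "__main__":
    networks, problems = review_group(SAMPLE_ENTRIES)
    print("effective coverage:", networks)
    for entry, message in problems:
        print(f"{entry}: {message}")
```
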
Domain management
This option in Panda GateDefender Performa enables you to create domains, groups of domains or subdomains to which you can apply a specific security protocol through configuration of protection
profiles.
To go to this screen, click the Settings menu in the main Console screen. Then select Definitions >
Domains.
Domains
Follow these steps to add specific domains or groups of domains:
1. In the corresponding section (Domains or Groups) use the Add button.
2. Specify the domain or the group to be added.
• If it is a domain, specify which domain group you wish to add it to by marking the
relevant box. A domain group must have been added previously before you can do this.
• If it is a domain group, you can also specify additional domains that belong to the group,
separated by commas. In the case of sub-domains, you can use wildcards to define
them.
In both cases you add a descriptive text.
3. Click Add.
You can modify the data entered, or delete a user whenever you want by clicking the corresponding
buttons.
If you want, you can use the Export option to save this data in a file. You can import these files again
later.
Warnings
Introduction
Panda GateDefender Performa will keep you informed about all the incidents detected. To do this, you
must configure the parameters of the warnings that must be sent via email, to syslog servers or to
SNMP managers whenever an incident is logged, and select the types of events you want to be
informed about.
• Events to report settings. Lets you select which events will be reported via email, Syslog
and SNMP. It allows you to specify the language in which warnings will be received, the events to
report to the administrator or recipient of the message and the events for which replacement
texts will be available for the attached files deleted.
• Email warnings settings. Lets you configure parameters related to warnings sent via email.
Allows you to configure the periodic activity notification and Recipient mail account
details.
• Syslog warnings settings. Lets you configure parameters related to warnings sent to a remote
Syslog server. Allows you to configure the name or IP address of the server, the port to which
the events will be sent and other options.
• SNMP warning settings. Lets you configure parameters related to warnings sent to
SNMP servers: the general SNMP v1/v2c settings and the communities.
• Customize texts. You can choose to keep the default warning texts or to customize them.
Events to report settings
This feature lets you select the events that will be reported via email, SNMP and syslog.
Language
Use the drop-down menu to select the language in which all notifications will be received (to the
administrator, to the sender of the message and the replacement text for attached files deleted from
messages).
Notification to administrators
This allows you to customize the events to report and how notification will be sent (via SMTP, SNMP or
syslog):
• SMTP, SNMP, syslog:
Various checkboxes can be enabled for each event.
Each checkbox enables an event with a type of notification (SMTP, SNMP, syslog). If the checkbox is
for a main group, click on it to select or clear all of the check boxes for the events in the group.
If the group checkbox is selected, and you clear a check box for one of the events in the group, it will
not be disabled unless all events are disabled.
If groups are partially selected, when opening the page, the groups will be expanded to show the
content and the group will be selected.
If the checkbox for all events is cleared, the check box for the group will also be cleared.
• Event:
Shows the name of the group or event. If it is a group, the name will be preceded by one of two
symbols.
1. This appears when the group branch is collapsed. If you click it, the rows belonging to the group
are expanded.
2. This appears when the group branch is expanded. If you click it, the rows belonging to the group
are collapsed.
To find out how to configure the syslog or SNMP notifications, refer to syslog warnings settings or
SNMP warnings settings.
Notification to sender
Panda GateDefender Performa allows you to send an email message to the sender with notification of
the event. As with the administrator notifications, there are events and main groups; groups made up
of events:
• SMTP:
Notifications are sent to the sender’s email address. If the checkbox is for a main group, click on it to
select or clear all of the checkboxes for the events in the group.
If the group checkbox is selected, and you clear a checkbox for one of the events in the group, it will
not be disabled unless all events are disabled.
If groups are partially selected, when opening the page, the groups will be expanded to show the
content and the group will be selected.
If the checkbox for all events is cleared, the checkbox for the group will also be cleared.
• Event:
Shows the name of the group or event. If it is a group, the name will be preceded by one of two
symbols.
1. This appears when the group branch is collapsed. If you click it, the group is expanded.
2. This appears when the group branch is expanded. If you click it, the rows belonging to the group
are collapsed.
Text to replace deleted files
When Panda GateDefender Performa detects certain types of malware, it will delete them and replace
them with a text. Panda GateDefender Performa lets you customize events:
• Email, HTTP/FTP:
Several checkboxes can be enabled for each event.
If the checkbox is for a main group, click on it to select or clear all of the check boxes for the events in
the group.
If the group checkbox is selected, and you clear a checkbox for one of the events in the group, it will
not be disabled unless all events are disabled.
If groups are partially selected, when opening the page, the groups will be expanded to show the
content and the group will be selected.
If the checkbox for all events is cleared, the checkbox for the group will also be cleared.
• Event:
Shows the name of the group or event. If it is a group, the name will be preceded by one of two
symbols.
1. This appears when the group branch is collapsed. If you click on it, the group is expanded.
2. This appears when the group branch is expanded. If you click on it, the rows belonging to the
group are collapsed.
Syslog warnings settings
The syslog utility allows you to export all errors that occur in the application, as well as
information about its status.
Network administrators can monitor different devices through the information sent by each one
through syslog.
To access the Warnings: Syslog warnings settings screen, click the Settings menu in the main
console window and select Warnings > Syslog warnings.
Panda GateDefender Performa includes the option to report the log files to a remote server. To do this:
1. Select the Syslog Registry checkbox. If you clear the Syslog registry checkbox, Panda
GateDefender Performa will not send any type of message to the remote syslog.
2. Server: Specify the syslog server that will receive the notifications, using its IP address or
name.
3. Port to which events will be sent (port 514 by default). Panda GateDefender Performa uses UDP.
4. Facility (local0 to local7). The messages are sent to the remote server through one of the eight
facilities available. The facility must be the same in the Panda GateDefender Performa syslog and
in the remote syslog. The default value is local0.
5. Select the CSV format checkbox to use this format. Otherwise, the warning will be sent in plain
text.
6. Click OK to save the current settings.
If you clear the Syslog registry check box, Panda GateDefender Performa will not send
any type of message to the remote Syslog.
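The facility requirement in step 4 can be checked on the receiving side. The Python sketch below is an added example, not Panda code: it decodes the standard syslog priority prefix of each received datagram and reports warnings that would be missed because the facility does not match the one configured on the appliance. The appliance address 192.0.2.10, the function names and the sample datagrams are constructed; the layout of the appliance's message text is not documented on this page, so it is kept as an opaque string.

```python
import re

# local0..local7 are syslog facility codes 16..23; the priority value sent
# on the wire is facility_code * 8 + severity.
LOCAL_FACILITIES = {16 + n: f"local{n}" for n in range(8)}
SEVERITIES = ("emerg", "alert", "crit", "err",
              "warning", "notice", "info", "debug")
PRI_RE = re.compile(rb"^<(\d{1,3})>")

# Constructed (source_ip, datagram) pairs as a UDP listener would collect them.
SAMPLE_DATAGRAMS = [
    ("192.0.2.10", b"<134>Oct 11 22:14:15 gatedefender constructed warning text"),
    ("192.0.2.10", b"<156>Oct 11 22:14:16 gatedefender constructed warning text"),
    ("192.0.2.10", b"constructed line without priority"),
    ("198.51.100.7", b"<134>Oct 11 22:14:17 other constructed text"),
]


def parse_pri(datagram):
    """Return (facility, severity, rest) or None if the <PRI> prefix is invalid."""
    match = PRI_RE.match(datagram)
    if match is None:
        return None
    pri = int(match.group(1))
    if pri > 191:  # 23 * 8 + 7 is the largest defined priority value
        return None
    code, severity = divmod(pri, 8)
    facility = LOCAL_FACILITIES.get(code, f"facility{code}")
    rest = datagram[match.end():].decode("utf-8", errors="replace")
    return facility, SEVERITIES[severity], rest


def expected_pri(facility, severity):
    """Priority value a receiver should see for a local facility and severity."""
    code = next(c for c, name in LOCAL_FACILITIES.items() if name == facility)
    return code * 8 + SEVERITIES.index(severity)


def audit(datagrams, appliance_ip, facility="local0"):
    """Split datagrams into accepted warnings and findings to investigate."""
    accepted, findings = [], []
    for source_ip, payload in datagrams:
        parsed = parse_pri(payload)
        if source_ip != appliance_ip:
            findings.append((source_ip, "source is not the configured appliance"))
        elif parsed is None:
            findings.append((source_ip, "missing or invalid <PRI> prefix"))
        elif parsed[0] != facility:
            findings.append((source_ip,
                             f"facility {parsed[0]} does not match {facility}; "
                             f"a receiver rule selecting {facility} will not match"))
        else:
            accepted.append(parsed)
    return accepted, findings


if __name__ == "__main__":
    ok, problems = audit(SAMPLE_DATAGRAMS, "192.0.2.10", "local0")
    for facility, severity, text in ok:
        print(f"accepted {facility}.{severity}: {text}")
    for source, message in problems:
        print(f"{source}: {message}")
```

Because the appliance sends over UDP, the source address of a datagram is not authenticated, so the source check here is a sanity filter and not proof of origin.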
SNMP warnings settings
Panda GateDefender Performa lets you manage warnings through an SNMP manager. If
you use this type of tool on your network, you can conduct queries on the warnings generated by the
appliance, or receive this information directly in the SNMP manager (trap).
To access the Warnings: SNMP warnings settings screen, click the Settings menu in the main
console window and select Warnings > SNMP warnings.
Follow these steps to enable and configure SNMP warnings:
1. Select the SNMP agent checkbox.
2. Complete the fields Description, Location and Contact. The data entered here is not relevant
for the settings.
3. Click Add. You will see the Warnings: SNMP community screen.
4. In the Name field, enter the name of the SNMP manager community to use. This must be a
word (you can use alphanumeric characters) that matches the one entered in the SNMP manager.
Otherwise it won’t be possible to establish a communication between the appliance and the SNMP
manager.
5. Specify the IP address of the SNMP manager. If you are using multiple managers, enter their IP
addresses, separating them with commas.
6. To be able to conduct queries regarding the warnings sent, you must configure the ports the
appliance will receive the queries at. In the Query section, select the checkboxes of the two
available protocols (v1 and v2c) and enter the appropriate ports. These ports will remain open in
the appliance to receive the queries made from the SNMP manager.
7. For the appliance to send warnings to the SNMP manager (trap), indicate the SNMP manager
ports that warnings must be sent to. These ports must be open in the SNMP manager for
warnings to be sent correctly.
Email warnings
Email warnings settings
Allows you to configure preferences and the details of the destination email account.
• Recipient mail account details. Allows you to configure the address or addresses to which the
warning will be sent and the mail server to use.
• Periodic activity notification settings. Allows you to customize the intervals at which the
notification summary will be received.
Recipient mail account details
Enter the details of the email account that warnings must be sent to:
• Email address(es). Enter the email address of the person that you want to send the message
to. If the warning must be sent to more than one recipient enter the addresses separated by
commas. For example: [email protected], [email protected],
[email protected].
• SMTP server Panda GateDefender Performa must use to send warnings.
• Port through which communication must be established.
• Requires authentication: If the SMTP server requires authentication, enable the Requires
authentication checkbox and indicate the user name and password that are valid for the mail
server.
• Use the following sender. Email address that will appear as the sender of the message.
Periodic activity notification
The periodic activity notification shows a summary of the scan, detection incidents and
system activity for the different types of protection. Each message includes all the detections since the
last time the periodic activity notification was sent.
For information on how to configure the notifications, see Periodic activity notification settings.
The subject of the periodic activity notification is: Periodic activity notification.
The message body is divided into three parts: Header, security protection and system activity.
Header
The header of the warning summary message appears in the following format:
. Panda GateDefender Performa
Start: <Start date> End date: <End date>.
Panda GateDefender Performa identification
System version
Name: <name>
IP address: <IP address>.
Security protection
It shows the following fields:
Anti-malware protection:
Files scanned
Detections in mail and news.
Detections in HTTP and FTP.
Evolution graph.
Content Filter protection:
Items scanned.
Filtering in mail and news.
Detections in HTTP and FTP.
Evolution graph.
For the anti-spam protection:
Files scanned
Spam messages.
Evolution graph.
For the Web filtering:
Pages scanned:
Restricted pages
Evolution graph.
IM/P2P/VoIP filter:
Restricted P2P protocols
Restricted IM protocols:
Evolution graph
All protection includes the View details link. Click it to access the details screen, with more detailed
information.
If a protection is not enabled or does not have a license, the content will be displayed in
gray to indicate that it is not available.
System activity
It shows the following fields:
o System:
Active connections
Connections established
Failed connections
Evolution graph.
o Network cards (NIC1 and NIC2)
Inbound traffic.
Outbound traffic.
Evolution graph.
Periodic activity notification settings
The Periodic activity notification settings option allows you to customize the notification summary
interval.
For more information about the content of the periodic activity notification, see Periodic activity notification.
Notification summary interval
Panda GateDefender Performa allows you to configure how often the notification summary will be sent.
The frequency can be daily, weekly or monthly.
1. Select Send periodic notification summary to configure the frequency.
2. Select the frequency (daily, weekly or monthly) with which you want to receive the notification
summary.
• Daily. Will be sent at 00:00 h each day.
• Weekly. Will be sent at 00:00 h every Monday.
• Monthly. Will be sent at 00:00 h on the first of the month.
3. Select the format of the numeric values of the warnings from the drop-down menu. The options
available are Percentage and Absolute.
Customizing the texts/pages
Customizing the texts
Panda GateDefender Performa allows you to customize the warnings and substitute
texts for the following events:
• Detection of malware.
• Detection of potentially dangerous file.
• Items filtered by the Content Filter protection.
• Item deleted because it could not be scanned.
To customize the texts click the Settings menu in the main console window, and select
Customization > Texts for substitute pages and warnings.
For each of the events above, you can edit the following texts:
• Sender: This option allows you to customize the message to send to the sender of the infected
email message. This field cannot be edited for the warnings sent for events related to files
downloaded from the Internet (HTTP) or to file transfers through FTP.
When you click this link you will see the Customize warning to the sender screen, where
you can define the text of the warning.
• Substitute text: When Panda GateDefender Performa detects a malicious code, it will delete it
and replace it with a text. If you click this option, you can edit the text that will be inserted in the
email message, web page or file transferred through FTP.
When you click this link, you will see the Customize replacement text screen, where you
can enter the text to replace the infected item.
• Administrator: This option allows you to customize the message to send to the administrator.
When you click this link you will see the Customize warning to the administrator screen,
where you can enter the text to be sent to the administrator.
Customization of the substitute HTTP/S page
Panda GateDefender Performa lets you customize the HTTP/S substitute page, that is,
the page displayed when the anti-malware, Content Filter or Web filter block suspicious content. You
can choose between several screens, adding the logo you want and customizing the text.
Click Settings in the main console window and select Customization > Substitute page for
HTTP/S.
Customizing the substitute page
1. Select the template you want from those offered by Panda GateDefender Performa.
2. Logo. Use the Import button to select the logo you want to use. If you use the Default image
button, the page will display the Panda Security logo.
Logo parameters:
jpg or png format
Maximum size: 250 x 100 pixels
3. Descriptive text. Enter the text you want in the dialog box. You can use text and HTML code.
To see an example of the substitute page, with a sample descriptive text, use the link
Substitute page preview.
4. User profile information. Enable the checkbox if you want the page to display the protection
profile applied when the suspicious content was blocked.
Click Save.
Quarantine
Introduction to quarantine
Panda GateDefender Performa has three quarantine areas:
• Malware quarantine: This is a place for isolating suspicious files and malware that cannot be
disinfected at the time of detection. Panda GateDefender Performa will attempt to disinfect these
files after each update (if so indicated in the settings), although it is also possible to do this at
any other time using the Analyse quarantine button.
You can also send us these files to be analysed by our experts.
• Content-filter quarantine: This is the place where all filtered items are sent (as long as this is
indicated in the settings). It is advisable to review it periodically in order to decide on the best way
of dealing with the items stored there. You can restore them, send them to another location,
delete them, etc.
• Spam Quarantine: Contains email messages that have been classified as, or are suspected to
be, spam. It is advisable to review the spam quarantine from time to time in order to take
pertinent decisions about these messages. You can restore them, redirect them to another
location, delete them, etc. You can also add the domains of senders you choose to the blacklist
and white list of the Anti-Spam module.
Malware quarantine
As long as it has been indicated in the anti-malware settings, Panda GateDefender
Performa will isolate all suspicious files and threats that cannot be disinfected at a given moment to
quarantine. Once stored, you can take a series of actions on the items.
Follow these steps to access malware quarantine:
1. Click the Quarantine menu in the main Console screen.
2. Select Malware quarantine.
Information about items in quarantine
Panda GateDefender Performa displays a table of items in quarantine, describing the following aspects:
• Entry date: Indicates when the item was included in quarantine for the first time.
• Last entry: Indicates the last time the item was included in quarantine.
• Item: Shows the name of the threat.
• Instances: Shows the number of times a threat has been detected.
• Only once: Item details.
• More than once: instance details.
• Reason: Gives details of why the file was included in quarantine. For example, because the file is
suspicious or cannot be disinfected.
• If the item has been sent for scanning, this will be indicated in the corresponding column along
with the date it was sent.
Click on the heading of each column to arrange the information they contain as you want.
For much more detailed information, click on the + symbol appearing to the left of each item. You can
see the name and location of the detected file, the source and destination IP, etc.
Instance details
Malware quarantine shows the number of times each threat has been detected. If you want more
information about any of the items, select it and click on the number corresponding to it in the
Instances column.
A screen will appear with information about each detection:
• The date when it was sent to quarantine.
• The item included in quarantine.
• The reason why it was included in quarantine.
• The source (protocol) in which it was detected.
Exclusions, filter and options
• Exclusions: Shows files that have been excluded from quarantine. For more information, consult
the Items excluded from quarantine section.
• Filter: With the quarantine filter you can specify which information should be displayed in the list
(date entered, subject, source or target IP, etc.). For more information refer to the section
Malware quarantine filter.
• Options: Lets you adjust the quarantine size using various settings. It also permits you to
indicate the number of lines in the list, how to behave towards restored messages, to send
suspicious files to be analyzed, etc. For more information, consult the section on Malware
quarantine settings.
Other options
• If any of the items arrived via the SMTP protocol, you can return it to its original location. To do
this, select the item and click Restore.
• If the items have arrived via the SMTP protocol, you can resend them to an email address using
the Redirect button. This permits you to review the content of the messages.
• You can also delete the items you wish by clicking the corresponding button.
Possible actions in malware quarantine
You can take the following actions on items in quarantine:
• Download file: Permits downloading of a file, as long as it has been detected in the http-ftp
protocols.
• Scan quarantine: Only appears activated if automatic disinfection of quarantine is disabled. In
this case, if you wish you can scan all of the items in quarantine with the latest available file of
virus identifiers, by using the button available for the purpose.
• Sending of suspicious files: You can send suspicious files to be analyzed by experts, by
clicking the corresponding button. If any item selected exceeds the maximum permitted size, it
will not be sent.
• Exclude: With this button you can obtain better quarantine management, avoiding storage there
of already recognized malware, for example. For more information, consult the Items excluded
from quarantine section.
• Delete: Permits removal of items selected from the list. A pop-up window will ask for
confirmation.
• Empty quarantine: Deletes all items without having to select them previously.
Malware quarantine settings
Malware quarantine settings allow you to:
• Adjust its size.
• Enable the sending of suspicious files for analysis by experts.
• Specify the number of lines to display in the list.
• Activate automatic analysis of items after each update.
• Specify quarantine’s behavior on restoring items to their original location.
Follow these steps to go to the malware quarantine settings:
1. Click Quarantine in the console and then select Malware quarantine.
2. Click Settings in the quarantine window.
Let us now look at the settings options in more detail:
Size and time in quarantine
You can specify how quarantine behaves when its maximum capacity is exceeded. There are two
options:
1. Delete the oldest items: If you select this option, the oldest items will be deleted to free up
space and allow more recent items to be stored.
2. Reject new items: When it reaches its maximum size no more files will be included in
quarantine.
You can also set the maximum size of files to be sent to quarantine. In this way you will avoid
excessively large files being stored that may saturate quarantine. The maximum size of a file will not be
able to exceed 100 MB.
If a message is received with an attached file that cannot be included in quarantine because it exceeds
the maximum size setting, you can specify a warning message for such a circumstance.
Sending items for analysis
You can set quarantine so that it automatically sends files suspected of being infected, or those that
cannot be disinfected, to the laboratory, as long as their size is less than 10 MB.
General preferences
This section allows you to:
• Limit the amount of information that will be shown in each quarantine page. To do this, enable
the Lines to display on each page box, and indicate the number of lines.
• Activate automatic analysis of quarantine after each update.
• Indicate if you want a copy of items that are restored to their original location to be stored in
quarantine. If you wish, you can include a text in the subject of the messages restored.
Once you have set the configuration you want, click Save.
Items excluded from quarantine
Quarantine exclusions allow it to be better managed, avoiding already recognized malware being stored
there, for example.
In order to withdraw malware from quarantine you just have to check the checkboxes that correspond
to the items you want and click on the Exclude button.
You can see the items withdrawn from quarantine by clicking on the Exclusions link. If you want any
excluded item to return to quarantine if it is detected again in the future, click on Consider
dangerous.
Content Filter quarantine
As long as it has been indicated in the anti-malware settings, Panda GateDefender
Performa will isolate all suspicious files and threats that cannot be disinfected at a given moment to
quarantine. Once stored, you can take a series of actions on the items.
Follow these steps to access malware quarantine:
1. Click the Quarantine menu in the main Console screen.
2. Select Malware quarantine.
The window displayed shows a list of the items isolated in the Content Filter quarantine.
Information about items in quarantine
Panda GateDefender Performa displays a table of items in quarantine. The information is separated in
the following columns:
- Date: Indicates when the item was included in quarantine.
- Item: Shows the file name or the email subject.
- Reason: Shows a short text indicating why it was included in quarantine (for example, because
it is a suspicious compressed file, etc.).
- Source: Indicates in which protocol the item was detected: HTTP / FTP / SMTP / POP3 / IMAP4
/ NNTP.
Click on the heading of each column to arrange the information they contain as you want.
By clicking on the + symbol, appearing to the left of each of the items in quarantine, you will obtain
detailed information about them.
Filter and options
You can configure the listing using the following options:
Filter: You can specify the information to be shown in the listing, using various parameters (date of entry to
quarantine, subject, source or target IP address, etc.). For more information, consult the section on Content Filter
quarantine filter.
Options: Lets you adjust the quarantine size using various settings. You will also be able to indicate the number of
lines in the list and how to behave towards restored messages. For more information, consult the section on Content
Filter quarantine settings.
Possible actions in content-filter quarantine
You can take the following actions on items in quarantine:
• Download file: If the file has arrived via protocols http or ftp, you can use this button to
download it.
• Restore: Allows you to return the selected items to their original location. This option is available
if the items arrived via the SMTP protocol.
• Redirect. Allows the selected items to be sent to the email address indicated. For more
information, consult the section Resend Address.
• Delete: Permits deletion of items selected from the list. A pop-up window will ask for
confirmation.
• Clear quarantine: Deletes all items without having to select them previously.
Content Filter quarantine settings
Content Filter quarantine settings allow you to:
• Adjust the size of the quarantine.
• Specify the number of lines to display in the list.
• Specify how quarantine operates on restoring items.
Follow these steps to go to Content Filter quarantine settings:
1. Click Quarantine in the Panda GateDefender Performa console and then select Content Filter
quarantine.
2. Click Settings in the quarantine window.
Let us now look at the settings options in more detail:
Size and time in quarantine
You can specify how quarantine behaves when its maximum capacity is exceeded. There are two
options:
• Delete the oldest items: If you select this option, the oldest items will be deleted to free up
space and allow more recent items to be stored.
• Reject new items: When it reaches its maximum size no more files will be included in
quarantine.
You can also set the maximum size of an item to be sent to quarantine. In this way you will avoid
excessively large items being stored that may saturate quarantine. The maximum size of an item will
not be able to exceed 20 MB. If you want, you can indicate an email address to which to redirect
messages that exceed this size.
Finally, if you wish, you can indicate the maximum number of days that items will remain in quarantine.
Once this period is reached, the items will be deleted.
General preferences
This section allows you to:
• Limit the amount of information that will be shown in each quarantine page. To do this, enable
the Lines to display on each page box, and indicate the number of lines.
• Indicate if you want a copy of items that are restored to their original location to be stored in
quarantine. If you want, you can include a text in the subject of the messages restored.
Once you have set the configuration you want, click Save.
Spam quarantine
As long as it has been indicated in the anti-spam protection settings, Panda
GateDefender Performa will isolate all email messages classified as spam, or suspected of being so, to
quarantine. Once stored you can take a series of actions on quarantined messages.
Follow these steps to access spam quarantine:
1. Click the Quarantine menu in the main Console screen.
2. Select Spam quarantine.
The window displayed shows a list of the items isolated in spam quarantine.
Information about items in quarantine
Panda GateDefender Performa displays a table of items in quarantine. As well as showing the subjects,
senders and destinations of the messages, you can obtain information about the following aspects:
• Date: Indicates when the item was included in quarantine.
• Sender: The person that has sent the email message.
• Recipient: The recipient of the message.
• Reason: Gives details of why the message was included in quarantine. This allows you to know
if the message was classified as spam, or as probable spam.
• Subject: The subject of the message.
• Source: Indicates the protocol in which the unwanted message was detected: SMTP / POP3 /
IMAP4.
Information about items in quarantine
• Quarantine name: Indicates the name with which the item appears in the quarantine (it can be the message subject, etc.).
• Original name: Shows the name of the original file.
• Reason: Gives details of why the item was included in quarantine. For example, because disinfection was not possible, because it was possible spam, etc.
• Probability of Spam: If it is an unwanted mail message, the information in this column shows the percentage of probability of being spam.
• Spam engine: Shows the version of the anti-spam engine used.
• Status: Shows the status of the item in question. For example, you can see if the item has been sent to quarantine, if it is possible spam, etc.
• Date: Indicates when the item was sent to quarantine.
• If the item has been sent to be analyzed, it will show you the date when sent. Otherwise, you will be able to see its current status. For example, if it is pending being sent or it is not possible to send it.
• Source: Indicates the protocol in which the item was detected:
• Source IP: Specifies the IP address from which the item was sent.
• Target IP: Specifies the IP address to which the item was being sent.
In the case of an email, you can see the subject, sender and recipients of the message, as well as a
link to download the message. Click on the heading of each column to arrange the information they
contain as you want.
Filter and options
You can configure the listing using the following options:
• Filter: This allows you to specify the information to be shown in the listing, using a range of parameters. For example, you can indicate that you only want items shown that were included in quarantine between two dates, messages with a certain subject, sender or destination, etc. For more information, consult the section on Spam quarantine filter.
• Options: Allows you to adjust the quarantine size using various settings. It also lets you indicate the number of lines per page in the list and what to do with restored messages. For more information, consult the section on Spam quarantine settings.
Possible actions in spam quarantine
You can perform the following actions from spam quarantine:
• Add domain to:
o Blacklist: With this button you can add the domains of the messages selected to the spam blacklist. In this way other messages coming from these domains will always be treated as spam.
o White list: With this button you can add the domains of the messages selected to the spam white list. In this way, messages coming from these domains will not be analyzed for spam.
• Restore: This allows you to return the selected messages to their original location, as long as they have arrived by SMTP.
• Redirect: Allows you to redirect the messages selected to a specific email address. For more information, refer to the Resend address section.
• Delete: Allows you to delete messages selected from the list.
• Empty quarantine: Deletes all items without having to select them previously.
Spam quarantine settings
The spam quarantine settings allow you, among other things, to:
• Adjust the size of the quarantine.
• Limit the number of lines to display per page.
• Specify its behavior on restoring files to their original location.
Follow these steps to go to spam quarantine settings:
1. Click Quarantine in the Panda GateDefender Performa console and then select Content Filter quarantine.
2. Click Settings in the quarantine window.
Let us now look at the settings options in more detail:
Size and time in quarantine
You can specify how quarantine behaves when its maximum capacity is exceeded. There are two
options:
• Delete the oldest items: If you select this option, the oldest items will be deleted to free up space and allow more recent items to be stored.
• Reject new items: When it reaches its maximum size no more messages will be included in quarantine.
You can also set the maximum size of a message to be sent to quarantine. This prevents excessively
large messages from being stored and saturating quarantine. The maximum size of a file cannot
exceed 20 MB. If you want, you can indicate an email address to which messages that exceed this
size are redirected.
Finally, if you want, you can indicate the maximum number of days that messages will remain in
quarantine. Once this period is reached, the messages will be deleted.
General preferences
This section allows you to:
• Limit the amount of information that will be shown in each quarantine page. To do this, enable the Lines to display on each page box, and indicate the number of lines.
• Indicate if you want a copy of messages that are restored to their original location to be stored in quarantine. If you want, you can include a text in the subject of the messages restored.
Once you have set the configuration you want, click Save.
Quarantine filters
Introduction
Over time, the quarantine may come to show too much information, making it complicated to manage.
To make this task easier, Panda GateDefender Performa includes a filter with which you can specify
exactly what information you want to see.
To enable a filter
You can apply a filter to the information shown by quarantine, by following these steps:
1. Select the Quarantine option from the menu on the left of the Web administration console.
2. Click on the quarantine for which you want to filter information (malware quarantine, Content Filter quarantine or spam quarantine).
3. Click on the Filter link. Another window appears with the filtering options. For example, you can indicate that you only want items shown that were included in quarantine between certain dates, messages from a certain sender, etc.
4. Once you have indicated the options you want, click on Apply filter.
5. Click OK for quarantine to start showing the information you have just specified.
To disable a filter
1. Select the Quarantine option from the menu on the left of the Web administration console.
2. Click on the quarantine for which you want to filter information (malware quarantine, spam quarantine or Content Filter quarantine).
3. In the new window, click on the Filter link. Another window appears with the filtering options.
4. Click Disable filter.
5. Click OK for quarantine to start applying the new filtering settings.
Filtering settings
The filtering options are different for each type of quarantine. To obtain more information on the
available filtering options for each type of quarantine, refer to the following sections:
• Malware quarantine filtering
• Content Filter quarantine filtering
• Spam quarantine filtering
Malware quarantine filtering
Panda GateDefender Performa permits filtering of the malware quarantine so that it only shows events
that meet the characteristics you specify. For example, you can indicate that you only want items
shown that were included in quarantine between certain dates, messages with a certain subject,
sender or recipient, etc.
You can perform filtering by one of the data items available or by a combination of a number of them.
Once you have configured the filter, click on Apply filter and then on OK.
Content-filter quarantine filtering
Panda GateDefender Performa permits filtering of the content-filter quarantine so that it only shows
events that meet the characteristics you specify. For example, you can indicate that you only want
items shown that were included in quarantine between certain dates, messages with a certain subject,
sender or recipient, etc.
You can perform filtering by one of the data items available or by a combination of a number of them.
Once you have configured the filter as you wish, click on Apply filter and then on OK.
Spam quarantine filtering
Panda GateDefender Performa permits filtering of the spam quarantine so that it only shows events
that meet the characteristics you specify. For example, you can indicate that you only want items
shown that were included in quarantine between certain dates, messages with a certain subject,
sender or recipient, etc.
You can also filter information on the basis of the percentage of probability of spam in the messages in
quarantine. You can indicate the desired percentage interval in the fields for this purpose.
You can perform filtering by one of the data items available or by a combination of a number of them.
Once you have configured the filter as you wish, click on Apply filter and then on OK.
Reports
Introduction
Panda GateDefender Performa generates a series of reports that contain the events related to the
scans and the activity of the appliance. These are:
Protection reports:
• HTTP/HTTPS/FTP
• Mail/News
• IM/P2P/VoIP filter
Security reports:
• Report on access restricted by the explicit proxy
• Report on invalid SSL certificates
System report:
• System events report
To view any of these reports at any time, click the Reports menu and select the report.
As a general rule, these reports contain different options and can be exported to a text file. You can
also use filters to select the information displayed.
• Access to the report settings options
• Filtering the information logged in the reports.
To remove the content of the reports, use the Clear report button. If you want to arrange the data in
the columns, click on the column header. The columns that can be rearranged have an arrow icon to
the left of the column name.
Configuring and filtering reports
Report settings
The reports generated by Panda GateDefender Performa include a large amount of significant
information. However, you can filter the information that appears in the reports.
1. Click the Reports menu in the main Console screen.
2. Select the report you want to consult.
3. In the following window, click Options.
The options you can configure in the report are:
• Continue generating this report
If you don't want Panda GateDefender Performa to generate the report, unselect the corresponding
checkbox.
• Automatically delete events after XX days
Specify the period for which events should remain in the reports (90 days by default). Panda
GateDefender Performa will automatically delete events after this period.
Exporting the reports
You can save the information displayed in the report to a txt file. To do this, click on
the Export: csv link. The content of the report will be exported to .csv format.
Filtering information in the reports
The information displayed in the report can be filtered. This means that Panda GateDefender Performa
allows you to configure the report to display only certain types of events, to display the incidents by
protocol, IP address, etc.
Enabling the report filter
1. Click the Reports menu and select the type of report you want to filter.
2. In the new window, select the corresponding option from the Filter period drop-down menu.
3. Set the filter you want. Use the Filtering conditions menu. Use the Add condition button to add conditions, and click Filter.
When adding conditions, you can use wildcard characters to refine the search ("*", "?", etc.).
Filtering conditions according to the type of report
Protection report
Security report
System report
If you want to save the filter, use the Save button and enter the name of the filter in the textbox in
Filters stored. Then click Enter. To remove the data from the latest filter click Clean. In addition to
clearing the filter, a report will be generated without filters, corresponding to the filter period All.
Stored filters
Once certain filters have been stored, or you are using certain parameters to filter (even though they
have not been stored), Panda GateDefender Performa lets you take the following actions:
Delete the stored filter:
Once a filter has been stored you can delete it by clicking the 'x' to the right of the name of the filter.
Run the stored filter
If you want to run a stored filter, just click on the name in Filters stored.
Set a filter as default
If you want to set one of the stored filters as default, i.e. you want a filter to be applied by default
when a report is opened, just click on the link “Preset”, which appears to the right of the filter name
when you pass the mouse pointer over it.
Bookmark a filter:
Another useful feature in Panda GateDefender Performa is the option to bookmark a filter. To do this
you must first have run a stored filter. This gives you quick access to the filter once it is stored. If the
filter is deleted however, when you try to access via the bookmark, you will open the reports without
applying the filter (or with the default filter if one has been set).
Considerations for the filters.
User and email address: users must be defined in LDAP or Kerberos.
Additional features in the report views
• When viewing the reports you can, if you want, display just the information that interests you. For example, if in the protection report you only want to see the mail and news report, just click in the title area of each report table.
• To access the details of each report, just move the mouse pointer over it to see all the information available for each event.
• To highlight the type of protection that has generated the event, the rows are shaded according to type (e.g. green - anti-malware, blue - Content Filter, red - anti-spam, brown - Web filter). Above each table there are checkboxes for each of the protection types; by selecting/clearing these boxes you can display the information for the protection you want. All are selected by default.
• To highlight the lack of licenses for any type of protection, the corresponding checkbox will be grayed out.
• Use the drop-down menu to select the number of results to display per page, and the Back / Next arrows to move from page to page.
• The columns can be resized and reordered.
• You can select the columns you want to view, through a list of all the columns available with checkboxes.
• The information in the reports is not refreshed automatically. Users can refresh all the tables by pressing F5 or clicking the Refresh button.
• The most recent status of the items viewed will always be saved: tables hidden or visible, number of items displayed, protection displayed and columns displayed. For convenience, these temporary settings are stored as cookies. This means different users can save their own preferences.
Protection reports
Introduction
The protection reports offer data on malware and spam, the Content Filter events, and access to Web
pages and P2P, VoIP and IM protocols.
The reports include settings options and can also be exported to .csv format. Also, if you place the
cursor on a selected item, you will get specific information about the event in question.
If you want, you can filter the information in the report. You can do this with a simple and easy-to-use
filter tool.
The protection reports are structured into four areas: the filtering tool and another three,
corresponding to HTTP/HTTPS/FTP, Mail/ News and IM/P2P/VoIP protocol filtering.
Protection report
This report offers data on malware and spam, the Content Filter events, and access to Web pages and
P2P, VoIP and IM protocols.
Viewing the malware detected
The information displayed in the report is structured into three areas:
• HTTP/HTTPS/FTP
• Mail/News
• IM/P2P/VoIP filter
HTTP/HTTPS/FTP
Use the boxes to select the protection data you want displayed in the report.
The report then displays the data organized into columns. You can select the columns to be displayed
in the report, using the drop-down menu
• Detection source.
When malware has been detected in HTTP or FTP, the report specifies if it was uploaded or
downloaded.
Mail/News
Use the boxes to select the protection data you want displayed in the report. If you select
Highlight outbound mail, the lines marked as SMTP Out will be highlighted in bold.
The report then displays the data organized into columns. You can select the columns to be displayed
in the report, using the drop-down menu Columns
- Protocol
Protocol in which the malware was detected.
IM/P2P/VoIP filter
In this case, select the Columns to be displayed in the report.
Details of the detection
Place the cursor on the icon to the left of each row to see the Details dialog box with extended
information about each event, which will be different depending on the type of detection.
You can use the report settings options through the Options drop-down menu. For more details about
these options, refer to the section Report settings.
If you want to delete the content of the report, use the option Clear report.
Security reports
Introduction
To access these reports, click the Reports menu in the main console menu, and then
select Security report.
The reports include settings options and can also be exported to .csv format. Also, if you place the
cursor on a selected item, you will get specific information about the event in question.
If you want, you can filter the information in the report. You can do this with a simple and easy-to-use
filter tool.
In addition to the system and protection reports, Panda GateDefender Performa offers other reports on
access restricted by the explicit proxy and the use of invalid certification authorities and certificates for
HTTPS.
• Report on access restricted by the explicit proxy
This shows authentication attempts restricted by the explicit proxy, because the user does not have
permission to access the proxy, authentication errors, etc.
• Report on invalid SSL certificates
This shows access to HTTPS sites that have received invalid SSL certificates (expired, unknown
certification authority, invalid certificate name or certificates that don't coincide with the site).
Report on access restricted by the explicit proxy
This shows authentication attempts restricted by the explicit proxy, because the user does not have
permission to access the proxy, authentication errors, etc.
Viewing restricted access attempts
Once the filtering conditions have been established, click Filter. The report shows the data, grouped
into columns, that you have selected in the Columns menu:
Details of the detection
Place the cursor on the icon to the left of each row to see the Details dialog box with extended
information about each event, which will be different depending on the type of detection.
You can use the report settings options through the Options drop-down menu. For more details about
these options, refer to the section Report settings.
If you want to delete the content of the report, use the option Clear report.
Report on invalid SSL certificates
This shows access to HTTPS sites that have received invalid SSL certificates (expired, unknown
certification authority, invalid certificate name or certificates that don't coincide with the site).
Viewing HTTPS sites with invalid SSL certificates
Once the filtering conditions have been established, click Filter. The report shows the data, grouped
into columns, that you have selected in the Columns menu:
Details of the detection
Place the cursor on the icon to the left of each row to see the Details dialog box with extended
information about each event, which will be different depending on the type of detection.
You can use the report settings options through the Options drop-down menu. For more details about
these options, refer to the section Report settings.
If you want to delete the content of the report, use the option Clear report.
System report
System report
Panda GateDefender Performa shows a detailed report on system events (updates,
restarts, etc.). In order to view this report, click the Reports – System report menu.
Viewing the events logged
Once the filtering conditions have been established, click Filter. The report shows the data, grouped
into columns, that you have selected in the Columns menu:
Some of the events logged in this report are:
• Result of every update process.
• Update performed.
• Update errors, clearly specifying the cause of the error (for example: Could not connect to the updates server; The updates server has returned an error; An error occurred during the download process; An error occurred during the update process, etc.).
• Error sending email warnings.
• Appliance start up.
• Problems starting the appliance (the problems and the actions taken to resolve them will be specified).
• Could not connect to the DNS server.
• Problems connecting to the proxy server configured (for example, due to a validation error).
• Could not connect to the license server.
• The license server has returned an error.
• Quarantine space about to be used up.
• Quarantine space exceeded.
Details of the detection
Place the cursor on the [+] icon to the left of each row to see the Details dialog box with extended
information about each event, which will be different depending on the type of detection.
You can use the report settings options through the Options drop-down menu. For more details about
these options, refer to the section Report settings.
If you want to delete the content of the report, use the option Clear report.
Tools
Introduction
Panda GateDefender Performa includes a series of useful tools to deal with situations in which the
appliance performance is less than optimum. Use the links below to find out more about them:
• Diagnosis tools
• Internal log files
• Links to services
• Export / Import settings
• Sending statistics
• Restarting the system services
• Complete system restart
• Shutting down the system
Diagnosis tools
Panda GateDefender Performa has a series of tools for diagnosing problems on the
appliance.
The options available are:
• Ping
• Traceroute
• DNS resolution
• Connectivity with Panda Security
• Show network status
• Packet capture
Ping
The tools screen has two parts: Tool and Result.
Tools
Settings options:
• Tool: Select Ping.
• Parameters
o Target addresses: Specify the target host.
o Number of pings to be sent. Specify the number of pings.
o TTL: Specify the TTL value.
o Types: Select the type of ping required, TCP, UDP or ICMP.
• If you want to launch the tool, click on Run.
Result
Displays the result obtained from running the tool. If you want to save the result in a file, click on
Export to file.
Click on OK to return to the Support tools screen.
Traceroute
The tools screen has two parts: Tool and Result.
Tools
Settings options:
• Tool: Select Traceroute.
• Parameters
o Target addresses: Specify the target host.
o Number of pings to be sent. Specify the number of pings.
o TTL: Specify the TTL value.
o Types: Select the type of ping required, TCP, UDP or ICMP.
• If you want to launch the tool, click on Run.
Result
Displays the result obtained from running the tool. If you want to save the result in a file, click on
Export to file.
Click on OK to return to the Support tools screen.
DNS resolution
The tools screen has two parts: Tool and Result.
Tools
Settings options:
• Tool: Select DNS resolution.
• Parameters
o Address: Specify the address to be resolved. If an IP is entered, an inverse resolution will be carried out.
o Request type: Select a value from the list: A, ANY, CNAME, NS, MX, PTR, SOA, TXT, LOC, RP and SIG.
o Protocols: Select the type of connection required, TCP or UDP.
o Port: Specify the port. The default port is 53.
o Server: Specify the server.
• If you want to launch the tool, click on Run.
Result
Displays the result obtained from running the tool. If you want to save the result in a file, click on
Export to file.
Click on OK to return to the Support tools screen.
Connectivity with Panda Security
Panda GateDefender Performa has to communicate with the following servers to operate correctly.
• System software update server
• License server
• Anti-malware update server
• Malware quarantine server
• Panda cloud scanning server
• Panda cloud data server
• Anti-spam update server
• Web filter data server
You can check that connectivity to these servers is running correctly through the Tools menu in the
console. To do this, follow these steps:
1. Go to Tools in the Panda GateDefender Performa console.
2. Click Diagnostic tools.
3. Select Connectivity with Panda Security from the drop-down menu.
4. Click Run.
In the Result field, check the connectivity for each of the servers.
You can save the results in a TXT file in the location of your choice by clicking Export results.
Display system network status
You can check the status of the network by following these steps:
1. Go to the Tools menu in the Panda GateDefender Performa console.
2. Click on Diagnostic tools.
3. Select Display system network status from the drop-down menu.
4. Click on Run.
If you want to save the result in a text file, click on Export to file.
Packet capture
The Tools screen has two parts: Tool and Result.
Using this tool can negatively affect the performance of your appliance.
Tool
Settings:
1. Tool: Select Packet capture.
2. Parameters
- Type of capture: Select the type of capture: Maximum capture time, Maximum capture size, Maximum packets for capture or Circular capture.
Circular capture consists of a buffer that allows the capture of the last megabytes transferred.
This can be specified in the Value field.
Capture size is limited to 300 MB
- Value: Set the capture limit. This can be specified in seconds, megabytes or packets,
depending on the type of capture selected.
- Capture interface: Select the network interface on the appliance.
- Maximum packet size: Select one of these two options: Capture headings or
Complete traffic.
- Filter: Select filtering:
  - Capture protocol traffic.
  - Capture port traffic.
  - Capture special traffic.
  - Capture all traffic.
3. Protocols: This option appears after selecting the Capture protocol traffic filter. It establishes the protocol to be used in the filter.
4. Ports: This option is displayed when the Capture port traffic filter is selected. Establish the ports to be used in filtering. A range can be chosen by specifying two ports separated by a hyphen.
5. Source IP: Specify the source IP.
6. Target IP: Specify the target IP.
7. If you want to launch the tool, click Run.
8. If you want to stop the capture, click Stop capture.
Result
Displays the result obtained from running the tool. If you want to save the result in a file, click Export
to file.
Click OK to return to the Support tools screen.
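The capture types listed above differ in which packets are still in the capture when its limit is reached, which matters when the event you are diagnosing happens late. The following model is an added example, not appliance code and not part of the original guide. It assumes that the time, size and packet-count types stop at their limit, that circular capture discards the oldest packets, and that header-only capture keeps 96 bytes per packet (a hypothetical figure); the traffic is constructed.

```python
"""Model of the Packet capture limit types (added example, not appliance code)."""
from collections import deque
from dataclasses import dataclass

MB = 1024 * 1024
MAX_CAPTURE_MB = 300   # from the guide: "Capture size is limited to 300 MB"
HEADER_BYTES = 96      # assumption: bytes kept per packet when only headers are captured


@dataclass(frozen=True)
class Packet:
    seq: int     # position in the traffic stream
    ts: float    # seconds since the capture was started
    size: int    # bytes on the wire


def stored_bytes(pkt, headers_only):
    """Bytes a packet occupies in the capture for the chosen maximum packet size."""
    return min(pkt.size, HEADER_BYTES) if headers_only else pkt.size


def simulate_capture(packets, capture_type, value, headers_only=False):
    """Return the packets left in the capture once the traffic has been processed.

    capture_type / value (assumed semantics of the console settings):
      "time"     - stop once `value` seconds have elapsed
      "size"     - stop before the capture would exceed `value` MB
      "packets"  - stop after `value` packets
      "circular" - never stop; keep only the most recent `value` MB
    """
    if capture_type not in ("time", "size", "packets", "circular"):
        raise ValueError(f"unknown capture type: {capture_type!r}")
    if value <= 0:
        raise ValueError("value must be positive")
    if capture_type in ("size", "circular") and value > MAX_CAPTURE_MB:
        raise ValueError("capture size is limited to 300 MB")

    # Size budget: the chosen value for size-based types, the global cap otherwise.
    budget = (value if capture_type in ("size", "circular") else MAX_CAPTURE_MB) * MB
    kept, used = deque(), 0
    for pkt in packets:
        need = stored_bytes(pkt, headers_only)
        if capture_type == "time" and pkt.ts >= value:
            break
        if capture_type == "packets" and len(kept) >= value:
            break
        if capture_type == "circular":
            if need > budget:
                continue  # a packet larger than the whole buffer can never be stored
            while used + need > budget:
                # Make room by dropping the oldest packet in the buffer.
                used -= stored_bytes(kept.popleft(), headers_only)
        elif used + need > budget:
            break  # non-circular captures end when the size budget is exhausted
        kept.append(pkt)
        used += need
    return list(kept)


def sample_traffic(count=4000, size=1400, packets_per_second=10):
    """Constructed traffic: `count` equal-sized packets at a steady rate."""
    return [Packet(seq=i, ts=i / packets_per_second, size=size) for i in range(count)]


def captured(kept, seq):
    """True if the packet with sequence number `seq` is in the capture."""
    return any(p.seq == seq for p in kept)


if __name__ == "__main__":
    traffic = sample_traffic()
    incident = 3900  # constructed: the packet of interest arrives late in the stream
    for ctype, value, hdr in [("size", 2, False), ("size", 2, True), ("circular", 2, False)]:
        kept = simulate_capture(traffic, ctype, value, hdr)
        print(f"{ctype:8} headers_only={hdr!s:5} packets={len(kept):4} "
              f"seq {kept[0].seq}-{kept[-1].seq} incident captured: {captured(kept, incident)}")
```

With the sample traffic, a 2 MB size-limited capture of complete traffic ends at packet 1496 and misses the late event at packet 3900, while a 2 MB circular capture still holds packets 2503 to 3999 and a header-only capture of the same size holds all 4000.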
Internal log files
The internal log files allow you to carry out an advanced diagnosis in order to resolve
problems.
These files may be requested by tech support services when resolving an incident. It is
not advisable to generate these files, unless you are asked to do so by Panda Security
technicians.
To generate log files, select the level of detail that the technicians have specified:
1. In the Tools menu of the console, select Internal log files.
2. Select the log generation mode:
• Basic mode. Select this option if you want to record basic level information in the log files.
• Debug mode. Select this option if you want a greater level of detail in the information in the log files.
4. Select the level of debugging:
• Standard. Level of detail necessary for most cases.
• Advanced. Lets you control the type of information you want to collect. Enable the checkboxes according to the options you want.
5. Select the level of detail you want.
To download the log files onto your computer, click Download logs.
6. Click Save to save the changes. Otherwise, click Cancel.
Online services
The services provide help and benefits in addition to those offered by the unit.
Thanks to these services, you will always have a team of experts on hand that will help you to resolve
any queries and problems you might have with viruses and other threats.
The services offered by Panda GateDefender Performa are:
• Online Support Center: A fast, simple way to find answers to your queries.
• Virus encyclopaedia: Detailed and accurate information about the characteristics of each virus and how to eliminate it.
• Virus news: The latest virus news.
• Virus Infection Map: Live graphic coverage of the percentage of computers infected by viruses worldwide.
• Suggestion box: Allows you to inform Panda Security of the improvements you would make to Panda GateDefender Performa. Your suggestions will be thoroughly studied by the Panda Security technicians.
• Global ThreatWatch: Check out the current virus situation, and find out if there are alerts anywhere in the world or in your country.
In order to use these services, you need an open connection to the Internet.
Exporting/importing the settings
Once the appliance has been correctly configured and is working properly, you can save
the settings parameters.
It is useful to do this as:
• You can recover them (import them) later.
• You can apply the same settings to another unit without needing to do so manually.
Exporting the current settings
In order to export the settings, follow the steps below:
1. Click on the Export button.
2. In the window that opens, click on the Settings link.
3. Select the folder where you want to save the settings file.
4. Click on the Export button.
When this process is complete, the system will generate a file with the current settings, except for the
user name and password for accessing the console.
Importing settings
When importing a settings file from another unit, remember that the name and network
settings of the appliance must be unique. Therefore, these details must be modified if
another unit is using them.
To import or restore settings that you have previously saved, follow the steps below:
1. Click on Browse...
2. Find the settings file that you want to install and click on OK.
3. Then click on Import.
4. If no warning messages are returned, the appliance will have applied the new settings. If a warning appears, you will be informed of the problem and the steps for resolving it.
Sending statistics
Select:
1. Allow information about malware and other threats to be sent if you want to authorize sending of information about malware and other threats detected by your appliance.
2. Send information about spam detected if you want to authorize sending of information about spam detected by your appliance.
In this way you will be helping improve the detection capacity of Panda GateDefender Performa. The
information is sent anonymously, with no data identifying your company.
3. Click Save.
Statistics are sent via https, and so all data will be encrypted.
Restarting the system services
Restarting the system services can be useful as an initial means for resolving
functionality issues in Panda GateDefender Performa.
The system services can be restarted in two ways:
• Click Restart services in the Tools menu.
• If the appliance has an LCD screen use the Reset Services option.
Panda GateDefender Performa will perform a clean restart of all services without completely restarting
the appliance.
This process is much quicker than completely restarting the system. However, while it is in progress,
the network traffic will be blocked in order to guarantee that no traffic goes through Panda
GateDefender Performa without being scanned.
While Panda GateDefender Performa is restarting the services and the network traffic is blocked, the
console informs you of the status of the appliance.
When the restart is complete, you will see the screen for logging in to the console. If this
doesn't happen after a few minutes, open another window in the browser, and connect again to
Panda GateDefender Performa.
Complete system restart
Restarting the system ensures, in the vast majority of cases, that any possible problems
detected while the unit is running are resolved.
The system can be restarted in two ways:
• Click Restart System in the Tools menu.
• If the appliance has an LCD screen use the Reset System option.
When the system is restarted:
• Panda GateDefender Performa will run a clean restart: it closes all operating system processes
and services in order to avoid problems like corrupting the file system.
• If the appliance has a bypass card, network traffic will not be blocked, but will pass through
without being scanned. If the appliance does not have a bypass card, the network traffic will be
blocked to guarantee that no traffic passes through without being scanned. Under no
circumstances will traffic be allowed through until the system has restarted and the appliance is
fully operative. This takes approximately 90 seconds.
• The system restart and its result are logged in the system events report.
In order to check if the system has completely restarted, the administrator can check the following:
• The Web console displays a warning while the computer is restarting. If the console access
window does not appear within a few minutes, you must open another browser window and
connect to the appliance again.
• Ping the appliance network IP address. When restart has been completed successfully, the IP
address must respond to the ping commands.
• Ping a computer connected to the other side of the appliance. Panda GateDefender Performa will
not allow traffic through until it has been started completely. Then, if you get a reply to the ping,
the system has restarted successfully.
• Check that the LED display in the appliance is on. This means that restart is complete.
Shutting down the system
Panda GateDefender Performa lets you shut the system down correctly, blocking all
network traffic. If the appliance has a bypass card, the traffic won't be blocked.
The system can be correctly shut down in two ways:
• Click the Shut down system button in the Tools menu.
A pop-up window will ask for confirmation.
• If the appliance has an LCD screen use the Shutdown option.
Panda GateDefender Performa 9100: It is advisable to completely shut down
the appliance. To do this, press the switch. It will completely shut down after a few
seconds. To restart the appliance, press the switch and wait a few seconds.
Panda GateDefender Performa 9500: It is advisable to completely shut down the
appliance. To do this, disconnect the network cables. To restart the appliance,
reconnect the network cables.
Note: Network traffic through Panda GateDefender Performa will be blocked once the system
has shut down.
How do I...
Activating Panda GateDefender Performa
1. Click My license, next to the system clock.
2. In the window that appears, click on the link (here) that appears under
Registration/activation details.
3. A new window appears: Enter the user name and password provided by Panda Security.
4. Click Save. Panda GateDefender Performa will contact the Panda Security server to get license
information (wait 10 seconds before consulting the information). If an error occurs, a message
will be displayed.
How do I know when my license expires?
In order to check the status of licenses:
1. Select the Status option in the menu on the left of the administration console.
In the System status section, click on License management that appears with the option Updates
and services expire.
2. A new window opens that shows the status of the licenses you have contracted (expiry date and
days left).
How do I update the product?
There are three types of updates:
• Update the signature files, malware, spam and web filtering files.
• System software upgrade (firmware): for example, the operating system, the hardware
drivers, the web server used to view the administration console, etc. or the malware and spam
scan and detection engines.
• Hotfix update. Hotfix updates allow users to include performance improvements and solve
specific problems.
How do I modify the warning messages?
In order to modify the warning messages sent by Panda GateDefender Performa:
1. Select the Warnings option in the menu on the left of the administration console.
2. Configure the events to report.
3. Configure the recipient's mail account.
4. Configure the customizing texts.
Enabling and disabling report generation
Panda GateDefender Performa generates detailed reports on malware, Content Filter, spam, web
filtering and system events.
However, for Panda GateDefender Performa to generate these reports, they must be enabled. To
enable and disable reports follow the steps below:
1. Click the Reports menu in the console.
2. Click on the report you want to enable or disable.
3. Click on Settings in the pop-up window displayed.
4. Enable or disable the Continue generating this report checkbox.
Installing several units in load balancing mode
1. Assign a unique configuration IP address to each unit.
2. Assign a unique network IP address to each unit.
3. Place the units between two switches. An appliance network interface card must be connected to
each switch.
4. Now connect the switches to the rest of the network.
For information about the factory settings, click here.
To install these units in load balancing mode, it is advisable to:
• Use switches instead of hubs. This reduces the number of collisions and increases performance.
• Use Ethernet Gigabit connections only if the unit supports them.
• Check that the appliance network interface cards are working in full-duplex mode.
In order to guarantee the correct operation of several units working in load balancing, all
of the different types of protection must have the same settings in all of them. The network
settings (name, IP address, etc.) must be different.
Exporting/importing the settings
Once the appliance has been correctly configured and is working properly, you can save
the settings parameters.
It is useful to do this as:
• You can recover them (import them) later.
• You can apply the same settings to another unit without needing to do so manually.
Exporting the current settings
In order to export the settings, follow the steps below:
1. Click on the Export button.
2. In the window that opens, click on the Settings link.
3. Select the folder where you want to save the settings file.
4. Click on the Export button.
When this process is complete, the system will generate a file with the current settings, except for the
user name and password for accessing the console.
Importing settings
When importing a settings file from another unit, remember that the name and network
settings of the appliance must be unique. Therefore, these details must be modified if
another unit is using them.
To import or restore settings that you have previously saved, follow the steps below:
1. Click on Browse...
2. Find the settings file that you want to install and click on OK.
3. Then click on Import.
4. If no warning messages are returned, the appliance will have applied the new settings. If a
warning appears, you will be informed of the problem and the steps for resolving it.
Trusted sites and domains settings in the anti-malware protection
To access the trusted sites and domains settings, click the Settings menu in the main
console, and in Protection > Anti-malware select Trusted sites and domains.
Sometimes, the traffic sent from certain servers, computers or domains is reliable enough to be
excluded from the scans.
By excluding this traffic from the anti-malware scans, the workload of Panda GateDefender Performa is
reduced and its performance is optimized.
You can create a list of servers, websites, domains, subdomains, IP addresses and ranges that will be
excluded from the scans. This action will apply to all protocols. To do this:
1. Click the Settings menu in the main Console screen.
2. Go to Protection > Anti-malware and click Trusted sites and domains.
3. This shows the trusted sites and domains configured to date. To add a new domain, subdomain,
range, etc, include it in the New box and click Add. In the case of IP addresses, you can use the
CIDR format, and for sub-domains, you can use wildcards.
4. The updated list will be displayed in the box. To delete any item, select it and click Delete.
After you have completed these steps, Panda GateDefender Performa will not scan traffic from those
domains, servers or computers for malware.
The correct format for entering a trusted site or domain
• For websites: enter the full URL (for example, mail.pandasoftware.com), or the IP address (for
example, 192.168.1.200).
• For domains or sub-domains: enter an asterisk (for example: *.subdomain.domain.com or
*.domain.com, etc). You can also enter an asterisk after the final dot of the domain (for example:
www.domain.*).
Bear in mind that it is not possible to use more than one asterisk (for example: *.domain.*).
If you do not want to enter sub-domains, you do not need to use the asterisk (for example,
domain.com).
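Because every trusted entry exempts traffic from malware scanning, it is worth checking a planned list against the format rules above before typing it into the console. The Python sketch below is an added example, not part of this guide or of the appliance software: it validates entries against those rules and flags entries that exempt a broad range of traffic. The function names, the sample list and the /24 threshold are assumptions, and how the appliance itself matches entries is not described here.

```python
import ipaddress
import re

# One DNS label: letters, digits, hyphen, not starting or ending with a hyphen.
LABEL = re.compile(r"^(?!-)[a-z0-9-]{1,63}(?<!-)$")
MIN_IPV4_PREFIX = 24  # assumption: ranges wider than a /24 deserve a second look


def classify_entry(entry):
    """Return (kind, value); kind is ip, cidr, host, subdomain-wildcard or
    suffix-wildcard. Raises ValueError if the entry breaks the guide's rules."""
    entry = entry.strip().lower()
    if not entry:
        raise ValueError("empty entry")
    if entry.count("*") > 1:
        raise ValueError("more than one asterisk is not allowed")
    if "*" not in entry:
        try:
            if "/" in entry:
                return "cidr", ipaddress.ip_network(entry, strict=False)
            return "ip", ipaddress.ip_address(entry)
        except ValueError:
            pass  # not an address: validate it as a host name below
    labels = entry.split(".")
    kind = "host"
    if "*" in entry:
        if len(labels) < 2:
            raise ValueError("asterisk needs a domain next to it")
        if labels[0] == "*":
            kind, labels = "subdomain-wildcard", labels[1:]
        elif labels[-1] == "*":
            kind, labels = "suffix-wildcard", labels[:-1]
        else:
            raise ValueError("asterisk must be the first label or follow the final dot")
    if not all(LABEL.match(label) for label in labels):
        raise ValueError("invalid host name")
    if all(label.isdigit() for label in labels):
        raise ValueError("invalid IP address")
    return kind, entry


def audit_trusted_list(entries):
    """Return {entry: [findings]} for entries that are malformed or broad."""
    findings = {}
    for raw in entries:
        try:
            kind, value = classify_entry(raw)
        except ValueError as exc:
            findings[raw] = [f"rejected: {exc}"]
            continue
        if kind == "suffix-wildcard":
            # Assumed reading of www.domain.*: the name under any top-level domain.
            findings[raw] = ["wildcard suffix: covers the name under every TLD"]
        elif kind == "subdomain-wildcard" and value.count(".") < 2:
            findings[raw] = ["wildcard directly under a top-level domain"]
        elif kind == "cidr" and value.version == 4 and value.prefixlen < MIN_IPV4_PREFIX:
            findings[raw] = [f"wide range: {value.num_addresses} addresses unscanned"]
    return findings


# Constructed sample list: the guide's own examples plus a few bad entries.
SAMPLE = ["mail.pandasoftware.com", "192.168.1.200", "*.domain.com",
          "www.domain.*", "*.domain.*", "10.0.0.0/8", "*.com", "domain.com"]

if __name__ == "__main__":
    for entry, notes in audit_trusted_list(SAMPLE).items():
        print(f"{entry}: {'; '.join(notes)}")
```

Entries that pass without a finding are well-formed and narrow; flagged entries are not necessarily wrong, but each one should have a documented reason for being excluded from scanning.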
Restoring the initial values for signing in to the Web console
The option for restoring the initial values for signing in to the Web console allows the user to restore the
factory settings of the configuration IP address, the user name and password for the console.
Follow the steps below for the appliance model you have:
• Panda GateDefender Performa SB:
1. Find the F/D button at the back of the appliance.
2. Hold this button down for a few seconds. The unit restores the factory settings for accessing the
Web console.
Don’t confuse the F/D button with the Reset (system) button, which resets the whole
system.
• Panda GateDefender Performa 9100 and 9500:
SB, 9100 and 9500 models have a CD drive.
1. Find the Reset button at the back of the appliance.
2. Hold this button down for a few seconds. The unit restores the factory settings for accessing the
Web console.
In order to view the factory settings of Panda GateDefender Performa click here.
Restoring the appliance
In the event of serious system errors, you may have to restore the appliance.
There are three methods for restoring the appliance which should be used in the following cases:
1. Recovery via CD
This can be used to restore any appliances with CD or DVD drives.
2. Recovery with a USB device
This can be used to restore any appliances with USB ports and without CD or DVD drives.
3. Restoring via Live DVD
This can be used to restore any appliances without USB ports and without CD or DVD drives.
Recovery via CD
The restore CD included with the Panda GateDefender Performa appliance allows you to restore the
system if errors occur.
It is important to bear in mind that this method for restoring Panda GateDefender
Performa must only be used as a last resort to solve possible errors. Never use the self-restore
CD if you have not been advised to do so by Panda Security’s technical support team.
To restore the system, follow the steps below:
1. Export the current settings of the appliance to a file. Click here for instructions on how to do this.
2. Connect to http://www.pandasecurity.com/enterprise/downloads/tree/
3. Enter the user name and password of your license.
4. Go to the section “Downloads available…”
5. In the section “Software available for Panda GateDefender Performa” > Restore CD, download
the ISO for recovery via CD of the latest version available for the SUN platform.
6. Insert the CD in the CD drive.
7. Switch off the Panda GateDefender Performa appliance.
8. Start the appliance. The restore process will automatically start and the appliance software will be
reinstalled.
Do not shut down the system while the appliance is working, otherwise the entire system will be
corrupted. The recovery process must not be interrupted once it has started.
Panda GateDefender Performa will display the factory settings. Import the settings file that you have
just exported to apply the settings defined before restoring the appliance. Click here for instructions
on how to do this.
Restoring using the Live DVD
The LiveDVD recovery system is based on a self-executable DVD. It runs on a computer in the same
network as the appliance; this computer works as an update server and sends the appliance the
software needed for the restore. Once the appliance has received the necessary software, users can
start restoring the system from the computer.
Restoring Panda GateDefender Performa should always be considered as a last resort. Never
use the self-restore DVD if you have not been advised to do so by Panda Security’s technical
support team.
Requirements for running Live DVD
• Intel Pentium IV Processor, or similar.
• 256 MB RAM.
• DVD drive.
Before starting the process, connect the server and the appliance in a local network using an Ethernet
cable (in the appliance, the cable should be connected to the interface labeled RES).
Using the Live DVD
In order to use Live DVD, follow the steps below:
1. Connect to http://www.pandasecurity.com/enterprise/downloads/tree/
2. Enter the user name and password of your license.
3. Go to the section “Downloads available…”
4. In the section “Software available for Panda GateDefender Performa” > Restore DVD, download
the ISO for recovery via LiveDVD of the latest version available for the 8000 series and SB.
5. Export the current settings of Panda GateDefender Performa to a file.
6. Insert the LiveDVD in the computer and restart it. Live DVD will start, showing the restore
interface.
7. Restart the Panda GateDefender Performa appliance.
8. The computer will send and install the software needed for recovery. When this has been done,
the Start restore button is activated, which you must press to start the process.
9. The appliance will send the information about this process to the computer.
When this process is complete, the following text is displayed in the computer:
Remote host restoration completed
Click OK to restart the appliance from the hard disk.
Do not shut down the system while the appliance is working, otherwise the entire system will be
corrupted. The recovery process must not be interrupted once it has started.
Panda GateDefender Performa will display the factory settings. Import the settings file that you have
just exported to apply the settings defined before restoring the appliance.
For more information about the restore process, for example, the minimum
requirements for the restore server, refer to the restore guide available in the downloads
area of the website www.pandasecurity.com/enterprise/downloads/.
Recovery with a USB device
To restore the appliance using a USB device, you must first have created a USB installer. Then, follow
the steps below:
1. Export the current settings of the appliance to a file. Click here for instructions on how to do this.
2. Insert the USB device in one of the appliance ports.
3. To continue with the process, connect a screen to the VGA socket in the appliance.
4. Also, connect a keyboard.
5. Restart the appliance (click here for information about the process of restarting the system).
Once the restart is complete, the restore process will start. When it has finished, you will see the
following notice:
6. To complete the restore process, press ENTER and remove the USB device.
7. The system will restart and the restored software will start. All of the settings will be lost and the
factory settings will be displayed. Import the settings file that you have just exported to apply the
settings defined before restoring the appliance. Click here for instructions on how to do this.
The LCD screen: definition and use
This section explains the LCD screen and how to use it.
The Panda GateDefender Performa SB and Panda GateDefender Performa 9100 and 9500
models do not have an LCD screen.
Specifications of the interface behavior
The following characters appear at the start of each line in a menu:
To access a submenu, press Enter.
Specifies that you are in a submenu and that you can exit to the main menu. To do this, press ESC.
When in a submenu, the last character of the first line shows one of the following characters:
Press the downward arrow to move to a lower option.
You can press any of the arrows to go up to the previous option or go on to the next option.
Press the upward arrow to move to a higher option.
The appliance LCD screen shows the following:
• Status. Possible values are:
    • Running - OK: The appliance is functioning correctly.
    • Starting: The appliance is starting.
    • Closing: The appliance is closing.
    • Restarting: The appliance is re-starting.
    • You may shutdown: The system has closed but the power source is still on.
• CPU use: Shows the load of the appliance.
• Configuration. Shows information about the appliance settings.
    • Config IP: IP address used to access the console.
    • Network IP: Shows the network IP of the appliance.
    • Cluster mode Master / Slave: Shows the role of the appliance (Master or Slave).
• Version info: Shows the version of the appliance system software.
• Serial number: Shows the serial number of the appliance.
• Reset access: Allows you to reset the appliance access details (user name, password and IP
address). To confirm, press ENTER. To cancel, press ESC.
• Reset Services: Lets you completely restart the services. To confirm, press ENTER. To cancel,
press ESC.
• Reset System: Allows you to restart the appliance. To confirm, press ENTER. To cancel, press
ESC.
• Shutdown: Allows you to shut down the appliance hardware. To confirm, press ENTER. To
cancel, press ESC.
Configuring internal networks
1. In the Settings menu, select Internal networks.
You will see the following screen.
2. Add the IP address ranges of your internal network (protected by Panda GateDefender Performa).
Example 1: If you have just one internal network with IP addresses in the range
192.168.1.0/24, enter this on the page.
Example 2: If you want to protect two internal networks, such as 172.16.1.0/24 and
172.16.2.0/24, include both ranges.
3. Click Save.
Configuring internal domains
1. In the Settings menu, select Internal domains.
You will see the following screen.
2. Add the domains used on your internal network (protected by Panda GateDefender Performa).
Example 1: If you have a single domain 'company.com' include it on this page. Users of the
protected internal network will have email addresses with the format [email protected].
Example 2: If you have several domains (company.com, company.net, company.biz), add
them all.
3. Click Save.
Using the basic anti-spam settings
1. In the Settings menu, select Anti-spam protection settings
2. Select the Enable anti-spam protection checkbox for the following protocols
• Protocol:
    • Select the SMTP checkbox
    • Select traffic to scan: Inbound, Outbound, or Inbound and Outbound
    • Select the POP3 checkbox
    • Select the IMAP4 checkbox
• Sensitivity level:
    • Select High
• Action to take on spam messages:
    • Select Delete
    • Select Insert the following text in the subject
    • Leave the default text or enter your own text
• Action to take on messages classified as probable spam:
    • Select Send to quarantine
    • Select Insert the following text in the subject
    • Leave the default text or enter your own text
3. Click Save.
Using the advanced anti-spam settings
1. In the Settings menu, select Anti-spam protection settings
2. Click To configure the advanced settings, click here.
You will see the advanced settings page.
Response to the sender in the event of blocked SMTP messages:
- Select the Reject message during connection checkbox
- Select the response code 554 Spam detected
Detection based on DNSBLs
- Select the Enable detection based on DNSBLs checkbox
- Select Delete
- Select the Enable use of DNSBLs recommended by Panda Security checkbox
- Select the Enable use of additional DNSBLs checkbox
Click the existing link. You will see the screen for configuring additional DNSBL servers.
- Select the checkbox that enables zen.spamhaus.org
- Click Save.
Anti-backscatter protection:
- Select the Enable anti-backscatter protection checkbox
- Select the action Delete
- Select Enable BATV
SMTP relay server protection
- Select the Enable SMTP Relay server protection checkbox
- Click Save (in Advanced settings)
- Click Save (in the anti-spam settings page)