7Network Security menu

 

 

inset_32.jpg 

A reduced version of the menu is available on devices of the FL MGUARD 2000 series.

 

7.1Network Security >> Packet Filter

The mGuard includes a Stateful Packet Inspection Firewall. The connection data of an ac­tive connection is recorded in a database (connection tracking). Rules therefore only have to be defined for one direction. This means that data from the other direction of the relevant connection, and only this data, is automatically allowed through.

A side effect is that existing connections are not aborted during reconfiguration, even if a corresponding new connection can no longer be established.

The firewall rules configured under Network security >> Packet filter are not used on IP packets which are directed to an mGuard IP address. They only apply to IP connections or IP traffic which passes through the mGuard.

Default firewall settings

All incoming connections are discarded (excluding VPN).

Data packets of all outgoing connections are allowed through.

The firewall rules here have an effect on the firewall that is permanently active, with the ex­ception of:

VPN connections. Individual firewall rules are defined for VPN connections (see "IP­sec VPN >> Connections" on page 222, "Firewall" on page 252).

User firewall. When a user logs in, for whom user firewall rules are defined, these rules take priority (see "Network Security >> User Firewall" on page 207), followed by the permanently active firewall rules.

 

 

inset_33.jpg 

If multiple firewall rules are defined, these are queried starting from the top of the list of entries until an appropriate rule is found. This rule is then applied. If the list of rules con­tains further subsequent rules that could also apply, these rules are ignored.

  

Firewall settings for devices from the FL MGUARD 2000 series

 

 

inset_52.jpg 

The devices of the FL MGUARD 2000 series have a simple firewall functionality.

The following functions are not supported:

Firewall rule sets cannot be configured.

MAC filters cannot be configured.

A user firewall cannot be configured.

Host names in IP-groups cannot be used.

Caution: configuration profiles which include the corresponding settings cannot be im­ported.

 

Use of host names in IP groups (firewall rules)

Host names can also be specified in IP groups in addition to IP addresses, IP areas, and networks (DNS-based firewall rules). IP address resolution of host names is performed ac­cording to the DNS settings of the mGuard. This allows host names to be used in firewall groups via IP groups (see "IP/Port Groups" on page 197).

 

 

 

inset_42.jpg 

NOTE: When using host names, there is always the risk of an attacker manipulating or blocking DNS requests (i.e. DNS spoofing). You should therefore only configure trust­worthy and secure DNS servers from your internal company network on the mGuard, so as to avoid these types of attacks.

For security reasons, IP groups that contain host names should not be used in firewall rules which execute “Drop” or “Reject” as the action.

 

 

inset_46.jpg 

If a host name from an IP group cannot be resolved, e.g., because a DNS server has not been configured or cannot be reached, this host will not be taken into consideration for the rule. Further entries in the IP group are not affected by this and are taken into consider­ation.

PROFINET RT

The hardware of the FL MGUARD 210X/410X/430X devices is designed in such a way that the WAN side (interface XF1) and the LAN side (interface XF2 or XF2-XF5) are securely separated from each other via the application processor.

In addition, the mGuard firmware 10.x is implemented in such a way that the transmission of Layer 2 datagrams such as PROFINET RT is excluded when using the "Router" network mode (default setting).

mGuard devices can therefore be used as a secure network boundary for PROFINET. They can be used as protective devices for PROFIsafe network cells in environments in which the uniqueness of the PROFIsafe addresses cannot be ensured.

The devices are used in accordance with the IEC 61784-3-3 standard (5.4.2 and 8.1.2).

 

7.1.1Incoming Rules

Netzwerksicherheit_Paketfilter_Eingangsregeln.png

Network Security >> Packet Filter >> Incoming Rules

Incoming

Lists the firewall rules that have been set up. They apply for incoming data connections that are initiated externally (WAN --> LAN).

Special firewall settings apply for the mGuard devices from the FL MGUARD 2000 series (see "Firewall settings for devices from the FL MGUARD 2000 series" on page 181).

All incoming connections are discarded (excluding VPN) in the default setting.

Section0800321.jpg
Section0800323.jpg

 

General firewall set­ting

Accept all connections: the data packets of all incoming connections are allowed.

Drop all connections: the data packets of all incoming con­nections are discarded.

Accept Ping only: the data packets of all incoming connec­tions are discarded, except for ping packets (ICMP). This set­ting allows all ping packets to pass through. The integrated protection against brute force attacks is not effective in this case.

Use the firewall ruleset below: displays further setting op­tions.

 

The following settings are only visible if “Use the firewall ruleset below” is set.

 

Interface

External, All

Specifies via which interface the data packets are received so that the rule applies to them. On devices of the FL MGUARD 2000/4000 series, only the External interface is available.

 

Protocol

All means TCP, UDP, ICMP, GRE, and other IP protocols

 

From IP / To IP

0.0.0.0/0 means all IP addresses. To specify an address area, use CIDR format (see "CIDR (Classless Inter-Domain Rout­ing)" on page 34).

Name of IP groups, if defined. When a name is specified for an IP group, the host names, IP addresses, IP areas or net­works saved under this name are taken into consideration (see IP/Port Groups tab page).

Section0800325.jpg
Section0800327.jpg

 

From port / To port

(Only for TCP and UDP protocols)

any refers to any port.

startport:endport (e.g., 110:120) refers to a port range.

Individual ports can be specified using the port number or the corresponding service name (e.g., 110 for pop3 or pop3 for 110).

Name of port groups, if defined. When a name is specified for a port group, the ports or port ranges saved under this name are taken into consideration (see IP/Port Groups tab page).

 

Action

Accept means that the data packets may pass through.

Reject means that the data packets are sent back and the sender is informed of their rejection.

Section0800329.jpg

Drop means that the data packets are not permitted to pass through. They are discarded, which means that the sender is not informed of their whereabouts.

Name of rule sets, if defined. When a rule set is selected, the firewall rules configured under this rule set take effect (see "Rule Records" on page 192).

Section0800331.jpg
Section0800333.jpg

 

Comment

Freely selectable comment for this rule.

 

Log

For each individual firewall rule, you can specify whether the use of the rule:

Should be logged – activate Log function

Should not be logged – deactivate Log function (default)

 

Log entries for unknown connection attempts

When the function is activated, all connection attempts that are not covered by the rules defined above are logged. (De­fault setting: deactivated)

7.1.2Outgoing Rules

Netzwerksicherheit_Paketfilter_Ausgangsregeln.png

Network Security >> Packet Filter >> Outgoing Rules

Outgoing

Lists the firewall rules that have been set up.

They apply

b)for outgoing data connections that are initiated internally (LAN --> WAN),

c)for data connections initiated from one VLAN network on the LAN side to another VLAN network on the LAN side.

Special firewall settings apply for the mGuard devices from the FL MGUARD 2000 series (see "Firewall settings for devices from the FL MGUARD 2000 series" on page 181).

A rule is defined by default that allows all outgoing connections.

Section0800335.jpg

 

General firewall set­ting

Accept all connections: the data packets of all outgoing con­nections are allowed.

Drop all connections: the data packets of all outgoing con­nections are discarded.

Accept Ping only: the data packets of all outgoing connec­tions are discarded, except for ping packets (ICMP).

Use the firewall ruleset below: displays further setting op­tions.

 

The following settings are only visible if “Use the firewall ruleset below” is set.

 

Protocol

All means TCP, UDP, ICMP, GRE, and other IP protocols

 

From IP / To IP

0.0.0.0/0 means all IP addresses. To specify an address area, use CIDR format (see "CIDR (Classless Inter-Domain Rout­ing)" on page 34).

Name of IP groups, if defined. When a name is specified for an IP group, the host names, IP addresses, IP areas or net­works saved under this name are taken into consideration (see IP/Port Groups tab page).

Section0800337.jpg
Section0800339.jpg

 

From port / To port

(Only for TCP and UDP proto­cols)

any refers to any port.

startport:endport (e.g., 110:120) refers to a port range.

Individual ports can be specified using the port number or the corresponding service name (e.g., 110 for pop3 or pop3 for 110).

Name of port groups, if defined. When a name is specified for a port group, the ports or port ranges saved under this name are taken into consideration (see IP/Port Groups tab page).

 

Action

Accept means that the data packets may pass through.

Reject means that the data packets are sent back and the sender is informed of their rejection.

Section0800341.jpg

.

Drop means that the data packets are not permitted to pass through. They are discarded, which means that the sender is not informed of their whereabouts.

Name of rule sets, if defined. When a rule set is selected, the firewall rules configured under this rule set take effect (see "Rule Records" on page 192).

Section0800343.jpg
Section0800345.jpg

 

Comment

Freely selectable comment for this firewall rule.

 

Log

For each individual firewall rule, you can specify whether the use of the rule:

Should be logged – activate Log action

Should not be logged – deactivate Log action (default)

 

Log entries for unknown connection attempts

When the function is activated, all connection attempts that are not covered by the rules defined above are logged. (De­fault setting: deactivated)

7.1.3DMZ

Network Security >> Packet Filter >> DMZ

Firewall rules for the DMZ

(Only for FL MGUARD 4305)

The DMZ can be protected against attacks from the internal network (LAN interface) and the external network (WAN interface) using a dedicated set of firewall rules. The settings are split into four possible directions of network traffic.

WAN DMZ

 

If no rule has been set, the data packets of all incoming con­nections (excluding VPN) are dropped
(default setting).

DMZ LAN

 

If no rule has been set, the data packets of all outgoing con­nections (excluding VPN) are dropped
(default setting).

DMZ WAN

 

A rule is defined by default that allows all outgoing connec­tions.

LAN DMZ

 

A rule is defined by default that allows all incoming connec­tions.

 

Protocol

All means TCP, UDP, ICMP, GRE, and other IP protocols

 

From IP / To IP

0.0.0.0/0 means all IP addresses. To specify an address area, use CIDR format (see "CIDR (Classless Inter-Domain Rout­ing)" on page 26).

Name of IP groups, if defined. When a name is specified for an IP group, the host names, IP addresses, IP areas or net­works saved under this name are taken into consideration (see IP/Port Groups tab page).

Section0800347.jpg

 

From port / To port

(Only for TCP and UDP proto­cols)

any refers to any port.

startport:endport (e.g., 110:120) refers to a port range.

Individual ports can be specified using the port number or the corresponding service name (e.g., 110 for pop3 or pop3 for 110).

Name of port groups, if defined. When a name is specified for a port group, the ports or port ranges saved under this name are taken into consideration (see IP/Port Groups tab page).

 

Action

Accept means that the data packets may pass through.

Reject means that the data packets are sent back and the sender is informed of their rejection.

Section0800349.jpg

.

Drop means that the data packets are not permitted to pass through. They are discarded, which means that the sender is not informed of their whereabouts.

Name of rule sets, if defined. When a rule set is selected, the firewall rules configured under this rule set take effect (see "Rule Records" on page 192).

Section0800351.jpg

 

 

Comment

Freely selectable comment for this rule.

 

Log

For each individual firewall rule, you can specify whether the use of the rule:

Should be logged – activate Log action

Should not be logged – deactivate Log action (default)

 

Log entries for unknown connection attempts

When the function is activated, all connection attempts that are not covered by the rules defined above are logged. (De­fault setting: deactivated)
Netzwerksicherheit_Paketfilter_DMZ.png

 

7.1.4Rule Records

Netzwerksicherheit_Paketfilter_Regelsaetze_01.png

Firewall rule records are used to combine firewall rules into one rule record. These can then be enabled or disabled together via the rule record.

A rule record – and thus all the firewall rules configured in it – could, for example, be con­trolled via an on/off switch or an established VPN connection (see "Management >> Service I/O" on page 103).

 

 

inset_66.jpg

Notes on the use of rule records that are only temporarily activated

In firewall rule records that are only temporarily activated (e.g. controlled by a switch), so-called "Allow rules" (Action = Accept) should always be used:

   The rule record is activated to allow the configured connections.

   The rule record is deactivated to block the configured connections.

"Deny rules" (Action = Reject/Drop) should not be used in temporarily activated rule re­cords, since corresponding already existing data connections would not be automatically terminated with the activation of the rule record.

 

 

 

inset_40.jpg 

If a connection associated with a firewall rule set has been established and is continuously creating data traffic, deactivation of the firewall rule set might not interrupt this connection as expected.

This happens because the (outgoing) response of a service on the LAN side creates an entry in the connection tracking table which enables a different (incoming) request from an external peer. This peer passes the firewall using the same parameters, however, it is not connected to the firewall rule set.

There are two ways to set up the mGuard so that it interrupts the associated connections when deactivating the firewall rule set.

Activate the "Allow TCP connections upon SYN only"  option under Network Security >> Packet Filter >> Advanced.

In the firewall, block the outgoing connections that operate via the port that is the des­tination for the incoming connections.

If, for example, the firewall rule set enables incoming data traffic on port 22, an outgoing rule can be set up that deactivates any data traffic coming from port 22.

 

Network Security >> Packet Filter >> Rule Records

Rule Records

(This menu item is not part of the FL MGUARD 2000 series functionality.)

 

Initial mode

Disabled / Active / Inactive

Determines the output state of the firewall rule set following a reconfiguration or restart.

The “Active/Inactive” setting is only applicable if a pushbutton is connected. If the firewall rule sets are controlled via a switch or VPN connection, they have priority.

If set to “Disabled”, the firewall rule set cannot be dynamically enabled. The firewall rule set is retained but has no influence.

 

Controlling service input or VPN connec­tion

Service input CMD 1-3 (I 1-3), VPN connection

The firewall rule set can be switched via a pushbutton/switch or a VPN connection.

The pushbutton/switch must be connected to one of the ser­vice contacts (CMD 1-3 / I 1-3).

 

State

Indicates the current state.

 

A descriptive name

The firewall rule set can be freely named/renamed.

 

Activate / Inactivate rule set

Activate / Inactivate

You can enable or disable the rule set by clicking on the ic_play_arrow_black_24dp_2x.png Activate and ic_stop_black_24dp_2x.png Inactivate icons.

Edit

The following tab page appears when you click on the ic_mode_edit_black_48dp_2x.png Edit Row icon:
Netzwerksicherheit_Paketfilter_Regelsaetze__EDIT.png

 

General

A descriptive name

The firewall rule set can be freely named/renamed.

 

Initial mode

Disabled / Active / Inactive

Determines the output state of the firewall rule set following a reconfiguration or restart.

The “Active/Inactive” setting is only applicable if a pushbutton is connected. If the firewall rule sets are controlled via a switch or VPN connection, they have priority.

If set to “Disabled”, the firewall rule set cannot be dynamically enabled. It is retained but has no influence.

 

Controlling service input or VPN connec­tion

Service input CMD 1-3 (I1-3), VPN connection

The firewall rule set can be switched via a pushbutton/switch or a VPN connection.

The pushbutton/switch must be connected to one of the ser­vice contacts (CMD 1-3 / I 1-3).

 

Use inverted control logic

Inverts the behavior of the connected pushbutton/switch or the controlling VPN connection.

If the controlling service input is configured as an on/off switch, it can activate one firewall rule set while simultaneously deac­tivating another, for example. The same is true for the con­trolling VPN connections.

 

Deactivation timeout

Activated firewall rule sets are deactivated after this time has elapsed.

0 means the setting is disabled.

Time in hh:mm:ss (1 day maximum)

The entry can be in seconds [ss], minutes and seconds [mm:ss] or hours, minutes, and seconds [hh:mm:ss].

Firewall Rules

Protocol

All means TCP, UDP, ICMP, GRE, and other IP protocols.

 

From IP

0.0.0.0/0 means all IP addresses. To specify an address area, use CIDR format (see "CIDR (Classless Inter-Domain Rout­ing)" on page 34).

Name of IP groups, if defined. When a name is specified for an IP group, the host names, IP addresses, IP areas or net­works saved under this name are taken into consideration (see IP/Port Groups tab page).

Section0800353.jpg

 

From port / To port

(Only for TCP and UDP proto­cols)

any refers to any port.

startport:endport (e.g., 110:120) refers to a port range.

Individual ports can be specified using the port number or the corresponding service name (e.g., 110 for pop3 or pop3 for 110).

Name of port groups, if defined. When a name is specified for a port group, the ports or port ranges saved under this name are taken into consideration (see IP/Port Groups tab page).

 

Action

Accept means that the data packets may pass through.

Reject means that the data packets are sent back and the sender is informed of their rejection.

Section0800355.jpg

Drop means that the data packets are not permitted to pass through. They are discarded, which means that the sender is not informed of their whereabouts.

Name of rule sets, if defined. When a rule set is selected, the firewall rules configured under this rule set take effect (see "Rule Records" on page 192).

Section0800357.jpg

 

Comment

Freely selectable comment for this rule.

 

Log

For each firewall rule, you can specify whether the use of the rule:

Should be logged – activate Log function

Should not be logged – deactivate Log function (default)

 

7.1.5MAC Filtering

 

 

inset_65.jpg 

This menu item is not part of the FL MGUARD 2000 series functionality.

The incoming and outgoing rules only apply to the Network mode Stealth.

 

Netzwerksicherheit_Paketfilter_MAC-Filter.png

 

The “Incoming” MAC filter is applied to frames that the mGuard receives at the WAN inter­face. The “Outgoing” MAC filter is applied to frames that the mGuard receives at the LAN interface.

In Stealth mode, in addition to the packet filter (Layer 3/4) that filters data traffic, e.g., according to ICMP messages or TCP/UDP connections, a MAC filter (Layer 2) can also be set. A MAC filter (Layer 2) filters according to MAC addresses and Ethernet proto­cols.

In contrast to the packet filter, the MAC filter is stateless. If rules are introduced, correspond­ing rules must also be created for the opposite direction.
If no rules are set, all ARP and IP packets are allowed to pass through.

 

 

inset_34.jpg 

When setting MAC filter rules, please note the information displayed on the screen. The rules defined here have priority over packet filter rules. The MAC filter does not support logging.

    

Network Security >> Packet Filter >> MAC Filtering

Incoming

 

Source MAC

xx:xx:xx:xx:xx:xx stands for all MAC addresses.

 

Destination MAC

xx:xx:xx:xx:xx:xx stands for all MAC addresses.

ff:ff:ff:ff:ff:ff stands for the broadcast MAC address to which all ARP requests are sent, for example.

 

Ethernet protocol

%any stands for all Ethernet protocols.

Additional protocols can be specified in name or hexadecimal format, for example:

IPv4 or 0800

ARP or 0806

 

Action

Accept means that the data packets may pass through.

Drop means that the data packets are not permitted to pass through (they are dropped).

 

Comment

Freely selectable comment for this rule.

Outgoing

The explanation provided under “Incoming” also applies to “Outgoing”.

7.1.6IP/Port Groups

Netzwerksicherheit_Paketfilter_IP-und-Portgruppen_01.png

IP and port groups enable the easy creation and management of firewall and NAT rules in complex network structures.

Host names, IP addresses, IP areas, and networks can be grouped in IP groups and identi­fied by a name. Likewise, ports or port ranges can be grouped in port groups.

If a firewall or NAT rule is created, instead of IP addresses/IP areas or ports/port ranges, the IP or port groups can be selected directly in the corresponding fields and assigned the rule.

 

 

 

inset_36.jpg 

NOTE: When using host names, there is always the risk of an attacker manipulating or blocking DNS requests (i.e. DNS spoofing). You should therefore only configure trust­worthy and secure DNS servers from your internal company network on the mGuard, so as to avoid these types of attacks.

For security reasons, IP groups that contain host names should not be used in firewall rules which execute “Drop” or “Reject” as the action.

 

 

inset_37.jpg 

Use of hostnames

Address resolution of hostnames is performed according to the DNS settings of the mGuard (see "Network >> DNS" on page 136).

If a host name can be resolved in several IP addresses, all IP addresses returned by the DNS server are taken into consideration.

If a host name from an IP group cannot be resolved, e.g., because a DNS server has not been configured or cannot be reached, this host will not be taken into consideration for the rule. Further entries in the IP group are not affected by this and are taken into consider­ation.

If a DNS server resolves a resolved host name with another IP address after the TTL has elapsed, an existing connection to the original IP address is not aborted.

 

 

inset_38.jpg 

mGuard devices of the FL MGUARD 2000 series

The use of host names in IP groups is not supported by mGuard devices of the FL MGUARD 2000 series.

Network Security >> Packet Filter >> IP/Port Groups

IP Groups

Name

The IP group can be freely named/renamed.

 

Comment

Freely selectable comment for this group/rule.

Edit

The following tab page appears when you click on the ic_mode_edit_black_48dp_2x00359.png Edit Row icon:
Netzwerksicherheit_Paketfilter_IP-und-Portgruppen__EDIT_IP-Gruppen.png

 

IP Group Settings

Name

The IP group can be freely named/renamed.

 

Comment

Freely selectable comment for this group/rule.

 

Host name, IP, IP range or network

The entries can specify a host name (e.g., mguard.com), an IP address (e.g., 192.168.3.1), an IP address area (e.g., 192.168.3.1-192.168.3.10) or a network in CIDR format (e.g., 192.168.1.0/24).

Section0800360.jpg
Section0800362.jpg

Port groups

Name

The port group can be freely named/renamed.

 

Comment

Freely selectable comment for this group/rule.

Edit

The following tab page appears when you click on the ic_mode_edit_black_48dp_2x00364.png Edit Row icon:
Netzwerksicherheit_Paketfilter_IP-und-Portgruppen__EDIT_Portgruppen.png

 

Port Group Settings

Name

The port group can be freely named/renamed.

 

Comment

Freely selectable comment for this group/rule.

 

Port or Port Range

The entries can specify a port (e.g., pop3 or 110) or a port range (e.g., 110:120 or 110-120).

7.1.7Advanced

The following settings affect the basic behavior of the firewall.

Netzwerksicherheit_Paketfilter_Erweitert.png

Network Security >> Packet Filter >> Advanced

Global Filters

(This menu item is not part of the FL MGUARD 2000 series functionality.)

 

Block URGENT-flagged TCP traffic

When the function is activated, packets with the URGENT flag set in the TCP header are blocked:

In network mode "Router", the connections over which corresponding packets are sent are terminated.

In network mode "Stealth", the corresponding packets are dropped.

TCP packets with the URGENT flag set that are routed through a VPN tunnel are also blocked.

Consistency Checks

(This menu item is not part of the FL MGUARD 2000 series functionality.)

 

Maximum size of “ping” packets (ICMP echo request)

Refers to the length of the entire packet including the header. The packet length is normally 64 bytes, but it can be larger. If oversized packets are to be blocked (to prevent bottlenecks), a maximum value can be specified. This value should be more than 64 bytes in order to not block normal ICMP echo re­quests.

 

Enable TCP/UDP/ICMP consistency checks

When the function is activated, the mGuard performs a range of tests to check for incorrect checksums, packet sizes, etc. and drops packets that fail these tests.

The function is deactivated by default.

 

Allow TCP keepalive packets without TCP flags

TCP packets without flags set in their TCP header are nor­mally rejected by firewalls. At least one type of Siemens con­troller with older firmware sends TCP keepalive packets with­out TCP flags set. These are therefore discarded as invalid by the mGuard.

When the function is activated, forwarding of TCP packets where no TCP flags are set in the header is enabled. This only applies when TCP packets of this type are sent within an ex­isting TCP connection established in the regular way.

TCP packets without TCP flags do not result in a new entry in the connection table (see "Connection Tracking" on page 202). If the connection is already established when the mGuard is restarted, the corresponding packets are still re­jected and connection problems can be observed as long as no packets with flags belonging to the connection are sent.

These settings affect all the TCP packets without flags. Acti­vation of this function therefore weakens the security func­tions provided by the mGuard.

Network Modes (Router/PPTP/PPPoE)

ICMP via primary external interface for the mGuard

ICMP via DMZ for the mGuard

 

This option can be used to control the behavior of the mGuard when ICMP messages are received from the external network via the primary external interface.

Section0800365.jpg

Drop: all ICMP messages to all IP addresses of the mGuard are dropped.

Allow ping requests: only ping messages (ICMP type 8) to all IP addresses of the mGuard are accepted.

Allow all ICMPs: all types of ICMP messages to all IP ad­dresses of the mGuard  are accepted.

Stealth Mode

Allow forwarding of GVRP frames

The GARP VLAN Registration Protocol (GVRP) is used by GVRP-capable switches to exchange configuration informa­tion.

When the function is activated, GVRP packets are allowed to pass through the mGuard in Stealth mode.

 

Allow forwarding of STP frames

The Spanning Tree Protocol (STP) (802.1d) is used by bridges and switches to detect and allow for loops in the ca­bling.

When the function is activated, STP packets are allowed to pass through the mGuard in Stealth mode.

 

Allow forwarding of DHCP frames

When the function is activated, the client is allowed to obtain an IP address via DHCP – regardless of the firewall rules for outgoing data traffic.

The function is activated by default.

Connection Tracking

Maximum table size

This entry specifies an upper limit. This is set to a value that can never be reached during normal practical operation. How­ever, it can be easily reached in the event of attacks, thus pro­viding additional protection. If there are special requirements in your operating environment, this value can be increased.

Connections established from the mGuard are also counted. This value must therefore not be set too low, as this will other­wise cause malfunctions.

 

Allow TCP connec­tions upon SYN only

SYN is a special data packet used in TCP/IP connection es­tablishment that marks the beginning of the connection estab­lishment process.

Function deactivated (default): the mGuard also allows connections where the beginning has not been registered. This means that the mGuard can perform a restart when a connection is present without interrupting the connection.

Function activated: the mGuard must have registered the SYN packet of an existing connection. Otherwise, the connec­tion is aborted.

If the mGuard performs a restart while a connection is present, this connection is interrupted. Attacks on and the hijacking of existing connections are thus prevented.

 

Timeout for estab­lished TCP connec­tions

If a TCP connection is not used during the time period speci­fied here, the connection data is deleted.

A connection translated by NAT (not 1:1 NAT) must then be reestablished.

If the "Allow TCP connections upon SYN only"  function has been activated, all expired connections must be reestab­lished.

Default setting: 120 hours (120:00:00)

The entry can be in seconds [ss], minutes and seconds [mm:ss] or hours, minutes, and seconds [hh:mm:ss].

 

Timeout for closed TCP connections

The timeout specifies how long the mGuard keeps a TCP-con­nection open when one side ends the connection with a "FIN packet", but the peer has not yet confirmed this.

Default setting: 1 hour (1:00:00)

The entry can be in seconds [ss], minutes and seconds [mm:ss] or hours, minutes, and seconds [hh:mm:ss].

 

Abort existing connec­tions upon firewall reconfiguration

When the function is activated (default), the existing con­nections are reset if the following applies:

If the "Allow TCP connections upon SYN only"  function has been activated and

The firewall rules have been adjusted or

If the function is activated (even without changing the fire­wall rules)

After changing the firewall rules, the mGuard behaves in the same way as after a restart. However, this only applies to the forwarded connections. Existing TCP connections are inter­rupted, even if they are allowed according to the new firewall rules. Connections to the device are not affected, even if the firewall rules have been changed for remote access.

When the function is not activated, the connections remain, even if the firewall rules changed would not allow them or would abort them.

 

FTP

If an outgoing connection is established to call data for the FTP protocol, two methods of data transmission can be used:

With “active FTP”, the called server establishes an additional counter-connection to the caller in order to transmit data over this connection.

With “passive FTP”, the client establishes this additional con­nection to the server for data transmission.

FTP must be activated (default) so that additional connec­tions can pass through the firewall.

 

IRC

Similar to FTP: for IRC chat over the Internet to work properly, incoming connections must be allowed following active con­nection establishment. IRC must be activated (default) in order for these connections to pass through the firewall.

 

PPTP

Default: deactivated

Must be activated if VPN connections are to be established using PPTP from local computers to external computers with­out the aid of the mGuard.

Must be activated if GRE packets are to be forwarded from the internal area to the external area.

 

H.323

Default: deactivated

Protocol used to establish communication sessions between two or more devices. Used for audio-visual transmission. This protocol is older than SIP.

 

SIP

Default: deactivated

SIP (Session Initiation Protocol) is used to establish communi­cation sessions between two or more devices. Often used in IP telephony.

When the function is activated, it is possible for the mGuard to track the SIP and add any necessary firewall rules dynami­cally if further communication channels are established to the same session.

When NAT is also activated, one or more locally connected computers can communicate with external computers by SIP via the mGuard.

7.2Network Security >> DoS Protection

7.2.1Flood Protection

 

 

inset_43.jpg 

This menu is not available on devices of the FL MGUARD 2000 series.

 

 

 

 

inset_70.jpg 

NOTE: Firewall setting affects DoS protection

The DoS protection of the device is not available, if in the menu Network Security >> Packet Filter >> Incoming Rules "Accept all connections" is selected as the General firewall setting (see "Incoming Rules" on page 183).

To provide DoS protection in this case, select the General firewall setting "Use the fire­wall ruleset below" and then create a firewall rule that accepts all connections.

 

Netzwerksicherheit_DoS-Protection.png

 

Network Security >> DoS Protection >> Flood Protection

Maximum number of new TCP connections (SYN)

Incoming/Outgoing

Outgoing: default setting: 75

Incoming: default setting: 25

Maximum values for the number of incoming and outgoing TCP connections allowed per second.

They are set to a value that can never be reached during nor­mal practical operation. However, they can be easily reached in the event of attacks, thus providing additional protection.

If there are special requirements in your operating environ­ment, these values can be increased.

Maximum number of ping frames (ICMP echo request)

Incoming/Outgoing

Outgoing: default setting: 5

Incoming: default setting: 3

Maximum values for the number of incoming and outgoing “ping” packets allowed per second.

They are set to a value that can never be reached during nor­mal practical operation. However, they can be easily reached in the event of attacks, thus providing additional protection.

If there are special requirements in your operating environ­ment, these values can be increased.

The value 0 means that no “ping” packets are allowed through or in.

Maximum number of ARP requests or ARP replies each

(Only in "Stealth" network mode)

Incoming/Outgoing

Default setting: 500

Maximum values for the number of incoming and outgoing ARP requests or replies allowed per second.

They are set to a value that can never be reached during nor­mal practical operation. However, they can be easily reached in the event of attacks, thus providing additional protection.

If there are special requirements in your operating environ­ment, these values can be increased.

7.3Network Security >> User Firewall

 

 

inset_44.jpg 

This menu is not available on devices of the FL MGUARD 2000 series.

 

The user firewall is used exclusively by firewall users, i.e., users who are registered as fire­wall users (see "Authentication >> Firewall Users" on page 159).

Each firewall user can be assigned a set of firewall rules, also referred to as a template.

If a user firewall template or a firewall rule of a template is added, changed, deleted or dis­abled, this immediately affects all firewall users who are logged in.

Existing connections are interrupted. One exception is changing user firewall rules if the function   "Abort existing connections upon firewall reconfiguration"   is deactivated under  Network Security >> Packet Filter >> Advanced  . In this case, a network connection that exists due to a previously permitted rule is not interrupted.

 

 

inset_69.jpg 

If a firewall ruleset (template) is disabled, affected logged in firewall users still appear as logged in. However, the firewall rules from the disabled template no longer apply to them.

If a firewall ruleset (template) is disabled and then enabled again, affected logged in fire­wall users must first log out and then log in again to reactivate the firewall rules from the template for themselves.

 

7.3.1User Firewall Templates

Netzwerksicherheit_Benutzerfirewall_Benutzerfirewall-Templates_01.png

All defined user firewall templates are listed here. A template can consist of several firewall rules. A template can be assigned to several users.

Defining a new template:

In the template table, click on the ic_add_circle_outline_black_48dp_2x.png Insert Row icon to add a new table row.

Click on the ic_mode_edit_black_48dp_2x00367.png Edit Row icon.

Editing a template:

Click on the ic_mode_edit_black_48dp_2x00368.png Edit Row icon in the relevant row.

Network Security >> User Firewall >> User Firewall Templates

 

Enabled

Activates/deactivates the relevant template.

 

A descriptive name

The name of the template. The name is specified when the template is created.

General

The following tab page appears when you click on the ic_mode_edit_black_48dp_2x00369.png Edit Row icon:
Netzwerksicherheit_Benutzerfirewall_Benutzerfirewall-Templates__EDIT_Allgemein.png

 

Options

A descriptive name

The user firewall template can be freely named/renamed.

 

Enabled

When the function is activated, the user firewall template be­comes active as soon as firewall users log into the mGuard who are listed on the Template Users tab page (see below) and who have been assigned this template. It does not matter from which computer and under what IP address the user logs in. The assignment of the firewall rules to a user is based on the authentication data that the user enters during login (user name, password).

 

Comment

Optional explanatory text.

 

Timeout

Default: 8 hours (8:00:00)

Specifies the time at which point the firewall rules are deacti­vated. If the user session lasts longer than the timeout time specified here, the user has to log in again.

The entry can be in seconds [ss], minutes and seconds [mm:ss] or hours, minutes, and seconds [hh:mm:ss].

 

Timeout type

Static / Dynamic

With a static timeout, users are logged out automatically as soon as the set timeout time has elapsed.

With dynamic timeout, users are logged out automatically after all the connections have been closed by the user or have expired on the mGuard, and the set timeout time has subse­quently elapsed.

An mGuard connection is considered to have expired if no more data is sent for this connection over the following peri­ods.

 

Connection expiration period after non-usage:

TCP: 5 days (this value can be set, see "Timeout for established TCP connections" on page 202). 120 seconds are added after closing the connection. (These 120 sec­onds also apply to connections closed by the user.)

UDP: 30 seconds after data traffic in one direction; 180 seconds after data traffic in both directions

ICMP: 30 seconds

Others: 10 minutes

 

VPN connection

Specifies the VPN connection for which this user firewall rule is valid.

This requires existing remote access through the VPN tunnel to the web interface.

Network Security >> User Firewall >> User Firewall Templates >> Edit > ...

Template Users

Specify the names of the users here. The names must correspond to those that have been defined under the Authentication >> Firewall Users menu (see Page 159).
Netzwerksicherheit_Benutzerfirewall_Benutzerfirewall-Templates__EDIT_Templatze-Benutzer.png

 

Firewall Rules

Firewall rules for the user firewall templates.

When the template is configured with dynamic timeout approved UDPs and other net­work packets (excluding ICMP), reset the dynamic timeout to the initial value.

Netzwerksicherheit_Benutzerfirewall_Benutzerfirewall-Templates__EDIT_Firewall-Regeln.png

 

 

Source IP

IP address from which connections are allowed to be estab­lished. If this should be the address from which the user logged into the mGuard, the placeholder “%authorized_ip” should be used.

Section0800370.jpg

 

Protocol

All means TCP, UDP, ICMP, GRE, and other IP protocols.

 

From port / To port

(Only for TCP and UDP proto­cols)

any refers to any port.

startport:endport (e.g., 110:120) > port range.

Individual ports can be specified using the port number or the corresponding service name (e.g., 110 for pop3 or pop3 for 110).

Name of port groups, if defined. When a name is specified for a port group, the ports or port ranges saved under this name are taken into consideration (see "IP/Port Groups" on page 197).

 

To IP

0.0.0.0/0 means all IP addresses. To specify an address area, use CIDR format (see "CIDR (Classless Inter-Domain Rout­ing)" on page 34).

Name of IP groups, if defined. When a name is specified for an IP group, the host names, IP addresses, IP areas or net­works saved under this name are taken into consideration (see "IP/Port Groups" on page 197).

Section0800372.jpg

 

Comment

Freely selectable comment for this rule.

 

Log

For each firewall rule, you can specify whether the use of the rule:

Should be logged – activate Log function

Should not be logged – deactivate Log function (default)