Forum

This is the page containing the posts from users.


76 Responses to “Forum”

  1. mohammedan Says:

    I want to disable spoofing on a StoneGate firewall for one trusted network, kindly help me.

  2. christoph Says:

    mohammedan> In the top menu, go to Configuration > Antispoofing.
    Select your firewall,
    right-click on the trusted network for which you want to disable spoofing,
    and select Disable.

    regards,

  3. devil_ Says:

    Hello, I use user authentication on policy, and I have a question…
    Is it possible that the web page uses StoneGate credentials in the connection method?

    Thanks in advance

  4. RoarinPenguin Says:

    To my knowledge it is not possible since those credentials are not passed back to the client and web page handles conversation with client’s browser and not with firewall itself.
    However, Single Sign On type of operations can be handled using StoneGate SSL VPN solution.
    Regards,
    RoarinPenguin

  5. hsenzarzis Says:

    Hi,
    I need to add the SSL VPN in my SMC, please help.
    Best regards

  6. teroja Says:

    1. Create a new SSL VPN Gateway element in SMC (you can create it for example from System Status view)
    2. Right-click that element and select “Configuration – Save Initial Configuration”
    3. Take note of the one-time password that is shown in the dialog
    4. Log in to the SSL VPN Web Console and use the one-time password to perform initial contact through “System – Initial Contact”. In the case of a mirrored pair, do this for both nodes (using different passwords).

    See more information in the SMC Administrator’s Guide (especially pages 336 and 406): http://www.stonesoft.com/en/support/technical_support_and_documents/manuals/current/

  7. DR Says:

    To hsenzarzis:
    Please also note that there are minimal requirements for the SMC and SSL versions. As most of the time I use the most recent ones, it is not a problem in my case :) But as far as I remember, SSL v1.2 and later started to be supported in SMC 4.3.

  8. noah.m Says:

    I am new to StoneGate and have done this on other firewalls.
    WAN on interface 5 with 2 IPs: xxx.xxx.xxx.74 & yyy.yyy.yyy.2
    Interface 3 holds production traffic
    Interface 4 holds an outsourced set of networks

    I would like to route all traffic from interface 4 through an IP on interface 5 (xxx.xxx.xxx.72/29) to a next hop of (xxx.xxx.xxx.73) to control some issues we have with that group.
    But I need all of interface 3 traffic to go through interface 5 through IP (yyy.yyy.yyy.1/24) to next hop (yyy.yyy.yyy.1).

    Help, I feel a bit lost.

  9. DR Says:

    Hi, noah.m!
    I feel that you need PBR (policy-based routing) in this kind of scenario – go into the FW properties and click on the “advanced settings” tab. Then select “advanced routing”. Refer to the administrator’s guide for a detailed reference.
    I also think that a detailed discussion about this non-typical setup is required (I personally would stay away from using PBR as long as I can) – feel free to consult your local dealer for a good implementation plan or StoneSoft technical support for assistance (it is difficult to imagine the whole picture and exchange details within a small forum post).

  10. SideKick Says:

    Hi Noah.m,
    While StoneGate does have policy based routing within the product, there is an easier and cleaner way to accomplish your task. This actually comes down to the NAT rules you put in place. Simply put, add a rule for interface 4 above your OutBound LB rule. It would look something like this.

    Your rule for controlling Interface 4
    Src Add — Interface 4
    Dst Add — Internet
    Service — Whatever is needed
    NAT — Dyn Src NAT to xxx.xxx.xxx.72

    Your Rule for all Outbound Traffic by default (Or just Interface 3)
    Src Add — Internal Networks
    Dst Add — Internet
    Service — Whatever is needed
    NAT — Dyn Src — OutBound LB Element.

    Hope this helps.

  11. jbenito Says:

    Hi,

    I don’t understand the cluster configuration very well.

    For example, if I have a WAN connection with this range (194.30.100.30/255.255.255.240) and a LAN with this range 192.168.1.0/255.255.255.0, I have to configure a single firewall with 194.30.100.32 & 192.168.1.2 and the other single firewall with 194.30.100.33 & 192.168.1.3.

    Then, when I create a new cluster node, I have to put the following in the interface:

    CVI -> 192.168.1.1
    NDI -> Node 1 -> 192.168.1.2
    NDI -> Node 2 -> 192.168.1.3

    CVI -> 194.30.100.31
    NDI -> Node 1 -> 194.30.100.32 -> the IP of one of the single firewalls
    NDI -> Node 2 -> 194.30.100.33 -> the IP of the other single firewall

    When I have done this, I can install the policy.

    Are the interfaces defined OK?

  12. admin Says:

    @jbenito:
    They look OK, but do not forget to configure the heartbeat network as well (I recommend it to be a dedicated network, maybe backed up by a secondary heartbeat network).
    Also, you have to define the interfaces “looking” to SMC as “control interfaces”, and you should configure at least the default gateway in the Routing tab (this is not mandatory if SMC is sitting on a network directly connected to the firewall cluster).
    Once you’re done with this, you can push a policy.

  13. XPC Says:

    How to do with “Phase 1 negotiation failed. The gateway did not send any Vendor IDs” when trying to connect to a new gateway with Ipsec VPN Client?
    Help, please…

  14. aepelde Says:

    Hello,

    Between 2 sites with Stonesoft firewalls we have two interconnection possibilities:
    - MPLS network
    - VPN site to site (xDSL)
    But I can’t create only one VPN with MPLS and DSL because our MPLS ISP doesn’t support it.

    I want to define High Availability with these two lines, assigning critical traffic to MPLS and the rest to xDSL.

    Is it possible? How can I do it?

    Thanks in advance,
    Aitor Epelde

  15. luchino7773 Says:

    Hello,
    I tried to configure a third party logging profile following the documentation (and examples taken from stoneblog). I noticed that pattern validation (either pasting rows or importing a file) works only if the management client is running on Windows (if you make the same test using a Linux machine, the validate button does nothing).
    Is it a known issue?

    Thanks in advance

  16. SideKick Says:

    @XPC — Do you still have this issue? What versions of FW and client are you using?

  17. SideKick Says:

    @ aepelde

    Try configuring the MPLS like any other ISP and use both endpoints in your Site-to-Site configuration. Then disable the crisscross tunnels from the MPLS to ISP and ISP to MPLS since they won’t work anyway.

    This will give you two tunnels, and if you want MPLS to be the primary and only use the ISP when the MPLS circuit is down, then list the ISP-to-ISP tunnel as Standby.

  18. SideKick Says:

    @luchino7773

    I would recommend opening a ticket with Stonesoft Support and telling them the version you are using. I haven’t seen that before myself, so you can also upgrade to the latest SMC before opening a ticket, or open a ticket with a screenshot of the missing button.

    The more info you can give them the more chances they have to duplicate it.

  19. Slinky Says:

    I’ve tried various incarnations of the following to access our SMC (4.3.6) when out of the office using the Webstart client and monitor. I use both applications happily from the office LAN.

    ssh -l user -L8913:smcserv:8913 company.com # client
    ssh -l user -L8919:smcserv:8919 company.com # monitor

    After I fire off my access credentials I’m prompted with a couple of errors.

    Error

    Internal failure
    Connection to Management Server failed.
    Connection with the Management Server was lost. You have to restart the StoneGate Management Center.
    Connection to server failed.
    Connection with the Management Server was lost. You have to restart the StoneGate Management Center.
    Connection refused

    Error

    Failed to initialise screen lock. Application cannot be started.
    Connection to Management Server failed.
    Connection to Management Server failed.
    Connection with the Management Server was lost. You have to restart the StoneGate Management Center.
    Connection to server failed.
    Connection with the Management Server was lost. You have to restart the StoneGate Management Center.
    Connection refused

    Any idea what the problem could be?

  20. SideKick Says:

    @Slinky — If you are indeed getting an error, then I highly recommend that you open a ticket with support and let them resolve your issue. Also, if you use those commands internally without issue, I can only guess that it is not passing through a firewall. Am I correct? The Client to the Mgmt server needs ports (TCP) 8902 – 8913 and for the monitoring client, you need ports (TCP) 8919 to 8921. Therefore, please make sure that these ports are allowed through the firewall.

  21. adddt Says:

    Hello, is there any option or workaround to make
    Server Pool Monitoring Agents work on Windows 2008 64-bit?
    ( PS in the release notes, no version of Windows Server 2008 is supported :( )

    I have tried a lot of tricks, but the Server Pool doesn’t recover, or doesn’t know when to exclude a server.

    ( port listening or HTTP answer )

  22. Javi Says:

    Hello,

    I’m going to upgrade my single firewall to cluster. I have the next interfaces:

    - LAN
    - DMZ
    - WAN1
    - WAN 2
    - WAN3

    Would it be possible for the LAN interface to be configured as a Control Interface (C), Authentication Interface (A) and default outgoing route (O)??

    Then I would configure another free interface as a Heartbeat (H).

    Thanks

    Javi

  23. RoarinPenguin Says:

    Yes, provided that interface is reachable and uses routable IP addresses

  24. jebATpop-i Says:

    I can’t find a way to contact you guys here, to give an overview of the MultiLink VPN installation with over 100 firewalls, to show it actually works ;)

  25. RoarinPenguin Says:

    @jebATpop-i: hello. If you want to share your positive experience with StoneGate, register as a user @ http://stoneblog.stonesoft.com/wp-login.php.
    I will promote you as an author and you will be able to write posts.
    Thank you.

  26. jebATpop-i Says:

    RoarinPenguin: I already did that, user is: jebATpop-i ;)

    See you on April 27-28th in Helsinki?

  27. RoarinPenguin Says:

    Oh, sorry… was looking without dash :)

    Now you’re an author, use the Power with wisdom…

    About end of april, don’t know yet…

  28. Frank Says:

    Hi all,
    I just wanted to ask if there is no need anymore to have RAID in SG Appliances since there is 1 single SSD built in?
    Any experiences with that?

    I’m happy for any answer
    Many Thanks and best regards
    kippis
    Frank

  29. Javi Says:

    Hello,

    I’ve configured two rules to publish the SIP and RTP protocols.

    When I try to connect a softphone to my VoIP server I can’t. I have seen these logs in my StoneGate:

    Connection closed by inspection.

    How can I fix it?

    Best Regards,

  30. stesoo Says:

    Ciao, I have a problem with StoneGate 5.0.0.
    I have added a new user with their own password (VPN client), but when I try to connect with the VPN it doesn’t accept the new user.
    We have ‘User DB replication’ active, but maybe I need to reset the user DB.
    Question: we have 2 nodes….
    Should I reset both cluster nodes?
    If I reset user DB replication, can I lose some information or not? And which information can I lose with a reset of ‘User DB replication’?
    Thanks in advance

  31. jebATpop-i Says:

    Hello Stesoo,

    Click on your Firewall, and select the “Nodes” to see the status.
    “User DB” says “OK” there.
    Now right-click on the Firewall, select “Options/User DB replication”. The User DB now shows “Disabled”.

    If you now select “Options/User DB replication” again, the status goes from “Pending” to “Connecting” to “OK”. All local users are now synchronized again.
    I don’t know when the SMC synchronizes them itself, it will in time. But this will definitely resync.

    I guess authentication during the “Disabled” and “Pending” states is not possible; at my site this is approx. 20 seconds.

  32. stesoo Says:

    Thank you for your answer,
    if I select reset user DB, the user takes my new password, but if I use your suggestion it has no effect.
    Now, the problem is that I must reset the user DB every time to synchronize the user DB.
    Some solution?? Please……

  33. SideKick Says:

    @stesoo — Personally, first I would upgrade since you are many versions behind and most of the time upgrading will resolve your issue.

    The other thing I would do is search the support website. You can either put in a search term to try and find anything that might explain your issue. Or, and this is my favorite method, you can simply select ‘Known Issues’ under Document Type and hit submit.

    Now you can search your version for both your engines or SMC and see if there is anything relating to that by clicking the version you’re using and searching the page.

    It also provides you the extra benefit of realizing how many versions have been released and whether you are close to the latest version.

  34. uffa2000 Says:

    I’m using StoneGate_IPsec_VPN_5.0.2.202; it worked until some days ago, but now when I try to connect to the gateway it gives the following error:

    Failed to acquire virtual ip address

    I tried to reinstall but it does not work anymore. Why?

  35. sshoaib Says:

    I would like to block torrent data download. Any ideas how I can do this with the StoneGate FW? Ideally I would apply it to a particular internal VLAN so that students cannot use their laptops to download .torrent files at home and then download the data at school.
    thanks

  36. hainleg Says:

    Hi, I’m a novice in StoneGate and I have a problem.
    I want to connect 2 computers in different VLANs, for example
    pc1 192.168.3.2/24
    pc2 192.168.4.2/24
    I have to connect both with a virtual StoneGate firewall,
    so the first interface connected to pc1 has this address 192.168.3.1/24 (I put them in the same VLAN)
    and the one connected to pc2 has 192.168.4.1/24 as address (same VLAN).
    So I managed the configuration of the appliance with adequate policies,
    and the ping between the firewall’s interfaces and the computers connected
    to it passes, but the ping between the two computers doesn’t pass.
    Please, I need help

  37. hainleg Says:

    Hello, I resolved my problem…

  38. SideKick Says:

    @sshoaib — You would need to use the IPS to really resolve your issue. The firewall does not handle all the combinations you need.

  39. thomas Says:

    Hi all. I am new here. I hope that this is the correct place to ask for help. I am new to SG solutions. I have a StoneGate two-node cluster (version 5.0.4 #7060), ver. of SG Management Center is 5.0.0 [8040]. Problem: from the internal network ~10 users are connecting to the same VPN server placed outside – in general it’s working, but from time to time they are not able to connect (connection stops on “verifying user name…”). In the logs I have:
    Service: GRE,
    Action: discard,
    Event: Requested NAT cannot be done, Information: “Dynamic NAT connection between these hosts is denied, because of excessive number of them. This may be a result of a virus attack.”
    How to solve that issue? Where can the number of NAT connections be defined?
    I am lost completely – appreciate any advice.

  40. hurleyc Says:

    Question: I have ipsec client VPN services running on an SG 1200 cluster using password authentication. The Windows client is running great. Can anyone explain to me the steps required to configure a Linux client? I am using Ubuntu 10.04. Thanks in advance for any assistance.

  41. krugger Says:

    @thomas – Maybe you need to allow more ports for the dynamic NAT. Each connection will consume at least one port.

  42. thomas Says:

    @krugger
    Glad that you responded.
    As I found in the documentation and as you wrote – there may be a lack of ports,
    but in NAT I have the whole high port range defined, so it shouldn’t be an issue,
    or I checked it in the wrong place. Can you advise me where to define it?
    The log also states that this is only a temporary block; after a while it’s working again (but it’s business – there is no place for “wait” :-) )
    I am a lamer in SG (because till now I used MS ISA)
    Regards

  43. SideKick Says:

    If you have temp blocking of nat, then it most likely has a more detailed description in the info field.

    Can I assume it’s to the same server over the web? If so, set up a new NAT rule that uses a different public IP as the source NAT and only that given server in the destination field.

  44. elias Says:

    Dear all, I would like to configure QoS for the internet access. I have two links with the same speed, but I have some doubts:
    - Do I have to set a QoS class on all the access rules using these links?
    - Do I have to set the link speed and QoS Policy just on the interface these links are connected to, or also on the one connected to the LAN? Someone told me I should set it on all the interfaces the traffic was going through, in or out.
    Thanks.

  45. paulbenignos Says:

    Hi all,

    I’d like to inquire whether iPhone, iPad and Android VPN are compatible with StoneGate. We tried using IPsec PSK, but we were not successful. I wonder if StoneGate supports the L2TP/IPsec protocol. Thanks in advance! =)

  46. carlopmart Says:

    Hi all,

    Is it possible to integrate OSSEC logs into SMC?? Any examples please??

    Many thanks.

  47. teroja Says:

    carlopmart, according to OSSEC’s manual, it is possible to forward OSSEC logs to a syslog server: http://www.ossec.net/main/manual/manual-sending-alerts-via-syslog/. So, you just need to create a logging profile in your SMC and assign it to the host element that is sending the logs. Here is a video that shows you how the logging profile can be created with SMC: http://stoneblog.stonesoft.com/wp-filez/videos/logging_profile.swf. The GUI has changed a bit since this video was made, but you should get the idea of how the log parsing works in SMC…

  48. musicman74 Says:

    Hi all
    Does anyone have a problem moving a firewall into a newly created Domain?
    The blue bar gets to 50% and then stays there and doesn’t show anything more…
    The SMC is 5.2.3 and the FW 5.2.4
    Thanks
    Bye
    LUCA

  49. jkitru Says:

    I would like to give a secondary management IP address to my spoke FW so that it will register to my DR site SMC (MGT server). How is this possible? Does Stonesoft have any DR solution? We have an HA licence for SMC (DR to DC).

    Please guide me if anybody can.

  50. Anas EL IDRISSI Says:

    Hello,

    I have my StoneGate firewall behind an ADSL router, and I try to set up a VPN for a remote client using Stonesoft, but it doesn’t work.
    Could someone help me, and show me how to settle this?

    Regards

  51. headcrash Says:

    Hello,

    I am looking for help with StoneGate SG-500 devices. It would be best in German, as my English is not that perfect.

    Thanks

  52. jlek Says:

    Hi,
    I’m new to Stonesoft products,
    I’m testing the StoneGate SSL VPN, but I have some problems.
    I want to add a user to a group and I don’t see how I can do it.
    Another question: to make an application like ssh available, should I create a tunnel?

  53. RoarinPenguin Says:

    Hello.
    To add a user in a group you have different alternatives. This post could shed some light about them.
    About your second question, yes, you can create a tunnel resource and a tunnel set.
    Hope this helps, enjoy SSL VPN!

  54. jlek Says:

    Hello,
    In fact I have created 4 user accounts manually and they are not in a specific group.
    I want to give these users access to resources, but I can’t.
    I explain my problem in French:
    In fact I created user accounts, I would like to allow them to access resources but I can’t manage it.
    Do they have to automatically be in a group? If so, I can’t manage to add them to a group.
    For example I created a group that I called “group de test” which is a group of type User property group.
    And I have been stuck since

  55. RoarinPenguin Says:

    Yes, resources are created and protected by user membership group. The logic is not really “I assign a user to a group”, but it is more “I protect a resource with a criteria based on group membership”.
    Hence I think you need to create an Access Rule based on group membership, locate the property group you have created and save.
    Then you protect the resource with the access rule you have created.
    Hope this helps.

  56. jlek Says:

    OK, I’ll test it and tell you if it does what I want.

  57. jlek Says:

    I have made an error: I moved configuration files, so now I can’t access the default page of my SSL VPN.
    What is the first file which is loaded when I run my SSL VPN in the browser, and where can I locate it?
    Thanks

  58. jlek Says:

    Is there an alternative to uninstall?

  59. RoarinPenguin Says:

    I cannot advise on this since details are missing… I suggest you open a ticket with Support because the troubleshooting should continue by other means.
    Thank you.

  60. jlek Says:

    Thank you for everything RoarinPenguin,
    Now my users have access to the resources that I have added and they can access the default page.

  61. jlek Says:

    I think that it was a network problem, because I restarted my interface and my VPN also.
    About the index file, I retrieved a copy and moved it to the right place.

  62. jlek Says:

    On the main menu, click Manage Resource Access,
    then Global Resource Settings, and in the Client Access tab I changed
    Default Page: /wa_default to Default Page: /wa/_welcome.html
    and my users can now choose their authentication mode.

  63. RoarinPenguin Says:

    Yes, correct.
    Glad you fixed. Enjoy!

  64. Seb Says:

    Hello,
    I try to use multilink VPN (1 tunnel in active mode and 1 in standby mode). When the standby tunnel becomes active, it automatically closes itself as soon as there is no connection required in the tunnel (although the lifetime of the tunnel is fixed to 480 min by default). If I try to ping a piece of equipment over the VPN tunnel (and there was no connection before), 4 packets are lost before it answers. Are there some specific settings to configure to get around this issue?

    Thanks
    Sebastien

  65. landrew.yuki Says:

    Hello,
    I have two SMC console, each SMC is equipped with managing 2 node license. Is it possible for me to consolidate two SMC console into one ?

    That is, could I install 2x two node license into the same SMC such that I could manage 4 nodes at the same time ?

  66. peter.ros Says:

    Link status alerts

    Hello,
    During the last month we have had “link-status” down-up messages on a firewall interface. The LAN group sees the same in their logs, switch ports going down-up, at the same time.
    But none of us knows the cause: firewall, switch, others?
    (We have firewall and switch logs)

    Please, can anyone suggest possible causes, or point me to which logs I need to review to get the causes?
    Thanks in advance.

  67. sova1 Says:

    Hi,

    Could someone please let me know how to create a new access rule for the FaceTime app using ports 80, 53, 44, 4080, 5223 and UDP 16399-16472.

    Thanks,

    George

  68. sova1 Says:

    Found it, thanks.

    George

  69. SideKick Says:

    No, unfortunately you can not combine your two into one SMC and manage 4. Unless of course, when you say 4 devices, if they are in a cluster and you really only have 2 end devices, then you’re ok. If you really have 4 end devices, you need to talk to your Sales Rep and get an SMC-5.

  70. jon2007 Says:

    HI ,
    Can you give me the method to configure StoneGate with an external CA (certification authority)? It is a Microsoft CA.
    and thanks

  71. carlopmart Says:

    Hi all,

    I have problems defining Access and NAT rules for rules. I have read all the docs and this blog post http://stoneblog.stonesoft.com/2011/05/stonegate-5-3-access-control-by-zones/, but for me it doesn’t work. I have defined all zones under the interface options in the firewall configuration. When I try to create a NAT or Access rule, validation returns this error every time:

    “The rule @XXX.B is ignored. There is no Source address. Missing Definitions”.

    Trying to add some network, for example NetA, to the source or destination produces the same error. Why? What am I doing wrong??

    Thanks.

  72. Tero Jantunen Says:

    carlopmart, I recommend that you contact Stonesoft support and inform them what version of SMC and FW you are currently running and what your rule was exactly.

    Anyway, there is one known issue that is triggered when both Zones and IP-based elements are used in the same Src or Dst cell:
    https://my.stonesoft.com/support/document.do?product=StoneGate&docid=1074049

  73. carlopmart Says:

    Thanks Tero. I’ve seen this bug in the SMC 5.3.3 release notes. But my problem appears with simple rules like:

    Source: Internal_Zones
    Destination: Any or any other object, the result is the same.
    Service: Any or any other object, the result is the same.

    Is this problem normal with simple rules?? I have found only one case where zone rules work: under the main firewall policies as a destination in access rules. It doesn’t work under sub-policies either …

    Until I open a support ticket (I am using a trial license at this moment), am I doing something wrong??

  74. Tero Jantunen Says:

    Are you sure you have tagged the physical (or VLAN) interfaces of your target engine with the Zone element you are using? The error message claims that SMC generates an empty configuration for this rule. So it does not find any interfaces on the target engines that would have this specific zone as a tag.

    We have tested that Zone matching succeeds with the most recent SMC and FW versions without a problem in the scenario you described. I would recommend that you contact Stonesoft support and provide them more detailed information about the engine and policy configuration you are using.

  75. Marcello di Pasquale Says:

    Good morning. I seemingly have some trouble with certificates. When I try to install a policy I receive the following error message: Received fatal alert: certificate_expired. I receive the same message when I try to get sginfo from the firewall nodes. However, if I go to Configuration –> Configuration –> Administration –> Other Elements –> Internal Certificates (even in Internal Certificate Authority), all my certificates are active. I tried to make an initial contact with one of my nodes, but nothing changes. Did anyone have the same problem?
    Thanks to all.
    Regards.

  76. luchino7773 Says:

    Hello.
    I’m trying to install a policy on a single firewall connected via PPPoE (unfortunately with a dynamic IP address).
    SMC and Log Server are statically NATed by another cluster; contact was successful, but every time I try to install a simple policy I get a message like
    Failed to connect to Reverse DCP dynamic for {StoneGate firewall node ID:343 SN:1014} … Error 4987
    Did anyone have this kind of problem?

    Best regards!
