Jul 05
There is a nice new shortcut in SMC 5.2 that lets you convert an old policy snapshot into a new policy in the SMC. Just right-click any policy snapshot element and select Tools > Restore… The system then imports the snapshot into the SMC as a new policy element. This is a nice backup feature if you need to revert to a previous policy version.

In SMC 5.2, you can also restore an old version of an individual element to your current SMC. Just open an old policy snapshot, right-click the element and select “Restore” from the menu that opens.

Both of these restore actions launch the Import process, in which you can still review the changes and change the import action (Import/Do Not Import/Rename). See more details about Import Enhancements in SMC 5.2 here.
written by teroja - 334 views
\\ tags: Policy, Policy Snapshot, Restore, revert policy, SMC
Jul 02
This picture visualizes lots of small enhancements made to policy editing:

written by teroja - 205 views
\\ tags: Policy, rule, rules, SMC
Jun 28
In many environments, Network Address Translation (NAT) is used very extensively. That has resulted in hundreds or even thousands of NAT rules in Firewall Policies. To help manage all these NAT rules, we have now introduced two nice features that you may have already used on the Access Rules side.
written by teroja - 275 views
\\ tags: counters, firewall, Links, NAT, NAT rule, Policy, rule, rule tags, Shortcuts, SMC
Jun 25
Administrators can now limit the number of connections to a service per source and/or destination IP. This limit is configured in FW Access Rules. Just select Permit as the action, open the Action Options dialog and use these new settings there:

The limits are valid per Source or Destination address. So if there are multiple Source or Destination addresses used in the policy, the limit applies to all of them separately. As you can see from the snapshot above, you can limit the connections by source and destination simultaneously.
written by teroja - 217 views
\\ tags: Connection limiting, Connections, firewall, Limit, Policy, rules, SMC
Feb 06
StoneGate 5.0 allows you to create new policy rules based on the selected log records. With a couple of clicks you can change the action for the specific log records, create an alert for the next time the record appears, or just say that you don’t want to get log records for that specific type of event anymore.

How does it work?
- Launch one of the “Create rule…” actions in the log entry’s right-click menu or in the Log Details view
- A preview of the auto-generated rule is displayed in the dialog. The system auto-generates the host elements if no hosts already exist with the src and dst addresses of the log entry. The system also figures out which policy is currently installed on the engine that sent the specific record and changes the action and logging level according to your wishes.
- As the last step you can optionally open the desired policy for editing and drag & drop or cut & paste the rule to the correct location. By default, the rule is added to the beginning of the policy.
The Create rule shortcuts are a really convenient way to solve network issues in real time with just a couple of clicks. However, we recommend that you manually group and reorganize these “exception rules” every now and then.
written by teroja - 1,046 views
\\ tags: 5.0, Features, Policy, SMC, stonegate
Feb 04
According to our studies, editing policies is the most frequent task of StoneGate administrators. That’s why we have introduced many new tools to optimize the workflows related to policy editing tasks. Rule comment sections are one of those features.

StoneGate 5.0 automatically creates expandable/collapsible rule comment sections. Now it is easy to organize the policy so that your colleagues understand it too.
written by teroja - 919 views
\\ tags: 5.0, Features, Policy, SMC, stonegate
Feb 02

Did you accidentally drag & drop an element to the wrong rule? Or did you accidentally move a rule to the wrong location? Don’t panic – in StoneGate Management Center 5.0 you can now undo/redo these kinds of accidents in the policy editor too. The solution we will provide supports an unlimited number of undo/redo steps until the last policy save.
written by teroja - 887 views
\\ tags: 5.0, Features, Policy, SMC, stonegate
Jan 30
The refuse action behaves differently depending on the protocol in the rule:
- For TCP packets (with any combination of flags), a TCP Reset packet is sent with proper port and sequence number settings.
- For UDP packets, an ICMP Port Unreachable (Type 3, Code 3) is sent with the first eight bytes copied from the original IP packet (exactly as they appear) in the payload.
- For ICMP packets, no responses are sent at all. This is treated as if a ‘discard’ action had been used.
- For any other type of IP packet, an ICMP Protocol Unreachable (Type 3, Code 2) is sent with the first eight bytes copied from the original IP packet (exactly as they appear) in the payload.
written by christoph - 663 views
\\ tags: action, engine, Policy, refuse, stonegate firewall
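The four refuse cases in the post above, modelled as an added Python example (not StoneGate code and not from the post's author). It assumes well-formed IPv4 input, the RFC 792 layout for the quoted data (original IP header plus the next eight bytes) and RFC 793 reset numbering for the "proper" sequence numbers; `refuse_response`, `sample_ipv4` and the sample packets are hypothetical names and constructed data.

```python
import struct

ACK, SYN, FIN, RST = 0x10, 0x02, 0x01, 0x04

def inet_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement checksum over 16-bit words."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack(f"!{len(data) // 2}H", data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

def icmp_unreachable(code: int, packet: bytes, ihl: int) -> bytes:
    """ICMP type 3 message; quoted-data layout follows RFC 792 (assumption)."""
    body = struct.pack("!BBHI", 3, code, 0, 0) + packet[:ihl + 8]
    return body[:2] + struct.pack("!H", inet_checksum(body)) + body[4:]

def refuse_response(packet: bytes):
    """Reply a refuse rule would send for one IPv4 packet, or None for no reply."""
    ihl = (packet[0] & 0x0F) * 4
    total_len = struct.unpack("!H", packet[2:4])[0]
    proto = packet[9]
    if proto == 1:                       # ICMP: nothing is sent, same as discard
        return None
    if proto == 17:                      # UDP: ICMP Port Unreachable (3/3)
        return ("icmp", icmp_unreachable(3, packet, ihl))
    if proto != 6:                       # other protocols: Protocol Unreachable (3/2)
        return ("icmp", icmp_unreachable(2, packet, ihl))
    sport, dport, seq, ack, off_flags = struct.unpack("!HHIIH", packet[ihl:ihl + 14])
    flags = off_flags & 0x3F
    # SEG.LEN counts payload bytes plus one each for SYN and FIN
    seg_len = total_len - ihl - (off_flags >> 12) * 4 + bool(flags & SYN) + bool(flags & FIN)
    if flags & ACK:                      # RFC 793: reuse the peer's ACK as our SEQ
        rst = {"seq": ack, "ack": 0, "flags": RST}
    else:                                # otherwise acknowledge what was received
        rst = {"seq": 0, "ack": (seq + seg_len) & 0xFFFFFFFF, "flags": RST | ACK}
    return ("tcp", dict(rst, sport=dport, dport=sport))   # ports are swapped

def sample_ipv4(proto: int, payload: bytes) -> bytes:
    """Constructed packet, 192.0.2.1 -> 198.51.100.7 (header checksum left at 0)."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64, proto, 0,
                      bytes([192, 0, 2, 1]), bytes([198, 51, 100, 7]))
    return hdr + payload

SYN_PKT = sample_ipv4(6, struct.pack("!HHIIHHHH", 40000, 443, 1000, 0, (5 << 12) | SYN, 8192, 0, 0))
UDP_PKT = sample_ipv4(17, struct.pack("!HHHH", 40001, 53, 12, 0) + b"test")
```

Comparing what a capture on the client side shows against `refuse_response()` for the same probe is a quick way to confirm that a rule is really set to refuse rather than discard.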
Jan 29
Do your security policies already have hundreds or even thousands of rules, so that you no longer have a clear view of which rules are important and which are not? Or do you even suspect that some rules are not needed anymore, but you don’t want to take the risk of removing them?

Don’t worry… StoneGate 5.0 introduces the new rule usage analysis tool. You will see directly in the policy editor how many times each rule has matched within the specified time period. Using the rule counter tool does not even require you to turn logging on for the rules. Engines send the rule hit counts automatically to the SMC to be displayed in the Management Client. Note, however, that both your engines and the SMC need to be version 5.0 or higher.
Rule hit counts, the Policy validation tool and the Policy comparison tool give you an efficient set of tools to make your policies easier to understand. Now there is no excuse to postpone the policy clean-up project!
Benefits:
- You can easily find the rules that never match
- You can optimize the order of your rules
written by teroja - 1,099 views
\\ tags: 5.0, Features, Policy, SMC, stonegate
Dec 11
It is often useful or necessary to share StoneGate policies with colleagues for consultation, validation or technical archives without giving access to the SMC.
First, try a simple copy and paste from your policy in the GUI to a table in Excel or another program; it’s magic.
Second, the SMC CD-ROM has a folder named “Tools” where you can find the Policy converter tool:
“The Policy converter tool converts XML-based Security Policy exports taken from StoneGate Management Center into an HTML document.
The tool is compatible with policy exports taken from SMC version 4.0
Requirements:
- Linux Operating system
- Java Runtime v1.5 or later
Usage:
1. Extract the content of the zip package to a Linux workstation.
2. Make a Policy export (from the command line or from the Management Client). Include referenced elements in the export.
3. Place the export zip package in the snapshotHTMLrenderer directory.
4. Execute script.sh and give the export filename as a parameter. For example “./script.sh export_file.zip”. The script creates file result_DATEOFEXECUTION.html in the same directory.
5. View the HTML document with a web browser.”
It is wonderful to have a clear HTML document for sharing this information.
written by Hokkyokuguma - 1,172 views
\\ tags: converter, export, Policy, share, SMC