StoneGate Management Center Installation Guide v5-1

The StoneGate 5.1 Installation Guide provides comprehensive instructions for installing and managing the StoneGate Management Center, including legal information, licensing, and support services. It outlines the installation process, system requirements, and troubleshooting steps, as well as documentation and contact information for technical support. The guide is structured to assist administrators through the installation with detailed illustrations and typographical conventions for clarity.


STONEGATE 5.1

SMC INSTALLATION GUIDE

STONEGATE MANAGEMENT CENTER


Legal Information
End-User License Agreement
The use of the products described in these materials is subject to the then current end-user license agreement, which can be found at
the Stonesoft website:
www.stonesoft.com/en/support/eula.html

Third Party Licenses
The StoneGate software includes several open source or third-party software packages. The appropriate software licensing information for
those products is available at the Stonesoft website:
www.stonesoft.com/en/support/third_party_licenses.html

U.S. Government Acquisitions
If Licensee is acquiring the Software, including accompanying documentation on behalf of the U.S. Government, the following provisions
apply. If the Software is supplied to the Department of Defense (“DoD”), the Software is subject to “Restricted Rights”, as that term is
defined in the DOD Supplement to the Federal Acquisition Regulations (“DFAR”) in paragraph 252.227-7013(c) (1). If the Software is
supplied to any unit or agency of the United States Government other than DOD, the Government’s rights in the Software will be as
defined in paragraph 52.227-19(c) (2) of the Federal Acquisition Regulations (“FAR”). Use, duplication, reproduction or disclosure by the
Government is subject to such restrictions or successor provisions.

Product Export Restrictions
The products described in this document are subject to export control under the laws of Finland and the European Council Regulation (EC)
N:o 1334/2000 of 22 June 2000 setting up a Community regime for the control of exports of dual-use items and technology (as
amended). Thus, the export of this Stonesoft software in any manner is restricted and requires a license by the relevant authorities.

General Terms and Conditions of Support and Maintenance Services
The support and maintenance services for the products described in these materials are provided pursuant to the general terms for
support and maintenance services and the related service description, which can be found at the Stonesoft website:
www.stonesoft.com/en/support/view_support_offering/terms/

Replacement Service
The instructions for replacement service can be found at the Stonesoft website:
www.stonesoft.com/en/support/view_support_offering/return_material_authorization/

Hardware Warranty
The appliances described in these materials have a limited hardware warranty. The terms of the hardware warranty can be found at the
Stonesoft website:
www.stonesoft.com/en/support/view_support_offering/warranty_service/

Trademarks and Patents
The products described in these materials are protected by one or more of the following European and US patents: European Patent Nos.
1065844, 1189410, 1231538, 1259028, 1271283, 1289183, 1289202, 1304849, 1313290, 1326393, 1379046, 1330095,
131711, 1317937 and 1443729 and US Patent Nos. 6,650,621; 6,856,621; 6,885,633; 6,912,200; 6,996,573; 7,099,284;
7,127,739; 7,130,266; 7,130,305; 7,146,421; 7,162,737; 7,234,166; 7,260,843; 7,280,540; 7,302,480; 7,386,525; 7,406,534;
and 7,461,401 and may be protected by other EU, US, or other patents, or pending applications. Stonesoft, the Stonesoft logo and
StoneGate, are all trademarks or registered trademarks of Stonesoft Corporation. All other trademarks or registered trademarks are
property of their respective owners.

Disclaimer
Although every precaution has been taken to prepare these materials, THESE MATERIALS ARE PROVIDED "AS-IS" and Stonesoft makes
no warranty to the correctness of information and assumes no responsibility for errors, omissions, or resulting damages from the use of
the information contained herein. All IP addresses in these materials were chosen at random and are used for illustrative purposes only.

Copyright © 2010 Stonesoft Corporation. All rights reserved. All specifications are subject to change.

Revision: SGMIG_20100205

TABLE OF CONTENTS

INTRODUCTION

CHAPTER 1
Using StoneGate Documentation . . . . 7
  How to Use This Guide . . . . 8
    Typographical Conventions . . . . 8
  Documentation Available . . . . 9
    Product Documentation . . . . 9
    Support Documentation . . . . 10
    System Requirements . . . . 10
  Contact Information . . . . 10
    Licensing Issues . . . . 10
    Technical Support . . . . 10
    Your Comments . . . . 10
    Other Queries . . . . 11

CHAPTER 2
Planning the Management Center Installation . . . . 13
  StoneGate System Architecture . . . . 14
  Overview to the Installation Procedure . . . . 15
  Important to Know Before Installation . . . . 15
    Supported Platforms . . . . 15
    Date and Time Settings . . . . 15
    Hosts File . . . . 15
  Installation Files . . . . 16
    Downloading the Installation Files . . . . 16
    Checking File Integrity . . . . 16
    Creating the Installation CD-ROM . . . . 16
  License Files . . . . 17

INSTALLING THE MANAGEMENT CENTER

CHAPTER 3
Installing the Management Center . . . . 21
  Getting Started with Management Center Installation . . . . 22
    Installing on Linux . . . . 22
    Configuration Overview . . . . 22
  Starting the Installation . . . . 23
    Installing a Management Server . . . . 26
    Installing a Log Server . . . . 27
    Installing a Web Portal Server . . . . 28
    Installing in Demo Mode . . . . 29
    Finishing the Installation . . . . 30
  Starting the Management Center . . . . 31
    Starting the Management Server . . . . 31
    Starting the Management Client . . . . 31
    Logging in to the Management Client . . . . 32
    Accepting the Certificate . . . . 32
    Installing Licenses . . . . 33
    Binding Licenses to Log and Web Portal Servers . . . . 34
    Starting the Log Server and Web Portal Server . . . . 35
    Starting Servers Manually . . . . 35
    If the Log Server or Web Portal Server Fails to Start . . . . 36
    Generating Server Certificates . . . . 36
  After the Management Center is Installed . . . . 38
  Configuring Secondary Management Servers . . . . 38
    Overview . . . . 38
    Installing a License for a Secondary Management Server . . . . 39
    Installing a Secondary Management Server . . . . 39
    Configuring Log Servers for Backup Management Servers . . . . 41
  Non-Graphical Installation . . . . 42

CHAPTER 4
Distributing Management Clients through Web Start . . . . 45
  Getting Started with Web Start Distribution . . . . 46
    Configuration Overview . . . . 46
  Distributing Clients from the SMC Servers . . . . 46
  Distributing Clients from a Separate Server . . . . 48
  Accessing the Web Start Clients . . . . 49

CHAPTER 5
Configuring NAT Addresses for StoneGate Components . . . . 51
  Configuration Overview . . . . 52
  Configuration Overview . . . . 53
  Defining Locations . . . . 53
  Adding SMC Server Contact Addresses . . . . 55
  Setting the Management Client’s Location . . . . 57

MAINTENANCE

CHAPTER 6
Upgrading . . . . 61
  Getting Started with Upgrading the Management Center . . . . 62
    Configuration Overview . . . . 62
  Upgrading Licenses . . . . 63
    Upgrading Licenses Under One Proof Code . . . . 63
    Upgrading Licenses Under Multiple Proof Codes . . . . 64
    Installing Licenses . . . . 65
    Checking the Licenses . . . . 65
  Upgrading the Management Center . . . . 66

CHAPTER 7
Uninstalling the Management Center . . . . 71
  Overview to Uninstalling the Management Center . . . . 72
  Uninstalling in Windows . . . . 72
  Uninstalling in Linux . . . . 73

APPENDICES

APPENDIX A
Command Line Tools . . . . 77
  Management Center Commands . . . . 78
  Engine Commands . . . . 86
  Server Pool Monitoring Agent Commands . . . . 91

APPENDIX B
Default Communication Ports . . . . 93
  Management Center Ports . . . . 94
  Firewall/VPN Engine Ports . . . . 96
  IPS Engine Ports . . . . 100

Index . . . . 103
INTRODUCTION
In this section:
Using StoneGate Documentation - 7
Planning the Management Center Installation - 13
CHAPTER 1

USING STONEGATE DOCUMENTATION

Welcome to Stonesoft’s StoneGate™ Management Center. This chapter describes how to use
the StoneGate Management Center Installation Guide and lists other available documentation.
It also provides directions for obtaining technical support and giving feedback.

The following sections are included:

How to Use This Guide (page 8)
Documentation Available (page 9)
Contact Information (page 10)
How to Use This Guide
The Management Center Installation Guide is intended for the administrators who install the
StoneGate Management Center. It describes the installation step by step. The chapters in this
guide are organized in the general order you should follow when installing the system.
Most tasks are explained using illustrations that include explanations on the steps you need to
complete in each corresponding view in your own environment. The explanations that
accompany the illustrations are numbered when the illustration contains more than one step for
you to perform.

Typographical Conventions
The following typographical conventions are used throughout the guide:

Table 1.1 Typographical Conventions

Formatting            Informative Uses
Normal text           This is normal text.
User Interface text   Text you see in the User Interface (buttons, menus, etc.) and any
                      other interaction with the user interface are in bold-face.
References, terms     Cross-references and first use of acronyms and terms are in italics.
Command line          File names, directories, and text displayed on the screen are
                      monospaced.
User input            User input on screen is in monospaced bold-face.
Command parameters    Command parameter names are in monospaced italics.

We use the following ways to indicate important or additional information:

Note – Notes provide important information that prevents mistakes or helps you complete
a task.

Caution – Cautions provide critical information that you must take into account to prevent
breaches of security, information loss, or system downtime.

Tip – Tips provide information that is not crucial, but may still be helpful.



Documentation Available
StoneGate documentation is divided into two main categories: Product Documentation and
Support Documentation. Each StoneGate product has a separate set of manuals.
You can access the Online Help by pressing the F1 key, by selecting Help→Help Topics in the
main menu or by clicking the Help button in a dialog. Depending on which window is currently
active, you see either a help topic that is related to the current window or the front page of the
help system.

Illustration 1.1 Online Help (screenshot not reproduced; callout: double-click the top-level
“book” icons to open the sections.)

Product Documentation
The table below lists the available product documentation. PDF guides are available on the
Management Center CD-ROM and at http://www.stonesoft.com/support/.

Table 1.2 Product Documentation

Guide                          Description
Reference Guide                Explains the operation and features of StoneGate comprehensively.
                               Demonstrates the general workflow and provides example scenarios
                               for each feature area. Available for StoneGate Management Center,
                               Firewall/VPN, and StoneGate IPS.
Installation Guide             Instructions for planning, installing, and upgrading a StoneGate
                               system. Available for StoneGate Management Center, Firewall/VPN,
                               IPS, and SOHO firewall products.
Online Help                    Describes how to configure and manage the system step-by-step.
                               Accessible through the Help menu and by using the Help button or
                               the F1 key in any window or dialog. Available in the StoneGate
                               Management Client and the StoneGate Web Portal. An HTML-based
                               system is available in the StoneGate SSL VPN Administrator through
                               help links and icons.
Administrator’s Guide          Describes how to configure and manage the system step-by-step.
                               Available as a combined guide for both StoneGate Firewall/VPN and
                               StoneGate IPS, and as separate guides for StoneGate SSL VPN and
                               StoneGate IPsec VPN Client.
User’s Guide                   Instructions for end-users. Available for the StoneGate IPsec VPN
                               client and the StoneGate Web Portal.
Appliance Installation Guide   Instructions for physically installing and maintaining StoneGate
                               appliances (rack mounting, cabling etc.). Available for all StoneGate
                               hardware appliances.

Support Documentation
The StoneGate support documentation provides additional and late-breaking technical
information. These technical documents support the StoneGate guide books, for example, by
giving further examples on specific configuration scenarios.
The latest StoneGate technical documentation is available at the Stonesoft website at
http://www.stonesoft.com/support/.

System Requirements
The hardware and software requirements for the version of StoneGate you are running can be
found in the Release Notes included on the Management Center CD-ROM and on the software
download page at the Stonesoft website.

Contact Information
For street addresses, phone numbers, and general information about StoneGate and Stonesoft
Corporation, visit our website at http://www.stonesoft.com/.

Licensing Issues
You can view your current licenses at the License Center section of the Stonesoft website at
https://my.stonesoft.com/managelicense.do.
For license-related queries, e-mail [email protected].

Technical Support
Stonesoft offers global technical support services for Stonesoft’s product families. For more
information on technical support, visit the Support section at the Stonesoft website at
http://www.stonesoft.com/support/.

Your Comments
We want to make our products fulfill your needs as well as possible. We are always pleased to
receive any suggestions you may have for improvements.
• To comment on software and hardware products, e-mail [email protected].
• To comment on the documentation, e-mail [email protected].



Other Queries
For queries regarding other matters, e-mail [email protected].

CHAPTER 2

PLANNING THE MANAGEMENT CENTER INSTALLATION

This chapter provides important information to take into account before the StoneGate
Management Center installation can begin. It also includes an overview to the installation
process.

The following sections are included:

StoneGate System Architecture (page 14)
Overview to the Installation Procedure (page 15)
Important to Know Before Installation (page 15)
Installation Files (page 16)
License Files (page 17)
StoneGate System Architecture
A StoneGate system consists of the Management Center, Management Client(s), and one or
more firewall/VPN or IPS engines. The Management Center and one or more Management
Clients are always included in the installation. The type and number of engines vary according
to the environment and depend on your licenses.

Illustration 2.1 StoneGate System Architecture

The Management Center consists of the following standard components:
• the Management Server
• one or more Log Servers.
The Management Client is a single unified tool that is used for all configuration and monitoring
tasks related to the whole StoneGate system. You can install an unlimited number of
Management Clients.
Optionally, and for a separate license fee, you can also have:
• one or more backup Management Servers
• one or more Web Portal Servers for Web Portal users.
The Management Center components can be installed separately on different machines or on
the same machine, depending on your requirements.
The Management Center can manage several StoneGate firewalls and IPS Sensors and
Analyzers. See the Management Center Reference Guide, Firewall/VPN Reference Guide, and the
IPS Reference Guide for general information on the Management Center, firewalls, and IPS
engines.



Overview to the Installation Procedure
1. Install and configure the Management Center and a Management Client. This is explained
in Installing the Management Center (page 21).
2. (Optional) Set up Management Client distribution through Java Web Start for automatic
installation and upgrade. This is explained in Distributing Management Clients through
Web Start (page 45).
3. If network address translation (NAT) is applied to communications between system
components, define Contact Addresses. This is explained in Configuring NAT Addresses
for StoneGate Components (page 51).
The chapters and sections of this guide proceed in the order outlined above.
Once you have installed the Management Center components and the Management Client, and
configured the communications between the system components, you can proceed to
configuring and installing the firewall/VPN and IPS engines. See the Firewall/VPN Installation
Guide, SOHO Firewall Installation Guide, and the IPS Installation Guide for information on
installing the engines.

Important to Know Before Installation
Consult the Management Center Reference Guide, the Firewall/VPN Reference Guide, or the IPS
Reference Guide if you need more detailed background information on the operation of
StoneGate than what is offered in this chapter.

Supported Platforms
The Release Notes list the basic requirements for a StoneGate installation. For information on
supported and certified hardware, search for the version-specific Hardware Requirements in the
technical documentation search at http://www.stonesoft.com/en/support/.

Date and Time Settings
Make sure that the Date, Time, and Time zone settings are correct on any computer you will use
as a platform for any Management Center component, including the workstations used for the
Management Client. The time settings of the engines do not need to be adjusted, as they are
automatically synchronized to the Management Server’s time setting (with an NTP server on
SOHO firewalls). For this operation, the time is converted to UTC time according to the
Management Server’s time zone setting. StoneGate always uses UTC internally.

Hosts File
Due to a restriction of the Java platform, the Management Server and Log Server hostnames
must be resolvable on the computer running the Management Client (even if running on the
same computer as the servers) to ensure good performance.
To ensure that the hostnames can be resolved, you can add the IP address-hostname pairs into
the local hosts file on the client computer:
• In Linux: /etc/hosts
• In Windows: \WINNT\system32\drivers\etc\hosts



Installation Files
Depending on your order, you may have received ready-made installation CD-ROMs for the
Management Center. Otherwise, download the installation files from the Stonesoft website.

Downloading the Installation Files

To download the installation files
1. Go to the Stonesoft Downloads page at https://my.stonesoft.com/download.
2. Enter your license code or log in using an existing user account.
3. Download the .iso image files or the installation .zip file.

Checking File Integrity
Before installing StoneGate from downloaded files, check that the installation files have not
become corrupt or been modified. Using corrupt files may cause problems at any stage of the
installation and use of the system. File integrity is checked by generating an MD5 or SHA-1 file
checksum of the downloaded files and by comparing the checksum with the checksum on the
download page at the Stonesoft website.
Windows does not have MD5 or SHA-1 checksum tools by default, but there are several third
party programs available.

To check MD5 or SHA-1 file checksum

1. Look up the correct checksum at https://my.stonesoft.com/download/.
2. Change to the directory that contains the file(s) to be checked.
3. Generate a checksum of the file using the command md5sum filename or sha1sum
filename, where filename is the name of the installation file.
4. Compare the displayed output to the checksum on the website. They must match.

Caution – Do not use files that have invalid checksums. If downloading the files again does
not help, contact Stonesoft technical support to resolve the issue.
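Worked example added here (it is not from the Stonesoft guide): a POSIX shell function that performs steps 3 and 4 above, computing the file’s digest with md5sum or sha1sum and comparing it, case-insensitively and in full, with the value copied from the download page. It infers the algorithm from the length of the expected digest; the file name and digests in the comments are constructed.

```shell
#!/bin/sh
# Added example, not from the Stonesoft guide: verify a downloaded StoneGate
# installation file against the checksum published on the download page.
# Usage: verify_checksum <file> <expected-checksum>
# The expected value is pasted in by the administrator; 32 hex characters
# selects md5sum, 40 selects sha1sum, matching the guide's step 3.

# Lower-case a digest so that upper-case input from the web page still matches.
normalise() {
    printf '%s' "$1" | tr 'A-F' 'a-f'
}

# compute_checksum FILE EXPECTED: print the digest of FILE using the algorithm
# implied by the length of EXPECTED; return 1 if EXPECTED is not a well-formed
# MD5 or SHA-1 hex string (a typo here must not silently "verify" the file).
compute_checksum() {
    file=$1
    expected=$(normalise "$2")
    if printf '%s\n' "$expected" | grep -Eq '^[0-9a-f]{32}$'; then
        md5sum "$file" | cut -d' ' -f1
    elif printf '%s\n' "$expected" | grep -Eq '^[0-9a-f]{40}$'; then
        sha1sum "$file" | cut -d' ' -f1
    else
        echo "malformed checksum: expected 32 (MD5) or 40 (SHA-1) hex characters" >&2
        return 1
    fi
}

# verify_checksum FILE EXPECTED: return 0 only on an exact match, so a caller
# can write 'verify_checksum sg_installer.zip <digest> || exit 1' (constructed
# file name) before unpacking or burning anything.
verify_checksum() {
    file=$1
    expected=$(normalise "$2")
    [ -r "$file" ] || { echo "cannot read $file" >&2; return 1; }
    actual=$(compute_checksum "$file" "$expected") || return 1
    if [ "$actual" = "$expected" ]; then
        echo "OK: $file matches the published checksum"
        return 0
    fi
    echo "MISMATCH: do not use $file" >&2
    echo "  expected $expected" >&2
    echo "  actual   $actual" >&2
    return 1
}

# Stand-alone use: sh verify.sh <file> <expected-checksum>
if [ $# -eq 2 ]; then
    verify_checksum "$1" "$2"
fi
```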

What’s Next?
If you downloaded the installation files as a .zip file, you can install the Management
Center from the .zip file. Proceed to License Files.
Otherwise, continue by Creating the Installation CD-ROM.

Creating the Installation CD-ROM

Once you have checked the integrity of the installation files, create the installation CD-ROM from
the files. Use a CD-burning application that can correctly read and burn the CD-structure stored
in the .iso images. If the end result is a CD-ROM that simply contains the original .iso file, the
CD-ROM cannot be used for installation.



License Files
You must generate license files and install them on the Management Server using the
Management Client before you can bring your system fully operational. Each Management
Server, Log Server, Web Portal Server, and each engine must have its own license (although
several licenses may be stored in a single file).

Note – SOHO Firewall engines do not require a separate license file.

The Management Center license may be limited to managing a certain number of firewalls and
IPS sensors. Each fully featured single firewall, firewall cluster, single sensor, or sensor cluster
is counted as one managed unit. Each five SOHO firewalls are counted as one managed unit.

To generate a new license

1. Go to the License Center at www.stonesoft.com/license/.
2. Enter the required code (proof-of-license or proof-of-serial number) in the correct field and
click Submit. The license page opens.
3. Click Register. The license generation page opens.
4. Enter the IP addresses of the Management Center components you want to use.
5. Enter the Management Server’s proof-of-license code for the engines you want to license.
• The Management Server’s proof-of-license can be found in the e-mail you received
detailing your licenses. Later, this information is shown in the Management Client for all
licenses imported into the system.
6. Click Submit Request. The license file is sent to you in a moment. It will also become
available for download at the license page.
All licenses include a maximum version on which they are valid. Automatic upgrade and
installation of licenses is enabled by default. If you have disabled automatic license upgrades,
you need to upgrade the licenses when you upgrade to a new major release of the software.

INSTALLING THE MANAGEMENT CENTER
In this section:
Installing the Management Center - 21
Distributing Management Clients through Web Start - 45
Configuring NAT Addresses for StoneGate Components - 51
CHAPTER 3

INSTALLING THE MANAGEMENT CENTER

This chapter describes how to install the StoneGate Management Center on Windows and
Linux platforms.

The following sections are included:

Getting Started with Management Center Installation (page 22)
Starting the Installation (page 23)
Starting the Management Center (page 31)
After the Management Center is Installed (page 38)
Configuring Secondary Management Servers (page 38)
Non-Graphical Installation (page 42)
Getting Started with Management Center Installation
You are ready to start the Management Center installation when you have obtained the
installation CD-ROMs or the installation files, and generated licenses for all the components you
want to install (see Installation Files (page 16)).

Caution – Make sure that the operating system version you plan to install on is supported.
The supported platforms for running the Management Center are listed in the Release
Notes of the Management Center.

Log in to the system where you are installing the Management Center with the correct
administrative rights. In Windows, you must log in with administrator rights. In Linux you must
log in as root.
We recommend installing one Management Client on the system where you are installing the
Management Center using the Installation Wizard as described in this chapter. After this, further
Management Clients can be installed in the same way or they can be made available through
Java Web Start (see Distributing Management Clients through Web Start (page 45)), which
eliminates the need to update all Management Clients individually at each version upgrade. The
Management Client has no configurable parameters, but it must be able to connect to the
Management Server and to Log Servers. See Default Communication Ports (page 93) for a list
of the ports used.

Installing on Linux
The installation creates sgadmin user and group accounts. If there is a pre-existing sgadmin
account, the installation fails. All the shell scripts are owned by sgadmin and can be executed
either by root or the sgadmin user. The shell scripts are executed with sgadmin privileges. After
the installation, the sgadmin account is disabled. The sgadmin account is deleted at
uninstallation.
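Added example (not part of the original guide) covering the two Linux pre-installation conditions stated here and in Hosts File (page 15): the Management Server and Log Server host names must be resolvable on the client computer, and no sgadmin account may exist before the installer runs. The functions take the hosts and passwd files as arguments so they can be run against constructed copies; the host names smc-mgmt and smc-log in the comments are hypothetical.

```shell
#!/bin/sh
# Added example, not from the Stonesoft guide: pre-installation checks for a
# Linux host that will run StoneGate Management Center components.
# The file-based functions take the file to inspect as an argument so they
# can be run against /etc/hosts and /etc/passwd on the real host, or against
# constructed copies when testing.

# hosts_resolves FILE NAME: return 0 if NAME appears as a host name or alias
# in hosts file FILE. Comments are stripped and the comparison is exact but
# case-insensitive, as the resolver treats host names.
hosts_resolves() {
    awk -v want="$2" '
        { sub(/#.*/, "") }              # drop trailing comments
        NF >= 2 {
            for (i = 2; i <= NF; i++)
                if (tolower($i) == tolower(want)) { found = 1; exit }
        }
        END { exit found ? 0 : 1 }
    ' "$1"
}

# missing_hosts FILE NAME...: print each NAME that FILE does not resolve,
# one per line; return 1 if any name is missing, 0 if all resolve.
missing_hosts() {
    hosts_file=$1
    shift
    rc=0
    for name in "$@"; do
        if ! hosts_resolves "$hosts_file" "$name"; then
            echo "$name"
            rc=1
        fi
    done
    return $rc
}

# sgadmin_exists FILE: return 0 if a user named sgadmin exists in passwd file
# FILE (the installer would fail), 1 otherwise.
sgadmin_exists() {
    awk -F: '$1 == "sgadmin" { found = 1; exit } END { exit found ? 0 : 1 }' "$1"
}

# preinstall_check NAME...: run both checks against the live system. NAME...
# are the Management Server and Log Server host names (hypothetical values
# such as smc-mgmt and smc-log in a real deployment). Only /etc/hosts is
# consulted, as the guide recommends; DNS is not queried.
preinstall_check() {
    status=0
    if sgadmin_exists /etc/passwd; then
        echo "sgadmin account already exists; the installation would fail" >&2
        status=1
    fi
    if ! missing=$(missing_hosts /etc/hosts "$@"); then
        echo "not resolvable through /etc/hosts: $missing" >&2
        status=1
    fi
    return $status
}

# Stand-alone use: sh preinstall.sh smc-mgmt smc-log
if [ $# -gt 0 ]; then
    preinstall_check "$@"
fi
```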

Configuration Overview
1. Install the Management Center. See Starting the Installation (page 23).
2. Start the Management Center. See Starting the Management Center (page 31).
3. (Optional) Install the secondary Management Server(s). See Configuring Secondary
Management Servers (page 38).



Starting the Installation

Caution – Do not install the Management Center on a StoneGate appliance.

If you downloaded the installation files as a .zip file, you can install the Management Center
from the .zip file. If you downloaded the installation files as .iso images, you must first create
the installation CD-ROM. See Installation Files (page 16) for more information.
This section guides you through a Management Center installation in a graphical user interface.
For command line installation, see Non-Graphical Installation (page 42).

To start the Installation Wizard

1. If you are installing from a .zip file, unzip the file and run install.exe on Windows or
setup.sh on Linux. Alternatively, insert the StoneGate installation CD-ROM and run the
setup executable:
• On Windows, run CD-ROM\StoneGate_SW_Installer\Windows\install.exe
• On Linux, run CD-ROM/StoneGate_SW_Installer/Linux/setup.sh

Note – If the CD-ROM is not automatically mounted, mount the CD-ROM in Linux with
“mount /dev/cdrom /mnt/cdrom”.

2. Wait for the Installation Wizard to start. The Java Runtime Environment (JRE) is first
installed for StoneGate, so this may take a while.
3. When the Installation Wizard shows the Introduction screen, click Next to start the
installation. The License Agreement appears.

To accept the license agreement

1. Select I accept the terms of the License Agreement.
2. Click Next.

You can click Cancel to stop the installation at any time. You can click Previous at any time to
go back.


To select the installation directory

1. (Optional) To change the installation directory, enter a new location, or click Select to
browse.
2. Click Next.

To select where shortcuts are created

1. (Optional) Change the location where you want to create shortcut icons. Shortcuts can be
used to manually start components and to run some maintenance tasks.
2. Click Next.

To select which components to install

1. Select the installation type:
• Typical installs all mandatory Management Center components.
• Management Client Only installation is meant for administrators’ workstations.
• Demo Mode installation is meant for administrators who are evaluating StoneGate. It
installs preconfigured Management Center components.
• Custom installation allows you to select the components (including the Web Portal
Server) to install.
2. Click Next.


To select components for the custom installation
Custom Installation only

1. Select the components that you want to install.

2. Click Next.

Note – Make sure you have a license for the Web Portal Server before installing it. The
Web Portal Server is an optional component and is not included in standard StoneGate
Management Center licenses.

What’s Next?
The installation proceeds in the following order according to the components you have
chosen for the installation:
• Installing a Management Server (page 26).
• Installing a Log Server (page 27).
• Installing a Web Portal Server (page 28).
For Demo Mode installations, proceed to Installing in Demo Mode (page 29).



Installing a Management Server
To configure the Management Server properties
1. Enter the Management Server’s IP address. The Management Server’s license must be tied to this IP address.
2. Enter the IP address for the Log Server that handles any alerts generated by this Management Server.
3. (Optional) If you have already installed a primary Management Server and want to install a secondary Management Server, select Install as a Secondary Management Server for High Availability. See Installing a Secondary Management Server (page 39) for details.
4. Leave Install as a Service selected if you want to install the Management Server as a service that starts automatically at operating system start-up.
5. Click Next.

Note – The user name for the Management Database is dba. The password is created
randomly, but you can change it using the Management Client.

To create the first administrator account
1. Type in a user name.
2. Type in the same password in both fields.
3. Click Next.

Note – The account you create here is the only account that can be used to log in to the
Management Server after the installation has finished.



What’s Next?
Proceed to the first relevant section below according to the components you have
chosen for the installation:
• Installing a Log Server.
• Installing a Web Portal Server (page 28).
• Finishing the Installation (page 30).

Installing a Log Server


To configure the Log Server properties
1. Select the IP address. The Log Server’s license must be tied to this IP address.
2. Type in the IP address of the Management Server that controls this Log Server.
3. (Optional) If the Log Server and the Management Server are installed on different machines, leave Certify the Log Server during the Installation selected to establish trust with the Management Server. A running Management Server is required, unless it is installed at the same time.
4. Leave Install as a Service selected if you want to install the Log Server as a service that starts automatically at operating system start-up.
5. Click Next.

To select a log storage location
1. Type in the path of the storage directory for logs or click Select to browse.
2. Click Next.

What’s Next?
If you are installing a Web Portal Server, continue by Installing a Web Portal Server
(page 28).
Otherwise, proceed to Finishing the Installation (page 30).



Installing a Web Portal Server
We recommend placing the Web Portal Server in a DMZ network.

Note – Make sure you have a license for the Web Portal Server before installing it. The
Web Portal Server is an optional component and is not included in standard StoneGate
Management Center licenses.

To configure the Web Portal Server properties (Custom Installation only)
1. Type in the IP address. The Web Portal Server’s license must be tied to this IP address.
2. Type in the IP address for the Management Server that controls this Web Portal Server.
3. (Optional) If the Web Portal Server and the Management Server are installed on different machines, leave Certify the Web Portal Server during the Installation selected to establish trust with the Management Server. A running Management Server is required, unless it is installed at the same time.
4. Leave Install as a Service selected if you want to install the Web Portal Server as a service that starts automatically at operating system start-up.
5. Click Next.



Installing in Demo Mode

Note – Demo mode installation is intended for evaluation purposes only. A Management
Center in Demo mode cannot be used in a production environment, and cannot be
upgraded.

To install in Demo Mode
1. Click Next.
2. Make a note of the Demo Mode credentials and the Server Address. You use these to log in to the Management Client.
3. Click Next.
4. Click Done to close the installer.

What’s Next?
Demo Mode installation is complete.



Finishing the Installation

Caution – If you are installing any server components as a service on a Windows system,
make sure the Services window is closed before you proceed.

To finish the installation
1. Check the displayed information.
2. Click Install to install the selected components or click Previous to make changes.

Depending on the options you selected, you may soon be prompted to generate certificates. If
this happens, see the section To generate a certificate for a StoneGate server (page 37).

To finish the Installation Wizard

Click Done to close the installer.

Note – If any Log Server or Web Portal Server certificate was not retrieved during the
installation, a certificate must be retrieved manually before the server can be started (see
Generating Server Certificates (page 36)).



Starting the Management Center

To start the Management Center for the first time


1. Start the Management Server. See Starting the Management Server (page 31).
2. Log in using the Management Client. See Starting the Management Client (page 31).
3. Install license files using the Management Client. See Installing Licenses (page 33).
4. Start the Log Server and the Web Portal Server. See Starting the Log Server and Web Portal
Server (page 35).

Starting the Management Server


If the Management Server has been installed as a service, the server is started automatically
after the installation and during the operating system boot process.
• In Windows, the StoneGate Management Server service can be started and stopped
manually in the Services window, which can be found in the Windows Control Panel under the
Administrative Tools category.
• If the service has started, proceed to Starting the Management Client.
Otherwise, the Management Server must be started manually:

To start the Management Server manually


• In Windows, use the shortcut icon in the location you selected during installation or run the
script <installation directory>/bin/sgStartMgtSrv.bat.
• In Linux, run the script <installation directory>/bin/sgStartMgtSrv.sh.

Starting the Management Client


To start the Management Client
• In Windows, use the shortcut icon in the location you selected during installation or run the script <installation directory>/bin/sgClient.bat.
• In Linux, run the script <installation directory>/bin/sgClient.sh. A graphical environment is needed for the Management Client.



Logging in to the Management Client
If you installed the Management Center in Demo Mode, use the following credentials and server
address to log in to the Management Client:
• User Name: demo
• Password: demo
• Server Address: 127.0.0.1

To log in to the Management Client
1. Type in the user name and password for the Administrator you defined during the Management Server installation.
2. Type in the Management Server’s IP address or DNS name.
3. Leave this option selected if you want the Management Client to add the Management Server’s address permanently in the Server Address list.
4. Click Login.

Note – If you connect to the Management Server from an external network, you must log
in using the Management Server’s public IP address that may be NATed.

You can access the Online Help system in the Login window or any other window in the
Management Client by pressing the F1 key.

Accepting the Certificate


The Accept Certificate dialog is displayed when the Management Client contacts any
Management Server for the first time. As a precaution, you can ensure that the communication
really is with your Management Server by checking the Certificate Authority fingerprint as
explained below.

To check the Certificate Authority fingerprint


• In Windows, use the shortcut icon in the location you selected during installation (default:
Start→Programs→StoneGate→Show Fingerprint) or run the script <installation
directory>/bin/sgShowFingerPrint.bat.
• In Linux, run the script <installation directory>/bin/sgShowFingerPrint.sh on the
Management Server.
If the fingerprint matches, click Accept.



When you accept the certificate, the Management Client opens the System Status view.

Installing Licenses
To have a working system, you must have a license for all StoneGate server and engine
components. Each Management Server, Log Server, Web Portal Server, and Firewall and IPS
engine (except SOHO Firewall engines) must have its own license, although all the licenses can
be stored together in a single .jar file.
To use a secondary Management Server, you must have a special Management Server license
that includes the high availability features. The license is a combined license for all
Management Servers and it must list the IP addresses of all the Management Servers.
If you have not generated all license files yet, see License Files (page 17). To install licenses,
the license files must be available to the computer you use to run the Management Client. All
licenses can be installed even though you have not yet defined all the elements the licenses will
be bound to.
When there is no valid Management Server license, a license information message is shown
every time you log in using the Management Client.

To install licenses when logging in to the Management Client
If you already have the licenses, click Continue and select the license file(s) for installing in the dialog that opens. Proceed to the section To check that the licenses were installed correctly (page 34).
If the license information message is not shown, install the licenses as explained in To install licenses below.

To install licenses
1. Select File→System Tools→Install Licenses.
2. Select one or more license files in the dialog that opens.



To check that the licenses were installed correctly
1. Select Configuration→Configuration→Administration from the menu. The Administration Configuration view opens.
2. Expand the Licenses branch and select All Licenses.

Note – You must bind management-bound firewall and IPS engine licenses manually to the
correct engines once you have configured the engine elements.

What’s Next?
If your Log Server or Web Portal Server has a management-bound license, bind the
license to the correct Log Server or Web Portal Server element. Proceed to Binding
Licenses to Log and Web Portal Servers (page 34).
Otherwise, continue by Starting the Log Server and Web Portal Server (page 35).

Binding Licenses to Log and Web Portal Servers


After installing the licenses in the Management Client, you must manually bind the
management-bound Log Server and Web Portal Server licenses to specific Log or Web Portal
Servers, because the licenses contain no IP address information to automatically bind them to
the correct server.

To bind a management-bound license to a Log or Web Portal Server
1. Browse to Administration→Licenses→Servers. All installed licenses for the servers appear in the right panel.
2. Right-click a management-bound license (a license that states Dynamic in place of an IP address) and select Bind. The Select License Binding dialog opens.
3. Select the correct server from the list.
4. Click Select.

The license is now bound to the selected Log or Web Portal Server element. If you made a mistake, right-click the license and select Unbind.

Note – The license is permanently bound to the Log or Web Portal Server when the server
is started for the first time. Such licenses cannot be re-bound to some other Log or Web
Portal Server without re-licensing or deleting the Log or Web Portal Server element it is
bound to. Until you do that, the unbound license is shown as Retained.

Starting the Log Server and Web Portal Server


If the Log Server and the Web Portal Server have been installed as a service, the servers are
started automatically during the operating system boot process. However, if the operating
system is rebooted and the servers do not yet have a license, you may need to start them as
explained here.
• If you installed the Log Server or Web Portal Server as a service, you can start or stop the
server manually in Windows through the Services window.
• In other cases, you can start the Log Server or Web Portal Server manually as explained in
Starting Servers Manually (page 35).

Starting Servers Manually


To start the Log Server or Web Portal Server manually, run the scripts in a console window. Read
the console messages for information on the progress. Closing the console stops the service.

To start the Log Server and Web Portal Server manually
1. Start the Log Server:
• In Windows, use the shortcut icon in the location you selected during installation (default: Start→Programs→StoneGate→Log Server) or run the script <installation directory>/bin/sgStartLogSrv.bat.
• In Linux, run the script <installation directory>/bin/sgStartLogSrv.sh.
2. If you have a Web Portal Server, start it in the same way:
• In Windows, use the shortcut icon in the location you selected during installation (default: Start→Programs→StoneGate→Web Portal Server) or run the script <installation directory>/bin/sgStartWebPortalServer.bat.
• In Linux, run the script <installation directory>/bin/sgStartWebPortalServer.sh.

What’s Next?
If you have started all servers successfully, proceed to After the Management Center is
Installed (page 38).
If you have trouble starting the server, see If the Log Server or Web Portal Server Fails to
Start (page 36).

If the Log Server or Web Portal Server Fails to Start


If the Log Server or Web Portal Server does not start automatically as a service, first try starting
it manually as explained in the previous section to see if there is some error displayed on the
console.
• Check that you have a valid license for the Log Server or Web Portal Server (see the section To check that the licenses were installed correctly (page 34)). If the Log Server or Web Portal Server has a management-bound license, you must also bind the license to the correct server element (see To bind a management-bound license to a Log or Web Portal Server (page 34)).
• The Log Server or Web Portal Server must also have a valid certificate, which it uses to prove
its identity to the Management Server when the two servers communicate. The certificates
are generated within the system itself. If there are certificate-related problems or problems
you are not able to identify, try (re)generating the certificate manually. Proceed to Generating
Server Certificates.

Generating Server Certificates

Note – If the Management Server is not running, see Starting the Management Server
(page 31).

To manually certify a Server


• In Windows, run the <installation directory>/bin/sgCertifyLogSrv.bat or the
<installation directory>/bin/sgCertifyWebPortalServer.bat script depending on
server type.
• In Linux, run the <installation directory>/bin/sgCertifyLogSrv.sh or the
<installation directory>/bin/sgCertifyWebPortalServer.sh script depending on
server type.



To generate a certificate for a StoneGate server
1. Enter the user name and password for the account you created during the Management Server installation. “Superuser” refers to the administrator privilege level. Administrators with other privilege levels are not allowed to generate certificates.
2. Click Accept to accept the certificate fingerprint of the Management Server’s Certificate Authority.

As a precaution, you can ensure that the communication really is with your Management Server by checking the Certificate Authority fingerprint as explained in To check the Certificate Authority fingerprint (page 32).

The Log Server Selection or Web Portal Server Selection dialog opens.

To certify a Log Server or Web Portal Server
1. Select a server on the list or select Create a New Log Server (or Web Portal Server) and type in a name. The name is used in the Management Client.
2. Click OK.

Start the Log Server or Web Portal Server as described in Starting the Log Server and Web
Portal Server (page 35), then proceed to After the Management Center is Installed.



After the Management Center is Installed
• If you want to install a secondary Management Server, proceed to Configuring Secondary
Management Servers.
• If you want to allow administrators to install Management Clients through Web Start, continue
to Distributing Management Clients through Web Start (page 45).
• If NAT is applied to communications between any system components, proceed to Configuring
NAT Addresses for StoneGate Components (page 51).
• Otherwise, you are ready to configure the firewall and IPS element(s) in the Management
Client. The elements must be configured before installing the physical engines. See the
Firewall/VPN Installation Guide, SOHO Firewall Installation Guide, and the IPS Installation Guide
for information on configuring the elements and installing the engines.

Configuring Secondary Management Servers


This section guides you through a secondary Management Center installation in a graphical user
interface. For command line installation, see Non-Graphical Installation (page 42).

Caution – You must install and configure the Management Server that you want to use as
the primary Management Server before installing secondary Management Server(s). See
Installing a Management Server (page 26).

Only one Management Server at a time can be used for configuring and managing StoneGate.
A secondary Management Server is only used as a backup for the primary Management Server.
You can use one to five secondary Management Servers with one primary Management Server.
The configuration data stored on the primary Management Server is automatically replicated to
the secondary Management Servers.

Overview
1. If you have not yet installed a license for the secondary Management Server, install the
license. See Installing a License for a Secondary Management Server (page 39).
2. Install the secondary Management Server using the Installation Wizard. See Installing a
Secondary Management Server (page 39).
3. Add the IP addresses of all your Management Servers to the Log Server’s configuration.
See Configuring Log Servers for Backup Management Servers (page 41).



Installing a License for a Secondary Management Server
To use secondary Management Servers, you must have a special Management Server license
that lists the IP addresses of all the Management Servers within the same SMC. You must
install the license in the Management Client before installing the secondary Management
Server(s).
If you do not yet have the license, generate the license at the Stonesoft website after receiving
the Proof-of-License (see License Files (page 17)), and then install the license as described in
Installing Licenses (page 33).

Installing a Secondary Management Server


To install a secondary Management Server
1. If you are installing from a .zip file, unzip the file and run install.exe on Windows or
setup.sh on Linux. Alternatively, insert the StoneGate installation CD-ROM and run the
setup executable:
• On Windows, run CD-ROM\StoneGate_SW_Installer\Windows\install.exe
• On Linux, run CD-ROM/StoneGate_SW_Installer/Linux/setup.sh

Note – If the CD-ROM is not automatically mounted in Linux, mount the CD-ROM with
“mount /dev/cdrom /mnt/cdrom”.

2. Proceed according to the instructions in the Installation Wizard until you are prompted to
select which components you want to install.

To select which components to install
1. If you also want to install a Log Server and a local Management Client on this computer, leave Typical selected. Otherwise, select Custom.
2. Click Next.

To select components for the custom installation (Custom Installation only)
1. Select the components that you want to install. Leave at least Management Server selected.
2. Click Next.



To configure the secondary Management Server
1. Select the IP address of the secondary Management Server from the list or type it in.
2. Enter an IP address for the Log Server that handles any alerts generated by this Management Server.
3. Select Install as a Secondary Management Server for High Availability.
4. Leave Install as a Service selected if you want to install the Management Server as a service that starts automatically at operating system start-up.
5. Click Next. After a while, a login prompt for Replication opens.

To synchronize the Management Server database
1. Enter the user name and the password for the superuser account you created during the installation of the primary Management Server.
2. Click OK. The Management Server Selection dialog opens.
3. If you have already created an element for the secondary Management Server in the Management Client, select the server on the list. Otherwise, select Create a New Management Server and enter a name. The name is used in the Management Client.
4. Click OK. The databases are synchronized.



After successful database synchronization between the secondary Management Server and
primary Management Server, the installation is complete. If the synchronization fails for some
reason (such as a network connection problem), the secondary Management Server is not
installed properly. Rerun the Installation Wizard as above.
Repeat the steps above as necessary to install other secondary Management Servers.

Note – You cannot log in to the secondary Management Server directly. If you want to
check the status of the secondary Management Server or to change its configuration, log
in to the primary Management Server with the Management Client.

Configuring Log Servers for Backup Management Servers


For Log Servers to recognize secondary Management Servers, you must add the IP addresses of
all the secondary Management Servers to the Log Servers’ local configuration.

To configure Management Server IP addresses on Log Servers


1. Open a command line on the Log Server computer.
2. Run the script <installation directory>/bin/sgChangeMgtIPOnLogSrv and give the
IP addresses of all Management Servers (including all previously installed Management
Servers) separated with spaces.
Example: sgChangeMgtIPOnLogSrv 192.168.10.200 192.168.10.220
The secondary Management Server configuration is now complete. However, if there is a firewall
between the primary Management Server and the secondary Management Server(s), you must
add rules that allow the communications between the servers when you define your firewall
policy.

What’s Next?
If you want to allow administrators to install Management Clients through Web Start,
continue to Distributing Management Clients through Web Start (page 45).
If NAT is applied to communications between any system components, proceed to
Configuring NAT Addresses for StoneGate Components (page 51).
Otherwise, you are ready to configure the firewall and IPS element(s) in the
Management Client. The elements must be configured before installing the physical
engines. See the Firewall/VPN Installation Guide, SOHO Firewall Installation Guide, and
the IPS Installation Guide for more information.



Non-Graphical Installation
In Linux, the Management Center can also be installed on the command line. Before installing,
check the installation package integrity using the MD5 or SHA-1 file checksums as explained in
Checking File Integrity (page 16).

To begin the non-graphical installation


1. Open the shell and change to the directory where the installer is stored.
• If installing from a CD-ROM, the installer is in:
CD-ROM/StoneGate_SW_Installer/Linux/
• If the CD-ROM is not automatically mounted, mount the CD-ROM with command:
mount /dev/cdrom /mnt/cdrom
2. Run the command “./setup.sh -nodisplay” (the “-nodisplay” switch can be omitted if
there is no graphical environment running). The installer starts. You can use the following
general commands at any point where the installer asks for your input:
• Type “back” to return to the previous step.
• Type “quit” to cancel the installation.
3. When prompted, press ENTER to continue. The license agreement is displayed.
4. Press ENTER to scroll through the license agreement and accept by typing “Y”. You are
prompted to select the installation directory.
5. Press ENTER to install to the default installation directory, or specify a different directory. If
you specify a different directory, you are prompted to confirm it.
6. Type “Y”. You are prompted to select the link location for shortcuts to the most commonly
used command line tools.
7. Press ENTER to create the StoneGate links in the default directory or select one of the other
options. A reminder to verify the hosts file appears.
8. Press ENTER to continue.
9. Select the StoneGate components you want to install:
• Press ENTER to install all Management Center components except the Web Portal Server.
• Press 2 to install only the Management Client.
• Press 3 to install a different selection of components.

Note – You need a graphical environment to use the Management Client. It cannot be run
on the command line. Only the server components can be run in a command line-only
environment.

10. (Customized installation only) Enter the numbers of the components you want to select/deselect, separated by commas.
• Entering the number of a selected component deselects it.
• Entering the number of a component that is not selected selects it.
• By default, the Management Server, Log Server, and Management Client are selected.



The other installation options for the Management Center components are the same as in the
graphical installation.

What’s Next?
To install a Management Server, see Installing a Management Server (page 26).
To install a Log Server, see Installing a Log Server (page 27).
To install a Web Portal Server, see Installing a Web Portal Server (page 28).
After installing all components, continue to Finishing the Installation (page 30).
If you want to install a secondary Management Server after installing the other
components, see Configuring Secondary Management Servers (page 38).

CHAPTER 4

DISTRIBUTING MANAGEMENT CLIENTS THROUGH WEB START

The Management Client can be distributed through Web Start. This eliminates the need for
each administrator to upgrade their client when the SMC is upgraded to a new version (the
version of the client must always match the version of the respective server).

The following sections are included:
Getting Started with Web Start Distribution (page 46)
Distributing Clients from the SMC Servers (page 46)
Distributing Clients from a Separate Server (page 48)
Accessing the Web Start Clients (page 49)

Getting Started with Web Start Distribution
In addition to installing Management Clients through the Installation Wizard, you can also
distribute them through Web Start. Management Clients distributed with Web Start have the
same set of features as clients installed with the installation wizard. The only differences are in
the installation and update process. When the Management Center is upgraded, the Web Start
files are also updated, and Web Start automatically downloads the updated version when the
user logs in.
There are two ways to configure Web Start access:
• you can activate an internal Web server on the Management Server (the server distributes
only Web Start clients). There is no need for manual installation or upgrade.
• you can use a separate web server or network drive for distributing the clients. You must
install these files manually and perform a fresh installation at each SMC version upgrade.

Configuration Overview
1. Enable access to the Web Start files. See Distributing Clients from the SMC Servers
(page 46) or Distributing Clients from a Separate Server (page 48).
2. Access the Management Client(s) using the Web Start package. See Accessing the Web
Start Clients (page 49).

What’s Next?
If you want to enable Web Start access on an SMC Server, proceed to Distributing
Clients from the SMC Servers (page 46).
If you want to set up Web Start access on a separate server or network drive, proceed
to Distributing Clients from a Separate Server (page 48).

Distributing Clients from the SMC Servers


When you install the Management Server, the files needed for distributing the Management
Clients are included in the installation. You can simply enable Web Start access to these files
on the Management Server.

To enable a Web Start server
1. Select Configuration→Configuration→Administration from the menu. The Administration Configuration view opens.
2. Select Servers. All the Server elements are displayed.
3. Right-click the Management Server element that you want to use as a Web Start server and select Properties. The Properties dialog opens.
4. Switch to the Web Start tab.
5. Select Enable. The Web Start server options are enabled.
6. (Optional) Enter the Host Name that the Web Start server uses.
7. (Optional) Enter the (TCP) Port Number that the Web Start Server uses in the Port Number field. By default, the standard HTTP port 80 is used.
8. (Optional) If the server has several addresses and only one address is meant for accessing the Web Start files, enter the IP address in the Listen Only on Address field.
9. (Optional) Select Generate Server Logs if you want to log all file load events for further analysis with external web statistics software.
10. Click OK.

Note – Make sure that the port is not used by other listening services on the server. For
ports reserved for StoneGate services, see Default Communication Ports (page 93).

If you leave the Host Name and Listen Only on Address fields empty, the users can access the
Web Start files at any addresses that the Management Server may have.

What’s Next?
Test the Web Start installation by following the instructions in Accessing the Web Start
Clients (page 49).



Distributing Clients from a Separate Server
You can use Web Start even if you do not want to use the Management Server as a Web Start
server. In this case, you can place the Web Start package on any Web server.
The Web Start package can also be placed on a shared network drive. There is a limitation to
this: the path to the network drive is included in the installation files, so the path, including the
drive letter, must be the same for all administrators who use that particular version of the
installation package. If the network drive paths vary, consider placing the package on a Web
server instead.

Note – You must delete the existing files and install a new Web Start package according to
these instructions each time you upgrade the Management Center. Otherwise, any
administrators who use Web Start-installed Management Clients are not able to log in.

To install the Web Start package


1. Browse to StoneGate_SW_Installer→Webstart on the installation CD-ROM.

Caution – The Web Start installation creates an index.html file. Any existing index.html
file will be overwritten. We strongly recommend creating a new directory for the Web Start
files.

2. Copy all files and all directories from the Webstart directory on the installation CD-ROM to
the directory on the Web server or network drive where you want the Web Start files to be
served.
3. On the command line, change to the directory where the Web Start files are located on your
server.
4. Run the Web Start setup script and give the URL or the path of the directory where the Web
Start files are located on your server as the parameter:
• Windows: cscript webstart_setup.vbs <web start directory>
• Linux: run webstart_setup.sh <web start directory>

Table 4.1 Examples

Installation on    Example Web Start Directory
Web server         http://www.example.com/webstart/
Network drive      file://localhost/c:/webstart/

5. If necessary, modify the configuration of the Web server to return the appropriate MIME
type for .jnlp files (application/x-java-jnlp-file). Consult the manual of your Web
server for instructions on how to configure the MIME type.
6. Delete the webstart_setup.vbs and webstart_setup.sh files from the directory.



Accessing the Web Start Clients
After the Web Start package is installed on a Web server or a network drive, or the Management
Server has been enabled as a Web Start Server, the administrators can access the
Management Client using the Web Start package.
To be able to use the Web Start Management Client, there must be a current version of the Java
Runtime Environment (JRE) installed (the version required is shown on the example login page
provided).

To access the Web Start Clients


1. Enter the Web Start download page address in your Web browser
http://<server address>:<port>
• :<port> is only needed if the server is configured to run on a different port from the HTTP
standard port 80.
2. Click the link for the Web Start client.
• Web Start automatically checks if the version on the server is already installed on your
local computer. If not, the new client is automatically installed on your computer. This is
done each time the client is started this way, automatically upgrading your client
installation whenever needed without any action from you.
• The client starts and displays the login dialog.
3. Log in with your account credentials.

What’s Next?
If NAT is applied to communications between any system components, proceed to
Configuring NAT Addresses for StoneGate Components (page 51).
Otherwise, you are ready to configure the firewall and IPS element(s) in the
Management Client. You must configure the elements before installing the physical
engines. See the Firewall/VPN Installation Guide, SOHO Firewall Installation Guide, and
the IPS Installation Guide for information on configuring the elements and installing the
engines.



CHAPTER 5

CONFIGURING NAT ADDRESSES FOR STONEGATE COMPONENTS

This chapter contains the steps needed to configure Locations and contact addresses when a
NAT (network address translation) operation is applied to the communications between the
Management Center and other StoneGate components.

The following sections are included:

Configuration Overview (page 52)
Defining Locations (page 53)
Adding SMC Server Contact Addresses (page 55)
Setting the Management Client’s Location (page 57)

Configuration Overview
If there is network address translation (NAT) between communicating system components, the
translated IP address may have to be defined for system communications. All communications
between the StoneGate components are presented as a table in Default Communication Ports
(page 93).
You use Location elements to configure StoneGate components for NAT. There is a Default
Location to which all elements belong if you do not assign them a specific Location. If NAT is
applied between two system components, you must separate them into different Locations and
add a contact address for the component that needs to be contacted.
You can define a Default contact address for contacting a component (defined in the main
Properties dialog of the corresponding element). The component’s Default contact address is
used in communications when components that belong to another Location contact the
component and the component has no contact address defined for their Location.

Illustration 5.1 An Example Scenario for Using Locations

(Diagram not reproduced. Headquarters Location: an intranet with a Sensor, a Firewall, the Management/Log Server, and an Analyzer. Branch Office Location: an intranet with a Firewall, a Sensor, and an Analyzer. The two sites are connected across the Internet.)

In the example scenario above, a Management Server and a Log Server manage StoneGate
components both at a company’s headquarters and in a branch office.
NAT could typically be applied at the following points:
• The firewall at the headquarters or an external router may provide the SMC servers external
IP addresses on the Internet. The external addresses must be defined as contact addresses
so that the components at the branch offices can contact the servers across the Internet.
• The branch office firewall or an external router may provide external addresses for the
StoneGate components at the branch office. Also in this case, the external IP addresses
must be defined as contact addresses so that the Management Server can contact the
components.
When contact addresses are needed, it may be enough to define a single new Location element,
for example, for the branch office, and group the StoneGate components at the branch office
into the “Branch Office” Location. The same Location element could also be used to group
together StoneGate components at any other branch office if they also need to connect to the
SMC servers at the headquarters and NAT is applied to the communications.
To be able to view logs, the administrators at the branch office must select the “Branch Office”
Location in the Management Client.



Configuration Overview
1. Define Location element(s). See Defining Locations (page 53).
2. Define contact addresses for the Management Server, and Log Server(s). See Adding
SMC Server Contact Addresses (page 55).
3. Select the correct Location for your Management Client. See Setting the Management
Client’s Location (page 57).
4. Select the correct Location for firewalls, SOHO firewalls, and IPS engines when you create
the Firewall or IPS elements. See the Firewall/VPN Installation Guide, SOHO Firewall
Installation Guide, and IPS Installation Guide.

Defining Locations
The first task is to group the system components into Location elements based on which
components are on the same side of a NAT device. The elements that belong to the same
Location element always use the primary IP address (defined in the main Properties dialog of
the element) when contacting each other.

To create a new Location element

1. Click the Configuration icon in the toolbar, and select Administration. The
Administration Configuration view opens.
2. Expand Other Elements.
3. Right-click Locations and select New Location. The Location Properties dialog opens.
4. Type in a Name.
5. Select element(s).
6. Click Add.
7. Repeat steps 5-6 until all necessary elements are added.
8. Click OK.

Repeat to create other Locations as necessary.

What’s Next?
If your Management Server or Log Server needs a contact address, proceed to Adding
SMC Server Contact Addresses.
Otherwise, you are ready to configure the firewall and IPS element(s) in the
Management Client. You must configure the elements before installing the physical
engines. See the Firewall/VPN Installation Guide, SOHO Firewall Installation Guide, and
the IPS Installation Guide for information on configuring the elements and installing the
engines.



Adding SMC Server Contact Addresses
The Management Server and the Log Server can have more than one contact address for each
Location. You must define two or more contact addresses per Location if you have secondary
Management Servers or Log Servers. Multiple contact addresses are required so that remote
components can connect to a Management Server or a Log Server even if the primary
Management Server or Log Server fails. You must also define two or more contact addresses per
Location if you have configured Multi-Link, so that remote components can connect to the
server(s) even if a NetLink goes down.

To define the Management Server and Log Server contact addresses

1. Right-click a server and select Properties. The Properties dialog for that server opens.
2. Select the Location of this server.
3. Enter the Default contact address. If the server has multiple Default contact addresses,
separate the addresses with commas.
4. (Optional) Click Exceptions to define further contact addresses for contacting the server
from specific Locations. The Exceptions dialog opens.
5. Click Add and select the Location. A new row is added to the table.
6. Click the Contact Addresses cell and enter the IP address(es) that components that belong
to this Location must use. If the server has multiple addresses for a Location, separate the
addresses with commas.
7. Repeat steps 5-6 to define contact addresses for other Locations.
8. Click OK.

Note – Elements that belong to the same Location element always use the primary IP
address (defined in the main Properties dialog of the element) when contacting each
other. All elements not specifically put in a certain Location are treated as if they belonged
to the same, Default Location.

Click OK to close the server properties and define the contact addresses for other servers as
necessary in the same way.
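The address-selection rules of this chapter (Configuration Overview and the procedure above) written out as code, added here as an example; it is not code from the Management Center. The Component class, the sample components and addresses (modelled on Illustration 5.1, using documentation address ranges), and the fallback to the primary IP address when a component in another Location has no contact address at all are assumptions made for the illustration. nat_gaps() is the check a practitioner wants before leaving this chapter: every pair of components that sit in different Locations but would still contact each other on a primary IP address, which is exactly the address a NAT device in between does not route.

```python
"""Which address does one StoneGate component use to reach another? (added example)"""
from __future__ import annotations

from dataclasses import dataclass, field

DEFAULT_LOCATION = "Default"


@dataclass
class Component:
    name: str
    primary_ip: str                      # IP address in the element's main Properties dialog
    location: str = DEFAULT_LOCATION     # Location element the component belongs to
    default_contact: str = ""            # "Default contact address" field, comma-separated
    exceptions: dict[str, str] = field(default_factory=dict)  # Location -> comma-separated addresses


def split_addresses(text: str) -> list[str]:
    """Contact address fields hold one or more addresses separated by commas."""
    return [a.strip() for a in text.split(",") if a.strip()]


def contact_addresses(target: Component, caller_location: str) -> list[str]:
    """Addresses that a caller in caller_location uses to contact target.

    Same Location: always the primary IP address.
    Other Location: the Exceptions entry for the caller's Location if there is
    one, otherwise the Default contact address. With no contact address
    configured at all, only the primary IP address is left (assumed here).
    """
    if caller_location == target.location:
        return [target.primary_ip]
    if caller_location in target.exceptions:
        return split_addresses(target.exceptions[caller_location])
    if target.default_contact:
        return split_addresses(target.default_contact)
    return [target.primary_ip]


def nat_gaps(components: list[Component]) -> list[tuple[str, str]]:
    """(caller, target) pairs in different Locations that would still use the
    target's primary IP address. Every pair that actually communicates (see
    Default Communication Ports, page 93) needs a contact address on the
    target, or the two belong in the same Location."""
    gaps = []
    for caller in components:
        for target in components:
            if caller is target or caller.location == target.location:
                continue
            if contact_addresses(target, caller.location) == [target.primary_ip]:
                gaps.append((caller.name, target.name))
    return gaps


# Constructed sample, loosely following Illustration 5.1.
MGMT = Component("Management Server", "10.1.0.10", "Headquarters",
                 default_contact="203.0.113.10")
LOG = Component("Log Server", "10.1.0.11", "Headquarters",
                default_contact="203.0.113.11, 203.0.113.12",   # one address per NetLink
                exceptions={"Partner": "192.0.2.11"})           # different NAT towards "Partner"
HQ_SENSOR = Component("HQ Sensor", "10.1.0.20", "Headquarters")  # no contact address defined
BRANCH_FW = Component("Branch Firewall", "10.2.0.1", "Branch Office",
                      default_contact="198.51.100.1")
SAMPLE = [MGMT, LOG, HQ_SENSOR, BRANCH_FW]

if __name__ == "__main__":
    for caller in SAMPLE:
        for target in SAMPLE:
            if caller is not target:
                print(f"{caller.name} -> {target.name}: {contact_addresses(target, caller.location)}")
    print("NAT gaps:", nat_gaps(SAMPLE))
```

The Management Client follows the same rule: an administrator at the branch office who leaves the client in the Default Location would be handed the Log Server's primary address rather than its branch contact address, which is why the next section has you select the client's Location before viewing logs.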

What’s Next?
If NAT is performed between your Management Client and a Log Server, proceed to
Setting the Management Client’s Location.
Otherwise, you are ready to configure the firewall and IPS element(s) in the
Management Client. You must configure the elements before installing the physical
engines. See the Firewall/VPN Installation Guide, SOHO Firewall Installation Guide, and
the IPS Installation Guide for information on configuring the elements and installing the
engines.



Setting the Management Client’s Location
When NAT is performed between the Management Client and a Log Server, you must select the
correct Location for your Management Client in the status bar at the bottom of the Management
Client window to be able to view logs.

To select the Management Client’s Location

Click the Default Location name in the status bar at the bottom of the window and select the
correct Location.

What’s Next?
You are ready to configure the firewall and IPS element(s) in the Management Client.
You must configure the elements before installing the physical engines. See the
Firewall/VPN Installation Guide, SOHO Firewall Installation Guide, and the IPS Installation
Guide for information on configuring the elements and installing the engines.



MAINTENANCE
In this section:
Upgrading - 61

Uninstalling the Management Center - 71

CHAPTER 6

UPGRADING

This chapter explains how you can upgrade the StoneGate Management Center.

The following sections are included:

Getting Started with Upgrading the Management Center (page 62)
Upgrading Licenses (page 63)
Upgrading the Management Center (page 66)

Getting Started with Upgrading the Management
Center
When a new version of the Management Center becomes available, you should upgrade as soon
as possible. You can upgrade Management Center components without uninstalling the previous
version. It is important to upgrade the Management Center components before upgrading the
engines, because the old Management Center version may not be able to recognize the new
version engines and generate a valid configuration for them. Older versions of engines can be
controlled by newer Management Center versions. See the Release Notes for possible version-
specific restrictions.

Caution – All the Management Center components (Management Server, Management
Client, Log Server, and the optional Web Portal Server) must use the same software
version.

For more detailed instructions, see the Online Help of the Management Client or the
Administrator’s Guide PDF.
Before upgrading the engines, read the Release Notes for the new engine version at
http://www.stonesoft.com/en/support/technical_support_and_documents.

Configuration Overview
1. Obtain the installation files at https://my.stonesoft.com/download/ and check the
installation file integrity as described in Checking File Integrity (page 16).
2. (If installation files were downloaded as .iso images) Create the installation CD-ROM as
described in Creating the Installation CD-ROM (page 16).
3. (If automatic license updates have been disabled) Update the licenses (see Upgrading
Licenses (page 63)).
4. Upgrade all Management Servers, the Log Servers, and the Web Portal Servers that you
have in your system (see Upgrading the Management Center (page 66)). The operation of
StoneGate engines is not interrupted even if the Management Center is offline.
5. Upgrade the Management Clients (see Distributing Management Clients through Web
Start (page 45)).

What’s Next?
If you are sure you do not need to upgrade your licenses, proceed to Upgrading the
Management Center (page 66).
Otherwise, continue by Upgrading Licenses.

Upgrading Licenses
When you installed StoneGate for the first time, you installed licenses that work with all
versions of StoneGate up to that particular version. If the first two numbers in the old and the
new version are the same, the upgrade can be done without upgrading licenses (for example,
when upgrading from 1.2.3 to 1.2.4). When either of the first two numbers in the old version
and the new version are different, you must first upgrade your licenses (for example, when
upgrading from 1.2.3 to 1.3.0). Automatic regeneration and installation of licenses is enabled
by default. You can also upgrade the licenses at the Stonesoft website.
If you are sure you do not need to upgrade licenses, proceed to Upgrading the Management
Center (page 66).
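The version rules stated in this chapter, as a small pre-upgrade check script. This is an added example, not a Stonesoft tool; the sample inventory is constructed. It encodes three rules from the text: licenses must be upgraded when either of the first two version numbers changes, all Management Center components must run the same version, and the Management Center must be upgraded before the engines because a newer Management Center can manage older engines but not the other way round. Version-specific restrictions from the Release Notes are not modelled.

```python
"""Pre-upgrade checks for the version and license rules of this chapter (added example)."""
from __future__ import annotations


def version_tuple(version: str) -> tuple[int, ...]:
    """'5.1.2' -> (5, 1, 2). A build number as a fourth component is tolerated."""
    return tuple(int(part) for part in version.strip().split("."))


def license_upgrade_required(old: str, new: str) -> bool:
    """True when the major or minor number changes (1.2.3 -> 1.3.0), False for 1.2.3 -> 1.2.4."""
    return version_tuple(old)[:2] != version_tuple(new)[:2]


def mismatched_components(versions: dict[str, str]) -> list[str]:
    """Components whose version differs from the Management Server's.

    The Management Server, Management Clients, Log Servers and the Web Portal
    Server must all run the same software version.
    """
    reference = version_tuple(versions["Management Server"])
    return [name for name, v in versions.items() if version_tuple(v) != reference]


def engine_manageable(smc_version: str, engine_version: str) -> bool:
    """An engine may be older than or equal to the Management Center, never newer."""
    return version_tuple(engine_version) <= version_tuple(smc_version)


def preflight(current: str, target: str,
              components: dict[str, str], engines: dict[str, str]) -> list[str]:
    """Findings for an upgrade of the Management Center from current to target."""
    findings = []
    if license_upgrade_required(current, target):
        findings.append(f"licenses must be upgraded before installing {target}")
    for name in mismatched_components(components):
        findings.append(f"{name} runs {components[name]}, not {components['Management Server']}")
    for name, v in engines.items():
        if not engine_manageable(target, v):
            findings.append(f"engine {name} ({v}) is newer than the target Management Center {target}")
    return findings


if __name__ == "__main__":
    # Constructed sample inventory.
    for line in preflight("5.0.2", "5.1.0",
                          {"Management Server": "5.0.2", "Log Server": "5.0.1",
                           "Management Client": "5.0.2"},
                          {"fw-hq": "5.0.2", "fw-branch": "4.3.1"}):
        print("-", line)
```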

What’s Next?
Proceed to Upgrading Licenses Under One Proof Code (page 63) to upgrade the
licenses one by one.
Proceed to Upgrading Licenses Under Multiple Proof Codes (page 64) to upgrade one or
more licenses at once.

Upgrading Licenses Under One Proof Code


A license file generated under one POL (proof-of-license) code contains the license information
for several components. You can also always use the multi-upgrade form to upgrade the
licenses (see Upgrading Licenses Under Multiple Proof Codes (page 64)).

To generate a new license


1. Take your Web browser to www.stonesoft.com/license/.
2. Enter the POL code in the License Identification field and click Submit. The license page
opens.
3. Click Update. The license upgrade page opens.
4. Follow the directions to upgrade the license.
Repeat for other licenses.

What’s Next?
Proceed to Installing Licenses (page 65).

Upgrading Licenses Under Multiple Proof Codes
If you have several existing licenses with different POL (proof-of-license) codes that you need to
upgrade, you can make the work easier by generating the new licenses all at once.

To upgrade multiple licenses

1. Select Configuration→Configuration→Administration from the menu. The
Administration Configuration view opens.
2. Browse to Licenses→All Licenses. All the licenses appear in the right panel.
3. Ctrl-select or Shift-select the licenses you want to upgrade.
4. Right-click one of the selected items and select Export License Info. The StoneGate
License Request Browser dialog opens.
5. Save the license information in a file. A confirmation dialog opens.
6. (Optional) Click Yes to launch the Stonesoft License Center website's multi-upgrade form in
your default Web browser.
7. Upload the license upgrade request file to the Stonesoft License Center website using the
multi-upgrade form, and submit the form with the required details. The upgraded licenses are
sent to you.

You can view and download your current licenses at the license website (log in by entering the
proof-of-license or proof-of-serial number code at the License Center main page).

Installing Licenses
After you have upgraded the licenses as described above, you install the license file in the
Management Client.

To install StoneGate licenses

1. Select File→System Tools→Install Licenses.
2. Select one or more license files in the dialog that opens.

Checking the Licenses

After installing the upgraded licenses, check the license information. When you upgrade
licenses, the old licenses are automatically replaced with the new licenses.

To check that the licenses were installed correctly

Browse to Licenses→All Licenses in the Administration Configuration view.

Upgrading the Management Center
This section provides an outline that should be sufficient in most cases. For more detailed
instructions on how to upgrade the StoneGate Management Center, refer to the Management
Center installation process described in Installing the Management Center (page 21).
There is no need to uninstall the previous version. The installer detects the components that
need to be upgraded. When upgrading from an older version, you may need to do an
intermediate upgrade before upgrading to the most recent version. See the Release Notes for
more information.
It is possible to revert automatically to the previous installation if the Management Center
upgrade fails for some reason.
We recommend that you back up the Management Server before upgrading it. You are also
prompted to make an automatic backup of the Management Server data during the upgrade
process. For more information on backing up StoneGate, refer to the Online Help of the
Management Client or the Administrator’s Guide PDF.

To start the Management Center upgrade


1. Stop the previously installed Management Center components running on the target
machine.
2. If you are installing from a .zip file, unzip the file and run install.exe on Windows or
setup.sh on Linux. Alternatively, insert the StoneGate installation CD-ROM and run the
setup executable:
• On Windows, run CD-ROM\StoneGate_SW_Installer\Windows\install.exe
• On Linux, run CD-ROM/StoneGate_SW_Installer/Linux/setup.sh

Note – If the CD-ROM is not automatically mounted, mount the CD-ROM in Linux with
“mount /dev/cdrom /mnt/cdrom”.

3. Wait for the Installation Wizard to start. When the Installation Wizard shows the Introduction
screen, click Next to start the upgrade. The License Agreement appears.

To select upgrade options

1. Read and accept the License Agreement to continue with the installation.
2. Click Next.

To select the installation directory

1. (Optional) To change the installation directory, enter a new location, or click Select to browse.
2. Click Next.

To select which components to upgrade

1. Select the components you want to upgrade. All installed components must be upgraded at
the same time. You can add more components if you wish (see Installing the Management
Center (page 21) for installation instructions).
2. Select Revert to the Previous Installation to revert to the current Management Center
installation if there are problems with the upgrade.

To back up the Management Server

(Recommended) Select Yes to back up the Management Server data to the
<installation directory>/backups/ directory.

Caution – If you are working on a Windows system and you run any StoneGate component
as a service, make sure the Services window is closed before you complete the next step.

To start the installation

1. Check the displayed information.
2. Click Install. The upgrade begins.

To finish the Installation Wizard

1. (Optional) If any system components change in the upgrade, you are notified of the changes
at the end of the upgrade. Click the link(s) in the notification to view the report(s) of system
changes in your Web browser.
2. Click Next.
3. Click Done to close the installer.

You may have to reboot before you can start the upgraded components.

What’s Next?
If administrators have Management Clients installed locally, upgrade the Management
Clients in the same way as explained above.
If you are distributing Web Start Management Clients from an external server, install a
new Web Start package in the same way as the original installation was made. See
Distributing Management Clients through Web Start (page 45).
If you are distributing Web Start clients from the SMC servers, there is no need for a
separate upgrade. The local client installations are upgraded automatically when the
administrators launch the clients after the SMC servers are upgraded.
Otherwise, the Management Center upgrade is now complete. See the Firewall/VPN
Installation Guide, SOHO Firewall Installation Guide, and IPS Installation Guide if you are
installing new engine versions as well.



CHAPTER 7

UNINSTALLING THE MANAGEMENT CENTER

This chapter instructs how to uninstall the Management Center components.

The following sections are included:

Overview to Uninstalling the Management Center (page 72)
Uninstalling in Windows (page 72)
Uninstalling in Linux (page 73)

Overview to Uninstalling the Management Center
It is not possible to uninstall the Management Center components one by one. If you have
several Management Center components installed on the same computer, they are always all
uninstalled. The sgadmin account is deleted during the uninstallation of the Management
Center.
By default, the Management Center is installed in the following directories:
• Windows: C:\stonesoft\stonegate
• Linux: /usr/local/stonegate
The .stonegate directory contains the Management Client configuration files. These files are
not automatically deleted but can be removed manually after the uninstallation.

Note – It is recommended to take a backup of the Management Server and the Log Server
before uninstalling the Management Center.

Uninstalling in Windows

To uninstall in Windows
1. Stop the Management Center components on the machine.
2. Open the list of installed programs through the Windows Control Panel, right-click
StoneGate, and select Uninstall. The Uninstallation Wizard opens.
• Alternatively, run the script <installation directory>\uninstall\uninstall.bat

Illustration 7.1 Uninstall StoneGate Management Center

3. Click Uninstall. All the Management Center components are uninstalled.



Uninstalling in Linux

To uninstall in graphical mode


1. Stop the Management Center components on the machine.
2. Run the script <installation directory>/uninstall/uninstall.sh

To uninstall in non-graphical mode


1. Stop the Management Center components on the machine.
2. Run the script <installation directory>/uninstall/uninstall.sh -nodisplay

APPENDICES
In this section:
Command Line Tools - 77

Default Communication Ports - 93

Index - 103

APPENDIX A

COMMAND LINE TOOLS

This appendix describes the command line tools for StoneGate Management Center and the
engines.

The following sections are included:

Management Center Commands (page 78)
Engine Commands (page 86)
Server Pool Monitoring Agent Commands (page 91)

Management Center Commands
Most of the Management Server and Log Server commands are found in the <installation
directory>/bin/ directory. In Windows, the command line tools are *.bat script files. In
Linux and Unix, the files are *.sh scripts.

Note – Using the Management Client is the recommended configuration method, as most
of the same tasks can be done through it.

Commands that require parameters must be run through the command line (cmd.exe in
Windows). Commands that do not require parameters can alternatively be run through a
graphical user interface, and may be added as shortcuts during installation.

Table A.1 Management Center Command Line Tools

Command Description
sgArchiveExport [ host=<address> ] [ login=<login name> ] pass=<password>
[ format=CSV|XML ] i=<input file> [ o=<output file> ] [ f=<filter file> ]
[ e=<filter expression> ] [ -h | -help ] [ -v ]
    Displays or exports logs from archive. This command is only available on the Log Server.
    The operation checks privileges for the supplied administrator account from the
    Management Server to prevent unauthorized access to the logs.
    Enclose details in double quotes if they contain spaces.
    host specifies the address of the Management Server. If the parameter is not defined, the
    loopback address is used.
    login defines the username for the account that is used for this operation. If this parameter
    is not defined, the username root is used.
    pass defines the password for the user account. Because the password is given on the
    command line, it can be visible to other local users in the process list and is recorded in
    the shell history; run the command only on the Log Server host, with an account limited
    to the logs it needs.
    format defines the file format for the output file. If this parameter is not defined, the XML
    format is used.
    i defines the source from which the logs will be exported. Can be a folder or a file. The
    processing recurses into subfolders.
    o defines the destination file where the logs will be exported. If this parameter is not
    defined, the output is displayed on screen.
    f defines a file that contains the filtering criteria you want to use for filtering the log data.
    You can export log filters individually in the Management Client through Tools→Save for
    Command Line Tools in the filter’s right-click menu.
    e allows you to type in a filter expression manually (using the same syntax as exported
    filter files).
    -h or -help displays information on using the script.
    -v displays verbose output on the command execution.
    Example (exports logs from one full day to a file using a filter):
    sgArchiveExport login=admin pass=abc123
    i=c:/stonesoft/stonegate/data/archive/firewall/year2009/month12/day01/
    f=c:/stonesoft/stonegate/export/MyExportedFilter.flp format=CSV o=MyExportedLogs.csv



sgBackupLogSrv
    Creates a backup of Log Server configuration data. The backup file is stored in the
    <installation directory>/backups/ directory.
    Twice the size of the log database is required on the destination drive. Otherwise, the
    operation fails.
    Also see sgRestoreLogBackup.

sgBackupMgtSrv
    Creates a complete backup of the Management Server (including both the local
    configuration and the stored information in the configuration database). The backup file is
    stored in the <installation directory>/backups/ directory.
    Twice the size of the Management Server database is required on the destination drive.
    Otherwise, the operation fails.
    Also see sgRestoreMgtBackup and sgRecoverMgtDatabase.

sgCertifyLogSrv [host=<management server address>[/<domain>]]
    Contacts the Management Server and creates a new certificate for the Log Server to allow
    secure communications with other system components. Renewing an existing certificate
    does not require changing the configuration of any other system components.
    host specifies the address of the Management Server. If the parameter is not defined, the
    loopback address is used.
    domain specifies the administrative Domain the Log Server belongs to if the system is
    divided into administrative Domains. If the Domain is not specified, the Shared Domain is
    used.

sgCertifyMgtSrv
    Creates a new certificate for the Management Server to allow secure communications
    between the StoneGate system components. Renewing an existing certificate does not
    require changes on any other system components.

sgCertifyWebPortalSrv [host=<management server address>[/<domain>]]
    Contacts the Management Server and creates a new certificate for the Web Portal Server
    to allow secure communications with other system components. Renewing an existing
    certificate does not require changing the configuration of any other system components.
    host specifies the address of the Management Server. If the parameter is not defined, the
    loopback address is used.
    domain specifies the administrative Domain the Web Portal Server belongs to if the system
    is divided into administrative Domains. If the Domain is not specified, the Shared Domain is
    used.

sgChangeMgtIPOnLogSrv <IP address>
    Changes the Management Server’s IP address in the Log Server’s local configuration to
    the IP address you give as a parameter. Use this command if you change the Management
    Server’s IP address. Restart the Log Server service after this command.



sgChangeMgtIPOnMgtSrv <IP address>
    Changes the Management Server’s IP address in the local configuration to the IP address
    you give as a parameter. Use this command if you change the Management Server’s IP
    address. Restart the Management Server service after this command.

sgClient Starts a locally installed StoneGate Management Client.

sgCreateAdmin
    Creates a superuser administrator account. The Management Server needs to be stopped
    before running this command.

sgExport [host=<management server address>[/<domain>]] [ login=<login name> ]
pass=<password> file=<file path and name> type=<all|nw|ips|sv|rb|al> [-recursion]
[-system] [name=<element name 1, element name 2, ...>]
    Exports elements stored on the Management Server to an XML file.
    Enclose details in double quotes if they contain spaces.
    host specifies the address of the Management Server. If the parameter is not defined, the
    loopback address is used.
    domain specifies the administrative Domain for this operation if the system is divided into
    administrative Domains. If the Domain is not specified, the Shared Domain is used.
    login defines the username for the account that is used for this operation. If this parameter
    is not defined, the username root is used.
    pass defines the password for the user account.
    file defines the file that the elements are exported to.
    type specifies which types of elements are included in the export file: all for all
    exportable elements, nw for network elements, ips for IPS elements, sv for services, rb for
    security policies, or al for alerts.
    -recursion includes referenced elements in the export, for example, the network elements
    used in a policy that you export.
    -system includes any system elements that are referenced by the other elements in the
    export.
    name allows you to specify by name the element(s) that you want to export.



sgHA [host=<management server address>[/<domain>]] [ login=<login name> ]
pass=<password> [-h|-help] [-set-active] [-set-standby] [-force-active] [-sync]
    Controls highly available (active and standby) Management Servers.
    host specifies the address of the Management Server. If the parameter is not defined, the
    loopback address is used.
    domain specifies the administrative Domain for this operation if the system is divided into
    administrative Domains. If the Domain is not specified, the Shared Domain is used.
    login defines the username for the account that is used for this operation. If this parameter
    is not defined, the username root is used.
    pass defines the password for the user account.
    -h or -help displays information on using the script.
    -set-active sets a standby Management Server as the active Management Server, sets
    the formerly active Management Server as a standby Management Server, and
    synchronizes the database between them.
    -set-standby sets the active Management Server as a standby Management Server.
    -force-active sets a standby Management Server as the active Management Server
    without synchronizing the database with the formerly active Management Server.
    -sync functions differently on a standby Management Server and an active Management
    Server. If you run it on an active Management Server, it replicates the active database to
    every standby Management Server that does not have the Disable Database Replication
    option selected in its properties. If you run it on a standby Management Server, it
    replicates the active database from the active Management Server only to this standby
    Management Server (regardless of whether the Disable Database Replication option is
    selected in the standby Management Server’s properties).

sgImport [host=<management server address>[/<domain>]] [login=<login name>] pass=<password> file=<file path and name>
    Imports StoneGate Management Server database elements from a StoneGate XML file. When importing, existing (non-default) elements are overwritten if both the name and type match.
    host specifies the address of the Management Server. If the parameter is not defined, the loopback address is used.
    domain specifies the administrative Domain for this operation if the system is divided into administrative Domains. If the Domain is not specified, the Shared Domain is used.
    login defines the username for the account that is used for this operation. If this parameter is not defined, the username root is used.
    pass defines the password for the user account.
    file defines the file whose contents you want to import.

sgImportExportUser [host=<management server address>[/<domain>]] [login=<login name>] pass=<password> action=[import|export] file=<file path and name>
    Imports and exports a list of Users and User Groups in an LDIF file from/to a StoneGate Management Server's internal LDAP database. To import User Groups, all User Groups in the LDIF file must be directly under the stonegate top-level group (dc=stonegate).
    The user information in the export file is stored as plaintext. Handle the file securely: restrict its permissions to the administrator who needs it and delete it once it has been imported or archived in encrypted form. Note also that pass= is visible in the process list and in the command history like any other command-line argument.
    host specifies the address of the Management Server. If the parameter is not defined, the loopback address is used.
    domain specifies the administrative Domain for this operation if the system is divided into administrative Domains. If the Domain is not specified, the Shared Domain is used.
    login defines the username for the account that is used for this operation. If this parameter is not defined, the username root is used.
    pass defines the password for the user account.
    action defines whether users are imported or exported.
    file defines the file that is used for the operation.
    Example: sgImportExportUser login=admin pass=abc123 action=export file=c:\temp\exportedusers.ldif

sgImportWebClientLanguage [host=<management server address>[/<domain>]] [login=<login name>] pass=<password> file=<file path and name>
    Imports an additional language to the Web Portal end-user interface. You can run the command while the Web Portal Server service is running, but the imported language does not become available until the service is restarted.
    host specifies the address of the Management Server. If the parameter is not defined, the loopback address is used.
    domain specifies the administrative Domain for this operation if the system is divided into administrative Domains. If the Domain is not specified, the Shared Domain is used.
    login defines the username for the account that is used for this operation. If this parameter is not defined, the username root is used.
    pass defines the password for the user account.
    file defines the file that is used for the operation. The imported file must use the UTF-8 or UTF-16 text encoding. The file name must follow the format messages_XX[_YY[_ZZ]].txt, where XX is the two-character ISO language code, YY the ISO country code and ZZ the ISO language variant code. The country code and language variant code are optional.
    Example: sgImportWebClientLanguage host=192.168.1.101/Helsinki login=ricky pass=abc123 file=messages_sv_fi.txt

sgInfo
    Creates a ZIP file that contains copies of configuration files and the system trace files. The resulting ZIP file is stored in the logged-in user's home directory. The file location is displayed on the last line of screen output. Provide the generated file to Stonesoft support for troubleshooting purposes.

sgReinitializeLogServer
    Located in <installation directory>/bin/install. Creates a new Log Server configuration if the configuration file has been lost.

sgReplicate [-h|--help] [-nodiskcheck] [backup BACKUPNAME] standby-server MANAGEMENT_SERVER_NAME
    Restores a Management Server backup from one Management Server on another Management Server.
    -h | --help options display the help message.
    backup BACKUPNAME option specifies the location of the backup file. If this is not specified, you are prompted to select the backup file from a list of files found in the backups directory.
    -nodiskcheck option disables the free disk space check before the backup restoration.
    standby-server MANAGEMENT_SERVER_NAME option specifies the name of the Management Server on which you are running the script.

sgRestoreArchive ARCHIVE_DIR
    Restores logs from archive files to the Log Server. This command is available only on the Log Server.
    ARCHIVE_DIR is the number of the archive directory (0-31) from where the logs will be restored. By default, only archive directory 0 is defined. The archive directories can be defined in the <installation directory>/data/LogServerConfiguration.txt file: ARCHIVE_DIR_xx=PATH.

sgRestoreCertificate
    Restores the Certificate Authority (CA) or the Management Server certificate from a backup file in the <installation directory>/backups/ directory.

sgRestoreLogBackup
    Restores the Log Server (logs and/or configuration files) from a backup file in the <installation directory>/backups/ directory.

sgRestoreMgtBackup
    Restores the Management Server (database and/or configuration files) from a backup file in the <installation directory>/backups/ directory.

sgShowFingerPrint
    Displays the CA certificate's fingerprint on the Management Server.

sgStartLogDatabase
    Starts the Log Server's database. (The Log Server's database is started and stopped automatically when starting/stopping the Log Server service.)

sgStartLogSrv Starts the Log Server and its database.

sgStartMgtDatabase
    Starts the Management Server's database. There is usually no need to use this script.

sgStartMgtSrv Starts the Management Server and its database.

sgStartWebPortalSrv Starts the Web Portal Server.

sgStopLogSrv Stops the Log Server.

sgStopMgtSrv Stops the Management Server and its database.

sgStopMgtDatabase
    Stops the Management Server's database. There is usually no need to use this script.

sgStopWebPortalSrv Stops the Web Portal Server.

sgStopRemoteMgtSrv [host HOST] [port PORTNUM] [login LOGINNAME] [pass PASSWORD]
    Stops the Management Server service when run without arguments. To stop a remote Management Server service, provide the arguments to connect to the Management Server.
    HOST is the Management Server's host name if not localhost.
    PORTNUM is the Management Server's Management Client port number (by default, 8902).
    LOGINNAME is a StoneGate administrator account for the login.
    PASSWORD is the password for the administrator account.

sgTextBrowser pass=PASSWORD [e=FILTER_EXPRESSION] [f=FILTER_FILE] [format=CSV|XML] [host=Management Server address[/domain]] [login=LOGIN_NAME] [o=OUTPUT_FILE] [m=current|stored] [-v] [-h]
    Displays or exports current or stored logs. This command is available on the Log Server.
    Enclose the file and filter names in double quotes if they contain spaces.
    The pass parameter defines the password for the user account used for this operation.
    The e parameter defines the filter that you want to use for filtering the log data. Type the name as shown in the Management Client. The f parameter defines the StoneGate exported filter file that you want to use for filtering the log data.
    The format parameter defines the file format for the output file. If this parameter is not defined, the XML format is used.
    The host parameter defines the address of the Management Server used for checking the login information. If this parameter is not defined, the Management Server is expected to be on the same host where the script is run. If Domains are in use, you can specify the Domain the Log Server belongs to. If the domain is not specified, the Shared Domain is used.
    The login parameter defines the username for the account that is used for this export. If this parameter is not defined, the username root is used.
    The o parameter defines the destination output file where the logs will be exported. If this parameter is not defined, the output is displayed on screen.
    The m parameter defines whether you want to view or export logs as they arrive on the Log Server (current) or logs stored in the active storage directory (stored). If this option is not defined, the current logs are used.
    The -h option displays information on using the script.
    The -v option displays verbose output on command execution.



Engine Commands
The commands in the following two tables can be run on the command line on the analyzer,
firewall, and/or sensor engines. SOHO firewalls do not provide a command line interface.

Table A.2 StoneGate-Specific Command Line Tools on Engines

Command / Engine Type / Description
sg-blacklist show [-v] [-f FILENAME] | add [[-i FILENAME] | [src IP_ADDRESS/MASK] [dst IP_ADDRESS/MASK] [proto {tcp|udp|icmp|NUM}] [srcport PORT[-PORT]] [dstport PORT[-PORT]] [duration NUM]] | del [[-i FILENAME] | [src IP_ADDRESS/MASK] [dst IP_ADDRESS/MASK] [proto {tcp|udp|icmp|NUM}] [srcport PORT[-PORT]] [dstport PORT[-PORT]] [duration NUM]] | iddel NODE_ID ID | flush
    Engine type: firewall, sensor
    Can be used to view, add, or delete active blacklist entries. The blacklist is applied as defined in Access Rules.
    Commands:
    show displays the current active blacklist entries in the format: engine node ID | blacklist entry ID | (internal) | entry creation time | (internal) | address and port match | originally set duration | (internal) | (internal). Use the -f option to specify a storage file to view (/data/blacklist/db_<number>). The -v option adds the operation's details to the output.
    add creates a new blacklist entry. Enter the parameters (see below) or use the -i option to import parameters from a file.
    del deletes the first matching blacklist entry. Enter the parameters (see below) or use the -i option to import parameters from a file.
    iddel NODE_ID ID removes one specific blacklist entry on one specific engine. NODE_ID is the engine's ID, ID is the blacklist entry's ID (as shown by the show command).
    flush deletes all blacklist entries.
    Add/Del Parameters:
    Enter at least one parameter. The default value is used for the parameters that you omit. You can also save parameters in a text file; each line in the file is read as one blacklist entry.
    src IP_ADDRESS/MASK defines the source IP address and netmask to match. Matches any IP address by default.
    dst IP_ADDRESS/MASK defines the destination IP address and netmask to match. Matches any IP address by default.
    proto {tcp|udp|icmp|NUM} defines the protocol to match by name or protocol number. Matches all IP traffic by default.
    srcport PORT[-PORT] defines the TCP/UDP source port or range to match. Matches any port by default.
    dstport PORT[-PORT] defines the TCP/UDP destination port or range to match. Matches any port by default.
    duration NUM defines in seconds how long the entry is kept. The default is 0, which cuts the current connections but does not keep the entry.
    Examples:
    sg-blacklist add src 192.168.0.2/32 proto tcp dstport 80 duration 60
    sg-blacklist add -i myblacklist.txt
    sg-blacklist del dst 192.168.1.0/24 proto 47
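The import-file format described above, as an added example that is not code from the StoneGate documentation or product: a Python helper that builds and validates a file for sg-blacklist add -i and parses such lines back, so that a list of indicators can be turned into one checked file before it touches the engine. The only format facts it relies on are the ones the table states (one entry per line, the add/del parameters, defaults for omitted parameters). The parameter order, the rule that srcport/dstport are only accepted together with proto tcp or udp (or 6/17), and the strict CIDR check are this example's own assumptions, stricter than anything the appendix says the engine enforces.

```python
"""Build and check an import file for `sg-blacklist add -i FILE`.

Added example, not part of the StoneGate documentation. It relies only on
what Table A.2 states: each line of the import file is one blacklist entry
carrying the same parameters as the command line (src, dst, proto, srcport,
dstport, duration), and omitted parameters take their defaults. The parameter
order written here follows the documented examples; the checks (valid CIDR,
no host bits, ports only with tcp/udp) are this example's own assumptions.
"""
import ipaddress
import re
from dataclasses import dataclass
from typing import Iterable, Optional

_KEYS = ("src", "dst", "proto", "srcport", "dstport", "duration")
_PORT_PROTOS = {"tcp", "udp", "6", "17"}              # names or IP protocol numbers
_PORT_RE = re.compile(r"^(\d{1,5})(?:-(\d{1,5}))?$")  # PORT or PORT-PORT


def _check_port_spec(spec: str) -> None:
    m = _PORT_RE.match(spec)
    if not m:
        raise ValueError(f"bad port spec {spec!r}")
    lo = int(m.group(1))
    hi = int(m.group(2)) if m.group(2) else lo
    if not 0 < lo <= hi <= 65535:
        raise ValueError(f"port out of range in {spec!r}")


@dataclass(frozen=True)
class BlacklistEntry:
    src: Optional[str] = None       # IP_ADDRESS/MASK; any address if omitted
    dst: Optional[str] = None       # IP_ADDRESS/MASK; any address if omitted
    proto: Optional[str] = None     # tcp|udp|icmp|NUM; all IP traffic if omitted
    srcport: Optional[str] = None   # PORT or PORT-PORT (TCP/UDP only)
    dstport: Optional[str] = None
    duration: int = 0               # seconds; 0 cuts connections but keeps nothing

    def validate(self) -> None:
        if all(getattr(self, k) in (None, 0) for k in _KEYS):
            raise ValueError("enter at least one parameter")
        for net in (self.src, self.dst):
            if net is not None:
                ipaddress.ip_network(net, strict=True)  # rejects host bits set
        if self.proto is not None and self.proto not in ("tcp", "udp", "icmp"):
            if not (self.proto.isdigit() and int(self.proto) <= 255):
                raise ValueError(f"bad proto {self.proto!r}")
        if (self.srcport or self.dstport) and self.proto not in _PORT_PROTOS:
            raise ValueError("srcport/dstport need proto tcp or udp")
        for spec in (self.srcport, self.dstport):
            if spec is not None:
                _check_port_spec(spec)
        if self.duration < 0:
            raise ValueError("duration must be >= 0")

    def to_line(self) -> str:
        """One import-file line, in the order the documented examples use."""
        self.validate()
        parts = [f"{k} {getattr(self, k)}" for k in _KEYS[:-1] if getattr(self, k) is not None]
        if self.duration:
            parts.append(f"duration {self.duration}")
        return " ".join(parts)


def parse_line(line: str) -> BlacklistEntry:
    """Parse one import-file line (also the argument list of `add`/`del`)."""
    tokens = line.split()
    if len(tokens) % 2:
        raise ValueError(f"odd number of tokens in {line!r}")
    kv = dict(zip(tokens[0::2], tokens[1::2]))
    unknown = set(kv) - set(_KEYS)
    if unknown:
        raise ValueError(f"unknown parameter(s) {sorted(unknown)}")
    entry = BlacklistEntry(
        src=kv.get("src"), dst=kv.get("dst"), proto=kv.get("proto"),
        srcport=kv.get("srcport"), dstport=kv.get("dstport"),
        duration=int(kv.get("duration", "0")),
    )
    entry.validate()
    return entry


def build_import_file(entries: Iterable[BlacklistEntry], path: Optional[str] = None) -> str:
    """Return the import-file body; also write it to `path` when given."""
    body = "".join(e.to_line() + "\n" for e in entries)
    if path is not None:
        with open(path, "w", encoding="ascii") as fh:
            fh.write(body)
    return body


if __name__ == "__main__":
    entries = [
        BlacklistEntry(src="192.168.0.2/32", proto="tcp", dstport="80", duration=60),
        parse_line("dst 192.168.1.0/24 proto 47"),
    ]
    print(build_import_file(entries), end="")
```

Pass the file written by build_import_file(entries, "myblacklist.txt") to sg-blacklist add -i myblacklist.txt; every line is rejected locally before the engine ever sees an entry that would silently match more than intended (for example a network with host bits set).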

sg-bootconfig [--primary-console=tty0|ttyS PORT,SPEED] [--secondary-console=[tty0|ttyS PORT,SPEED]] [--flavor=up|smp] [--initrd=yes|no] [--crashdump=yes|no|Y@X] [--append=kernel options] [--help] apply
    Engine type: analyzer, firewall, sensor
    Can be used to edit boot command parameters for future bootups.
    --primary-console=tty0|ttyS PORT,SPEED parameter defines the terminal settings for the primary console.
    --secondary-console=[tty0|ttyS PORT,SPEED] parameter defines the terminal settings for the secondary console.
    --flavor=up|smp [-kdb] parameter defines whether the kernel is uniprocessor or multiprocessor.
    --initrd=yes|no parameter defines whether Ramdisk is enabled or disabled.
    --crashdump=yes|no|Y@X parameter defines whether kernel crashdump is enabled or disabled, and how much memory is allocated to the crash dump kernel (Y). The default is 24M. X must always be 16M.
    --append=kernel options parameter defines any other boot options to add to the configuration.
    --help parameter displays usage information.
    apply command applies the specified configuration options.

sg-clear-all
    Engine type: analyzer, firewall, sensor
    Clears all configuration from the engine. You must have a local console connection to the engine to use this command. Use this only if you want to return a StoneGate appliance to its factory settings.

sg-cluster [status [-c SECONDS]] [online] [lock-online] [offline] [lock-offline] [standby]
    Engine type: firewall
    Used to display or change the status of the node.
    status [-c SECONDS] command displays cluster status. When -c SECONDS is used, status is shown continuously with the specified number of seconds between updates.
    online command sends the node online.
    lock-online command sends the node online and keeps it online even if another process tries to change its state.
    offline command sends the node offline.
    lock-offline command sends the node offline and keeps it offline even if another process tries to change its state.
    standby command sets an active node to standby.

sg-contact-mgmt
    Engine type: analyzer, firewall, sensor
    Used for establishing a trust relationship with the Management Server as part of engine installation or reconfiguration (see sg-reconfigure below). The engine contacts the Management Server using the one-time password created when the engine's initial configuration is saved.

sg-ipsec -d [-u <username[@domain]> | -si <session id> | -ck <ike cookie> | -tri <transform id> | -ri <remote ip> | -ci <connection id>]
    Engine type: firewall
    Deletes VPN-related information (use the vpninfo command to view the information). Option -d (for delete) is mandatory.
    -u deletes the VPN session of the named VPN client user. You can enter the user account in the form <username@domain> if there are several user storage locations (LDAP domains).
    -si deletes the VPN session of a VPN client user based on the session identifier.
    -ck deletes the IKE SA (Phase one security association) based on the IKE cookie.
    -tri deletes the IPSEC SAs (Phase two security associations) for both communication directions based on the transform identifier.
    -ri deletes all SAs related to a remote IP address in gateway-to-gateway VPNs.
    -ci deletes all SAs related to a connection identifier in gateway-to-gateway VPNs.

sg-logger -f FACILITY_NUMBER -t TYPE_NUMBER [-e EVENT_NUMBER] [-i "INFO_STRING"] [-s] [-h]
    Engine type: analyzer, firewall, sensor
    Can be used in scripts to create log messages with the specified properties.
    -f FACILITY_NUMBER parameter defines the facility for the log message.
    -t TYPE_NUMBER parameter defines the type for the log message.
    -e EVENT_NUMBER parameter defines the log event for the log message. The default is 0 (H2A_LOG_EVENT_UNDEFINED).
    -i "INFO_STRING" parameter defines the information string for the log message.
    -s parameter dumps information on option numbers to stdout.
    -h parameter displays usage information.

sg-raid [-status] [-add] [-re-add] [-force] [-help]
    Engine type: analyzer, firewall, sensor
    Configures a new hard drive. This command is only for StoneGate appliances that support RAID (Redundant Array of Independent Disks) and have two hard drives.
    -status option displays the status of the hard drive.
    -add option adds a new empty hard drive. Use -add -force if you want to add a hard drive that already contains data and you want to overwrite it.
    -re-add adds a hard drive that is already partitioned. This command prompts for the drive and partition for each degraded array. Use -re-add -force if you want to check all the arrays.
    -help option displays usage information.

sg-reconfigure [--boot] [--maybe-contact] [--no-shutdown]
    Engine type: analyzer, firewall, sensor
    Used for reconfiguring the node manually.
    --boot option applies bootup behavior. Do not use this option unless you have a specific need to do so.
    --maybe-contact option contacts the Management Server if requested. This option is only available on firewall engines.
    --no-shutdown option allows you to make limited configuration changes on the node without shutting it down. Some changes may not be applied until the node is rebooted.

sg-selftest [-d] [-h]
    Engine type: firewall
    Runs cryptography tests on the engine.
    -d option runs the tests in debug mode.
    -h option displays usage information.

sg-status [-l] [-h]
    Engine type: analyzer, firewall, sensor
    Displays information on the engine's status.
    -l option displays all available information on engine status.
    -h option displays usage information.

sg-toggle-active SHA1 SIZE | --force [--debug]
    Engine type: analyzer, firewall, sensor
    Switches the engine between the active and the inactive partition. This change takes effect when you reboot the engine.
    You can use this command, for example, if you have upgraded an engine and want to switch back to the earlier engine version. When you upgrade the engine, the active partition is switched. The earlier configuration remains on the inactive partition. To see the currently active (and inactive) partition, see the directory listing of /var/run/stonegate (ls -l /var/run/stonegate).
    The SHA1 SIZE option is used to verify the signature of the inactive partition before changing it to active. If you downgrade the engine, check the checksum and the size of the earlier upgrade package by extracting the signature and size files from the sg_engine_[version.build]_i386.zip file.
    --debug option reboots the engine with the debug kernel.
    --force option switches the active configuration without first verifying the signature of the inactive partition. Because it skips the only integrity check on the partition you are about to boot, prefer the SHA1 SIZE form whenever the package is available.

sg-upgrade
    Engine type: firewall
    Upgrades the node by rebooting from the installation CD-ROM. Alternatively, the node can be upgraded remotely using the Management Client.

sg-version
    Engine type: analyzer, firewall, sensor
    Displays the software version and build number for the node.

sginfo [-f] [-d] [-s] [-p] [--] [--help]
    Engine type: analyzer, firewall, sensor
    Gathers system information you can send to Stonesoft support if you are having problems. Use this command only when instructed to do so by Stonesoft support.
    -f option forces sgInfo even if the configuration is encrypted.
    -d option includes core dumps in the sgInfo file.
    -s option includes slapcat output in the sgInfo file.
    -p option includes passwords in the sgInfo file (by default, passwords are erased from the output).
    -- option creates the sgInfo file without displaying the progress.
    --help option displays usage information.
    Note that -s and -p put the internal user database dump and the passwords into the archive; handle such a file like the LDIF export of sgImportExportUser and transfer it only over an encrypted channel.

The table below lists some general operating system commands that may be useful in running
your StoneGate engines. Some commands can be stopped by pressing Ctrl+c.

Table A.3 General Command Line Tools on Engines

Command      Description
dmesg        Shows system logs and other information. Use the -h option to see usage.
halt         Shuts down the system.
ip           Displays IP address information. Type the command without options to see usage. Example: type ip addr for basic information on all interfaces.
ping         Tests connectivity with ICMP echo requests. Type the command without options to see usage.
ps           Reports the status of running processes.
reboot       Reboots the system.
scp          Secure copy. Type the command without options to see usage.
sftp         Secure FTP. Type the command without options to see usage.
ssh          SSH client (for opening a terminal connection to other hosts). Type the command without options to see usage.
tcpdump      Gives information on network traffic. Use the -h option to see usage.
top          Displays the top CPU processes taking most processor time. Use the -h option to see usage.
traceroute   Traces the route packets take to the specified destination. Type the command without options to see usage.
vpninfo      Displays VPN information and allows you to issue some basic commands. Type the command without options to see usage.



Server Pool Monitoring Agent Commands
You can test and monitor the Server Pool Monitoring Agents on the command line with the
commands described in the table below.

Table A.4 Server Pool Monitoring Agent Commands

Command Description
sgagentd [-d] [-v level] [-c path] [test [files]] [syntax [files]]
    Allows you to test different configurations before activating them.
    -d Don't fork as a daemon. All log messages are printed to stdout or stderr only.
    -v level Set the verbosity level. The default level is 5. Levels 6-8 are for debugging where available.
    -c path Use the specified path as the first search directory for the configuration.
    test [files] Run in the test mode; status queries do not receive a response. If you specify the files, they are used for reading the configuration instead of the default files. The output is directed to syslog or eventlog instead of the console where the command was run unless you use the -d option.
    syntax [files] Check the syntax in the configuration file. If no files are specified, the default configuration files are checked. The output is directed to syslog or eventlog instead of the console where the command was run unless you use the -d option.

sgmon [status|info|proto] [-p port] [-t timeout] [-a id] host
    Sends a UDP query to the specified host and waits for a response until received, or until the timeout limit is reached.
    The request type can be defined as a parameter. If no parameter is given, status is requested. The commands are:
    status - query the status.
    info - query the agent version.
    proto - query the highest supported protocol version.
    -p port Connect to the specified port instead of the default port.
    -t timeout Set the timeout (in seconds) to wait for a response.
    -a id Acknowledge the received log messages up to the specified id. Each response message has an id, and you may acknowledge more than one message at a given time by using the id parameter. Note that messages acknowledged by sgmon will no longer appear in the firewall logs.
    host The IP address of the host to connect to. To get the status locally, you may give localhost as the host argument. This parameter is mandatory.
    Return value:
    0 if the response was received
    1 if the query timed out
    -1 in case of an error (a POSIX shell reports this exit status as 255, so a script should treat any status other than 0 or 1 as an error rather than test for -1)



APPENDIX B

DEFAULT COMMUNICATION PORTS

This chapter lists the default ports used in connections between StoneGate components and
the default ports StoneGate uses with external components.

The following sections are included:

Management Center Ports (page 94)
Firewall/VPN Engine Ports (page 96)
IPS Engine Ports (page 100)

Management Center Ports
The illustrations below present an overview of the most important default ports used in communications between the Management Center (SMC) components and from the SMC to external services. See Table B.1 for a complete list of default ports.

Illustration B.1 Destination Ports for Basic Communications Within SMC
(Diagram not reproduced; the destination ports it shows are:)
    Management Client -> Log Server: TCP 8914-8918
    Management Client -> Management Server: TCP 8902-8913
    Log Server -> Management Server: TCP 8902-8913, plus TCP 3021 for the Log Server certificate request

Illustration B.2 Default Destination Ports for Optional SMC Components and Features
(Diagram not reproduced; the destination ports it shows are:)
    Management Server -> External LDAP Server: TCP 389
    Management Server -> Stonesoft's Update Service: TCP 443
    Management Server -> External RADIUS Server: UDP 1812
    Web Portal Server -> Log Server: TCP 3020, 8916, 8917
    Web Portal Server -> Management Server: TCP 8902-8913, plus TCP 3021 for the certificate request
    Secondary Management Server -> Management Server: TCP 8903, 8907
    Management Server -> Secondary Management Server: TCP 8902-8913
    Monitored Third Party Components -> Log Server: TCP and UDP 514 (Windows) or 5514 (Linux)
    Log Server -> Monitored Third Party Components: UDP 161



The table below lists all default ports SMC uses internally and with external components. Many of these ports can be changed. The names of the corresponding default Service elements are also included for your reference. For information on communications between SMC components and the engines, see the separate listings.

Table B.1 Management Center Default Ports

Listening Host | Port/Protocol | Contacting Hosts | Service Description | Service Element Name
DNS server | 53/UDP, 53/TCP | Management Client, Management Server, Log Server | DNS queries. | DNS (UDP)
LDAP server | 389/TCP | Management Server | External LDAP queries for display/editing in the Management Client. | LDAP (TCP)
Log Server | 514/TCP, 514/UDP, 5514/TCP, 5514/UDP | Monitored third party components | Syslog reception from third party components. Port 514 is used if installed on Windows, port 5514 if installed on Linux. | Syslog (UDP) [Partial match]
Log Server | 3020/TCP | Log Server, Web Portal Server | Alert sending. | SG Log
Log Server | 8914-8918/TCP | Management Client | Log browsing. | SG Data Browsing
Log Server | 8916-8917/TCP | Web Portal Server | Log browsing. | SG Data Browsing (Web Portal Server)
Management Server | 3021/TCP | Log Server, Web Portal Server | System communications certificate request/renewal. | SG Log Initial Contact
Management Server | 8902-8913/TCP | Management Client, Log Server, Web Portal Server | Monitoring and control connections. | SG Control
Monitored Third Party Components | 161/UDP | Log Server | SNMP status probing to external IP addresses. | SNMP (UDP)
Primary Management Server | 8903, 8907/TCP | Secondary Management Servers | Database replication (pull) to the secondary Management Server. | SG Control
RADIUS server | 1812/UDP | Management Server | RADIUS authentication requests for administrator logins. | RADIUS (Authentication)
Secondary Management Servers | 8902-8913/TCP | Primary Management Server | Database replication (push) to the secondary Management Server. | SG Control
Stonesoft servers | 443/TCP | Management Server | Update packages, engine upgrades, and licenses from update.stonesoft.com and smc.stonesoft.com. | HTTPS
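Added example, not from the StoneGate documentation: a Python check that compares the sockets an SMC host actually has open (the output of ss -lntu on Linux) with the ports Table B.1 says a Management Server or Log Server listens on, so that a host can be verified after installation or hardening. The expected sets are copied from the table; the ss output below is constructed for the example; the role names, the platform switch for the syslog port, and the allowed_extra parameter (for listeners such as SSH that the table does not cover) are this example's own. Loopback-only listeners are ignored because they are not reachable from the network; anything else that is listening and not in the table is reported.

```python
"""Audit the listening sockets of an SMC host against Table B.1.

Added example, not part of the StoneGate documentation. EXPECTED ports are
copied from the table above; the `ss -lntu` sample output is constructed for
the example, and on a real host you would feed in the output of that command.
"""
from typing import Iterable, List, Set, Tuple

Socket = Tuple[str, int]  # (protocol, port)

_SYSLOG_PORT = {"linux": 5514, "windows": 514}  # Table B.1: 514 on Windows, 5514 on Linux


def expected_listeners(role: str, platform: str = "linux") -> Set[Socket]:
    """Default listening ports of one SMC component, from Table B.1."""
    if role == "management":
        # 8902-8913 (SG Control; 8903/8907 also serve replication) and 3021 (SG Log Initial Contact)
        return {("tcp", p) for p in range(8902, 8914)} | {("tcp", 3021)}
    if role == "log":
        syslog = _SYSLOG_PORT[platform]
        return ({("tcp", 3020)}                             # alert sending
                | {("tcp", p) for p in range(8914, 8919)}   # log browsing
                | {("tcp", syslog), ("udp", syslog)})       # syslog reception
    raise ValueError(f"unknown role {role!r}")


def _is_loopback(addr: str) -> bool:
    addr = addr.strip("[]")
    return addr.startswith("127.") or addr in ("::1", "localhost")


def parse_ss(text: str) -> Set[Tuple[str, int, str]]:
    """Parse `ss -lntu` output into (proto, port, local address) triples."""
    sockets = set()
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 5 or fields[0] not in ("tcp", "udp"):
            continue  # header or unrelated line
        addr, _, port = fields[4].rpartition(":")
        if not port.isdigit():
            continue
        sockets.add((fields[0], int(port), addr))
    return sockets


def audit(role: str, ss_text: str, platform: str = "linux",
          allowed_extra: Iterable[Socket] = ()) -> Tuple[List[Socket], List[Socket]]:
    """Return (missing, unexpected): table ports not bound, and network-reachable
    listeners that are neither in the table nor explicitly allowed."""
    expected = expected_listeners(role, platform)
    allowed = expected | set(allowed_extra)
    bound: Set[Socket] = set()
    exposed: Set[Socket] = set()
    for proto, port, addr in parse_ss(ss_text):
        bound.add((proto, port))
        if not _is_loopback(addr):
            exposed.add((proto, port))
    return sorted(expected - bound), sorted(exposed - allowed)


# Constructed sample: a Management Server that lost one SG Control port (8913)
# and has two listeners (SSH and something on 8080) that the table does not mention.
SAMPLE_SS = "Netid State  Recv-Q Send-Q Local Address:Port  Peer Address:Port\n" + "".join(
    f"tcp   LISTEN 0      128    0.0.0.0:{p}        0.0.0.0:*\n" for p in range(8902, 8913)
) + (
    "tcp   LISTEN 0      128    0.0.0.0:3021        0.0.0.0:*\n"
    "tcp   LISTEN 0      128    [::]:22             [::]:*\n"
    "tcp   LISTEN 0      128    *:8080              *:*\n"
    "tcp   LISTEN 0      128    127.0.0.1:5432      0.0.0.0:*\n"
)

if __name__ == "__main__":
    missing, unexpected = audit("management", SAMPLE_SS, allowed_extra=[("tcp", 22)])
    print("missing:", missing)        # [('tcp', 8913)]
    print("unexpected:", unexpected)  # [('tcp', 8080)]
```

On a real host, replace SAMPLE_SS with the captured output of ss -lntu and pass any ports you have deliberately moved or added in allowed_extra; a non-empty "unexpected" list is the finding to chase, and a non-empty "missing" list usually means a service is down or bound to a non-default port.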

Firewall/VPN Engine Ports


The illustrations below present an overview of the most important default ports used in communications between firewall/VPN engines and the SMC and between clustered firewall engines. See Table B.2 for a complete list of default ports for the fully-featured firewall/VPN engines and Table B.3 for a list of default ports for SOHO Firewalls.

Illustration B.3 Destination Ports for Basic Firewall/VPN Engine Communications
(Diagram not reproduced; the destination ports it shows are:)
    Firewall -> Log Server: TCP 3020
    Management Server -> Firewall: TCP 636, 4950, 4987, 8888 (or none for Single Firewalls with "node-initiated contact" selected)
    Firewall -> Management Server: TCP 3021, 3023
    Firewall -> Other node(s) in the cluster: TCP 3002, 3003, 3010; UDP 3000, 3001 (multicast on the heartbeat interfaces)

Illustration B.4 Destination Ports for Basic SOHO Firewall Engine Communications
(Diagram not reproduced; the destination ports it shows are:)
    SOHO Firewall -> NTP Time Server: UDP 123
    SOHO Firewall -> Log Server: TCP 8923
    SOHO Firewall -> Management Server: TCP 8922, 8924



Illustration B.5 Default Destination Ports for Firewall/VPN Engine Service Communications
(Diagram not reproduced; the destination ports it shows are:)
    Firewall -> DNS Server: TCP, UDP 53
    Firewall -> LDAP Server: TCP 389, 636
    Firewall -> RADIUS Server: UDP 1812, 1645
    Firewall -> TACACS+ Server: TCP 49
    Firewall -> Server Pool: UDP 7777
    Firewall -> RPC Server: TCP, UDP 111
    Firewall -> DHCP Server: UDP 67; DHCP Server -> Firewall: UDP 68
    Firewall -> SNMP Server: UDP 162; SNMP Server -> Firewall: UDP 161
    VPN Clients -> Firewall: UDP 500, 4500
    VPN Gateways <-> Firewall: UDP 500, 2746, 4500

The table below lists all default ports StoneGate Firewall/VPN uses internally and with external components. Many of these ports can be changed. The names of the corresponding default Service elements are also included for your reference.

Table B.2 Firewall/VPN Default Ports

Listening Host | Port/Protocol | Contacting Hosts | Service Description | Service Element Name
Anti-virus signature server | 80/TCP | Firewall | Anti-virus signature update service. | HTTP
BrightCloud Server | 2316/TCP | Firewall | BrightCloud web filtering update service. | BrightCloud update
DHCP server | 67/UDP | Firewall | Relayed DHCP requests and requests from a firewall that uses a dynamic IP address. | BOOTPS (UDP)
DNS server | 53/UDP, 53/TCP | Firewall | Dynamic DNS updates. | DNS (TCP)
Firewall | 67/UDP | Any | DHCP relay on firewall engine. | BOOTPS (UDP)
Firewall | 68/UDP | DHCP server | Replies to DHCP requests. | BOOTPC (UDP)
Firewall | 161/UDP | SNMP server | SNMP monitoring. | SNMP (UDP)
Firewall | 500/UDP | VPN clients, VPN gateways | VPN negotiations, VPN traffic. | ISAKMP (UDP)
Firewall | 636/TCP | Management Server | Internal user database replication. | LDAPS (TCP)
Firewall | 2543/TCP | Any | User authentication (Telnet) for Access rules. | SG User Authentication
Firewall | 2746/UDP | StoneGate VPN gateways | UDP encapsulated VPN traffic. | SG UDP Encapsulation
Firewall | 3000-3001/UDP, 3002-3003/TCP, 3010/TCP | FW/VPN engine | Heartbeat and state synchronization between clustered firewalls. | SG State Sync (Multicast), SG State Sync (Unicast), SG Data Sync
Firewall | 4500/UDP | VPN client, VPN gateways | VPN traffic using NAT-traversal. | NAT-T
Firewall | 4950/TCP | Management Server | Remote upgrade. | SG Remote Upgrade
Firewall | 4987/TCP | Management Server | Management Server commands and policy upload. | SG Commands
Firewall | 8888/TCP | Management Server | Connectivity monitoring, status monitoring for old version engines. | SG Monitoring
Firewall | 15000/TCP | Management Server, analyzer | Blacklist entries. | SG Blacklisting
LDAP server | 389/TCP | Firewall | External LDAP queries. | LDAP (TCP)
Log Server | 3020/TCP | Firewall | Log and alert messages, monitoring (status, statistics). | SG Log
Management Server | 3021/TCP | Firewall | System communications certificate request/renewal (initial contact). | SG Initial Contact
Management Server | 3023/TCP | Firewall | Monitoring (status) connection. | SG Reverse Monitoring
Management Server | 8906/TCP | Firewall | Management connection for Single Firewalls with "node-initiated contact" selected. | SG Dynamic Control
RADIUS server | 1812, 1645/UDP | Firewall | RADIUS authentication requests. | RADIUS (Authentication), RADIUS (Old)
RPC server | 111/UDP, 111/TCP | Firewall | RPC number resolve. | SUNRPC (UDP), Sun RPC (TCP)
Server Pool Monitoring Agents | 7777/UDP | Firewall | Polls to the servers' Server Pool Monitoring Agents for availability and load information. | SG Server Pool Monitoring
SNMP server | 162/UDP | Firewall | SNMP traps from the engine. | SNMP Trap (UDP)
TACACS+ server | 49/TCP | Firewall | TACACS+ authentication requests. | TACACS (TCP)
VPN gateways | 500/UDP, 2746/UDP (StoneGate gateways only), or 4500/UDP | Firewall | VPN traffic. Ports 2746 and 4500 may be used depending on encapsulation options. | ISAKMP (UDP)

Table B.3 SOHO Firewall Default Ports

Listening Host | Port/Protocol | Contacting Hosts | Service Description | Service Element Name
SOHO Firewall engine | 500/UDP | VPN gateway | Internet Key Exchange (IKE) for IPsec. | ISAKMP (UDP)
Management Server | 8922/TCP | SOHO Firewall | Configuration and status communication to the Management Server. | SG SOHO Control
Management Server | 8924/TCP | SOHO Firewall | System communications certificate request/renewal (initial contact). | SG SOHO Initial Contact
NTP server | 123/UDP | SOHO Firewall | Time synchronization. | NTP (UDP)
RADIUS server | 1812/UDP | SOHO Firewall | RADIUS authentication requests. | RADIUS (Authentication)

IPS Engine Ports
The illustration below presents an overview of the most important default ports used in
communications between IPS engines and the SMC and between clustered sensor engines. See
Table B.4 for a complete list of default ports.

Illustration B.6 Default Destination Ports for Basic IPS System Communications (figure: Management Server, Log Server, Analyzer, Sensor and the other nodes in the cluster; the ports shown are listed in Table B.4)

The table below lists all default ports StoneGate IPS uses internally and with external
components. Many of these ports can be changed. The names of the corresponding default Service
elements are also included for your reference.

Table B.4 IPS-Specific Ports

Listening Hosts | Port/Protocol | Contacting Hosts | Service Description | Service Element Name
Analyzer | 514/UDP | Syslog server | Syslog messages forwarded to Analyzer. | Syslog (UDP)
Analyzer | 4950/TCP | Management Server | Remote upgrade. | SG Remote-Upgrade
Analyzer | 18889/TCP | Management Server | Management connection. | SG Commands (Analyzer)
Analyzer | 18890/TCP | Sensor | Event data sent from the Sensors. | SG Event Transfer
BrightCloud Server | 2316/TCP | Sensor | BrightCloud web filtering update service. | BrightCloud update
Log Server | 3020/TCP | Analyzer, Sensor | Log and alert messages from Analyzers and recording file transfers from Sensors. | SG Log

Table B.4 IPS-Specific Ports (Continued)

Listening Hosts | Port/Protocol | Contacting Hosts | Service Description | Service Element Name
Management Server | 3021/TCP | Sensor, analyzer | System communications certificate request/renewal (initial contact). | SG Initial Contact
Management Server | 3023/TCP | Sensor, analyzer | Backup monitoring (status) connection. | SG Reverse Monitoring
Sensor | 3000-3001/UDP; 3002, 3003, 3010/TCP | Sensor | Heartbeat between the cluster nodes. | SG State Sync (Multicast), SG State Sync (Unicast), SG Data Sync
Sensor | 4950/TCP | Management Server | Remote upgrade. | SG Remote Upgrade
Sensor | 18888/TCP | Management Server | Management connection. | SG Commands (Sensor)
Sensor, firewall | 15000/TCP | Management Server, analyzer, sensor | Blacklist entries. | SG Blacklisting

INDEX
A
administration client, see management client

B
binding licenses, 34

C
certificate authority
  checking fingerprint, 32
checksums, 16
command line installation
  see non-graphical installation
command line tools, 77
commands
  engine, 86
  log server, 78
  management server, 78
compatibility with different platforms, 15
contact addresses, 51–57
  exceptions, 55
contact information, 10
customer support, 10

D
database user account, 26
date and time settings, 15
documentation available, 9

E
exceptions to contact addresses, 55

F
file integrity, 16
fingerprint of certificate authority, 32
fingerprint of certificates, 83

G
generating server certificates, 36
GUI client, see management client

H
hardware requirements, 10
hosts file, 15

I
installation files, 16
  creating CD-ROMs, 16
integrity of files, 16

J
java web start, 45–49

L
licenses, 17
  binding, 34
  checking, 34, 65
  installing, 33, 65
  retained, 35
  upgrading, 17, 63–64
linux for management center, 22
locations, 51–57
log server
  contact addresses, 55–57
  installing, 27
  starting, 35

M
management bound licenses, 34
management center
  components, 14
  installing, 21–43
  upgrading, 66
management client
  configuration files, 72
  installing, 22, 45–49
  installing using web start, 46–48
  logging in, 32
  setting location, 57
  starting, 31
  web start, 49
management server
  contact addresses, 55–57
  database user account, 26
  installing, 26
  starting, 31
MD5 checksum, 16
monitoring server, see web portal server

N
NAT (network address translation), 51–57
  locations, 51–57
non-graphical installation, 42–43

O
overview to the installation, 15

P
planning installation, 13–17
platforms supported, 15

R
requirements for hardware, 10
retained licenses, 35

S
secondary management servers, installing, 38–41
servers
  certifying, 36
  log server, 27
  management server, 26
  secondary management servers, 38–41
  starting manually, 35
  web portal server, 28
sgadmin user account, 22
SHA-1 checksum, 16
starting
  log server, 35
  management client, 31
  management server, 31
  servers manually, 35
  web portal server, 35
stonegate architecture, 14
support services, 10
supported platforms, 15
system architecture, 14
system requirements, 10

T
technical support, 10
typographical conventions, 8

U
uninstalling, 71–73
upgrading, 61–69
  licenses, 63–64
  management center, 66

W
web portal server
  installing, 28
  starting, 35
web start, 45–49
  enabling web start server, 46–47
web start files
  creating manually, 48

StoneGate Guides
Administrator’s Guides - step-by-step instructions for configuring and managing the system.

Installation Guides - step-by-step instructions for installing and upgrading the system.

Reference Guides - system and feature descriptions with overviews to configuration tasks.

User's Guides - step-by-step instructions for end-users.

For more documentation, visit www.stonesoft.com/support/

Stonesoft Corporation
Itälahdenkatu 22 A
FI-00210 Helsinki
Finland
Tel. +358 9 476 711
Fax +358 9 4767 1234

Stonesoft Inc.
1050 Crown Pointe Parkway
Suite 900
Atlanta, GA 30338
USA
Tel. +1 770 668 1125
Fax +1 770 668 1131

Copyright 2010 Stonesoft Corporation. All rights reserved. All specifications are subject to change.
