
Configuring outbound restrictions

Question/Issue:
You need information on restricting outbound access for your users.

Solution:
There are several basic tasks to configure outbound restrictions (details follow):
  1. Create computer entries
  2. Add computers to groups
  3. Create any additional services
  4. Configure outbound rules
  5. Configure Special Applications, where an application needs them

Create computer entries
Computer entries identify computers on your network to the Symantec Gateway Security 300 Series appliance. While computer entries are not needed to allow computers on your LAN access to the Internet or WAN, they are necessary for controlling access and for applying Content Filtering and Antivirus Policy Enforcement.

To create a new computer entry
  1. In the left pane, click Firewall.
  2. On the Computers tab, in the Host Name text box, type a host name.
  3. In the Adapter (MAC) Address text box, type the address of the host's network interface card (NIC).
  4. If the computer is an application server to which you want to allow access with an inbound rule, or if you want to reserve an IP address for a computer that is not an application server, under Application Server, check Reserve Host.
  5. In the IP Address text box, type the IP address of the host.
  6. Under Computer Group, on the Computer Group drop-down list, select a group for your host to join. (The computer group properties are defined on the Firewall > Computer Groups tab.)
  7. Under Session Association, in the Bind with PPPoE Session drop-down list, select the session to bind to this host. (You must have a multisession PPPoE account with your ISP if you want to bind a host to a PPPoE session. If you do not have a PPPoE account with your ISP, leave the Bind with PPPoE Session drop-down list at Session 1.)
  8. Click Add. (A page appears to tell you that the changes will be applied on the next reboot. If you are finished adding computers, click the Reboot button. If you are not finished adding computers, click the link to go back and continue adding computers.)

To check whether a host is configured, look at the Host List displayed at the bottom of the window. The fields in the list map to the fields you entered when you configured the host.

Add computers to groups
Computer Groups are logical groupings of computers. With Computer Groups, you may make policy decisions for a large number of computers at once. For example, if you have a few computers that need unrestricted outbound access to the Internet or WAN, but want the majority of computers to be restricted, you may move the few computers into a group which has no outbound rules applied to it.

To assign computers to groups
You assign a computer to a group when you create its computer entry: under Computer Group, select the group on the Computer Group drop-down list (step 6 of "To create a new computer entry"). The group's properties are defined as follows.
To define computer group properties
  1. In the left pane, click Firewall.
  2. In the right pane, on the Computer Groups tab, under Security Policy, on the Computer Group drop-down list, select the computer group that you want to configure.
  3. Under Antivirus Policy Enforcement, check Enable AntiVirus Policy Enforcement to turn it on.
  4. If you enabled Antivirus Policy Enforcement, click one of the following:
    • Warn Only
    • Block Connections
  5. Under Content Filtering, if you check Enable Content Filtering, you also need to select one of the following:
    • Use Allow List
    • Use Deny List
  6. Under Access Control (Outbound Rules) select one of the following:
    • No restrictions
    • Block ALL outbound access
    • Use rules defined in Outbound Rules Screen.
  7. Click Save.

Create any additional services
Services define the port numbers and protocols that you permit through the firewall. Symantec Gateway Security 300 Series appliances come with preconfigured services for most common protocols and also allow you to create services for the protocols that you use regularly.

To create a service
  1. In the Security Gateway Management Interface (SGMI), in the left pane, click Firewall.
  2. Under Application Settings, in the Name text box, type a name for the service that represents the application.
  3. In the Protocol drop-down list, select TCP or UDP.
  4. In the Listen on Port(s): Start text box, type the first port in the required port range. If you are using a single port, rather than a range, type that port number.
  5. In the Listen on Port(s): End text box, type the last port in the required port range. If you are using a single port, rather than a range, type that port number.
  6. In the Redirect to Port(s): Start text box, type the first port in the required port range. If you are using a single port, rather than a range, type that port number.
    Redirect only applies to inbound rules. If you are creating a service for an outbound rule, leave the Redirect to Port(s) text boxes blank. To redirect inbound traffic to the original destination port, leave the Redirect text boxes blank.
  7. In the Redirect to Port(s): End text box, type the last port in the required port range. If you are using a single port, rather than a range, type that port number.
  8. Click Add.

Configure outbound rules
Outbound rules permit computers inside your LAN to use the services that your security policy allows. If you are using Outbound Rules to define access for your users, any service that is not referenced by a rule is not permitted through the security gateway.

To create outbound rules
  1. In the SGMI, in the left pane, click Firewall.
  2. In the right pane, on the Outbound Rules tab, under Computer Groups, on the Computer Group drop-down list, select a computer group.
    To see a list of rules for the selected computer group, click View.
  3. In the Name text box, type a unique name for the outbound rule.
  4. Check Enable Rule.
  5. On the Service drop-down list, select an outbound service.
  6. Click Add.
    The configured rule appears in the Outbound Rules List.
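As an added illustration (not Symantec's code or the appliance's actual implementation), the following Python model evaluates the outbound policy described in the preceding sections: computer entries map a host's MAC address to a computer group, the group's Access Control setting selects one of the three modes, and in the rules mode only a service named in an enabled outbound rule passes. The services, groups and host entries are constructed samples, and the treatment of hosts that have no computer entry is an assumption.

```python
from dataclasses import dataclass, field
# The three Access Control (Outbound Rules) choices on the Computer Groups tab.
NO_RESTRICTIONS = "No restrictions"
BLOCK_ALL = "Block ALL outbound access"
USE_RULES = "Use rules defined in Outbound Rules Screen"

@dataclass(frozen=True)
class Service:  # a service entry: transport protocol plus listen port range
    name: str
    protocol: str  # "TCP" or "UDP"
    start: int
    end: int

@dataclass
class ComputerGroup:  # access-control mode plus the group's enabled outbound rules
    name: str
    access_control: str
    rules: list = field(default_factory=list)

# Constructed sample configuration (not taken from the article).
SERVICES = {
    "HTTP": Service("HTTP", "TCP", 80, 80),
    "HTTPS": Service("HTTPS", "TCP", 443, 443),
    "DNS": Service("DNS", "UDP", 53, 53),
}
GROUPS = {
    "Admins": ComputerGroup("Admins", NO_RESTRICTIONS),
    "Servers": ComputerGroup("Servers", BLOCK_ALL),
    "Users": ComputerGroup("Users", USE_RULES, list(SERVICES.values())),
}
# Computer entries (Computers tab): host MAC address -> computer group.
HOST_GROUP = {
    "00:11:22:33:44:55": "Users",
    "00:11:22:33:44:66": "Admins",
    "00:11:22:33:44:77": "Servers",
}

def outbound_allowed(mac: str, protocol: str, dst_port: int, default_group: str = "Users") -> bool:
    """Decide whether an outbound connection from host `mac` is permitted.
    Hosts with no computer entry fall into `default_group` (a modelling assumption;
    the article does not say how the appliance treats such hosts)."""
    group = GROUPS[HOST_GROUP.get(mac, default_group)]
    if group.access_control == NO_RESTRICTIONS:
        return True
    if group.access_control == BLOCK_ALL:
        return False
    # USE_RULES: only a service referenced by an enabled outbound rule passes;
    # protocol and port must both match, so TCP/53 is not covered by UDP DNS.
    return any(protocol == s.protocol and s.start <= dst_port <= s.end for s in group.rules)
```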


Special applications
Some applications, such as Microsoft NetMeeting or Symantec pcAnywhere, require two separate connections in different directions. The client software creates a connection to a server, and then the server creates a new connection back to the client.

If an application requires this sort of connection method and the ports are different for the two connections, you must configure a Special Application to allow this traffic. The Special Application allows the outbound and inbound connections and associates them with each other. Without this logical association, the inbound connections are blocked.

To create a Special Application entry, you must know the transport protocol type and port numbers for your application's inbound and outbound connections. This information is generally available in the product documentation for your application.

To configure a Special Application
  1. In the SGMI, in the left pane, click Firewall.
  2. In the right pane, on the Special Applications tab, in the Name field, type a name for the Special Application that you are creating.
  3. Check Enable.
  4. Use the Outgoing Protocol drop-down menu to select the appropriate transport protocol for the outbound connection.
  5. For Outgoing Port(s) do the following:
    • In the Start text box, type the first port in the required port range. If you are using a single port, rather than a range, type that port number.
    • In the End text box, type the last port in the required port range. If you are using a single port, rather than a range, type that port number.
  6. Use the Incoming Protocol drop-down menu to select the appropriate transport protocol for the inbound connection.
  7. For Incoming Port(s) do the following:
    • In the Start text box, type the first port in the required port range. If you are using a single port, rather than a range, type that port number.
    • In the End text box, type the last port in the required port range. If you are using a single port, rather than a range, type that port number.
  8. Click Add.
    The new Special Application appears in the Special Application List.
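The association that a Special Application creates, as an added Python model (not Symantec's code or the appliance's implementation): an inbound connection to a LAN host is admitted only while that host has a matching outbound connection open, and only on the incoming protocol and ports of the Special Application that matched. The sample application, its ports, the addresses and the decision to tie the association to the same remote peer are constructed assumptions.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class SpecialApplication:  # one row of the Special Applications tab
    name: str
    enabled: bool
    out_protocol: str  # Outgoing Protocol / Outgoing Port(s)
    out_start: int
    out_end: int
    in_protocol: str   # Incoming Protocol / Incoming Port(s)
    in_start: int
    in_end: int

class SpecialApplicationTracker:
    """Admits inbound connections to a LAN host only via an association made by that host."""
    def __init__(self, apps: list) -> None:
        self.apps = [a for a in apps if a.enabled]  # "Enable" unchecked -> ignored
        self.active: set = set()  # (host, peer, app name) for open outbound connections

    def outbound_opened(self, host: str, peer: str, protocol: str, dst_port: int) -> list:
        """Record an outbound connection; return the Special Applications it matched."""
        matched = [a.name for a in self.apps
                   if protocol == a.out_protocol and a.out_start <= dst_port <= a.out_end]
        self.active.update((host, peer, name) for name in matched)
        return matched

    def outbound_closed(self, host: str, peer: str) -> None:
        """Drop the association once the client's outbound connection ends."""
        self.active = {o for o in self.active if o[:2] != (host, peer)}

    def inbound_allowed(self, host: str, peer: str, protocol: str, dst_port: int) -> bool:
        """The peer may connect back to host only on the associated app's incoming ports.
        Requiring the same peer is a modelling assumption, not stated in the article."""
        return any((host, peer, a.name) in self.active
                   and protocol == a.in_protocol and a.in_start <= dst_port <= a.in_end
                   for a in self.apps)

# Constructed sample: client opens TCP 5000 to a server, which connects back on TCP 6000-6010.
SAMPLE_APP = SpecialApplication("sample-app", True, "TCP", 5000, 5000, "TCP", 6000, 6010)

def demo() -> tuple:
    t = SpecialApplicationTracker([SAMPLE_APP])
    before = t.inbound_allowed("10.0.0.5", "203.0.113.7", "TCP", 6002)  # no association yet
    t.outbound_opened("10.0.0.5", "203.0.113.7", "TCP", 5000)
    during = t.inbound_allowed("10.0.0.5", "203.0.113.7", "TCP", 6002)
    other_host = t.inbound_allowed("10.0.0.6", "203.0.113.7", "TCP", 6002)
    wrong_port = t.inbound_allowed("10.0.0.5", "203.0.113.7", "TCP", 7000)
    t.outbound_closed("10.0.0.5", "203.0.113.7")
    after = t.inbound_allowed("10.0.0.5", "203.0.113.7", "TCP", 6002)
    return before, during, other_host, wrong_port, after
```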

Document ID: 2004041413584854
Last Modified: 10/03/2007
Date Created: 04/14/2004
Product(s): Symantec Gateway Security 300 Series, Symantec Gateway Security 400 Series
Release(s): 320, 360, 360R, 440, 460, 460R, SGS 440, SGS 460, SGS 460R