LevelBlue Knowledge Base » Knowledgebase » Legacy Products » Firewall Suite

What versions of Marshal Security products are currently supported by LevelBlue Technical Support?

Charles Creegan — Sun, 26 Nov 2023 18:02:27 GMT

This article applies to:

MailMarshal (SEG)
MailMarshal ECM/MailMarshal Exchange
MailMarshal SPE
MailMarshal SES
Marshal Reporting Console
WebMarshal
Bitdefender for Marshal
McAfee for Marshal
Sophos for Marshal
Other Products
- MailMarshal Appliance e10000
- MailMarshal Management Pack for MOM
- MailMarshal Management Pack for SCOM
- Marshal EndPoint Security
- Security Reporting Center
- Firewall Suite
- imMarshal for MSN
- Counterspy for Marshal
- Kaspersky for Marshal
- PestPatrol for Marshal

Question:

What versions of Content Security (Marshal) products are currently supported by LevelBlue Technical Support?

Information:

For full details about supported versions of current products, see the articles linked below:

Premises Email Security

Article Q20961 covers the following products:
- MailMarshal (SEG)
- MailMarshal ECM/MailMarshal Exchange
- Secure Email Server (SES)

Web Content Security

Article Q20962 covers WebMarshal.

Service Provider Email Security

Article Q20963 covers MailMarshal SPE.

Anti-Virus and Reporting

Article Q20964 covers the following products:
- Bitdefender for Marshal
- McAfee for Marshal
- Sophos for Marshal
- Marshal Reporting Console

Deprecated and Discontinued Products

e10000 (MailMarshal Node Appliance): End of support: March 31, 2011
EndPoint Security: End of support: May 1, 2013
MailMarshal Management Pack for MOM: End of support: May 1, 2013
MailMarshal Management Pack for SCOM: End of support: May 1, 2013
Security Reporting Center (Windows Version): End of support: December 31, 2009
Security Reporting Center (Solaris Version): Withdrawn
Firewall Suite: Withdrawn
imMarshal for MSN: Withdrawn
Counterspy for Marshal: End of support: January 1, 2014
Kaspersky for Marshal: End of support: November 22, 2023
PestPatrol for Marshal: End of support: January 1, 2014

This article was previously published as:: NETIQKB33882

What is NETSTAT?

Charles Creegan — Wed, 01 Apr 2020 00:00:00 GMT

This article applies to:

MailMarshal (SEG)
WebMarshal

Question:

What is NETSTAT?

Information:

You can use the NETSTAT command to check the operation of local ports to see if they are configured properly and if they are receiving data.

You can access a wealth of helpful information about the NETSTAT utility from the Help utility on your Microsoft Windows workstation or server. This information can be found by clicking START | HELP | INDEX and by entering the keyword netstat.

Port	Protocol	NETSTAT - WinNT	NETSTAT - UNIX
21	FTP	`netstat -an 1 \| findstr 21`	`netstat -an 1 \| grep 21`
25	SMTP	`netstat -an 1 \| findstr 25`	`netstat -an 1 \| grep 25`
53	DNS (Note 1)	`netstat -an 1 \| findstr 53`	`Netstat -an 1 \| grep 53`
80	HTTP	`netstat -an 1 \| findstr 80`	`netstat -an 1 \| grep 80`
99	WebTrends Remote Reporting	`netstat -an 1 \| findstr 99`	`netstat -an 1 \| grep 99`
110	POP3	`netstat -an 1 \| findstr 110`	`netstat -an 1 \| grep 110`
137	WINS (Note 2)	`netstat -an 1 \| findstr 137`	`netstat -an 1 \| grep 137`
514	SYSLOG	`netstat -an 1 \| findstr 514`	`netstat -an 1 \| grep 514`
18184	OPSEC LEA	`netstat -an 1 \| findstr 18184`	`netstat -an 1 \| grep 18184`

Note 1: DNS is the acronym for Domain Name Service, a name resolution scheme that originated with the Berkeley version of Unix. DNS is used throughout the Internet for host-name resolution and is a constantly evolving protocol. Along with host-name resolution, it helps in e-mail routing and other TCP/IP-based application services. The most popular Unix-based implementation of DNS is the Berkeley Internet Name Daemon, or BIND.
- SEG/MailMarshal SMTP uses DNS port 53 TCP and UDP.
Note 2: WINS is the acronym for Windows Internet Naming Service, Microsoft's extension of the NetBIOS name resolution scheme. Computers utilize port 137 for WINS resolution.
- If WINS resolution is enabled, local machine names can be resolved without explicit DNS entries.

Once you type the command, look for a response:

If nothing appears, the port is not being utilized.
- If you are checking the response from a Marshal product, check to see if the appropriate service is running. If it is, you may need to restart the server computer and run NETSTAT again.
If the word "ESTABLISHED" appears, then the port is configured properly and it is receiving data.
If the words "TIME-WAIT" appear, the port is configured properly but it is not receiving data.

This article was previously published as: entries: NETIQKB2609

How can I test email connectivity to a server?

Charles Creegan — Sun, 01 Mar 2020 00:00:00 GMT

Question:

What is TELNET?
How can I test email connectivity to a server?
Are there Telnet commands specific for testing MailMarshal SEG/MailMarshal?

Information:

The first step in troubleshooting protocol problems is to verify that you can establish a successful TCP connection to the host. The easiest way to test this is by using the telnet command to connect to the required port. Pinging a host is not a reliable test. The Ping utility does not tell you that the host is listening on a specific port. It is only an indication that a lower-level packet was able to find its way to the correct IP address. In addition, many companies block ping or ICMP packets from entering their networks. Telnet allows you to test exactly the same type of connection that is used to send email.

Note: With recent versions of Windows, the Telnet client is not installed by default. If necessary, use Server Manager to add the feature "Telnet Client".

You can use a Telnet utility to test the basic operation of the SEG Receiver. To get a feel for how Telnet works, try to use Telnet to connect to your SEG computer on port 25. The syntax is:

telnet <ip_address> <port>

For example:

telnet 127.0.0.1 25
telnet mail.domain.tld 25 (.tld represents "top level domain")

Both of the examples above can be used (with the correct values); however, the first example is the most reliable. When addressing systems by their IP address, you eliminate the possibility of name resolution problems. The example above should bring up a Telnet window and a successful connect message indicating that you are ready to send to the host. This indicates that the host is listening on port 25, and that you can probably send an SMTP message to the host. The example above is similar to what the SEG Sender does when it connects to send email. At this point, the Sender starts sending SMTP commands to the host to initiate message transfer.

Many other protocols including POP3, IMAP4, and NNTP (Net News) work in a similar way. They include commands that are sent to the host and the replies that are expected. After you have concluded that a successful connection can be made to the correct port, you can start reviewing the actual responses given to a host when commands are issued.

The best testing method is to actually issue the commands to the host by using a Telnet command. This method is effective if you know exactly what you need to send and how to do it, or if you know what your client/server program is trying to send.

Tip: If you find you are making mistakes when typing commands in a command window, you might want to use a script file to enter the set of commands. A simple Windows Scripting File example is attached to this article. Unzip the archive, modify the WSF file as required, and then simply double-click it to run the script. The progress will display in a command window.

Basic Mail and News Protocol Command and Response Overview

All commands are terminated with a carriage return/line feed (CR/LF).

(.tld stands for top level domain, for instance "com".)

SMTP Commands	Expected Response	Description
HELO	250 OK	Initiates the conversation between hosts.
MAIL FROM: <user@domain.tld>	250 OK	Identifies who is sending the message. Include the email address between angle brackets (the brackets are required).
RCPT TO: <user@domain.tld>	250 OK	Identifies whom the message is to. Include the email address between angle brackets (the brackets are required).
DATA	354 Send Data	Identifies the start point for message data.
. (a single period)	250 OK	Identifies the end point for message data.
QUIT	221	Terminates the session.
The HELO command is issued and the server responds, indicating that it understands and accepts the command. MAIL FROM tells the host who is sending the message. Again, the server responds successfully. RCPT TO tells the host whom to deliver this message to.

POP3 Commands	Expected Response	Description
USER ntdomain/ntaccount/alias	+OK	Initiates the authentication process.
PASS password	+OK	Specifies the password for the user's account.
LIST	+OK	Lists available messages to download.
RETR Message#	The Message Text	Retrieves the message text of Message#.
DELE Message#	+OK	Deletes Message#.
QUIT	+OK	Terminates the session.
The USER command, followed by the appropriate logon credentials, is used to log on to the POP3 mailbox. The PASS command issues the password to gain access. Exchange Server returns "+OK User successfully logged on."

IMAP4 Commands	Expected Response	Description
LOGIN ntdomain/ntaccount/alias password	OK LOGIN	Logs on to the mailbox.
SELECT folder	Folder mode & OK SELECT	Selects a folder to view.
FETCH Message#	Message text & OK FETCH	Retrieves the message by Message#.
STORE Message Flags/flag	OK STORE	Marks a message for deletion or read/unread.
EXPUNGE	OK	Deletes all marked messages.
LOGOUT	OK	Terminates the session.
All commands issued to an IMAP4 server must be prefixed with a command identifier. The client can interpret that to keep track of command and response pairs. For example, when your IMAP client issues local SELECT inbox, the server responds with local OK. A NO response is given when a command is denied.

NNTP Commands	Expected Response	Description
AUTHINFO USER ntdomain/ntaccount/username	381 More Info Needed	Supplies authentication information.
AUTHINFO PASS password	281 Accepted.	Supplies password for authentication.
LIST	List Of Groups	Lists all groups available.
GROUP group	Group Specifications	Sets the current group.
ARTICLE #	Article Text	Retrieves an article by #.
QUIT	205	Terminates the session.
There are two modes of NNTP access: authenticated and anonymous. Authentication requires the first two commands listed (AUTHINFO USER and AUTHINFO PASS).

This article was previously published as:: NETIQKB2699
NETIQKB35161

Where do I send a feature request for a LevelBlue Marshal product?

Charles Creegan — Sun, 01 Mar 2020 00:00:00 GMT

This article applies to:

MailMarshal (SEG)
MailMarshal ECM/MailMarshal Exchange
MailMarshal SPE
WebMarshal

Question:

Where do I send a feature request for a LevelBlue Marshal product?

Procedure:

If you want to request a new feature or you want to suggest an improvement for any product, you can contact Technical Support. You can also enquire through your account manager or reseller.

What is the WELF log file format?

Charles — Wed, 06 Nov 2019 18:24:28 GMT

This article applies to:

WebMarshal 6.X
WebMarshal 7.X
Security Reporting Center 2.X
WebTrends Firewall Suite

Question:

What is the WELF log file format?

Information:

WELF is the WebTrends Enhanced Log file Format.

The WELF Reference defines the WebTrends industry standard log file exchange format. Any firewall or VPN system logging to this format will be compatible with Firewall Suite 2.0 and later, Firewall Reporting Center 1.0 and later, and Security Reporting Center 2.0 and later.

WebMarshal 6.X and WebMarshal 7.X "Traffic Logging" logs can be created in the WELF format.

For full details of the fields logged by WebMarshal, see LevelBlue Knowledgebase article Q21119.

Log File Format

A log file is made up of records. Each record makes up a single line of the file. Records must be in chronological order. The earliest record is the first record in the file; the most recent record is the last record in the file. The WebTrends Enhanced Log Format places no restrictions on log file names or log file rotation policies.

Record Format

A record is terminated by the character sequence carriage return-line feed (0x0D-0x0A). There may be no carriage-returns or line-feeds within a record; this format results in a single record per line.

Each record is made up of fields. The record identifier field (id=) must be the first field in a record. All other fields can appear in any order.

Aside from a few required fields, you can decide which optional fields are included in the record. You may want some fields to appear in only certain records because they are only relevant to certain types of activity (for example, the operation on an HTTP request).

Some optional fields may be left out if the firewall vendor chooses, but doing so typically results in reports that are less complete. Refer to the field descriptions to determine which fields are required for tables.

Sample Record
(In a real log file, the record would reside on one line.)

Note: This sample record should give you a sense of what a record looks like. It does not contain all the fields that are available and described in this document. Additional sample records are fully documented in the HELP Index built into the Firewall Suite product.

id=firewall time="2000-2-4 12:01:01" fw=192.168.0.238 pri=6 rule=3 proto=http src=192.168.0.23 dst 6.1.0.36 rg=www.webtrends.com/index.html op=GET result 0 rcvd=1426

Required Fields	Optional Fields
Record identifier Date/time Firewall IP address or name Priority of the record	Rule Protocol Duration Bytes Transferred Bytes Received Source Source Name Destination Destination Name User Operation URL Accessed Result Code VPN Type Message Referring Site Agent Category Category Action WebMarshal Cache Result WebMarshal Classification

Required Fields (WELF)

Record identifier
The id= field identifies the type of record. For log files conforming to this document, the type will always be firewall. For example,
id=firewall

Date/time
The time= field shows the date and time of the event, in terms of local time. The form of the date/time field is shown below (Note: Since this field contains spaces, it must be enclosed in double quotes):
time="yyyy-mm-dd hh:mm:ss" (where):

yyyy: year (always 4 digits)
mm: number between 1 and 12 (inclusive) to represent the month (1 or 2 digits)
dd: day of the month, 1 based (1 or 2 digits)
hh: hour, based on 24-hour clock (1 or 2 digits)
mm: minute (1 or 2 digits)
ss: second (1 or 2 digits)
For example,
6:00 a.m. on January 1, 2000 would be represented as:
time="2000-1-1 6:0:0"
It could also be represented as:
time="2000-01-01 06:00:00"
6:00 p.m. on the same day would be represented as:
time="2000-01-01 18:00:00"

Firewall IP address or name
The fw= field identifies the firewall that generated the log record. This is most often represented as an IP address or a machine name. Firewall Suite uses this field for licensing. The user's licensing is simplified if the firewall is consistent in logging this field. In other words, a particular firewall should always log its IP address or always log its machine name, but not both. If a firewall is logging its IP address, it should always log the IP address of the internal network interface or always log the IP address of the external network interface, not a mixture of the two.
An example using the IP address of the firewall:
fw=192.168.0.238

An example using the machine name of the firewall:
fw=ACME_FIREWALL

Priority of the record
The pri= field specifies the priority of the event. The following is a list of valid values:

0 - emergency
1 - alert
2 - critical
3 - error
4 - warning
5 - notice
6 - information
7 - debug
Messages are placed in various tables based on the priority. Messages with priorities 0, 1, and 2 are included in the critical errors tables, messages with priorities of 3 and 4 are included in the errors and warnings tables, and messages with priorities of 5, 6, and 7 are included in the informational messages tables. For example:
pri=0 pri=5

Optional Fields (WELF)

The following fields for the WebTrends Enhanced Log File Format are optional:

Rule
The rule= field specifies the rule that triggered the log entry. This field is used to generate tables that help the user understand that the rules they have set up are working properly. Three tables are based on the rule field: internal IP addresses triggering firewall rules, external IP addresses triggering firewall rules, and protocols triggering firewall rules. Most firewalls log this field as an integer identifying a particular rule. However, rules could also be identified by name and logged as such in this field. For example:

rule=4 rule=12

Protocol
The proto= fields specifies the protocol used by the event. A large number of tables and graphs depend on the presence of the protocol field. Although this it is not a required field, without it, reports lack important information. Some firewalls do not log the protocol, but log the service. If this is the case, the service can be logged in this field. For example,
proto=http proto=ftp proto=snmp
Default protocol mapping
Firewall Suite includes a file called wtprotocols.txt that maps protocol fields found in log files to types of traffic that appear in reports (for example, pop3 in the log file is displayed as e-mail in the report).

The following is an extract from the wtprotocols.txt file that ships with WebTrends Firewall Suite:

[web] http https 80/tcp [email] pop3 smtp smap [ftp] ftp ftp-data [telnet] telnet [realaudio] realaudio
Map new protocols
Your log files may contain protocols not included in this file. Map them using the Protocols tab in the Firewall Options dialog in the GUI (a mapping changes file named protocols.txt is created). Or you can create the protocols.txt file and map new protocols. Follow the syntax of the wtprotocols.txt file: use the types of traffic designations enclosed in square brackets and list new protocols for that type of traffic, each on a single line. Note: Unmapped protocols are grouped for reports in a type of traffic designation called "other."

Duration

The duration= field specifies the time that is required to perform the operation, in seconds. For example, for an FTP file transfer, the duration is the amount of time used to perform the transfer. Although Firewall Suite tracks this field, it is not currently shown in any tables or graphs. We recommend that if the this information is available, it should be logged so that it can be used in the future. For example, to indicate that an operation required 3 minutes exactly, the duration field could look like this:

duration=180.00
or like this:

duration=180

Bytes Transferred

The sent= field specifies the number of bytes transferred from the source to the destination. For example,

sent=1426 sent=512

Bytes Received

The rcvd= field specifies the number of bytes transferred from the destination to the source. For example:

rcvd=1426 rcvd=512

Source

The src= field specifies the IP address that generated the event. For example:

src=192.168.0.23 src 6.0.2.1

Source Name

The srcname= fields is a more user-friendly version of the src= field. For example,

srcname=mickm@example.com srcname=www.example.com srcname=JIMS_SYSTEM

Destination

The dst= field specifies the IP address that received the event. For example,

dst=192.168.0.23 dst 6.0.2.1

Destination Name

The dstname= field is a more user-friendly version of the dst= field. For example,

dstname=EXAMPLE_SERVER dstname=www.example.com

User

If users are authenticating through the firewall, then the authenticated user name can be logged in the user= field. For example,

user=JohnB user=MarySmith

Operation

For HTTP and FTP requests, the op= field is the operation such as GET, POST, etc. For example,

op=GET op=POST

URL Accessed

For HTTP and FTP requests, the arg= field is the URL accessed. For example,

arg=/PRODUCTS/GOODIES/GIFS/IWAWARD2.gif arg=/PRODUCTS/GOODIES/download.htm?Product=Standard

Result Code

For HTTP requests, the result= field is the standard result code, such as 200 for success, 304 for returned from cache, etc. For example,

arg 0 arg=304 arg=404

VPN

The vpn= field identifies a particular VPN. This value is used to generate tables showing the most highly used VPNs and tables correlating particular users to particular VPNs. For example,

vpn="NY Branch VPN" vpn=Sales

Type

The firewall vendor can use the type= field to cause records to be placed into the tables relating to VPN events or relating to firewall management events. (Other categories may be defined in the future.)
A record can be put into more than one category by separating values by commas.
The currently defined types are:

· vpn - the record is a VPN event.

· mgmt - the record is a firewall management event. For example,

type=vpn type=mgmt type=vpn,mgmt

Message

The msg= field is the basis for the tables showing detailed Critical Events, Errors and Warnings, VPN events, and Firewall Management events. Firewall Suite generates summary tables showing these types of events. Firewall Suite will also generate detailed tables associating users with these events. To make this happen, the user(s) need to be identified using the Src=, Srcname=, Dst=, Dstname=, or User= fields. For example,

msg="VPN starting" msg="Possible port scan detected" msg="Firewall configuration changed"

Referring Site

For incoming web records, the ref= field contains the referring site. For example,

ref=http://search.yahoo.com/bin/search?p=trends%20internet

Agent

For incoming or outgoing web records, the agent= field contains the agent (usually the browser).

agent="SPRY_Mosaic/v8.32 (Windows 16-bit)" agent="Microsoft Internet Explorer/4.40.308 (Windows 95)" agent="Mozilla/3.0 (WinNT; I)"

Category

The cat= field contains the categories to which the accessed site belongs. It is used only for firewalls or proxies capable of categorizing web sites. For example, www.msnbc.com might be categorized as "General News", "Investment", and "Entertainment". If a site belongs to more than one category, these categories should be given in the same cat= field, with a comma separating each category. Note: If a field contains spaces, it must be enclosed in double quotes.

Use this field should only if dst= (or dstname=) is also present.
For example:

dst=www.msnbc.com cat=News dst=www.msnbc.com cat="General News" dst=www.msnbc.com cat=News,Investment,Entertainment dstname=www.msnbc.com cat=News,Investment,Entertainment

Category Action

The cat_action= field contains the action taken for the category value of the cat= field. For example, access to gambling web sites may be blocked.
This field should only be present if cat= is also present.
Possible values for this field are: block and pass.
For example:

dst=www.gambling.com cat=Gambling cat_action=block dst=www.msnbc.com cat=News cat_action=pass

WebMarshal Cache Result

The wmcache= field contains the result of a WebMarshal cache lookup request.

Cache status is not written for HTTPS or FTP requests. Only HTTP supports caching.

This custom field cannot be reported by Security Reporting Center.
Possible values for this field are: HIT, MISS, REFRESH_HIT or REFRESH_MISS.

wmcache=HIT indicates that the item was served from cache without checking the origin server.

wmcache=MISS indicates that the item was not in cache and had to be retrieved from the origin server.

wmcache=REFRESH_HIT indicates that the cache item required revalidation, and that revalidation was successful.

wmcache=REFRESH_MISS indicates that the cache item required revalidation, and that the origin server sent back new data.

WebMarshal Classification Result

Two fields record the result of WebMarshal classification:

dclass= indicates a WebMarshal Domain Classification
fclass= indicates a WebMarshal File Classification

If WebMarshal records multiple classifications, they are included as a comma separated list within double quotes.

For instance: dclass="Safe Sites,Search Engines"

Sample Records

See the document entitled WebTrends Enhanced Log Format (WELF) For Firewalls & VPNs or the HELP Index built into the Firewall Suite product for examples of records that conform to the WebTrends Enhanced Log File Format. Included among the examples provided are:

Sample Web Records
Sample E-mail Records
Sample Telnet Records
Sample FTP Records
Sample RealAudio Records
Sample Management Records
Sample Error Messages

This article was previously published as:: NETIQKB1301

Error: "java.lang.OutOfMemory"

Oliver Stanley — Wed, 25 Jun 2008 03:23:00 GMT

This article applies to:

Firewall Suite 4.1x
Security Reporting Center 2.X

Symptoms:

Error: "java.lang.OutOfMemory"
Out of memory errors are received when trying to view reports.

Causes:

The Java component does not allocating enough memory for reports with large amounts of data to load successfully.

Information:

For the report to display successfully, allocate more memory to Java. To do this please follow the steps below:

Important Note! Before making any changes, please make a backup of your registry.

Allocating Java memory on Windows:

Open the Registry Editor by running the regedit command.
Navigate to the following entry:
HKEY_LOCAL_MACHINE/SYSTEM/CurrentControlSet/Services/NetIQTomcatService/Parameters
Add two new strings:
- JVM Option Number 2
  value: -Xms10M
- JVM Option Number 3
  value: -Xmx500M
Change the "JVM Option Count" parameter from 2 to 4, because we have added two new parameters. Without making this change, the memory will not be affected.
Restart the NetIQ Apache and NetIQ Tomcat services in Service Control Manager.

Warning: Using the Registry Editor incorrectly can cause serious problems that may require you to reinstall your operating system. Trustwave cannot guarantee that problems resulting from the incorrect use of Registry Editor can be resolved. Make sure that you backup your Registry prior to making any changes.

This article was previously published as:: NETIQKB35391

How do I export Check Point log files?

Oliver Stanley — Wed, 25 Jun 2008 03:19:00 GMT

This article applies to:

Security Reporting Center 2.x
WebTrends Firewall Suite 4.x
Check Point Firewall-1
Check Point NG

Question:

How do I export Check Point log files?

Symptoms:

Unable to analyze Check Point exported log files.

Procedure:

To export Check Point FW-1 log files, follow these steps.

From the machine on which the firewall is installed, access a command prompt.
Change to the directory where the fw.exe file is located.
Enter the following text to export the fw.log log files.
fw logexport -d ; -i fw.log -o[log_path]\fw.log
Enter the following text to export the fw.alog log files.
fw logexport -d ; i fw.alog -o [log_path]\fw.alog

To export Check Point NG log files, follow these steps:

On the computer where the firewall is installed, open a command prompt.
Switch to the \winnt\fw1\NG\bin directory where the fw.exe file is located.
Export the log files using the following command:
fwm logexport -i <input file> -o <output file>
Note: If you do not specify an input file Check Point exports the current log.

Notes:

Check Point NG does not produce an .alog file. This information is now combined into the regular .log file.

This article was previously published as:: NETIQKB5691

What is a UNC path?

Oliver Stanley — Mon, 12 May 2008 01:11:00 GMT

This article applies to:

Firewall Suite 4.X

Question:

What is a UNC path?

Information:

UNC is short for Universal Naming Convention, a Windows format for specifying the location of resources on a local-area network (LAN). UNC uses the following format:

\\server-name\shared-resource-pathname

The shared resource pathname can be a single name, or a longer directory path. It can mount at any point on a logical drive (not necessarily at the root of the drive).

What is UNC?

View a definition provided by Microsoft:
http://msdn.microsoft.com/library/officedev/off2000/idh_ofdefuniversalnamingconventionunc.htm

View definitions from Google:
http://www.google.com/search?hl=en&q=define%3AUNC

This article was previously published as:

NETIQKB2474

Is the Check Point Safe@Office device supported?

Oliver Stanley — Mon, 29 Oct 2007 20:40:00 GMT

This article applies to:

Firewall Suite 4.x
Security Reporting Center 2.x

Question:

Is the Check Point Safe@Office device supported?

Reply:

Unfortunately this device has not been quality tested so Marshal cannot support it at this time.

For a list of our supported devices please see the following Trustwave Knowledgebase article:

Q10939: Which firewalls are supported?

This article was previously published as:: NETIQKB40278

How do I continue logging when Check Point Firewall log files need to be rotated?

Oliver Stanley — Thu, 20 Sep 2007 03:26:00 GMT

This article applies to:

Firewall Suite

Question:

How do I continue logging when Check Point Firewall log files need to be rotated?

Procedure:

When rotating the log file for a Check Point firewall, below are the proper steps to follow.

Stop the LEA Server service.
Delete the lastrecord.txt files in the log file directory, located below:
Rotate the log file on the Check Point firewall.
Start the LEA Server service.

Notes:

When Firewall Suite retrieves log file information via the LEA connection with a Check Point Firewall, the last record received in a file called lastrecord.txt is always kept. When the log file is rotated on the Check Point Firewall, this record will not be present in the new log file, and the retrieval process will not be able to retrieve new information, as it does not know where it left off. By deleting the lastrecord.txt file, and by restarting our LEA service, the data retrieval process can be reset to properly receive data from a newly created log file.

This article was previously published as:: NETIQKB1619

How do I determine if a Cisco Pix log file is in the 6.2 format?

Oliver Stanley — Wed, 02 May 2007 03:48:00 GMT

This article applies to:

Security Reporting Center 2.x
WebTrends Firewall Suite 4.1x
Cisco Pix 6.2

Question:

How do I determine if a Cisco Pix log file is in the 6.2 format?

Procedure:

If the log contains entries similar to "from inside:10.x.x.x/3338 to outside:10.x.x.x", then it is in 6.2 format. A sample of information from a Cisco Pix 6.2 log file looks like this:

WTsyslog[2002-04-04 10:20:35 ip=10.0.0.1 pri=6] <166>%PIX-6-305011: Built dynamic TCP translation from inside:127.0.0.1/1111 to outside:1.1.1.1/1026 WTsyslog[2002-04-04 10:20:35 ip=10.0.0.1 pri=6] <166>%PIX-6-302013: Built outbound TCP connection 3 for outside:127.0.0.1/80 (64.28.67.114/80) to inside:1.1.1.1/1026(172.16.0.200/1026) WTsyslog[2002-04-04 10:20:35 ip=10.0.0.1 pri=6] <166>%PIX-6-305011: Built dynamic TCP translation from inside:127.0.0.1/1111 to outside:1.1.1.1/1026 WTsyslog[2002-04-04 10:20:35 ip=10.0.0.1 pri=6] <166>%PIX-6-302013: Built outbound TCP connection 4 for outside:127.0.0.1/80 (64.28.67.57/80) to inside:1.1.1.1/1026 (172.16.0.200/1027) WTsyslog[2002-04-04 10:20:35 ip=10.0.0.1 pri=6] <166>%PIX-6-305011: Built dynamic TCP translation from inside:127.0.0.1/443 to outside:1.1.1.1/1026 WTsyslog[2002-04-04 10:20:35 ip=10.0.0.1 pri=6] <166>%PIX-6-302013: Built outbound TCP connection 5 for outside:127.0.0.1/443 (64.28.67.57/80) to inside:1.1.1.1/1026 (172.16.0.200/1028) WTsyslog[2002-04-04 10:20:35 ip=10.0.0.1 pri=6] <166>%PIX-6-305011: Built dynamic TCP translation from inside:127.0.0.1/1111 to outside:1.1.1.1/1026

Notes:

To run reports for Cisco Pix 6.2 log files, please install Firewall Suite 4.1c. If you are using 4.1a, please apply the patch noted in the following knowledge base article:

Q10450: How do I run reports for a Cisco Pix 6.2/6.3 log file?

This article was previously published as:: NETIQKB12761

How do I specify several days of log files in the log file path, using date macros with a pipe (|) character?

Oliver Stanley — Wed, 02 May 2007 03:40:00 GMT

This article applies to:

Firewall Suite 4.X

Question:

How do I specify several days of log files in the log file path, using date macros with a pipe (|) character?

Symptoms:

Some daily reports are missing.
Profile is configured to analyze yesterday's log file, and analyzes once each day.

Causes:

When a profile is configured to access yesterday's log file via FTP, and if the FTP client is unsuccessful in accessing that log file, a result could be 'missing days' in your WebTrends reports.

Procedure:

To avoid 'missing days' in your reports, the profile can be configured to access multiple days. Therefore, if for some reason the FTP client is unsuccessful today in accessing yesterday's log file, tomorrow it can attempt again to access the log file it missed in addition to the current log file.

Date macros can be used in the log file path within the profile configuration. For example, your log file name for today's log file is ex20020615.exe (year 02, month=Feb., and day=15). The following string can be used to retrieve log files for multiple days.

ftp://www.domain.com/logs/ex%date-1%%yyyy%%mm%%dd%.log | ftp://www.domain.com/logs/ex%date-2%%yyyy%%mm%%dd%.log | ftp://www.domain.com/logs/ex%date-3%%yyyy%%mm%%dd%.log

With this type of configuration, each time the analysis begins, three days of log files are accessed. So, if for some reason the FTP client is unsuccessful today in accessing the log files, most likely they will be accessed the following day.

Notes:

To review further information about date macros that can be used in Firewall Suite, please review the following knowledge base article.

Q10272: How do I configure date macros?

This article was previously published as:: NETIQKB4680

Error: 'The Word report converter requires Microsoft Office 2000 or better. A search of the system registry failed to locate the required version of Office.'

Charles Creegan — Wed, 14 Mar 2007 01:49:00 GMT

This article applies to:

Security Reporting Center 2.1
Firewall Suite 4.1x

Symptoms:

Error: 'The Word report converter requires Microsoft Office 2000 or better. A search of the system registry failed to locate the required version of Office.'
Error occurs when using the Document Utility with Microsoft Word 2003.

Causes:

The Document Utility distributed with the product versions named above does not support Microsoft Office 2003.

Resolution:

Microsoft Word 2003 is supported by the latest version of Document Conversion Utility. You can obtain the latest version of Document Conversion Utility as a standalone installation from the Security Reporting Center Support page.

This article was previously published as:: NETIQKB45132

Which firewalls are supported?

Charles Creegan — Mon, 08 May 2006 23:26:00 GMT

This article applies to:

Firewall Suite 4.1x
Security Reporting 2.x

Symptoms:

Which firewalls are supported?

Information:

Marshal Firewall Reporting products are compatible with the following systems. Please refer to the specific product documentation for configuration information.

SRC=Security Reporting Center
FWS=Firewall Suite

Company name	Device/Version (Versions up to)	WELF Certified	Works with...
3Com	OfficeConnect Internet Firewall 25 v4.1.0, 5.x	Yes	SRC, FWS
	OfficeConnect Firewall DMZ v4.1.0, 5.x	Yes	SRC, FWS
	SuperStack 3 Firewall v5.x	Yes	SRC, FWS
	SuperStack 3 WebCache 1000/3000 v2.0	Yes	SRC, FWS
ARKOON Network Security	ARKOON 2.20	Yes	SRC, FWS
Aventail	Extranet Center v3.0	Yes	SRC, FWS
BorderWare	BorderWare Firewall Server v5.0		SRC, FWS
CacheFlow	600, 6000, 700, 7000		SRC, FWS
Clavister	Clavister Firewall	Yes	SRC
Check Point	VPN-1/FireWall-1 v4.0 (including NG)		SRC, FWS
Cimcor	CimTrak Web Security Edition 1.3	Yes	SRC, FWS
Cisco Systems	Pix Secure Firewall v4.x, 5.x, 6.x		SRC, FWS
	IOS Firewall Feature Set v11.3, 12.1		SRC, FWS
	Cache Engine v2.01		SRC, FWS
CyberGuard	CyberGuard Firewall v4.1, 4.2, 4.3, 5.1	Yes	SRC, FWS
Fortinet	FortiGate family v2.26	Yes	SRC, FWS
Global Technologies	Gnatbox (GB-1000) 3.3.0+	Yes	SRC, FWS
Ingate	Ingate firewall: 1200, 1400, 1800/1880	Yes	SRC, FWS
Inktomi	Traffic Server, C—Class and E—Class	Yes	SRC, FWS
Internet Dynamics	Conclave Firewall v1.52x, 2.x		SRC, FWS
Lucent	Security Management Server V. 6.0.471	Yes	SRC, FWS
Microsoft	ISA Server 2000		SRC, FWS
Microsoft	Proxy Server v2.x		SRC, FWS
Netasq	F10, F100 v3.x	Yes	SRC, FWS
Netopia	S9500 Security Appliance v1.6	Yes	SRC, FWS
Netscape	Netscape Proxy Server v1.x, 2.x, 3.x		SRC, FWS
NetScreen	Neoteris Access IVE	Yes	SRC
Network-1	CyberwallPLUS-WS	Yes	SRC, FWS
Network-1	CyberwallPLUS-SV	Yes	SRC, FWS
Network Appliance	NetCache v3.3		SRC, FWS
Novell	BorderManager v2.x and 3.x		SRC, FWS
RapidStream	All Models	Yes	SRC, FWS
Recourse Technologies	ManHunt v1.2, 1.21	Yes	SRC, FWS
St. Bernard Software	iPrism 3.2	Yes	FWS
Secure Computing	Sidewinder v5.x	Yes	SRC, FWS
	Gauntlet Firewall for Unix v4.x		SRC, FWS
	Gauntlet Firewall for NT v2.x, 5.x		SRC, FWS
SecureSoft	SUHOSHIN v2.0 and 3.0	Yes	SRC, FWS
SonicWALL	TELE, SOHO, PRO, GX v4.10, 5.x, 6.x	Yes	SRC, FWS
Squid Project	Squid Internet Object Cache v1.1, 2.x		SRC, FWS
Sun Microsystems	SunScreen Firewall v3.1	Yes	SRC, FWS
Symantec	Raptor, VelociRaptor v5.x, 6.x, Enterprise FireWall v6.5		SRC, FWS
Symantec	Raptor Eagle v3.x, 4.x		SRC, FWS
Top Layer	AS 3500	Yes	SRC, FWS
WatchGuard	All Firebox Models v2.x, 3.x, 4.x, 5.x	Yes	SRC, FWS

This article was previously published as:: NETIQKB37051; NETIQKB1963

How does the Syslog Service work?

Charles Creegan — Thu, 13 Apr 2006 03:56:00 GMT

This article applies to:

Firewall Suite

Question:

How does the Syslog Service work?

Information:

The purpose of the Syslog Service is to make firewall log files accessible to the Firewall Suite machine. The Syslog daemon of the Firewall Suite Syslog Service collects firewall log data from the firewall via UDP 514. The daemon collects the firewall data and creates a log file on the machine running WebTrends where they will remain until the user deletes them.

The Syslog Service standardizes the prefix of the firewall log file records. In the following example, the part of the firewall record that is formatted by Syslog Service appears in bold.

WTsyslog [2001-11-01 00:31:41 ip=192.168.9.1 pri=6] 304001 192.168.10.20 accessed URL 192.9.24.116:template/sunstyle.css

To verify that data is streaming to the Firewall Suite machine, click Tools | Monitor LEA/Syslog. The program will find any traffic being collected by the WebTrends machine and display it in a small window.

If data is appearing in the syslog viewer but not being written to a log file, then the IP address specified in the "Firewall IP address" field in the profile editor is incorrect. Firewall Suite checks each syslog packet received for its originator and tries to match this to the Firewall IP address. This enables you to include data from more than one firewall in your report using syslog servers. By looking at these packets and comparing their IP addresses, Firewall Suite can tell which syslog data packet belongs to which firewall.

Notes:

The firewall must be configured to use the Syslog Service. Please refer to the Firewall Configuration Guide for instruction. The guide can be found on the following Documentation page:

https://support.levelblue.com/Firewall-Suite/Documentation.asp

Because the Syslog Service runs as a Windows service, you must run Firewall Suite on a Windows NT, Windows 2000, Windows 2003, or Windows XP system and you must have administrator rights to configure the application to run as a service.

This article was previously published as:: NETIQKB7128

Zeros for kilobytes transferred result in report on Check Point firewall.

Charles Creegan — Thu, 13 Apr 2006 03:50:00 GMT

This article applies to:

Firewall Suite
Check Point NG
Check Point VPN-1/FireWall-1

Symptoms:

Zeros for kilobytes transferred result in firewall report.

Causes:

Bandwidth information is not being captured within the regular log file. This information is logged in the accounting log files.

Information:

If you are analyzing log files from a Check Point Firewall, make sure you are generating both the regular and accounting log files.

The regular log file contains information regarding your firewall activity, while the accounting log file contains the bandwidth and duration information. WebTrends uses this accounting log file information to report the kilobytes transferred. Make sure the account log files are being generated.

Please refer to the Firewall Configuration Guide for instructions on how to configure your firewall to create the accounting log file.

https://support.levelblue.com/Firewall-Suite/Documentation.asp

This article was previously published as:: NETIQKB7305

How do I create a profile for my Network Appliance NetCache log files?

Charles Creegan — Thu, 13 Apr 2006 03:46:00 GMT

This article applies to:

Firewall Suite
Network Appliance NetCache 3.3

Question:

How do I create a profile for my Network Appliance NetCache log files?

Symptoms:

'Network Appliance NetCache' is not available in the list of log file formats when creating a profile in the 'General Activity' cartridge.

Causes:

The log created by Network Appliance NetCache is in "Squid" format. Since the information captured in the log file only contains inbound and outbound activity, the only cartridges that will analyze the log files successfully are the "Incoming Firewall Activity" and "Outgoing Firewall Activity" cartridges.

Procedure:

Follow these steps to configure a profile to analyze Network Appliance NetCache log files.

From the main console, select either the Outgoing Firewall Activity or Incoming Firewall Activity cartridge.
Click the New Profile link in the left menu.
A new dialog opens. Select whether you firewall resides on a single physical machine or on multiple machines, and click Next.
Enter a Description of the profile in the text box provided.
From the Log File Format drop-down menu, select Network Appliance NetCache Log File (Squid).
Continue with the remaining requests for information until the profile configuration is complete.

This article was previously published as:: NETIQKB8986

Error: SNMP agent failed to start because wtagent.dll is missing or unconfigured.

Charles Creegan — Thu, 13 Apr 2006 03:43:00 GMT

This article applies to:

Firewall Suite 4.X
Windows NT 4.0

Symptoms:

Error: SNMP agent failed to start because wtagent.dll is missing or unconfigured.
SNMP agent failed to start.

Changes Made:

This occurs on a new install of Windows NT or if you have recently installed any Microsoft software of srervice pack.

Causes:

The wtagent.dll is missing or is not configured.

Information:

Follow these steps to resolve the error:

First, verify that the SNMP service is installed.
- To do this, right click Network Neighborhood and choose Properties.
- You will see a Services tab (this is not the same services from control panel).
- Verify that SNMP is listed. If not, you will need to choose Add and install it.
Once you have verified that SNMP is installed, re-install the Windows NT Service Pack that was currently installed. Even if SNMP was installed, you must re-install the service pack.

When you see the SNMP agent failed to start because wtagent.dll is missing or unconfigured error, it is almost always because of the above reasons.

This article was previously published as:: NETIQKB1350

How do I create a report which includes activity from a single IP address or computer name?

Charles Creegan — Thu, 13 Apr 2006 03:39:00 GMT

This article applies to:

Firewall Suite 4.X

Question:

How do I create a report which includes activity from a single IP address or computer name?

Procedure:

If you wish to create a report, which includes activity from a single IP address or computer name, complete the following steps.

Determine the IP address of the activity you wish to include.
Edit an existing profile or a new one may be created. Within that profile, access the Filters tab.
Delete the Include Everything filter.
Create a new Include filter and enter a meaningful description.
Select Include Activity Based Upon and check Users(IP) or Internal User Address or External User Address.
Select Next.
Enter the IP address or computer name (Fully Qualilfied Domain Name or FQDN, such as machine.example.com) of the specific user, and then select Next, followed by Finish.
If a new profile is being created, complete the creation, or if an existing profile is being edited, save the profile and start the analysis of the log file.

Different types of ranges can be entered for this filter. For example:

204.245.240.0-63
Specifies all numeric IP addresses from 204.245.240.0 through 204.245.240.63
204.245.240.0-204.245.240.64
Specifies all numeric IP addresses from 204.245.240.0 through 204.245.240.64
204.245.240.64/26
CIDR notation. Specifies all addresses of this classless subnet: 204.245.240.64 - 204.245.240.127.
111.92.76.0/26
CIDR notation. Specifies all subnet addresses from 111.92.76.0 through 111.92.76.63.
*.WebTrends.com
Specifies only those addresses that have a sub-domain that appears to the left of this domain (such as., www.WebTrends.com, ftp.WebTrends.com, etc.) This would not include addresses without a sub-domain.
*WebTrends.com
Any address that includes the specified domain, with or without a sub-domain (such as., www.WebTrends.com, ftp.WebTrends.com, or WebTrends.com).

Notes:

For General Firewall Activity reports, the Users IP option is not available when creating a filter. Instead, it can either be specified as an Internal User Address or External User Address.

This article was previously published as:: NETIQKB3892

IP addresses are listed under Top Sites in Core Categories.

Charles Creegan — Thu, 13 Apr 2006 03:32:00 GMT

This article applies to:

WebTrends Firewall Suite 4.1+

Symptoms:

IP addresses are listed under Top Sites in Core Categories.
'Do not categorize IPs' is checked in the Advanced URL Categorization options.

Procedure:

There are several factors that can influence what information is reported. Checking or unchecking this option, as well as if the profile uses either "quick mode" or "resolve mode" for DNS resolution, can influence results.

If 'Do Not Categorize IPs' is not checked (default setting) then the following will occur.

IP address in firewall log file	DNS look-up resolves to host name	Host name used by SurfControl to categorize site
IP address in firewall log file	DNS look-up resolves to host name	The original IP is used by SurfControl to categorize site, but the resolved name is displayed in the report
IP address in firewall log file	No DNS look-up (quickmode) or IP is unresolvable	IP address used by SurfControl to categorize site

If 'Do Not Categorize IPs' is checked, then the following will occur.

IP address in firewall log file	DNS look-up resolves to host name	Host name used by SurfControl to categorize site
IP address in firewall log file	DNS look-up resolves to a host name not contained in the SurfControl database	No categorization occurs
IP address in firewall log file	No DNS look-up (quick mode) or IP is unresolvable	IP address used by SurfControl to categorize site

This article was previously published as:: NETIQKB9452

How do I configure Check Point NG to produce log files Firewall Suite can analyze?

Charles Creegan — Thu, 13 Apr 2006 03:31:00 GMT

This article applies to:

Firewall Suite

Question:

How do I configure Check Point NG to produce log files Firewall Suite can analyze?

Procedure:

To create logs that can be read by Firewall Suite, Check Point NG firewalls require additional configuration beyond that required by the Firewall-1 product from Check Point. The latest version of the Firewall Configuration Guide contains information for Check Point NG. You can obtain this document from the following page:

https://support.levelblue.com/Firewall-Suite/documentation.asp

For your convenience the additional information is repeated below.

Instructions:

Perform the following steps at the end of the "OPSEC LEA (server-side configuration)".

Server-side configuration for Check Point NG

Check Point NG requires the following additional configuration for retrieval of log records via OPSEC LEA.

Edit the file fwopsec.conf, found in %NG_INSTALL_DIR%/conf/. Delete the following lines.
Replace with the following lines, appended to the bottom of the file.
Stop the firewall by typing fwstop at a command prompt.
Restart the firewall and load the changes by typing fwstop at a command prompt.
In the Policy Editor at Manage | Network Objects | New | Workstation, define the Firewall Suite machine as a workstation.
In the Policy Editor at Manage | OPSEC Applications | New | OPSEC Application, define the Firewall Suite as an OPSEC application. In the Hosts drop-down list, select the workstation you defined in the previous step.

Notes:

If you are using Check Point NG with a Feature Pack (FP) installed, additional configuration to the fwopsec.conf file needs to be made.

The following line must be added in addition to the changes above for the OPSEC LEA connection to work properly.

For an authenticated connection:

lea_server auth_type auth_opsec

For an unauthenticated connection:

lea_server auth_type none

This article was previously published as:: NETIQKB2395

Unable to update URL Categorization database.

Charles Creegan — Thu, 13 Apr 2006 03:28:00 GMT

This article applies to:

WebTrends Firewall Suite 4.1c
Security Reporting Center 2.1

Symptoms:

Unable to update URL Categorization database.
Error: 'Download Aborted.'
Error: 'No URL Categorization information found.'
Error: 'No information for this section has been analyzed.'

Causes:

Firewall Suite is unable to access the SurfControl download site due to a proxy server restriction.

Information:

In order to resolve this issue you will need to make sure that your firewall and/or proxy server allows access to listsrv.surfcontrol.com.

Once you have verified that the proxy server is configured to allow a connection to this site, you will need to configure Firewall Suite to access the Internet through the proxy server:

Click Tools | Options.
Expand Main.
Select Access to Internet.
Check the box next to Connect through a Proxy Server.
Configure your proxy address and port.
Only check HTTP access requires a Username / Password if your proxy server requires authentication.
Click OK.

After this has been done you should be able to update your URL Categorization database.

Notes:

If you access the Internet through a firewall please verify that there is no rule on the firewall that prevents access to listsrv.surfcontrol.com.

Firewall Suite only supports basic and NTLM authentication through a proxy server.

This article was previously published as:: NETIQKB1428

How do I get rid of the old logfiles from Firewall Suite?

Charles Creegan — Thu, 13 Apr 2006 03:24:00 GMT

This article applies to:

Firewall Suite 4.0x
Firewall Suite 4.1x

Question:

How do I get rid of the old logfiles from Firewall Suite?

Symptoms:

When attempting to delete log files from the SYSLOG or LEACache directories in Firewall Suite, the logs are not deleted or the machiine appears to hang.

Causes:

This behavior can be caused if the Firewall Suite Scheduler service is analyzing a profile in the background.

Procedure:

To delete the logfiles from the Firewall Suite (FWS) machine, perform the following steps:

In the FWS main menu, select File | Exit and Unload. This will stop the FWS application and the Scheduler service.
Delete the desired files from the X:\Program Files\WebTrends Firewall Suite\SYSLOG and X:\Program Files\WebTrends Firewall Suite\SYSLOG\LEACache directories, where X: is the installation drive.
Restart the Firewall Suite application and Scheduler service to resume profile analysis.

If the files cannot be deleted by using the above method, then the files are most likely being locked by the host operating system. In this scenario, a system restartt may be required to release the files from the locked state.

This article was previously published as:: NETIQKB37260

The Firewall report is showing incoming e-mail as outgoing activity.

Charles Creegan — Thu, 13 Apr 2006 03:15:00 GMT

This article applies to:

Firewall Suite

Symptoms:

The Firewall report is showing incoming e-mail as outgoing activity.

Causes:

If a company has a mail server located outside of its firewall, then all e-mail, whether POP or SMTP, will be reported as outgoing activity. This is because the user is initiating the connection to the mail server to retrieve his or her mail. This is similar to web activity. Even though all of the files are coming in through the firewall, it is considered outgoing activity because it was initiated by a user behind the firewall.

Information:

The definition of incoming activity is that the destination is inside the firewall. Outgoing activity is defined as activity that has a destination outside of the firewall.

For example, when a user is working from within the firewall and is trying to retrieve mail from a server that is outside, the user is connecting to the mail server and not the other way around.

This article was previously published as:: NETIQKB2532

In the firewall activity reports for Gauntlet, internal and external users are confused by the e-mail traffic sections.

Charles Creegan — Thu, 13 Apr 2006 03:14:00 GMT

This article applies to:

Firewall Suite

Symptoms:

In the firewall activity reports for Gauntlet, internal and external users are confused in the e-mail traffic sections.

Causes:

Because of the manner in which Gauntlet firewalls record e-mail traffic, it is necessary to add an additional entry in the IP's Behind Firewall section of the profile set-up for the domain of the internal e-mail senders.

Procedure:

For example, if the domain is example.com, add *@example.com to the IP's behind Firewall tab. This will place the e-mail senders in their correct areas of the final report.

This article was previously published as:: NETIQKB2368