Overview
This document captures and discusses frequently asked questions about the various components of the 8e6 filtering and reporting platform.
R3000 Filter
General
Life After Quickstart
Q: I've followed the 8e6 Quickstart Guide, what now?
A: We suggest you review the following for frequently encountered issues and topics: Setup Highlights
Q: How do I ensure I'm using the maximum 8e6 protections against web proxies?
A: Please review the following web topic: 8e6 Proxy Protection
8e6 Support
Q: 8e6 support needs remote access to my 8e6 appliance. What firewall rules are required?
A: You need to set up a public IP address that is mapped to the 8e6 appliance with either (a) static NAT or (b) a TCP port forward. The specifics depend on your firewall vendor.
The 8e6 connection source and protocol are listed below for a granular inbound firewall rule:
208.90.236.132, 208.90.236.133
Service Activation
Q: What is affected by 8e6 R3000 "activation"?
A: 8e6 R3000 activation provides the primary features of (a) library updates and (b) software updates to the R3000 appliance. The R3000 appliance ships with a fully operational library in place. R3000 activation does not affect operation of the web filter (i.e. the product will still inspect, log, integrate with the domain, and block traffic, regardless of whether the box is "activated" or not). The longer an R3000 operates without activation, the more potential for issues because of an outdated library and outdated appliance software. Operating for a few days (or even weeks) should not cause any noticeable issues.
Q: Does 8e6 Enterprise Reporter require "activation"?
A: YES. A new ER appliance will only store LIVE data for two weeks (this is evaluation mode). A new ER appliance (and the ER service on an R3000-IR appliance) will display a pop-up warning upon logon to the ER administration page. Note: the ER administration GUI is on port #88 for a stand-alone ER, and port #808 on an R3000-IR. The ER pop-up includes an "expiration" warning and a button to allow entry of the activation code. The ER service activation code is provided by 8e6 support. Push the button on the ER warning pop-up, copy/paste the three lines (hostname, MAC address, IP) into an email and send it to "support@8e6.com" with your contact details (i.e. company name). 8e6 support will respond with the ER activation code to "unlock" the ER.
Q: The 8e6 R3000 activation page complains that the R3000 hostname is not in public DNS. Is this a problem?
A: The 8e6 R3000 activation service (hosted by 8e6) provides the update service based solely on the hostname value. The presence of the R3000 hostname in public DNS (and its IP configuration) has nothing to do with the update service and will NOT affect successful download of library and software updates by the R3000 appliance. Again, the hostname value is THE key used by the 8e6 update service to grant access to updates. We suggest you assign a FQDN hostname to the R3000 appliance (i.e. a fully-qualified hostname such as "r3000.domain.com").
Q: Does changing the hostname of an operational R3000 appliance (i.e. an R3000 that has been activated and is receiving library/software updates) affect anything?
A: The hostname of the R3000 is the "key" used in the 8e6 update service database. If you change the hostname of the R3000 from its previous activation value, you will be unable to connect and receive updates. Send an email to "support@8e6.com" with (a) your company contact details, (b) the former hostname, and (c) the new hostname of the R3000, with a request to "update hostname of R3000 in activation database".
Problem Applying R3000 Patch
Q: I'm unable to apply an 8e6 R3000 2.x patch. I select the patch from the available section of the R3000 mgmt GUI and hit the "apply" button. Nothing happens. What am I doing wrong?
A: With the introduction of the R3000 v2.0 software, 8e6 now requires acceptance of the EULA (end-user license agreement) prior to applying a software patch. The EULA is presented in a browser pop-up window immediately after you click the "apply" button for the patch in the R3000 mgmt GUI. Once you select "accept" in the EULA, the appropriate R3000 software patch is applied.
Note: please check the topic below about Browser Pop-Up Blockers. You can click HERE to test your browser.
Problems Introduced by Browser Pop-Up Blockers
Q: What problems will be introduced by browser pop-up blockers for (a) the 8e6 administrator, and (b) end-users?
A: Many sites exist on the web that will check the browser for the presence of a pop-up blocker. Please check HERE (note this link does NOT include a pop-up).
8e6 administrator: problems applying patches to both R3000 and Enterprise Reporter appliances.
End-user: web-based authentication. Both tier 2 (time-based) and tier 3 (session-based Java applet) include a pop-up window.
Note: As of ER v4.1, the web-based Reporter Client does check for a pop-up blocker. A warning will be displayed if a pop-up blocker is detected.
Real Time Traffic Log
Q: What are the entries in the R3000 shadow.log?
A: Each line in shadow.log represents a single browser GET request for a web page or object. A line can also indicate a pattern detection entry for IM, P2P, streaming media, or remote desktop.
Q: What does PASSED indicate in shadow.log for the category designation?
A: A request marked PASSED for category indicates (a) the URL could not be categorized, and (b) the default behavior of the RULE is to allow uncategorized traffic (i.e. not block or warn).
Filter Policy
R3000 Profile
Remember the following:
- The 8e6 filter policy assigned to an end-user is defined by the PROFILE configured by the 8e6 administrator.
- Profiles are assigned to "policy objects" under the GROUP tab in the R3000 management GUI.
- An 8e6 RULE defines the filter behavior for R3000 categories (i.e. allow, block, warn, quota, etc.). A Rule is part of the PROFILE assigned to an end-user policy object (GROUP tab).
- A filter PROFILE is defined as the combination of three things: (a) a rule, (b) a block page preference, and (c) filter options (x-strikes, safe-search, URL/search engine keywords). See below. Note that '==' means "defined as".
"8e6 filter policy" == "R3000 Profile" == "Rule" + "Block Page Preference" + "Filter Options"
R3000 Policy Precedence
Q: What is the R3000 precedence for applying filter policy?
A: The 8e6 R3000 precedence, from highest to lowest:
Precedence | Profile Type | Comment |
Highest | Override account | |
| Authenticated Profile | High to low: Individual, OrgUnit, Group Membership, Domain Default |
| IPGROUP | |
Lowest | Global Group Profile | |
Q: How does the R3000 evaluate category precedence in a RULE?
A: The 8e6 library architecture allows a URL (static or wildcard) to be in any number of R3000 categories. A good example is "facebook.com", which is placed in three 8e6-provided categories (by default). The question then is how RULE categories are evaluated when a URL is in more than one of them: the highest-precedence action among the matching categories, per the table below, is the one applied.
Precedence | Rule behavior |
Highest | Allow (aka "always allow") |
| Warn |
| Quota |
| Block |
Lowest | Pass (aka "implied default behavior") |
Q: Which should be used most often in RULE definitions: "Allow" or "Pass"?
A: Keep the following "best practices" in mind when defining a RULE:
- Always use the "Pass" action in a rule definition to grant access to a category (i.e. PASS is the implied behavior, unless something else blocks/warns/quotas/etc.).
- Only use CUSTOM categories with the "Allow" action, specifically the custom "white list" categories (example: "Teacher Pass", "IT Pass", etc.).
- The large majority of categories are typically marked with the "Pass" action or the "Block" action.
Wildcards
Q: What are wildcards and where are they used in management of 8e6 filter policy?
A: Wildcards allow the 8e6 administrator to add entries to the 8e6 R3000 filtering database with granular control over what portion of a site's content is allowed/blocked.
Q: Site-level wildcards?
A: Site wildcards are specified in the 8e6 R3000 category URL property. The 8e6 admin can include any subdomain of a specific "site" by using a left-hand-side wildcard. Example: "*.google.com". Such notation will also include the "site domain" itself, example: "google.com".
Q: What is the syntax for wildcards on the right-hand end of a URL?
A: Don't forget the trailing "/" (slash).
HTTPS Filtering and Exceptions
Q: Can I override unexpected blocks of SSL-encrypted HTTPS sites caused by problems with the web-server setup and violations of the R3000 HTTPS Filtering and/or HTTPS "Forward certificate CN to DNS for Validation" features?
A: YES. The 8e6 R3000 library will accept explicit "https://site.domain.com/" entries. The key: use the CN value of the web-server SSL certificate for the R3000 library entry. Thus, if the web server SSL certificate has a CN value of "secure.bigsite.com", then the R3000 library entry must be explicitly "https://secure.bigsite.com".
Important Notes:
- Using the CN value of an https site in an 8e6 library category requires that the R3000 HTTPS Filtering level be set to Medium or High (Medium is the default value and recommended).
- Granting https access assumes the site is added to a custom category where the RULE specifies ALLOW for end-user access.
- Alternatively, you can add the IP address of the SSL-enabled web server to an R3000 custom category with ALLOW in the RULE.
Pattern Detection and Exceptions
Q: Can I allow per-site exceptions for streaming video when our default R3000 policy BLOCKS all streaming video (R3000 // Library tab // Bandwidth category group)? Example use-case: all streaming video is blocked by R3000 policy, but you need to grant access to a small number of sites that incorporate QuickTime video.
A: YES. Streaming video, Instant Messaging and Peer to Peer are examples of protocols classified by the 8e6 R3000 pattern detection engine. For a full list, please check the attached 8e6 Application Control List. The use-case detailed above requires a per-site Pattern Detection exception. As of R3000 v2.1x software, you are unable to grant per-site Pattern Detection exceptions in the R3000 GUI (tentatively on the road-map for v3.0). 8e6 support can update the R3000 configuration to exempt remote IP addresses from the Pattern Detection engine (via remote SSH access).
Important Notes:
- An IP address entry disables ALL Pattern Detection and logging for the specified IP (i.e. disables detection of all P2P, IM, Streaming Media, etc.).
- The standard HTTP request will still be logged, but if the site includes an embedded streaming media object (on a server with an IP address exemption), the object access will not be logged.
Custom Block Page
Q: Can I change the contents of the default 8e6 block page?
A: Yes. The 8e6 GUI allows for various block page customizations (//System tab/Customizations).
Note: 8e6 does not support manual file modification of the 8e6-provided block page on the appliance.
Q: I want to provide basic 8e6 block page functionality, but update the block page contents with CSS, custom graphics, and additional "help" text specific to my organization.
A: Yes. 8e6 provides an HTML/JavaScript template of the block page. You can use the template to generate any type of block page you wish. The key for this strategy: you place the block page on a separate non-8e6 web server and update the 8e6 filter policy to reference this block page for the appropriate policy objects. Please download the block page template HERE.
Q: We want to use our custom block page everywhere (i.e. any time 8e6 serves up a block page). Having to specify the block page URL for every 8e6 PROFILE is tedious; is there a work-around?
A: Yes. There is an R3000 command-line configuration option to change the "default" block page URL. Once updated, any time you reference the "default" block page in the R3000 GUI, your custom block page URL will be used. Please contact DirSec and/or 8e6 support for further details.
Hardware Management and IT Operations
Secure GUI Access (SSL)
Q: Can I connect to the various 8e6 web interfaces using an HTTPS/SSL connection?
A: YES. Please reference the following: 8e6 Secure Ports
Remote SSH Support
Q: Can I access the 8e6 appliance via SSH?
A: Not by default. By default, the SSH service is configured to allow only certificate-based authentication (i.e. not password authentication). Contact 8e6 support and/or DirSec for the steps to enable remote SSH access.
Appliance Power Status
Q: Lights are flashing on the front of the appliance, is it ON?
A: Front panel lights will flash for network activity even if the appliance is OFF. You need to ensure the POWER LED is on. This is typically the right-hand LED on the front panel.
Graceful Shutdown and Appliance Health
Q: Is it bad to pull the power plug on a booted 8e6 appliance?
A: YES. The 8e6 appliance runs a customized variation of Red Hat Enterprise Linux (RHEL). Standard accepted OS procedures should be used for 8e6 appliances. As with most Enterprise-ready operating systems today, a non-graceful shutdown can lead to various problems, including file-system corruption, file corruption, loss of data (i.e. from the HD write cache), and database service corruption.
SNMP Support
Q: What can I monitor with 8e6 SNMP support enabled?
A: 8e6 SNMP support is only for the underlying Red Hat Linux operating system. There are no 8e6-specific statistics available via SNMP. Example of what is NOT possible: statistics for hits/sec. Example of what IS possible: status of the eth1 network interface (i.e. up or down, network statistics for the interface, etc.).
Authentication
Windows Domain Integration Options
( // System tab / Authentication / Enable_Disable Authentication )
Q: What are the pros and cons of the 8e6 Authenticator and DC_Agent for Windows domain integration?
A:
Virtual Authentication IP Address
( // System tab / Authentication / Authentication settings )
Q: Can I PING the R3000 "virtual" authentication IP address specified in the R3000 authentication setup?
A: NO. However, the service tied to the virtual IP address does answer to 'telnet' on port #139. You can test network connectivity between a workstation and the R3000 virtual authentication IP address by executing the following on the workstation in a Windows command prompt (CMD): "telnet <virt_auth_IP> 139". Example: "> telnet 10.10.1.100 139".
Legacy Windows NT Preferences
( // System tab / Authentication / Authentication settings )
Q: Do I need to enter information under "NT Authentication Server Details" when setting up Domain integration?
A: NO. The R3000 does NOT need to join the domain as part of the domain integration setup. Please ignore all "NT" references anywhere in the 8e6 R3000 GUI. 8e6 is in the process of removing all NT-related options from the GUI.
Backup and Restore
Q: Are there any limitations of the 8e6 R3000 backup and restore mechanism?
A: 8e6 requires that the R3000 software version be the same on the backup archive source and destination platforms.
Q: Does the 8e6 R3000 backup archive include any "versioning" to identify the source platform software version (example: 2.1.05)?
A: No. We suggest the following procedure to include the R3000 software version in the backup archive file name. Note that the comment field is only stored on the SOURCE system and is not part of the archive in any way (i.e. once you download the archive, the archive comments are lost). The source R3000 platform version is stored at the following path in the archive: /usr/local/shadow/etc/version.
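One way to carry out such a procedure, as an added example that is not 8e6's own: read the version file from the archive at the path given above and prefix the archive file name with it. It assumes (the page does not say) that the backup archive is a tar file, optionally gzip-compressed; the sample archive and its version value are constructed.

```python
import io
import os
import re
import tarfile
import tempfile

# Path inside the archive where this page says the source platform version
# is stored (leading "/" dropped, as tar members normally carry none).
VERSION_MEMBER = "usr/local/shadow/etc/version"
VERSION_RE = re.compile(r"\d+(?:\.\d+)+")  # e.g. 2.1.05

def version_from_archive(archive_path):
    """Return the R3000 software version recorded inside a backup archive.
    Assumes (the page does not say) the archive is a tar, optionally gzipped."""
    with tarfile.open(archive_path, "r:*") as tar:
        for member in tar.getmembers():
            if member.isfile() and member.name.lstrip("./") == VERSION_MEMBER:
                text = tar.extractfile(member).read().decode("ascii", "replace")
                match = VERSION_RE.search(text)
                if not match:
                    raise ValueError(f"no version number in {VERSION_MEMBER}")
                return match.group(0)
    raise KeyError(f"{VERSION_MEMBER} not found in {archive_path}")

def versioned_name(archive_path):
    """Path with the version prefixed to the file name, e.g. r3000-2.1.05-backup.tar.gz.
    Idempotent: a name already carrying that prefix is returned unchanged."""
    version = version_from_archive(archive_path)
    directory, base = os.path.split(archive_path)
    prefix = f"r3000-{version}-"
    return archive_path if base.startswith(prefix) else os.path.join(directory, prefix + base)

def make_sample_archive(path, version="2.1.05"):
    """Constructed stand-in for a real backup: a tar.gz holding only the version file."""
    payload = (version + "\n").encode()
    with tarfile.open(path, "w:gz") as tar:
        info = tarfile.TarInfo(VERSION_MEMBER)
        info.size = len(payload)
        tar.addfile(info, io.BytesIO(payload))
    return path

def demo_roundtrip():
    """Build the constructed archive in a temp dir; return (version, suggested base name)."""
    sample = make_sample_archive(os.path.join(tempfile.mkdtemp(), "backup.tar.gz"))
    return version_from_archive(sample), os.path.basename(versioned_name(sample))

if __name__ == "__main__":
    version, name = demo_roundtrip()
    print(f"archive version {version}; rename archive to {name}")
```

The rename itself is then `os.rename(path, versioned_name(path))`; the archive comment field is deliberately not consulted because, as noted above, it never leaves the source system.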
Q: Are there any operational considerations for restoring an 8e6 R3000 backup archive to an appliance?
A: Yes. A restore of an 8e6 backup archive deletes the Core URL Library on the 8e6 appliance. Once the backup archive is restored, a full Manual URL Update must complete (i.e. download, parse, insert, etc.). This means the R3000 filter will PASS all web traffic for upwards of 1.5 hrs on an R3000-IR, 45 min on an R3000-S, and 20-30 min on an R3000-H (based on uni-core appliances).
Backup vs Synchronization
Q: Which strategy is suggested when migrating to an upgraded R3000 appliance (i.e. Backup/restore vs Synchronization)?
A: Both are perfectly valid strategies, but each has caveats related to extended configuration and filter service availability. Please contact DirSec for further details.
- Synchronization: The synchronization strategy works well. It allows the NEW R3000 hardware to be powered on, minimally configured with a unique IP address and TARGET profile, activated, and BURNED IN for a period before going live. The significant caveat for this strategy is the fact that (a) LDAP domain object configuration, and (b) override accounts are not synchronized. The solution involves a relatively trivial work-around of archiving and moving the configuration files manually from the current SOURCE to the TARGET box (i.e. from the OLD to the NEW appliance).
- Backup/Restore: This strategy ensures the NEW R3000 has all current production preferences. The two primary caveats are as follows: (a) no uptime burn-in period, and (b) restoring a backup archive to the R3000 deletes the "core" filter database and requires a Full URL Download. The R3000 can not enforce filter policy until this is complete, upwards of 90 minutes. Note: the work-around for this involves restoring the backup archive, rebooting, immediately changing (a) the physical IP and (b) the virtual auth IP, rebooting again, and then allowing the appliance to complete the Full URL Download.
Deployment Considerations
Proxy Environments
Q: Should I use the "Proxy Environment Settings" in R3000 GUI?
A:
NO. These are legacy configuration options and are rarely required in
any production environment (proxy or otherwise). Only use R3000 proxy
configuration preferences if specifically told to do so by DirSec or
8e6 support.
reference ( // System tab / Mode / Proxy Environment Settings )
Q: We use a web proxy, how do I set up a switch SPAN/monitor session for the 8e6 R3000 filter?
A: Whether the web proxy is used for (a) all, or (b) a portion of end-user workstations, the 8e6 R3000 filter must "see" web traffic passing TO the proxy. Thus, a switch SPAN/monitor session must be set up in which a copy of all network traffic to the web proxy (i.e. its physical switch port) is sent to the 8e6 R3000 filter.
Q: We use a web proxy for half our users, the remaining workstations browse directly to the Internet. How do we set up the R3000?
A: The R3000 "SNIFF" interface (typically LAN1) must receive a copy of the network traffic passing to BOTH of the following: (a) the inside interface of the perimeter firewall, and (b) the web proxy. This can be accomplished in one of two ways:
1. Most switch monitor sessions can include multiple SOURCES, and multiple destinations. The switch monitor session (example: Cisco) should include as SRC both the internal firewall port and the web proxy port.
2. If the switch vendor or physical considerations make #1 impossible, then you can use a "link aggregation" device that will combine traffic from two SPAN/monitor sessions into one cable. Example: http://datacomsystems.com/
Note: this may be a permanent configuration or may only apply during the migration period of the conversion to the 8e6 R3000 filter platform.