


***Help info within this site is currently for Sygate 5.x series. Updates will be added as needed.***


***NOTE: as of the Sygate Pro 5 b1116 help file, some of the info here is now included there. Regardless, I will put it up for those who prefer a web interface, those who are thinking of trying out Sygate, and those who are just curious about how Sygate works, so enjoy!***

Part 1: The Basics





Getting Started



Hi, I'm KING. Some of you might have met me online, if you haven't...nice to meet you. The following information will hopefully put you on the road to mastering not only Sygate Personal Firewall and Pro versions, but computer security via software firewall in general. Sygate is a good learning tool. So they say, if you build it they will come. Well here is the info, so come on and learn.

To submit requests for this help site (helpful suggestions only please) scroll down and hit the mailbox to email me. User feedback is appreciated. Let me know how much the site helped or didn't help you. I don't know it all, I'm open to learn though. :D

So let's get down to business, shall we?



Graphical User Interface


Learning to navigate Sygate will make things so much easier, so this section will teach you just that. If you are feeling like you don't need that, then skip this section although you might miss terminology and be confused later down the page. :)

This is the Sygate Personal Firewall main GUI, short for Graphical User Interface, a.k.a. what the user sees (the OS just sees the code).


From here on out, I will refer to it as just the GUI in general and main GUI in particular.

This is the GUI with the message console window open.



Message Console Window



The message console window shows program messages such as startup and shutdown times and other system info, including changes made to the program's configuration. I prefer to leave it off and use the logs if need be, but do what fits your own tastes.


Just use this button to show or hide the message console.



Here is what you will usually find in the message console window: it lists startup and shutdown, plus any critical information.



Graphs


Notice those line and bar graphs? What are they for? Well basically just another visual aid for the end user (you and me) so that we can clearly see what the computer sees.

Here is the Incoming Traffic Bar Graph and Incoming Traffic Line Graph.

 

Here is the Outgoing Traffic Bar Graph and Outgoing Traffic Line Graph.

 

Basically, the bar graphs show current traffic, or rather traffic occurring at that very point in time. The line graphs show traffic over a period of time.

Running Applications Window


Here is the Running Applications window. This area of the GUI shows you what applications are running, in 4 different views from the View Menu. I'm only going to show Connection Details, to me the only useful one of the views. I suggest everyone use the Connection Details view; the small and large icon views are pointless, and so is the list view. The Application Details view is ok for a quick peek but not for extended viewing.



How do you use this thing you say? It is too complex for you? No, not at all. If you look closer, you will see it is in plain English...well somewhat ;).



Each tab is self explanatory.

Application Tab - shows the running application(s)

Protocol Tab - shows the protocol(s) in use by the application(s)

Status Tab - shows the status of the connection(s) the application(s) is/are making. Listen means the application has opened a port and is waiting for someone to connect to it. Connect means a connection is currently established.

Local Port - Local port(s) involved in the connection(s) described in the status, protocol and application tabs.

Remote Port - Remote port(s) involved in the connection(s) described in the status, protocol, and application tabs.

IP Addresses - the IP addresses involved in the connection. The left IP is the owner of the local port. The right IP is the owner of the remote port. It reads like this... 0.0.0.0->0.0.0.0. On a Listen entry, a local IP of 0.0.0.0 means the port is open on all of your interfaces (not just one), so it is reachable from the network unless a rule says otherwise; 127.0.0.1 means it only accepts connections from your own machine.

Process Tab - shows the unique process ID of the application making connection(s).

Application Path Tab - shows where on your computer the application making connection(s) is located.


Simple right? Read it again and again if you need to until you get it. It will be worth it in the end. Understanding what is going on is the key to learning.
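
Here is a way to double-check what the Connection Details view tells you against what Windows itself reports. This is an added example for this page (not Sygate's code and not something the original author wrote): it parses the output of `netstat -ano` into the same columns the Running Applications window shows and picks out the listeners that are open to the network. The netstat text and the PID-to-program table in it are constructed, not captured from a real machine.

```python
"""Cross-check the Connection Details view against Windows' own socket table.

Added example for this page, not Sygate's code: it parses the output of
`netstat -ano` into the same columns the Running Applications window shows
(application, protocol, status, local/remote port, IP pair, PID) and picks out
the listeners that are open to the network. The netstat text and the
PID-to-program table below are constructed, not captured from a real machine.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

SAMPLE_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       904
  TCP    127.0.0.1:1025         0.0.0.0:0              LISTENING       1240
  TCP    192.168.1.10:139       0.0.0.0:0              LISTENING       4
  TCP    192.168.1.10:1039      203.0.113.5:80         ESTABLISHED     1812
  UDP    0.0.0.0:137            *:*                                    4
  UDP    127.0.0.1:1900         *:*                                    1036
"""

# Constructed PID -> image name mapping (what `tasklist` would show).
SAMPLE_PIDS: Dict[int, str] = {
    904: "svchost.exe", 1240: "alg.exe", 4: "System",
    1812: "opera.exe", 1036: "svchost.exe",
}

# Sygate's Status column says "Listen" / "Connect"; netstat says this instead.
STATE_MAP = {"LISTENING": "Listen", "ESTABLISHED": "Connect"}


@dataclass
class Conn:
    application: str
    protocol: str
    status: str
    local_ip: str
    local_port: Optional[int]
    remote_ip: str
    remote_port: Optional[int]
    pid: int

    def ip_pair(self) -> str:
        """The IP Addresses column as Sygate prints it: local->remote."""
        return f"{self.local_ip}->{self.remote_ip}"


def _split_endpoint(ep: str) -> Tuple[str, Optional[int]]:
    host, _, port = ep.rpartition(":")
    return host, (None if port == "*" else int(port))


def parse_netstat(text: str, pids: Dict[int, str] = SAMPLE_PIDS) -> List[Conn]:
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if not parts or parts[0] not in ("TCP", "UDP"):
            continue                                   # header / blank lines
        proto = parts[0]
        local_ip, local_port = _split_endpoint(parts[1])
        remote_ip, remote_port = _split_endpoint(parts[2])
        if proto == "TCP":
            status, pid = STATE_MAP.get(parts[3], parts[3].title()), int(parts[4])
        else:
            # UDP has no State column; an open UDP socket is shown as Listen here.
            status, pid = "Listen", int(parts[3])
        rows.append(Conn(pids.get(pid, f"pid {pid}"), proto, status,
                         local_ip, local_port, remote_ip, remote_port, pid))
    return rows


def exposed_listeners(rows: List[Conn]) -> List[Tuple[str, int, str]]:
    """Listeners reachable from the network: anything in Listen state that is
    not bound to the loopback address. A local IP of 0.0.0.0 means every interface."""
    return [(c.protocol, c.local_port, c.application) for c in rows
            if c.status == "Listen" and not c.local_ip.startswith("127.")]


if __name__ == "__main__":
    rows = parse_netstat(SAMPLE_NETSTAT)
    for c in rows:
        print(f"{c.application:12} {c.protocol:4} {c.status:8} "
              f"{c.local_port!s:6} {c.remote_port!s:6} {c.ip_pair()}")
    print("open to the network:", exposed_listeners(rows))
```

Run the real thing with `netstat -ano` piped into `parse_netstat` and compare the result with the Connection Details view: anything the OS shows listening on 0.0.0.0 or your LAN address that Sygate does not show, or that you did not expect, is worth a closer look.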

Quick Tip: Use Running Applications Window shortcuts...

Just right click empty space to see a drop down list which you can use to switch views quickly. Just click a connection in connection details or an icon in the other views and you get the View selections, plus you can set to Ask, Allow, or Block. Most important, you can terminate applications you want ended by right clicking that connection.

Hide Broadcast Traffic and Hide Windows Services


Last item on the main GUI is the Hide Broadcast Traffic and Hide Windows Services check boxes.
 
Hide Broadcast Traffic just hides broadcast traffic (packets addressed to everyone on your network segment, which on a cable/DSL connection includes the chatter from other customers of your ISP) from being displayed in the graphs. Hide Windows Services hides Windows services from being shown in the Running Applications window. Both are display options only; nothing gets blocked or allowed by checking them, and these services cannot access your connection without you letting them. I prefer to not hide anything and show it all.

Hot click Menu


This menu has shortcuts to select parts of the GUI.


Block All - Hit this when you need to quickly block ALL traffic both inbound and outbound.
Applications - Takes you to the Application Filtering/Rule section of the firewall where restricting applications is done in a few clicks and keystrokes.
Logs plus drop down - Takes you to logs. The drop down arrow will drop down a list of each log you can instantly jump to.
Test - Takes you to S.O.S. - Sygate Online Scans, to run full scans on your machine and firewall. S.O.S. is not Opera compatible (due to Opera blocking ports for security, AFAIK), so you must use a browser other than Opera to run it.
Help - Takes you to the offline help file.

Systray: What do those colors mean?


Now, about the traffic legend. This portion will explain what all the colors in the systray mean. ***The down arrow on the left side= incoming, the up arrow on the right side= outgoing.***


This is how the systray icon looks when there is no traffic at the moment. This also means that the firewall is in normal mode. When in normal mode, your allow/block rules and other configuration are applied to both incoming and outgoing traffic. This is the recommended mode to run in 24/7/365, and put as many restrictions in place as you possibly can with Advanced Rules, Application Rules, and in Options.

When the systray icon has this image on it, this means Sygate is in Block ALL mode. All traffic incoming and outgoing is blocked regardless of firewall configuration. Good for a quick lock down of the internet either while AFK (away from keyboard) or when a suspected attack has taken place and you need to run damage control.

When the systray icon has this image on it, this means Sygate is in Allow ALL mode. All traffic incoming and outgoing is allowed regardless of firewall configuration. This mode is just foolish if you ask me, it defeats the purpose of the firewall completely. If you want to run in allow all mode, email me and I'll direct you to "firewalls" that do this at their top level of security. :D

This mode is one for concern. When the systray icon looks like this, it means something needs your immediate attention. From port scans to trojans, all of these things and anything in between will put the firewall in alert mode. Double clicking the icon when it is in alert mode will take you to the log entries for the alert. You can use those to decide what to do next, or whether to do anything at all.

When the systray icon looks like this, it means that both incoming and outgoing traffic is being allowed.

When the systray icon looks like this, it means that both incoming and outgoing traffic is being blocked.

This icon means that incoming traffic is being allowed and outgoing traffic is being blocked.

This icon means that incoming traffic is being blocked and outgoing traffic is being allowed.

This icon means that incoming traffic is being allowed and there is no outgoing traffic.

This icon means that incoming traffic is being blocked and there is no outgoing traffic.

This icon means that there is no incoming traffic and outgoing traffic is being allowed.

This icon means that there is no incoming traffic and outgoing traffic is being blocked.

Systray Icon Shortcuts via Right Click


This includes...

SPF or SPF Pro which will maximize the main GUI
Block All, Normal, Allow All modes with easy access
Applications
Logs
Options
Advanced Rules
Hide System Tray Icon
Help, About, and Exit Firewall


Once you master the main GUI, these shortcuts can be used as time savers.


Options


Ok, now to get into the Options of Sygate...
Go to main GUI > Tools > Options or right click the Sygate icon in the systray > Options.

General



Here you see the Options > General window.



You can use this section to...



Network Neighborhood


Here you can choose options for your NIC(s) (Network Interface Card(s)) that relate to the Network Neighborhood part of the OS. It is very straightforward.



Allow to browse Network Neighborhood files and printer(s) - when checked, the selected NIC can see other machines' shared files and printers in Network Neighborhood; unchecked, it cannot.
Allow others to share my files and printer(s) - when checked, other machines can reach your shared files and printers over this NIC; unchecked, they cannot.

IF YOU DO NOT CHECK ALLOW TO BROWSE NETWORK NEIGHBORHOOD FILES AND PRINTER(S) THEN YOU WILL NOT BE ABLE TO SEE YOUR OWN NETWORK! IF YOU DON'T CHECK ALLOW OTHERS TO SHARE MY FILES AND PRINTER(S) THEN NO OTHER COMPUTERS CAN SEE/SHARE YOUR FILES OR PRINTERS, INCLUDING OTHER COMPUTERS ON YOUR OWN NETWORK!

If you don't have a network, are not on a network, or for whatever reason do not need to use a network, then disable all options for all NICs in this section. Why? Because if you don't know what you are doing setting up a network, you can easily (and most likely will) just open holes in your system. A badly configured network makes you easy to track and hack. A badly configured network ensures you will broadcast who you are everywhere you go and never come up stealth anywhere. If you are unsure about these settings PLEASE ASK @ Sygate Support Forums. If you don't need networking then go ahead and disable it in the OS.

Security


Ah, the security options, my favorite! This is where the total control of Sygate begins to come into play. These options, when compatible with your setup, enhance your security.



Security Enhancement


Enable Intrusion Detection System(IDS)
This feature sets Sygate apart from other true firewalls out there. The IDS inspects all inbound and outbound network/system activity, including the data inside packets, for known security threats, and anything matching a known attack signature is blocked automatically. "Known" is the key word: it can only catch what is in its signature list, which is why keeping the signatures current under Options > Updates matters. The IDS is the first line of defense in Sygate. Recommendation: leave it on 24/7/365 unless you really know what you are doing and have an adequate alternative.

Enable Portscan Detection
This feature allows Sygate to analyze all blocked traffic to determine if you are being port scanned. If you are, then Sygate will use one of the blue systray notification pop ups to tell you. Hackers do port scans to find holes in your security to exploit. Note that the scan's probes were already blocked by your rules; this option only tells you it happened, which is handy for deciding whether to tighten things further. Recommendation: optional

Enable Driver Level Protection
There are probably some people still wondering "why is this *.vxd connecting or listening?" Well this is why. Sygate has this feature which treats protocol drivers that access the network just like any other application *.exe. This gives us total control to block or allow these just like any other program. Recommendation: optional if you wish, BUT it is very beneficial in knowing 100% of what is going on with your connections.

Enable Stealth Mode Browsing
Hides your OS and browser from web sites by stripping the identifying information your browser sends along with each request (the browser type and OS version string). May cause some web sites to not work. Recommendation: optional, I choose to do this with Proxomitron and Opera

Block All Traffic While the Service is Not Loaded
This is probably my favorite option of them all. Sygate has process termination protection, meaning that in theory Sygate cannot be killed. Nothing is foolproof though, so layered protection is best. So say the Sygate service does get terminated (or crashes, or fails to start): with this option enabled, NO TRAFFIC GOES INBOUND OR OUTBOUND! It is all blocked, every last packet, until the service is back. In other words the firewall fails closed instead of open, which is exactly what you want from a security control. The flip side is that a dead service takes your connection with it, so if you suddenly have no connectivity at all, check that the Sygate service is running before blaming your ISP. Common sense tells you that two fences around your yard will make your property harder to penetrate. ;) Recommendation: Do you really need to know? On 24/7/365! Anything less is just not taking advantage of Sygate's POWERS!

Active Response
a.k.a. Automatically block attacker's IP for ? seconds.
This feature does exactly what it says: an automated block on ANY IP whose traffic is judged to belong to an attacker. Let's define attacker: any traffic in violation of the IDS, Advanced Rules, Application Filtering, and certain Options is considered an attack, and its source IP is the attacker. By default the attacker is blocked by IP for a duration of 10 minutes (600 seconds). The duration, time=X, is configurable in seconds. Pretty nifty if you ask me. One thing to keep in mind with any block-by-source-IP feature: the source address in a packet can be forged, so junk sent with the address of a machine you rely on (your DNS server, say) can get that machine blocked for time X. Recommendation: *On

* If you do a lot of firewall testing such as simulating attacks on your system to test your firewall, it is advised to disable this first. Why? Because you will get false results due to Active Response blocking all of the fake attacker's traffic for time X.

**Sygate will also block the offending application making the connection with said attacker(s). To get this application working again, restart it otherwise it will be blocked until time X expires.

***I keep Active Response off 24/7/365 only because I'm always testing things. This is not recommended unless you are a power user conducting tests frequently. Again, I repeat that this is my preference and not recommended.
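
To make the "blocked for time X" behavior concrete, here is an added Python model of an Active-Response-style auto-block list (this is example code for this page, not Sygate's code, and it does not claim to match Sygate's internals). It replays a constructed timeline of packets through the block list: the scanner's IP is dropped for exactly 600 seconds after its violation and then released, and a forged packet carrying the DNS server's address shows the forged-source problem mentioned above. The `never_block` list is this model's own mitigation, not a documented Sygate setting.

```python
"""Model of an Active-Response-style auto-block: any source IP whose traffic
trips a rule goes on a block list for a fixed number of seconds, then drops
off again. Added example for this page, not Sygate's code. The event
timeline is constructed, and `never_block` is this model's own mitigation
for forged sources, not a documented Sygate setting.
"""
import ipaddress
from typing import Dict, Iterable, List, Tuple

# (seconds since start, source IP, rule-engine verdict: "ok" or "violation")
Event = Tuple[float, str, str]


class ActiveResponse:
    def __init__(self, block_seconds: int = 600, never_block: Iterable[str] = ()):
        self.block_seconds = block_seconds          # Sygate's default: 10 minutes
        self.never_block = {ipaddress.ip_address(a) for a in never_block}
        self.blocked_until: Dict[object, float] = {}

    def is_blocked(self, ip, now: float) -> bool:
        until = self.blocked_until.get(ip)
        if until is not None and now < until:
            return True
        self.blocked_until.pop(ip, None)            # time X is up (or never blocked)
        return False

    def handle(self, now: float, src: str, verdict: str) -> str:
        """Fate of one packet: 'allowed'; 'blocked' (by a rule, and the source
        now goes on the list); or 'auto-blocked' (dropped only because the
        source is still serving out an earlier block)."""
        ip = ipaddress.ip_address(src)
        if self.is_blocked(ip, now):
            return "auto-blocked"
        if verdict == "violation":
            if ip not in self.never_block:
                self.blocked_until[ip] = now + self.block_seconds
            return "blocked"
        return "allowed"


def replay(events: Iterable[Event], **kwargs) -> List[Tuple[float, str, str]]:
    """Run a timeline through a fresh ActiveResponse; returns (t, src, fate)."""
    ar = ActiveResponse(**kwargs)
    return [(t, src, ar.handle(t, src, verdict)) for t, src, verdict in sorted(events)]


# Constructed timeline: a scanner trips a rule and keeps knocking; meanwhile a
# packet forged with our DNS server's address also trips a rule.
EVENTS: List[Event] = [
    (0.0,   "203.0.113.9", "violation"),   # probe to a blocked port
    (5.0,   "203.0.113.9", "ok"),          # would pass a rule, but the IP is on the list
    (10.0,  "192.168.1.1", "violation"),   # forged source = our DNS server
    (11.0,  "192.168.1.1", "ok"),          # a real DNS reply we need
    (599.0, "203.0.113.9", "ok"),          # still inside time X
    (600.0, "203.0.113.9", "ok"),          # time X (600 s) is up
]

if __name__ == "__main__":
    for row in replay(EVENTS):
        print(row)
    print("with never_block:", replay(EVENTS, never_block=["192.168.1.1"])[3])
```

Without the exemption the DNS reply at t=11 is dropped along with the scanner's packets; with it, the forged packet is still blocked by the rule but the DNS server itself stays reachable. Sygate does not give you such a list as far as this page knows, which is one more reason to run tests with Active Response off and to check the Security Log when something you rely on stops answering.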

Enable DLL Authentication
This feature will catch any new and/or malicious DLL (Dynamic Link Library) trying to load in the context of a trusted application. Sygate keeps a fingerprint of each DLL an application has loaded, so from the point of installing Sygate on, the first time an application loads a DLL you are asked whether to allow it (and the point of the fingerprint is that a DLL that has since been altered or replaced no longer matches, so you get asked again). You can allow it or refuse it. Recommendation: ^On 24/7/365.

*Some argue that it is annoying and disable it. These people are just less protected from new exploits. But Sygate is all about user configuration and compatibility to meet your needs, so you have the choice to disable even the helpful things.

Automatically Allow Known DLL's
This option cures the complaint that DLL authentication is too annoying because of all the prompts. Together, this option plus DLL authentication still authenticates DLLs, but also lets Sygate learn your habits: it keeps a record of the commonly used DLLs per application and allows those without prompting you. Not using this feature may cause constant prompting when using complicated applications such as browsers, FTP clients, email clients, games, etc. If DLL authentication alone is too annoying for you, don't disable it. Instead, enable this option plus DLL auth and the annoyance is gone while the fingerprint check remains (you only give up the prompt for DLLs Sygate already recognizes as common). Recommendation: Optional

Reset All Fingerprints for All Applications
This will clear all the stored fingerprints used by DLL authentication and Automatically Allow Known DLLs for all of your applications. This is good if you want to start fresh and re-record the known DLLs, or just use DLL authentication alone. Recommendation: Use as needed.

Enable Anti MAC Spoofing
The MAC a.k.a. Adapter Address can be spoofed in order to intrude into your system. In practice this means ARP spoofing: another computer on your LAN sends ARP replies claiming an IP address it does not own (your gateway's, for instance), your machine updates its MAC address table accordingly, and from then on sends its traffic to the wrong place. This feature protects that table from being rewritten by another computer by only accepting ARP replies your machine actually asked for, and logging the rest. Keep in mind it protects your own machine's table only; it cannot stop the same trick being played on the other computers or the gateway on your LAN. Recommendation: On 24/7/365
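
Here is an added Python model of the "only accept ARP replies you asked for" rule, written for this page (it is not Sygate's code and does not claim to match its internals). It runs the same two-packet scenario through a naive cache and a guarded one: a legitimate reply from the gateway, then an unsolicited reply from an attacker claiming the gateway's IP. Addresses, timings and the 2-second reply window are assumed values.

```python
"""Model of the 'accept ARP replies only when we asked' rule behind
anti-MAC-spoofing. Added example for this page, not Sygate's code. It shows
why an ARP cache that accepts unsolicited replies can be poisoned and how
gating replies on an outstanding request stops it. Addresses, timings and
the reply window are constructed values.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

GATEWAY_IP, GATEWAY_MAC = "192.168.1.1", "00:11:22:33:44:55"
ATTACKER_MAC = "de:ad:be:ef:00:01"


@dataclass
class ArpCache:
    guarded: bool                     # True = anti-spoofing rule enforced
    reply_window: float = 2.0         # seconds a request stays outstanding (assumed)
    table: Dict[str, str] = field(default_factory=dict)       # ip -> mac
    pending: Dict[str, float] = field(default_factory=dict)   # ip -> time we asked
    dropped: List[Tuple[str, str]] = field(default_factory=list)

    def request(self, ip: str, now: float) -> None:
        """We send 'who has ip?' and remember that a reply is expected."""
        self.pending[ip] = now

    def reply(self, ip: str, mac: str, now: float) -> bool:
        """An ARP reply 'ip is at mac' arrives. Returns True if the cache changed."""
        solicited = ip in self.pending and now - self.pending[ip] <= self.reply_window
        if self.guarded and not solicited:
            self.dropped.append((ip, mac))     # unexpected reply: drop and log
            return False
        self.table[ip] = mac
        self.pending.pop(ip, None)
        return True


def run_scenario(guarded: bool) -> ArpCache:
    """Legit resolution of the gateway, then an unsolicited spoofed reply."""
    cache = ArpCache(guarded=guarded)
    cache.request(GATEWAY_IP, now=0.0)
    cache.reply(GATEWAY_IP, GATEWAY_MAC, now=0.1)     # the real gateway answers
    cache.reply(GATEWAY_IP, ATTACKER_MAC, now=30.0)   # nobody asked: poisoning attempt
    return cache


if __name__ == "__main__":
    for guarded in (False, True):
        c = run_scenario(guarded)
        print(f"guarded={guarded}: gateway is at {c.table[GATEWAY_IP]}, dropped={c.dropped}")
```

The naive cache ends up with the attacker's MAC for the gateway; the guarded cache keeps the real one and has the spoofed reply on its dropped list, which is what you would expect to see in the Security Log. A reply that arrives long after the request (outside the window) is dropped too, so a stale request cannot be used as a way in.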

Enable Anti IP Spoofing
This feature randomizes the TCP initial sequence number of each connection. IP spoofing over TCP relies on an attacker who cannot see your replies guessing that number; with a predictable (incrementing) sequence the guess is easy, with a random 32-bit one it is as close to impossible as it gets. Keep in mind it only helps against a blind attacker: someone who can sniff your traffic doesn't need to guess, and UDP/ICMP carry no sequence number to randomize. Recommendation: On 24/7/365
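
To see why the randomization matters, here is an added Python model of a blind spoofing attempt (example code for this page, not Sygate's): the attacker first connects from his own address to learn the server's current ISN, then sends a SYN with a forged source and has to complete the handshake with an ACK for a SYN-ACK he never sees. The fixed step of 64000 (a BSD-style value), the trial and guess counts and the RNG seeds are assumptions of the model.

```python
"""Why randomized TCP sequence numbers matter: a blind-spoofing model.

Added example for this page, not Sygate's code. The attacker connects once
from his real address to learn the server's current ISN, then sends a SYN
with a forged source and must answer a SYN-ACK he never sees with the right
acknowledgment number. The fixed step (64000, a BSD-style value), trial
counts and RNG seeds are assumptions of the model.
"""
import random

ISN_SPACE = 1 << 32


class PredictableISN:
    """Old-style generator: each new connection gets the previous ISN plus a fixed step."""
    STEP = 64000

    def __init__(self, start: int = 0x0001_0000):
        self.last = start

    def next_isn(self) -> int:
        self.last = (self.last + self.STEP) % ISN_SPACE
        return self.last


class RandomISN:
    """What anti-IP-spoofing gives you: each ISN is an independent 32-bit random value."""

    def __init__(self, rng: random.Random):
        self.rng = rng

    def next_isn(self) -> int:
        return self.rng.getrandbits(32)


def blind_spoof(gen, trials: int, guesses: int, rng: random.Random) -> int:
    """Run `trials` spoofing attempts, each allowed `guesses` forged ACKs.
    Returns the number of attempts that hit the server's real ISN."""
    wins = 0
    for _ in range(trials):
        observed = gen.next_isn()   # ISN from the attacker's own, legitimate connection
        target = gen.next_isn()     # ISN sent to the forged address; attacker never sees it
        # First guess assumes the fixed-step pattern; the rest are blind random guesses.
        candidates = [(observed + PredictableISN.STEP) % ISN_SPACE]
        candidates += [rng.getrandbits(32) for _ in range(guesses - 1)]
        if target in candidates:
            wins += 1
    return wins


def compare(trials: int = 200, guesses: int = 1000, seed: int = 1):
    """Same attacker, same budget, against a predictable and a randomized stack."""
    rng = random.Random(seed)
    predictable = blind_spoof(PredictableISN(), trials, guesses, rng)
    randomized = blind_spoof(RandomISN(random.Random(seed + 1)), trials, guesses, rng)
    return predictable, randomized


if __name__ == "__main__":
    p, r = compare()
    print(f"predictable ISN: {p}/200 spoofed handshakes; randomized ISN: {r}/200")
    print(f"per-attempt odds against a random ISN with 1000 guesses: {1000 / ISN_SPACE:.2e}")
```

Against the predictable stack the first guess is right every time; against the randomized one the attacker's odds per attempt are guesses/2^32, which at a thousand guesses is about one in four million. The model assumes the attacker is blind; on a shared LAN where he can sniff the SYN-ACK, randomization buys nothing, which is why this option and anti MAC spoofing belong together.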

Enable OS Fingerprint Masquerading
Stops your computer's OS from being fingerprinted by common methods, i.e. tools that guess the OS from the details of how your TCP/IP stack answers probes (sequence numbers, TCP options, replies to odd packets). This works best with anti IP spoofing on, since predictable sequence numbers are one of the giveaways. Recommendation: On 24/7/365

NetBIOS Protection
Formerly known as Smart NetBIOS, this feature was changed to make setting up networks easier. This will allow you to use Network Neighborhood file and print sharing on your LAN, but block NetBIOS traffic (the name, datagram and session services on UDP 137/138 and TCP 139) coming from any address outside your local subnet, which is where the NetBIOS exploits and share probing from the internet come from. Note it is NetBIOS specifically: on Windows 2000/XP file sharing can also run directly over TCP 445, so cover that with an Advanced Rule if you don't need it from outside. Recommendation: On 24/7/365

Smart Traffic Handling


Enable Smart DNS
Automatically allows applications to resolve domain names using the Domain Name Service (DNS) while at the same time protecting against DNS attacks from the network. If you disable this then you will be prompted for permission to resolve domain names or DNS traffic will be blocked. Recommendation: On 24/7/365

Enable Smart DHCP
Automatically allows a Dynamic Host Configuration Protocol (DHCP) client machine to get its IP address from a DHCP server while providing protection against DHCP attacks on the network. Recommendation: On 24/7/365

E-mail Notification
Easy to setup section for enabling Sygate to email you every time an attack is taking place. Recommendation: Optional



Log


Here you can manage how the firewall logs: the maximum file size, how many days of logs to keep, enabling the packet log, and clearing all logs. Recommendation: Optional.



Updates


Here you can check for Sygate signature updates and program updates. You have the option to automate these updates. Recommendation: Optional.







Email Me


Sygate is Copyright © 1997-2002 Sygate Technologies, Inc.
Copyright © 2002 All contents of this site not otherwise
specified should be considered my property and should not be used without permission.