
When a program runs and tries to access the net, by default Sygate adds it to a list, shown as Applications in the main GUI. That list lets you fine tune each and every program that needs net access in a rule-like fashion, by applying traffic limits to each one.
After the IDS, the Advanced Rules are the next point of defense. This is the place in Sygate where your imagination can run wild, because ANY kind of rule can be written in regards to protocols, ports, IP address and NIC, and then applied globally or per application(s). Total control. To get here go to Tools in the main GUI > Advanced Rules OR right click the systray icon > Advanced Rules. The tabs here just summarize the advanced rules part by part. If you hover the mouse over any rule, a tool tip should pop up with the same info in a summary box.
Advanced Applications Configuration
And here is the interface where you limit an application. Learn it well. To get to this screen, hit Applications > Highlight a program > hit the Advanced button.
Now to master making Application Rules (common terminology for the settings per application that you make in Advanced Application Configuration):
Name of Application
This drop down is where you choose which application the current Application Rule applies to. It should contain every application in your Applications list.
Application Restrictions
Trusted IP's
You can limit an application to connect only to select IP's and/or select IP blocks. Just input them like this x.x.x.x,y.y.y.y,x.x.y.y-y.y.x.x and you are all set. Once you list anything here, any IP not on the list is blocked for this application. That is a very useful way to restrict and ban IP's: allow only those you trust and all others are automatically blocked. Keep in mind this is a list of IP addresses, not host names, so a server whose address changes (or that sits behind several addresses) will start getting blocked until you update the list.
Remote Server Port(s)
Use the top TCP field and top UDP field to limit the remote server ports the application can connect to.
Local Port(s)
Use the bottom TCP field and bottom UDP field to limit the local ports the application can use.
*For both the remote server port(s) and local port(s), here is how you enter them.
(examples only; use the proper ports for your application(s))
Block of ports: 1024-5000
Single Port(s): 88,567,32243
Both block and single: 1024-5343,53,25,7875
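As an added example (not Sygate code, and not from the original guide), here is a small parser for the Trusted IP's and port formats described above, plus a check that applies an application's restrictions to one connection. Two assumptions are built in and labelled in the code: an empty field means "no restriction", and a connection is allowed only when the remote IP, remote port and local port all pass. The application name and addresses in the sample are constructed.

```python
"""Parse Sygate-style application restrictions and check one connection.

Added example, not Sygate code. Text formats come from the guide:
  ports:  "1024-5343,53,25,7875"   (blocks and single ports, comma separated)
  IPs:    "x.x.x.x,y.y.y.y,x.x.y.y-y.y.x.x"
ASSUMPTIONS (not stated on the page): an empty field means no restriction,
and all three checks (remote IP, remote port, local port) must pass.
"""
import ipaddress

MAX_PORT = 65535  # ports are numbered 0-65535, i.e. 65536 of them


def parse_ports(spec):
    """'1024-5343,53,25' -> [(1024, 5343), (53, 53), (25, 25)].

    Out-of-range or reversed items raise ValueError rather than silently
    producing a rule that allows nothing or everything.
    """
    ranges = []
    for item in spec.replace(" ", "").split(","):
        if not item:
            continue
        lo, _, hi = item.partition("-")
        lo_i = int(lo)
        hi_i = int(hi) if hi else lo_i
        if not (0 <= lo_i <= hi_i <= MAX_PORT):
            raise ValueError(f"bad port item: {item!r}")
        ranges.append((lo_i, hi_i))
    return ranges


def parse_trusted_ips(spec):
    """'10.0.0.5,192.168.1.1-192.168.1.50' -> [(first, last), ...] IPv4Address pairs."""
    ranges = []
    for item in spec.replace(" ", "").split(","):
        if not item:
            continue
        first, _, last = item.partition("-")
        a = ipaddress.IPv4Address(first)
        b = ipaddress.IPv4Address(last) if last else a
        if b < a:
            raise ValueError(f"reversed IP range: {item!r}")
        ranges.append((a, b))
    return ranges


def in_ranges(value, ranges):
    """Empty restriction list = unrestricted (assumption); else value must hit one range."""
    return not ranges or any(lo <= value <= hi for lo, hi in ranges)


def connection_allowed(restriction, remote_ip, proto, remote_port, local_port):
    """Apply an app's Trusted IP's / remote port / local port limits.

    restriction keys hold strings in the guide's format:
      trusted_ips, remote_tcp, remote_udp, local_tcp, local_udp
    """
    proto = proto.lower()
    remote = parse_ports(restriction.get(f"remote_{proto}", ""))
    local = parse_ports(restriction.get(f"local_{proto}", ""))
    ips = parse_trusted_ips(restriction.get("trusted_ips", ""))
    return (in_ranges(ipaddress.IPv4Address(remote_ip), ips)
            and in_ranges(remote_port, remote)
            and in_ranges(local_port, local))


# Constructed sample: an update client that may only talk to a few hosts on
# TCP 80/443 from an ephemeral local port. Names and addresses are made up.
UPDATER = {
    "trusted_ips": "203.0.113.10,203.0.113.20-203.0.113.29",
    "remote_tcp": "80,443",
    "local_tcp": "1024-5000",
}

if __name__ == "__main__":
    print(connection_allowed(UPDATER, "203.0.113.25", "tcp", 443, 2048))   # allowed
    print(connection_allowed(UPDATER, "203.0.113.25", "tcp", 8080, 2048))  # wrong port
    print(connection_allowed(UPDATER, "198.51.100.1", "tcp", 443, 2048))   # IP not trusted
```

The validation in parse_ports is the part worth copying: a typo like 70000 or 5000-1024 in a port field should fail loudly when you build the rule, not turn into a restriction that quietly never matches.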
Allow ICMP
This check box allows or blocks the application from using ICMP.
Recommendation: Most applications don't need ICMP, so try them without it and see if they still function properly.
***Act As Server***
Important BTW, thanks to cam @ Sygate Support Forums for giving these detailed descriptions of Act as Server/Client.
"Act as Server" means that the application is allowed to accept unsolicited connection attempts. That is, it "listens" for connections on a unique port number. For example, Apache listens for connections on port 80. Telnet SERVERS listen for connections on port 23. SMTP SERVERS listen for connections on port 25. These are servers.
Recommendation: Uncheck all apps for act as server/off 24/7/365...see below
Most applications don't need to act as a server. Sygate leaves it checked by default because the OS lets any program listen by default, which avoids conflicts out of the box, but Sygate gives you control over this OS behaviour that you otherwise wouldn't have. A listening application is reachable by anyone who can send packets to that port, so leaving Act as Server checked on an application that doesn't need it weakens your security. Make sure you uncheck it for every application that doesn't need it. Go ahead and experiment: uncheck the Act as Server box on all of your apps, then run each one as you normally do and see if it still functions. If it does, leave it off. If it doesn't, check the box again and limit that application to the ports, protocol and IP's it actually needs.
***Act As Client***
"Act as client" means that the application is allowed to INITIATE a connection attempt to a listening server. Most of the applications you run fall into this category. IE initiates connections to remote web sites that are listening on port 80.
Recommendation: Most applications run this way. For the rare ones that don't need it, disable it just to add to the amount of control you have over your system. Such applications are very rare, if they exist at all, and will not be found on the average user's computer.
Quick Q&A....
Q: Why, when I run S.O.S., do I not come up all BLOCKED (stealth)?
A: Besides the check boxes, SPF partly treats these actions as separately acknowledgeable actions. For example, if you set IE to both act as server and act as client, and set it to "ask", then
1. When you start IE, you will be prompted "IE is trying to connect to....". That is, it is trying to be a client.
2. When you run the stealth test, SOS can see what port IE is using on your PC, and it tries to initiate an unsolicited connection to it. SPF will then prompt you with "IE is being connected by the remote machine..." Notice the slight difference in wording. There is a world of difference in their meaning. That is, something is trying to use IE as a server. by cam @ Sygate Support Forums
Allow during Screen saver mode
Self explanatory. :) If this box is unchecked, the application is blocked while the screen saver is active.
Enable Scheduling
This feature gives you the option either to allow the rule for a limited time OR to allow it all the time and block it for a select time frame. This is really good for controlling updates even more. :) It can also be used to lock people out of certain apps, etc.
Advanced Rules
Advanced Rule Creation
Now that you are in the right spot you can create advanced rules.
General
Rule Description
Put the name of the rule here, and try to make it meaningful. Don't name a rule that blocks yahoo.com (just an example) Peanut Butter and Jelly. :D
Action
Block or Allow
Advanced Settings
Apply Rule to Network Interface
Lets you either specify a Network Interface Card (NIC) for the rule to work on, or apply it globally by choosing All Network Interface Cards.
Apply this rule during Screen saver mode
On applies the rule only while the screen saver is active. Off applies it only while the screen saver is not active. Both makes the rule work with and without the screen saver running.
Record this traffic in the packet log
Does exactly what it says. It is handy to turn on for a new block rule so you can confirm in the Packet log that it is matching the traffic you intended, then turn it off again so the log doesn't fill up.
Hosts
Remote Host
All Addresses
Applies the rule to all addresses.
MAC Address
To obtain the MAC address, a.k.a. Adapter Address, go to Start > Run > type in "winipcfg" on Win 9x/ME (use no quotes), or open a command prompt and type "ipconfig /all" on Win 2k/XP (use no quotes). This will find your own MAC addy, which you can then use to only apply rules to your machine. Note that a MAC address is only seen on the local network segment, so a MAC based rule can only match hosts on your own LAN, never hosts beyond your router.
IP Address(es)
IP address(es) go here in order for the rule to only apply to them. These can be found in numerous ways. The easiest is to use the Sygate logs to find the IP and Backtrace it, making sure you block/allow the right ones.
Subnet
A Subnet of Addresses and the Subnet mask go here in order to apply a rule to a subnet only.
Ports and Protocols
Pay good attention, because here is the core of the Advanced Rule. You apply your rule to select ports and protocols. This is the fine tuning section. If a firewall is considered a filter for your internet connection, which it should be, then this is the section where you make your filters filter more or less. Remember, limiting ports and protocols puts total control in the hands of the end user instead of letting your connection control you. FYI, for the protocols that use ports (TCP and UDP) there are 65536 ports, numbered 0-65535.
Direction
You see a drop down menu in this screen labeled Direction. This is where you decide which direction your rule applies to. The directions are...
Incoming - meaning that the rule will apply to traffic from all other networks/the internet to your network/system.
Outgoing - meaning that the rule will apply to traffic from your network/system to all other networks/the internet.
Both - meaning the rule applies to both incoming and outgoing traffic.
TCP
TCP (Transmission Control Protocol), the most common protocol, can be limited to any local and/or remote ports you desire. Click the link to read more about TCP.
UDP
UDP (User Datagram Protocol) can also be limited to any of the 65536 ports (0-65535), both remote and local, to strengthen your security. Click the link to read more about UDP.
ICMP
ICMP (Internet Control Message Protocol) is a message control and error reporting protocol and less common than TCP and UDP. The ICMP type is an 8-bit field, so there are 256 possible types (0-255), though only a few dozen are assigned. You can set rules for types 0,3,4,5,8,9,10,11,12,13,14,15,16,17,18 in Sygate (8 is Echo Request, i.e. ping, and 0 is its Echo Reply; 3 is Destination Unreachable; 11 is Time Exceeded). Here are some links to see them all and read up on them.
ICMP Type and Code Numbers1
ICMP Type and Code Numbers2
ICMP Type and Code Numbers3
IP Type
Sygate can allow or block by IP type in any direction. The IP protocol field is 8 bits, so there are 256 possible IP types (0-255). I'm still looking at most of them. Sygate recognizes them all and all can be allowed or blocked in any direction. Some of the IP types are ICMP (1), IGMP (2, Internet Group Management Protocol), TCP (6), IGRP (9, Interior Gateway Routing Protocol), UDP (17), and many more. What are all these, you ask? Most of them you will never see, so why are they there? For compatibility and full range of allow/block control. Note that ICMP is itself an IP type, so a rule that blocks every IP type except TCP and UDP also blocks ping and the other ICMP messages unless an ICMP allow rule sits above it. I have a rule to block ALL IP types but TCP and UDP. ;) This makes up most of my rule set, which is mostly block rules because I'm a control freak.
ALL
The rule will apply to all ports and all protocols.
Enable Scheduling
This feature gives you the option either to allow the rule for a limited time OR to allow it all the time and block it for a select time frame. This is really good for controlling updates even more. :) It can also be used to lock people out of certain apps, etc. ;)
***Applications***
Another section to pay close attention to, because this is the cut off point. Why? YOU SHOULD NEVER EVER MAKE A GLOBAL ALLOW RULE IF THAT CAN BE AVOIDED! Thanks to this great feature in rule making, you can make rules specific to whichever application(s) you want. It is simple. The Applications list from the main GUI has all the same programs listed here. Any not found here, you can Browse the network/system to find. I couldn't do without the control this feature provides. :D
A simple check box by each application you want the rule to apply to will do the trick. ;) After this last section of the rule, hit OK once. Now you can highlight each rule and order them using the up and down arrows. Ordering makes the difference whenever two rules could match the same traffic, since the list is worked through from the top and the first rule that matches decides; when no two rules overlap, order is irrelevant.
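To make the ordering point concrete, here is an added example (not Sygate code, and not from the original guide) that models an Advanced Rules list with the fields from the dialog above and evaluates connections against it. Two things are assumptions rather than anything this page documents: rules are checked top-down with the first match deciding, and a connection no rule matches falls through to the per-application settings. The rule set, application names and addresses are constructed; the second rule is in the spirit of the "block all IP types but TCP and UDP" rule mentioned under IP Type.

```python
"""Evaluate an ordered Advanced Rules list against a connection.

Added example, not Sygate code. Rule fields mirror the Advanced Rule dialog
(action, direction, IP type, ports, hosts, applications).
ASSUMPTIONS: rules are evaluated top-down and the first match wins; a
connection no rule matches falls through to the Applications list.
"""
from dataclasses import dataclass

TCP, UDP, ICMP, IGMP = 6, 17, 1, 2   # IANA IP protocol numbers (field is 0-255)
ANY = frozenset()                    # empty set = "no restriction" below


@dataclass(frozen=True)
class Rule:
    description: str
    action: str                       # "allow" or "block"
    direction: str = "both"           # "incoming", "outgoing" or "both"
    ip_types: frozenset = ANY         # IP protocol numbers, or ANY
    remote_ports: tuple = ()          # ((lo, hi), ...) or () for any port
    local_ports: tuple = ()
    remote_hosts: frozenset = ANY     # IPs as strings, or ANY = All Addresses
    applications: frozenset = ANY     # exe names, or ANY = global rule


@dataclass(frozen=True)
class Conn:
    app: str
    direction: str
    ip_type: int
    remote_host: str
    remote_port: int = 0              # 0 for protocols without ports
    local_port: int = 0


def _port_ok(port, ranges):
    return not ranges or any(lo <= port <= hi for lo, hi in ranges)


def rule_matches(rule, c):
    return (rule.direction in ("both", c.direction)
            and (not rule.ip_types or c.ip_type in rule.ip_types)
            and (not rule.remote_hosts or c.remote_host in rule.remote_hosts)
            and (not rule.applications or c.app in rule.applications)
            and _port_ok(c.remote_port, rule.remote_ports)
            and _port_ok(c.local_port, rule.local_ports))


def evaluate(rules, c):
    """First matching rule decides; ("no match", None) = per-app settings apply."""
    for rule in rules:
        if rule_matches(rule, c):
            return rule.action, rule.description
    return "no match", None


# Constructed rule set: an application-specific allow (never a global allow),
# a "block all IP types but TCP/UDP" rule, then a catch-all inbound block.
RULES = [
    Rule("firefox to web", "allow", "outgoing", ip_types=frozenset({TCP}),
         remote_ports=((80, 80), (443, 443)),
         applications=frozenset({"firefox.exe"})),
    Rule("block all IP types but TCP/UDP", "block", "both",
         ip_types=frozenset(range(256)) - {TCP, UDP}),
    Rule("block unsolicited inbound", "block", "incoming"),
]

# Same rules with a global outbound-web block moved to the top: it now
# shadows the Firefox allow rule, which is why rule order matters.
SHADOWED = [Rule("block all outbound web", "block", "outgoing",
                 ip_types=frozenset({TCP}), remote_ports=((80, 80), (443, 443)))] + RULES


def demo():
    """Decisions for a handful of constructed connections."""
    web = Conn("firefox.exe", "outgoing", TCP, "203.0.113.10", 443, 49152)
    return {
        "firefox https": evaluate(RULES, web),
        "firefox https, shadowed": evaluate(SHADOWED, web),
        "firefox port 8080": evaluate(RULES, Conn("firefox.exe", "outgoing", TCP, "203.0.113.10", 8080, 49153)),
        "igmp out": evaluate(RULES, Conn("system", "outgoing", IGMP, "224.0.0.1")),
        "ping in": evaluate(RULES, Conn("system", "incoming", ICMP, "198.51.100.7")),
        "inbound tcp 135": evaluate(RULES, Conn("svchost.exe", "incoming", TCP, "198.51.100.7", 49200, 135)),
    }


if __name__ == "__main__":
    for name, (action, why) in demo().items():
        print(f"{name:26} -> {action} ({why})")
```

Note the "ping in" case: because ICMP is IP type 1, the block-everything-but-TCP/UDP rule catches it, and an ICMP allow rule would have to sit above that rule to let ping through. The "firefox port 8080" case shows the fall-through: no rule matched, so the application's own settings decide.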
Import/Export Rules in SPF Pro only!
You should now be back in Tools > Advanced Rules OR systray > Advanced rules right now. Pro users read below.
YOU CAN CLICK TO HIGHLIGHT A RULE, THEN USE CTRL OR SHIFT TO HIGHLIGHT MORE THAN ONE AT A TIME. After doing this, you can right click the rules and Export them, saving them one at a time or in groups to one file or many files. You can later import these files back if you wish. Don't try any so called tricks to save rules if you are using SPF freeware. Some claim they work, but when I tried, all it did was make Sygate and the OS very unstable and not work properly. That is just me; you can try if you like, at your own risk.
THE KEY TO MASTERING SYGATE...IT IS IN THE LOGS! They aren't complex like people make them out to be. They are rather to the point and in simple enough form for everyone to understand.
TIP: Don't forget you can highlight then right click an entry in the Security, Traffic and Packet logs to run a Backtrace and Whois on the event. Very useful for investigating and rule making.
