Administrative Guide

iboss Firesphere Guidance
Version 1.6
March 22, 2016
Note: Please refer to the User Manual for the latest updates.
Copyright © by iboss, Inc. All rights reserved. No part of this publication may be
reproduced, transmitted, transcribed, stored in a retrieval system, or translated into any
language or computer language, in chemical, manual or otherwise, without the prior written
permission of Phantom Technologies Inc.
iboss Cybersecurity makes no representations or warranties, either expressed or implied,
with respect to the contents hereof and specifically disclaims any warranties,
merchantability or fitness for any particular purpose. Any software described in this manual
is sold or licensed "as is". Should the programs prove defective following their purchase, the
buyer (and not this company, its distributor, or its dealer) assumes the entire cost of all
necessary servicing, repair, and any incidental or consequential damages resulting from any
defects. Further, this company reserves the right to revise this publication and make
changes from time to time in the contents hereof without obligation to notify any person of
such revision of changes.
All brand and product names mentioned in this manual are trademarks and/or registered
trademarks of their respective holders.
www.iboss.com
Open Source Code
This product may include software code subject to the GNU General Public License (“GPL”),
GNU Lesser General Public License (“LGPL”), or other open-source software licenses. Copies
of the GPL and LGPL licenses are available upon request. You may also visit www.gnu.org
to view more information regarding open-source licensing.
The GPL, LGPL and other open-source code used in Phantom Technologies Inc products are distributed
without any warranty and are subject to the copyrights of their authors. Upon request, open-source
software source code is available from Phantom Technologies Inc via electronic download or shipment
on a physical storage medium at cost. For further details and information please visit
www.iphantom.com/opensource.
Table of Contents
1 Document Overview
2 Introduction
3 Getting Started
3.1 Identification
3.2 Environment
3.3 Technical Requirements
3.3.1 Procedural Requirements
3.4 Installation
3.4.1 User Accounts
3.4.2 Cryptographic Operations
4 Security Functions
4.1 Security Audit
4.2 Local Console Access
4.3 Administration
4.3.1 Time
4.3.2 Trusted Updates
4.3.3 Inter TSF Trusted Channel Configuration
4.3.4 Configuration of Trusted Services
4.4 Configuring the Cryptographic Engine
4.5 Configuring the Random Bit Generation (RBG)
5 Management for data logging
6 Design Specification
6.1 Keys
6.1.1 Key Protection
6.1.2 Key Zeroization
6.2 Error State
6.3 Firmware update process
6.4 DRBG and NDRNG
6.5 Physical Security Mechanisms
6.6 Inhibit data on Key generation and zeroization
7 Audit Records
8 Processes
9 Features
9.1 Evaluated Features
9.2 Disabled Features
9.2.1 Features Disabled in Common Criteria and FIPS mode
9.2.2 Features Disabled in FIPS mode
9.3 Modified Features
9.3.1 Report Manager
9.3.2 Secure Web Gateway
9.4 Unevaluated Features
9.5 Out of Compliance Features
1 Document Overview
This document includes all of the applicable requirements from the PP and PPE. All of the text that is
straight from the PP and PPE is prefixed by its associated SFR identifier.
The goal of the Common Criteria guidance is to:
1. Uniquely identify the TOE and all of its parts.
2. Describe how to verify TOE upgrades.
3. Describe how to configure the TOE in a manner consistent with the PP and PPE.
4. Describe all of the CC Evaluated security functions.
5. Describe the format of the audit records.
6. List the processes running on the TOE that are capable of processing network traffic.
2 Introduction
This document describes the Common Criteria evaluated security features of the iboss Firesphere
14600_fips (SWG) and iboss Firesphere 7960_fips (Report Manager). The SWG and Report Manager
were evaluated against the Protection Profile for Network Devices, Version 1.1, June 8, 2012; and
Security Requirements for Network Devices Errata #3, November 3, 2014. These documents are referred
to as PP and PPE throughout this document.
3 Getting Started
3.1 Identification
The evaluated servers consist of the following components:
• Iboss Firesphere Guidance - This document
• Firesphere 14600_FIPS
• Firesphere 14600_FIPS Server Software: Version 8.2.0.10
• Firesphere 7960_FIPS
• Firesphere 7960_FIPS Server Software: Version 8.2.0.10
• Secure Web Gateway Quick Start Guide: Version 8.2.0.10
• Secure Web Gateway User Manual: Version 8.2.0.10
• Report Manager Quick Start Guide: Version 8.2.0.10
• Report Manager User Manual: Version 8.2.0.10
• Iboss FireSphere Security Target 15-3460-R-0007: Version 0.7. Section 1.3.4 specifies TLS and cipher
suite support
3.2 Environment
As demonstrated, the SWG can be configured as a standalone inline server that processes network
traffic. In this configuration the SWG utilizes an internal Report Manager for the aggregation of data,
report generation, audit logging, and alerting. For most networks, the SWG is configured to utilize an
external Report Manager. When configured with an external Report Manager, the internal reporter on
the SWG is utilized to communicate current network status to the external reporter for real-time traffic.
When utilizing an internal Report Manager no additional configuration is necessary to configure the
SWG or Report Manager to communicate. When utilizing an external Report Manager, Section 3.8 of the
Report Manager User Manual describes how to configure the Report Manager to communicate with the
SWG. Section 7 of the Secure Web Gateway User Manual describes the steps that are necessary to
configure the SWG to communicate with the Report Manager.
3.3 Technical Requirements
The iboss Firesphere servers are compatible with the following devices, servers, and protocol versions:
| TOE Hardware | Functionality | TLS Versions | Ciphersuites |
|---|---|---|---|
| 7960 | LDAP (RFC 4510) | 1.1 (RFC4346), 1.2 (RFC5246) | TLS_RSA_WITH_AES_128_CBC_SHA, TLS_RSA_WITH_AES_256_CBC_SHA, TLS_RSA_WITH_AES_128_CBC_SHA256, TLS_RSA_WITH_AES_256_CBC_SHA256 |
| 7960 | Syslog (RFC 3164) | 1.1 (RFC4346), 1.2 (RFC5246) | TLS_RSA_WITH_AES_128_CBC_SHA, TLS_RSA_WITH_AES_256_CBC_SHA, TLS_RSA_WITH_AES_128_CBC_SHA256, TLS_RSA_WITH_AES_256_CBC_SHA256 |
| 7960 | HTTPS | 1.1 (RFC4346), 1.2 (RFC5246) | TLS_RSA_WITH_AES_128_CBC_SHA, TLS_RSA_WITH_AES_256_CBC_SHA, TLS_RSA_WITH_AES_128_CBC_SHA256, TLS_RSA_WITH_AES_256_CBC_SHA256 |
| 7960 | Trusted Update (pudsus1.ibossconnect.com) | 1.1 (RFC4346), 1.2 (RFC5246) | TLS_RSA_WITH_AES_128_CBC_SHA, TLS_RSA_WITH_AES_256_CBC_SHA, TLS_RSA_WITH_AES_128_CBC_SHA256, TLS_RSA_WITH_AES_256_CBC_SHA256 |
| 7960 | SMTP (RFC 3207) | 1.1 (RFC4346), 1.2 (RFC5246) | TLS_RSA_WITH_AES_128_CBC_SHA, TLS_RSA_WITH_AES_256_CBC_SHA, TLS_RSA_WITH_AES_128_CBC_SHA256, TLS_RSA_WITH_AES_256_CBC_SHA256 |
| 14600 | LDAP (RFC 4510) | 1.0 (RFC2246), 1.1 (RFC4346), 1.2 (RFC5246) | TLS_RSA_WITH_AES_128_CBC_SHA, TLS_RSA_WITH_AES_256_CBC_SHA |
| 14600 | HTTPS | 1.1 (RFC4346), 1.2 (RFC5246) | TLS_RSA_WITH_AES_128_CBC_SHA, TLS_RSA_WITH_AES_256_CBC_SHA, TLS_RSA_WITH_AES_128_CBC_SHA256, TLS_RSA_WITH_AES_256_CBC_SHA256 |
| 14600 | Trusted Update (pudsus1.ibossconnect.com) | 1.1 (RFC4346), 1.2 (RFC5246) | TLS_RSA_WITH_AES_128_CBC_SHA, TLS_RSA_WITH_AES_256_CBC_SHA, TLS_RSA_WITH_AES_128_CBC_SHA256, TLS_RSA_WITH_AES_256_CBC_SHA256 |
| 7960 and 14600 | Intra-TSF Communication | 1.0 (RFC2246), 1.1 (RFC4346), 1.2 (RFC5246) | TLS_RSA_WITH_AES_128_CBC_SHA, TLS_RSA_WITH_AES_256_CBC_SHA, TLS_RSA_WITH_AES_128_CBC_SHA256, TLS_RSA_WITH_AES_256_CBC_SHA256 |
The iboss Firesphere servers are able to work with the following browsers:
• Internet Explorer Version 10
• Chrome Version 35
• Firefox Version 26
• Safari Version 6
3.3.1 Procedural Requirements
The following protections must be provided by the operational environment the TOE is deployed in.
The iboss Firesphere Servers are physically protected from unauthorized access. These countermeasures
should be commensurate with the value of the data and networks being protected by the iboss
Firesphere Servers.
The Administrators must be trusted, and they must follow and apply all administrator guidance.
The TOE must be installed in the network in a manner that will allow the TOE to effectively enforce its
policies on network traffic flowing among attached networks. See the network diagram in Section 3.2.
The TOE must have a live internet connection to pudsus1.ibossconnect.com through the management
interface.
3.4 Installation
This section describes the steps to configure the iboss Firesphere Servers in a manner that is consistent
with the requirements in the PP and PPE.
Before beginning, verify that the hardware and documentation match Section 3.1.
Familiarize yourself with the user interface of the SWG and Report Manager by reviewing section 4 of
the Secure Web Gateway User Manual and section 1.5 of the Report Manager User Manual.
The iboss Firesphere Servers come with a 3 network port configuration (1 network port for
LAN, 1 network port for WAN, and 1 network port for the Management Interface).
The LAN and WAN ports form a fully transparent network bridge that behaves similarly to a
layer 2 network switch. The LAN/WAN ports do not route packets (like a firewall/router). The
network interfaces (LAN/WAN) forward packets between interfaces like a switch. A packet
received on the WAN port is sent on the LAN port. A packet received on the LAN port is sent
on the WAN port.
The IP Address is assigned to the “Management” interface. This port is used to access the
SWG configuration web interface. The LAN/WAN ports are blind and the web configuration
interface cannot be accessed via those two ports.
Connect the power and network interfaces of the iboss Firesphere servers according to the Secure Web
Gateway Quick Start Guide and Report Manager Quick Start Guide.
Section 3.8 of the Report Manager User Manual describes the steps to establish secure
communication between the Secure Web Gateway and the Report Manager.
3.4.1 User Accounts
3.4.1.1 Password Management
The SWG and Report Manager are configured initially to require a minimum password length of 15
characters. The administrator of the server can change the minimum password to a length between 15
and 32 characters. On the SWG the minimum length can be changed by navigating to Preferences and
then the System Settings submenu. On the Report Manager the minimum length can be changed by
navigating to Settings, then General submenu, and then Additional Settings section. The administrator
can then provide a numeric value between 15 and 32 characters for the minimum password length and
save.
An administrator can change the password of a user on the Report Manager by navigating to the
Settings menu, then to the Users submenu, locating the user that requires a password change, and
clicking the key icon. On the SWG, navigate to Preferences, then System Settings, and click the
“Change” link next to the Administration Password option.
A dialog will be displayed to provide the new password and to confirm the new password. In the case of
the SWG, the user must also be able to provide the existing password for the system in order to change
the admin password. The length of the new password will be enforced to the minimum password length
configured. The password can contain characters a – Z, 0 – 9, and the characters @!#$%^&*(). When
the update password button is clicked the system will validate that the provided values match and then
perform a SHA-256 hash of the value and store it within the system database.
Iboss recommends the use of strong passwords to secure accounts. Strong passwords should consist of
a mix of letters, both upper and lower case, as well as the use of numeric and special characters.
3.4.1.2 User Identification and Authentication
The iboss Firesphere servers are initially configured with a default administrator account. The default
administrator username is admin and the default password is documented in the Quick Start Guide for
the SWG or Report Manager. Iboss recommends that the administrator of the system change the
default administrator password to a more secure password as soon as possible after delivery of the
server.
To change the admin password on the Report Manager
Prior to enabling the iboss Firesphere Servers for general use the administrator should establish trusted
web certificates. The process of configuring SSL certificates is detailed in section 3.4.2 of this document.
3.4.1.3 Establishing users
Section 4.5.5 of the Secure Web Gateway User Manual and section 3.3 of the Report Manager User
Manual provide instructions for creating users. Users that are created as a Full Administrator are able to
adjust TSF Data. A user that is created as a Delegated Administrator will need to be assigned specific
permissions to allow the management of TSF data. The Secure Web Gateway session timeout under the
“Add User” modal does not apply to “Settings Administrator” “Administrator Type” Full.
To set the session timeout for a SWG “Settings Administrator” perform the following:
Preferences->System Settings
To set the session timeout for a Reporter “Settings Administrator” perform the following:
Settings->General->Additional Settings and set the “User Session Timeout” field.
3.4.2 Cryptographic Operations
3.4.2.1 Configuration of TLS
All TLS configuration comes preconfigured within the firmware. Please reference Section 3.3 to see the
list of protocols and ciphers.
3.4.2.2 Establishing SSL Certificates for SWG
Section 4.8.3 of the Secure Web Gateway User Manual documents the proper process of configuring the
SSL certificates for secure communication between the SWG and the end user's browser. The Report
Manager comes configured with a factory default certificate. This certificate and private key must be
replaced with either a customer-generated self-signed certificate or with a certificate that has been
purchased from a trusted certificate authority.
Section 4.8.2 of the Secure Web Gateway User Manual documents the proper process of configuring the
SSL Decryption functionality. SSL Decryption is allowed but it has not been evaluated as part of the
Common Criteria.
Other cryptographic engines were not evaluated nor tested during the CC evaluation of the TOE.
3.4.2.3 Establishing SSL Certificates for Report Manager
Section 3.7 of the Report Manager User Manual documents the proper process of configuring the SSL
certificates for secure communication between the Report Manager and the end user's browser. The
Report Manager comes configured with a factory default certificate. This certificate and private key
must be replaced with either a customer-generated self-signed certificate or with a certificate that has
been purchased from a trusted certificate authority.
Other cryptographic engines were not evaluated nor tested during the CC evaluation of the TOE.
4 Security Functions
This section describes the security functions that were evaluated against the PP and PPE, but were not
discussed in Section 3.4.
4.1 Security Audit
Section 3.1.14 of the Report Manager User Manual provides instructions on how to configure an
external syslog server for the storage of audit events and for the storage of URL and IPS log events.
The SWG forwards audit messages to the Report Manager by writing records to the
url_log_entry_current table and identifying the record as an audit. The Report Manager processes each
record from the url_log_entry_current table sequentially, and when an audit log is encountered, the
audit log is immediately forwarded to the system configured Syslog server.
On the Report Manager when an audit event is generated, the audit event is immediately forwarded to
the configured Syslog server.
In the event that the Syslog server is unavailable, the audit message is lost.
Section 7 of this document details the various audit events that can occur from the iboss Firesphere
servers.
4.2 Local Console Access
The SWG and Report Manager provide limited access to the shell of the device through an RS-232 Serial
Port. Section 2.2.2 of the Secure Web Gateway User Manual and Section 1.2 of the Report Manager
User Manual provide instructions on how to connect to the serial port. Once connected, the
administrator will be prompted to provide login credentials. The credentials are the same values as
used to access the web interface. Once authenticated the administrator will be able to configure the IP
Address of the device, reset the device, or view the current network settings. The SWG provides local
console access only to the “admin” user account.
4.3 Administration
4.3.1 Time
The SWG allows the administrator to set a timezone. The SWG then utilizes NTP to establish a time
based upon the provided timezone. The administrator sets the timezone by navigating to Preferences
then Timezone submenu. The administrator can also choose if daylight savings should be enforced.
Once the settings have been configured the administrator can persist these changes by clicking the save
button.
The Report Manager provides the ability for the administrator to configure an NTP server endpoint and
to establish a timezone for the server. The administrator sets these by navigating to Settings and
then the System Time submenu. When the settings have been configured the administrator can persist
these changes by clicking the save button. The server will then need to restart to apply these changes.
4.3.2 Trusted Updates
The SWG and Report Manager expose an update process that will validate if new firmware is available
for the server. If an update is available the administrator can trigger the download of the update.
Upon download the SWG or Report Manager will perform an RSA 2048 with SHA-256 signature verification
of the update to confirm that the update is trusted. When the signature has been verified the
administrator will be prompted to install the new update. The SWG or Report Manager will need to
restart in order to apply the changes. In order to perform a trusted update of the SWG and Report
Manager, pudsus1.ibossconnect.com must be reachable over port 443.
The process of updating the SWG can be found in the Secure Web Gateway User Manual Section 4.1.3.
To update the Report Manager refer to section 5 of the Report Manager User Manual.
When the firmware update is successful a green banner will be displayed stating the successful update.
If the firmware update fails, a red banner will be displayed and a reason for the update failure will be
provided. The user can also validate the firmware version on either the firmware page of the SWG
or the System Info page of the Report Manager instance.
4.3.3 Inter TSF Trusted Channel Configuration
When utilizing both an SWG and Report Manager within a single environment, they need to be
configured to communicate over a trusted channel. The configuration of the trusted channel will allow
the Report Manager to query current network status and allow the SWG to record networking data as
well as any actions that were taken to block suspicious traffic. If the trusted channel is unintentionally
broken, communication between the SWG and Report Manager will cease. When the channel is
restored, protected communication will be resumed without the need for administrative action.
4.3.3.1 Configuring Report Manager on SWG
Section 4.9.2 of the Secure Web Gateway User Manual provides instructions to establish the secure
connection from the SWG to the Report Manager.
4.3.3.2 Configuring Gateways on Report Manager
Section 3.8 of the Report Manager User Manual provides instructions to establish the secure
connection from the Report Manager to the SWG. Note that depending on the network configuration it
may be necessary to configure multiple SWGs on the Report Manager. The administrator will also need
to establish a Behavioral Data & Threat Gateway configuration pointing to the appropriate SWG
instances.
4.3.4 Configuration of Trusted Services
The iboss Firesphere Servers can be configured to communicate securely to trusted services. The iboss
Firesphere Servers support communication with LDAP, SMTP, Syslog, and time services.
4.3.4.1 LDAP Configuration
A full administrator of the SWG and either a full administrator or delegated administrator with
permissions to edit settings on the Report Manager can configure access to LDAP. For instructions on
how to configure LDAP authentication on the SWG, please refer to section 4.6.2 of the Secure Web
Gateway User Manual. Section 3.1.8 of the Report Manager User Manual details the settings that are
necessary to configure LDAP authentication on the Report Manager. Refer to section 3.3 of this
document for details on supported cipher suites and protocols.
4.3.4.2 SMTP Configuration
The SWG does not send emails, rather sending of email is delegated to the Report Manager. A full
administrator or delegated administrator with permissions to edit settings on the Report Manager can
configure access to send emails through SMTP. For instructions on how to configure SMTP on the
Report Manager, please refer to section 3.1.2. Refer to section 3.3 of this document for details on
supported cipher suites and protocols.
4.3.4.3 Syslog Configuration
Syslog is utilized to record audit records to an external audit server. The SWG does not send audit
records directly to the syslog server, rather audit messages are delegated to the Report Manager. A full
administrator or a delegated administrator with permissions to edit settings on the Report Manager can
configure the Syslog integration. Instructions on how to integrate the Syslog server with the Report
Manager are in section 3.1.14 of the Report Manager User Manual. Section 3.3 of this document details
the supported cipher suites and protocols.
4.3.4.4 System Time
The SWG comes preconfigured to communicate to time.nist.gov NTP Server to synchronize time. At this
time, the NTP server for the SWG cannot be modified. An administrator can change the timezone and
daylight savings settings from the SWG user interface. Section 4.10.3 of the Secure Web Gateway User
Manual provides additional information on setting the system timezone. The standalone Report
Manager allows the full administrator to configure the system time of the Report Manager. Section 3.6
of the Report Manager User Manual provides information about configuring the Report Manager to
utilize NTP for synchronizing time.
4.4 Configuring the Cryptographic Engine
The cryptographic engine is self-contained and no configuration is needed by an end user. The SWG and
Report Manager perform a known answer test on each cryptographic algorithm to ensure the
cryptographic engine has been configured properly.
4.5 Configuring the Random Bit Generation (RBG)
The RBG is self-contained and no configuration is needed by an end user. The SWG and Report Manager
perform a known answer test on each cryptographic RBG to ensure it has been configured properly.
5 Management for data logging
The Report Manager User Manual section 2.9.2 describes how audit logs are added to the events logs
and that they can be filtered to specifically view only those. IPS based logs are under section 2.9.6 of
the Report Manager User Manual.
6 Design Specification
6.1 Keys
6.1.1 Key Protection
The restrictive management interfaces do not provide the user with commands to view pre-shared
keys, symmetric keys, passwords, and private keys.
Key Association
With the exception of temporal keys for TLS connections, the module does not associate keys with a
specific user or entity; all keys are considered global configuration values. Temporal keys are created
within the context of the thread created for that specific TLS connection and the association is handled
by the thread management aspect of the operating system.
6.1.2 Key Zeroization
The SWG and Report Manager zeroize persistent CSPs whenever a file containing CSPs is modified or
deleted by reading the size of the file in bytes and overwriting that many bytes with zeros. The file is
then truncated to a length of 0 and, if it is being modified, written with the new data.
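The sequence described above (read the size, overwrite that many bytes with zeros, truncate to 0, then write new data when the file is being modified) can be illustrated as follows. This Python code is an added example, not iboss code; the function names and the sample key material are constructed for illustration.

```python
"""Zeroize a file holding CSPs: overwrite in place, then truncate, then rewrite."""
import os
import tempfile

CHUNK = 64 * 1024
SECRET = b"constructed-secret-key-material"  # constructed sample, not a real key


def overwrite_with_zeros(path):
    """Overwrite every byte of the file with zeros; return the bytes overwritten."""
    size = os.path.getsize(path)          # step 1: read the size in bytes
    with open(path, "r+b") as fh:         # r+b updates in place without truncating
        remaining = size
        while remaining:
            count = min(CHUNK, remaining)
            fh.write(bytes(count))        # bytes(n) is n zero bytes
            remaining -= count
        fh.flush()
        os.fsync(fh.fileno())             # force the zeros out before truncating
    return size


def zeroize_csp_file(path, new_data=None):
    """Zero the old contents, truncate to 0, then write new_data if modifying."""
    wiped = overwrite_with_zeros(path)
    # Truncating only after the overwrite matters: truncating first would
    # release the blocks with the old contents still in them.
    with open(path, "r+b") as fh:
        fh.truncate(0)
        if new_data is not None:
            fh.write(new_data)
        fh.flush()
        os.fsync(fh.fileno())
    return wiped


def demo():
    """Run the sequence on a temporary file and report what each step left."""
    fd, path = tempfile.mkstemp()
    try:
        with os.fdopen(fd, "wb") as fh:
            fh.write(SECRET)
        wiped = overwrite_with_zeros(path)
        with open(path, "rb") as fh:
            after_overwrite = fh.read()
        zeroize_csp_file(path, b"constructed-new-key")
        with open(path, "rb") as fh:
            after_replace = fh.read()
        return wiped, after_overwrite, after_replace
    finally:
        os.remove(path)


if __name__ == "__main__":
    print(demo())
```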
6.2 Error State
The SWG and Report Manager will transition to an error state under the following events:
• SelfTest Error
• Crypto Error
• Settings Error
All cryptographic functions are inhibited by disabling all crypto services when in an error state.
6.3 Firmware update process
The SWG and Report Manager perform an RSA 2048 with SHA-256 signature verification of any
candidate update image. The TSF verifies that the image is signed by the iboss certificate. This certificate
is persistently stored in the TOE file system (i.e. hard-coded). If the signature check fails, the SWG and
Report Manager will not install the update and the following message will be shown to the user: “An
error occurred while downloading the firmware update”.
Upon power-up, the TSF performs a SHA-256 of the kernel, all executables, and all interpreted files. The
SWG and Report Manager also perform a known answer test on each cryptographic algorithm. The SWG
and Report Manager then begin normal operation, if all of the executables are unchanged and the
cryptographic algorithms are operating correctly.
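The power-up sequence above, together with the known answer tests of Section 4.4 and the error state of Section 6.2, follows a fail-closed pattern that the Python code below illustrates. It is an added example, not iboss code: the class, the state names and the manifest format are assumptions, and only SHA-1 and SHA-256 stand in for "each cryptographic algorithm".

```python
"""Power-up self-test gate: file integrity plus known answer tests, fail closed."""
import hashlib
import os
import tempfile

# Known answers: the published SHA-1 and SHA-256 digests of the message "abc".
KNOWN_ANSWERS = {
    "sha1": "a9993e364706816aba3e25717850c26c9cd0d89d",
    "sha256": "ba7816bf8f01cfea414140de5dae2223b00361a396177a9cb410ff61f20015ad",
}


class CryptoInhibited(RuntimeError):
    """Raised when a crypto service is requested while in the error state."""


def sha256_file(path):
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def integrity_failures(manifest):
    """Return paths whose SHA-256 differs from the manifest or cannot be read."""
    failed = []
    for path, expected in sorted(manifest.items()):
        try:
            if sha256_file(path) != expected:
                failed.append(path)
        except OSError:
            failed.append(path)       # a missing file is a failure, not a skip
    return failed


def library_digest(name, data):
    return hashlib.new(name, data).hexdigest()


def known_answer_failures(digest=library_digest):
    """Return the algorithms whose output for "abc" is not the known answer."""
    return [name for name, expected in sorted(KNOWN_ANSWERS.items())
            if digest(name, b"abc") != expected]


class CryptoModule:
    """Runs both checks at construction; any failure leaves crypto disabled."""

    def __init__(self, manifest, digest=library_digest):
        self.failures = integrity_failures(manifest) + known_answer_failures(digest)
        self.state = "ERROR" if self.failures else "OPERATIONAL"  # assumed names

    def sha256(self, data):
        if self.state != "OPERATIONAL":
            raise CryptoInhibited("crypto services are disabled in the error state")
        return hashlib.sha256(data).hexdigest()


def demo():
    """Exercise a clean start, a failing known answer test and a changed file."""
    results = {}
    with tempfile.TemporaryDirectory() as tmp:
        image = os.path.join(tmp, "service.bin")
        with open(image, "wb") as fh:
            fh.write(b"constructed executable image")   # constructed sample
        manifest = {image: sha256_file(image)}
        results["clean"] = CryptoModule(manifest).state
        results["bad_kat"] = CryptoModule(manifest, digest=lambda n, d: "00").state
        with open(image, "ab") as fh:
            fh.write(b"!")                              # simulate a changed file
        tampered = CryptoModule(manifest)
        results["tampered"] = tampered.state
        results["failed_path_is_image"] = tampered.failures == [image]
        try:
            tampered.sha256(b"data")
            results["inhibited"] = False
        except CryptoInhibited:
            results["inhibited"] = True
    return results


if __name__ == "__main__":
    print(demo())
```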
6.4 DRBG and NDRNG
The DRBG outputs 384 bits per call.
The NDRNG outputs 128 bits per call.
6.5 Physical Security Mechanisms
The SWG and Report Manager use tamper stickers for physical security.
6.6 Inhibit data on Key generation and zeroization
The SWG makes use of the OpenSSL library for key generation. OpenSSL will inhibit any data output
during key generation by blocking the calling thread until complete.
During zeroization the SWG will reboot, guaranteeing there is no data output.
7 Audit Records
The iboss Servers will produce the following audit messages. Each audit event starts with the date and time
when the audit event was received by the syslog server, the name of the Report Manager that provided
the message to the syslog server, and the time when the Report Manager processed the request.
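The record layout described above can be split into structured fields on the syslog side. The following Python parser is an added example, not iboss code; its sample lines are copied from the entries shown in this section except the last, which is constructed. It assumes one record per line, field names that are upper-case words followed by "=", and "SERVICE TYPE" as the only field name containing a space.

```python
"""Parse Firesphere audit records as received by the syslog server."""
import re
from collections import Counter
from datetime import datetime

# Header per Section 7: syslog receive time, Report Manager name,
# Report Manager processing time, then the FIPS_LOG_ENTRY marker.
HEADER_RE = re.compile(
    r"^(?P<received>[A-Z][a-z]{2} \d{1,2} \d{2}:\d{2}:\d{2}) "
    r"(?P<reporter>\S+) "
    r"(?P<processed>[A-Z][a-z]{2} [A-Z][a-z]{2} \d{1,2} \d{2}:\d{2}:\d{2}) "
    r"(?P<tz>[A-Z]{2,5}) (?P<year>\d{4}) "
    r"FIPS_LOG_ENTRY (?P<body>.*)$"
)
# Assumption: field names are upper-case words ending in "=", and
# "SERVICE TYPE" is the only name that contains a space.
KEY_RE = re.compile(r"(?:^|(?<=\s))(SERVICE TYPE|[A-Z][A-Z_]*)=")


def parse_audit_record(line):
    """Return a dict for one audit record, or None if the line is not one."""
    match = HEADER_RE.match(" ".join(line.split()))  # collapse wrapped whitespace
    if match is None:
        return None
    body = match.group("body")
    keys = list(KEY_RE.finditer(body))
    fields = {}
    for i, key in enumerate(keys):
        # A value runs up to the next field name, so it may contain spaces.
        end = keys[i + 1].start() if i + 1 < len(keys) else len(body)
        fields[key.group(1)] = body[key.end():end].strip()
    processed = datetime.strptime(
        f"{match.group('processed')} {match.group('year')}",
        "%a %b %d %H:%M:%S %Y",
    )
    return {
        "received": match.group("received"),  # this stamp has no year or zone
        "reporter": match.group("reporter"),
        "processed": processed,               # naive; zone kept separately
        "timezone": match.group("tz"),
        "fields": fields,
    }


def connection_failures(lines):
    """Count failed-connection records per (destination, identity)."""
    counts = Counter()
    for line in lines:
        record = parse_audit_record(line)
        if record is None:
            continue
        fields = record["fields"]
        # Assumption: failures are recognised by the MESSAGE prefix used in
        # the failure examples of this section.
        if fields.get("MESSAGE", "").startswith("Failed web connection"):
            counts[(fields.get("DESTINATION"), fields.get("IDENTITY"))] += 1
    return counts


SAMPLE_LINES = [
    ("Jan 20 11:09:48 reporter.ibosstest.com Wed Jan 20 11:09:48 PST 2016 "
     "FIPS_LOG_ENTRY MESSAGE=Failed web connection because of IO Exception "
     "connect timed out DESTINATION=192.168.1.10 IDENTITY=swg.ibosstest.com "
     "REASON=Other configuration issue SERVICE TYPE=WEBCOMMUNICATION"),
    ("Jan 20 11:10:51 reporter.ibosstest.com Wed Jan 20 11:10:51 PST 2016 "
     "FIPS_LOG_ENTRY MESSAGE=Failed web connection because of IO Exception "
     "No route to host DESTINATION=192.168.1.10 IDENTITY=swg.ibosstest.com "
     "REASON=Other configuration issue SERVICE TYPE=WEBCOMMUNICATION"),
    ("Jan 20 13:09:47 reporter.ibosstest.com Wed Jan 20 13:09:47 PST 2016 "
     "FIPS_LOG_ENTRY MESSAGE=Connecting to remote host DESTINATION=192.168.1.10 "
     "IDENTITY=swg.ibosstest.com SERVICE TYPE=WEBCOMMUNICATION"),
    ("Jan 20 10:21:35 reporter.ibosstest.com Wed Jan 20 10:21:35 PST 2016 "
     "FIPS_LOG_ENTRY MESSAGE=Initiating iboss reporter shutdown IDENTITY=admin"),
    # Constructed line that is not an audit record; the parser returns None.
    "Jan 20 11:11:00 reporter.ibosstest.com kernel: link up",
]

if __name__ == "__main__":
    for sample in SAMPLE_LINES:
        print(parse_audit_record(sample))
    print(connection_failures(SAMPLE_LINES))
```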

• Startup/Shutdown of the audit function.
Jan 20 12:13:05 reporter.ibosstest.com Wed Jan 20 12:13:05 PST 2016
FIPS_LOG_ENTRY MESSAGE=SWG Audit Logging Started
Fields Contained in the Entry:
Message identifying audit logging has started for the SWG
Jan 21 10:35:29 reporter.ibosstest.com Thu Jan 21 10:35:29 PST 2016
FIPS_LOG_ENTRY MESSAGE=SWG Audit Termination
Fields Contained in the Entry:
Message identifying audit logging is stopping for the SWG
Jan 20 10:23:40 reporter.ibosstest.com Wed Jan 20 10:23:40 PST 2016
FIPS_LOG_ENTRY MESSAGE=ibreporter audit logging started
Fields Contained in the Entry:
Message identifying audit logging has started for the Report Manager
Jan 20 10:21:35 reporter.ibosstest.com Wed Jan 20 10:21:35 PST 2016
FIPS_LOG_ENTRY MESSAGE=Initiating iboss reporter shutdown IDENTITY=admin
Fields Contained in the Entry:
Message identifying audit logging is stopping for the Report Manager
Identity is the username of the user who initiated the shutdown of the Report
Manager

Failure, establishment, or termination of a TLS session. Reason for the failure in a human-readable format
(i.e. not an error code). IP address of the non-TOE endpoint.
a. 14600 <-> 7960
i. Failure
Jan 20 11:09:48 reporter.ibosstest.com Wed Jan 20 11:09:48 PST 2016
FIPS_LOG_ENTRY MESSAGE=Failed web connection because of IO Exception
connect timed out DESTINATION=192.168.1.10 IDENTITY=swg.ibosstest.com
REASON=Other configuration issue SERVICE TYPE=WEBCOMMUNICATION
Fields Contained in the Entry:
Message identifying the failure to connect to the remote host
Destination is the remote IP address
Identity is the hostname of the remote server
Reason is the general classification of the error
Service type is the kind of network communication
Jan 20 11:10:51 reporter.ibosstest.com Wed Jan 20 11:10:51 PST 2016
FIPS_LOG_ENTRY MESSAGE=Failed web connection because of IO Exception
No route to host DESTINATION=192.168.1.10 IDENTITY=swg.ibosstest.com
REASON=Other configuration issue SERVICE TYPE=WEBCOMMUNICATION
Fields Contained in the Entry:
Message identifying the failure to connect to the remote host
Destination is the remote IP address
Identity is the hostname of the remote server
Reason is the general classification of the error
Service type is the kind of network communication
ii. Establishment
Jan 20 13:09:47 reporter.ibosstest.com Wed Jan 20 13:09:47 PST 2016
FIPS_LOG_ENTRY MESSAGE=Connecting to remote host DESTINATION=192.168.1.10
IDENTITY=swg.ibosstest.com SERVICE TYPE=WEBCOMMUNICATION
Fields Contained in the Entry:
Message identifying the connection to the remote server
Destination is the remote IP address
Identity is the hostname of the remote server
Service type is the kind of network communication
iii. Termination
Jan 21 06:59:44 reporter.ibosstest.com Thu Jan 21 06:59:44 PST 2016
FIPS_LOG_ENTRY MESSAGE=Disconnecting from remote host DESTINATION=192.168.1.10
IDENTITY=swg.ibosstest.com SERVICE TYPE=WEBCOMMUNICATION
Fields Contained in the Entry:
Message identifying the disconnection from the remote server
Destination is the remote IP address
Identity is the hostname of the remote server
Service type is the kind of network communication
b. 14600 LDAP
i. Failure Logs from [v1.2]
Jan 19 16:28:54 reporter.ibosstest.com Tue Jan 19 16:28:54 PST 2016
FIPS_LOG_ENTRY MESSAGE=Update network ldap test Bind to LDAP server
failed. Code -1. IDENTITY=igl
Fields Contained in the Entry:
Message identifying the failure to connect to the LDAP server
Identity is the user name attempting to establish the connection test
Jan 21 06:59:05 reporter.ibosstest.com Thu Jan 21 06:59:05 PST 2016
FIPS_LOG_ENTRY MESSAGE=Server chose TLSv1, but that protocol version
is not enabled or not supported by the client. DESTINATION=192.168.1.1
IDENTITY=ldap.ibosstest.com REASON=Other configuration issue SERVICE TYPE=LDAP
Fields Contained in the Entry:
Message identifying the failure to connect to the LDAP server
Destination is the remote IP address of the LDAP server
Identity is the hostname of the LDAP server
Reason is the classification of the error message
Service type is the kind of network communication
ii. Establishment
Jan 20 14:36:47 reporter.ibosstest.com Wed Jan 20 14:36:47 PST 2016
FIPS_LOG_ENTRY MESSAGE=Binding to LDAP Server IDENTITY=10.128.16.101
Fields Contained in the Entry:
Message identifying the starting of the connection to the LDAP server
Identity is the IP Address of the LDAP server
iii. Termination
Jan 20 14:36:47 reporter.ibosstest.com Wed Jan 20 14:36:47 PST 2016
FIPS_LOG_ENTRY MESSAGE=UnBinding to LDAP Server IDENTITY=10.128.16.101
Fields Contained in the Entry:
Message identifying the disconnection from the LDAP server
Identity is the IP Address of the LDAP server
c. 14600 Update
i. Failure Logs
Jan 21 08:51:39 reporter.ibosstest.com Thu Jan 21 08:51:39 PST 2016
FIPS_LOG_ENTRY MESSAGE=206.125.47.2 Failed to download firmware
update.
Fields Contained in the Entry:
Message identifying the download of a firmware update failed
including the IP Address of the iboss update server
ii. Establishment
Jan 21 08:51:19 reporter.ibosstest.com Thu Jan 21 08:51:19 PST 2016
FIPS_LOG_ENTRY MESSAGE=206.125.47.2 Successfully checked for firmware
update.
Fields Contained in the Entry:
Message identifying the check for firmware from the iboss update
server including the IP Address of the server
iii. Termination
Jan 21 08:16:51 reporter.ibosstest.com Thu Jan 21 08:16:51 PST 2016
FIPS_LOG_ENTRY MESSAGE=Successfully downloaded firmware update.
Fields Contained in the Entry:
Message identifying the download of a firmware update including the
IP Address of the iboss update server
OR
Jan 21 08:51:39 reporter.ibosstest.com Thu Jan 21 08:51:39 PST 2016
FIPS_LOG_ENTRY MESSAGE=206.125.47.2 Failed to download firmware
update.
Fields Contained in the Entry:
Message identifying the failure to download a firmware update
including the IP Address of the iboss update server
d. 7960 LDAP
i. Failure
Jan 20 12:24:13 reporter.ibosstest.com Wed Jan 20 12:24:13 PST 2016
FIPS_LOG_ENTRY MESSAGE=sun.security.validator.ValidatorException: PKIX
path building failed:
sun.security.provider.certpath.SunCertPathBuilderException: unable to
find valid certification path to requested target
DESTINATION=192.168.1.1 IDENTITY=ldap.ibosstest.com REASON=Other
configuration issue SERVICE TYPE=LDAP
Fields Contained in the Entry:
Message identifying a failure to communicate with the LDAP and a
reason why the failure occurred
Destination provides the remote LDAP server
Identity provides the hostname of the LDAP server
Reason provides the classification of error
Service type defines the type of communication
Jan 20 12:33:57 reporter.ibosstest.com Wed Jan 20 12:33:57 PST 2016
FIPS_LOG_ENTRY MESSAGE=javax.naming.InvalidNameException: [LDAP: error
code 34 invalid DN]; remaining name '' DESTINATION=192.168.1.1
IDENTITY=ldap.ibosstest.com REASON=Other configuration issue SERVICE TYPE=LDAP
Fields Contained in the Entry:
Message identifying a failure to communicate with the LDAP and a
reason why the failure occurred
Destination provides the remote LDAP server
Identity provides the hostname of the LDAP server
Reason provides the classification of error
Service type defines the type of communication
ii. Establishment
Jan 20 12:24:13 reporter.ibosstest.com Wed Jan 20 12:24:13 PST 2016
FIPS_LOG_ENTRY MESSAGE=Starting LDAP communication
DESTINATION=192.168.1.1 IDENTITY=ldap.ibosstest.com SERVICE TYPE=LDAP
Fields Contained in the Entry:
Message identifying the start of LDAP communication
Destination provides the remote LDAP server
Identity provides the hostname of the LDAP server
Service type defines the type of communication
iii. Termination
Jan 20 12:24:13 reporter.ibosstest.com Wed Jan 20 12:24:13 PST 2016
FIPS_LOG_ENTRY MESSAGE=Completed LDAP communication
DESTINATION=192.168.1.1 IDENTITY=ldap.ibosstest.com SERVICE TYPE=LDAP
Fields Contained in the Entry:
Message identifying the end of the LDAP communication
Destination provides the remote LDAP server
Identity provides the hostname of the LDAP server
Service type defines the type of communication
e. 7960 Syslog
i. Failure: N/A, the TSF does not cache and re-send audit logs generated while the
Syslog server is unavailable.
ii. Establishment
Jan 21 08:28:56 reporter.ibosstest.com Thu Jan 21 08:28:56 PST 2016
FIPS_LOG_ENTRY MESSAGE=Syslog system has initialized and started
DESTINATION=192.168.1.1 IDENTITY=syslog.ibosstest.com SERVICE TYPE=SYSLOG
Fields Contained in the Entry:
Message identifying the start of the syslog connection
Destination provides the remote host of the syslog server
Identity provides the hostname of the syslog server
Service type defines the type of communication
iii. Termination
Jan 21 09:37:33 reporter.ibosstest.com Thu Jan 21 09:37:33 PST 2016
FIPS_LOG_ENTRY MESSAGE=Syslog system is shutting down
DESTINATION=192.168.1.1 IDENTITY=syslog.ibosstest.com SERVICE TYPE=SYSLOG
Fields Contained in the Entry:
Message identifying the termination of the syslog connection
Destination provides the remote host of the syslog server
Identity provides the hostname of the syslog server
Service type defines the type of communication
f. 7960: SMTP
i. Failure
Jan 20 12:47:14 reporter.ibosstest.com Wed Jan 20 12:47:14 PST 2016
FIPS_LOG_ENTRY MESSAGE=Error while sending email. Error message is:
454 4.7.0 TLS not available due to local problem REASON=Other
configuration issue SERVICE TYPE=EMAIL
Fields Contained in the Entry:
Message identifying the failure to send an email including a reason
why
Reason provides the classification of the error
Service type defines the type of communication
Jan 20 12:50:54 reporter.ibosstest.com Wed Jan 20 12:50:54 PST 2016
FIPS_LOG_ENTRY MESSAGE=Error while sending email. Error message is:
Could not convert socket to TLS REASON=Other configuration issue
SERVICE TYPE=EMAIL
Fields Contained in the Entry:
Message identifying the failure to send an email including a reason
why
Reason provides the classification of the error
Service type defines the type of communication
ii. Establishment
Jan 20 12:42:28 reporter.ibosstest.com Wed Jan 20 12:42:28 PST 2016
FIPS_LOG_ENTRY MESSAGE=Preparing to send email. DESTINATION=192.168.1.1
IDENTITY=smtp.ibosstest.com SERVICE TYPE=EMAIL
Fields Contained in the Entry:
Message identifying the start of the transaction
Destination provides the IP address of the remote host
Identity provides the hostname of the remote host
Service type defines the type of communication
iii. Termination
Jan 20 12:42:28 reporter.ibosstest.com Wed Jan 20 12:42:28 PST 2016
FIPS_LOG_ENTRY MESSAGE=Completed sending email. DESTINATION=192.168.1.1
IDENTITY=smtp.ibosstest.com SERVICE TYPE=EMAIL
Fields Contained in the Entry:
Message identifying the completion of the transaction
Destination provides the IP address of the remote host
Identity provides the hostname of the remote host
Service type defines the type of communication
g. 7960: Update
i. Failure
Jan 20 10:25:12 reporter.ibosstest.com Wed Jan 20 10:25:12 PST 2016
FIPS_LOG_ENTRY MESSAGE=Failed web connection because of SSL Exception
sun.security.validator.ValidatorException: PKIX path validation failed:
java.security.cert.CertPathValidatorException: Algorithm constraints
check failed: SHA1withRSA DESTINATION=206.125.47.2
IDENTITY=pudsus1.ibossconnect.com REASON=Cryptographic Mismatch
SERVICE TYPE=WEBCOMMUNICATION
Fields Contained in the Entry:
Message identifying a failure to connect to the remote host including
a reason for the failure
Destination provides the IP address of the remote host
Identity provides the hostname of the remote host
Reason for the failure to establish the connection
Service type defines the type of communication
ii. Establishment
Jan 20 10:25:12 reporter.ibosstest.com Wed Jan 20 10:25:12 PST 2016
FIPS_LOG_ENTRY MESSAGE=Connecting to remote host DESTINATION=206.125.47.2
IDENTITY=pudsus1.ibossconnect.com SERVICE TYPE=WEBCOMMUNICATION
Fields Contained in the Entry:
Message identifying a web connection is being made to a remote host
Destination provides the IP address of the remote host
Identity provides the hostname of the remote host
The Service type defines the type of communication
iii. Termination
Jan 21 09:39:38 reporter.ibosstest.com Thu Jan 21 09:39:38 PST 2016
FIPS_LOG_ENTRY MESSAGE=Disconnecting from remote host DESTINATION=192.168.1.10
IDENTITY=swg.ibosstest.com SERVICE TYPE=WEBCOMMUNICATION
Fields Contained in the Entry:
Message identifying disconnecting web connection from a remote host
Destination provides the IP address of the remote host
Identity provides the hostname of the remote host
The Service type defines the type of communication

Failed web interface authentication, provided user identity and the IP Address of the non-TOE
endpoint. The event will also identify when the account is locked from further attempts.
o Establishment/Termination are covered by FIA_UIA_EXT.1 and FTA_SSL_EXT.4.
o 14600 Failure to establish:
Jan 21 10:25:19 reporter.ibosstest.com Thu Jan 21 10:25:19 PST 2016
FIPS_LOG_ENTRY MESSAGE=192.168.1.100 SSL ERROR: Cryptographic Mismatch
Fields Contained in the Entry:
Message identifying a remote host provided an invalid ssl request that did not match
the supported ssl configuration including the origin of the remote client
o 7960 Failure to establish:
Jan 20 12:13:42 reporter.ibosstest.com Wed Jan 20 12:13:42 PST 2016
FIPS_LOG_ENTRY MESSAGE=Login Attempt Failed ORIGIN=192.168.1.100
IDENTITY=admin
Fields Contained in the Entry:
Message identifying user attempted to login
The origin of the remote host
The identity of the username provided for login attempt

Successful website authentication, authenticated user identity and use of the local console
identification and authentication mechanism
o 14600:
Jan 20 12:49:16 reporter.ibosstest.com Wed Jan 20 12:49:16 PST 2016
FIPS_LOG_ENTRY MESSAGE=Login Failed IDENTITY=nouser
Fields Contained in the Entry:
Message identifying user attempted to login
The identity of the username provided for login attempt
Jan 20 12:49:36 reporter.ibosstest.com Wed Jan 20 12:49:36 PST 2016
FIPS_LOG_ENTRY MESSAGE= fips banner Login Success IDENTITY=igl
Fields Contained in the Entry:
Message identifying user successfully logged into the SWG
The identity of the user who logged in
Jan 20 12:50:36 reporter.ibosstest.com Wed Jan 20 12:50:36 PST 2016
FIPS_LOG_ENTRY MESSAGE=User Password incorrect for console IDENTITY=igl
Fields Contained in the Entry:
Message identifying user attempted to login with an incorrect password
The identity of the user who attempted to login
Jan 20 12:50:46 reporter.ibosstest.com Wed Jan 20 12:50:46 PST 2016
FIPS_LOG_ENTRY MESSAGE=Admin Successfully logged in to console
IDENTITY=admin
Fields Contained in the Entry:
Message identifying successful user login to the local console
The name of the user who accessed the serial port
o 7960: Logs from [v1.2]
Jan 15 16:35:18 reporter.ibosstest.com Fri Jan 15 16:35:18 PST 2016
FIPS_LOG_ENTRY MESSAGE=Login Successful ORIGIN=192.168.1.100 IDENTITY=admin
Fields Contained in the Entry:
Message identifying successful user login to the Report Manager interface
The origin is identifying the remote IP Address
The name of the user who logged into the Report Manager
Jan 15 16:37:01 reporter.ibosstest.com Fri Jan 15 16:37:01 PST 2016
FIPS_LOG_ENTRY MESSAGE=Login Attempt Failed ORIGIN=192.168.1.100
IDENTITY=admin
Fields Contained in the Entry:
Message identifying a user failed to log into Report Manager interface
The origin is identifying the remote IP Address
The name of the user who attempted to login
Jan 15 16:31:57 reporter.ibosstest.com Fri Jan 15 16:31:57 PST 2016
FIPS_LOG_ENTRY MESSAGE=Login Attempt Failed ORIGIN=Serial Port
Fields Contained in the Entry:
Message identifying a user failed to log into the local console
The origin is identifying the local serial port
Jan 15 16:32:11 reporter.ibosstest.com Fri Jan 15 16:32:11 PST 2016
FIPS_LOG_ENTRY MESSAGE=Login Successful ORIGIN=Serial Port IDENTITY=admin
Fields Contained in the Entry:
Message identifying a user successfully logged into the Report Manager
The origin is identifying the local serial port
The identity of the user who is logging into the console

Changes to the time caused by the NTP server (if over a minimum threshold). Old and new
values for the time and IP address of the NTP server.
o 14600 NTP:
Jan 20 14:27:27 reporter.ibosstest.com Wed Jan 20 14:27:27 PST 2016
FIPS_LOG_ENTRY MESSAGE=Update preferences time Changing System Time from
Wed Jan 20 16:45:32 PST 2016 IDENTITY=admin
Fields Contained in the Entry:
Message identifying the system time is being updated from the time value
The identity of the user who is making the adjustment to the time
Jan 20 14:27:27 reporter.ibosstest.com Wed Jan 20 14:27:27 PST 2016
FIPS_LOG_ENTRY MESSAGE=Update preferences time Success Changing System
Time to 16:55:32 1.20.2016 IDENTITY=admin
Fields Contained in the Entry:
Message identifying the update to the system time including the new time
value
The identity of the user who made the time change
o 7960 Admin
Jan 20 14:19:02 reporter.ibosstest.com Wed Jan 20 14:19:02 PST 2016
FIPS_LOG_ENTRY MESSAGE=System DateTime has changed IDENTITY=admin
ORIGINAL_VALUE=1/20/16 2:19 PM NEW_VALUE=1/20/16 11:55 AM
Fields Contained in the Entry:
Message identifying the system time was updated by NTP
The identity of the user who triggered the time check
The original time value before the update
The new value after the time update
o 7960 NTP:
Jan 20 12:00:16 reporter.ibosstest.com Wed Jan 20 12:00:16 PST 2016
FIPS_LOG_ENTRY MESSAGE=System time updated by NTP, elapsed change is 8891
IDENTITY=time.nist.gov ORIGINAL_VALUE=1453320007609 NEW_VALUE=1453320016500
Fields Contained in the Entry:
Message identifying the system time was updated by NTP and the amount of the
change
The identity of the time server that was used to determine the time
The original time value before the update
The new value after the time update

Termination of a web session due to user logout. Identity of the user who logged out and IP
Address of the non-TOE endpoint.
o 14600 Local:
Jan 20 12:56:56 reporter.ibosstest.com Wed Jan 20 12:56:56 PST 2016
FIPS_LOG_ENTRY MESSAGE=Admin User Logout of console IDENTITY=admin
Fields Contained in the Entry:
Message identifying a user logged out of the local console
The identity of the user who logged out
o 14600 Remote:
Jan 20 12:56:46 reporter.ibosstest.com Wed Jan 20 12:56:46 PST 2016
FIPS_LOG_ENTRY MESSAGE=You have successfully logged out. IDENTITY=igl
Fields Contained in the Entry:
Message identifying a user logged out of the SWG interface
The identity of the user who logged out
o 7960 Local:
Jan 20 11:29:06 reporter.ibosstest.com Wed Jan 20 11:29:06 PST 2016
FIPS_LOG_ENTRY MESSAGE=Session terminated due to logout ORIGIN=Serial Port
IDENTITY=admin
Fields Contained in the Entry:
Message identifying the user logged out of the local console
The origin indicating that the connection was on the local serial port
The identity of the user who logged out
o 7960 Remote:
Jan 20 11:38:20 reporter.ibosstest.com Wed Jan 20 11:38:20 PST 2016
FIPS_LOG_ENTRY MESSAGE=Session terminated due to logout ORIGIN=192.168.1.100
IDENTITY=admin
Fields Contained in the Entry:
Message identifying the user logged out of the Report Manager
The origin of the remote session
The identity of the user who logged out

Termination of a web session due to timeout. Identity of the user who logged out and IP
Address of the non-TOE endpoint.
o 14600:
Jan 21 18:42:34 reporter.ibosstest.com Thu Jan 20 18:42:34 PST 2016
FIPS_LOG_ENTRY MESSAGE=192.168.1.100 User logged into admin interface, but
session timed out IDENTITY=igl
Fields Contained in the Entry:
Message identifying a user was logged out because of a session timeout
including the remote IP address of the user
The identity of the user who was logged out
o 7960:
Jan 20 11:43:43 reporter.ibosstest.com Wed Jan 20 11:43:43 PST 2016
FIPS_LOG_ENTRY MESSAGE=Session terminated due to timeout
ORIGIN=192.168.1.100 IDENTITY=admin
Fields Contained in the Entry:
Message identifying a user was logged out because of a session timeout
The origin of the remote request to the Report Manager
The identity of the user who was logged out

Changes to TOE related settings that affect the operation of the system, the name of the setting
and the username of the authorized user who made the change
h. 7960:
i. Change own password: Logs from [v1.2]
Jan 18 09:59:01 reporter.ibosstest.com Mon Jan 18 09:59:01 PST 2016
FIPS_LOG_ENTRY MESSAGE=User updated IDENTITY=test
NEW_VALUE=UserName:test,FirstName:,LastName:
Fields Contained in the Entry:
Message identifying a user has been updated on the Report Manager
The name of the user who updated the user
The new value field contains the name of the user who was updated
ii. Change other password: Logs from [v1.2]
Jan 18 10:07:13 reporter.ibosstest.com Mon Jan 18 10:07:13 PST 2016
FIPS_LOG_ENTRY MESSAGE=User updated IDENTITY=admin
NEW_VALUE=UserName:test,FirstName:,LastName:
Fields Contained in the Entry:
Message identifying a user has been updated on the Report Manager
The name of the user who updated the user
The new value field contains the name of the user who was updated
iii. New User: Logs from [v1.2]
Jan 18 09:28:02 reporter.ibosstest.com Mon Jan 18 09:28:02 PST 2016
FIPS_LOG_ENTRY MESSAGE=User created IDENTITY=admin
NEW_VALUE=UserName:test,FirstName:,LastName:
Fields Contained in the Entry:
Message identifying a user has been removed from the Report Manager
The name of the user who deleted the user
The new value field contains the name of the user who was removed
iv. Delete User: Logs from [v1.2]
Jan 18 10:07:42 reporter.ibosstest.com Mon Jan 18 10:07:42 PST 2016
FIPS_LOG_ENTRY MESSAGE=User deleted IDENTITY=admin
NEW_VALUE=UserName:test2,FirstName:,LastName:
Fields Contained in the Entry:
Message identifying a user has been removed from the Report Manager
The name of the user who deleted the user
The new value field contains the name of the user who was removed
v. Configure Syslog:
Jan 20 13:14:55 reporter.ibosstest.com Wed Jan 20 13:14:55 PST 2016
FIPS_LOG_ENTRY MESSAGE=SyslogLoggingPort setting changed
IDENTITY=admin ORIGINAL_VALUE=6514 NEW_VALUE=514
Fields Contained in the Entry:
Message identifying the syslog port has been updated
The name of the user who modified the settings
The original value for the syslog port
The new value for the syslog port
vi. Configure LDAP:
Jan 20 12:36:57 reporter.ibosstest.com Wed Jan 20 12:36:57 PST 2016
FIPS_LOG_ENTRY MESSAGE=LdapAdminPassword setting changed IDENTITY=admin
Fields Contained in the Entry:
Message identifying the password for the ldap user has been updated
The name of the user who modified the settings
Jan 20 12:36:57 reporter.ibosstest.com Wed Jan 20 12:36:57 PST 2016
FIPS_LOG_ENTRY MESSAGE=LdapAdminUsername setting changed IDENTITY=admin
ORIGINAL_VALUE=sdlab\minion1 NEW_VALUE=cn=igl_admin,dc=ibosstest,dc=com
Fields Contained in the Entry:
Message identifying the ldap server username has been changed
The name of the user who modified the settings
The original ldap username
The new value for the ldap username
Jan 20 12:36:57 reporter.ibosstest.com Wed Jan 20 12:36:57 PST 2016
FIPS_LOG_ENTRY MESSAGE=LdapHost setting changed IDENTITY=admin
ORIGINAL_VALUE=dc1.sdlab.iblabs.loc NEW_VALUE=ldap.ibosstest.com
Fields Contained in the Entry:
Message identifying the ldap server has been updated
The name of the user who modified the settings
The original ldap server
The new value for the ldap server
Jan 20 12:36:57 reporter.ibosstest.com Wed Jan 20 12:36:57 PST 2016
FIPS_LOG_ENTRY MESSAGE=LdapSearchBase setting changed IDENTITY=admin
ORIGINAL_VALUE=dc=sdlab,dc=iblabs,dc=loc
NEW_VALUE=dc=ibosstest,dc=com
Fields Contained in the Entry:
Message identifying the ldap search base has been modified
The name of the user who modified the settings
The original value of search base
The new value for the search base
vii. Configure SMTP:
Jan 20 13:07:57 reporter.ibosstest.com Wed Jan 20 13:07:57 PST 2016
FIPS_LOG_ENTRY MESSAGE=SMTPServer setting changed IDENTITY=admin
ORIGINAL_VALUE=it.ibosstest.com NEW_VALUE=smtp.ibosstest.com
Fields Contained in the Entry:
Message identifying the smtp server settings were changed
The name of the user who modified the smtp server settings
The original value of the smtp server
The new value for the smtp server
viii. Min PW Length Change: Logs from [v1.2]
Jan 18 10:10:25 reporter.ibosstest.com Mon Jan 18 10:10:25 PST 2016
FIPS_LOG_ENTRY MESSAGE=UserMinimumPasswordLength setting changed
IDENTITY=admin ORIGINAL_VALUE=15 NEW_VALUE=32
Fields Contained in the Entry:
Message identifying the minimum password length was changed
The name of the user who changed the password length setting
The original value for the password length
The new value for the password length
ix. FTA TAB: Logs from [v1.2]
Jan 18 10:10:55 reporter.ibosstest.com Mon Jan 18 10:10:55 PST 2016
FIPS_LOG_ENTRY MESSAGE=LoginBannerText setting changed IDENTITY=admin
ORIGINAL_VALUE=CC Login Banner NEW_VALUE=CC Login Banner 2
Fields Contained in the Entry:
Message identifying the login banner text was changed
The name of the user who changed the login banner text
The original value of the login banner text
The new value of the login banner text
i. NTP Server Config:
Jan 20 12:03:26 reporter.ibosstest.com Wed Jan 20 12:03:26 PST 2016
FIPS_LOG_ENTRY MESSAGE=NTP Time server has changed IDENTITY=admin
ORIGINAL_VALUE=time.nist.gov NEW_VALUE=it.ibosstest.com
Fields Contained in the Entry:
Message identifying the time server was changed
The name of the user who changed the time server
The original time server being utilized by the Report Manager
The new time server that will be utilized by the Report Manager
ii. Delete Gateway: Logs from [v1.2]
Jan 18 14:56:35 reporter.ibosstest.com Mon Jan 18 14:56:35 PST 2016
FIPS_LOG_ENTRY MESSAGE=Gateway removed. IDENTITY=admin
NEW_VALUE=192.168.1.9
Fields Contained in the Entry:
Message identifying a SWG was unregistered from the Report Manager
The name of the user who removed the gateway
The IP Address of the gateway that was removed
iii. Add Gateway: Logs from [v1.2]
Jan 18 14:55:49 reporter.ibosstest.com Mon Jan 18 14:55:49 PST 2016
FIPS_LOG_ENTRY MESSAGE=New gateway added. IDENTITY=admin
NEW_VALUE=192.168.1.9
Fields Contained in the Entry:
Message identifying a new SWG was registered with the Report Manager
The name of the user who added the new gateway
iv. Report Manager Database Password change:
Jan 20 13:08:43 reporter.ibosstest.com Wed Jan 20 13:08:43 PST 2016
FIPS_LOG_ENTRY MESSAGE=DatabasePassword setting changed
Fields Contained in the Entry:
Message identifying the database password was changed
The name of the user who updated the password
v. Change Idle Timeout:
Jan 20 11:35:29 reporter.ibosstest.com Wed Jan 20 11:35:29 PST 2016
FIPS_LOG_ENTRY MESSAGE=UserSessionTimeoutSeconds setting changed
IDENTITY=admin ORIGINAL_VALUE=1800 NEW_VALUE=300
Fields Contained in the Entry:
Message identifying the user session timeout setting was adjusted
The name of the user who updated the setting
The original value before the change was made
The new value after the change was applied
i. 14600:
i. Change own password: Logs from [v1.2]
Jan 15 17:46:34 reporter.ibosstest.com Fri Jan 15 17:46:34 PST 2016
FIPS_LOG_ENTRY MESSAGE=Update preferences password Successfully
updated password. IDENTITY=admin
Fields Contained in the Entry:
Message identifying that a user updated their own password
The name of the user who updated their password
Jan 15 17:59:44 reporter.ibosstest.com Fri Jan 15 17:59:44 PST 2016
FIPS_LOG_ENTRY MESSAGE=Update changePasswordSelfServiceSubmit
Successfully updated password! IDENTITY=test
Fields Contained in the Entry:
Message identifying that a user updated their own password
The name of the user who updated their password
ii. Change other password:
Jan 20 13:01:16 reporter.ibosstest.com Wed Jan 20 13:01:16 PST 2016
FIPS_LOG_ENTRY MESSAGE=Update users Successfully updated user.
IDENTITY=admin
Fields Contained in the Entry:
Message identifying the update of a user by the administrator
The name of the user who made the update
iii. New User: Logs from [v1.2]
Jan 15 17:58:04 reporter.ibosstest.com Fri Jan 15 17:58:04 PST 2016
FIPS_LOG_ENTRY MESSAGE=Create users Successfully added user.
IDENTITY=admin
Fields Contained in the Entry:
Message identifying the creation of a new user in the SWG
The name of the user who added the new user
iv. Delete User: Logs from [v1.2]
Jan 15 18:32:44 reporter.ibosstest.com Fri Jan 15 18:32:44 PST 2016
FIPS_LOG_ENTRY MESSAGE=Delete users Successfully removed user(s).
IDENTITY=admin
Fields Contained in the Entry:
Message identifying the deletion of users from the SWG
The name of the user who deleted the users
v. Configure LDAP: Logs from [v1.2]
Jan 15 18:36:54 reporter.ibosstest.com Fri Jan 15 18:36:54 PST 2016
FIPS_LOG_ENTRY MESSAGE=Update network ldap Successfully added LDAP
server!. IDENTITY=admin
Fields Contained in the Entry:
Message identifying the change in network ldap settings
The name of the user who made the change
vi. Min PW Length Change: Logs from [v1.2]
Jan 15 18:35:14 reporter.ibosstest.com Fri Jan 15 18:35:14 PST 2016
FIPS_LOG_ENTRY MESSAGE=Update preferences settings Settings saved
successfully. IDENTITY=admin
Fields Contained in the Entry:
Message identifying the change in SWG report Settings
The name of the user who made the change
vii. FTA TAB: Logs from [v1.2]
Jan 15 18:35:14 reporter.ibosstest.com Fri Jan 15 18:35:14 PST 2016
FIPS_LOG_ENTRY MESSAGE=Update preferences settings Settings saved
successfully. IDENTITY=admin
Fields Contained in the Entry:
Message identifying the change in SWG report Settings
The name of the user who made the change
viii. Report Manager Database Password change:
Jan 20 13:09:06 reporter.ibosstest.com Wed Jan 20 13:09:06 PST 2016
FIPS_LOG_ENTRY MESSAGE=Update preferences reportSettings
Successfully stored settings. IDENTITY=admin
Fields Contained in the Entry:
Message identifying the change in SWG report Settings
The name of the user who made the change
ix. Change Idle Timeout: Logs from [v1.2]
Jan 15 15:51:12 reporter.ibosstest.com Fri Jan 15 15:51:12 PST 2016
FIPS_LOG_ENTRY MESSAGE=Update preferences settings Settings saved
successfully. IDENTITY=admin
Fields Contained in the Entry:
Message identifying the change in SWG preferences
The name of the user who made the change

Termination of a local session due to timeout or logoff
o 14600 Local:
Jan 20 12:56:56 reporter.ibosstest.com Wed Jan 20 12:56:56 PST 2016
FIPS_LOG_ENTRY MESSAGE=Admin User Logout of console IDENTITY=admin
Fields Contained in the Entry:
Message identifying the end of the session with the local Report Manager
interface
The name of the user who initiated the logout request
o 14600 Remote:
Jan 21 18:37:24 reporter.ibosstest.com Thu Jan 21 18:37:24 PST 2016
FIPS_LOG_ENTRY MESSAGE=192.168.1.100 You have successfully logged out.
IDENTITY=admin
Fields Contained in the Entry:
Message identifying the end of the session with the SWG interface including
the remote IP address connected to the interface
The name of the user who initiated the logout request
o 7960 Local:
Jan 20 11:29:06 reporter.ibosstest.com Wed Jan 20 11:29:06 PST 2016
FIPS_LOG_ENTRY MESSAGE=Session terminated due to logout ORIGIN=Serial Port
IDENTITY=admin
Fields Contained in the Entry:
Message identifying the end of the session with the local Report Manager
interface
An indicator that it came from the serial port
The name of the user who initiated the logout request
o 7960 Remote:
Jan 20 11:38:20 reporter.ibosstest.com Wed Jan 20 11:38:20 PST 2016
FIPS_LOG_ENTRY MESSAGE=Session terminated due to logout ORIGIN=192.168.1.100
IDENTITY=admin
Fields Contained in the Entry:
Message identifying the end of the session with the Report Manager
The remote IP address that was accessing the interface
The name of the user who initiated the logout request

Initiation of an update
o 14600:
Jan 21 08:15:51 reporter.ibosstest.com Thu Jan 21 08:15:51 PST 2016
FIPS_LOG_ENTRY MESSAGE=Update firmware checkForUpdate
IDENTITY=admin
Fields Contained in the Entry:
Message identifying the request to check for firmware update
The name of the user who initiated the request
Jan 21 08:15:51 reporter.ibosstest.com Thu Jan 21 08:15:51 PST 2016
FIPS_LOG_ENTRY MESSAGE=Successfully checked for firmware update.
Fields Contained in the Entry:
Message identifying the successful check for firmware update
Jan 21 08:16:11 reporter.ibosstest.com Thu Jan 21 08:16:11 PST 2016
FIPS_LOG_ENTRY MESSAGE=Update firmware downloadFirmware Firmware download
started. IDENTITY=admin
Fields Contained in the Entry:
Message identifying the start of the download of the firmware update
The identity of the user who initiated the download.
Jan 21 08:16:51 reporter.ibosstest.com Thu Jan 21 08:16:51 PST 2016
FIPS_LOG_ENTRY MESSAGE=Successfully downloaded firmware update.
Fields Contained in the Entry:
Message identifying the successful download of the firmware update
Jan 21 08:17:31 reporter.ibosstest.com Thu Jan 21 08:17:31 PST 2016
FIPS_LOG_ENTRY MESSAGE=Update firmware install Installing Firmware
IDENTITY=admin
Fields Contained in the Entry:
Message identifying the start of the firmware update process
The name of the user who initiated the installation of the update
Jan 21 08:34:19 reporter.ibosstest.com Thu Jan 21 08:34:19 PST 2016
FIPS_LOG_ENTRY MESSAGE=Update firmware downloadFirmware Firmware download
started. IDENTITY=admin
Fields Contained in the Entry:
Message identifying the start of the firmware update process
The Identity of the user who initiated the action
Jan 21 08:34:49 reporter.ibosstest.com Thu Jan 21 08:34:49 PST 2016
FIPS_LOG_ENTRY MESSAGE=206.125.47.2 Failed to validate signature on download
Fields Contained in the Entry:
Message identifying failure to validate firmware update and the IP address
of the iboss update server hosting the update
Jan 21 08:34:49 reporter.ibosstest.com Thu Jan 21 08:34:49 PST 2016
FIPS_LOG_ENTRY MESSAGE=206.125.47.2 Failed to download firmware update.
Fields Contained in the Entry:
Message identifying failure to download firmware update including the IP
address of the iboss update server hosting the update
o 7690:
Jan 21 11:26:41 reporter.ibosstest.com Thu Jan 21 11:26:41 PST 2016
FIPS_LOG_ENTRY MESSAGE=Checking for firmware update IDENTITY=admin
Fields Contained in the Entry:
Message identifying a request to check for a firmware update
The Identity of the user triggering the firmware update check
Jan 21 11:27:01 reporter.ibosstest.com Thu Jan 21 11:27:01 PST 2016
FIPS_LOG_ENTRY MESSAGE=Initiating firmware update IDENTITY=admin
Fields Contained in the Entry:
Message identifying a firmware update was started
The Identity of the user initiating the update
Jan 21 09:39:33 reporter.ibosstest.com Thu Jan 21 09:39:33 PST 2016
FIPS_LOG_ENTRY MESSAGE=Checking for firmware update IDENTITY=admin
Fields Contained in the Entry:
Message identifying that a firmware update was requested
The Identity of the user initiating the action
Jan 21 09:40:08 reporter.ibosstest.com Thu Jan 21 09:40:08 PST 2016
FIPS_LOG_ENTRY MESSAGE=Failed to verify signature of download
DESTINATION=206.125.47.2 IDENTITY=pudsus1.ibossconnect.com TYPE=UPDATE SERVICE
Fields Contained in the Entry:
Message identifying failure to validate firmware update
The Destination IP of the iboss update server
The URL of the iboss update server
An indicator that the server was attempting to perform an update

Changes to the time as a result of an administrative action
o 14600 NTP:
Jan 20 14:27:27 reporter.ibosstest.com Wed Jan 20 14:27:27 PST 2016
FIPS_LOG_ENTRY MESSAGE=Update preferences time Changing System Time from
Wed Jan 20 16:45:32 PST 2016 IDENTITY=admin
Fields Contained in the Entry:
Message identifying a user requested a change to the system time including
the value before update
The Identity of the user who made the change
Jan 20 14:27:27 reporter.ibosstest.com Wed Jan 20 14:27:27 PST 2016
FIPS_LOG_ENTRY MESSAGE=Update preferences time Success Changing System
Time to 16:55:32 1.20.2016 IDENTITY=admin
Fields Contained in the Entry:
Message identifying a user successfully changed the system time including
updated value after update
The user who made the change
o 7960 Admin:
Jan 20 14:19:02 reporter.ibosstest.com Wed Jan 20 14:19:02 PST 2016
FIPS_LOG_ENTRY MESSAGE=System DateTime has changed IDENTITY=admin
ORIGINAL_VALUE=1/20/16 2:19 PM NEW_VALUE=1/20/16 11:55 AM
Fields Contained in the Entry:
Message identifying that a user manually updated the server time
The Identity of the user who made the change
The original value before the Update
The new value after the Update
o 7960 NTP:
Jan 20 12:00:16 reporter.ibosstest.com Wed Jan 20 12:00:16 PST 2016
FIPS_LOG_ENTRY MESSAGE=System time updated by NTP, elapsed change is 8891
IDENTITY=time.nist.gov ORIGINAL_VALUE=1453320007609 NEW_VALUE=1453320016500
Fields Contained in the Entry:
Message identifying that the time was updated by the NTP service and the
amount that the time was adjusted
The Identity of the NTP server that was utilized to adjust the time
The original value before NTP Update
The new time after NTP Update
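The sample entries above share one layout: a syslog prefix, the marker FIPS_LOG_ENTRY, then KEY=value fields whose values can contain spaces and whose order varies. The following Python is an added example for log reviewers, not iboss code; it parses that layout and labels update-signature failures and time changes. The field list, the label names and the function names are assumptions drawn from the samples in this guide.

```python
import re

# Field names seen in the sample entries in this guide (assumed complete).
KEYS = ("MESSAGE", "IDENTITY", "ORIGIN", "DESTINATION", "TYPE", "ORIGINAL_VALUE", "NEW_VALUE")
KEY_RE = re.compile(r"\b(" + "|".join(KEYS) + r")=")
LEADING_IP = re.compile(r"^(\d{1,3}(?:\.\d{1,3}){3})\s+(.*)$")

def parse_entry(line):
    """Split one FIPS_LOG_ENTRY syslog line into a dict of its fields."""
    head, marker, body = line.partition("FIPS_LOG_ENTRY")
    if not marker:
        return None                        # not an audit record
    prefix = head.split()
    fields = {"host": prefix[3] if len(prefix) > 3 else ""}
    marks = list(KEY_RE.finditer(body))
    # A value runs to the next known key, so embedded spaces survive.
    for cur, nxt in zip(marks, marks[1:] + [None]):
        end = nxt.start() if nxt else len(body)
        fields[cur.group(1)] = body[cur.end():end].strip()
    # 14600-style messages put the peer address in front of the text.
    ip = LEADING_IP.match(fields.get("MESSAGE", ""))
    if ip:
        fields["peer_ip"], fields["MESSAGE"] = ip.groups()
    return fields

def classify(fields):
    """Triage label for an entry; the label names are this example's own."""
    msg = fields.get("MESSAGE", "").lower()
    if "failed" in msg and "signature" in msg:
        return "update-signature-failure"
    if "ORIGINAL_VALUE" in fields or "system time" in msg:
        return "time-change"
    return "other"

def time_delta(fields):
    """NEW_VALUE minus ORIGINAL_VALUE when both are integers, else None."""
    try:
        return int(fields["NEW_VALUE"]) - int(fields["ORIGINAL_VALUE"])
    except (KeyError, ValueError):
        return None

# Sample entries copied from this guide, each reassembled onto one line.
SAMPLES = [
    "Jan 20 11:29:06 reporter.ibosstest.com Wed Jan 20 11:29:06 PST 2016 FIPS_LOG_ENTRY MESSAGE=Session terminated due to logout ORIGIN=Serial Port IDENTITY=admin",
    "Jan 21 08:34:49 reporter.ibosstest.com Thu Jan 21 08:34:49 PST 2016 FIPS_LOG_ENTRY MESSAGE=206.125.47.2 Failed to validate signature on download",
    "Jan 21 09:40:08 reporter.ibosstest.com Thu Jan 21 09:40:08 PST 2016 FIPS_LOG_ENTRY MESSAGE=Failed to verify signature of download DESTINATION=206.125.47.2 IDENTITY=pudsus1.ibossconnect.com TYPE=UPDATE SERVICE",
    "Jan 20 14:19:02 reporter.ibosstest.com Wed Jan 20 14:19:02 PST 2016 FIPS_LOG_ENTRY MESSAGE=System DateTime has changed IDENTITY=admin ORIGINAL_VALUE=1/20/16 2:19 PM NEW_VALUE=1/20/16 11:55 AM",
    "Jan 20 12:00:16 reporter.ibosstest.com Wed Jan 20 12:00:16 PST 2016 FIPS_LOG_ENTRY MESSAGE=System time updated by NTP, elapsed change is 8891 IDENTITY=time.nist.gov ORIGINAL_VALUE=1453320007609 NEW_VALUE=1453320016500",
]
```

For the NTP sample, time_delta returns the same figure the message reports as the elapsed change, which gives a reviewer a consistency check on the record itself.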
8 Processes
Process: Lockbox.bin
Server: SWG
HW Ring: 4
SW Privilege: Root
Description:
• SWG accepts connections on port 80 and 443 for user activities.
• SWG listens on all ports 1 – 65535 to sense potentially dangerous traffic
  entering or leaving the network.
• Performs requests over TLS on port 443 to check for available updates and to
  perform the download of updates.
• SWG secure front end interface on port 7443

Process: ibreports
Server: SWG and Report Manager
HW Ring: 4
SW Privilege: Root
Description:
• SWG DNS port 53
• Report Manager communicates with LDAP, SMTP, NTP, and Syslog services
  over configured ports.
• Performs requests over TLS on port 443 to check for available updates and to
  perform the download of updates.

Process: Httpd
Server: SWG and Report Manager
HW Ring: 4
SW Privilege: Root
Description:
• Apache web server that listens on port 80 and 443 to process http web traffic
  from end users. Requests to port 80 are redirected to port 443.

Process: Squid
Server: SWG
HW Ring: 4
SW Privilege: Root
Description:
• Daemon process that listens for proxy requests on port 7009 by default and also
  listens on port 9443 in order to perform SSL MITM Decryption.

Process: Snort
Server: SWG
HW Ring: 4
SW Privilege: Root
Description:
• Performs analysis of network traffic in tap mode to identify and prevent
  signature based threats.
9 Features
9.1 Evaluated Features
Unless noted in the following sections, the remaining features on the SWG and Report Manager have
been evaluated for the Common Criteria Protection Profile.
9.2 Disabled Features
9.2.1 Features Disabled in Common Criteria and FIPS mode
9.2.1.1 Report Manager
• Settings – General Settings – SNMP Monitoring
• Settings – OAuth2 Integration
• Settings – SDN Controller Integration
• Settings – iboss MobileEther MDM Integration
• Settings – Remote Management
9.2.1.2 Secure Web Gateway
• Remote Management
9.2.2 Features Disabled in FIPS mode
9.2.2.1 Secure Web Gateway
• LDAP Authentication
• TLS Protected communication between Secure Web Gateway and Report Manager
9.3 Modified Features
The following features are modified while in FIPS and Common Criteria mode.
9.3.1 Report Manager
The following features will only allow communication over a channel that utilizes TLS v1.1 or 1.2:
• Settings – LDAP Settings
• Settings – Syslog Logging
• Settings – Email Server Settings
The following features have been modified to not display private key data or passwords:
• SMB – Backup of reports and logs
• Settings – Certificates
The following feature has the ability to modify the level of compliance of the system:
• Settings – Additional Settings – Compliance Mode
9.3.2 Secure Web Gateway
The following feature has the ability to modify the level of compliance of the system:
• Preferences – System Settings
9.4 Unevaluated Features
The following features have not been evaluated for compliance with Common Criteria:
• Man in the Middle SSL Decryption IPS and data loss protection
• Web Filtering
• Auto Sandboxing
• Bandwidth Shaping
• BYOD, AD Plugin, Google SSO, iboss NetID SSO, eDirectory (User Authentication related to web
  filtering)
• Data Redirectors
• Bandwidth Tracking
• Clustering
• Settings – Splunk Integration
• Utilization of the internal Report Manager
9.5 Out of Compliance Features
The following features can be enabled. However, when they are enabled they will compromise the
validity of the Common Criteria certification.
• SMB backup of log data does not meet the trusted channel requirements. If this feature is
  enabled, the system will be out of compliance with Common Criteria.
• SNMP is out of compliance