Table of contents

Titel
Table of contents
1. Airlock Secure Access Hub
1.1. Semantic versioning scheme for Airlock Secure Access Hub components
2. About this document
2.1. How information is structured in this manual
2.2. Leveled prerequisites
2.3. Warning tiers in this document
2.4. Additional panel types
2.5. Advanced Lucene searches within this online help
2.6. Standardized example mappings in this manual
3. About Airlock Gateway
3.1. Airlock Gateway license and sales
3.2. 3rd party software license conditions
3.3. System and hardware requirements
3.3.1. Resource requirements for on-premises installations
3.3.2. Resource requirements for cloud installations
3.3.3. Performance considerations on load and configuration
3.3.4. Hardware configuration recommendations
3.3.5. Supported SSL/TLS versions
3.4. About the Airlock Gateway user interfaces
3.4.1. About the Airlock Gateway admin menu
3.4.2. About the Airlock Gateway Configuration Center
4. Release notes
4.1. Airlock Gateway 8.0 release notes
4.1.1. Actions required when upgrading
4.1.2. Changelog
5. Getting started
5.1. Quick installation guide for Airlock Gateway on-premises installation
5.2. Prepare a bootable USB flash drive for installation
5.3. Updating Airlock Gateway using the admin menu
5.3.1. Apply an update interactively
5.3.2. Apply an update non-interactively
5.4. NIC setups for cloud and on-premises installations
5.4.1. Public cloud installations
5.4.2. On-premises installations
6. General warnings and recommendations
7. Basic concepts and functional overviews
7.1. Airlock Anomaly Shield
7.1.1. Terms and definitions related to Airlock Anomaly Shield
7.1.2. Architecture overview
7.1.3. Anomaly detection
7.2. Airlock Gateway rewrite engine with URL encryption
7.3. Airlock Gateway Smart Form Protection
7.4. API access control with Airlock Secure Access Hub
7.4.1. Solution overview
7.4.2. Tech-Client management
7.5. Attribute locking in the Configuration Center
7.6. Back-end load balancing and failover
7.6.1. Runtime behavior
7.6.2. Load balancing example cases
7.7. Clustering, load-balancing, and failover scenarios for Airlock Gateway setups
7.8. Cookie handling and cookie types
7.8.1. Environment cookies
7.8.2. Cookie security attributes
7.9. Cross-Site Request Forgery (CSRF) protection
7.10. Customizing events
7.11. Dynamic back-end group selection
7.12. Entry path to back-end path settings
7.12.1. Entry path as Directory or Regular expression
7.12.2. Option Enforce trailing slashes
7.13. HTTP/HTML rewriting
7.14. JSON filtering
7.15. JWKS and JWK selection by filtering
7.15.1. Reference lists of supported JWKS algorithms
7.16. Multitenancy feature
7.16.1. Terms and definitions
7.16.2. Role and rights management for tenant-users
7.16.3. Security considerations
7.16.4. Manage tenant-users
7.16.5. Practical applications and examples
7.17. Rewrite variables
7.18. Rule-based filtering
7.19. Simultaneous administration and configuration merge
7.19.1. How does configuration merge work in general?
7.19.2. When does the merge process fail?
7.19.3. Cancel vs. overwrite a configuration
8. REST API based Airlock Gateway configuration and management interface
9. Airlock Gateway Configuration Center – the web-based configuration GUI
9.1. Button – Activate
9.2. Menu – Dashboard
9.2.1. Section – Users logged in
9.2.2. Section – System health
9.2.3. Section – Proxy statistics
9.3. Menu – System Setup
9.3.1. Submenu – License
9.3.2. Submenu – Updates
9.3.3. Submenu – Nodes & Interfaces
9.3.4. Submenu – Routes
9.3.5. Submenu – Hosts
9.3.6. Submenu – Network Services
9.3.7. Submenu – Threat Intelligence
9.3.8. Submenu – IP Address Lists
9.3.9. Submenu – System Admin
9.4. Menu – Application Firewall
9.4.1. Submenu – Reverse Proxy
9.4.2. Submenu – Policy Learning
9.4.3. Submenu - Anomaly Shield
9.4.4. Submenu – Geolocation Filter
9.4.5. Submenu – Certificates
9.4.6. Submenu - JWKS Providers
9.4.7. Submenu – Session
9.4.8. Submenu – Default Actions
9.4.9. Submenu – Deny Rules
9.4.10. Submenu – API Security
9.4.11. Submenu – Dynamic IP Deny List
9.4.12. Submenu – Error Pages
9.5. Menu – Log & Report
9.5.1. Submenu – Log Viewer
9.5.2. Submenu - Reporting
9.5.3. Submenu – Session Viewer
9.5.4. Submenu – System Monitor
9.5.5. Submenu – Settings
9.6. Menu – Configuration
9.6.1. Submenu – Configuration Files
9.6.2. Submenu – Configuration Summary
9.7. Menu – Expert Settings
9.7.1. Submenu – Security Gate / Apache
9.7.2. Submenu – Add-on Modules
10. Configuration examples and guides for general configuration tasks
10.1. Airlock Anomaly Shield configuration
10.1.1. Part 1 – Preconfigure an Airlock Anomaly Shield application
10.1.2. Part 2 – Training and model enforcement
10.1.3. Part 3 – Trigger, pattern and rule configuration
10.1.4. Part 4 – Activate detection and response action (log-only mode)
10.1.5. Part 5 – Analyze and adjust threat handling settings
10.1.6. Optional configuration of Traffic Matchers
10.1.7. Airlock Anomaly Shield logs, tuning and advanced configuration
10.2. Airlock Gateway failover setup for on-premises installations
10.2.1. Setup a failover cluster
10.2.2. Remote activation within an Airlock Gateway failover cluster
10.2.3. Maintaining actions on cluster nodes
10.2.4. Hardware replacement in failover cluster
10.3. Allow rule configuration
10.4. API access control configuration for Airlock IAM and Airlock Gateway
10.4.1. Configure the Airlock IAM API policy service
10.4.2. Configure Tech-Client management in Airlock IAM
10.4.3. Configure API gateway for API key-based access control
10.5. Configure and manage custom HTTP error pages
10.6. Configuration example cases for URL encryption
10.7. Configure filter rules using regular expression patterns
10.7.1. Regular Expressions - Basics page
10.7.2. Regular Expressions - Experts Page
10.8. Cookie parsing according to RFC 6265
10.9. Deny rule configuration
10.9.1. Security levels
10.9.2. Dealing with false positives
10.9.3. Blocking and logging
10.9.4. Deny rule exceptions
10.10. Remote Elasticsearch access with HTTPS
10.11. Syslog forwarding with SSL
10.12. TLS/SSL Certificate creation
11. Integration tasks for web applications and 3rd-party software
11.1. Control API
11.1.1. Control API cookie
11.1.2. ICAP control API header
11.1.3. General command syntax
11.1.4. Session authorization
11.1.5. Basic-Auth propagation
11.1.6. NTLM propagation
11.1.7. Session control
11.1.8. Session tracking mode
11.1.9. Audit token
11.1.10. Setting HTTP headers
11.1.11. Kerberos user and domain
11.1.12. Session timeout
11.1.13. Authentication workflow
11.1.14. Session variables
11.1.15. Pseudo code
11.1.16. Unconditional control API commands
11.1.17. Summary of syntax rules
11.1.18. Expert Settings
11.2. Configure Cross-Site Request Forgery (CSRF) protection for SPAs
11.3. Configure ICAP
11.4. Configure local and remote JWKS Providers
11.5. Integrated 3rd-party solutions
11.5.1. Let's Encrypt as certificate provider
11.5.2. Threat Intelligence by Webroot
11.6. Microsoft integration guides
11.6.1. Publishing Microsoft Exchange 2016
11.6.2. Publishing Microsoft Exchange 2019
11.6.3. Publishing Microsoft SharePoint 2016
11.6.4. Publishing Microsoft SharePoint 2019
11.6.5. Publishing Microsoft WebDAV
11.6.6. Kerberos integration
12. Tasks to maintain and improve the operation
12.1. Airlock Gateway failover cluster upgrade with full system installation
12.2. Airlock Gateway Configuration Center access via IAM
12.2.1. Configure Airlock IAM access management using URL parameters (recommended)
12.2.2. Configure IAM access management using cookies (alternative)
12.2.3. Emergency access and troubleshooting
12.3. Automatic configuration backup with SCP
12.4. System backup/restore via the Airlock Gateway admin menu or scripts
12.5. Client connection handling keepalive using the Apache MPM module instead of the Apache HTTP Server
12.6. Configure automatic updates for the geolocation database
12.7. Increasing the Java heap space for Configuration Center Tomcat and the Airlock management agent
12.8. Logs and diagnostics
12.9. SSH login with public/private key authentication
12.10. User administration via shell script
13. Airlock Gateway default deny rule groups and request/response actions
13.1. Default deny rule groups
13.1.1. Deny Rule Group – (default) SQL Injection (SQLi) in Parameter Value
13.1.2. Deny Rule Group – (default) SQL Injection (SQLi) in Header Value
13.1.3. Deny Rule Group – (default) Cross-Site Scripting (XSS) in Parameter Value
13.1.4. Deny Rule Group – (default) Cross-Site Scripting (XSS) in Header Value
13.1.5. Deny Rule Group – (default) Cross-Site Scripting (XSS) in Path
13.1.6. Deny Rule Group – (default) Template Injection
13.1.7. Deny Rule Group – (default) HTML Injection in Parameter Value
13.1.8. Deny Rule Group – (default) HTML Injection in Header Value
13.1.9. Deny Rule Group – (default) HTML Injection in Path
13.1.10. Deny Rule Group – (default) UNIX Command Injection in Parameter Value
13.1.11. Deny Rule Group – (default) UNIX Command Injection in Header Value
13.1.12. Deny Rule Group – (default) Windows Command Injection in Parameter Value
13.1.13. Deny Rule Group – (default) Windows Command Injection in Header Value
13.1.14. Deny Rule Group – (default) LDAP Injection in Parameter Value
13.1.15. Deny Rule Group – (default) LDAP Injection in Header Value
13.1.16. Deny Rule Group – (default) PHP Injection in Parameter Value
13.1.17. Deny Rule Group – (default) PHP Injection in Header Value
13.1.18. Deny Rule Group – (default) Object Graph Navigation Library injection
13.1.19. Deny Rule Group – (default) Insecure Direct Object Reference in Parameter Value
13.1.20. Deny Rule Group – (default) Insecure Direct Object Reference in Path
13.1.21. Deny Rule Group - (default) NoSQL Injection in Parameter Name
13.1.22. Deny Rule Group - (default) NoSQL Injection in Parameter Value
13.1.23. Deny Rule Group - (default) NoSQL Injection in Header Value
13.1.24. Deny Rule Group – (default) Parameter Name Sanity
13.1.25. Deny Rule Group – (default) Parameter Value Sanity
13.1.26. Deny Rule Group – (default) Header Name Sanity
13.1.27. Deny Rule Group – (default) Header Value Sanity
13.1.28. Deny Rule Group – (default) Path Sanity
13.1.29. Deny Rule Group – (default) Encoding and Conversion Exploits in Parameter Value
13.1.30. Deny Rule Group – (default) Encoding and Conversion Exploits in Header Value
13.1.31. Deny Rule Group – (default) HTTP Response Splitting
13.1.32. Deny Rule Group – (default) HTTP Parameter Pollution
13.1.33. Deny Rule Group – (default) Automated Scanning
13.2. Default request actions reference list
13.3. Default response actions reference list
14. Reference lists of log messages and events
14.1. Log Fields
14.2. Request Summary
14.2.1. Log fields
14.3. Block Summary
14.3.1. Log fields
14.3.2. Log messages
14.4. Reject Summary
14.4.1. Log fields
14.4.2. Log messages
14.5. Back messages
14.5.1. Log fields
14.5.2. Log messages
14.6. Session Start and End Messages
14.6.1. Session Start Message
14.6.2. Session End Message
14.6.3. TLS Session Start Message
14.7. Events
14.7.1. List of frequent events
15. Expert settings collection
15.1. Regular Expressions - Experts Page
15.2. Session tracking with bearer tokens
15.3. Modification of default Apache SSL/TLS settings
15.4. Deploy Apache mod_status for analysis purposes
16. Tips for troubleshooting
16.1. Network traffic tracing using tcpdump and TShark/Wireshark