Allnet ALL1297FW User Guide

Allnet ALL1297FW User Guide
Internet Firewall
User’s Manual
1
Contents
CONTENTS OF PACKAGE.......................................................................... 3
INTERNET FIREWALL OVERVIEW ........................................................... 3
HARDWARE DESCRIPTION ....................................................................... 6
QUICK SETUP................................................................................................ 8
ADMINISTRATION....................................................................................... 11
CONFIGURATION........................................................................................ 21
ADDRESS...................................................................................................... 38
SERVICE........................................................................................................ 52
SCHEDULE ................................................................................................... 58
POLICY .......................................................................................................... 61
VPN................................................................................................................. 75
VIRTUAL SERVER ...................................................................................... 80
CONTENT FILTERING
LOG ................................................................................................................ 92
ALARM........................................................................................................... 98
STATISTICS ................................................................................................ 100
STATUS........................................................................................................ 101
GLOSSARY................................................................................................. 103
2
TROUBLE-SHOOTING ............................................................................. 115
SETUP EXAMPLES................................................................................... 120
SPECIFICATIONS...................................................................................... 127
Contents of Package
Internet Firewall
AC Power adapter
Quick Install Guide
Manual
INTERNET FIREWALL Overview
The INTERNET FIREWALL provides three 10/100Mbit Ethernet network
3
interface ports which are the Internal/LAN, External/WAN, and DMZ port. It
also provides an easily operated software WebUI which allows users to set
system parameters or monitor network activities using a web browser.
INTERNET FIREWALL security feature
Some functions that are available in the firewall are: Packet Filter, Proxy
Server, Hacker invasion alarm, Packet monitor log, Policy, etc.
4
INTERNET FIREWALL installation
This product is a hardware firewall. Therefore the installation is much easier
than a software firewall. First the user has to prepare three network cables,
and connect them to the internal, external and DMZ connectors
respectively. The internal interface has to connect to the office’s internal
network on the same HUB/Switch. The external interface has to connect
with an external router, DSL modem, or Cable modem. The DMZ interface
connects to an independent HUB/Switch for the DMZ network.
INTERNET FIREWALL function setting
The INTERNET FIREWALL has a built in WEBUI (Web User Interface). All
configurations and management are done through the WEBUI using an
Internet web browser.
INTERNET FIREWALL monitoring function
The firewall provides monitoring functions which contains traffic log, event
log, traffic alarm, event alarm, and traffic statistics. Traffic alarm records the
packets of hacker invasions. Not only does the firewall log these attacks, it
can be set up to send E-mail alerts to the Administrator automatically for
immediate hacker’s invasion crisis management.
INTERNET FIREWALL supporting protocols
The INTERNET FIREWALL supports all the TCP, UDP and ICMP protocols,
such as HTTP, TELNET, SMTP, POP3, FTP, DNS, PING, etc. System
Administrators can set up proprietary protocols according to operating
requirements.
5
Hardware Description
DMZ Port
Factory Reset
WAN
External Port
LAN Port
Internal Port
LAN port L
ED
WAN port LED
Internal Port
DC Power
outlet
DMZ port LED
Internal Port
DMZ Port: Use this port to connect to the company’s server(s), which
needs direct connection to the Internet (FTP, SNMP, HTTP, DNS).
External Port (WAN): Use this port to connect to the external router, DSL
modem, or Cable modem.
Internal Port (LAN): Use this port to connect to the internal network of
the office.
Reset: Reset the INTERNET FIREWALL to the original default settings.
DC Power: connect one end of the power supply to this port, the other
end to the electrical wall outlet.
6
Connecting Example:
Firewall :
Internal Port = 192.168.1.1
External Port = x.x.x.x (provided by ISP)
DMZ Port = 192.168.2.1
Connection Type: 10/100 Mbps Cable Connection
All ports supports MDI/MDI-X auto crossover capability that is the port can
connect either the PC or hub without crossover cable adjustment.
7
INTERNET FIREWALL Software (management tool)
description
INTERNET FIREWALL management tool: Web UI
The main menu functions are located on the left-hand side of the screen, and
the display window will be on the right-hand side. The main functions include
12 items, which are: Administrator, Configuration, Address, Service,
Schedule, Policy, VPN, Virtual Server, Log, Alarm, Statistics, and Status.
Quick Setup
WebUI Configuration example
Step 1:
Connect both the Administrator’s PC and the Internal (LAN) port of the
INTERNET FIREWALL to a hub or switch. Make sure there is a link light on
the hub/switch for both connections. The INTERNET FIREWALL has an
embedded web server used for management and configuration. Use a web
browser to display the configurations of the firewall (such as Internet Explorer
4(or above) or Netscape 4.0(or above) with full java script support). The
default IP address of the firewall is 192.168.1.1 with a subnet mask of
255.255.255.0. Therefore, the IP address of the Administrator PC must be in
the range between 192.168.1.2 /24– 192.168.1.254/24.
If the company’s internal IP Address is not subnet of 192.168.1.0, (i.e.
Internal IP Address is 172.16.0.1) the Administrator must change his/her PC
IP address to be within the same range of the internal subnet (i.e.
192.168.0.0). Reboot the PC if necessary.
By default, the INTERNET FIREWALL is shipped with its DHCP Server
function enabled. This means the client computers on the internal (LAN)
network including the Administrator PC can set their TCP/IP settings to
automatically obtain an IP address from the INTERNET FIREWALL.
The following table is a list of private IP addresses. These addresses may
not be used as an External IP address.
10.0.0.0 ~ 10.255.255.255
172.16.0.0 ~ 172.31.255.255
192.168.0.0 ~ 192.168.255.255
Once the Administrator PC has an IP address on the same network as the
8
INTERNET FIREWALL, open up an Internet web browser and type in
http://192.168.1.1 in the address bar.
A pop-up screen will appear and prompt for a username and password. A
username and password is required in order connect to the firewall. Enter the
default login username and password of Administrator (see below).
Username: admin
Password: admin
Step 2:
After entering the username and password, the INTERNET FIREWALL
WEBUI screen will display.
Select the Configuration tab on the left menu and a sub-function list will be
displayed. Click on Interface from the sub-function list, and enter proper
Layer 3 network setup information. (for example)
9
Internal interface
External
IP Address
NetMask
192.168.1.1
255.255.255.0
IP address
211.22.93.2
NetMask
255.255.255.0
Default Gateway 211.22.93.1
Note: The above figures are only examples. Please fill in the
appropriate IP address information provided to you by the ISP.
Click on the Policy tab from the main function menu, then click on Outgoing
from the sub-function list.
Click on New Entry button.
When the New Entry option appears, then enter the following configuration:
Source Address – select “Inside_Any”
Destination Address – select “Outside_Any”
Service - select “ANY”
Action - select “Permit”
Click on OK to apply the changes.
The configuration is successful if you see the screen below. Make sure that
all the computers that are connected to the Internal (LAN) port have their
Default Gateway IP Address set to the Firewall’s Internal IP Address (i.e.
192.168.1.1). At this point, all the computers on the Internal network should
gain access to Internet immediately. If a firewall filter function is required,
please refer to the Policy section.
10
Administration
The INTERNET FIREWALL Administration and monitoring control is set by
the System Administrator. The System Administrator can add or modify
System settings and monitoring mode. The sub Administrators can only read
System settings but not modify them. In Administration, the System
Administrator can:
(1) Add and change the sub Administrator’s names and passwords;
(2) Back up all Firewall settings into local files;
(3) Set up alerts for Hackers invasion.
What is Administration?
“Administration” is the managing of settings such as the privileges of packets
that pass through the firewall and monitoring controls. Administrators may
manage, monitor, and configure firewall settings. All configurations are “readonly” for all users other than the Administrator; those users are not able to
change any settings for the firewall.
The three sub functions under Administrator are Administrator, Setting,
and Software Update.
Administrator: has control of user access to the firewall. He/she can
add/remove users and change passwords.
Setting: The Administrator may use this function to backup firewall
configurations and export (save) them to an “Administrator” computer or
anywhere on the network; or restore a configuration file to the INTERNET
FIREWALL; or restore the firewall back to default factory settings. Under
Setting, the Administrator may enable e-mail alert notification. This will alert
Administrator(s) automatically whenever the firewall has experienced
unauthorized access or a network hit (hacking or flooding). Once enabled,
an IP address of a SMTP(Simple Mail Transfer protocol) Server is required.
Up to two e-mail addresses can be entered for the alert notifications.
Software Update:
Administrators may visit distributor’s web site to
download the latest firmware. Administrators may update the INTERNET
FIREWALL firmware to maximize its performance and stay current with the
latest fixes for intruding attacks.
11
Firewall Administration setup
On the left hand menu, click on Administration, and then select
Administrator below it. The current list of Administrator(s) shows up.
12
Settings of the Administration table:
Administrator Name: The username of Administrators for the firewall. The
user admin cannot be removed.
Privilege: The privileges of Administrators (Admin or Sub Admin)
The username of the main Administrator is Administrator with read/write
privilege.
Sub Admins may be created by the Admin by clicking New Sub Admin.
Sub Admins have read only privilege.
Configure: Click Modify to change the “Sub Administrator’s” password and
click Remove to delete a “Sub Administrator.”
Adding a new Sub Administrator:
Step 1.
In the Administration window, click the New Sub Admin button to
create a new Sub Administrator.
Step 2. In the Add New Sub Administrator window:
•
Sub Admin Name: enter the username of new Sub Admin.
•
Password: enter a password for the new Sub Admin.
•
Confirm Password: enter the password again.
Step 3. Click OK to add the user or click Cancel to cancel the addition.
(match whole word only)
Changing the Sub-Administrator’s Password:
Step 1. In the Administration window, locate the Administrator name you
want to edit, and click on Modify in the Configure field.
Step 2. The Modify Administrator Password window will appear. Enter in
the required information:
13
•
•
•
Password: enter original password.
New Password: enter new password
Confirm Password: enter the new password again.
Step 3. Click OK to confirm password change or click Cancel to cancel it.
Removing a Sub Administrator:
Step 1. In the Administration table, locate the Administrator name you want
to edit, and click on the Remove option in the Configure field.
Step 2. The Remove confirmation pop-up box will appear.
Step 3. Click OK to remove that Sub Admin or click Cancel to cancel.
14
Settings
The Administrator may use this function to backup firewall configurations and
export (save) them to an “Administrator” computer or anywhere on the
network; or restore a configuration file to the device; or restore the firewall
back to default factory settings.
Entering the Settings window:
Click Setting in the Administrator menu to enter the Settings window. The
Firewall Configuration settings will be shown on the screen.
Exporting INTERNET FIREWALL settings:
Step 1. Under Firewall Configuration, click on the Download button next
to Export System Settings to Client.
Step 2.
When the File Download pop-up window appears, choose the
destination place in which to save the exported file. The
Administrator may choose to rename the file if preferred.
15
Importing Firewall settings:
Step 1.
Under Firewall Configuration, click on the Browse button next to
Import System Settings. When the Choose File pop-up window
appears, select the file to which contains the saved Firewall
Settings, then click OK.
Step 2.
Click OK to import the file into the Firewall or click Cancel to
cancel importing.
Restoring Factory Default Settings:
Step 1. Select Reset Factory Settings under Firewall Configuration.
Step 2. Click OK at the bottom-right of the screen to restore the factory
settings.
16
Enabling E-mail Alert Notification:
Step 1.
Select Enable E-mail Alert Notification under E-Mail Settings.
This function will enable the Firewall to send e-mail alerts to the
System Administrator when the network is being attacked by
hackers or when emergency conditions occur.
Step 2. SMTP Server IP: Enter SMTP server’s IP address.
Step 3.
E-Mail Address 1: Enter the first e-mail address to receive the
alarm notification.
Step 4.
E-Mail Address 2: Enter the second e-mail address to receive the
alarm notification. (Optional)
Step 5.
Click OK on the bottom-right of the screen to enable E-mail alert
notification.
Web Management (External Interface)
The number is the port number, which you can access the Web Management
Interface from WAN port. Web Browsers use port 80 by default for
connection. For security reasons, you can change the port number or clear
the check box to disable it in Configuration \ Interface \ External Interface \
WEB UI
MTU Setting
PPPoE uses a Maximum Transmission Unit (MTU) setting of 1492 bytes,
while all client computers (Windows IE browsers) usually use the default
MTU of 1500 bytes. The existing Internet standards to address this issue,
however, some web sites do not conform to these standards, which causes
the access problem
To-Firewall Packets Log
Select this option to the INTERNET FIREWALL’s To-Firewall Packets Log.
17
Once this function is enabled, every packet to this appliance will be recorded
for system manager to trace.
Firewall Reboot
Select this option to the INTERNET FIREWALL’s Firewall Reboot. Once
this function is selected, the firewall will be reboot.
18
Date/Time
This option can synchronize the system clock of the appliance. This will allow
the logs to be time stamped correctly according to the computer clock time.
Step 1. Click System →Date/Time.
Step 2. Click the down arrow to select the offset time from GMT, or click
Assist to select a time zone in the pop-up screen.
Step 3. Enter the Server IP Address or Server name with which you want to
synchronize, or click Assist to select a Network Time Server.
Step 4. Update system clock every minutes You can set the interval
time to synchronize with outside servers. If you set it to 0, it means
the device will not synchronize automatically.
Step 5. Synchronize system clock with this client: You can synchronize
the system clock with this client computer by clicking the Sync
button.
Step 6. Click the OK button below to change the setting or click Cancel to
discard changes.
19
Language
The software provides Traditional Chinese Version Simplified Chinese
Version and English version for you to choose.
Step 1. Click Language.
Step 2. Select the language version you want Traditional Chinese
Version Simplified Chinese Version and English version .
Step 3. Click OK to change the language version or click Cancel to discard
changes.
Logout the firewall
Select this option to the INTERNET FIREWALL’s Logout the firewall, this
function protects your system while you are away
Software Update
Under Software Update, the admin may update the INTERNET FIREWALL’s
software with a newer software.
Step 1. Click Software Update tab
Step 2. Click Browse button and specify the file path on local host
Step 3. Click OK button
20
Configuration
What is System Configuration?
In this section, the Administrator can:
(1) Set up the internal, external and DMZ IP addresses
(2) Set up the Multiple NAT
(3) Set up the Firewall detecting functions
(4) Set up a static route
(5) Set up the DHCP Server
(6) Set up DNS Proxy
(7) Set up Dynamic DNS
Note: After all the settings of the Firewall configuration have been set,
the Administrator can backup the System configuration into the
local hard drive as shown in the Administrator section of this
manual under the Settings.
21
Interface:
In this section, the Administrator can set up the IP addresses for the office
network. The Administrator may configure the IP addresses of the Internal
(LAN) network, the External (WAN) network, and the DMZ network. The
netmask and gateway IP addresses are also configured in this section.
Entering the Interface menu:
Click on Configuration in the left menu bar. Then click on Interface below
it. The current settings of the interface addresses will appear on the screen.
Configuring the Interface Settings:
22
Internal Interface
Using the Internal Interface, the Administrator sets up the Internal (LAN)
network. The Internal network will use a private IP scheme. The private IP
network will not be routable on the Internet.
IP Address: The private IP address of the Firewall’s internal network is the
IP address of the Internal (LAN) port of the INTERNET FIREWALL. The
default IP address is 192.168.1.1.
Note:
The IP Address of Internal Interface and the DMZ Interface is
a private IP address only.
If the new Internal IP Address is not 192.168.1.1, the Administrator needs
to set the IP Address on the computer to be on the same subnet as the
Firewall and restart the System to make the new IP address effective. For
example, if the Firewall’s new Internal IP Address is 172.16.0.1, then enter
the new Internal IP Address 172.16.0.1 in the URL field of browser to connect
to Firewall.
NetMask: This is the netmask of the internal network. The default netmask of
the INTERNET FIREWALL is 255.255.255.0.
Ping: Select this to allow the internal network to ping the IP Address of the
Firewall. If set to enable, the INTERNET FIREWALL will respond
to ping packets from the internal network.
Web UI: Select this to allow the INTERNET FIREWALL WEBUI to be
accessed from the Internal (LAN) network.
23
External Interface
Using the External Interface, the Administrator sets up the External (WAN)
network. These IP Addresses are real public IP Addresses, and are routable
on the Internet.
PPPoE (ADSL User):
This option is for PPPoE users who are required to enter a username and
password in order to connect, such as ADSL users.
Current Status: Displays the current line status of the PPPoE
connection.
IP Address: Displays the IP Address of the PPPoE connection
Username: Enter the PPPoE username provided by the ISP.
Password: Enter the PPPoE password provided by the ISP.
IP Address provided by ISP:
Dynamic: Select this if the IP address is automatically assigned by
the ISP.
Fixed: Select this if you were given a static IP address. Enter the IP
address that is given to you by your ISP.
Service-On-Demand:
Auto Disconnect: The PPPoE connection will automatically
disconnect after a length of idle time (no activities). Enter in the
amount of idle minutes before disconnection. Enter ‘0’ if you do not
want the PPPoE connection to disconnect at all.
Ping: Select this to allow the external network to ping the IP Address
of the Firewall. This will allow people from the Internet to be able to
ping the Firewall. If set to enable, the INTERNET FIREWALL will
respond to echo request packets from the external network.
WebUI: Select this to allow the INTERNET FIREWALL WEBUI to be
accessed from the External (WAN) network. This will allow the
WebUI to be configured from a user on the Internet. Keep in mind
that the INTERNET FIREWALL always requires a username and
password to enter the WebUI.
Dynamic IP Address (Cable Modem User):
This option is for users who are automatically assigned an IP address by
their ISP, such as cable modem users. The following fields apply:
24
IP Address:
The dynamic IP address obtained by the Firewall from the
ISP will be displayed here. This is the IP address of the
External (WAN) port of the INTERNET FIREWALL.
MAC Address: This is the MAC Address of the INTERNET FIREWALL.
Hostname: This will be the name assign to the INTERNET FIREWALL.
Some cable modem ISP assign a specific hostname in
order to connect to their network. Please enter the
hostname here. If not required by your ISP, you do not
have to enter a hostname.
Ping:
Select this to allow the external network to ping the IP Address
of the Firewall. This will allow people from the Internet to
be able to ping the Firewall. If set to enable, the
INTERNET FIREWALL will respond to echo request
packets from the external network.
WebUI:
Select this to allow the INTERNET FIREWALL WEBUI to be
accessed from the External (WAN) network. This will
allow the WebUI to be configured from a user on the
Internet. Keep in mind that the INTERNET FIREWALL
always requires a username and password to enter the
WebUI.
Static IP Address
This option is for users who are assigned a static IP Address from their ISP.
Your ISP will provide all the information needed for this section such as IP
Address, Netmask, Gateway, and DNS. Use this option also if you have
more than one public IP Address assigned to you.
IP Address: Enter the static IP address assigned to you by your ISP.
This will be the public IP address of the External (WAN)
port of the INTERNET FIREWALL.
Netmask: This will be the Netmask of the external (WAN) network. (i.e.
255.255.255.0)
Default Gateway: This will be the Gateway IP address.
Domain Name Server (DNS): This is the IP Address of the DNS server.
Ping:
Select this to allow the external network to ping the IP Address
of the Firewall. This will allow people from the Internet to
be able to ping the Firewall. If set to enable, the
INTERNET FIREWALL will respond to echo request
packets from the external network.
25
WebUI:
Select this to allow the INTERNET FIREWALL WEBUI to be
accessed from the External (WAN) network. This will allow
the WebUI to be configured from a user on the Internet.
Keep in mind that the INTERNET FIREWALL always
requires a username and password to enter the WebUI.
DMZ Interface
The Administrator uses the DMZ Interface to set up the DMZ network. The
DMZ network consists of server computers such as FTP, SMTP, and HTTP
(web). These server computers are put in the DMZ network so they can be
isolated from the Internal (LAN) network traffic. Broadcast messages from
the Internal network will not cross over to the DMZ network to cause
congestions and slow down these servers. This allows the server computers
to work efficiently without any slowdowns.
IP Address: The private IP address of the Firewall’s DMZ interface.
This will be the IP address of the DMZ port. The IP address the
Administrator chooses will be a private IP address and cannot use
the same network as the External or Internal network.
NetMask: This will be the netmask of the DMZ network.
26
Multiple NAT
Multiple NAT allows local port to set multiple subnetworks and connect with
the internet through different external IP Addresses.
For instance The lease line of a company applies several real IP Addresses
168.85.88.0/24 and the company is divided into R&D department, service,
sales department, procurement department, accounting department, the
company can distinguish each department by different subnetworks for the
purpose of convenient management. The settings are as the following
1. R&D department subnetwork
192.168.1.11/24(Internal) ÅÆ 168.85.88.253(External)
2. Service department subnetwork
192.168.2.11/24(Internal) ÅÆ 168.85.88.252(External)
3. Sales department subnetwork
192.168.3.11/24(Internal) ÅÆ 168.85.88.251(External)
4. Procurement department subnetwork
192.168.4.11/24(Internal) ÅÆ 168.85.88.250(External)
5. Accounting department subnetwork
192.168.5.11/24(Internal) ÅÆ 168.85.88.249(External)
The first department(R&D department) was set while setting interface IP, the
other four ones have to be added in Multiple NAT after completing the
settings, each department use the different WAN IP Address to connect to
the internet. The settings of each department are as the following
Service IP Address 192.168.2.1
Subnet Mask 255.255.255.0
Default Gateway 192.168.2.11
The other departments are also set by groups, this is the function of Multiple
NAT.
Add Multiple NAT
Step 1. Click Multiple NAT in the Configuration menu to enter Multiple
NAT window.
Step 2. Click the New Entry button below to add Multiple NAT.
Step 3. Enter the IP Address in the website name column of the new
window.
•
External Interface IP WAN IP address (public IP)
•
Alias IP of internal Interface LAN IP address (private IP)
•
Netmask Netmask of your network
Step 4. Click OK to add Multiple NAT or click Cancel to discard changes.
27
Modify Multiple NAT
Step 1. Click Multiple NAT in the Configuration menu to enter Multiple
NAT window.
Step 2. Find the IP Address you want to modify and click Modify
Step 3. Enter the new IP Address in Modify Multiple NAT window.
Step 4. Click the OK button below to change the setting or click Cancel to
discard changes.
Remove Multiple NAT
Step 1. Click Multiple NAT in the Configuration menu to enter Multiple
NAT window.
Step 2. Find the IP Address you want to delete and click Remove.
Step 3. A confirmation pop-up box will appear, click OK to delete the setting
or click Cancel to discard changes.
Hacker Alert
The Administrator can enable the INTERNET FIREWALL’s auto detect
functions in this section. When abnormal conditions occur, the Firewall will
send an e-mail alert to notify the Administrator, and also display warning
messages in the Event window of Alarm.
„ Detect SYN Attack: Select this option to detect TCP SYN
attacks that hackers send to server computers continuously to
block or cut down all the connections of the servers. These attacks
will prevent valid users from connecting to the servers. After
enabling this function, the System Administrator can enter the
number of SYN packets per second that is allow to enter the
network/firewall. Once the SYN packets exceed this limit, the
28
activity will be logged in Alarm and an email alert is sent to the
Administrator. The default SYN flood threshold is set to 200
Pkts/Sec .
„ Detect ICMP Flood: Select this option to detect ICMP flood
attacks. When hackers continuously send PING packets to all the
machines of the internal networks or to the Firewall, your network
is experiencing an ICMP flood attack. This can cause traffic
congestion on the network and slows the network down. After
enabling this function, the System Administrator can enter the
number of ICMP packets per second that is allowed to enter the
network/firewall. Once the ICMP packets exceed this limit, the
activity will be logged in Alarm and an email alert is sent to the
Administrator. The default ICMP flood threshold is set to 1000
Pkts/Sec.
„ Detect UDP Flood: Select this option to detect UDP flood
attacks. A UDP flood attack is similar to an ICMP flood attack.
After enabling this function, the System Administrator can enter the
number of UDP packets per second that is allow to enter the
network/firewall. Once the UDP packets exceed this limit, the
activity will be logged in Alarm and an email alert is sent to the
Administrator. The default UDP flood threshold is set to 1000
Pkts/Sec.
„
Detect Ping of Death Attack: Select this option to detect the
attacks of tremendous trash data in PING packets that hackers
send to cause System malfunction This attack can cause network
speed to slow down, or even make it necessary to restart the
computer to get a normal operation.
„
Detect Tear Drop Attack: Select this option to detect tear drop
attacks. These are packets that are segmented to small packets
with negative length. Some Systems treat the negative value as a
very large number, and copy enormous data into the System to
cause System damage, such as a shut down or a restart.
„
Detect IP Spoofing Attack: Select this option to detect spoof
attacks. Hackers disguise themselves as trusted users of the
network in Spoof attacks. They use a fake identity to try to pass
through the Firewall System and invade the network.
„
Filter IP Source Route Option: Each IP packet can carry an
optional field that specifies the replying address that can be
different from the source address specified in packet’s header.
29
Hackers can use this address field on disguised packets to invade
internal networks and send internal networks’ data back to them.
„
Detect Port Scan Attack: Select this option to detect the port
scans hackers use to continuously scan networks on the Internet
to detect computers and vulnerable ports that are opened by those
computers.
„
Detect Land Attack: Some Systems may shut down when
receiving packets with the same source and destination addresses,
the same source port and destination port, and when SYN on the
TCP header is marked. Enable this function to detect such
abnormal packets.
„ Default Packet Deny: Denies all packets from passing the
Firewall. A packet can pass only when there is a policy that allows
it to pass.
After enabling the needed detect functions, click OK to activate
the changes.
30
Route Table
In this section, the Administrator can add static routes for the networks.
Entering the Route Table screen:
Click Configuration on the left side menu bar, then click Route Table below
it. The Route Table window appears, in which current route settings are
shown.
Route Table functions:
•
Interface: Destination network, internal or external networks.
•
Destination IP: IP address of destination network.
•
NetMask: Netmask of destination network.
•
Gateway: Gateway IP address for connecting to destination network.
•
Configure: Change settings in the route table.
Adding a new Static Route:
Step 1.
In the Route Table window, click the New Entry button.
Step 2.
In the Add New Static Route window, enter new static route
information.
Step 3.
In the Interface field’s pull-down menu, choose the network to
connect (Internal, External or DMZ).
Step 4. Click OK to add the new static route or click Cancel to cancel.
Modifying a Static Route:
Step 1.
In the Route Table menu, find the route to edit and click the
corresponding Modify option in the Configure field.
Step 2.
In the Modify Static Route window, modify the necessary routing
addresses.
Step 3.
Click OK to apply changes or click Cancel to cancel it.
Removing a Static Route:
Step 1.
In the Route Table window, find the route to remove and click the
31
corresponding Remove option in the Configure field.
Step 2.
In the Remove confirmation pop-up box, click OK to confirm
removing or click Cancel to cancel it.
32
DHCP
In the section, the Administrator can configure DHCP (Dynamic Host
Configuration Protocol) settings for the Internal (LAN) network.
Entering the DHCP window:
Click Configuration on the left hand side menu bar, then click DHCP below
it. The DHCP window appears in which current DHCP settings are shown on
the screen.
Dynamic IP Address functions:
•
Subnet : Internal network’s subnet
•
NetMask : Internal network’s netmask
•
Gateway: Internal network’s gateway IP address
•
Broadcast: Internal network’s broadcast IP address
33
Enabling DHCP Support:
Step 1.
In the Dynamic IP Address window, click Enable DHCP Support.
Step 2.
Domain Name: The Administrator may enter the name of the
Internal network domain if preferred.
Step 3.
Domain Name Server: Enter in the IP address of the DNS Server
to be assigned to the Internal network.
Step 4.
Client IP Address Range 1: Enter the starting and the ending IP
address dynamically assigning to DHCP clients.
Step 5.
Client IP Address Range 2: Enter the starting and the ending IP
address dynamically assigning to DHCP clients. (Optional)
Step 6. Click OK to enable DHCP support.
34
DNS-Proxy
The INTERNET FIREWALL’s Administrator may use the DNS Proxy function
to make the INTERNET FIREWALL act as a DNS Server for the Internal and
DMZ network. All DNS requests to a specific Domain Name will be routed to
the firewall’s IP address. For example, let’s say an organization has their mail
server (i.e., mail.dfl300.com) in the DMZ network (i.e. 192.168.10.10). The
outside Internet world may access the mail server of the organization easily by
its domain name, providing that the Administrator has set up Virtual Server or
Mapped IP settings correctly. However, for the users in the Internal network,
their external DNS server will assign them a public IP address for the mail
server. So for the Internal network to access the mail server
(mail.dfl300.com), they would have to go out to the Internet, then come back
through the Firewall to access the mail server. Essentially, the internal
network is accessing the mail server by a real public IP address, while the mail
server serves their request by a NAT address and not a real one.
This odd situation occurs when there are servers in the DMZ network and
they are bound to real IP addresses. To avoid this, set up DNS Proxy so all
the Internal network computers will use the INTERNET FIREWALL as a DNS
server, which acts as the DNS Proxy.
If you want to use the DNS Proxy function of the INTERNET FIREWALL,
the end user’s main DNS server IP address should be the same IP
Address as the INTERNET FIREWALL.
35
Entering the DNS Proxy window:
Click on Configuration in the menu bar, then click on DNS Proxy below it.
The DNS Proxy window will appear.
Below is the information needed for setting up the DNS Proxy:
• Domain Name: The domain name of the server
• Virtual IP Address: The virtual IP address respective to DNS Proxy
• Configure: modify or remove each DNS Proxy policy
Adding a new DNS Proxy:
Step 1:
Click on the New Entry button and the Add New DNS Proxy
window will appear.
Step 2:
Fill in the appropriate settings for the domain name and virtual IP
address.
Step 3:
Click OK to save the policy or Cancel to cancel.
36
Modifying a DNS Proxy:
Step 1:
In the DNS Proxy window, find the policy to be modified and click
the corresponding Modify option in the Configure field.
Step 2:
Make the necessary changes needed.
Step 3:
Click OK to save changes or click on Cancel to cancel
modifications.
Removing a DNS Proxy:
Step 1:
Step 2:
In the DNS Proxy window, find the policy to be removed and click
the corresponding Remove option in the Configure field.
A confirmation pop-up box will appear, click OK to remove the DNS
Proxy or click Cancel.
37
Dynamic DNS (DDNS)
The Dynamic DNS (require Dynamic DNS Service) allows you to alias a
dynamic IP address to a static hostname, allowing your device to be
more easily accessed by specific name. When this function is enabled,
the IP address in Dynamic DNS Server will be automatically updated
with the new IP address provided by ISP.
Click Dynamic DNS in the Configuration menu to enter Dynamic DNS
window.
The nouns in Dynamic DNS window
•
! (Update Status)
Connecting; Update succeed; Update
fail; Unidentified error
•
Domain name Enter the password provided by ISP.
•
WAN IP Address IP Address of the WAN port.
•
Modify Modify dynamic DNS settings. Click Modify to change the
DNS parameters; click Delete to delete the settings.
How to use dynamic DNS
The firewall provides service providers, users have to register first to use
this function. For the usage regulations, see the providers’ websites.
How to register
First, Click DDNS in the Configuration menu to enter Dynamic DNS
window, then click New Entry button on the right side of the service
providers, click Sign up, the service providers’ website will appear, please
refer to the website for the way of registration.
Dynamic DNS settings
Step 1: Click DDNS in the Configuration menu to enter Dynamic DNS
38
window.
Step 2: Click New Entry button.
Step 3: Click the information in the column of the new window.
•
•
•
•
•
•
•
Service providers Select service providers.
Sign up to the service providers’ website for registration.
External IP IP Address of the WAN port.
Automatically Check to automatically fill in the external IP.
User Name Enter the registered user name.
Password Enter the password provided by ISP (Internet
Service Provider).
Domain name Your host domain name provided by ISP.
Step 4: Click OK to add dynamic DNS or click Cancel to discard changes.
Modify dynamic DNS
Step 1: Click Dynamic DNS in the Configuration menu to enter Dynamic
DNS window.
Step 2: Find the item you want to change and click Modify.
Step 3: Enter the new information in the Modify Dynamic DNS window.
Step 4: Click OK to change the settings or click Cancel to discard changes.
Delete Dynamic DNS
Step 1: Click Dynamic DNS in the Configuration menu to enter Dynamic
DNS window.
Step 2: Find the item you want to change and click Delete.
39
Step 3: A confirmation pop-up box will appear, click OK to delete the
settings or click Cancel to discard changes.
40
Address
The INTERNET FIREWALL allows the Administrator to set Interface
addresses of the Internal network, Internal network group, External network,
External network group, DMZ and DMZ group.
What is the Address Table?
An IP address in the Address Table can be an address of a computer or a
sub network. The Administrator can assign an easily recognized name to an
IP address. Based on the network it belongs to, an IP address can be an
internal IP address, external IP address or DMZ IP address. If the
Administrator needs to create a control policy for packets of different IP
addresses, he can first add a new group in the Internal Network Group or
the External Network Group and assign those IP addresses into the newly
created group. Using group addresses can greatly simplify the process of
building control policies.
With easily recognized names of IP addresses and names of address groups
shown in the address table, the Administrator can use these names as the
source address or destination address of control policies. The address table
should be built before creating control policies, so that the Administrator can
pick the names of correct IP addresses from the address table when setting
up control policies.
41
Internal
Entering the Internal window:
Step 1.
Click Internal under the Address menu to enter the Internal
window. The current setting information such as the name of the
internal network, IP and Netmask addresses will show on the
screen.
Adding a new Internal Address:
Step 1.
Step 2.
Step 3.
In the Internal window, click the New Entry button.
In the Add New Address window, enter the settings of a new
internal network address.
Click OK to add the specified internal network or click Cancel to
cancel the changes.
Modifying an Internal Address:
Step 1.
In the Internal window, locate the name of the network to be
modified. Click the Modify option in its corresponding Configure
field. The Modify Address window appears on the screen
immediately.
Step 2.
In the Modify Address window, fill in the new addresses.
Step 3.
Click OK to save changes or click Cancel to discard changes.
Removing an Internal Address:
Step 1.
Step 2.
In the Internal window, locate the name of the network to be
removed. Click the Remove option in its corresponding Configure
field.
In the Remove confirmation pop-up box, click OK to remove the
address or click Cancel to discard changes.
Internal Group
42
Entering the Internal Group window:
The Internal Addresses may be combined together to become a group.
Click Internal Group under the Address menu to enter the Internal Group
window. The current setting information for the Internal network group
appears on the screen.
Adding an Internal Group:
Step 1.
In the Internal Group window, click the New Entry button to enter
the Add New Address Group window.
Step 2. In the Add New Address Group window:
•
•
•
Available Address: list the names of all the members of the
internal network.
Selected Address: list the names to be assigned to the new
group.
Name: enter the name of the new group in the open field.
Step 3.
Add members: Select names to be added in Available Address
list, and click the Add>> button to add them to the Selected
Address list.
Step 4.
Remove members: Select names to be removed in the Selected
Address list, and click the <<Remove button to remove these
members from Selected Address list.
Step 5. Click OK to add the new group or click Cancel to discard changes.
43
Modifying an Internal Group:
Step 1.
In the Internal Group window, locate the network group desired to
be modified and click its corresponding Modify option in the
Configure field.
Step 2.
A window displaying the information of the selected group appears:
•
•
Available Address: list names of all members of the Internal
network.
Selected Address: list names of members which have been
assigned to this group.
Step 3.
Add members: Select names in Available Address list, and click
the Add>> button to add them to the Selected Address list.
Step 4.
Remove members: Select names in the Selected Address list,
and click the <<Remove button to remove these members from
the Selected Address list.
Step 5.
Click OK to save changes or click Cancel to discard changes.
44
Removing an Internal Group:
Step 1.
In the Internal Group window, locate the group to be removed and
click its corresponding Remove option in the Configure field.
Step 2.
In the Remove confirmation pop-up box, click OK to remove the
group or click Cancel to discard changes.
External
Entering the External window:
Click External under the Address menu to enter the External window. The
current setting information, such as the name of the External network, IP and
Netmask addresses will show on the screen.
Adding a new External Address:
Step 1.
Step 2.
Step 3.
In the External window, click the New Entry button.
In the Add New Address window, enter the settings for a new
external network address.
Click OK to add the specified external network or click Cancel to
discard changes.
Modifying an External Address:
Step 1.
Step 2.
Step 3.
In the External table, locate the name of the network to be modified
and click the Modify option in its corresponding Configure field.
The Modify Address window will appear on the screen
immediately. In the Modify Address window, fill in new addresses.
Click OK to save changes or click Cancel to discard changes.
Removing an External Address:
45
Step 1.
Step 2.
In the External table, locate the name of the network to be
removed and click the Remove option in its corresponding
Configure field.
In the Remove confirmation pop-up box, click OK to remove the
address or click Cancel to discard changes.
External Group
Entering the External Group window:
Click the External Group under the Address menu bar to enter the External
window. The current settings for the external network group(s) will appear on
the screen.
46
Adding an External Group:
Step 1.
In the External Group window, click the New Entry button and the
Add New Address Group window will appear.
Step 2.
In the Add New Address Group window the following fields will
appear:
• Name: enter the name of the new group.
• Available Address: List the names of all the members of the
external network.
• Selected Address: List the names to assign to the new
group.
Step 3.
Add members: Select the names to be added in the Available
Address list, and click the Add>> button to add them to the
Selected Address list.
Step 4.
Remove members: Select the names to be removed in the
Selected Address list, and click the <<Remove button to remove
them from the Selected Address list.
Step 5.
Click OK to add the new group or click Cancel to discard
changes.
47
Editing an External Group:
Step 1.
In the External Group window, locate the network group to be
modified and click its corresponding Modify button in the
Configure field.
Step 2.
A window displaying the information of the selected group appears:
•
Available Address: list the names of all the members of the
external network.
•
Selected Address: list the names of the members that have
been assigned to this group.
Step 3.
Add members: Select the names to be added in the Available
Address list, and click the Add>> button to add them to the
Selected Address list.
Step 4.
Remove members: Select the names to be removed in the
Selected Address list, and click the <<Remove button to remove
them from the Selected Address list.
Step 5. Click OK to save changes or click Cancel to discard changes.
Removing an External Group:
Step 1.
In the External Group window, locate the group to be removed
and click its corresponding Modify option in the Configure field.
Step 2.
In the Remove confirmation pop-up box, click OK to remove the
group or click Cancel to discard changes.
48
DMZ
Entering the DMZ window:
Click DMZ under the Address menu to enter the DMZ window. The current
setting information such as the name of the internal network, IP, and
Netmask addresses will show on the screen.
Adding a new DMZ Address:
Step 1.
Step 2.
Step 3.
In the DMZ window, click the New Entry button.
In the Add New Address window, enter the settings for a new
DMZ address.
Click OK to add the specified DMZ or click Cancel to discard
changes.
49
Modifying a DMZ Address:
Step 1.
Step 2.
Step 3.
In the DMZ window, locate the name of the network to be modified
and click the Modify option in its corresponding Configure field.
In the Modify Address window, fill in new addresses.
Click OK on save the changes or click Cancel to discard changes.
Removing a DMZ Address:
Step 1.
Step 2.
In the DMZ window, locate the name of the network to be removed
and click the Remove option in its corresponding Configure field.
In the Remove confirmation pop-up box, click OK to remove the
address or click Cancel to discard changes.
50
DMZ Group
Entering the DMZ Group window:
Click DMZ Group under the Address menu to enter the DMZ window. The
current settings information for the DMZ group appears on the screen.
Adding a DMZ Group:
Step 1.
In the DMZ Group window, click the New Entry button.
Step 2.
In the Add New Address Group window:
•
•
Available Address: list names of all members of the DMZ.
Selected Address: list names to assign to a new group.
Step 3. Name: enter a name for the new group.
Step 4.
Add members: Select the names to be added from the Available
Address list, and click the Add>> button to add them to the
Selected Address list.
Step 5.
Remove members: Select names to be removed from the
Selected Address list, and click the <<Remove button to remove
them from the Selected Address list.
Step 6.
Click OK to add the new group or click Cancel to discard changes.
51
Modifying a DMZ Group:
Step 1.
In the DMZ Group window, locate the DMZ group to be modified
and click its corresponding Modify button in the Configure field.
Step 2.
A window displaying information about the selected group
appears:
Available Address: list the names of all the members of the
DMZ.
Selected Address: list the names of the members that have
been assigned to this group.
•
•
Step 3.
Add members: Select names to be added from the Available
Address list, and click the Add>> button to add them to the
Selected Address list.
Step 4.
Remove members: Select names to be removed from the
Selected Address list, and click the <<Remove button to remove
them from Selected Address list.
Step 5. Click OK to save changes or click Cancel to cancel editing.
Removing a DMZ Group:
Step 1.
In the DMZ Group window, locate the group to be removed and
click its corresponding Remove option in the Configure field.
Step 2.
In the Remove confirmation pop-up box, click OK to remove the
group.
Service
In this section, network services are defined and new network services can
be added. There are three sub menus under Service which are: Predefined, Custom, and Group. The Administrator can simply follow the
instructions below to define the protocols and port numbers for network
communication applications. Users then can connect to servers and other
computers through these available network services.
What is Service?
52
TCP and UDP protocols support varieties of services, and each service
consists of a TCP Port or UDP port number, such as TELNET(23),
SMTP(21), POP3(110),etc. The INTERNET FIREWALL defines two
services: pre-defined service and custom service. The common-use services
like TCP and UDP are defined in the pre-defined service and cannot be
modified or removed. In the custom menu, users can define other TCP port
and UDP port numbers that are not in the pre-defined menu according to
their needs. When defining custom services, the client port ranges from
1024 to 65535 and the server port ranges from 0 to 1023.
How do I use Service?
The Administrator can add new service group names in the Group option
under Service menu, and assign desired services into that new group.
Using service group the Administrator can simplify the processes of setting
up control policies. For example, there are 10 different computers that want
to access 5 different services on a server, such as HTTP, FTP, SMTP, POP3,
and TELNET. Without the help of service groups, the Administrator needs to
set up 50 (10x5) control policies, but by applying all 5 services to a single
group name in the service field, it takes only one control policy to achieve
the same effect as the 50 control policies.
Pre-defined
Entering a Pre-defined window:
Click Service on the menu bar on the left side of the window. Click Predefined under it. A window will appear with a list of services and their
associated port numbers. This list cannot be modified.
53
54
Custom
Entering the Custom window:
Click Service on the menu bar on the left side of the window. Click Custom
under it. A window will appear with a table showing all services currently
defined by the Administrator.
Adding a new Service:
Step 1
In the Custom window, click the New Entry button and a new
service table appears.
Step 2 In the new service table:
•
Service Name: This will be the name referencing the new
service.
•
Protocol: Enter the network protocol type to be used, such as
TCP, UDP, or Other (please enter the number for the protocol
type).
•
Client Port: enter the range of port number of new clients.
•
Server Port: enter the range of port number of new servers.
The client port ranges from 1024 to 65535 and the server port ranges from 0
to 1023.
Step 3 Click OK to add new services, or click Cancel to cancel.
55
Modifying Custom Services:
Step 1. In the Custom table, locate the name of the service to be modified.
Click its corresponding Modify option in the Configure field.
Step 2.
A table showing the current settings of the selected service
appears on the screen
Step 3.
Enter the new values.
Step 4.
Click OK to accept editing; or click Cancel.
Removing Custom Services:
Step 1.
In the Custom window, locate the service to be removed. Click its
corresponding Remove option in the Configure field.
Step 2.
In the Remove confirmation pop-up box, click OK to remove the
selected service or click Cancel to cancel action.
56
Group
Accessing the Group window:
Click Service in the menu bar on the left hand side of the window. Click
Group under it. A window will appear with a table displaying current service
group settings set by the Administrator.
Adding Service Groups:
Step 1. In the Group window, click the New Entry button. In the Add
Service Group window, the following fields will appear:
•
Available Services: list all the available services.
•
Selected Services: list services to be assigned to the new group.
Step 2. Enter the new group name in the group Name field. This will be the
name referencing the created group.
Step 4.
To add new services: Select the services desired to be added in
the Available Services list and then click the Add>> button to add
them to the group.
Step 5.
To remove services: Select services desired to be removed in the
Available Services, and then click the <<Remove button to
remove them from the group.
Step 6. Click OK to add the new group.
57
Modifying Service Groups:
Step 1. In the Group window, locate the service group to be edited. Click its
corresponding Modify option in the Configure field.
Step 2.
In the Mod (modify) group window the following fields are
displayed::
•
Available Services: lists all the available services.
•
Selected Services: list services that have been assigned to the
selected group.
Step 3.
Add new services: Select services in the Available Services list,
and then click the Add>> button to add them to the group.
Step 4.
Remove services: Select services to be removed in the Selected
Services list, and then click the <<Remove button to remove
theses services from the group.
Step 5.
Click OK to save editing changes.
Removing Service Groups:
Step 1. In the Group window, locate the service group to be removed and
click its corresponding Remove option in the Configure field.
Step 2. In the Remove confirmation pop-up box, click OK to remove the
selected service group or click Cancel to cancel removing.
Schedule
The INTERNET FIREWALL allows the Administrator to configure a schedule
for policies to take affect. By creating a schedule, the Administrator is
allowing the Firewall policies to be used at those designated times only. Any
activities outside of the scheduled time slot will not follow the Firewall policies
therefore will likely not be permitted to pass through the Firewall. The
Administrator can configure the start time and stop time, as well as creating 2
different time periods in a day. For example, an organization may only want
the Firewall to allow the internal network users to access the Internet during
work hours. Therefore, the Administrator may create a schedule to allow the
58
Firewall to work Monday-Friday, 8AM-5PM only. During the non-work hours,
the Firewall will not allow Internet access.
Adding a new Schedule:
Step 1: Click on the New Entry button and the Add New Schedule window
will appear.
Step 2: Schedule Name: Fill in a name for the new schedule.
Period : Configure the start and stop time for the days of the week
that the schedule will be active.
Step 3: Click OK to save the new schedule or click Cancel to cancel adding
the new schedule.
59
Modifying a Schedule:
Step 1: In the Schedule window, find the policy to be modified and click the
corresponding Modify option in the Configure field.
Step 2: Make needed changes.
Step 3: Click OK to save changes.
Removing a Schedule:
Step 1: In the Schedule window, find the policy to be removed and click the
corresponding Remove option in the Configure field.
Step 2: A confirmation pop-up box will appear, click on OK to remove the
schedule.
60
Policy
This section provides the Administrator with facilities to sent control policies
for packets with different source IP addresses, source ports, destination IP
addresses, and destination ports. Control policies decide whether packets
from different network objects, network services, and applications are able to
pass through the Firewall.
What is Policy?
The INTERNET FIREWALL uses policies to filter packets. The policy
settings are: source address, destination address, services, permission,
packet log, packet statistics, and flow alarm. Based on its source addresses,
a packet can be categorized into:
(1) Outgoing: a client is in the internal networks while a server is in the
external networks.
(2) Incoming, a client is in the external networks, while a server is in the
internal networks.
(3) To DMZ: a client is either in the internal networks or in the external
networks while, server is in DMZ.
(4) From DMZ, a client is in DMZ while server is either in the internal
networks or in the external networks.
How do I use Policy?
The policy settings are source addresses, destination addresses, services,
permission, log, statistics, and flow alarm. Among them, source addresses,
destination addresses and IP mapping addresses have to be defined in the
Address menu in advance. Services can be used directly in setting up
policies, if they are in the Pre-defined Service menu. Custom services need
to be defined in the Custom menu before they can be used in the policy
settings.
If the destination address of an incoming policy is a Mapped IP address or a
Virtual Server address, then the address has to be defined in the Virtual
Server section instead of the Address section.
Step 1.
Step 2.
Step 3.
In Address, set names and addresses of source networks and
destination networks.
In Service, set services.
In Virtual Server, set names and addresses
Outgoing
61
This section describes steps to create policies for packets and services from
the Internal (LAN) network to the External (WAN) network.
Entering the Outgoing window:
Click Policy on the left hand side menu bar, then click Outgoing under it. A
window will appear with a table displaying currently defined Outgoing
policies.
The fields in the Outgoing window are:
•
Source: source network addresses that are specified in the
Internal section of Address menu, or all the Internal (LAN)
network addresses.
•
Destination: destination network addresses that are specified in
the External section of the Address menu, or all the External
(WAN) network addresses.
•
Service: specify services provided by external network servers.
•
Action: control actions to permit or reject/deny packets from
internal networks to external network travelling through the
Firewall.
•
Option: specify the monitoring functions on packets from internal
networks to external networks travelling through the Firewall.
•
Configure: modify settings.
•
Move: this sets the priority of the policies, number 1 being the
highest priority.
Adding a new Outgoing Policy:
Step 1: Click on the New Entry button and the Add New Policy window will
appear.
62
63
Step 2: Source Address: Select the name of the Internal (LAN) network
from the drop down list. The drop down list contains the
names of all internal networks defined in the Internal
section of the Address menu. To create a new source
address, please go to the Internal section under the
Address menu.
Destination Address: Select the name of the External (WAN)
network from the drop down list. The drop down list
contains the names of all external networks defined in the
External section of the Address window. To create a new
destination address, please go to the External section
under the Address menu.
Service: Specified services provided by external network servers.
These are services/application that are allowed to pass
from the Internal network to the External network. Choose
ANY for all services.
Action: Select Permit or Deny from the drop down list to allow or
reject the packets travelling between the source network
and the destination network.
Logging: Select Enable to enable flow monitoring.
Statistics: Select Enable to enable flow statistics.
Alarm Threshold: set a maximum flow rate (in Kbytes/Sec). An
alarm will be sent if flow rates are higher than the specified
value.
Step 3: Click OK to add a new outgoing policy; or click Cancel to cancel
adding a new outgoing policy.
64
Modifying an Outgoing policy:
Step 1: In the Outgoing policy section, locate the name of the policy
desired to be modified and click its corresponding Modify option
under the Configure field.
Step 2: In the Modify Policy window, fill in new settings.
Note:
To change or add selections in the drop-down list for source or
destination address, go to the section where the selections are
setup. (Source Address→ Internal of Address menu; Destination
Address → External of Address menu; Service→[Predefined],[Custom] or Group under Service).
Step 3: Click OK to do confirm modification or click Cancel to cancel it.
Removing the Outgoing Policy:
Step 1. In the Outgoing policy section, locate the name of the policy desired
to be removed and click its corresponding Remove option in the
Configure field.
Step 2. In the Remove confirmation dialogue box, click OK to remove the
policy or click Cancel to cancel removing.
65
Incoming
This chapter describes steps to create policies for packets and services from
the External (WAN) network to the Internal (LAN) network including Mapped
IP and Virtual Server.
Enter Incoming window:
Step 1:
Click Incoming under the Policy menu to enter the Incoming
window. The Incoming table will display current defined policies
from the External (WAN) network to assigned Mapped IP or
Virtual Server.
Step 2: The fields of the Incoming window are:
•
Source: source networks which are specified in the External
section of the Address menu, or all the external network
addresses.
•
Destination: destination networks, which are IP Mapping
addresses or Virtual server network addresses created in
Virtual Server menu.
•
Service: services supported by Virtual Servers (or Mapped IP).
•
Action: control actions to permit or deny packets from external
networks to Virtual Server/Mapped IP travelling through the
INTERNET FIREWALL.
•
Option: specify the monitoring functions on packets from
external networks to Virtual Server/Mapped IP travelling
through the Firewall.
•
Configure: modify settings or remove incoming policy.
•
Move: this sets the priority of the policies, number 1 being the
highest priority.
Adding an Incoming Policy:
66
Step 1: Under Incoming of the Policy menu, click the New Entry button.
Step 2: Source Address: Select names of the external networks from the
drop down list. The drop down list contains the names of all
external networks defined in the External section of the
Address menu. To create a new source address, please go
to the Internal section under the Address menu.
Destination Address: Select names of the internal networks from
the drop down list. The drop down list contains the names
of IP mapping addresses specified in the Mapped IP or the
Virtual Server sections of Virtual Server menu. To create
a new destination address, please go to the Virtual Server
menu. (Please refer to Chapter 8 for Virtual Server for
details)
Service: Specified services provided by internal network servers.
These are services/application that are allowed to pass
from the External network to the Internal network. Choose
ANY for all services.
Action: Select Permit or Deny from the drop down list to allow or
reject the packets travelling between the specified external
network and Virtual Server/Mapped IP.
Logging: select Enable to enable flow monitoring.
Statistics: select Enable to enable flow statistics.
Alarm Threshold: set a maximum flow rate (in Kbytes/Sec). An
alarm will be sent if flow rates are higher than the specified
value.
Step 3: Click OK to add new policy or click Cancel to cancel adding new
incoming policy.
Modifying Incoming Policy:
Step 1: In the Incoming window, locate the name of policy desired to be
modified and click its corresponding
Modify option in the
Configure field.
Step 2: In the Modify Policy window, fill in new settings.
Step 3: Click OK to save modifications or click Cancel to cancel
modifications.
Removing an Incoming Policy:
67
Step 1: In the Incoming window, locate the name of policy desired to be
removed and click its corresponding [Remove] in the Configure
field.
Step 2: In the Remove confirmation window, click Ok to remove the policy
or click Cancel to cancel removing.
68
External To DMZ & Internal to DMZ
This section describes steps to create policies for packets and services from
the External (WAN) networks to the DMZ networks. Please follow the same
procedures for Internal (LAN) networks to DMZ networks.
Enter [External To DMZ] (or [Internal To DMZ]) window:
Click External To DMZ under Policy menu to enter the External To DMZ
window. The External To DMZ table will show up displaying currently defined
policies.
The fields in External To DMZ window:
•
Source: source networks, which are addresses specified in the
External section of the Address menu, or all the external network
addresses.
•
Destination: destination networks, which are addresses specified in
DMZ section of the Address menu and Mapped IP addresses of the
Virtual Server menu.
•
Service: services supported by servers in DMZ network.
•
Action: control actions, to permit or deny packets from external
networks to DMZ travelling through the INTERNET FIREWALL.
•
Option: specify the monitoring functions of packets from external
network to DMZ network travelling through Firewall.
•
Configure: modify settings or remove policies.
69
Adding a new External To DMZ Policy:
Step 1: Click the New Entry button and the Add New Policy window will
appear.
Step 2: Source Address: Select names of the external networks from the
drop down list. The drop down list contains the names of all
external networks defined in the External section of the
Address menu. To create a new source address, please go
to the Internal section under the Address menu.
Destination Address: Select the name of the DMZ network from
the drop down list. The drop down list contains the names of
the DMZ network created in the Address menu. It will also
contain Mapped IP addresses from the Virtual Server menu
that were created for the DMZ network. To create a new
destination address, please go to the Virtual Server menu.
(Please refer to the sections entitled Address and Virtual
Server for details)
Service: Select a service from drop down list. The drop down list
will contain services defined in the Custom or Group section
under the Service menu. These are services/application that
are allowed to pass from the External network to the DMZ
network. Choose ANY for all services. To add or modify
these services, please go to the Service menu. (Please refer
to the section entitled Services for details)
Action: Select Permit or Deny from the drop down list to allow or
reject the packets travelling from the specified external
network to the DMZ network.
Logging: select Enable to enable flow monitoring.
Statistics: select Enable to enable flow statistics.
Alarm Threshold: set a maximum flow rate (in Kbytes/Sec). An
alarm will be send if a flow rate exceeds the specified value.
Step 3: Click OK.
Modifying an External to DMZ policy:
Step 1: In the External To DMZ window, locate the name of policy desired
to be modified and click its corresponding Modify option in the
Configure field.
Step 2: In the Modify Policy window, fill in new settings.
Step 3: Click OK to do save modifications.
70
Removing an External To DMZ Policy:
Step 1: In the External To DMZ window, locate the name of policy desired
to be removed and click its corresponding Remove option in the
Configure field.
Step 2: In the Remove confirmation pop-up box, click OK to remove the
policy.
71
DMZ To External & DMZ To Internal
This section describes steps to create policies for packets and services from
DMZ networks to External (WAN) networks. Please follow the same
procedures for DMZ networks to Internal (LAN) networks.
Entering the DMZ To External window:
Click DMZ To External under Policy menu and the DMZ To External table
appears displaying currently defined DMZ To External policies.
The fields in the DMZ To External window are:
•
Source: source network addresses which are specified in the DMZ
section of the Address window.
•
Destination: destination networks, which is the external network
address
•
Service: services supported by Servers of external networks.
•
Action: control actions, to permit or deny packets from the DMZ
network to external networks travelling through the INTERNET
FIREWALL.
•
Option: specify the monitoring functions on packets from the DMZ
network to external networks travelling through the Firewall.
•
Configure: modify settings or remove policies
•
Move: this sets the priority of the policies, number 1 being the
highest priority.
72
Adding a DMZ To External Policy:
Step 1: Click the New Entry button and the Add New Policy window will
appear.
Step 2: Source Address: Select the name of the DMZ network from the
drop down list. The drop down list will contain names of DMZ
networks defined in DMZ section of the Address menu. To
add a new source address, please go to the DMZ section
under the Address menu.
Destination Address: Select the name of the external network
from the drop down list. The drop down list lists names of
addresses defined in External section of the Address
menu. To add a new destination address, please go to
External section of the Address menu.
Service: Select a service from drop down list. The drop down list
will contain services defined in the Custom or Group section
under the Service menu. These are services/application that
are allowed to pass from the DMZl network to the External
network. Choose ANY for all services. To add or modify
these services, please go to the Service menu.
Action: Select Permit or Deny from the drop down list to allow or
reject the packets travelling from the specified DMZ network
to the external network.
Logging: select Enable to enable flow monitoring.
Statistics: click Enable to enable flow statistics.
Alarm Threshold: set a maximum flow rate (in Kbytes/Sec). An
alarm will be sent if the flow rate exceeds the specified
value.
Step 3: Click OK to add new policy or click Cancel to cancel adding.
73
Modifying a DMZ To External policy:
Step 1: In the DMZ to External window, locate the name of policy desired to
be modified and click its corresponding Modify option in the
Configure field.
Step 2: In the Modify Policy window, fill in new settings.
Note: To change or add selections in the drop-down list, go to the section
where the selections are setup. (Source Address→DMZ of Address;
Destination Address→External, Service→Pre-defined Service, Custom or
Group under Service.)
Step 3: Click OK to save modifications or click Cancel to cancel
modifications.
Removing a DMZ To External Policy:
Step 1. In the DMZ To External window, locate the name of policy desired
to be removed and click its corresponding Remove option in the
Configure field.
Step 2. In the Remove confirmation dialogue box, click OK.
74
Enabled Monitoring function:
Log: If Logging is enabled in the Outgoing/Incoming policy, the INTERNET
FIREWALL will log the traffic and event passing through the Firewall. The
Administrator can click Log on the left menu bar to get the flow and event
logs of the specified policy.
Note:
System Administrator can back up and clear logs in this window.
Check the chapter entitled “Log” to get details about the log and
ways to back up and clear logs.
Alarm: If Logging is enabled in the Outgoing/Incoming policy, the INTERNET
FIREWALL will log the Traffic alarms and Event alarms passing through the
Firewall. The Administrator can click Alarm on the left menu to get the logs
of flow and event alarms of the specified policy.
Note:
The Administrator can also get information on alarm logs from the
Alarm window. Please refer to the section entitled “Alarm” for
more information.
Statistics: If Statistics is enabled in the Outgoing/Incoming policy, the
75
INTERNET FIREWALL will display the flow statistics passing through the
Firewall.
Note:
The Administrator can also get flow statistics in Statistics. Please
refer to Statistics in Chapter 11 for more details.
76
VPN
The INTERNET FIREWALL’s VPN (Virtual Private Network) is set by the
System Administrator. The System Administrator can add, modify or remove
VPN settings.
What is VPN?
To set up a Virtual Private Network (VPN), you don’t need to configure an
Access Policy to enable encryption. Just fill in the following settings: VPN
Name, Source Subnet, Destination Gateway, Destination Subnet,
Authentication Method, Preshare key, Encapsulation and IPSec lifetime. The
firewalls on both ends must use the same Preshare key and IPSec lifetime
to make a VPN connection.
IPSec Autokey
This chapter describes steps to create a VPN connection using Autokey
IKE. Autokey IKE (Internet Key Exchange) provides a standard method to
negotiate keys between two security gateways. For example, with two
firewall devices, IKE allows new keys to be generated after a set amount of
time has passed or a certain threshold of traffic has been exchanged.
Accessing the Autokey IKE window:
Click Autokey IKE under the VPN menu to enter the Autokey IKE window.
The Autokey IKE table displays current configured VPNs.
The fields in the Autokey IKE window are:
•
Name: The VPN name to identify the VPN tunnel definition. The name
must be different for the two sites creating the tunnel.
•
Gateway IP: The external interface IP address of the remote Firewall.
•
Destination Subnet: Destination network subnet.
•
PSK/RSA: The IKE VPN must be defined with a Preshared Key. The
Key may be up to 128 bytes long.
•
Status: Connect/Disconnect or Connecting/Disconnecting.
77
•
Configure: Connect, Disconnect, Modify and Delete.
Adding the Autokey IKE:
Step 1. Click the New Entry button and the VPN Auto Keyed Tunnel
window will appear.
Step 2: Preshare Key: The IKE VPN must be defined with a Preshared
Key. The Key may be up to 128 bytes long.
ESP/AH: The IP level security headers, AH and ESP, were
originally proposed by the Networking Group focused on IP
security mechanisms, IPSec. The term IPSec is used loosely here
to refer to packets, keys, and routes that are associated with these
headers. The IP Authentication Header (AH) is used to provide
authentication. The IP Encapsulating Security Header (ESP) is
used to provide confidentially to IP datagrams.
ESP-Encryption Algorithm: The INTERNET FIREWALL autoselects 56 bit DES-CBC or 168-bit Triple DES-CBC encryption
algorithm. The default algorithm is 168-bit Triple DES-CBC.
ESP-Authentication Method: The INTERNET FIREWALL autoselects MD5 or SHA-1 authentication algorithm. The default
algorithm is MD5.
78
IPSec Lifetime: New keys will be generated whenever the lifetime
of the old keys is exceeded. The Administrator may enable this
feature if needed and enter the lifetime in seconds to re-key. The
default is 28800 seconds (eight hours). Selection of small values
could lead to frequent re-keying, which could affect performance.
79
Modifying an Autokey IKE:
Step 1: In the Autokey IKE window, locate the name of policy desired to be
modified and click its corresponding Modify option in the Configure
field.
Step 2: In the Modify Policy window, fill in new settings.
Step 3: Click OK to save modifications.
Connecting the VPN connection:
Once all the policy is created with the correct settings, click on the Connect
option in the Configure field. The Status field will change to indicate
Connecting. If the remote Firewall is set up correctly with the VPN active, the
VPN connection will be made between the two Firewalls and the Status field
will change to Connect.
Removing Autokey IKE:
Step 1. Locate the name of the Autokey IKE desired to be removed and
click its corresponding Delete option in the Configure field.
Step 2. In the Remove confirmation pop-up box, click OK to remove the
Autokey IKE or click Cancel to cancel deleting.
Content filtering
Content filtering includes URL Blocking and general filtering. Content Filtering
includes URL Blocking and General Blocking .
1. URL Blocking The device manager can use a complete domain name,
key word, “ ” or “ ” to make rules for specific websites.
2. General Blocking To let Popup ActiveX Java Cookie in or keep them
out.
80
URL Blocking
The Administrator may setup URL Blocking to prevent Internal network users
from accessing a specific website on the Internet. Any web request coming
from an Internal network computer to a blocked website will receive a
blocked message instead of the website.
Entering the URL blocking window:
Click on URL Blocking under the Configuration menu bar.
Click on New Entry.
81
Adding a URL Blocking policy:
Step 1:
After clicking New Entry, the Add New Block String window will
appear.
Step 2:
Enter the URL of the website to be blocked.
Step 3:
Click OK to add the policy. Click Cancel to discard changes.
Modifying a URL Blocking policy:
Step 1:
In the URL Blocking window, find the policy to be modified and
click the corresponding Modify option in the Configure field.
Step 2:
Make the necessary changes needed.
Step 3:
Click on OK to save changes or click on Cancel to cancel
modifications.
82
Removing a URL Blocking policy:
Step 1:
In the URL Blocking window, find the policy to be removed
and click the corresponding Remove option in the
Configure field.
Step 2:
A confirmation pop-up box will appear, click on OK to remove
the policy or click on Cancel to discard changes.
Blocked URL site:
When a user from the Internal network tries to access a blocked URL, the
error below will appear.
83
General Blocking
To let Popup ActiveX Java Cookie in or keep them out.
Step 1: Click Content Filtering in the menu.
Step 2:
•
•
•
•
General Blocking detective functions.
Popup Block Prevent the pop-up boxes appearing.
ActiveX Block Prevent ActiveX packets.
Java Block Prevent Java packets.
Cookie Block Prevent Cookie packets.
Step 3: After selecting each function, click the OK button below.
When the system detects the setting, the firewall
will spontaneously work.
84
Virtual Server
The INTERNET FIREWALL separates an enterprise’s Intranet and Internet
into internal networks and external networks respectively.
Generally
speaking, in order to allocate enough IP addresses for all computers, an
enterprise assigns each computer a private IP address, and converts it into a
real IP address through Firewall’s NAT (Network Address Translation)
function. If a server which provides service to the external networks, is
located in the internal networks, outside users can’t directly connect to the
server by using the server’s private IP address.
The INTERNET FIREWALL’s Virtual Server can solve this problem. A virtual
server has set the real IP address of the Firewall’s external network interface
to be the Virtual Server IP. Through the virtual server feature, the Firewall
translates the virtual server’s IP address into the private IP address of
physical server in the Internal (LAN) network. When outside users on the
Internet request connections to the virtual server, the request will be
forwarded to the private internal server.
Virtual Server owns another feature know as one-to-many mapping. This is
when one virtual server IP address on the external interface can be mapped
into 4 internal network server private IP addresses. This option is useful for
Load Balancing, which causes the virtual server to distribute data packets to
each private IP addresses (which are the real servers). By sending all data
packets to all similar servers, this increases the server’s efficiency, reduces
risks of server crashes, and enhances servers’ stability.
85
How to use Virtual Server and mapped IP
Virtual Server and Mapped IP are part of the IP mapping scheme. By
applying the incoming policies, Virtual Server and IP mapping work similarly.
They map real IP addresses to the physical servers’ private IP addresses
(which is opposite to NAT), but there still exists some differences:
•
Virtual Server can map one real IP to several internal physical
servers while Mapped IP can only map one real IP to one internal
physical server (1-to-1 Mapping). The Virtual Servers’ load balance
feature can map a specific service request to different physical
servers running the same services.
•
Virtual Server can only map one real IP to one service/port of the
internal physical servers while Mapped IP maps one real IP to all the
services offered by the physical server.
IP mapping and Virtual Server work by binding the IP address of the external
virtual server to the private internal IP address of the physical server that
supports the services. Therefore users from the external network can access
servers of the internal network by requesting the service from the IP address
provided by Virtual Server.
86
Mapped IP
Internal private IP addresses are translated through NAT (Network Address
Translation). If a server is located in the internal network, it has a private IP
address, and outside users cannot connect directly to internal servers’ private
IP address. To connect to a internal network server, outside users have to
first connect to a real IP address of the external network, and the real IP is
translated to a private IP of the internal network. Mapped IP and Virtual
Server are the two methods to translate the real IP into private IP. Mapped
IP maps IP in one-to-one fashion; that means, all services of one real
external IP address is mapped to one private internal IP address.
Entering the Mapped IP window:
Click Mapped IP under the Virtual Server menu bar and the Mapped IP
configuration window will appear.
Adding a new IP Mapping:
Step 1. In the Mapped IP window, click the New Entry button the Add New
Mapped IP window will appear.
•
•
Step 2.
External IP: select the external public IP address to be mapped.
Internal IP: enter the internal private IP address or DMZ IP
address which will be mapped 1-to-1 to the external IP address.
Click OK to add new IP Mapping or click Cancel to cancel adding.
Modifying a Mapped IP:
Step 1. In the Mapped IP table, locate the Mapped IP desired to be modified
and click its corresponding Modify option in the Configure field.
Step 2. Enter settings in the Modify Mapped IP window.
87
Step 3. Click OK to save change or click Cancel to cancel.
Note: A Mapped IP cannot be modified if it has been assigned/used
as a destination address of any Incoming policies.
88
Removing a Mapped IP:
Step 1. In the Mapped IP table, locate the Mapped IP desired to be removed
and click its corresponding Remove option in the Configure field.
Step 2. In the Remove confirmation pop-up window, click Ok to remove
the Mapped IP or click Cancel to cancel.
Virtual Server
Virtual server is a one-to-many mapping technique, which maps a real IP
address from the external interface to private IP addresses of the internal
network. This is done to provide services or applications defined in the
Service menu to enter into the internal network. Unlike a mapped IP which
binds an external IP to an Internal/DMZ IP, virtual server binds external IP
ports to Internal IP ports.
Adding a Virtual Server:
Step 1. Click an available virtual server from Virtual Server in the Virtual
Server menu bar to enter the virtual server configuration window.
In the following, Virtual Server is assumed to be the chosen
option:
Step 2.
Click the click here to configure button and the Add new Virtual
Server IP window appears and asks for an IP address from the
external network.
Step 3.
Select an IP address from the drop-down list of available external
network IP addresses.
Note:
If the drop-down list contains only (Disable), there is no available
IP addresses of external network of the System and no Virtual
Server can be added.
Step 4. Click OK to add new Virtual Server or click Cancel to cancel adding.
89
When Disable appears in the drop-down list, no Virtual Server can be added.
90
Setting the Virtual Server’s services:
Step 1. For the Virtual Server which has already been set up with an IP
address, click the New Service button in the table.
Step 2. In the Virtual Server Configurations window:
•
Virtual Server IP: displays the external IP address assigned to
the Virtual Server
•
•
Note:
Step 3.
Step 4.
External Service Port: select the port number that the virtual
server will use. Changing the Service will change the port
number to match the service.
Service: select the service from the pull down list that will be
provided by the Virtual Server.
The services in the drop-down list are all defined in the Predefined and Custom section of the Service menu.
Enter the IP address of the internal network server(s), to which the
virtual server will be mapped. Up to four IP addresses can be
assigned at most.
Click OK to save the settings of the Virtual Server.
Modifying the Virtual Server configurations:
Step 1. In the Virtual Server window’s service table, locate the name of the
service desired to be modified and click its corresponding Modify
option in the Configure field.
Step 2.
In the Virtual Server Configuration window, enter the new settings.
Step 3.
Click OK to save modifications or click Cancel to cancel
modification.
91
Note:
A virtual server cannot be modified or removed if it has been
assigned to the destination address of any Incoming policies.
Removing the Virtual Server service:
Step 1. In the Virtual Server window’s service table, locate the name of the
service desired to be removed and click its corresponding Remove
option in the Configure field.
Step 2.
In the Remove confirmation pop-up box, click Ok to remove the
service or click Cancel to cancel removing.
Log
The INTERNET FIREWALL supports traffic logging and event logging to
monitor and record services, connection times, and the source and
destination network address. The Administrator may also download the log
files for backup purposes. The Administrator mainly uses the Log menu to
monitor the traffic passing through the INTERNET FIREWALL.
What is Log?
Log records all connections that pass through the Firewall’s control policies.
Traffic log’s parameters are setup when setting up control policies. Traffic
logs record the details of packets such as the start and stop time of
connection, the duration of connection, the source address, the destination
address and services requested, for each control policy. Event logs record
92
the contents of System Configuration changes made by the Administrator
such as the time of change, settings that change, the IP address used to log
on, etc.
How to use the Log
The Administrator can use the log data to monitor and manage the
INTERNET FIREWALL and the networks. The Administrator can view the
logged data to evaluate and troubleshoot the network, such as pinpointing
the source of traffic congestions.
93
Traffic Log
The Administrator queries the Firewall for information, such as source
address, destination address, start time, and Protocol port, of all connections.
Entering the Traffic Log window:
Click the Traffic Log option under Log menu to enter the Traffic Log
window.
The table in the Traffic Log window displays current System statuses:
•
•
•
•
•
Time: The start time of the connection.
Source: IP address of the source network of the specific
connection.
Destination: IP address of the destination network of the specific
connection.
Protocol & Port: Protocol type and Port number of the specific
connection.
Disposition: Accept or Deny.
94
Downloading the Traffic Logs:
The Administrator can backup the traffic logs regularly by downloading it to
the computer.
Step 1.
In the Traffic Log window, click the Download Logs button at the
bottom of the screen.
Step 2.
Follow the File Download pop-up window to save the traffic logs
into a specified directory on the hard drive.
Clearing the Traffic Logs:
The Administrator may clear on-line logs to keep just the most updated logs
on the screen.
Step 1.
Step 2.
In the Traffic Log window, click the Clear Logs button at the bottom
of the screen.
In the Clear Logs pop-up box, click Ok to clear the logs or click
Cancel to cancel it.
Event Log
When the INTERNET FIREWALL detects events, the Administrator can get
the details, such as time and description of the events from the Event Logs.
Entering the Event Log window:
Click the Event Log option under the Log menu and the Event Log window
will appear.
95
The table in the Event Log window displays the time and description of the
events.
•
•
Time: time when the event occurred.
Event: description of the event.
96
Downloading the Event Logs:
Step 1. In the Event Log window, click the Download Logs button at the
bottom of the screen.
Step 2. Follow the File Download pop-up window to save the event logs
into a specific directory on the hard drive.
Clearing the Event Logs:
The Administrator may clear on-line event logs to keep just the most updated
logs on the screen.
Step 1. In the Event Log window, click the Clear Logs button at the bottom
of the screen.
Step 2. In the Clear Logs pop-up box, click OK to clear the logs or click
Cancel to cancel it.
97
Alarm
In this chapter, the Administrator can view traffic alarms and event alarms
that occur and the firewall has logged.
Firewall has two alarms: Traffic Alarm and Event Alarm.
Traffic alarm:
In control policies, the Administrator set the threshold value for traffic alarm.
The System regularly checks whether the traffic for a policy exceeds its
threshold value and adds a record to the traffic alarm file if it does.
Event alarm:
When Firewall detects attacks from hackers, it writes attacking data in the
event alarm file and sends an e-mail alert to the Administrator to take
emergency steps.
98
Traffic Alarm
The table in the Traffic Alarm window displays the current traffic alarm logs
for connections.
•
Time: The start and stop time of the specific connection.
•
Source: Name of the source network of the specific connection.
•
Destination: Name of the destination network of the specific
connection.
•
Service: Service of the specific connection.
•
Traffic: Traffic (in Kbytes/Sec) of the specific connection.
Clearing the Traffic Alarm Logs:
Step 1. In the Traffic Alarm window, click the Clear Logs button at the
bottom of the screen.
Step 2. In the Clear Logs pop-up box, click OK to clear the logs or click
Cancel to cancel.
Downloading the Traffic Alarm Logs:
The Administrator can back up traffic alarm logs regularly and download it to
a file on the computer.
Step 1. In the Traffic Alarm window, click the Download Logs button on the
bottom of the screen.
Step 2. Follow the File Download pop-up box to save the traffic alarm logs
into specific directory on the hard drive.
Event Alarm
The table in Event Alarm window displays current traffic alarm logs for
connections.
•
•
Time: log time.
Event: event descriptions.
Clearing Event Alarm Logs:
The Administrator may clear on-line logs to keep the most updated logs on
the screen.
99
Step 1.
Step 2.
In the Event Alarm window, click the Clear Logs button at the
bottom of the screen.
In the Clear Logs pop-up box, click OK.
Downloading the Event Alarm Logs:
The Administrator can back up event alarm logs regularly by downloading it
to a file on the computer.
Step 1.
In the Event Alarm window, click the Download Logs button at the
bottom of the screen.
Step 2.
Follow the File Download pop-up box to save the event alarm logs
into specific directory on the hard drive.
Statistics
In this chapter, the Administrator queries the INTERNET FIREWALL for
statistics of packets and data which passes across the Firewall. The
statistics provides the Administrator with information about network traffics
and network loads.
What is Statistics
Statistics are the statistics of packets that pass through the Firewall by
control policies setup by the Administrator.
How to use Statistics
The Administrator can get the current network condition from statistics, and
use the information provided by statistics as a basis to mange networks.
Entering the Statistics window:
Step 1. The Statistics window displays the statistics of current network
connections.
•
•
•
•
•
Source: the name of source address.
Destination: the name of destination address.
Service: the service requested.
Action: permit or deny
Time: viewable by minutes, hours, or days
100
Status
In this section, the INTERNET FIREWALL displays the status information
about the Firewall. Status will display the network information from the
Configuration menu. The Administrator may also use Status to check the
DHCP lease time and MAC addresses for computers connected to the
Firewall.
Interface Status
Entering the Interface Status window:
Click on Status in the menu bar, then click Interface Status below it. A
window will appear providing information from the Configuration menu.
Interface Status will list the settings for Internal Interface, External
Interface, and the DMZ Interface.
101
ARP Table
Entering the ARP Table window:
Click on Status in the menu bar, then click ARP Table below it. A window
will appear displaying a table with IP addresses and their corresponding
MAC addresses. For each computer on the Internal, External, and DMZ
network that replies to an ARP packet, the INTERNET FIREWALL will list
them in this ARP table.
IP Address:
The IP address of the host computer
MAC Address: The MAC address of that host computer
Interface:
The port that the host computer is connected to (Internal,
External, DMZ)
102
DHCP Clients
Entering the DHCP Clients window:
Click on Status in the menu bar, then click on DHCP Clients below it. A
window will appear displaying the table of DHCP clients that are connected to
the INTERNET FIREWALL. The table will list host computers on the Internal
network that obtain its IP address from the Firewall’s DHCP server function.
IP Address: The IP address of the internal host computer
MAC Address: MAC address of the internal host computer
Leased Time: The Start and End time of the DHCP lease for the internal
host computer.
103
Glossary
DHCP (Dynamic Host Configuration Protocol.)
When a computer with no fixed IP address starts up, it asks the DHCP server
for a temporary IP address. The DHCP server allocates an IP address,
which falls within the same sub-network as the server and does not conflict
with other computers on the network, to the client.
ICMP Protocol
ICMP stands for ‘Internet Control Message Protocol’, it is a Network layer of
Internet protocol that reports errors and provides other information relevant to
IP packet processing. ICMP sends the following messages: Flow Control,
Destination Unreachable, Redirecting Routes and Echo Message. For
example, the UNIX command Ping is based on ICMP to test whether a
particular computer is connected to the Internet.
IP
IP stands for Internet Protocol. IP address uniquely identifies a host computer
connected to the Internet from other Internet hosts, for the purposes of
communication through the transfer of packets. IP has following features:
defining data packet structure, packet is the basic unit of data exchange.
addressing data packets.
moving data between Network layer and Transport layer.
routing packets from the sender to the destination network.
breaking messages into packets and reassembling the packets into the
original message.
104
MAC Address
Each network interface card has a unique six bytes long identification
number that has been assigned in the factory. When a data packet arrives,
the network card matches the destination address on the data packet with its
own MAC address to decides to whether receive or discard the packet.
Subnet Mask
Subnet Mask is used to segment a network into 2, 4, 8, etc sub-networks.
For example, take a Class B network with network number 172.16.0.0 and
subnet mask 255.255.244.0. The first two numbers represents network
number after segmentation. The first 3 bits of the third number is the Subnet
Number. There are 2^3= 8 sub networks. The remaining five bits plus the
eight bits of fourth number, thirteen bits in total, are the networks addresses
available for each sub-network. Each sub-network can have 2^13=8192
networks addresses. Example addresses are as follows:
TCP Protocol
TCP is a connection-oriented protocol, it establishes a logical connection
between two computers. Before transferring data, the two computers
exchange control messages to make sure a connection has been
established, this process is called handshaking. TCP sets up control
functions in the Flag field of the Segment Header. Compared to UDP, TCP is
a very reliable protocol, and uses PAR(Positive Acknowledgment with Retransmission) to guarantee that data from one host computer can reach the
other host computer safely and correctly.
105
TCP/IP Protocol
TCP/IP consists of two protocols:
TCP, Transmission Control Protocol
IP, Internet Protocol
TCP/IP features:
Open communication standard, it is free and does not depend on any
Operating systems or hardware.
Not restricted to any network hardware, Ethernet, Token Ring, Leased
Line, X.25 or Frame Relay can all be integrated and operate under
TCP/IP.
Widely accepted addressing method. It is used to assign network
equipments a unique IP address.
Many standardized high-level protocols provide user with wide and
consistent services
User Datagram Protocol (UDP Protocol)
User Datagram Protocol is a transport layer protocol in the TCP/IP protocol
stack. UDP uses application program to pack user data into packets, and IP
transfer these packets into their destination. Under UDP, applications can
exchange messages with least costs. UDP is an unreliable, connectionless
protocol. Unreliable means that this protocol has no specification to
exchange datagram with guaranteed delivery, but it does transfer data
correctly over network. UDP used source port, and destination port, in the
message header to transfer message to the right application.
106
DoS (Denial of Service Attack)
DoS attacks disables the servers’ abilities to serve, makes system
connections impossible, and prevents system from providing services to any
legal or illegal users. In another word, DoS’s objective is to kick the server
under attacked out of the network.
There are four popular types of DoS attacks:
Bandwidth Consumption: Attackers use wider bandwidth to flood
victims’ bandwidth with garbage data. For example, using a T1
(1.511Mbps) leased line to attack 56k or 128k leased line, or using
several 56k sites to stuff a T3 (45Mbps).
Resource Exhaustion: This attack exhausts the victims’ systems
resources, such as CPU usage, memory, file system quota or other
system processes. The attack can bring down the system or slow down
the system.
Defect program: Attackers use programs to generate exception condition
that can’t be handled by applications, systems, or embedded hardware to
cause system failure. In many occasions, attackers send weird (system
can not identify) packet to targeted systems to cause core dumps and
attacker issue commands that has privileges to destroy the systems in the
mean time.
Router and DNS attacks: Attacker alter routing table and cause legal
requests to servers be rejected. This kind of attack redirects user
requests to an enterprise’s DNS to specific addresses or black holes,
usually un-existing addresses.
107
Firewall
The firewall has three basic functions:
1.
2.
3.
Restrict data to enter at a control point.
Restrict data to flow out at a control point.
Keep attackers away from servers.
Firewall protects:
1.
2.
3.
Software data
Hardware data
Company’s reputation
Firewall’s standard interfaces are
1.
2.
3.
External (WAN) network also known as Untrusted Network
Internal (LAN) network also known as Trusted Network
DMZ network also known as De-Militarized Network
Add-on values of firewall are:
1.
2.
3.
4.
5.
NAT to provide company with enough IP addresses.
Reduce the risk of exposing server to the outside world.
Record Internet usages effectively
Alarm the administrator to take emergency step in a timely fashion
Encrypt sensitive data to transfer them safely across internet
Firewall has following restriction:
1.
2.
3.
4.
Can’t block hackers’ attacks from inside.
Can’t monitor connection that doesn’t pass through firewall
Can’t prevent new type of threats.
Can’t prevent virus’s attacks.
Hackers and Crackers
Hackers are those smart and aggressive programmers who actually initiate
the recent computer revolution. These programmers are crazy about
exploring new technology to solve problems and create new methodologies.
Their objectives are to construct solid networks and not to destroy other
computer systems. Crackers on the other hand are programmers who attack
private networks, but don’t steal or destroy data. Phrackers are people who
use stolen data to enter computer systems illegally to make damage.
IP Spoofing
Data packets sent is from a fake source address. If the firewall’s policy does
not restrict these packets from passing through, they could be used to attack
internal servers easily.
108
Network Address Translation
NAT is the translation of IP addresses between internal or private networks
and the public IP addresses on the Internet. There are three IP address
blocks that have been assigned as private IP address space:
10.0.0.0 – 10.255.255.255
172.16.0.0 – 172.31.255.255
192.168.0.0 – 192.168.255.255
Through the NAT mechanism, an enterprise’s internal networks can use any
IP addresses that fall in the three private spaces. Note that, private IP
addresses can not pass through routers to their destinations.
Packet Filtering
Packet Filters check the headers of IP, TCP and ICMP packets to gather
information, such as sources addresses, source ports, destination
addresses, and destination ports. It also checks the relationships between
packets to decide whether a packet is for normal connection. In this way,
attacks can be detected and blocked.
Address
Each address in Address Table can be either an IP address or a sub-network
address. Administrators can create a name for a specific address for easier
reference. Basically, base on the networks they are located, IP address falls
into 3 categories: Internal IP addresses, external IP addresses and DMZ IP
addresses. When setting up policies, administrators choose IP addresses in
Address Table as the source/destination addresses. So Address Table has to
be constructed before setting up policies.
Address Group
The usual way to setup different packet IP filters for the same policy is to
create one policy for each filter. If there are 10 IP addresses then 10 policies
have to be created. Address Group is used to simplify this kind of
procedures. The administrator creates a new group name in External Groups
of Address menu and adds all the related IP addresses into that group. After
the group is created, the group name will be shown in Address Table. When
creating a control policy, group name can be specified as the source or
destination address. In this way, only one policy is needed to achieve the
109
same effect as ten policies in the previous example.
Alarm
There are flow alarm and event alarm. Flow alarm’s parameter is setup
before setting up policies. System checks whether the data packet flow
through each policy is higher the setup limit every 10 minutes. If it is, a
record will be added to flow alarm file. When the INTERNET FIREWALL
detects hacker attacks, it records the attacking data in event alarm file, and
sends E-mail to system manger to take emergent steps.
DMZ
DMZ is the network between the firewall’s external interface and routers.
DMZ’s network number is allocated by ISPs. For example, when the network
number an ISP provides is 210.71.253.128 and subnet mask is
255.255.255.240. Machines inside DMZ can have IP addresses ranged from
210.71.253.128 to 210.71.253.140, sixteen different IP addresses. However,
only thirteen of the sixteen IP addresses ranged from 210.71.253.129 to
210.71.253.141 are useable. 128 is the network number, 143 is the
Broadcasting Address, and 142 is used by router. Because DMZ is located
at the outside of a firewall and is not protected by firewall, it is considered to
be insecure. To fix the loophole, more firewall products provide a dedicate
DMZ interface to provide protection for DMZ connections. In the previous
example, the system manager segments the network into two sub-networks,
210.71.253.128/29 and 210.71.253.136/29 respectively. Since the route’s IP
is 210.71.253.142, the external interface’s IP must be one of
210.71.253.136/29, and DMZ interface’s IP must belong to
210.71.253.128/29. As the following graph shows:
110
HUB
HUB
Net Id=192.168.1.0/24
Net Id=210.71.253.136/29
Firewall
Internal
External
192.168.1.1 210.71.253.138
Router
210.71.253.142
DMZ
210.71.253.130
Internet
Net Id=210.71.253.128/29
HUB
Load Balancing
Load Balancing is a function that Virtual Servers provide. It allows a Virtual
Server to be mapped to more than one physical servers, which provide the
specific service at the same time. When a Virtual Server receives data
packets, it forwards the packet to the first physical server, and the next
packet to the next physical server. The INTERNET FIREWALL uses Least
Connection for load balancing.
Least Connection: Because each physical server has different processing
speeds, Least Connection forwards data packets to the physical server with
the least number of connections at that time. In this way, each packet can
have the least waiting time, and the number of packets a server receives is
proportional to its processing efficiency.
111
Log
There are flow control log and event log. Flow control log’s parameters are
set up the same time control policies are setup. It records details of data
packets of each control policy, including data packet’s start and end time,
disconnect time and length of connection, source address, destination
address and service content.
Event log records details of the firewall’s system configurations changes,
including the user who made the modification, time of change, modified
parameters, and IP address the user uses to logon, etc.
Mapped IP
Both Mapped IP and Virtual Server use IP mapping mechanism to allow
outside users access internal servers through the firewall. They are different
in following ways:
Virtual Server has Load balance feature, and Mapped IP has not.
Virtual Server has a one-to-many mapping relationship to physical servers
and Mapped IP is mapped to physical servers in one-to-one fashion. A
virtual server can be mapped to only one service, such as SMTP, HTTP
or FTP. A Mapped IP can be mapped to all services provided by a
physical server.
Policy
The INTERNET FIREWALL decides whether a data packet can pass
according to values of the policies. A policy’s parameters are source address,
destination address, service, permission, packets’ history, statistics and flow
alarms. Policies can be divided into four categories based on the packets’
source addresses.
Outgoing : Clients are located in internal networks and servers are in
external networks.
Incoming : Clients are located in external networks and servers are in
internal networks.
To DMZ : Client can be located in either internal or external networks and
servers are in DMZ.
From DMZ : Clients are in DMZ and servers are in either internal or
external networks
112
Packet
Direction
Source
Network
Destination
network
Outgoing
Incoming
To DMZ
From DMZ
Internal
External
External,
DMZ
internal
External
Mapped
IP
Virtual
Server
DMZ
113
External,
internal
Schedule
Schedule is used to set up different time intervals conveying different
policies. A policy only works in specified time interval, and is automatically
disabled outside the specified time interval. A specific schedule can be set to
repeat every week or just happen once.
Service
TCP protocol and UDP protocol provided different services. Each service has
a TCP port number and a UDP port number, such as TELNET(23), FTP(21),
SMTP(25), POP3(110), etc. This system supports two kinds of services:
standard services and user defined services. The most popular TCP and
UDP services are already defined in standard services table, and can not be
modified or deleted. Users can setup their own services with proper TCP and
UDP port numbers if necessary. When setting up a user defined service, the
client’s port number range is 1024:65535, and server’s is 0:1023.
Service Group
Similar to address groups, mangers can create new service groups in
[Service Group] option of [Service] menu and assign desired services into
groups.
Using address group and service group can greatly simply the policy creating
process. If there are ten different IP addresses that access five different
server services, such as HTTP, FTP, SMTP, POP3 and TELNET. Without the
concept of address group and service group, (10*5)= 50 policies are needed
to be created. However, with address group in source/destination address
and service group name in service option when setting up a policy, only one
policy is needed instead of 50.
System Configuration
The system configuration file stores system administrator’s name and
password, IP addresses of Firewall’s network interfaces, address table,
service table, virtual servers’ IP addresses and policies. When the
configuration process is completed, system administrator can download the
configuration file into local disc as a backup. System Administrators can
overwrite the firewall’s configuration file with the one stored in disc or restore
the configuration to its default factory settings.
Virtual Server
The Firewall separates an enterprise’s Intranet and Internet into internal
networks and external networks respectively. Generally speaking, in order to
114
allocate enough IP addresses for all computers, an enterprise assigns each
computer a private IP address, and converts it into a real IP address through
the firewall’s NAT (Network Address Translation) function. If a server is
located in the internal network, outside users can’t directly connect to it by
specifying the server’s private IP address. First, we set the real IP address of
an external network interface to the actual IP address of a Virtual Server.
Through IP translation of the Virtual Server, outside users can access the
servers of the internal networks.
Virtual Server owns another feature - one-to-many mapping: one real IP
address on the external interface can be mapped into 4 internal virtual IP
addresses. Because of the Load Balance feature, Virtual Server can
distribute data packets evenly to each private IP address (which is the
physical server) based on their weightings. Thus increases server’s
efficiency, reduces risks of server crashes, and enhances servers’ stability.
Trouble-Shooting
Q:
How to upgrade the INTERNET FIREWALL’s software?
A:
The INTERNET FIREWALL’s software and system parameters are
all stored in the Flash Memory. The Flash Memory is re-writable and
re-readable. Users can contact the distributors to obtain the newest
version of software.
After having the newest version of software from the distributor,
please store it in the hard disk, then connect to the firewall’s WebUI,
enter Software Update of the Administration menu, click the file
name of the newest version of software, then click Ok.
The updating process won’t overwrite the system configuration, so it
is not necessary to save it before updating the software.
Q:
How to back up system configuration?
A:
To change system parameters settings without destroying the original
system configuration, the user can choose Export System Settings to
Client in Settings under the Administration menu. Users can upload
the backup system configuration from hard disk to the firewall in
Import System setting from Client.
Q:
Which server can be installed in DMZ?
A:
The Internet Firewall provides three Interface Ports to divide the
115
enterprise’s networks into internal networks, external networks, and
DMZ. The internal networks use private IP addresses, which routers
can’t transfer. Therefore server’s IP address needs to be a real IP
address instead of a private one. External Internet users can’t
connect to any server with private IP address in the internal networks
directly. DMZ employs real IP addresses. By setting the permission
in DMZ policies to allow packets to flow through, servers inside DMZ
can exchange packet with any Internet IP address. There is no
restriction about which kind of server is used in DMZ.
Q:
What is the difference in privileges of admin and sub admin?
A:
The INTERNET FIREWALL sets the system administrator’s name
and password to admin. When the administrator sets up the system
the first time, the installation wizard asks administrators to change
the password for admin (user name ‘admin’ can not be changed). In
the admin menu under Administration, the admin may add or change
the name and password of sub admin. The administrator can change
the firewall’s system parameters when logged into the firewall as
“admin”. The “sub admin” can only browse the system configuration
and have no privileges to modify it. Therefore, admin has ‘read’ and
‘write’ privileges, but sub admin has only ‘read’ privilege.
Q:
What are the default settings of the INTERNET FIREWALL ?
A:
The INTERNET FIREWALL has three main default settings; users
need to modify them to fit their environment to achieve optimum
performance.
1. The system administrator’s name and password are both ‘admin’
(lower case). The name “admin” can’t be changed, and the
password should be modified and recorded at the time of
installation.
2. The internal Interface IP address is set to 192.168.1.1 in the
factory. The system administrator needs to change it to private IP
address of the enterprise’s internal networks. Then set IP
addresses of External and DMZ interface according to the real IP
addresses allocated by ISP.
3. Internal network, external network and DMZ can’t communicate
to each other by default. So computers in the internal network
can’t access any Internet address when users connect the
INTERNET FIREWALL to internal and external network. System
116
administrator has to define policies with proper permissions in
Outgoing under the Policy menu, such as to permit certain IP
addresses in the internal network to access some web
addresses.
Q:
How to install the INTERNET FIREWALL for the first time?
A:
There are six steps to follow:
Step 1:
First connect the administrator’s PC and the Firewall’s
internal interface card to the same HUB or Switch, change
PC’s IP address to : 192.168.1.2 - 192.168.1.254. Then
restart the computer to activate new IP address. Run
Browser and enter http://192.168.1.1 in URL field to
access Firewall WebUI.
Step 2:
Browser will ask or the user’s name and password enter
‘admin’ and password.
Step 3:
Then WebUI will request the user to change password.
Change it and record the new password. The user name is
still ‘admin’.
Step 4: Set new Internal IP Address (enterprise’s private IP address)
and External IP Address (allocated by ISP provider).
Step 5:
If the new Internal IP Address doesn’t belong to
192.168.1.0 network, such as 172.16.0.1, the administrator
needs to change PC’s IP address to 172.16.0.1,or other IP
address of the same network and restart the computer to
activate new IP address. After the new IP address is
activated, use browser to access http://172.16.0.1.
Step 6:
Enter the main window of administration policies under
WebUI, click New Policy, go to Add New Policy window,
click OK to complete the installation process.
Q:
In the Outgoing menu, I set the source address to “InsideAny”, the destination address to “Outside-any”, the service to
HTTP, and the action to Permit. Why do the computers of the
internal network still cannot access the Internet?
A:
Usually the DNS of the clients point to the DNS server outside of the
firewall. When converting a URL to IP address, the browser sends
out DNS service packet to the external DNS server. If the firewall
117
doesn’t allow DNS service packet to pass, the URL cannot be
mapped to the IP address and the connection fails.
118
Q:
Why can’t users of external networks still store data into virtual
server when virtual server or IP mapping has been set
successfully?
A:
In order to open a virtual server to external networks, Administrator
needs to make sure, in the Incoming menu, there is a policy of
source address pointing to external IP address, destination address
to the virtual server or Mapped IP and with permission to allow
inward packets to pass through.
Q:
Can Admin modify the internal and external interface IP
addresses anytime?
A:
No, because the names in the address table are set according to the
IP addresses of internal and external interface cards, and the source
address and destination address of policies are set according to
address table. The IP addresses of the INTERNET FIREWALL’s
internal interface and external interface are foundations of
administration policies. If the administrator wants to change the
INTERNET FIREWALL’s IP address, the admin will need to clean up
all the administration policies and address table.
Q:
Are there any rules to follow when setting up administration
policies?
A:
When setting up policies, administrators need to follow [small to big]
principle. This means that when the source address, destination
address and service items of a policy is the subset of another policy,
it is necessary to set policy of the subset first. For example, the
sequence to set policies for individual worker, department, and every
worker in the company is:
Individual → Department→Every worker
If subset policies are defined after the main policies, policies defined
by the subset became invalid. For example, the new policy is:
Every worker → Department→ Individual
The policies of departments and individuals are subsets of policies of
every worker, so policies defined by the latter two are invalid.
119
Setup Examples
Example 1: Allow the Internal network to be able to access the Internet
Example 2: The Internal network can only access Yahoo.com website
Example 3: Outside users can access the internal FTP server through
Virtual Servers
Example 4: Install a server inside the Internal network and have the
Internet (External) users access the server through IP
Mapping----------------------------------------------
Please see the explanation of the examples below:
Example 1: Allow the Internal network to be able to access the
Internet
Step 1 Enter the Outgoing window under the Policy menu.
Step 2 Click the New Entry button on the bottom of the screen.
Step 3 In the Add New Policy window, enter each parameter, then click OK.
Step 4 When the following screen appears, the setup is completed.
120
121
Example 2: The Internal network can only access Yahoo.com
website.
Step 1. Enter the External window under the Address menu.
Step 2. Click the New Entry button.
Step 3. In the Add New Address window, enter relating parameters.
Step 4. Click OK to end the address table setup.
Step 5. Go to the Outgoing window under the Policy menu.
Step 6. Click the New Entry button.
Step 7. In the Add New Policy window, enter corresponding parameters.
Click OK.
Step 8.
When the following screen appears, the setup is completed.
122
Example 3: Outside users can access the internal FTP server
through Virtual Servers
Step 1.
Enter Virtual Server under the Virtual Server menu.
Step 2.
Click the ‘click here to configure’ button.
Step 3.
Select an External IP address, then click OK.
Step 4. Click the New Service button on the bottom of the screen.
Step 5. Add the FTP service pointing to the internal server IP address.
Click OK.
Step 6.
A new Virtual Service should appear.
123
Step 7. Go to the Incoming window under the Policy menu, then click on
the New Entry button.
Step 8.
In the Add New Policy window, set each parameter, then click
OK.
Step 9. An Incoming FTP policy should now be created.
124
Example 4: Install a server inside the Internal network and have
the Internet (External) users access the server
through IP Mapping
Step 1. Enter the Mapped IP window under the Virtual Server menu.
Step 2. Click the New Entry button.
Step 3.
In the Add New IP Mapping window, enter each parameter, and
then click OK.
Step 4.
When the following screen appears, the IP Mapping setup is
completed.
Step 5. Go to the Incoming window under the Policy menu.
Step 6. Click the New Entry button.
Step 7. In the Add New Policy window, set each parameter, then click OK.
125
Step 8. Open all the services. (ANY)
Step 9. The setup is completed.
126
Specifications
Standard
IEEE802.3, 10BASE-T
IEEE802.3u, 100BASE-TX
IEEE802.3x full duplex operation and flow control
Interface
1 * 10/100 RJ-45 WAN port
1 * 10/100 RJ-45 DMZ port
4 * 10/100 RJ-45 Fast Ethernet switching LAN ports
1 * Factory Reset Button
Cable Connections
Network Data Rate
RJ-45 (10BASE-T): Category 3,4,5 UTP/STP
RJ-45 (100BASE-TX): Category 5 UTP/STP
Ethernet: Auto-negotiation (10Mbps, 100Mbps)
Transmission Mode
Auto-negotiation (Full-duplex, Half-duplex)
LED indicators
Buffer Memory / MAC
address
System Memory
Emission
Operating Temperature
Operating Humidity
Power Supply
Dimension
System
Power
Port (LAN/WAN)
SPEED
LINK/ACT
FDX/COL
1Mbit / 2K MAC address entries
16MB Flash
32MB RAM
FCC Class A, CE
00 ~ 500C (320 ~ 1220F)
10% - 90%
External Power Adapter, 12VDC/1A
210 * 148 * 35 mm
127
Was this manual useful for you? yes no
Thank you for your participation!

* Your assessment is very important for improving the work of artificial intelligence, which forms the content of this project

Download PDF

advertisement