Micronet SP881 Broadband VPN Firewall Manual

QUICK INSTALLATION GUIDE
Broadband VPN Firewall
MODEL NO.: SP881
http://www.micronet.com.tw
CE Mark Warning
This equipment complies with the requirements relating to electromagnetic
compatibility, EN55022 class A for ITE, the essential protection requirement of Council
Directive 89/336/EEC on the approximation of the laws of the Member States relating
to electromagnetic compatibility.
FCC Certifications
This Equipment has been tested and found to comply with the limits for a Class A digital
device, pursuant to Part 15 of the FCC rules. These limits are designed to provide
reasonable protection against harmful interference in a residential installation. This
equipment generates, uses and can radiate radio frequency energy and, if not installed and
used in accordance with the instructions, may cause harmful interference to radio
communications. However, there is no guarantee that interference will not occur in a
particular installation. If this equipment does cause harmful interference to radio or
television reception, which can be determined by turning the equipment off and on, the user
is encouraged to try to correct the interference by one or more of the following measures:
- Reorient or relocate the receiving antenna.
- Increase the separation between the equipment and receiver.
- Connect the equipment into an outlet on a circuit different from that to which the receiver is
connected.
- Consult the dealer or an experienced radio/TV technician for help.
This device complies with Part 15 of the FCC Rules. Operation is subject to the following
two conditions: (1) this device may not cause harmful interference, and (2) this device must
accept any interference received, including interference that may cause undesired
operation.
Company has an on-going policy of upgrading its products and it may be possible that
information in this document is not up-to-date. Please check with your local distributors
for the latest information. No part of this document can be copied or reproduced in any
form without written consent from the company.
Trademarks:
All trade names and trademarks are the properties of their respective companies.
Copyright © 2003, All Rights Reserved.
Document Version: 2.0

Contents
CONTENTS OF PACKAGE ............................ 1
VPN FIREWALL OVERVIEW .......................... 1
HARDWARE DESCRIPTION ........................... 3
QUICK SETUP .................................... 5
ADMINISTRATION ................................. 9
CONFIGURATION ................................. 19
ADDRESS ....................................... 42
SERVICE ....................................... 55
SCHEDULE ...................................... 61
POLICY ........................................ 63
VPN ........................................... 76
CONTENT FILTERING ............................. 82
VIRTUAL SERVER ............................... 816
LOG ........................................... 94
ALARM ......................................... 99
STATISTICS ................................... 102
STATUS ....................................... 103
GLOSSARY ..................................... 105
TROUBLE-SHOOTING ............................. 119
SETUP EXAMPLES ............................... 124
SPECIFICATIONS ............................... 130
Contents of Package

VPN FIREWALL Overview
The VPN FIREWALL provides four 10/100Mbit Ethernet network interface
ports which are the Internal/LAN, External/WAN, and DMZ port. It also
provides an easily operated software Web UI which allows users to set
system parameters or monitor network activities using a web browser.

VPN FIREWALL security feature
Some functions that are available in the firewall are: Packet Filter, Proxy
Server, Hacker invasion alarm, Packet monitor log, Policy, etc.

VPN FIREWALL supporting protocols
The VPN FIREWALL supports all the TCP, UDP and ICMP protocols, such
as HTTP, TELNET, SMTP, POP3, FTP, DNS, PING, etc. System
Administrators can set up proprietary protocols according to operating
requirements.

VPN FIREWALL installation
This product is a hardware firewall. Therefore the installation is much
easier than a software firewall. First the user has to prepare three network
cables, and connect them to the internal, external and DMZ connectors
respectively. The internal interface has to connect to the office's internal
network on the same HUB/Switch. The external interface has to connect
with an external router, DSL modem, or Cable modem. The DMZ interface
connects to an independent HUB/Switch for the DMZ network.

VPN FIREWALL function setting
The VPN FIREWALL has a built-in WEB UI (Web User Interface). All
configuration and management are done through the WEB UI using an
Internet web browser.

VPN FIREWALL monitoring function
The firewall provides monitoring functions which contain traffic log, event
log, traffic alarm, event alarm, and traffic statistics. Traffic alarm records
the packets of hacker invasions. Not only does the firewall log these
attacks, it can be set up to send E-mail alerts to the Administrator
automatically for immediate crisis management of a hacker's invasion.
Hardware Description
DMZ Port: Use this port to connect to the company's server(s),
which need direct connection to the Internet (FTP, SNMP, HTTP,
DNS).
External Port (WAN): Use this port to connect to the external router, DSL
modem, or Cable modem.
Internal Port (LAN): Use this port to connect to the internal network
of the office.
Reset: Reset the VPN FIREWALL to the original default settings.
DC Power: connect one end of the power supply to this port, the
other end to the electrical wall outlet.
All ports support MDI/MDI-X auto crossover capability, that is, the port can
connect to either a PC or a hub without crossover cable adjustment.

Connecting Example:
Firewall:
Internal Port = 192.168.1.1
DMZ Port = 192.168.2.1
External Port = x.x.x.x (provided by ISP)
Connection Type: 10/100 Mbps Cable Connection
VPN FIREWALL Software (management tool) description

VPN FIREWALL management tool: Web UI
The main menu functions are located on the left-hand side of the screen,
and the display window will be on the right-hand side. The main functions
include items, which are: Administrator, Configuration, Address, Service,
Schedule, Policy, VPN, Content Filtering, Virtual Server, Log, Alarm,
Statistics, and Status.

Quick Setup

Web UI Configuration example
Step 1:
Connect both the Administrator's PC and the Internal (LAN) port of the VPN
FIREWALL to a hub or switch. Make sure there is a link light on the
hub/switch for both connections. The VPN FIREWALL has an embedded
web server used for management and configuration. Use a web browser to
display the configurations of the firewall (such as Internet Explorer 4 (or
above) or Netscape 4.0 (or above) with full JavaScript support). The default
IP address of the firewall is 192.168.1.1 with a subnet mask of
255.255.255.0. Therefore, the IP address of the Administrator PC must be
in the range between 192.168.1.2/24 ~ 192.168.1.254/24.
If the company's internal IP Address is not in the 192.168.1.0 subnet (i.e.
the Internal IP Address is 172.16.0.1), the Administrator must change his/her
PC IP address to be within the same range as the internal subnet (i.e.
192.168.1.0). Reboot the PC if necessary.
By default, the VPN FIREWALL is shipped with its DHCP Server function
enabled. This means the client computers on the internal (LAN) network
including the Administrator PC can set their TCP/IP settings to
automatically obtain an IP address from the VPN FIREWALL.
The following table is a list of private IP addresses. These addresses may
not be used as an External IP address.
10.0.0.0 ~ 10.255.255.255
172.16.0.0 ~ 172.31.255.255
192.168.0.0 ~ 192.168.255.255
Once the Administrator PC has an IP address on the same network as the
VPN FIREWALL, open up an Internet web browser and type in
http://192.168.1.1 in the address bar.
A pop-up screen will appear and prompt for a username and password. A
username and password are required in order to connect to the firewall. Enter
the default login username and password of Administrator (see below).
Username: admin
Password: admin
Step 2:
After entering the username and password, the VPN FIREWALL WEBUI
screen will display.
Select the Configuration tab on the left menu and a sub-function list will be
displayed. Click on Interface from the sub-function list, and enter proper
Layer 3 network setup information. (for example)
Internal interface
IP Address: 192.168.1.1
NetMask: 255.255.255.0
External interface
IP Address: 211.22.93.2
NetMask: 255.255.255.0
Default Gateway: 211.22.93.1
Note: The above figures are only examples. Please fill in the
appropriate IP address information provided to you by the ISP.
Click on the Policy tab from the main function menu, then click on
Outgoing from the sub-function list.
Click on the New Entry button.
When the New Entry option appears, then enter the following
configuration:
Source Address – select "Inside_Any"
Destination Address – select "Outside_Any"
Service – select "ANY"
Action – select "Permit"
Click on OK to apply the changes.
The configuration is successful if you see the screen below. Make sure
that all the computers that are connected to the Internal (LAN) port have
their Default Gateway IP Address set to the Firewall's Internal IP Address
(i.e. 192.168.1.1). At this point, all the computers on the Internal network
should gain access to the Internet immediately. If a firewall filter function is
required, please refer to the Policy section.
Administration
The VPN FIREWALL Administration and monitoring control is set by the
System Administrator. The System Administrator can add or modify System
settings and monitoring mode. The sub Administrators can only read
System settings but not modify them. In Administration, the System
Administrator can:
(1) Add and change the sub Administrator's names and passwords;
(2) Back up all Firewall settings into local files;
(3) Set up alerts for Hackers invasion.

What is Administration?
"Administration" is the managing of settings such as the privileges of
packets that pass through the firewall and monitoring controls.
Administrators may manage, monitor, and configure firewall settings. All
configurations are "read-only" for all users other than the Administrator;
those users are not able to change any settings for the firewall.
The three sub functions under Administrator are Admin, Setting,
Date/Time, Language, Permitted IPs, Logout and Software Update.
Administrator: has control of user access to the firewall. He/she can
add/remove users and change passwords.
Setting: The Administrator may use this function to backup firewall
configurations and export (save) them to an "Administrator" computer or
anywhere on the network; or restore a configuration file to the VPN
FIREWALL; or restore the firewall back to default factory settings. Under
Setting, the Administrator may enable e-mail alert notification. This will
alert Administrator(s) automatically whenever the firewall has experienced
unauthorized access or a network hit (hacking or flooding). Once enabled,
an IP address of a SMTP (Simple Mail Transfer Protocol) Server is required.
Up to two e-mail addresses can be entered for the alert notifications.
Software Update: Administrators may visit the distributor's web site to
download the latest firmware. Administrators may update the VPN
FIREWALL firmware to maximize its performance and stay current with the
latest fixes for intruding attacks.

Firewall Administration setup
On the left hand menu, click on Administration, and then select
Administrator below it. The current list of Administrator(s) shows up.
Settings of the Administration table:
Administrator Name: The username of Administrators for the firewall. The
user admin cannot be removed.
Privilege: The privileges of Administrators (Admin or Sub Admin).
The username of the main Administrator is Administrator with read/write
privilege.
Sub Admins may be created by the Admin by clicking New Sub Admin.
Sub Admins have read only privilege.
Configure: Click Modify to change the "Sub Administrator's" password and
click Remove to delete a "Sub Administrator."

Changing the Sub-Administrator's Password:
Step 1. In the Administration window, locate the Administrator name
you want to edit, and click on Modify in the Configure field.
Step 2. The Modify Administrator Password window will appear.
Enter in the required information:
• Password: enter the original password.
• New Password: enter the new password.
• Confirm Password: enter the new password again.
Step 3. Click OK to confirm the password change or click Cancel to cancel it.

Adding a new Sub Administrator:
Step 1. In the Administration window, click the New Sub Admin button
to create a new Sub Administrator.
Step 2. In the Add New Sub Administrator window:
• Sub Admin Name: enter the username of the new Sub Admin.
• Password: enter a password for the new Sub Admin.
• Confirm Password: enter the password again.
Step 3. Click OK to add the user or click Cancel to cancel the addition.

Removing a Sub Administrator:
Step 1. In the Administration table, locate the Administrator name you
want to edit, and click on the Remove option in the Configure
field.
Step 2. The Remove confirmation pop-up box will appear.
Step 3. Click OK to remove that Sub Admin or click Cancel to cancel.
Settings
The Administrator may use this function to backup firewall configurations
and export (save) them to an "Administrator" computer or anywhere on
the network; or restore a configuration file to the device; or restore the
firewall back to default factory settings.

Entering the Settings window:
Click Setting in the Administrator menu to enter the Settings window.
The Firewall Configuration settings will be shown on the screen.

Exporting VPN FIREWALL settings:
Step 1. Under Firewall Configuration, click on the Download button
next to Export System Settings to Client.
Step 2. When the File Download pop-up window appears, choose the
destination place in which to save the exported file. The
Administrator may choose to rename the file if preferred.

Importing Firewall settings:
Step 1. Under Firewall Configuration, click on the Browse button next
to Import System Settings. When the Choose File pop-up
window appears, select the file which contains the saved
Firewall Settings, then click OK.
Step 2. Click OK to import the file into the Firewall or click Cancel to
cancel importing.

Restoring Factory Default Settings:
Step 1. Select Reset Factory Settings under Firewall Configuration.
Step 2. Click OK at the bottom-right of the screen to restore the factory
settings.
Enabling E-mail Alert Notification:
Step 1. Select Enable E-mail Alert Notification under E-Mail Settings.
This function will enable the Firewall to send e-mail alerts to the
System Administrator when the network is being attacked by
hackers or when emergency conditions occur.
Step 2. SMTP Server IP: Enter the SMTP server's IP address.
Step 3. E-Mail Address 1: Enter the first e-mail address to receive the
alarm notification.
Step 4. E-Mail Address 2: Enter the second e-mail address to receive
the alarm notification. (Optional)
Step 5. Click OK on the bottom-right of the screen to enable E-mail alert
notification.

MTU Setting
PPPoE uses a Maximum Transmission Unit (MTU) setting of 1492 bytes,
while all client computers (Windows IE browsers) usually use the default
MTU of 1500 bytes. Existing Internet standards address this issue;
however, some web sites do not conform to these standards, which causes
the access problem.

To-Appliance Packets Log
Select this option to enable the VPN FIREWALL's To-Firewall Packets Log. Once
this function is enabled, every packet to this appliance will be recorded for
the system manager to trace.

Firewall Reboot
Select this option to reboot the VPN FIREWALL. Once this
function is selected, the firewall will reboot.

Web Management (External Interface)
The number is the port number on which you can access the Web
Management Interface from the WAN port. Web browsers use port 80 by
default for connection. For security reasons, you can change the port
number or clear the check box to disable it in Configuration \ Interface \
External Interface \ WEB UI.
Date/Time
This option can synchronize the system clock of the appliance. This will
allow the logs to be time stamped correctly according to the computer clock
time.
Step 1. Click System → Date/Time.
Step 2. Click the down arrow to select the offset time from GMT, or
click Assist to select a time zone in the pop-up screen.
Step 3. Enter the Server IP Address or Server name with which you want
to synchronize, or click Assist to select a Network Time Server.
Step 4. Update system clock every ___ minutes: You can set the interval
time to synchronize with outside servers. If you set it to 0, it
means the device will not synchronize automatically.
Step 5. Synchronize system clock with this client: You can
synchronize the system clock with this client computer by clicking
the Sync button.
Step 6. Click the OK button below to change the setting or click Cancel
to discard changes.

Language
The software provides English version, Traditional Chinese Version and
Simplified Chinese Version for you to choose.
Step 1. Click Language.
Step 2. Select the language version you want (English Version,
Traditional Chinese Version and Simplified Chinese Version).
Step 3. Click OK to change the language version or click Cancel to
discard changes.

Logout the firewall
Select this option to log out of the VPN FIREWALL; this
function protects your system while you are away.

Software Update
Under Software Update, the admin may update the VPN FIREWALL's
software with newer software.
Step 1. Click the Software Update tab.
Step 2. Click the Browse button and specify the file path on the local host.
Step 3. Click the OK button.
Configuration
What is System Configuration?
In this section, the Administrator can set up the IP addresses for the office
network. The Administrator may configure the IP addresses of the Internal
(LAN) network, the External (WAN) network, and the DMZ network. The
netmask and gateway IP addresses are also configured in this section.
In this section, the Administrator can:
(1) Set up the internal, external and DMZ IP addresses
(2) Set up the Multiple NAT
(3) Set up the Firewall detecting functions
(4) Set up a static route
(5) Set up the DHCP Server
(6) Set up DNS Proxy
(7) Set up Dynamic DNS
Note: After all the settings of the Firewall configuration have been
set, the Administrator can backup the System configuration
into the local hard drive as shown in the Administrator
section of this manual under the Settings.

Interface:
Entering the Interface menu:
Click on Configuration in the left menu bar. Then click on Interface below
it. The current settings of the interface addresses will appear on the screen.
Configuring the Interface Settings:

Internal Interface
Using the Internal Interface, the Administrator sets up the Internal (LAN)
network. The Internal network will use a private IP scheme. The private IP
network will not be routable on the Internet.
IP Address: The private IP address of the Firewall's internal network is the
IP address of the Internal (LAN) port of the VPN FIREWALL. The default IP
address is 192.168.1.1.
Note: The IP Address of the Internal Interface and the DMZ Interface is
a private IP address only.
If the new Internal IP Address is not 192.168.1.1, the Administrator needs
to set the IP Address on the computer to be on the same subnet as the
Firewall and restart the System to make the new IP address effective. For
example, if the Firewall's new Internal IP Address is 172.16.0.1, then enter
the new Internal IP Address 172.16.0.1 in the URL field of the browser to
connect to the Firewall.
NetMask: This is the netmask of the internal network. The default netmask
of the VPN FIREWALL is 255.255.255.0.
Ping: Select this to allow the internal network to ping the IP Address of the
Firewall. If set to enable, the VPN FIREWALL will respond to
ping packets from the internal network.
Web UI: Select this to allow the VPN FIREWALL WEB UI to be accessed
from the Internal (LAN) network.

External Interface
Using the External Interface, the Administrator sets up the External (WAN)
network. These IP Addresses are real public IP Addresses, and are
routable on the Internet.

PPPoE (ADSL User):
This option is for PPPoE users who are required to enter a username and
password in order to connect, such as ADSL users.
Current Status: Displays the current line status of the PPPoE
connection.
IP Address: Displays the IP Address of the PPPoE connection.
Username: Enter the PPPoE username provided by the ISP.
Password: Enter the PPPoE password provided by the ISP.
IP Address provided by ISP:
Dynamic: Select this if the IP address is automatically assigned by
the ISP.
Fixed: Select this if you were given a static IP address. Enter the IP
address that is given to you by your ISP.
Service-On-Demand:
Auto Disconnect: The PPPoE connection will automatically
disconnect after a length of idle time (no activities). Enter in the
amount of idle minutes before disconnection. Enter '0' if you do not
want the PPPoE connection to disconnect at all.
Ping: Select this to allow the external network to ping the IP
Address of the Firewall. This will allow people from the Internet to
be able to ping the Firewall. If set to enable, the VPN FIREWALL
will respond to echo request packets from the external network.
Web UI: Select this to allow the VPN FIREWALL WEB UI to be
accessed from the External (WAN) network. This will allow the Web
UI to be configured from a user on the Internet. Keep in mind that
the VPN FIREWALL always requires a username and password to
enter the Web UI.

Dynamic IP Address (Cable Modem User):
This option is for users who are automatically assigned an IP address by
their ISP, such as cable modem users. The following fields apply:
IP Address: The dynamic IP address obtained by the Firewall from
the ISP will be displayed here. This is the IP address of
the External (WAN) port of the VPN FIREWALL.
MAC Address: This is the MAC Address of the VPN FIREWALL.
Hostname: This will be the name assigned to the VPN FIREWALL.
Some cable modem ISPs assign a specific hostname in
order to connect to their network. Please enter the
hostname here. If not required by your ISP, you do not
have to enter a hostname.
Ping: Select this to allow the external network to ping the IP
Address of the Firewall. This will allow people from the
Internet to be able to ping the Firewall. If set to enable,
the VPN FIREWALL will respond to echo request
packets from the external network.
Web UI: Select this to allow the VPN FIREWALL WEBUI to be
accessed from the External (WAN) network. This will
allow the Web UI to be configured from a user on the
Internet. Keep in mind that the VPN FIREWALL always
requires a username and password to enter the Web
UI.

Static IP Address:
This option is for users who are assigned a static IP Address from their ISP.
Your ISP will provide all the information needed for this section such as IP
Address, Netmask, Gateway, and DNS. Use this option also if you have
more than one public IP Address assigned to you.
IP Address: Enter the static IP address assigned to you by your ISP.
This will be the public IP address of the External (WAN)
port of the VPN FIREWALL.
Netmask: This will be the Netmask of the external (WAN) network.
(i.e. 255.255.255.0)
Default Gateway: This will be the Gateway IP address.
Domain Name Server (DNS): This is the IP Address of the DNS
server.
Ping: Select this to allow the external network to ping the IP
Address of the Firewall. This will allow people from the
Internet to be able to ping the Firewall. If set to enable,
the VPN FIREWALL will respond to echo request packets
from the external network.
Web UI: Select this to allow the VPN FIREWALL WEBUI to be
accessed from the External (WAN) network. This will
allow the Web UI to be configured from a user on the
Internet. Keep in mind that the VPN FIREWALL always
requires a username and password to enter the Web UI.

DMZ Interface
The Administrator uses the DMZ Interface to set up the DMZ network. The
DMZ network consists of server computers such as FTP, SMTP, and HTTP
(web). These server computers are put in the DMZ network so they can be
isolated from the Internal (LAN) network traffic. Broadcast messages from
the Internal network will not cross over to the DMZ network to cause
congestion and slow down these servers. This allows the server
computers to work efficiently without any slowdowns.
IP Address: The private IP address of the Firewall's DMZ interface.
This will be the IP address of the DMZ port. The IP address the
Administrator chooses will be a private IP address and cannot use
the same network as the External or Internal network.
NetMask: This will be the netmask of the DMZ network.

Multiple NAT
Multiple NAT allows the local port to set multiple subnetworks and connect with
the internet through different external IP Addresses.
For instance: the leased line of a company applies several real IP Addresses
168.85.88.0/24, and the company is divided into R&D department, service,
sales department, procurement department, accounting department; the
company can distinguish each department by different subnetworks for the
purpose of convenient management. The settings are as the following:
1. R&D department subnetwork:
192.168.1.11/24 (Internal) <-> 168.85.88.253 (External)
2. Service department subnetwork:
192.168.2.11/24 (Internal) <-> 168.85.88.252 (External)
3. Sales department subnetwork:
192.168.3.11/24 (Internal) <-> 168.85.88.251 (External)
4. Procurement department subnetwork:
192.168.4.11/24 (Internal) <-> 168.85.88.250 (External)
5. Accounting department subnetwork:
192.168.5.11/24 (Internal) <-> 168.85.88.249 (External)
The first department (R&D department) was set while setting the interface IP;
the other four have to be added in Multiple NAT. After completing the
settings, each department uses a different WAN IP Address to connect to
the internet. The settings of each department are as the following
(Service):
IP Address: 192.168.2.1
Subnet Mask: 255.255.255.0
Default Gateway: 192.168.2.11
The other departments are also set by groups; this is the function of
Multiple NAT.
Add Multiple NAT
Step 1. Click Multiple NAT in the Configuration menu to enter the Multiple
NAT window.
Step 2. Click the New Entry button below to add Multiple NAT.
Step 3. Enter the IP Address in the website name column of the new
window.
• External Interface IP: WAN IP address (public IP)
• Alias IP of internal Interface: LAN IP address (private IP)
• Netmask: Netmask of your network
Step 4. Click OK to add Multiple NAT or click Cancel to discard changes.

Modify Multiple NAT
Step 1. Click Multiple NAT in the Configuration menu to enter the Multiple
NAT window.
Step 2. Find the IP Address you want to modify and click Modify.
Step 3. Enter the new IP Address in the Modify Multiple NAT window.
Step 4. Click the OK button below to change the setting or click Cancel to
discard changes.

Remove Multiple NAT
Step 1. Click Multiple NAT in the Configuration menu to enter the Multiple
NAT window.
Step 2. Find the IP Address you want to delete and click Remove.
Step 3. A confirmation pop-up box will appear; click OK to delete the
setting or click Cancel to discard changes.
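As an added example, not from this manual or the firewall's firmware, the Python below models the Multiple NAT table from the five-department example above and enforces the rule stated in Quick Setup that the private ranges 10.0.0.0/8, 172.16.0.0/12 and 192.168.0.0/16 may not be used as External addresses. The MultipleNat class, its method names and the lookup behaviour are my own assumptions about how such a table behaves.

```python
import ipaddress

# Private address ranges listed in the manual's Quick Setup section; the manual
# says these may not be used as an External (WAN) IP address.
PRIVATE_RANGES = (
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
)


def is_private(addr):
    """True if addr falls inside one of the manual's private address ranges."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in PRIVATE_RANGES)


class MultipleNat:
    """Multiple NAT table: each internal subnetwork leaves through its own WAN IP.

    Hypothetical model of the firewall's table, not the device's own code.
    Entries are stored as (internal network, alias IP, external IP).
    """

    def __init__(self, internal_ip, netmask, external_ip):
        self.entries = []
        # The first subnetwork is the one set on the Interface page itself.
        self.add(external_ip, internal_ip, netmask)

    def add(self, external_ip, alias_ip, netmask):
        """Add an entry using the three fields of the Add Multiple NAT window."""
        if is_private(external_ip):
            raise ValueError(f"{external_ip} is private; not usable as External Interface IP")
        if not is_private(alias_ip):
            raise ValueError(f"{alias_ip} is not private; not usable as alias IP")
        net = ipaddress.ip_network(f"{alias_ip}/{netmask}", strict=False)
        for existing, _, _ in self.entries:
            if net.overlaps(existing):
                raise ValueError(f"{net} overlaps existing subnetwork {existing}")
        self.entries.append((net, ipaddress.ip_address(alias_ip),
                             ipaddress.ip_address(external_ip)))

    def external_for(self, source_ip):
        """WAN IP that traffic from source_ip is translated to, or None if unmapped."""
        src = ipaddress.ip_address(source_ip)
        for net, _, ext in self.entries:
            if src in net:
                return str(ext)
        return None

    def gateway_for(self, source_ip):
        """Default gateway a host in that subnetwork should use (its alias IP)."""
        src = ipaddress.ip_address(source_ip)
        for net, alias, _ in self.entries:
            if src in net:
                return str(alias)
        return None


def department_table():
    """The five-department example from the manual, built as a table."""
    nat = MultipleNat("192.168.1.11", "255.255.255.0", "168.85.88.253")  # R&D (Interface page)
    nat.add("168.85.88.252", "192.168.2.11", "255.255.255.0")  # Service
    nat.add("168.85.88.251", "192.168.3.11", "255.255.255.0")  # Sales
    nat.add("168.85.88.250", "192.168.4.11", "255.255.255.0")  # Procurement
    nat.add("168.85.88.249", "192.168.5.11", "255.255.255.0")  # Accounting
    return nat


if __name__ == "__main__":
    table = department_table()
    for host in ("192.168.1.50", "192.168.2.1", "192.168.5.200", "10.9.9.9"):
        print(host, "->", table.external_for(host), "gateway", table.gateway_for(host))
```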
Hacker Alert
The Administrator can enable the VPN FIREWALL's auto detect functions
in this section. When abnormal conditions occur, the Firewall will send an
e-mail alert to notify the Administrator, and also display warning messages
in the Event window of Alarm.
• Detect SYN Attack: Select this option to detect TCP SYN
attacks that hackers send to server computers continuously to
block or cut down all the connections of the servers. These
attacks will prevent valid users from connecting to the servers.
After enabling this function, the System Administrator can enter
the number of SYN packets per second that is allowed to enter the
network/firewall. Once the SYN packets exceed this limit, the
activity will be logged in Alarm and an email alert is sent to the
Administrator. The default SYN flood threshold is set to 200
Pkts/Sec.
• Detect ICMP Flood: Select this option to detect ICMP flood
attacks. When hackers continuously send PING packets to all the
machines of the internal networks or to the Firewall, your network
is experiencing an ICMP flood attack. This can cause traffic
congestion on the network and slows the network down. After
enabling this function, the System Administrator can enter the
number of ICMP packets per second that is allowed to enter the
network/firewall. Once the ICMP packets exceed this limit, the
activity will be logged in Alarm and an email alert is sent to the
Administrator. The default ICMP flood threshold is set to 1000
Pkts/Sec.
• Detect UDP Flood: Select this option to detect UDP flood
attacks. A UDP flood attack is similar to an ICMP flood attack.
After enabling this function, the System Administrator can enter
the number of UDP packets per second that is allowed to enter the
network/firewall. Once the UDP packets exceed this limit, the
activity will be logged in Alarm and an email alert is sent to the
Administrator. The default UDP flood threshold is set to 1000
Pkts/Sec.
• Detect Ping of Death Attack: Select this option to detect the
attacks of tremendous trash data in PING packets that hackers
send to cause System malfunction. This attack can cause network
speed to slow down, or even make it necessary to restart the
computer to get normal operation.
• Detect Tear Drop Attack: Select this option to detect tear
drop attacks. These are packets that are segmented into small
packets with negative length. Some Systems treat the negative
value as a very large number, and copy enormous data into the
System to cause System damage, such as a shut down or a
restart.
• Detect IP Spoofing Attack: Select this option to detect spoof
attacks. Hackers disguise themselves as trusted users of the
network in Spoof attacks. They use a fake identity to try to pass
through the Firewall System and invade the network.
• Filter IP Source Route Option: Each IP packet can carry an
optional field that specifies the replying address that can be
different from the source address specified in the packet's header.
Hackers can use this address field on disguised packets to
invade internal networks and send internal networks' data back to
them.
• Detect Port Scan Attack: Select this option to detect the port
scans hackers use to continuously scan networks on the Internet
to detect computers and vulnerable ports that are opened by
those computers.
• Detect Land Attack: Some Systems may shut down when
receiving packets with the same source and destination
addresses, the same source port and destination port, and when
SYN on the TCP header is marked. Enable this function to detect
such abnormal packets.
• Default Packet Deny: Denies all packets from passing the
Firewall. A packet can pass only when there is a policy that
allows it to pass.
After enabling the needed detect functions, click OK to activate
the changes.

Route Table
In this section, the Administrator can add static routes for the networks.
Entering the Route Table screen:
Click Configuration on the left side menu bar, then click Route Table
below it. The Route Table window appears, in which current route settings
are shown.
Route Table functions:
• Interface: Destination network, internal or external networks.
• Destination IP: IP address of destination network.
• NetMask: Netmask of destination network.
• Gateway: Gateway IP address for connecting to destination network.
• Configure: Change settings in the route table.
Adding a new Static Route:
Step 1. In the Route Table window, click the New Entry button.
Step 2. In the Add New Static Route window, enter new static route
information.
Step 3. In the Interface field’s pull-down menu, choose the network to
connect (Internal, External or DMZ).
Step 4. Click OK to add the new static route or click Cancel to cancel.
Modifying a Static Route:
Step 1. In the Route Table menu, find the route to edit and click the
corresponding Modify option in the Configure field.
Step 2. In the Modify Static Route window, modify the necessary routing
addresses.
Step 3. Click OK to apply changes or click Cancel to cancel it.
Removing a Static Route:
Step 1. In the Route Table window, find the route to remove and click the
corresponding Remove option in the Configure field.
Step 2. In the Remove confirmation pop-up box, click OK to confirm
removing or click Cancel to cancel it.
DHCP
In this section, the Administrator can configure DHCP (Dynamic Host
Configuration Protocol) settings for the Internal (LAN) network.
Entering the DHCP window:
Click Configuration on the left hand side menu bar, then click DHCP
below it. The DHCP window appears in which current DHCP settings are
shown on the screen.
Dynamic IP Address functions:
• Subnet: Internal network’s subnet
• NetMask: Internal network’s netmask
• Gateway: Internal network’s gateway IP address
• Broadcast: Internal network’s broadcast IP address
Enabling DHCP Support:
Step 1. In the Dynamic IP Address window, click Enable DHCP
Support.
Step 2. Domain Name: The Administrator may enter the name of the
Internal network domain if preferred.
Step 3. Domain Name Server: Enter the IP address of the DNS
Server to be assigned to the Internal network.
Step 4. Client IP Address Range 1: Enter the starting and the ending IP
address dynamically assigned to DHCP clients.
Step 5. Client IP Address Range 2: Enter the starting and the ending IP
address dynamically assigned to DHCP clients. (Optional)
Step 6. Click OK to enable DHCP support.
DNS-Proxy
The VPN FIREWALL’s Administrator may use the DNS Proxy function to
make the VPN FIREWALL act as a DNS Server for the Internal and DMZ
network. All DNS requests to a specific Domain Name will be routed to the
firewall’s IP address. For example, let’s say an organization has their mail
server (i.e., mail.dfl300.com) in the DMZ network (i.e. 192.168.10.10). The
outside Internet world may access the mail server of the organization easily
by its domain name, providing that the Administrator has set up Virtual
Server or Mapped IP settings correctly. However, for the users in the Internal
network, their external DNS server will assign them a public IP address for
the mail server. So for the Internal network to access the mail server
(mail.dfl300.com), they would have to go out to the Internet, then come back
through the Firewall to access the mail server. Essentially, the internal
network is accessing the mail server by a real public IP address, while the
mail server serves their request by a NAT address and not a real one.
This odd situation occurs when there are servers in the DMZ network and
they are bound to real IP addresses. To avoid this, set up DNS Proxy so all
the Internal network computers will use the VPN FIREWALL as a DNS
server, which acts as the DNS Proxy.
If you want to use the DNS Proxy function of the VPN FIREWALL, the
end user’s main DNS server IP address should be the same IP
Address as the VPN FIREWALL.
Entering the DNS Proxy window:
Click on Configuration in the menu bar, then click on DNS Proxy below it.
The DNS Proxy window will appear.
Below is the information needed for setting up the DNS Proxy:
• Domain Name: The domain name of the server
• Virtual IP Address: The virtual IP address respective to DNS Proxy
• Configure: modify or remove each DNS Proxy policy
Adding a new DNS Proxy:
Step 1: Click on the New Entry button and the Add New DNS Proxy
window will appear.
Step 2: Fill in the appropriate settings for the domain name and virtual IP
address.
Step 3: Click OK to save the policy or Cancel to cancel.
Modifying a DNS Proxy:
Step 1: In the DNS Proxy window, find the policy to be modified and click
the corresponding Modify option in the Configure field.
Step 2: Make the necessary changes needed.
Step 3: Click OK to save changes or click on Cancel to cancel
modifications.
Removing a DNS Proxy:
Step 1: In the DNS Proxy window, find the policy to be removed and
click the corresponding Remove option in the Configure field.
Step 2: A confirmation pop-up box will appear, click OK to remove the
DNS Proxy or click Cancel.
Dynamic DNS (DDNS)
The Dynamic DNS (require Dynamic DNS Service) allows you to alias
a dynamic IP address to a static hostname, allowing your device to be
more easily accessed by specific name. When this function is enabled,
the IP address in Dynamic DNS Server will be automatically updated
with the new IP address provided by ISP.
Click Dynamic DNS in the Configuration menu to enter Dynamic
DNS window.
The fields in the Dynamic DNS window:
• ! (Update Status): 【Update succeed; Update fail; Connecting;
Unidentified error】
• Domain name: Enter the password provided by ISP.
• External IP: IP Address of the WAN port.
• Configure: Modify dynamic DNS settings. Click Modify to change
the DNS parameters; click Delete to delete the settings.
How to use dynamic DNS:
The firewall provides a list of service providers; users have to register
first to use this function. For the usage regulations, see the providers’
websites.
How to register:
First, click DDNS in the Configuration menu to enter the Dynamic DNS
window, then click the New Entry button. On the right side of the service
providers, click Sign up; the service provider’s website will appear.
Please refer to the website for the way of registration.
Dynamic DNS settings
Step 1: Click DDNS in the Configuration menu to enter the Dynamic
DNS window.
Step 2: Click the New Entry button.
Step 3: Fill in the information in the columns of the new window.
• Service providers: Select service providers.
• Sign up: Go to the service provider’s website for registration.
• External IP: IP Address of the WAN port.
• Automatically: Check to automatically fill in the external IP.
• User Name: Enter the registered user name.
• Password: Enter the password provided by ISP (Internet Service
Provider).
• Domain name: Your host domain name provided by ISP.
Step 4: Click OK to add dynamic DNS or click Cancel to discard changes.
Modify dynamic DNS
Step 1: Click Dynamic DNS in the Configuration menu to enter the
Dynamic DNS window.
Step 2: Find the item you want to change and click Modify.
Step 3: Enter the new information in the Modify Dynamic DNS window.
Step 4: Click OK to change the settings or click Cancel to discard
changes.
Remove Dynamic DNS
Step 1: Click Dynamic DNS in the Configuration menu to enter the
Dynamic DNS window.
Step 2: Find the item you want to remove and click Remove.
Step 3: A confirmation pop-up box will appear, click OK to delete the
settings or click Cancel to discard changes.
Address
The VPN FIREWALL allows the Administrator to set Interface addresses of
the Internal network, Internal network group, External network, External
network group, DMZ and DMZ group.
What is the Address Table?
An IP address in the Address Table can be an address of a computer or a
sub network. The Administrator can assign an easily recognized name to
an IP address. Based on the network it belongs to, an IP address can be an
internal IP address, external IP address or DMZ IP address. If the
Administrator needs to create a control policy for packets of different IP
addresses, he can first add a new group in the Internal Network Group or
the External Network Group and assign those IP addresses into the newly
created group. Using group addresses can greatly simplify the process of
building control policies.
With easily recognized names of IP addresses and names of address
groups shown in the address table, the Administrator can use these names
as the source address or destination address of control policies. The
address table should be built before creating control policies, so that the
Administrator can pick the names of correct IP addresses from the address
table when setting up control policies.
Internal
Entering the Internal window:
Click Internal under the Address menu to enter the Internal
window. The current setting information such as the name of the
internal network, IP and Netmask addresses will show on the
screen.
Adding a new Internal Address:
Step 1. In the Internal window, click the New Entry button.
Step 2. In the Add New Address window, enter the settings of a new
internal network address.
Step 3. Click OK to add the specified internal network or click Cancel to
cancel the changes.
Modifying an Internal Address:
Step 1. In the Internal window, locate the name of the network to be
modified. Click the Modify option in its corresponding Configure
field. The Modify Address window appears on the screen
immediately.
Step 2. In the Modify Address window, fill in the new addresses.
Step 3. Click OK to save changes or click Cancel to discard changes.
Removing an Internal Address:
Step 1. In the Internal window, locate the name of the network to be
removed. Click the Remove option in its corresponding
Configure field.
Step 2. In the Remove confirmation pop-up box, click OK to remove the
address or click Cancel to discard changes.
Internal Group
The Internal Addresses may be combined together to become a group.
Entering the Internal Group window:
Click Internal Group under the Address menu to enter the Internal Group
window. The current setting information for the Internal network group
appears on the screen.
Adding an Internal Group:
Step 1. In the Internal Group window, click the New Entry button to
enter the Add New Address Group window.
Step 2. In the Add New Address Group window:
• Available Address: list the names of all the members of the
internal network.
• Selected Address: list the names to be assigned to the new
group.
• Name: enter the name of the new group in the open field.
Step 3. Add members: Select names to be added in the Available Address
list, and click the Add>> button to add them to the Selected
Address list.
Step 4. Remove members: Select names to be removed in the Selected
Address list, and click the <<Remove button to remove these
members from the Selected Address list.
Step 5. Click OK to add the new group or click Cancel to discard
changes.
Modifying an Internal Group:
Step 1. In the Internal Group window, locate the network group desired
to be modified and click its corresponding Modify option in the
Configure field.
Step 2. A window displaying the information of the selected group
appears:
• Available Address: list names of all members of the Internal
network.
• Selected Address: list names of members which have been
assigned to this group.
Step 3. Add members: Select names in the Available Address list, and
click the Add>> button to add them to the Selected Address list.
Step 4. Remove members: Select names in the Selected Address list,
and click the <<Remove button to remove these members from
the Selected Address list.
Step 5. Click OK to save changes or click Cancel to discard changes.
Removing an Internal Group:
Step 1. In the Internal Group window, locate the group to be removed
and click its corresponding Remove option in the Configure
field.
Step 2. In the Remove confirmation pop-up box, click OK to remove the
group or click Cancel to discard changes.
External
Entering the External window:
Click External under the Address menu to enter the External window. The
current setting information, such as the name of the External network, IP
and Netmask addresses will show on the screen.
Adding a new External Address:
Step 1. In the External window, click the New Entry button.
Step 2. In the Add New Address window, enter the settings for a new
external network address.
Step 3. Click OK to add the specified external network or click Cancel to
discard changes.
Modifying an External Address:
Step 1. In the External table, locate the name of the network to be
modified and click the Modify option in its corresponding
Configure field.
Step 2. The Modify Address window will appear on the screen
immediately. In the Modify Address window, fill in new
addresses.
Step 3. Click OK to save changes or click Cancel to discard changes.
Removing an External Address:
Step 1. In the External table, locate the name of the network to be
removed and click the Remove option in its corresponding
Configure field.
Step 2. In the Remove confirmation pop-up box, click OK to remove
the address or click Cancel to discard changes.
External Group
Entering the External Group window:
Click External Group under the Address menu bar to enter the
External Group window. The current settings for the external network
group(s) will appear on the screen.
Adding an External Group:
Step 1. In the External Group window, click the New Entry button and
the Add New Address Group window will appear.
Step 2. In the Add New Address Group window the following fields will
appear:
• Available Address: list the names of all the members of the
external network.
• Selected Address: list the names to assign to the new group.
• Name: enter the name of the new group.
Step 3. Add members: Select the names to be added in the Available
Address list, and click the Add>> button to add them to the
Selected Address list.
Step 4. Remove members: Select the names to be removed in the
Selected Address list, and click the <<Remove button to
remove them from the Selected Address list.
Step 5. Click OK to add the new group or click Cancel to discard
changes.
Editing an External Group:
Step 1. In the External Group window, locate the network group to be
modified and click its corresponding Modify button in the
Configure field.
Step 2. A window displaying the information of the selected group
appears:
• Available Address: list the names of all the members of the
external network.
• Selected Address: list the names of the members that have
been assigned to this group.
Step 3. Add members: Select the names to be added in the Available
Address list, and click the Add>> button to add them to the
Selected Address list.
Step 4. Remove members: Select the names to be removed in the
Selected Address list, and click the <<Remove button to
remove them from the Selected Address list.
Step 5. Click OK to save changes or click Cancel to discard changes.
Removing an External Group:
Step 1. In the External Group window, locate the group to be removed
and click its corresponding Remove option in the Configure field.
Step 2. In the Remove confirmation pop-up box, click OK to remove
the group or click Cancel to discard changes.
DMZ
Entering the DMZ window:
Click DMZ under the Address menu to enter the DMZ window. The current
setting information such as the name of the internal network, IP, and
Netmask addresses will show on the screen.
Adding a new DMZ Address:
Step 1. In the DMZ window, click the New Entry button.
Step 2. In the Add New Address window, enter the settings for a new
DMZ address.
Step 3. Click OK to add the specified DMZ or click Cancel to discard
changes.
Modifying a DMZ Address:
Step 1. In the DMZ window, locate the name of the network to be
modified and click the Modify option in its corresponding
Configure field.
Step 2. In the Modify Address window, fill in new addresses.
Step 3. Click OK to save the changes or click Cancel to discard
changes.
Removing a DMZ Address:
Step 1. In the DMZ window, locate the name of the network to be
removed and click the Remove option in its corresponding
Configure field.
Step 2. In the Remove confirmation pop-up box, click OK to remove the
address or click Cancel to discard changes.
DMZ Group
Entering the DMZ Group window:
Click DMZ Group under the Address menu to enter the DMZ window. The
current settings information for the DMZ group appears on the screen.
Adding a DMZ Group:
Step 1. In the DMZ Group window, click the New Entry button.
Step 2. In the Add New Address Group window:
• Available Address: list names of all members of the DMZ.
• Selected Address: list names to assign to a new group.
Step 3. Name: enter a name for the new group.
Step 4. Add members: Select the names to be added from the
Available Address list, and click the Add>> button to add them
to the Selected Address list.
Step 5. Remove members: Select names to be removed from the
Selected Address list, and click the <<Remove button to
remove them from the Selected Address list.
Step 6. Click OK to add the new group or click Cancel to discard
changes.
Modifying a DMZ Group:
Step 1. In the DMZ Group window, locate the DMZ group to be modified
and click its corresponding Modify button in the Configure field.
Step 2. A window displaying information about the selected group
appears:
• Available Address: list the names of all the members of the
DMZ.
• Selected Address: list the names of the members that have
been assigned to this group.
Step 3. Add members: Select names to be added from the Available
Address list, and click the Add>> button to add them to the
Selected Address list.
Step 4. Remove members: Select names to be removed from the
Selected Address list, and click the <<Remove button to
remove them from the Selected Address list.
Step 5. Click OK to save changes or click Cancel to cancel editing.
Removing a DMZ Group:
Step 1. In the DMZ Group window, locate the group to be removed and
click its corresponding Remove option in the Configure field.
Step 2. In the Remove confirmation pop-up box, click OK to remove
the group.
Service
In this section, network services are defined and new network services can
be added. There are three sub menus under Service which are:
Pre-defined, Custom, and Group. The Administrator can simply follow the
instructions below to define the protocols and port numbers for network
communication applications. Users then can connect to servers and other
computers through these available network services.
What is Service?
TCP and UDP protocols support varieties of services, and each service
consists of a TCP Port or UDP port number, such as TELNET(23),
SMTP(21), POP3(110), etc. The VPN FIREWALL defines two services:
pre-defined service and custom service. The common-use services like
TCP and UDP are defined in the pre-defined service and cannot be
modified or removed. In the custom menu, users can define other TCP port
and UDP port numbers that are not in the pre-defined menu according to
their needs. When defining custom services, the client port ranges from
1024 to 65535 and the server port ranges from 0 to 65535.
How do I use Service?
The Administrator can add new service group names in the Group option
under Service menu, and assign desired services into that new group.
Using service group the Administrator can simplify the processes of setting
up control policies. For example, there are 10 different computers that
want to access 5 different services on a server, such as HTTP, FTP, SMTP,
POP3, and TELNET. Without the help of service groups, the Administrator
needs to set up 50 (10x5) control policies, but by applying all 5 services to
a single group name in the service field, it takes only one control policy to
achieve the same effect as the 50 control policies.
Pre-defined
Entering a Pre-defined window:
Click Service on the menu bar on the left side of the window. Click
Pre-defined under it. A window will appear with a list of services and their
associated port numbers. This list cannot be modified.
Custom
Entering the Custom window:
Click Service on the menu bar on the left side of the window. Click
Custom under it. A window will appear with a table showing all services
currently defined by the Administrator.
Adding a new Service:
Step 1. In the Custom window, click the New Entry button and a new
service table appears.
Step 2. In the new service table:
• Service Name: This will be the name referencing the new
service.
• Protocol: Enter the network protocol type to be used, such as
TCP, UDP, or Other (please enter the number for the protocol
type).
• Client Port: enter the range of port number of new clients.
• Server Port: enter the range of port number of new servers.
The client port ranges from 1024 to 65535 and the server port ranges from
0 to 65535.
Step 3. Click OK to add new services, or click Cancel to cancel.
Modifying Custom Services:
Step 1. In the Custom table, locate the name of the service to be
modified. Click its corresponding Modify option in the Configure
field.
Step 2. A table showing the current settings of the selected service
appears on the screen.
Step 3. Enter the new values.
Step 4. Click OK to accept editing; or click Cancel.
Removing Custom Services:
Step 1. In the Custom window, locate the service to be removed. Click
its corresponding Remove option in the Configure field.
Step 2. In the Remove confirmation pop-up box, click OK to remove the
selected service or click Cancel to cancel action.
Group
Accessing the Group window:
Click Service in the menu bar on the left hand side of the window. Click
Group under it. A window will appear with a table displaying current service
group settings set by the Administrator.
Adding Service Groups:
Step 1. In the Group window, click the New Entry button. In the Add
Service Group window, the following fields will appear:
• Available Services: list all the available services.
• Selected Services: list services to be assigned to the new group.
Step 2. Enter the new group name in the group Name field. This will be
the name referencing the created group.
Step 3. To add new services: Select the services desired to be added
in the Available Services list and then click the Add>> button to
add them to the group.
Step 4. To remove services: Select services desired to be removed in
the Selected Services list, and then click the <<Remove button to
remove them from the group.
Step 5. Click OK to add the new group.
Modifying Service Groups:
Step 1. In the Group window, locate the service group to be edited.
Click its corresponding Modify option in the Configure field.
Step 2. In the Modify window the following fields are displayed:
• Available Services: lists all the available services.
• Selected Services: list services that have been assigned to the
selected group.
Step 3. Add new services: Select services in the Available Services
list, and then click the Add>> button to add them to the group.
Step 4. Remove services: Select services to be removed in the
Selected Services list, and then click the <<Remove button to
remove these services from the group.
Step 5. Click OK to save editing changes.
Removing Service Groups:
Step 1. In the Group window, locate the service group to be removed
and click its corresponding Remove option in the Configure
field.
Step 2. In the Remove confirmation pop-up box, click OK to remove the
selected service group or click Cancel to cancel removing.
Schedule
The VPN FIREWALL allows the Administrator to configure a schedule for
policies to take effect. By creating a schedule, the Administrator is allowing
the Firewall policies to be used at those designated times only. Any
activities outside of the scheduled time slot will not follow the Firewall
policies and therefore will likely not be permitted to pass through the Firewall.
The Administrator can configure the start time and stop time, as well as
creating 2 different time periods in a day. For example, an organization
may only want the Firewall to allow the internal network users to access the
Internet during work hours. Therefore, the Administrator may create a
schedule to allow the Firewall to work Monday-Friday, 8AM-5PM only.
During the non-work hours, the Firewall will not allow Internet access.
Adding a new Schedule:
Step 1: Click on the New Entry button and the Add New Schedule
window will appear.
Step 2: Schedule Name: Fill in a name for the new schedule.
Period: Configure the start and stop time for the days of the
week that the schedule will be active.
Step 3: Click OK to save the new schedule or click Cancel to cancel
adding the new schedule.
Modifying a Schedule:
Step 1: In the Schedule window, find the policy to be modified and click
the corresponding Modify option in the Configure field.
Step 2: Make needed changes.
Step 3: Click OK to save changes.
Removing a Schedule:
Step 1: In the Schedule window, find the policy to be removed and click
the corresponding Remove option in the Configure field.
Step 2: A confirmation pop-up box will appear, click on OK to remove the
schedule.
Policy
This section provides the Administrator with facilities to set control policies
for packets with different source IP addresses, source ports, destination IP
addresses, and destination ports. Control policies decide whether packets
from different network objects, network services, and applications are able
to pass through the Firewall.
What is Policy?
The VPN FIREWALL uses policies to filter packets. The policy settings are:
source address, destination address, services, permission, packet log,
packet statistics, and flow alarm. Based on its source addresses, a packet
can be categorized into:
(1) Outgoing: a client is in the internal networks while a server is in the
external networks.
(2) Incoming: a client is in the external networks, while a server is in the
internal networks.
(3) To DMZ: a client is either in the internal networks or in the external
networks, while the server is in DMZ.
(4) From DMZ: a client is in DMZ while the server is either in the internal
networks or in the external networks.
How do I use Policy?
The policy settings are source addresses, destination addresses, services,
permission, log, statistics, and flow alarm. Among them, source addresses,
destination addresses and IP mapping addresses have to be defined in the
Address menu in advance. Services can be used directly in setting up
policies, if they are in the Pre-defined Service menu. Custom services need
to be defined in the Custom menu before they can be used in the policy
settings.
If the destination address of an incoming policy is a Mapped IP address or
a Virtual Server address, then the address has to be defined in the Virtual
Server section instead of the Address section.
Step 1. In Address, set names and addresses of source networks and
destination networks.
Step 2. In Service, set services.
Step 3. In Virtual Server, set names and addresses.
Outgoing
This section describes steps to create policies for packets and services
from the Internal (LAN) network to the External (WAN) network.
Entering the Outgoing window:
Click Policy on the left hand side menu bar, then click Outgoing under it. A
window will appear with a table displaying currently defined Outgoing
policies.
The fields in the Outgoing window are:
• Source: source network addresses that are specified in the
Internal section of the Address menu, or all the Internal (LAN)
network addresses.
• Destination: destination network addresses that are specified
in the External section of the Address menu, or all the External
(WAN) network addresses.
• Service: specify services provided by external network servers.
• Action: control actions to permit or reject/deny packets from
internal networks to external networks travelling through the
Firewall.
• Option: specify the monitoring functions on packets from
internal networks to external networks travelling through the
Firewall.
• Configure: modify settings.
• Move: this sets the priority of the policies, number 1 being the
highest priority.
Adding a new Outgoing Policy:
Step 1: Click on the New Entry button and the Add New Policy window
will appear.
Step 2: Source Address: Select the name of the Internal (LAN) network
from the drop down list. The drop down list contains the names of
all internal networks defined in the Internal section of the
Address menu. To create a new source address, please go to the
Internal section under the Address menu.
Destination Address: Select the name of the External (WAN)
network from the drop down list. The drop down list contains the
names of all external networks defined in the External section of
the Address window. To create a new destination address,
please go to the External section under the Address menu.
Service: Specified services provided by external network servers.
These are services/applications that are allowed to pass from the
Internal network to the External network. Choose ANY for all
services.
Action: Select Permit or Deny from the drop down list to allow or
reject the packets travelling between the source network and the
destination network.
Logging: Select Enable to enable flow monitoring.
Statistics: Select Enable to enable flow statistics.
Alarm Threshold: set a maximum flow rate (in Kbytes/Sec). An
alarm will be sent if flow rates are higher than the specified value.
Step 3: Click OK to add a new outgoing policy; or click Cancel to cancel
adding a new outgoing policy.
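The following is an added example, not the manual's or Micronet's code, modelling the policy evaluation this section and the earlier Address, Service and Schedule sections describe: named addresses and address groups, services and service groups, a work-hours schedule, the ordered policy list with Move priority (number 1 highest), Permit/Deny, and Default Packet Deny when nothing matches. All object names, addresses, ports, timestamps and policies in it are constructed for illustration.

```python
"""Added example, not code from the Micronet manual: a small model of how
the SP881 Policy section describes packet evaluation. Address and service
objects, their groups, a schedule and the ordered policy list are tied
together; a packet is matched against policies in priority order and falls
to Default Packet Deny when no policy matches. All data is constructed.
"""
from dataclasses import dataclass
from datetime import datetime
from ipaddress import ip_address, ip_network
from typing import Optional

# Address table: a name stands for a host or a subnet; groups list member names.
ADDRESSES = {
    "Inside_LAN": ip_network("192.168.1.0/24"),
    "Accounting_PC": ip_network("192.168.1.50/32"),
    "Mail_DMZ": ip_network("192.168.10.10/32"),
    "Any_External": ip_network("0.0.0.0/0"),
}
ADDRESS_GROUPS = {"Office_PCs": ["Inside_LAN", "Accounting_PC"]}

# Service table: (protocol, server port range) as entered in the Custom window;
# None as protocol stands for the manual's ANY. Groups list member services.
SERVICES = {
    "HTTP": ("tcp", 80, 80), "SMTP": ("tcp", 25, 25), "POP3": ("tcp", 110, 110),
    "TELNET": ("tcp", 23, 23), "DNS": ("udp", 53, 53), "ANY": (None, 0, 65535),
}
SERVICE_GROUPS = {"Mail_Services": ["SMTP", "POP3"]}

# Schedule: active weekdays (Mon=0) and a start/stop time of day.
SCHEDULES = {"Work_Hours": ({0, 1, 2, 3, 4}, (8, 0), (17, 0))}


@dataclass
class Policy:
    source: str
    destination: str
    service: str
    action: str                      # "Permit" or "Deny"
    schedule: Optional[str] = None   # None = always active
    logging: bool = False


def resolve_addresses(name):
    """Expand an address name or address group name into its networks."""
    return [ADDRESSES[m] for m in ADDRESS_GROUPS.get(name, [name])]


def resolve_services(name):
    """Expand a service name or service group name into its port entries."""
    return [SERVICES[m] for m in SERVICE_GROUPS.get(name, [name])]


def service_matches(svc, proto, dport):
    sproto, lo, hi = svc
    return (sproto is None or sproto == proto) and lo <= dport <= hi


def schedule_active(name, when):
    if name is None:
        return True
    days, start, stop = SCHEDULES[name]
    return when.weekday() in days and start <= (when.hour, when.minute) < stop


def move_policy(policies, from_no, to_no):
    """Reorder like the Move field: numbers are 1-based, 1 = highest priority."""
    pols = list(policies)
    pols.insert(to_no - 1, pols.pop(from_no - 1))
    return pols


def evaluate(policies, src, dst, proto, dport, when):
    """First matching policy wins; return (action, policy number). With no
    match the packet falls to Default Packet Deny and the number is None."""
    s, d = ip_address(src), ip_address(dst)
    for number, pol in enumerate(policies, start=1):
        if not any(s in net for net in resolve_addresses(pol.source)):
            continue
        if not any(d in net for net in resolve_addresses(pol.destination)):
            continue
        if not any(service_matches(x, proto, dport) for x in resolve_services(pol.service)):
            continue
        if not schedule_active(pol.schedule, when):
            continue
        return pol.action, number
    return "Deny", None


# Constructed Outgoing policy list, in priority order.
OUTGOING = [
    Policy("Accounting_PC", "Any_External", "TELNET", "Deny", logging=True),
    Policy("Office_PCs", "Any_External", "HTTP", "Permit", schedule="Work_Hours"),
    Policy("Office_PCs", "Mail_DMZ", "Mail_Services", "Permit"),
]


def example_times():
    """Constructed timestamps: a Tuesday inside and outside work hours, a Saturday."""
    return {"tue_10am": datetime(2024, 1, 9, 10, 0),
            "tue_6pm": datetime(2024, 1, 9, 18, 0),
            "sat_10am": datetime(2024, 1, 13, 10, 0)}


if __name__ == "__main__":
    t = example_times()
    print(evaluate(OUTGOING, "192.168.1.20", "203.0.113.80", "tcp", 80, t["tue_10am"]))
```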
Modifying an Outgoing policy:
Step 1: In the Outgoing policy section, locate the name of the policy
desired to be modified and click its corresponding Modify option
under the Configure field.
Step 2: In the Modify Policy window, fill in new settings.
Note:
To change or add selections in the drop-down list for source or
destination address, go to the section where the selections are
set up. (Source Address→ Internal of Address menu; Destination
Address → External of Address menu; Service→[Pre-defined],
[Custom] or Group under Service).
Step 3: Click OK to confirm the modification or click Cancel to cancel it.
Removing the Outgoing Policy:
Step 1. In the Outgoing policy section, locate the name of the policy
desired to be removed and click its corresponding Remove
option in the Configure field.
Step 2. In the Remove confirmation dialogue box, click OK to remove
the policy or click Cancel to cancel removing.
Incoming
This chapter describes steps to create policies for packets and services
from the External (WAN) network to the Internal (LAN) network including
Mapped IP and Virtual Server.
Enter Incoming window:
Step 1: Click Incoming under the Policy menu to enter the Incoming
window. The Incoming table will display currently defined policies
from the External (WAN) network to assigned Mapped IP or
Virtual Server.
Step 2: The fields of the Incoming window are:
• Source: source networks which are specified in the External
section of the Address menu, or all the external network
addresses.
• Destination: destination networks, which are IP Mapping
addresses or Virtual server network addresses created in Virtual
Server menu.
• Service: services supported by Virtual Servers (or Mapped IP).
• Action: control actions to permit or deny packets from external
networks to Virtual Server/Mapped IP travelling through the VPN
FIREWALL.
•
Option: specify the monitoring functions on packets from
Statistics: select Enable to enable flow statistics.
external networks to Virtual Server/Mapped IP travelling
Alarm Threshold: set a maximum flow rate (in Kbytes/Sec). An
through the Firewall.
alarm will be sent if flow rates are higher than the specified value.
•
Configure: modify settings or remove incoming policy.
•
Move: this sets the priority of the policies, number 1 being the
Step 3: Click OK to add new policy or click Cancel to cancel adding new
incoming policy.
highest priority.
Modifying Incoming Policy:
Adding an Incoming Policy:
Step 1: Under Incoming of the Policy menu, click the New Entry button.
Step 1: In the Incoming window, locate the name of policy desired to be
modified and click its corresponding Modify option in the
Configure field.
Step 2: Source Address: Select names of the external networks from
the drop down list. The drop down list contains the names of all
external networks defined in the External section of the Address
Step 2: In the Modify Policy window, fill in new settings.
Step 3: Click OK to save modifications or click Cancel to cancel
menu. To create a new source address, please go to the Internal
modifications.
section under the Address menu.
Destination Address: Select names of the internal networks
from the drop down list. The drop down list contains the names of
IP mapping addresses specified in the Mapped IP or the Virtual
Server sections of Virtual Server menu. To create a new
Removing an Incoming Policy:
Step 1: In the Incoming window, locate the name of policy desired to be
removed and click its corresponding [Remove] in the Configure
field.
destination address, please go to the Virtual Server menu.
Service: Specified services provided by internal network servers .
These are services/application that are allowed to pass from the
Step 2:
In the Remove confirmation window, click Ok to remove the
policy or click Cancel to cancel removing.
External network to the Internal network. Choose ANY for all
services.
External To DMZ & Internal to DMZ
Action: Select Permit or Deny from the drop down list to allow or
reject the packets travelling between the specified external
This section describes steps to create policies for packets and services
network and Virtual Server/Mapped IP.
from the Externa l (WAN) networks to the DMZ networks. Please follow
Logging: select Enable to enable flow monitoring.
the same procedures for Internal (LAN) networks to DMZ networks.
69
70
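The policy tables in this chapter (Outgoing, Incoming, External To DMZ, DMZ To External) all carry the same fields: Source, Destination, Service, Action, the Logging/Statistics/Alarm Threshold options and a Move position. The following Python model is an added example and is not code from this manual or from the device; it assumes that a table is evaluated top-down in Move order, that the first matching policy decides, that ANY matches every service and that a packet matching no policy is dropped. The address objects, policy names and packets are constructed sample values.

```python
"""Model of an ordered firewall policy table (added example, not vendor code).

Assumptions not stated by the manual: the table is evaluated top-down in
priority order (Move position 1 first) and the first matching policy decides;
ANY matches every service; a packet matching no policy is denied.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional


@dataclass
class Policy:
    name: str
    source: str          # address object: a network in CIDR form or "ANY"
    destination: str     # address object: a host/network in CIDR form or "ANY"
    service: set         # set of (proto, port) tuples, or {"ANY"}
    action: str          # "Permit" or "Deny"
    logging: bool = False
    statistics: bool = False
    alarm_threshold_kbps: Optional[int] = None   # Kbytes/Sec, None = disabled


@dataclass
class Packet:
    src: str
    dst: str
    proto: str
    port: int


def _addr_matches(obj, ip):
    return obj == "ANY" or ip_address(ip) in ip_network(obj, strict=False)


def _service_matches(policy, pkt):
    return "ANY" in policy.service or (pkt.proto, pkt.port) in policy.service


def evaluate(policies, pkt):
    """Return (action, matched_policy_or_None). Policies are given in Move order."""
    for pol in policies:
        if (_addr_matches(pol.source, pkt.src)
                and _addr_matches(pol.destination, pkt.dst)
                and _service_matches(pol, pkt)):
            return pol.action, pol
    return "Deny", None   # assumption: implicit deny when nothing matches


def reorder(policies, name, new_position):
    """Mimic the Move field: put policy `name` at 1-based position `new_position`."""
    moved = next(p for p in policies if p.name == name)
    rest = [p for p in policies if p.name != name]
    rest.insert(new_position - 1, moved)
    return rest


# Constructed sample table: a DMZ web server reachable from anywhere,
# with one external network denied first because it sits at priority 1.
SAMPLE_POLICIES = [
    Policy("block_bad_net", "203.0.113.0/24", "ANY", {"ANY"}, "Deny", logging=True),
    Policy("web_to_dmz", "ANY", "192.168.100.10/32", {("tcp", 80), ("tcp", 443)},
           "Permit", logging=True, statistics=True, alarm_threshold_kbps=500),
]


def demo():
    """Evaluate three constructed packets against the sample table."""
    p1 = Packet("203.0.113.5", "192.168.100.10", "tcp", 80)    # denied at priority 1
    p2 = Packet("198.51.100.7", "192.168.100.10", "tcp", 443)  # permitted by web rule
    p3 = Packet("198.51.100.7", "192.168.100.10", "tcp", 22)   # no rule: implicit deny
    return [evaluate(SAMPLE_POLICIES, p)[0] for p in (p1, p2, p3)]


if __name__ == "__main__":
    print(demo())   # ['Deny', 'Permit', 'Deny']
    # Moving the Permit rule to position 1 lets the blocked network reach the server.
    swapped = reorder(SAMPLE_POLICIES, "web_to_dmz", 1)
    print(evaluate(swapped, Packet("203.0.113.5", "192.168.100.10", "tcp", 80))[0])  # Permit
```

Running the file shows the three sample packets being decided by the first matching rule, and then how moving the Permit rule above the Deny rule changes the result for the blocked network. The Move position therefore deserves the same review as the rule contents whenever a policy is added or rearranged.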
Enter [External To DMZ] (or [Internal To DMZ]) window:
Click External To DMZ under the Policy menu to enter the External To DMZ window. The External To DMZ table will show up displaying currently defined policies.

The fields in the External To DMZ window:
• Source: source networks, which are addresses specified in the External section of the Address menu, or all the external network addresses.
• Destination: destination networks, which are addresses specified in the DMZ section of the Address menu and Mapped IP addresses of the Virtual Server menu.
• Service: services supported by servers in the DMZ network.
• Action: control actions, to permit or deny packets from external networks to DMZ travelling through the VPN FIREWALL.
• Option: specify the monitoring functions of packets from the external network to the DMZ network travelling through the Firewall.
• Configure: modify settings or remove policies.

Adding a new External To DMZ Policy:
Step 1: Click the New Entry button and the Add New Policy window will appear.
Step 2: Source Address: Select names of the external networks from the drop down list. The drop down list contains the names of all external networks defined in the External section of the Address menu. To create a new source address, please go to the Internal section under the Address menu.
Destination Address: Select the name of the DMZ network from the drop down list. The drop down list contains the names of the DMZ network created in the Address menu. It will also contain Mapped IP addresses from the Virtual Server menu that were created for the DMZ network. To create a new destination address, please go to the Virtual Server menu. (Please refer to the sections entitled Address and Virtual Server for details.)
Service: Select a service from the drop down list. The drop down list will contain services defined in the Custom or Group section under the Service menu. These are services/applications that are allowed to pass from the External network to the DMZ network. Choose ANY for all services. To add or modify these services, please go to the Service menu. (Please refer to the section entitled Services for details.)
Action: Select Permit or Deny from the drop down list to allow or reject the packets travelling from the specified external network to the DMZ network.
Logging: select Enable to enable flow monitoring.
Statistics: select Enable to enable flow statistics.
Alarm Threshold: set a maximum flow rate (in Kbytes/Sec). An alarm will be sent if a flow rate exceeds the specified value.
Step 3: Click OK.
Modifying an External To DMZ policy:
Step 1: In the External To DMZ window, locate the name of the policy desired to be modified and click its corresponding Modify option in the Configure field.
Step 2: In the Modify Policy window, fill in new settings.
Step 3: Click OK to save modifications.

Removing an External To DMZ Policy:
Step 1: In the External To DMZ window, locate the name of the policy desired to be removed and click its corresponding Remove option in the Configure field.
Step 2: In the Remove confirmation pop-up box, click OK to remove the policy.

DMZ To External & DMZ To Internal
This section describes steps to create policies for packets and services from DMZ networks to External (WAN) networks. Please follow the same procedures for DMZ networks to Internal (LAN) networks.

Entering the DMZ To External window:
Click DMZ To External under the Policy menu and the DMZ To External table appears displaying currently defined DMZ To External policies.

The fields in the DMZ To External window are:
• Source: source network addresses which are specified in the DMZ section of the Address window.
• Destination: destination networks, which is the external network address.
• Service: services supported by Servers of external networks.
• Action: control actions, to permit or deny packets from the DMZ network to external networks travelling through the VPN FIREWALL.
• Option: specify the monitoring functions on packets from the DMZ network to external networks travelling through the Firewall.
• Configure: modify settings or remove policies.
• Move: this sets the priority of the policies, number 1 being the highest priority.

Adding a DMZ To External Policy:
Step 1: Click the New Entry button and the Add New Policy window will appear.
Step 2: Source Address: Select the name of the DMZ network from the drop down list. The drop down list will contain names of DMZ networks defined in the DMZ section of the Address menu. To add a new source address, please go to the DMZ section under the Address menu.
Destination Address: Select the name of the external network from the drop down list. The drop down list lists names of addresses defined in the External section of the Address menu. To add a new destination address, please go to the External section of the Address menu.
Service: Select a service from the drop down list. The drop down list will contain services defined in the Custom or Group section under the Service menu. These are services/applications that are allowed to pass from the DMZ network to the External network. Choose ANY for all services. To add or modify these services, please go to the Service menu.
Action: Select Permit or Deny from the drop down list to allow or reject the packets travelling from the specified DMZ network to the external network.
Logging: select Enable to enable flow monitoring.
Statistics: click Enable to enable flow statistics.
Alarm Threshold: set a maximum flow rate (in Kbytes/Sec). An alarm will be sent if the flow rate exceeds the specified value.
Step 3: Click OK to add the new policy or click Cancel to cancel adding.

Modifying a DMZ To External policy:
Step 1: In the DMZ To External window, locate the name of the policy desired to be modified and click its corresponding Modify option in the Configure field.
Step 2: In the Modify Policy window, fill in new settings.
Note: To change or add selections in the drop-down list, go to the section where the selections are set up. (Source Address → DMZ of Address; Destination Address → External; Service → Pre-defined Service, Custom or Group under Service.)
Step 3: Click OK to save modifications or click Cancel to cancel modifications.

Removing a DMZ To External Policy:
Step 1. In the DMZ To External window, locate the name of the policy desired to be removed and click its corresponding Remove option in the Configure field.
Step 2. In the Remove confirmation dialogue box, click OK.

Enabled Monitoring function:
Log: If Logging is enabled in the Outgoing/Incoming policy, the VPN FIREWALL will log the traffic and events passing through the Firewall. The Administrator can click Log on the left menu bar to get the flow and event logs of the specified policy.
Note: The System Administrator can back up and clear logs in this window. Check the chapter entitled “Log” to get details about the log and ways to back up and clear logs.
Alarm: If Logging is enabled in the Outgoing/Incoming policy, the VPN FIREWALL will log the Traffic alarms and Event alarms passing through the Firewall. The Administrator can click Alarm on the left menu to get the logs of flow and event alarms of the specified policy.
Note: The Administrator can also get information on alarm logs from the Alarm window. Please refer to the section entitled “Alarm” for more information.
Statistics: If Statistics is enabled in the Outgoing/Incoming policy, the VPN FIREWALL will display the flow statistics passing through the Firewall.
Note: The Administrator can also get flow statistics in Statistics. Please refer to Statistics in Chapter 11 for more details.

VPN
The VPN FIREWALL’s VPN (Virtual Private Network) is set by the System Administrator. The System Administrator can add, modify or remove VPN settings.

What is VPN?
To set up a Virtual Private Network (VPN), you don’t need to configure an Access Policy to enable encryption. Just fill in the following settings: VPN Name, Source Subnet, Destination Gateway, Destination Subnet, Authentication Method, Preshare key, Encapsulation and IPSec lifetime. The firewalls on both ends must use the same Preshare key and IPSec lifetime to make a VPN connection.

IPSec Autokey
This chapter describes steps to create a VPN connection using Autokey IKE. Autokey IKE (Internet Key Exchange) provides a standard method to negotiate keys between two security gateways. For example, with two firewall devices, IKE allows new keys to be generated after a set amount of time has passed or a certain threshold of traffic has been exchanged.

Accessing the Autokey IKE window:
Click Autokey IKE under the VPN menu to enter the Autokey IKE window. The Autokey IKE table displays currently configured VPNs.

The fields in the Autokey IKE window are:
• Name: The VPN name to identify the VPN tunnel definition. The name must be different for the two sites creating the tunnel.
• Gateway IP: The external interface IP address of the remote Firewall.
• Destination Subnet: Destination network subnet.
• PSK/RSA: The IKE VPN must be defined with a Preshared Key. The Key may be up to 128 bytes long.
• Status: Connect/Disconnect or Connecting/Disconnecting.
• Configure: Connect, Disconnect, Modify and Delete.

Adding the Autokey IKE:
Step 1. Click the New Entry button and the VPN Auto Keyed Tunnel window will appear.
Step 2: Preshare Key: The IKE VPN must be defined with a Preshared Key. The Key may be up to 128 bytes long.
ESP/AH: The IP level security headers, AH and ESP, were originally proposed by the Networking Group focused on IP security mechanisms, IPSec. The term IPSec is used loosely here to refer to packets, keys, and routes that are associated with these headers. The IP Authentication Header (AH) is used to provide authentication. The IP Encapsulating Security Header (ESP) is used to provide confidentiality to IP datagrams.
ESP-Encryption Algorithm: The VPN FIREWALL auto-selects the 56-bit DES-CBC or 168-bit Triple DES-CBC encryption algorithm. The default algorithm is 168-bit Triple DES-CBC.
ESP-Authentication Method: The VPN FIREWALL auto-selects the MD5 or SHA-1 authentication algorithm. The default algorithm is MD5.
IPSec Lifetime: New keys will be generated whenever the lifetime of the old keys is exceeded. The Administrator may enable this feature if needed and enter the lifetime in seconds to re-key. The default is 28800 seconds (eight hours). Selection of small values could lead to frequent re-keying, which could affect performance.
Modifying an Autokey IKE:
Step 1: In the Autokey IKE window, locate the name of the policy desired to be modified and click its corresponding Modify option in the Configure field.
Step 2: In the Modify Policy window, fill in new settings.
Step 3: Click OK to save modifications.

Connecting the VPN connection:
Once the policy is created with the correct settings, click on the Connect option in the Configure field. The Status field will change to indicate Connecting. If the remote Firewall is set up correctly with the VPN active, the VPN connection will be made between the two Firewalls and the Status field will change to Connect.

Removing Autokey IKE:
Step 1. Locate the name of the Autokey IKE desired to be removed and click its corresponding Delete option in the Configure field.
Step 2. In the Remove confirmation pop-up box, click OK to remove the Autokey IKE or click Cancel to cancel deleting.

Content filtering
Content Filtering includes “URL Blocking” and “General Blocking”.
1. URL Blocking: The device manager can use a complete domain name, a keyword, “~” or “*” to make rules for specific websites.
2. General Blocking: To let Popup, ActiveX, Java and Cookies in or keep them out.

URL Blocking
The Administrator may set up URL Blocking to prevent Internal network users from accessing a specific website on the Internet. Any web request coming from an Internal network computer to a blocked website will receive a blocked message instead of the website.

Entering the URL blocking window:
Click on URL Blocking under the Configuration menu bar. Click on New Entry.

Adding a URL Blocking policy:
Step 1: After clicking New Entry, the Add New Block String window will appear.
Step 2: Enter the URL of the website to be blocked.
Step 3: Click OK to add the policy. Click Cancel to discard changes.

Modifying a URL Blocking policy:
Step 1: In the URL Blocking window, find the policy to be modified and click the corresponding Modify option in the Configure field.
Step 2: Make the necessary changes.
Step 3: Click on OK to save changes or click on Cancel to cancel modifications.

Removing a URL Blocking policy:
Step 1: In the URL Blocking window, find the policy to be removed and click the corresponding Remove option in the Configure field.
Step 2: A confirmation pop-up box will appear; click on OK to remove the policy or click on Cancel to discard changes.

Blocked URL site:
When a user from the Internal network tries to access a blocked URL, the error below will appear.
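The manual names three forms of URL Blocking rule: a complete domain name, a keyword, and a “*” pattern. The Python matcher below is an added example, not code from this manual or from the device, showing how such a block list can be applied to a requested URL. Its assumptions: a domain rule also covers that domain’s subdomains, a keyword rule matches anywhere in the full URL, and “*” stands for any run of characters in the host name. The “~” form is not modelled because the manual does not define its meaning. The rule set and requests are constructed sample values.

```python
"""URL Blocking rule matcher (added example, not the device's code).

Models three rule forms named by the manual: a complete domain name, a
keyword, and a "*" wildcard pattern. Assumptions: a domain rule also covers
its subdomains, a keyword rule matches anywhere in the full URL, and "*"
matches any run of characters in the host name. The "~" form is not modelled
because the manual does not define it.
"""
import fnmatch
from urllib.parse import urlsplit


def _host_of(url):
    """Lower-cased host without port; tolerates URLs typed without a scheme."""
    if "://" not in url:
        url = "http://" + url
    host = urlsplit(url).hostname or ""
    return host.lower().rstrip(".")


def classify_rule(rule):
    """Decide which of the three rule forms a block string is."""
    rule = rule.strip().lower()
    if "*" in rule:
        return "wildcard", rule
    if "." in rule and " " not in rule and "/" not in rule:
        return "domain", rule
    return "keyword", rule


def is_blocked(url, rules):
    """Return the first rule that blocks `url`, or None when the request may pass."""
    host = _host_of(url)
    for rule in rules:
        kind, pat = classify_rule(rule)
        if kind == "domain" and (host == pat or host.endswith("." + pat)):
            return rule
        if kind == "wildcard" and fnmatch.fnmatchcase(host, pat):
            return rule
        if kind == "keyword" and pat in url.lower():
            return rule
    return None


# Constructed sample rule set and requests
SAMPLE_RULES = ["example.net", "*.ads.example", "casino"]


def demo():
    """Apply the sample rules to five constructed requests."""
    urls = [
        "http://www.example.net/index.html",    # subdomain of a domain rule
        "https://EXAMPLE.NET:8443/",             # case and port differences
        "http://tracker.ads.example/pixel.gif",  # wildcard rule
        "http://example.org/casino-review",     # keyword anywhere in the URL
        "http://example.org/news",               # allowed
    ]
    return [is_blocked(u, SAMPLE_RULES) for u in urls]


if __name__ == "__main__":
    for url, verdict in zip(demo(), demo()):
        print(url, "->", verdict)
```

Host matching is done on the normalised host name, so upper-case letters, an explicit port or a trailing dot in the request do not bypass a domain rule. Keyword rules are the broadest form: “casino” here blocks any URL containing that string in its host or path, so keywords should be reviewed for over-blocking before they are added.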
General Blocking
To let Popup, ActiveX, Java and Cookies in or keep them out.
Step 1: Click Content Filtering in the menu.
Step 2: Select the [General Blocking] detection functions:
• Popup Block: Prevent the pop-up boxes appearing.
• ActiveX Block: Prevent ActiveX packets.
• Java Block: Prevent Java packets.
• Cookie Block: Prevent Cookie packets.
Step 3: After selecting each function, click the OK button below. When the system detects the setting, the firewall will spontaneously work.

Virtual Server
The VPN FIREWALL separates an enterprise’s Intranet and Internet into internal networks and external networks respectively. Generally speaking, in order to allocate enough IP addresses for all computers, an enterprise assigns each computer a private IP address, and converts it into a real IP address through the Firewall’s NAT (Network Address Translation) function. If a server which provides service to the external networks is located in the internal networks, outside users can’t directly connect to the server by using the server’s private IP address.
The VPN FIREWALL’s Virtual Server can solve this problem. A virtual server has set the real IP address of the Firewall’s external network interface to be the Virtual Server IP. Through the virtual server feature, the Firewall translates the virtual server’s IP address into the private IP address of the physical server in the Internal (LAN) network. When outside users on the Internet request connections to the virtual server, the request will be forwarded to the private internal server.
Virtual Server owns another feature known as one-to-many mapping. This is when one virtual server IP address on the external interface can be mapped into 4 internal network server private IP addresses. This option is useful for Load Balancing, which causes the virtual server to distribute data packets to each private IP address (which are the real servers). By sending all data packets to all similar servers, this increases the servers’ efficiency, reduces risks of server crashes, and enhances servers’ stability.
How to use Virtual Server and Mapped IP
Virtual Server and Mapped IP are part of the IP mapping scheme. By applying the incoming policies, Virtual Server and IP mapping work similarly. They map real IP addresses to the physical servers’ private IP addresses (which is the opposite of NAT), but there still exist some differences:
• Virtual Server can map one real IP to several internal physical servers while Mapped IP can only map one real IP to one internal physical server (1-to-1 Mapping). The Virtual Server’s load balance feature can map a specific service request to different physical servers running the same services.
• Virtual Server can only map one real IP to one service/port of the internal physical servers while Mapped IP maps one real IP to all the services offered by the physical server.
IP mapping and Virtual Server work by binding the IP address of the external virtual server to the private internal IP address of the physical server that supports the services. Therefore users from the external network can access servers of the internal network by requesting the service from the IP address provided by Virtual Server.

Mapped IP
Internal private IP addresses are translated through NAT (Network Address Translation). If a server is located in the internal network, it has a private IP address, and outside users cannot connect directly to internal servers’ private IP address. To connect to an internal network server, outside users have to first connect to a real IP address of the external network, and the real IP is translated to a private IP of the internal network. Mapped IP and Virtual Server are the two methods to translate the real IP into a private IP. Mapped IP maps IP in one-to-one fashion; that means, all services of one real external IP address are mapped to one private internal IP address.

Entering the Mapped IP window:
Click Mapped IP under the Virtual Server menu bar and the Mapped IP configuration window will appear.

Adding a new IP Mapping:
Step 1. In the Mapped IP window, click the New Entry button and the Add New Mapped IP window will appear.
• External IP: select the external public IP address to be mapped.
• Internal IP: enter the internal private IP address or DMZ IP address which will be mapped 1-to-1 to the external IP address.
Step 2. Click OK to add the new IP Mapping or click Cancel to cancel adding.

Modifying a Mapped IP:
Step 1. In the Mapped IP table, locate the Mapped IP desired to be modified and click its corresponding Modify option in the Configure field.
Step 2. Enter settings in the Modify Mapped IP window.
Step 3. Click OK to save changes or click Cancel to cancel.
Note: A Mapped IP cannot be modified if it has been assigned/used as a destination address of any Incoming policies.

Removing a Mapped IP:
Step 1. In the Mapped IP table, locate the Mapped IP desired to be removed and click its corresponding Remove option in the Configure field.
Step 2. In the Remove confirmation pop-up window, click OK to remove the Mapped IP or click Cancel to cancel.

Virtual Server
Virtual server is a one-to-many mapping technique, which maps a real IP address from the external interface to private IP addresses of the internal network. This is done to provide services or applications defined in the Service menu to enter into the internal network. Unlike a mapped IP, which binds an external IP to an Internal/DMZ IP, a virtual server binds external IP ports to Internal IP ports.

Adding a Virtual Server:
Step 1. Click an available virtual server from Virtual Server in the Virtual Server menu bar to enter the virtual server configuration window. In the following, Virtual Server is assumed to be the chosen option.
Step 2. Click the click here to configure button and the Add new Virtual Server IP window appears and asks for an IP address from the external network.
Step 3. Select an IP address from the drop-down list of available external network IP addresses.
Note: If the drop-down list contains only (Disable), there are no available IP addresses of the external network of the System and no Virtual Server can be added.
Step 4. Click OK to add the new Virtual Server or click Cancel to cancel adding.
When Disable appears in the drop-down list, no Virtual Server can be added.

Setting the Virtual Server’s services:
Step 1. For the Virtual Server which has already been set up with an IP address, click the New Service button in the table.
Step 2. In the Virtual Server Configurations window:
• Virtual Server IP: displays the external IP address assigned to the Virtual Server.
• External Service Port: select the port number that the virtual server will use. Changing the Service will change the port number to match the service.
• Service: select the service from the pull down list that will be provided by the Virtual Server.
Note: The services in the drop-down list are all defined in the Pre-defined and Custom sections of the Service menu.
Step 3. Enter the IP address of the internal network server(s) to which the virtual server will be mapped. Up to four IP addresses can be assigned at most.
Step 4. Click OK to save the settings of the Virtual Server.

Modifying the Virtual Server configurations:
Step 1. In the Virtual Server window’s service table, locate the name of the service desired to be modified and click its corresponding Modify option in the Configure field.
Step 2. In the Virtual Server Configuration window, enter the new settings.
Step 3. Click OK to save modifications or click Cancel to cancel modification.
Note: A virtual server cannot be modified or removed if it has been assigned to the destination address of any Incoming policies.
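The Mapped IP and Virtual Server sections above describe two ways of translating a real external address into private internal addresses: Mapped IP binds one external IP to one internal IP for every service, while a Virtual Server binds one external IP and port to up to four internal servers. The Python model below is an added example, not code from this manual or from the device. Its assumptions: new connections to a Virtual Server service are spread round-robin across the listed servers (the manual does not say how the distribution is done), and a packet that matches neither kind of mapping is left untranslated. The addresses are constructed sample values.

```python
"""Mapped IP versus Virtual Server translation (added example, not device code).

Mapped IP: one external IP <-> one internal IP, every port.
Virtual Server: one external IP:port -> up to four internal servers offering
that service. Assumptions not in the manual: connections are spread
round-robin across the listed servers, and a packet that matches neither
kind of mapping is left untranslated (so it falls to the policy tables).
"""
from itertools import cycle

MAX_VIRTUAL_SERVER_TARGETS = 4   # "Up to four IP addresses can be assigned"


class MappedIP:
    """1-to-1 mapping: all services of one real IP go to one private IP."""

    def __init__(self, external_ip, internal_ip):
        self.external_ip, self.internal_ip = external_ip, internal_ip

    def translate(self, dst_ip, dst_port):
        if dst_ip == self.external_ip:
            return self.internal_ip, dst_port   # every port is exposed
        return None


class VirtualServer:
    """Port-level mapping of one external IP to several internal servers."""

    def __init__(self, external_ip):
        self.external_ip = external_ip
        self._services = {}    # external port -> cycle over internal servers

    def add_service(self, external_port, internal_servers):
        if not 1 <= len(internal_servers) <= MAX_VIRTUAL_SERVER_TARGETS:
            raise ValueError("a virtual server service takes 1 to 4 internal IPs")
        self._services[external_port] = cycle(list(internal_servers))

    def translate(self, dst_ip, dst_port):
        if dst_ip != self.external_ip or dst_port not in self._services:
            return None            # ports that were not published stay closed
        return next(self._services[dst_port]), dst_port


def translate_inbound(mappings, dst_ip, dst_port):
    """First mapping that claims the destination wins; None means no translation."""
    for m in mappings:
        hit = m.translate(dst_ip, dst_port)
        if hit:
            return hit
    return None


# Constructed sample configuration
MAPPED = MappedIP("198.51.100.10", "192.168.1.10")
VSERVER = VirtualServer("198.51.100.20")
VSERVER.add_service(80, ["192.168.1.21", "192.168.1.22"])
MAPPINGS = [MAPPED, VSERVER]


def demo():
    """Translate four constructed inbound connection requests."""
    return [
        translate_inbound(MAPPINGS, "198.51.100.10", 22),   # any port via Mapped IP
        translate_inbound(MAPPINGS, "198.51.100.20", 80),   # first web server
        translate_inbound(MAPPINGS, "198.51.100.20", 80),   # second web server
        translate_inbound(MAPPINGS, "198.51.100.20", 22),   # port not published: None
    ]


if __name__ == "__main__":
    for result in demo():
        print(result)
```

The two results for port 22 make the practical difference visible: a Mapped IP forwards that port along with every other one, so the Incoming policy attached to it is the only thing limiting which services are reachable, whereas a Virtual Server forwards nothing but the services that were explicitly added to it.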
Removing the Virtual Server service:
Step 1. In the Virtual Server window’s service table, locate the name of the service desired to be removed and click its corresponding Remove option in the Configure field.
Step 2. In the Remove confirmation pop-up box, click OK to remove the service or click Cancel to cancel removing.

Log
The VPN FIREWALL supports traffic logging and event logging to monitor and record services, connection times, and the source and destination network address. The Administrator may also download the log files for backup purposes. The Administrator mainly uses the Log menu to monitor the traffic passing through the VPN FIREWALL.

What is Log?
Log records all connections that pass through the Firewall’s control policies. The traffic log’s parameters are set up when setting up control policies. Traffic logs record the details of packets such as the start and stop time of the connection, the duration of the connection, the source address, the destination address and services requested, for each control policy. Event logs record the contents of System Configuration changes made by the Administrator, such as the time of change, the settings that changed, the IP address used to log on, etc.

How to use the Log
The Administrator can use the log data to monitor and manage the VPN FIREWALL and the networks. The Administrator can view the logged data to evaluate and troubleshoot the network, such as pinpointing the source of traffic congestion.
Traffic Log
The Administrator queries the Firewall for information, such as source address, destination address, start time, and Protocol port, of all connections.

Entering the Traffic Log window:
Click the Traffic Log option under the Log menu to enter the Traffic Log window.

The table in the Traffic Log window displays current System statuses:
• Time: The start time of the connection.
• Source: IP address of the source network of the specific connection.
• Destination: IP address of the destination network of the specific connection.
• Protocol & Port: Protocol type and Port number of the specific connection.
• Disposition: Accept or Deny.

Downloading the Traffic Logs:
The Administrator can back up the traffic logs regularly by downloading them to the computer.
Step 1. In the Traffic Log window, click the Download Logs button at the bottom of the screen.
Step 2. Follow the File Download pop-up window to save the traffic logs into a specified directory on the hard drive.

Clearing the Traffic Logs:
The Administrator may clear on-line logs to keep just the most updated logs on the screen.
Step 1. In the Traffic Log window, click the Clear Logs button at the bottom of the screen.
Step 2. In the Clear Logs pop-up box, click OK to clear the logs or click Cancel to cancel it.
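The Traffic Log table lists Time, Source, Destination, Protocol & Port and Disposition for each connection, and the manual suggests using the downloaded logs to troubleshoot the network. The Python script below is an added example, not code from this manual or from the device, showing one way to triage such a download: it counts denied connections per source and lists sources that were denied on several different ports. The manual does not specify the download file format, so the tab-separated export embedded here, with the five columns named in the table, is a constructed sample.

```python
"""Triage of a downloaded Traffic Log (added example, not device code).

The manual lists the columns of the Traffic Log (Time, Source, Destination,
Protocol & Port, Disposition) but not the download file format, so the
sample below is a constructed tab-separated export with those columns.
The functions summarise denied connections per source and flag sources
that were denied on many distinct destination ports within the file.
"""
import csv
from collections import Counter, defaultdict
from io import StringIO

# Constructed sample export; addresses are documentation ranges.
SAMPLE_EXPORT = """\
Time\tSource\tDestination\tProtocol & Port\tDisposition
2002-03-01 10:00:01\t203.0.113.7\t198.51.100.20\tTCP 80\tAccept
2002-03-01 10:00:02\t203.0.113.9\t198.51.100.20\tTCP 22\tDeny
2002-03-01 10:00:02\t203.0.113.9\t198.51.100.20\tTCP 23\tDeny
2002-03-01 10:00:03\t203.0.113.9\t198.51.100.20\tTCP 135\tDeny
2002-03-01 10:00:03\t203.0.113.9\t198.51.100.20\tTCP 445\tDeny
2002-03-01 10:00:05\t192.168.1.15\t198.51.100.99\tUDP 53\tAccept
2002-03-01 10:00:07\t203.0.113.7\t198.51.100.20\tTCP 443\tDeny
"""


def parse_export(text):
    """Yield one dict per log row; split 'Protocol & Port' into two fields."""
    reader = csv.DictReader(StringIO(text), delimiter="\t")
    for row in reader:
        proto, port = row["Protocol & Port"].split()
        yield {
            "time": row["Time"],
            "src": row["Source"],
            "dst": row["Destination"],
            "proto": proto,
            "port": int(port),
            "disposition": row["Disposition"],
        }


def denies_per_source(rows):
    """Count Deny dispositions by source address, most frequent first."""
    return Counter(r["src"] for r in rows if r["disposition"] == "Deny").most_common()


def port_sweep_sources(rows, min_distinct_ports=3):
    """Sources denied on at least `min_distinct_ports` different destination ports."""
    ports = defaultdict(set)
    for r in rows:
        if r["disposition"] == "Deny":
            ports[r["src"]].add(r["port"])
    return sorted(src for src, p in ports.items() if len(p) >= min_distinct_ports)


def demo():
    """Run both summaries over the constructed export."""
    rows = list(parse_export(SAMPLE_EXPORT))
    return denies_per_source(rows), port_sweep_sources(rows)


if __name__ == "__main__":
    denies, sweeps = demo()
    print("denied connections per source:", denies)
    print("sources denied on 3+ ports:", sweeps)
```

A single Deny from an address is routine; the same address being denied on several unrelated ports within a few seconds is the pattern worth a second look, and it is only visible once the downloaded rows are grouped by source rather than read one screen at a time.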
Event Log
When the VPN FIREWALL detects events, the Administrator can get the details, such as the time and description of the events, from the Event Logs.

Entering the Event Log window:
Click the Event Log option under the Log menu and the Event Log window will appear.

The table in the Event Log window displays the time and description of the events.
• Time: time when the event occurred.
• Event: description of the event.

Downloading the Event Logs:
Step 1. In the Event Log window, click the Download Logs button at the bottom of the screen.
Step 2. Follow the File Download pop-up window to save the event logs into a specific directory on the hard drive.

Clearing the Event Logs:
The Administrator may clear on-line event logs to keep just the most updated logs on the screen.
Step 1. In the Event Log window, click the Clear Logs button at the bottom of the screen.
Step 2. In the Clear Logs pop-up box, click OK to clear the logs or click Cancel to cancel it.
Alarm
In this chapter, the Administrator can view traffic alarms and event alarms that have occurred and that the firewall has logged. The Firewall has two alarms: Traffic Alarm and Event Alarm.

Traffic alarm:
In control policies, the Administrator sets the threshold value for the traffic alarm. The System regularly checks whether the traffic for a policy exceeds its threshold value and adds a record to the traffic alarm file if it does.

Event alarm:
When the Firewall detects attacks from hackers, it writes the attack data in the event alarm file and sends an e-mail alert to the Administrator to take emergency steps.

Traffic Alarm
The table in the Traffic Alarm window displays the current traffic alarm logs for connections.
• Time: The start and stop time of the specific connection.
• Source: Name of the source network of the specific connection.
• Destination: Name of the destination network of the specific connection.
• Service: Service of the specific connection.
• Traffic: Traffic (in Kbytes/Sec) of the specific connection.

Downloading the Traffic Alarm Logs:
The Administrator can back up traffic alarm logs regularly and download them to a file on the computer.
Step 1. In the Traffic Alarm window, click the Download Logs button on the bottom of the screen.
Step 2. Follow the File Download pop-up box to save the traffic alarm logs into a specific directory on the hard drive.

Clearing the Traffic Alarm Logs:
Step 1. In the Traffic Alarm window, click the Clear Logs button at the bottom of the screen.
Step 2. In the Clear Logs pop-up box, click OK to clear the logs or click Cancel to cancel.

Event Alarm
The table in the Event Alarm window displays current traffic alarm logs for connections.
• Time: log time.
• Event: event descriptions.

Clearing Event Alarm Logs:
The Administrator may clear on-line logs to keep the most updated logs on the screen.
Step 1. In the Event Alarm window, click the Clear Logs button at the bottom of the screen.
Step 2. In the Clear Logs pop-up box, click OK.
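The Traffic alarm description above says the System regularly checks whether a policy’s traffic exceeds its Alarm Threshold (set in Kbytes/Sec) and records the start and stop time, source, destination, service and traffic rate when it does. The Python model below is an added example, not code from this manual or from the device, showing how that check can be expressed. Its assumptions: traffic is sampled as a cumulative byte counter per policy, the rate for an interval is the bytes transferred between two samples divided by the elapsed seconds, and one Kbyte is 1024 bytes. Policy names, address names and counter values are constructed.

```python
"""Traffic alarm threshold check (added example, not device code).

The manual says the system regularly checks whether a policy's traffic
exceeds its Alarm Threshold (Kbytes/Sec) and appends a record with start/stop
time, source, destination, service and the measured rate. Assumptions made
here: traffic is sampled as cumulative byte counters per policy, the rate is
bytes transferred between two samples divided by the elapsed seconds, and a
Kbyte is 1024 bytes.
"""
from dataclasses import dataclass

KBYTE = 1024


@dataclass(frozen=True)
class Sample:
    policy: str
    time: int            # seconds since an arbitrary epoch (constructed)
    total_bytes: int     # cumulative counter for this policy


@dataclass(frozen=True)
class TrafficAlarm:
    start: int
    stop: int
    source: str
    destination: str
    service: str
    kbytes_per_sec: float


def rate_kbps(prev, cur):
    """Average rate between two samples of the same policy, in Kbytes/Sec."""
    if cur.policy != prev.policy or cur.time <= prev.time:
        raise ValueError("samples must be from one policy, in time order")
    if cur.total_bytes < prev.total_bytes:   # counter reset: treat as no data
        return 0.0
    return (cur.total_bytes - prev.total_bytes) / (cur.time - prev.time) / KBYTE


def check_alarms(policies, samples):
    """Return a TrafficAlarm for every interval whose rate exceeds its threshold.

    `policies` maps policy name -> (source, destination, service, threshold in
    Kbytes/Sec, or None when the alarm is disabled for that policy).
    """
    alarms = []
    last_seen = {}
    for s in sorted(samples, key=lambda s: (s.policy, s.time)):
        prev = last_seen.get(s.policy)
        if prev is not None:
            src, dst, svc, threshold = policies[s.policy]
            rate = rate_kbps(prev, s)
            if threshold is not None and rate > threshold:
                alarms.append(TrafficAlarm(prev.time, s.time, src, dst, svc, round(rate, 1)))
        last_seen[s.policy] = s
    return alarms


# Constructed configuration and counter samples
POLICIES = {
    "web_in": ("External_Any", "DMZ_Web", "HTTP", 500),        # alarm above 500 Kbytes/Sec
    "dns_out": ("Internal_LAN", "External_Any", "DNS", None),  # alarm disabled
}
SAMPLES = [
    Sample("web_in", 0, 0),
    Sample("web_in", 60, 12 * 1024 * 1024),     # 12 MiB in 60 s -> 204.8 Kbytes/Sec
    Sample("web_in", 120, 60 * 1024 * 1024),    # 48 MiB in 60 s -> 819.2 Kbytes/Sec
    Sample("dns_out", 0, 0),
    Sample("dns_out", 60, 900 * 1024 * 1024),   # large, but no threshold is set
]


def demo():
    """Evaluate the constructed samples against the constructed policies."""
    return check_alarms(POLICIES, SAMPLES)


if __name__ == "__main__":
    for alarm in demo():
        print(alarm)
```

Only the second web interval produces a record, since the first stays under the 500 Kbytes/Sec threshold and the DNS policy has no threshold at all. That last case is the one to keep in mind when reviewing a configuration: a policy whose Alarm Threshold is left unset never appears in the Traffic Alarm table, however much traffic it carries.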
Downloading the Event Alarm Logs:
The Administrator can back up event alarm logs regularly by downloading them to a file on the computer.
Step 1. In the Event Alarm window, click the Download Logs button at the bottom of the screen.
Step 2. Follow the File Download pop-up box to save the event alarm logs into a specific directory on the hard drive.

Statistics
In this chapter, the Administrator queries the VPN FIREWALL for statistics of packets and data which pass across the Firewall. The statistics provide the Administrator with information about network traffic and network loads.

What is Statistics
Statistics are the statistics of packets that pass through the Firewall by control policies set up by the Administrator.

How to use Statistics
The Administrator can get the current network condition from statistics, and use the information provided by statistics as a basis to manage networks.

Entering the Statistics window:
Step 1. The Statistics window displays the statistics of current network connections.
• Source: the name of the source address.
• Destination: the name of the destination address.
• Service: the service requested.
• Action: permit or deny.
• Time: viewable by minutes, hours, or days.
Status
In this section, the VPN FIREWALL displays the status information about the Firewall. Status will display the network information from the Configuration menu. The Administrator may also use Status to check the DHCP lease time and MAC addresses for computers connected to the Firewall.

Interface Status
Entering the Interface Status window:
Click on Status in the menu bar, then click Interface Status below it. A window will appear providing information from the Configuration menu. Interface Status will list the settings for the Internal Interface, External Interface, and the DMZ Interface.

ARP Table
Entering the ARP Table window:
Click on Status in the menu bar, then click ARP Table below it. A window will appear displaying a table with IP addresses and their corresponding MAC addresses. For each computer on the Internal, External, and DMZ network that replies to an ARP packet, the VPN FIREWALL will list them in this ARP table.
IP Address: The IP address of the host computer
MAC Address: The MAC address of that host computer
Interface: The port that the host computer is connected to (Internal, External, DMZ)
DHCP Clients
Entering the DHCP Clients window:
Click on Status in the menu bar, then click on DHCP Clients below it. A
window will appear displaying the table of DHCP clients that are connected
to the VPN FIREWALL. The table will list host computers on the Internal
network that obtain their IP addresses from the Firewall's DHCP server function.
IP Address: The IP address of the internal host computer
MAC Address: MAC address of the internal host computer
Leased Time: The Start and End time of the DHCP lease for the internal
host computer.
Glossary
DHCP (Dynamic Host Configuration Protocol)
When a computer with no fixed IP address starts up, it asks the DHCP
server for a temporary IP address. The DHCP server allocates to the client an IP
address which falls within the same sub-network as the server and does
not conflict with other computers on the network.
ICMP Protocol
ICMP stands for 'Internet Control Message Protocol'. It is a Network layer
protocol of the Internet protocol suite that reports errors and provides other
information relevant to IP packet processing. ICMP sends the following messages:
Flow Control, Destination Unreachable, Redirecting Routes and Echo Message. For
example, the UNIX command Ping is based on ICMP to test whether a
particular computer is connected to the Internet.
IP
IP stands for Internet Protocol. An IP address uniquely identifies a host
computer connected to the Internet among other Internet hosts, for the
purposes of communication through the transfer of packets. IP has the
following features:
defining the data packet structure; the packet is the basic unit of data exchange.
addressing data packets.
moving data between the Network layer and the Transport layer.
routing packets from the sender to the destination network.
breaking messages into packets and reassembling the packets into the
original message.
MAC Address
Each network interface card has a unique six-byte identification
number that was assigned in the factory. When a data packet arrives,
the network card compares the destination address on the data packet with
its own MAC address to decide whether to receive or discard the packet.
Subnet Mask
A subnet mask is used to segment a network into 2, 4, 8, etc. sub-networks.
For example, take a Class B network with network number 172.16.0.0 and
subnet mask 255.255.224.0. The first two numbers remain the network
number after segmentation. The first 3 bits of the third number are the
Subnet Number, so there are 2^3 = 8 sub-networks. The remaining five bits
plus the eight bits of the fourth number, thirteen bits in total, are the host
addresses available for each sub-network. Each sub-network can have
2^13 = 8192 addresses. Example addresses are as follows:
TCP/IP Protocol
TCP/IP consists of two protocols:
TCP, Transmission Control Protocol
IP, Internet Protocol
TCP/IP features:
Open communication standard: it is free and does not depend on any
operating system or hardware.
Not restricted to any network hardware: Ethernet, Token Ring, leased
line, X.25 or Frame Relay can all be integrated and operate under
TCP/IP.
Widely accepted addressing method: it is used to assign network
equipment a unique IP address.
Many standardized high-level protocols provide users with wide and
consistent services.
TCP Protocol
TCP is a connection-oriented protocol; it establishes a logical connection
between two computers. Before transferring data, the two computers
exchange control messages to make sure a connection has been
established; this process is called handshaking. TCP sets up control
functions in the Flag field of the Segment Header. Compared to UDP, TCP
is a very reliable protocol, and uses PAR (Positive Acknowledgment with
Re-transmission) to guarantee that data from one host computer reaches
the other host computer safely and correctly.
User Datagram Protocol (UDP Protocol)
User Datagram Protocol is a transport layer protocol in the TCP/IP protocol
stack. Under UDP the application program packs user data into packets, and
IP transfers these packets to their destination. With UDP, applications
can exchange messages at the least cost. UDP is an unreliable,
connectionless protocol. Unreliable means that the protocol has no
mechanism for exchanging datagrams with guaranteed delivery, although it does
transfer data correctly over the network. UDP uses the source port and destination
port in the message header to deliver a message to the right application.
DoS (Denial of Service Attack)
DoS attacks disable a server's ability to serve, make system
connections impossible, and prevent the system from providing services to
any legitimate or illegitimate users. In other words, DoS's objective is to kick the
attacked server off the network.
There are four popular types of DoS attacks:
Bandwidth Consumption: Attackers use wider bandwidth to flood the
victim's bandwidth with garbage data. For example, using a T1
(1.544Mbps) leased line to attack a 56k or 128k leased line, or using
several 56k sites to stuff a T3 (45Mbps).
Resource Exhaustion: This attack exhausts the victim's system
resources, such as CPU usage, memory, file system quota or other
system processes. The attack can bring down the system or slow
the system down.
Defect program: Attackers use programs to generate exception
conditions that can't be handled by applications, systems, or embedded
hardware, to cause system failure. On many occasions, attackers send
malformed (unrecognizable to the system) packets to targeted systems to cause core
dumps, and in the meantime issue privileged commands to destroy the
systems.
Router and DNS attacks: Attackers alter routing tables and cause legitimate
requests to servers to be rejected. This kind of attack redirects user
requests to an enterprise's DNS to specific addresses or black holes,
usually non-existent addresses.
Firewall
The firewall has three basic functions:
1. Restrict data entering at a control point.
2. Restrict data flowing out at a control point.
3. Keep attackers away from servers.
The firewall protects:
1. Software data
2. Hardware data
3. The company's reputation
The firewall's standard interfaces are:
1. External (WAN) network, also known as the Untrusted Network
2. Internal (LAN) network, also known as the Trusted Network
3. DMZ network, also known as the De-Militarized Network
Add-on values of the firewall are:
1. NAT, to provide the company with enough IP addresses.
2. Reducing the risk of exposing servers to the outside world.
3. Recording Internet usage effectively.
4. Alerting the administrator to take emergency steps in a timely fashion.
5. Encrypting sensitive data to transfer it safely across the Internet.
The firewall has the following restrictions:
1. Can't block attacks from inside.
2. Can't monitor connections that don't pass through the firewall.
3. Can't prevent new types of threats.
4. Can't prevent virus attacks.
Hackers and Crackers
Hackers are those smart and aggressive programmers who actually initiated
the recent computer revolution. These programmers are crazy about
exploring new technology to solve problems and create new methodologies.
Their objective is to construct solid networks, not to destroy other
computer systems. Crackers, on the other hand, are programmers who
attack private networks but don't steal or destroy data. Phrackers are
people who use stolen data to enter computer systems illegally and do
damage.
IP Spoofing
Packets are sent with a forged source address. If the firewall's policy
does not block such packets (for example, packets arriving on the external
interface that claim an internal source address), they can be used to
attack internal servers easily.
Network Address Translation
NAT is the translation of IP addresses between internal or private networks
and the public IP addresses on the Internet. There are three IP address
blocks that have been assigned as private IP address space:
10.0.0.0 – 10.255.255.255
172.16.0.0 – 172.31.255.255
192.168.0.0 – 192.168.255.255
Through the NAT mechanism, an enterprise's internal networks can use
any IP addresses that fall in the three private spaces. Note that private IP
addresses are not routed on the Internet: a packet addressed to a private
address cannot be forwarded by Internet routers to its destination.
Packet Filtering
Packet Filters check the headers of IP, TCP and ICMP packets to gather
information such as source addresses, source ports, destination
addresses, and destination ports. The filter also checks the relationships between
packets to decide whether a packet belongs to a normal connection. In this way,
attacks can be detected and blocked.
Address
Each address in the Address Table can be either an IP address or a
sub-network address. Administrators can create a name for a specific
address for easier reference. Based on the networks they are
located in, IP addresses fall into 3 categories: Internal IP addresses, External
IP addresses and DMZ IP addresses. When setting up policies,
administrators choose IP addresses in the Address Table as the
source/destination addresses, so the Address Table has to be constructed
before setting up policies.
Address Group
The usual way to set up different packet IP filters for the same policy is to
create one policy for each filter. If there are 10 IP addresses, then 10
policies have to be created. Address Group is used to simplify this kind of
procedure. The administrator creates a new group name in the External
Groups of Address menu and adds all the related IP addresses into that
group. After the group is created, the group name will be shown in the Address
Table. When creating a control policy, the group name can be specified as the
source or destination address. In this way, only one policy is needed to
achieve the same effect as the ten policies in the previous example.
Alarm
There are flow alarms and event alarms. The flow alarm's parameter is set up
before setting up policies. Every 10 minutes the system checks whether the data packet
flow through each policy is higher than the set limit. If it is, a
record will be added to the flow alarm file. When the VPN FIREWALL detects
hacker attacks, it records the attacking data in the event alarm file, and sends
E-mail to the system manager to take emergency steps.
DMZ
The DMZ is the network between the firewall's external interface and the router.
The DMZ's network number is allocated by the ISP. For example, suppose the
network number an ISP provides is 210.71.253.128 and the subnet mask is
255.255.255.240. Machines inside the DMZ can have IP addresses ranging
from 210.71.253.128 to 210.71.253.143, sixteen different IP addresses.
However, only thirteen of the sixteen IP addresses, those ranging from
210.71.253.129 to 210.71.253.141, are usable: 128 is the network number,
143 is the broadcast address, and 142 is used by the router. Because the
DMZ is located outside the firewall and is not protected by it, it
is considered insecure. To fix this loophole, more firewall products
provide a dedicated DMZ interface to protect DMZ
connections. In the previous example, the system manager segments the
network into two sub-networks, 210.71.253.128/29 and 210.71.253.136/29
respectively. Since the router's IP is 210.71.253.142, the external interface's
IP must be one of 210.71.253.136/29, and the DMZ interface's IP must belong
to 210.71.253.128/29. As the following graph shows:
[Figure: Internal network, Net Id=192.168.1.0/24, HUB, firewall internal
interface 192.168.1.1. Firewall. External network, Net Id=210.71.253.136/29,
HUB, firewall external interface 210.71.253.138, Router 210.71.253.142,
Internet. DMZ, Net Id=210.71.253.128/29, HUB, firewall DMZ interface
210.71.253.130.]
Load Balancing
Load Balancing is a function that Virtual Servers provide. It allows a Virtual
Server to be mapped to more than one physical server, each of which provides the
specific service at the same time. When a Virtual Server receives data
packets, it forwards the packet to the first physical server, and the next
packet to the next physical server. The VPN FIREWALL uses Least
Connection for load balancing.
Least Connection: Because each physical server has a different processing
speed, Least Connection forwards data packets to the physical server with
the least number of connections at that time. In this way, each packet can
have the least waiting time, and the number of packets a server receives is
proportional to its processing efficiency.
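A worked calculation for the Subnet Mask entry and for the DMZ addressing example above, added here as an illustration; this is not code from the manual and does not run on the firewall. It uses Python's standard ipaddress module, and the networks and addresses are the ones the text uses (172.16.0.0 with three borrowed bits, the ISP block 210.71.253.128/28 with the router at .142 and the DMZ interface at .130).

```python
import ipaddress


def split_network(network: str, subnet_bits: int) -> list:
    """Borrow `subnet_bits` host bits and return the resulting sub-networks.
    Three bits borrowed from 172.16.0.0/16 give mask 255.255.224.0 and
    2^3 = 8 sub-networks of 2^13 = 8192 addresses each."""
    net = ipaddress.ip_network(network, strict=True)
    return list(net.subnets(prefixlen_diff=subnet_bits))


def usable_dmz_hosts(network: str, reserved: set) -> list:
    """Addresses a DMZ machine may take: the ISP block minus the network
    number, the broadcast address and anything already claimed (the router)."""
    net = ipaddress.ip_network(network, strict=True)
    taken = {ipaddress.ip_address(a) for a in reserved}
    return [str(h) for h in net.hosts() if h not in taken]


def place_interfaces(block: str, router_ip: str, dmz_if_ip: str) -> dict:
    """Cut the ISP block into two halves and decide which half is the
    external segment (the one holding the router) and which is the DMZ.
    Raises if the chosen DMZ interface address is not in the DMZ half."""
    halves = split_network(block, 1)
    router = ipaddress.ip_address(router_ip)
    external = next(h for h in halves if router in h)
    dmz = next(h for h in halves if h != external)
    if ipaddress.ip_address(dmz_if_ip) not in dmz:
        raise ValueError(f"DMZ interface {dmz_if_ip} is not inside {dmz}")
    return {"external": str(external), "dmz": str(dmz)}


if __name__ == "__main__":
    # Class B example from the Subnet Mask entry
    for sub in split_network("172.16.0.0/16", 3):
        print(sub, sub.netmask, sub.num_addresses)
    # ISP block from the DMZ entry: 210.71.253.128/28, router at .142
    print(usable_dmz_hosts("210.71.253.128/28", {"210.71.253.142"}))
    print(place_interfaces("210.71.253.128/28", "210.71.253.142", "210.71.253.130"))
```

The check in place_interfaces is the one to run before committing addresses to the Configuration menu: an external interface address in the DMZ half, or the reverse, is silently wrong on the firewall but is caught here.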
Log
There are flow control logs and event logs. The flow control log's parameters are
set up at the same time the control policies are set up. It records details of the data
packets of each control policy, including the data packet's start and end time,
disconnect time and length of connection, source address, destination
address and service content.
Event log records details of the firewall’s system configurations changes,
including the user who made the modification, time of change, modified
parameters, and IP address the user uses to logon, etc.
Mapped IP
Both Mapped IP and Virtual Server use an IP mapping mechanism to allow
outside users to access internal servers through the firewall. They are
different in the following ways:
Virtual Server has the Load Balance feature, and Mapped IP has not.
Virtual Server has a one-to-many mapping relationship to physical
servers, and Mapped IP is mapped to physical servers in one-to-one
fashion. A virtual server can be mapped to only one service, such as
SMTP, HTTP or FTP. A Mapped IP can be mapped to all services
provided by a physical server.
Schedule
Schedule is used to set up different time intervals carrying different
policies. A policy only works in the specified time interval, and is automatically
disabled outside the specified time interval. A specific schedule can be set
to repeat every week or just happen once.
Service
The TCP protocol and UDP protocol provide different services. Each service
has a TCP port number and a UDP port number, such as TELNET(23),
FTP(21), SMTP(25), POP3(110), etc. This system supports two kinds of
services: standard services and user defined services. The most popular
TCP and UDP services are already defined in the standard services table, and
can not be modified or deleted. Users can set up their own services with the
proper TCP and UDP port numbers if necessary. When setting up a user
defined service, the client's port number range is 1024:65535, and the server's
is 0:1023.
Policy
The VPN FIREWALL decides whether a data packet can pass according to
the values of the policies. A policy's parameters are source address,
destination address, service, permission, packet history, statistics and
flow alarms. Policies can be divided into four categories based on the
packets' source addresses.
Outgoing: Clients are located in internal networks and servers are in
external networks.
Incoming: Clients are located in external networks and servers are in
internal networks.
To DMZ: Clients can be located in either internal or external networks
and servers are in the DMZ.
From DMZ: Clients are in the DMZ and servers are in either internal or
external networks.
Packet Direction   Source Network       Destination Network
Outgoing           Internal             External
Incoming           External             Mapped IP / Virtual Server
To DMZ             External, Internal   DMZ
From DMZ           DMZ                  External, Internal
Service Group
Similar to address groups, managers can create new service groups in the
[Service Group] option of the [Service] menu and assign the desired services into
groups.
Using address groups and service groups can greatly simplify the policy
creation process. Suppose there are ten different IP addresses that access five
different server services, such as HTTP, FTP, SMTP, POP3 and TELNET.
Without the concept of address group and service group, (10*5) = 50
policies need to be created. However, with an address group in the
source/destination address and a service group name in the service option when
setting up a policy, only one policy is needed instead of 50.
System Configuration
The system configuration file stores the system administrator's name and
password, IP addresses of the Firewall's network interfaces, address table,
service table, virtual servers' IP addresses and policies. When the
configuration process is completed, the system administrator can download the
configuration file to local disk as a backup. System Administrators can
overwrite the firewall's configuration file with the one stored on disk or
restore the configuration to its default factory settings.
Virtual Server
The Firewall separates an enterprise's Intranet and the Internet into internal
networks and external networks respectively. Generally speaking, in order
to allocate enough IP addresses for all computers, an enterprise assigns
each computer a private IP address, and converts it into a real IP address
through the firewall's NAT (Network Address Translation) function. If a
server is located in the internal network, outside users can't directly connect
to it by specifying the server's private IP address. First, we set the real IP
address of an external network interface to the actual IP address of a
Virtual Server. Through the IP translation of the Virtual Server, outside users
can access the servers of the internal networks.
Virtual Server has another feature, one-to-many mapping: one real IP
address on the external interface can be mapped to 4 internal virtual IP
addresses. Because of the Load Balance feature, the Virtual Server can
distribute data packets evenly to each private IP address (which is a
physical server) based on their weightings. This increases servers'
efficiency, reduces the risk of server crashes, and enhances servers' stability.
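An added model of the inbound translation the Mapped IP, Virtual Server and Load Balancing entries describe, written for this page and not taken from the manual or the firewall's firmware. A Mapped IP is a one-to-one rule for every port; a Virtual Server is a one-to-many rule for a single service that picks the backend with the fewest active connections (Least Connection, first-listed backend wins a tie). The real and private addresses, the ports and the per-server service times are constructed for illustration; the small tick-based simulation at the end shows why a faster server ends up receiving more connections.

```python
from dataclasses import dataclass, field


@dataclass
class MappedIP:
    """Mapped IP: one real address, one private host, every service."""
    real_ip: str
    private_ip: str

    def target(self, port: int) -> str:
        return self.private_ip


@dataclass
class VirtualServer:
    """Virtual Server: one real address and one service spread over several
    physical servers, chosen by Least Connection (ties go to the first listed)."""
    real_ip: str
    port: int
    backends: list
    active: dict = field(init=False)

    def __post_init__(self) -> None:
        self.active = {b: 0 for b in self.backends}

    def target(self, port: int) -> str:
        if port != self.port:
            raise LookupError(f"{self.real_ip} has no virtual service on port {port}")
        chosen = min(self.backends, key=lambda b: self.active[b])
        self.active[chosen] += 1
        return chosen

    def release(self, backend: str) -> None:
        self.active[backend] -= 1


class InboundTranslator:
    """Inbound half of the firewall's NAT: (real IP, port) -> private host.
    A Virtual Server matches on its exact port; a Mapped IP matches any port."""

    def __init__(self) -> None:
        self.rules = {}  # (real_ip, port) for virtual servers, (real_ip, None) for mapped IPs

    def add_mapped_ip(self, m: MappedIP) -> None:
        self.rules[(m.real_ip, None)] = m

    def add_virtual_server(self, v: VirtualServer) -> None:
        self.rules[(v.real_ip, v.port)] = v

    def translate(self, dst_ip: str, dst_port: int) -> str:
        rule = self.rules.get((dst_ip, dst_port)) or self.rules.get((dst_ip, None))
        if rule is None:
            raise LookupError(f"no mapping for {dst_ip}:{dst_port}")
        return rule.target(dst_port)


def simulate(vs: VirtualServer, requests: int, service_ticks: dict) -> dict:
    """One new connection per tick; backend b holds each connection for
    service_ticks[b] ticks before releasing it. Returns connections per backend."""
    pending = {b: [] for b in vs.backends}  # completion ticks still open on each backend
    counts = {b: 0 for b in vs.backends}
    for t in range(requests):
        for b in vs.backends:
            for _ in [d for d in pending[b] if d <= t]:
                vs.release(b)
            pending[b] = [d for d in pending[b] if d > t]
        chosen = vs.target(vs.port)
        pending[chosen].append(t + service_ticks[chosen])
        counts[chosen] += 1
    return counts


if __name__ == "__main__":
    nat = InboundTranslator()
    nat.add_mapped_ip(MappedIP("210.71.253.139", "192.168.1.10"))
    nat.add_virtual_server(VirtualServer("210.71.253.140", 21, ["192.168.1.21", "192.168.1.22"]))
    print(nat.translate("210.71.253.139", 25), nat.translate("210.71.253.139", 80))
    print(nat.translate("210.71.253.140", 21), nat.translate("210.71.253.140", 21))
    print(simulate(VirtualServer("210.71.253.140", 21, ["fast", "slow"]), 12, {"fast": 2, "slow": 4}))
```

The two failure cases the model makes explicit are the ones to keep in mind when writing the Incoming policy: a port that is not the Virtual Server's service has no mapping at all (LookupError), whereas a Mapped IP forwards every port, so an Incoming policy with service ANY on a Mapped IP exposes everything the private host listens on.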
Trouble-Shooting
Q: How to upgrade the VPN FIREWALL's software?
A: The VPN FIREWALL's software and system parameters are all
stored in the Flash Memory. The Flash Memory is re-writable and
re-readable. Users can contact the distributors to obtain the newest
version of the software. After receiving the newest version of the software from
the distributor, store it on the hard disk, then connect to the firewall's WebUI,
enter Software Update in the Administration menu, click the file
name of the newest version of the software, then click Ok.
The updating process won't overwrite the system configuration, so
it is not necessary to save it before updating the software. Exporting
the configuration first (see the next question) is still a cheap precaution.
Q: How to back up the system configuration?
A: To change system parameter settings without destroying the
original system configuration, the user can choose Export System
Settings to Client in Settings under the Administration menu. Users
can upload the backup system configuration from the hard disk to the
firewall with Import System Setting from Client.
Q: Which server can be installed in the DMZ?
A: The VPN FIREWALL provides three Interface Ports to divide the
enterprise's networks into internal networks, external networks, and
DMZ. The internal networks use private IP addresses, which
routers can't forward. Therefore a server's IP address needs to be a
real IP address instead of a private one. External Internet users
can't connect directly to any server with a private IP address in the internal
networks. The DMZ employs real IP addresses. By setting the
permission in DMZ policies to allow packets to flow through,
servers inside the DMZ can exchange packets with any Internet IP
address. There is no restriction on which kind of server is used
in the DMZ.
Q: What is the difference in privileges of admin and sub admin?
A: The VPN FIREWALL sets the system administrator's name and
password to admin. When the administrator sets up the system the
first time, the installation wizard asks the administrator to change the
password for admin (the user name 'admin' can not be changed). In
the admin menu under Administration, the admin may add or
change the name and password of the sub admin. The administrator
can change the firewall's system parameters when logged into the
firewall as "admin". The "sub admin" can only browse the system
configuration and has no privilege to modify it. Therefore, admin
has 'read' and 'write' privileges, but sub admin has only the 'read'
privilege.
Q: What are the default settings of the VPN FIREWALL?
A: The VPN FIREWALL has three main default settings; users need to
modify them to fit their environment to achieve optimum
performance.
1. The system administrator's name and password are both
'admin' (lower case). The name "admin" can't be changed, and
the password should be modified and recorded at the time of
installation.
2. The internal Interface IP address is set to 192.168.1.1 in the
factory. The system administrator needs to change it to a private
IP address of the enterprise's internal networks. Then set the IP
addresses of the External and DMZ interfaces according to the real
IP addresses allocated by the ISP.
3. Internal network, external network and DMZ can't communicate
with each other by default. So computers in the internal network
can't access any Internet address when users connect the
VPN FIREWALL to the internal and external networks. The system
administrator has to define policies with proper permissions in
Outgoing under the Policy menu, such as to permit certain IP
addresses in the internal network to access some web
addresses.
Q: How to install the VPN FIREWALL for the first time?
A: There are six steps to follow:
Step 1: First connect the administrator's PC and the Firewall's
internal interface card to the same HUB or Switch, and
change the PC's IP address to one of 192.168.1.2 - 192.168.1.254.
Then restart the computer to activate the new IP address.
Run the Browser and enter http://192.168.1.1 in the URL field
to access the Firewall Web UI.
Step 2: The Browser will ask for the user's name and password; enter
'admin' and the password.
Step 3: The Web UI will then request the user to change the password.
Change it and record the new password. The user name
is still 'admin'.
Step 4: Set the new Internal IP Address (enterprise's private IP
address) and External IP Address (allocated by the ISP
provider).
Step 5: If the new Internal IP Address doesn't belong to the
192.168.1.0 network, for example 172.16.0.1, the
administrator needs to change the PC's IP address to another
address in the same network as 172.16.0.1 (not 172.16.0.1 itself,
which is now the firewall's internal interface; for example 172.16.0.2) and
restart the computer to activate the new IP address. After the
new IP address is activated, use the browser to access
http://172.16.0.1 .
Step 6: Enter the main window of administration policies under
the WebUI, click New Policy, go to the Add New Policy window,
and click OK to complete the installation process.
Q: In the Outgoing menu, I set the source address to
"Inside-Any", the destination address to "Outside-any", the
service to HTTP, and the action to Permit. Why do the
computers of the internal network still cannot access the
Internet?
A: Usually the DNS of the clients points to a DNS server outside of
the firewall. When converting a URL to an IP address, the browser
sends out a DNS service packet to the external DNS server. If the
firewall doesn't allow the DNS service packet to pass, the URL cannot
be mapped to the IP address and the connection fails.
Q: Why can't users of external networks still store data into the
virtual server when the virtual server or IP mapping has been set
successfully?
A: In order to open a virtual server to external networks, the Administrator
needs to make sure that, in the Incoming menu, there is a policy with the
source address pointing to the external IP address, the destination address
to the virtual server or Mapped IP, and with permission to allow
inward packets to pass through.
Q: Can Admin modify the internal and external interface IP
addresses anytime?
A: No, because the names in the address table are set according to
the IP addresses of the internal and external interface cards, and the
source address and destination address of policies are set
according to the address table. The IP addresses of the VPN
FIREWALL's internal interface and external interface are the
foundations of administration policies. If the administrator wants to
change the VPN FIREWALL's IP address, the admin will need to
clean up all the administration policies and the address table.
Q: Are there any rules to follow when setting up administration
policies?
A: When setting up policies, administrators need to follow the [small to big]
principle. This means that when the source address, destination
address and service items of a policy are a subset of another policy,
it is necessary to set the policy of the subset first. For example, the
sequence to set policies for an individual worker, a department, and
every worker in the company is:
Individual → Department → Every worker
If subset policies are defined after the main policies, the policies
defined by the subset become invalid. For example, if the new policy order
is:
Every worker → Department → Individual
the policies of departments and individuals are subsets of the policies
of every worker, so the policies defined by the latter two are invalid.
Setup Examples
Example 1: Allow the Internal network to be able to access the Internet
Example 2: The Internal network can only access the Yahoo.com website
Example 3: Outside users can access the internal FTP server through
Virtual Servers
Example 4: Install a server inside the Internal network and have the
Internet (External) users access the server through IP
Mapping
Please see the explanation of the examples below:
Example 1:
Allow the Internal network to be able to access
the Internet
Step 1 Enter the Outgoing window under the Policy menu.
Step 2 Click the New Entry button on the bottom of the screen.
Step 3 In the Add New Policy window, enter each parameter, then click
OK.
Step 4 When the following screen appears, the setup is completed.
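The [small to big] rule from the troubleshooting answer above, as an added example that is not part of the manual: a first-match policy evaluator in the style the answer describes, plus a check that flags any policy that can never fire because an earlier, broader policy already covers every packet it describes. The worker, department and company addresses, the policy names and the destination are assumptions constructed for the illustration.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Policy:
    name: str
    source: str        # address table entry: host or sub-network in CIDR form
    destination: str
    service: str       # "ANY" or a named service such as "HTTP"
    action: str        # "Permit" or "Deny"

    def matches(self, src: str, dst: str, service: str) -> bool:
        return (ipaddress.ip_address(src) in ipaddress.ip_network(self.source)
                and ipaddress.ip_address(dst) in ipaddress.ip_network(self.destination)
                and self.service in ("ANY", service))

    def covers(self, other: "Policy") -> bool:
        """True when every packet `other` could match, self matches as well."""
        return (ipaddress.ip_network(other.source).subnet_of(ipaddress.ip_network(self.source))
                and ipaddress.ip_network(other.destination).subnet_of(ipaddress.ip_network(self.destination))
                and self.service in ("ANY", other.service))


def decide(policies: list, src: str, dst: str, service: str) -> str:
    """First matching policy wins; with no match nothing passes, which is
    the firewall's default before any policy exists."""
    for p in policies:
        if p.matches(src, dst, service):
            return p.action
    return "Deny"


def shadowed(policies: list) -> list:
    """Names of policies that can never fire because an earlier one covers them."""
    return [p.name for i, p in enumerate(policies)
            if any(q.covers(p) for q in policies[:i])]


# constructed example: one worker, that worker's department, every worker
INDIVIDUAL = Policy("individual", "192.168.1.25/32", "0.0.0.0/0", "HTTP", "Deny")
DEPARTMENT = Policy("department", "192.168.1.0/27", "0.0.0.0/0", "HTTP", "Permit")
EVERYONE = Policy("every worker", "192.168.1.0/24", "0.0.0.0/0", "ANY", "Permit")

SMALL_TO_BIG = [INDIVIDUAL, DEPARTMENT, EVERYONE]   # the order the manual requires
BIG_TO_SMALL = [EVERYONE, DEPARTMENT, INDIVIDUAL]   # the order it warns against

if __name__ == "__main__":
    for order in (SMALL_TO_BIG, BIG_TO_SMALL):
        print([p.name for p in order],
              decide(order, "192.168.1.25", "203.0.113.10", "HTTP"),
              "shadowed:", shadowed(order))
```

Running shadowed() over a policy list before saving it is the practical check: if it returns anything, the listed policies will never apply, whatever their permission says.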
Example 2:
The Internal network can only access the Yahoo.com
website.
Step 1. Enter the External window under the Address menu.
Step 2. Click the New Entry button.
Step 3. In the Add New Address window, enter the related parameters.
Step 4. Click OK to end the address table setup.
Step 5. Go to the Outgoing window under the Policy menu.
Step 6. Click the New Entry button.
Step 7. In the Add New Policy window, enter the corresponding parameters.
Click OK.
Step 8. When the following screen appears, the setup is completed.
Example 3:
Outside users can access the internal FTP server
through Virtual Servers
Step 1. Enter Virtual Server under the Virtual Server menu.
Step 2. Click the 'click here to configure' button.
Step 3. Select an External IP address, then click OK.
Step 4. Click the New Service button on the bottom of the screen.
Step 5. Add the FTP service pointing to the internal server IP address.
Click OK.
Step 6. A new Virtual Service should appear.
Step 7. Go to the Incoming window under the Policy menu, then click on
the New Entry button.
Step 8. In the Add New Policy window, set each parameter, then click
OK.
Step 9. An Incoming FTP policy should now be created.
Example 4:
Install a server inside the Internal network and
have the Internet (External) users access the
server through IP Mapping
Step 1. Enter the Mapped IP window under the Virtual Server menu.
Step 2. Click the New Entry button.
Step 3. In the Add New IP Mapping window, enter each parameter, and
then click OK.
Step 4. When the following screen appears, the IP Mapping setup is
completed.
Step 5. Go to the Incoming window under the Policy menu.
Step 6. Click the New Entry button.
Step 7. In the Add New Policy window, set each parameter, then click
OK.
Step 8. Open all the services (ANY). Note that with service ANY the
Incoming policy exposes every port the mapped internal server listens on;
if only particular services are needed, select those (or a service group)
instead.
Step 9. The setup is completed.
Specifications
Standard: IEEE802.3, 10BASE-T
IEEE802.3u, 100BASE-TX
IEEE802.3x full duplex operation and flow control
Interface: 1 * 10/100 RJ-45 WAN port
1 * 10/100 RJ-45 DMZ port
4 * 10/100 RJ-45 Fast Ethernet switching LAN ports
1 * Factory Reset Button
Cable Connections: RJ-45 (10BASE-T): Category 3, 4, 5 UTP/STP
RJ-45 (100BASE-TX): Category 5 UTP/STP
Network Data Rate: Ethernet: Auto-negotiation (10Mbps, 100Mbps)
Transmission Mode: Auto-negotiation (Full-duplex, Half-duplex)
LED indicators: System: Power
Port (LAN/WAN): SPEED, LINK/ACT, FDX/COL
MAC address: 512 MAC address entries
System Memory: 16MB Flash, 32MB RAM
Emission: FCC Class A, CE
Operating Temperature: 0 ~ 50°C (32 ~ 122°F)
Operating Humidity: 10% - 90%
Power Supply: External Power Adapter, 12VDC/1A
Dimension: 210 * 148 * 35 mm