Information in this User’s Manual is subject to change without notice and does not represent a commitment on the part of PLANET. PLANET assumes no responsibility for any inaccuracies that may be contained in this User’s Manual. PLANET makes no commitment to update or keep current the information in this User’s...
interference in a residential installation. This equipment generates, uses, and can radiate radio frequency energy and, if not installed and used in accordance with the instructions, may cause harmful interference to radio communications. However, there is no guarantee that interference will not occur in a particular installation.
♦ Any error messages that were displayed when the problem occurred
♦ Any software running when the problem occurred
♦ Steps you took to resolve the problem on your own
Revision: User’s Manual for PLANET UTM Content Security Gateway, Model: CS-2001v2, Rev: 1.0 (April, 2012), Part No: EM-CS2001v2_v1.0...
Front panel: Ethernet Port1/2/3/4, Power Indicator, Console Port, HDD Indicator, USB Port. Figure 1a. Front Panel of the CS-2001
Rear panel: Power Switch, Power Socket. Figure 1b. Rear Panel of the CS-2001
Power Indicator: Lights up when the power is on.
CS-2001 UTM Content Security Gateway User’s Manual
LED / Port | Description
LED1 (Left), Orange | Steady on indicates the port is connected to another network device. Blinks to indicate there is traffic on the port.
LED2 (Right), Orange | Steady on indicates the port is connected at...
Basic System Configuration Step 1. Connect both the IT administrator’s PC and the device’s LAN port to the same hub / switch, and launch a browser (e.g., IE or Firefox) to access the management interface address which is set to http://192.168.1.1 by default.
Configuration Panel: Displays the data or configurable settings of the corresponding item selected on the Menu Panel. Figure 4. The CS-2001 User Interface Note: 1. For your reference, you may configure your management address based on the available subnet ranges below.
Step 4. If it’s the first time you’ve logged into the management interface, an install wizard will appear to guide you through setting some of the basic settings required. System > Configuration > Installation Wizard Figure 5. The Install Wizard Step 5. Select the language for the user interface and the default character encoding.
Fill in the IP Address and Netmask fields. Figure 7. Interface Settings Important: 1. Once the LAN interface is changed, enter the new LAN IP address in the browser the next time you log in to the CS-2001 Web UI.
Step 7. Configure the WAN Interface (please refer to your ISP for the settings). Setting: Select Port2 (WAN1). Interface: Select WAN. Connection Mode: Select the required mode. Configure the remaining settings. Figure 8. The WAN Settings...
Step 8. Tick the Synchronize to an NTP Server box to ensure the system is provided with the accurate time. Figure 9. Time Settings Step 9. Enable Outgoing. Figure 10. Enabling an Outgoing Policy...
DHCP to enable LAN PCs to obtain IP addresses, users may have Internet access right after configuring DHCP. To configure any network policies, please go to Policy Object and Policy. Step 10. Provide the following CS-2001 interface information to LAN users. Figure 12. Settings Confirmation...
S.1 Overview of Functions
Category | Configurable Settings | Description | Index
System > Administration | Admin | Creates, modifies or removes administrator accounts. | Chapter 1
System > Administration | Permitted IPs | Permits specific IP addresses to access the system. | Chapter 1
System > Administration | Software Update | Updates the system’s software version. | Chapter 1
System > Configuration | Settings | For importing or exporting the system settings, resetting the system to factory default settings, ... | Chapter 2
... LAN and DMZ users.
System > Configuration | Installation Wizard | For quick installation and configuration. | Chapter 2
System > Configuration | Language | Available languages include Traditional Chinese, Simplified Chinese and English. | Chapter 2
Network | Settings | For DNS settings, link speed / duplex settings, etc. | Chapter 3
Network | Interface | For configuring the interface type: LAN (IP address, netmask, MAC address, etc.), WAN (connection type, downstream / upstream bandwidth, etc.), DMZ ... | Chapter 3
... Web-based mail, online gaming, VPN Tunneling, and remote controlling.
Virtual Server | Mapped IPs, Port Mapping, Port-Mapping Group | Maps an internal host to an external IP address to provide a specific connection or service, such as PC-Anywhere, FTP, HTTP, etc. | Chapter 10
One-Step ... | For establishing secure and ... | Chapter 11
... | Personal Rule, Global Rule, Whitelist, Blacklist, Training | Spam filtering is applied in the following order: Greylist Filtering > Personal Rule, Global Rule > Whitelist > Blacklist > Fingerprint > Bayesian Filtering > Spam Signature ... |
Anti-Virus | Settings | Scans for virus-infected mail using ClamAV and Sophos. | Chapter 14
IDP Reports | Settings, Statistics, Logs | Provides statistics in the form of graphs and logs. Statistics can be sent to the specific recipient periodically and logs can be searched based on the specified criteria. | Chapter 20
SSL Web | Settings | For configuring the VPN IP range, the protocol and the encryption algorithm. | Chapter 21
... DNS controlling mechanism. The backup mode provides continuous access if one of the WAN links ceases to function.
High Availability | Settings | For installing two CS-2001 devices to ensure an uninterrupted network connection. | Chapter 27
Co-Defense | Core Switch ... |
... Historical Top Chart
Traffic Grapher | WAN Traffic | Displays the usage statistics from the WAN interfaces. | Chapter 31
Traffic Grapher | Policy-Based Traffic | Displays the usage statistics of a configured policy. | Chapter 31
Diagnostic Tools | Ping, Traceroute | Provides Ping, Traceroute and Packet Capture to diagnose the connection. | Chapter 32
Chapter 1 Administration This chapter mainly explains the authorization settings for accessing the CS-2001. It covers the subjects of Admin, Permitted IPs, Software Update and Logout. The complete administrative authority lies in the hands of the IT administrator. Other than the IT administrator, any other administrator, also known as...
Terms in Admin Admin Name The authentication name used to log in to the system. The IT administrator’s name and password are assigned as admin, which cannot be deleted. Access Privilege The main IT administrator has the privilege of reading, writing and viewing. That means the main IT administrator is able to view and change the system configuration, logs and accounts.
1.1 Admin 1.1.1 Adding a Sub-Administrator Step 1. Go to System > Administration > Admin, set as below: (Figure 1-1) Click the New Sub-Admin button to create a new sub-administrator. Enter the Sub-Admin Name and Password. Enter the password again in the Confirm Password field. ...
1.1.2 Modifying the Password Step 1. Go to System > Administration > Admin and then set as below: (Figure 1-2) Click the Modify button of the admin you want to modify. Enter the original password in the Password field and then enter the new password in the New Password field.
1.2 Permitted IPs 1.2.1 Adding a Permitted IP Step 1. Under System > Administration > Permitted IPs, click the New Entry button and then set as below: (Figure 1-3) Enter the name in the Name field. Select IPv4 for Protocol. ...
1.3 Logout 1.3.1 Logging out the System Step 1. Click Logout to protect the system from any unauthorized modification while being away. (Figure 1-4, 1-5) Figure 1-4 The Logout Screen Figure 1-5 Confirming to Log Out...
Step 2. Click OK and then the logout message appears. (Figure 1-6) Figure 1-6 The Logout Message...
1.4 Updating Software Step 1. To run a software update, go to System > Administration > Software Update and follow the steps below: Click Browse to locate the software and then open it. Click OK to proceed to update the software. (Figure 1-7)...
Chapter 2 Configuration Configuration includes the following system settings: System Settings, Date / Time, Multiple Subnets, Route Table, DHCP, Dynamic DNS, Host Table, SNMP and Language.
Terms in Setting System Settings Allows the IT administrator to import / export system settings, perform a factory reset and format the built-in hard disk. Configuration File Backup and Restore Utility (Used: 40KB, Free: 9MB, Capacity: 10MB) Saves a copy of the system settings file to the device’s internal storage. The IT administrator can restore the system’s settings based upon the file’s date.
device can block their IP address for the specified amount of time. This helps to prevent any unauthorized tampering of the device.
Proxy Settings (for signature updates) Once the Proxy Server is deployed, the proxy settings must be configured for the CS-2001 to access the Internet. SIP/ H.323 NAT Traversal Settings Enables SIP NAT Traversal or H.323 NAT traversal.
Interface Denotes in which network, i.e. LAN or DMZ, the subnet resides. VLAN ID Permits the interface on the CS-2001 to support VLAN tags belonging to the LAN or DMZ. Terms in Routing Table Dynamic Routing Routers exchange routing information to reflect any changes in the topology of the network.
Note: Dynamic Routing Protocols can be categorized into the following two categories: Distance-Vector Routing Protocol: Uses the Bellman-Ford algorithm to calculate paths. Examples of distance-vector routing protocols include RIPv1/2 and IGRP (Cisco's proprietary protocol). Using RIP, the maximum hop count from the first router to the destination is 15. Any destination more than 15 hops away is considered unreachable.
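The note above describes distance-vector routing in terms of Bellman-Ford and RIP's 15-hop limit. The following is an added illustration, not code from the PLANET manual or the CS-2001 firmware: it runs Bellman-Ford relaxation over a constructed chain of routers (each link counts as one hop), caps distances at RIP's "infinity" of 16, and reports any destination beyond 15 hops as unreachable. The topology, router names and the helper functions are all assumptions made for the example.

```python
RIP_INFINITY = 16  # RIP's "infinity": 15 hops is the largest usable distance


def chain_links(n_routers):
    """Constructed sample topology: routers R0..R{n-1} connected in a line,
    each link costing one hop. Not a real network."""
    return [(f"R{i}", f"R{i + 1}") for i in range(n_routers - 1)]


def bellman_ford_hops(links, source, max_hops=15):
    """Compute hop counts from `source` with Bellman-Ford relaxation.

    Every link is bidirectional and costs one hop. Distances are capped at
    RIP_INFINITY during relaxation, and any destination farther than
    `max_hops` is reported as RIP_INFINITY, i.e. unreachable, which is how
    RIP treats destinations more than 15 hops away."""
    nodes = {n for link in links for n in link}
    if source not in nodes:
        raise ValueError(f"unknown source {source!r}")
    dist = {n: RIP_INFINITY for n in nodes}
    dist[source] = 0
    # At most |V|-1 passes are needed; stop early once nothing changes.
    for _ in range(len(nodes) - 1):
        changed = False
        for a, b in links:
            for u, v in ((a, b), (b, a)):
                candidate = min(dist[u] + 1, RIP_INFINITY)
                if candidate < dist[v]:
                    dist[v] = candidate
                    changed = True
        if not changed:
            break
    return {n: (d if d <= max_hops else RIP_INFINITY)
            for n, d in dist.items()}


def reachable(links, source, dest):
    """True if `dest` lies within RIP's 15-hop limit of `source`."""
    return bellman_ford_hops(links, source)[dest] < RIP_INFINITY


if __name__ == "__main__":
    # 18 routers in a line: R15 is exactly 15 hops from R0, R16 and R17 are not reachable.
    table = bellman_ford_hops(chain_links(18), "R0")
    for router in sorted(table, key=lambda r: int(r[1:])):
        hops = table[router]
        print(router, "unreachable" if hops == RIP_INFINITY else f"{hops} hops")
```

Adding a single extra link (for instance R0 to R10) to the same chain brings every router back within the limit, which is the practical reason RIP is only suitable for small networks: the hop budget, not link capacity, decides reachability.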
private purposes. In 2007 30-bit AS numbers were introduced. These numbers are written either as simple integers, or in the form x.y, where x and y are 16-bit numbers. Numbers of the form 0.y are exactly the old 16-bit AS numbers, 1.y numbers and 65535.65535 are reserved, and the remainder of the space is available for allocation.
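The paragraph above describes the x.y notation for AS numbers, where x and y are 16-bit halves, and the values it lists as reserved. The following is an added helper, not part of the PLANET manual: it converts between the plain-integer form and the x.y form and classifies a number according to the ranges the paragraph names (0.y as the old 16-bit numbers, 1.y and 65535.65535 as reserved). The function names and the sample values are the example's own.

```python
ASN_16BIT_MAX = 0xFFFF
ASN_MAX = 0xFFFFFFFF  # two 16-bit halves span 0.0 through 65535.65535


def to_asdot(asn):
    """Render an integer AS number as x.y (x = high 16 bits, y = low 16 bits)."""
    if not 0 <= asn <= ASN_MAX:
        raise ValueError(f"AS number out of range: {asn}")
    return f"{asn >> 16}.{asn & ASN_16BIT_MAX}"


def from_text(text):
    """Parse either a plain integer or an x.y string into an integer AS number."""
    text = text.strip()
    if "." in text:
        x_str, y_str = text.split(".", 1)
        x, y = int(x_str), int(y_str)
        if not (0 <= x <= ASN_16BIT_MAX and 0 <= y <= ASN_16BIT_MAX):
            raise ValueError(f"both halves of x.y must be 16-bit: {text!r}")
        return (x << 16) | y
    asn = int(text)
    if not 0 <= asn <= ASN_MAX:
        raise ValueError(f"AS number out of range: {text!r}")
    return asn


def classify(asn):
    """Classify a number the way the manual's paragraph describes the space:
    0.y are the old 16-bit AS numbers, 1.y and 65535.65535 are reserved,
    and everything else is available for allocation."""
    high = asn >> 16
    if high == 0:
        return "16-bit"
    if high == 1 or asn == ASN_MAX:
        return "reserved"
    return "allocatable"


if __name__ == "__main__":
    # Constructed sample values, chosen to land in each of the three classes.
    for sample in ("64496", "1.7", "2.3", "65535.65535"):
        asn = from_text(sample)
        print(f"{sample:>12} -> {asn:>10} = {to_asdot(asn):>12} ({classify(asn)})")
```

The parser accepts both spellings so that a value copied from a router configuration or a BGP log can be compared numerically, whichever notation the source used.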
Terms in DHCP Static IP Assignment DHCP can allocate IP addresses based upon the MAC address of PCs in the LAN or DMZ. Terms in Dynamic DNS (DDNS) Domain Name The domain name registered at the DDNS service provider. Real IP Address ...
Level 3 provides not only authentication for SNMP data but also encryption and is referred to as AuthPriv. User Name The NMS uses this user name to access information from the CS-2001. Auth Protocol Supports the authentication protocols HMAC_MD5_96 and HMAC_SHA_96.
Auth Password The NMS uses this password to access information from the CS-2001. Privacy Protocol Supports the Data Encryption Standard (DES) cipher, a 56-bit symmetric-key algorithm. Privacy Password The NMS uses this password to access information from the CS-2001.
2.1 Settings 2.1.1 Exporting System Settings Step 1. Under System > Configuration > Settings, click the button next to Export System Settings under the System Settings section. Step 2. Click Save in the File Download window, and then assign a storage folder. After that, click Save in the Save As window to complete exporting the system settings.
2.1.2 Importing System Settings Step 1. Under System > Configuration > Settings, click Browse… next to Import System Settings under the System Settings section. Next, in the Choose File window, select the configuration file and then click Open. (Figure 2-2) Step 2.
2.1.3 Resetting the System to Factory Default Settings and Formatting the Hard Drive Step 1. Under System > Configuration > Settings, tick Reset to factory default settings and Format the inbuilt hard disk under the Hard Disk Formatting section. (Figure 2-4) Figure 2-4 Resetting the Device to Factory Default Step 2.
2.1.4 Enabling Email Alert Notification Step 1. Go to System > Configuration > Settings. Under the Name Settings section, configure the following settings: Type your company name in the Company Name field. Type a name in the Device Name field. Step 2.
2.1.5 Rebooting the CS-2001 Step 1. To reboot the CS-2001, go to System > Configuration > Settings. Under the Device Reboot section click Reboot next to "To reboot the system, click". Step 2. A confirmation dialogue box will appear asking “Are you sure you want to reboot the system?” Step 3.
2.2 Date / Time 2.2.1 CS-2001 Time Settings Step 1. Go to System > Configuration > Date/Time and configure the following settings: (Figure 2-7) Configure the GMT offset hours. Tick Synchronize to an NTP server. Type the IP address of Internet time server in the NTP Server IP / Hostname field.
2.3 Multiple Subnet 2.3.1 Using NAT / Routing Mode For LAN Users to Access the Internet Prerequisite Setup (Note: IP addresses used as examples only) Configure port 1 as LAN1 (192.168.1.1, NAT routing mode) and connect it to the LAN which is using the IP address range 192.168.1.x/24. Configure port 2 as WAN1 (10.10.10.1) and connect it to the ISP router (10.10.10.2);...
Figure 2-8 Configuring Multiple Subnet Figure 2-9 Settings Completed Important: 1. When the PCs’ subnets or IP addresses are not on the same interface, you may go to Policy > LAN to LAN and create a policy (select Inside Any for both Source Address and Destination Address) to enable the LAN to LAN connection.
Step 2. Under Network > Interface, set as below: (Figure 2-10) Click on Port 2’s Modify button. For Interface Type select WAN, and enter all the relevant settings (provided by your ISP). For WAN NAT Redirection, select A designated IP and then enter 162.172.50.1.
Step 3. Under Policy Object > Address > LAN, set as below: (Figure 2-11) Figure 2-11 Address Settings for the LAN...
Step 4. Go to Policy > Outgoing and configure the following settings: Click on New Entry. Source Address: Select the name of the LAN addresses. (LAN1_Subnet1) Action: Tick Port 3 (WAN2). Click on Advanced Settings. For Port3 (WAN2) select Automatic. ...
Figure 2-13 The Second Outgoing Policy Settings...
Step 5. The configuration of LAN1 to the Internet is now complete. (Figure 2-15) Figure 2-15 The LAN Configured Using Multiple Subnet Note: 1. The LAN subnet 192.168.1.x/24 is only able to gain access to the Internet via WAN2 (using NAT).
2.3.2 Using Multiple Subnets to Establish a VLAN Gateway to Regulate VLAN Users to Access the Internet Prerequisite Setup (Note: IP addresses used as examples only) Configure Port1 as LAN1 (192.168.1.1, NAT/ Routing mode) and connect it to the LAN which is using 192.168.1.x/24. VLAN ID 10 using 192.168.100.x/24.
Figure 2-16 First Multiple Subnet Setting...
Figure 2-17 Second Multiple Subnet Setting Figure 2-18 Multiple Subnet Settings Completed Note: 1. The device’s interface settings permit multiple VLAN gateways to control each VLAN’s access to the Internet or communication amongst the VLANs. 2. When the PCs’ subnets or IP addresses are not on the same interface, you may go to Policy > LAN to LAN and create a policy (select Inside Any for both Source Address and Destination Address) to enable the LAN to LAN connection.
Step 2. Go to Policy Object > Address > LAN, and set as below: (Figure 2-19) Figure 2-19 Address Settings for the LAN...
Step 3. Go to Policy Object > Address > LAN Group and then set as below: (Figure 2-20) Figure 2-20 LAN Group Settings Step 4. Go to Policy > Outgoing, set as below: Click on New Entry. Source Address: Select the name of the LAN addresses (VLAN_Group) ...
Step 5. The internal network’s VLAN. (Figure 2-23) Figure 2-23 The Completed Multiple Subnet VLAN Settings...
2.4 Route Table 2.4.1 Enabling Two Networks Connected by a Router to Access the Internet via the CS-2001 Prerequisite Setup (Note: IP addresses used as examples only) Company A: Port 1 is set as LAN 1 (192.168.1.1, NAT routing mode) which is connected to the LAN subnet 192.168.1.x/24.
Step 1. Go to System > Configuration > Route Table and set as below: Click on New Entry. IP Version: Select IPv4. IP Address: Type 192.168.10.0. Netmask: 255.255.255.0. Gateway: 192.168.1.252. Interface: LAN1. ...
Figure 2-26 Static Route Settings Figure 2-27 The Completed Static Route Settings Important: 1. To enable the LAN to LAN connection, go to Policy > LAN to LAN and create a policy (select Inside Any for both Source Address and Destination Address). To enable the DMZ to DMZ connection, go to Policy >...
Step 2. The subnets 192.168.10.x/24, 192.168.20.x/24 and 192.168.1.x/24 can now communicate with each other. In addition, these subnets may also access the Internet using real IP addresses assigned from the CS-2001 device’s NAT mechanism. (Figure 2-28) Figure 2-28 The Routing Table...
2.5 DHCP 2.5.1 Using an External DHCP Server to Allocate IP Addresses to Internal PCs Step 1. Go to System > Configuration > DHCP, and set as below: (Figure 2-29) Tick Enable DHCP Relay. From DHCP Relay Interface select the interface. ...
Note: 1. When Enable DHCP Relay Support is enabled, internal PCs can obtain an IP address from the server through the specified interface (WAN1/2/3/4/5/6 or VPN-WAN1/2/3/4/5/6) of the CS-2001.
2.5.2 Using the CS-2001 to Allocate IP Addresses to LAN PCs Step 1. Go to System > Configuration > DHCP and set as below: (Figure 2-30) Select Enable DHCP. Deselect Obtain DNS server address automatically. DNS Server 1: Type an IP address as DNS Server 1.
1. Enabling Obtain DNS server address automatically is intended for LAN users who access the Internet via the device’s authentication mechanism. LAN users need to configure their Preferred DNS server address to be the same as the LAN interface address of the CS-2001 in Internet Protocol (TCP/IP) Properties.
2.6 DDNS Step 1. Go to System > Configuration > Dynamic DNS, and set as below: (Figure 2-31) Click New Entry. Select a Service Provider from the drop-down list. Tick Use the IP of on the right of WAN IP and then select a WAN port.
2.7 Host Table Step 1. Go to System > Configuration > Host Table and set as below: (Figure 2-33) Configure the Host Name accordingly. Select IPv4 for IP Version. Type the virtual IP address that the host name corresponds to in the Virtual IP Address field.
2.8 SNMP 2.8.1 SNMP Agent Settings Step 1. Go to System > Configuration > SNMP. Under the SNMP Agent Settings section configure the following: (Figure 2-34) Tick the interfaces that are permitted to send SNMP agent messages. Device Name: Name the device. By default, it is UTM. ...
Port: Type the port number of the SNMP Trap. (Default value: 162) Click OK. The IT administrator may now install an SNMP Trap client to receive alerts from the CS-2001. Figure 2-35 SNMP Trap Settings Note: 1. The IT administrator may test the SNMP trap by clicking on...
2.9 Bulletin Board 2.9.1 Using CS-2001 to Announce Information to LAN Users and DMZ Users Step 1. Go to System > Configuration > Bulletin Board and then configure the settings in the Bulletin Board Login Settings section.
Step 2. Under System > Configuration > Bulletin Board, configure the settings in the Bulletin Board Announcements section. Click New Entry. (Figure 2-37) Enter the Subject. Specify the Announcement Duration. Target Viewer: tick LAN Users and select Inside Any; tick DMZ Users and select DMZ Any.
Step 3. The LAN users and DMZ users will see the announcement when they access the Internet. (Figure 2-39, 2-40) Figure 2-39 Clicking the Button to See the Announcement Figure 2-40 LAN / DMZ Users Seeing the Announcement Note: 1. To know how many users have seen the announcement, you may go to System > Configuration >...
172.19.1.254. You may enter http://172.19.1.254:84 in the web browser. (Figure 2-41, 2-42) Figure 2-41 Logging in the Bulletin Board Setting Page Figure 2-42 The Bulletin Board Setting Page...
2.10 Language 2.10.1 Changing the Language Step 1. Under System > Configuration > Language, you may change the language of the user interface. (Figure 2-36) Figure 2-36 The Language Settings...
Chapter 3 Interface The Interface configuration allows you to configure the connection parameters separately for LAN, WAN and DMZ interfaces as well as to assign multiple network interfaces into a group based on your topology plan. This chapter covers the functionality and application of Settings, Interface and Interface Group.
By Source IP: For services that require using the same IP address throughout the session, such as online gaming and banking, the CS-2001 helps users retain the same WAN port (i.e. IP address) over which the session was created, to avoid disconnection caused by a change of the user’s IP address.
Interface Designation The system-assigned name based on the network interface type selected. Interface Type The network interface is categorized into three types: Local Area Network (LAN) Wide Area Network (WAN) Demilitarized Zone (DMZ) Connection Type (As Interface Type set to LAN) ...
An IPv6 address is represented as a text string in one of the following three conventional forms: Colon-hexadecimal form: This is the preferred form, n:n:n:n:n:n:n:n, where each n represents the hexadecimal value of one of the eight 16-bit elements of the address. For example: 21DA:00D3:0000:2F3B:02AA:00FF:FE28:9C5A ...
The IPv6 prefix is the part of the address that indicates the bits that have fixed values. If the prefix length is not a multiple of four, as in 21DA:D3:0:2F3B:2AA:FF:FE28:9C5A/59, the prefix boundary falls inside a hexadecimal digit, so the 16-bit block in which the prefix ends (2F3B) has to be rewritten with the bits beyond the prefix cleared (to 2F20). ...
The result, 02-AA-00-FF-FE-3F-2A-1C, is converted to colon-hexadecimal notation, yielding the interface identifier 2AA:FF:FE3F:2A1C. Thus, in this example, the link-local address that corresponds to the network adapter with the MAC address of 00-AA-00-3F-2A-1C is FE80::2AA:FF:FE3F:2A1C. Any IP Routing For hoteliers (hotel, guest house, inn, hostel, motel, etc.) to provide customers with Internet service.
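The passages above describe the text forms of an IPv6 address, how a prefix length such as /59 rewrites the block it ends in, and how the link-local address is derived from a MAC address (insert FF-FE, flip the universal/local bit, prepend FE80::). The following is an added example that is not part of the PLANET manual; it uses only Python's standard ipaddress module and reproduces the manual's own sample values (the MAC 00-AA-00-3F-2A-1C and the /59 address). Function names are the example's own.

```python
import ipaddress

# Sample values taken from the manual's worked examples; the function names are assumptions.
SAMPLE_MAC = "00-AA-00-3F-2A-1C"
SAMPLE_PREFIXED = "21DA:D3:0:2F3B:2AA:FF:FE28:9C5A/59"


def mac_to_modified_eui64(mac):
    """Build the 64-bit interface identifier from a 48-bit MAC address.

    Split the MAC into its two 24-bit halves, insert FF-FE between them,
    then flip the universal/local bit (bit 1 of the first octet).
    Returns the 8 raw bytes of the identifier."""
    parts = mac.replace(":", "-").split("-")
    if len(parts) != 6:
        raise ValueError(f"expected a 48-bit MAC address, got {mac!r}")
    octets = bytes(int(p, 16) for p in parts)
    eui = bytearray(octets[:3] + b"\xff\xfe" + octets[3:])
    eui[0] ^= 0x02  # universal/local bit
    return bytes(eui)


def link_local_from_mac(mac):
    """Return the FE80::/64 link-local address that corresponds to a MAC."""
    iid = mac_to_modified_eui64(mac)
    packed = b"\xfe\x80" + b"\x00" * 6 + iid  # 16 bytes: FE80:0:0:0 + identifier
    return ipaddress.IPv6Address(packed)


def text_forms(addr_text):
    """Return (full colon-hexadecimal form, compressed form) of an address."""
    addr = ipaddress.IPv6Address(addr_text)
    return addr.exploded, addr.compressed


def prefix_of(addr_with_len):
    """Apply a prefix length: bits beyond it are cleared, so for /59 the
    block containing the boundary changes from 2F3B to 2F20."""
    return ipaddress.IPv6Network(addr_with_len, strict=False)


if __name__ == "__main__":
    print("interface id :", mac_to_modified_eui64(SAMPLE_MAC).hex("-"))
    print("link-local   :", link_local_from_mac(SAMPLE_MAC))
    print("text forms   :", text_forms("21DA:00D3:0000:2F3B:02AA:00FF:FE28:9C5A"))
    print("prefix /59   :", prefix_of(SAMPLE_PREFIXED))
```

Because the interface identifier is derived from the MAC address, a link-local address computed this way reveals the adapter's hardware address to anyone on the link, which is why modern hosts usually prefer randomized identifiers; the derivation is still worth knowing when reading the CS-2001's interface pages or neighbour tables.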
When ticked, the management interface is available for access via SSH protocol. Connection Type (As Interface Type set to WAN) It has three connection types, namely: Static IP Address (Leased Line User) Dynamic IP Address (Cable Modem User) ...
NAT Redirection Translates private IP addresses into public addresses. Auto-configuration: The public address is automatically designated by the system. A designated IP: The public address is manually designated by the IT administrator. Max. Downstream & Upstream Bandwidth ...
Detection Mode When Round-Robin or Active-Backup is selected for Bonding Mode, ARP detect can be selected to detect the connection. Saturated Connections Determines the amount of sessions each WAN port can process at a time under By Traffic, By Session or By Packet mode. New sessions will be distributed to other WAN ports when the number of sessions has reached the maximum specified.
Terms in Interface Group Interface Group Allows you to group network interfaces, with each group isolated from the others. Note: This requires at least one WAN port with a static IP and a LAN or DMZ running Transparent Bridging mode. ...
3.1.1 Modifying the LAN Interface (NAT / Routing)
3.1.2 Configuring the WAN Interface
3.1.3 Using CS-2001 as a Gateway for Users on Two Subnets to Access the Internet (NAT/Routing)
3.1.4 Using CS-2001 as a Gateway for the Internal Users to Access the Internet...
3.1.1 Modifying the LAN Interface (NAT / Routing) Prerequisite Setup (Note: IP addresses used as examples only) Port1 is configured as LAN1 by default. (IP address: 192.168.1.1, NAT/ Routing) Step 1. Go to Network > Interface and then set as below: (Figure 3-1)...
2. Do not disable HTTP and HTTPS before configuring the settings under System > Administration > Permitted IPs, or the IT administrator may be unable to access the Web UI from LAN.
3.1.2 Configuring the WAN Interface Step 1. Go to Network > Interface and then click Port2’s Modify button. Select WAN for Interface Type. Step 2. Configure the Service Detection (ICMP & DNS): If ICMP is selected, enter the Alive Indicator Site IP. (Figure 3-2)...
Step 3. Select WAN for Interface Type: Static IP Address: (Figure 3-4) Enter the IP Address, Netmask and Default Gateway. Enter the Max. Downstream Bandwidth and the Max. Upstream Bandwidth. Tick Ping, HTTP and HTTPS. Click OK. (Figure 3-5)...
Figure 3-4 Configuring the Static IP Address Figure 3-5 Setting Completed...
Figure 3-6 Configuring the Dynamic IP Address Figure 3-7 Setting Completed...
1. The DNS Settings may be configured under Network > Settings. 2. When Ping, HTTP and HTTPS are enabled, users may access the CS-2001 Web UI from the external network. Exposing the management interface to the external network weakens network security, so it is suggested to disable Ping, HTTP and HTTPS on the WAN interface after the configuration is complete.
3.1.3 Using CS-2001 as a Gateway for Users on Two Subnets to Access the Internet (NAT/Routing) Prerequisite Setup (Note: IP Addresses used as examples only) Configure Port1 as WAN1 (61.11.11.11) and connect it to the ADSL Termination Unit Remote (ATUR) to access the Internet.
Figure 3-10 Configuring the LAN Interface...
Step 2. Go to Network > Interface and then set as below: (Figure 3-11) Click Port3’s Modify button. Select LAN for Interface Type. Select NAT Routing for Connection Type. Enter the IPv4 Address and the Netmask. ...
Step 3. LAN1 and LAN2 users will connect to WAN1 (61.11.11.11) and use WAN1’s IP address to access the Internet. You may create the policy to establish the connection between LAN1 and LAN2. (Figure 3-12) Figure 3-12 The Deployment of LAN using NAT / Routing Mode...
3.1.4 Using CS-2001 as a Gateway for the Internal Users to Access the Internet and Configure the DMZ for the External Users to Access the Network Resource Prerequisite Setup (Note: IP addresses used as examples only) Configure Port1 as LAN1 (192.168.1.1, NAT/Routing) and connect it to the LAN. IP address range: 192.168.1.x/24.
Figure 3-13 Configuring the LAN Interface...
Step 2. Go to Network > Interface and then set as below: (Figure 3-14) Click Port3’s Modify button. Select DMZ for Interface Type. Select Transparent Routing for Connection Type. Tick Ping, HTTP and HTTPS. Click OK. Figure 3-14 DMZ Interface Settings Note:...
Step 3. The external users may connect to the web server (61.11.11.12) to access the network resource. The LAN users may connect to WAN1 (61.11.11.11) and use WAN1’s IP address to access the Internet. (Figure 3-15) Figure 3-15 The Deployment of DMZ Using Transparent Routing Mode...
3.1.5 Deploying the CS-2001 between the Gateway and LAN (configuring two subnets, one using Transparent Routing, the other one using NAT/Routing) for the LAN users to access the Internet Prerequisite Setup (Note: IP addresses used as examples only) Gateway’s LAN IP addresses are 192.168.1.1 (192.168.1.x/24) and 192.168.2.1 (192.168.2.x/24).
Step 1. Go to Network > Interface and then set as below: (Figure 3-16) Click Port2’s Modify button. Select LAN for Interface Type. Select Transparent Routing for Connection Type. Tick Ping, HTTP and HTTPS. Click OK. Figure 3-16 Configuring the LAN Interface Step 2.
Settings Step 3. LAN1 users (192.168.1.x/24) and LAN2 users (192.168.2.x/24) may use their original IP addresses to access the Internet via the CS-2001. You may create the policy to establish the connection between LAN1 and LAN2. (Figure 3-18)...
Figure 3-18 The deployment of LAN Using Transparent Routing and NAT/ Routing...
3.1.6 Deploying the CS-2001 between the Gateway and the LAN (LAN1 and DMZ1), connecting LAN1 to the user’s PC (using NAT/Routing mode) and then connecting DMZ1 to user’s PC (using Transparent Bridging mode) Prerequisite Setup (Note: IP addresses used as examples only) Gateway’s LAN (172.16.1.1).
Step 1. Go to Network > Interface and then set as below: (Figure 3-19) Click Port1’s Modify button. Select LAN for Interface Type. Select NAT Routing for Connection Type. Enter the IPv4 Address and the Netmask. ...
Figure 3-20 DMZ Interface Settings Step 3. Go to Network > Interface Group and then set as below: (Figure 3-21) Configure Port2(WAN1) and Port3(WAN2) as Group1. Click OK. Figure 3-21 Configuring the Interface Group...
Step 4. PCs (IP range: 172.16.x.x/16) on DMZ may use the original address to access the Internet through CS-2001. PCs on LAN will connect to WAN1 (172.16.1.12) and use WAN1’s IP address to access the Internet. (Figure 3-22) Figure 3-22 The Deployment of DMZ Using Transparent Bridging Mode...
PCs in DMZ (172.16.x.x/16): The LAN PCs (default gateway: 172.16.1.1) will access the Internet through the CS-2001’s WAN1. Configure the default gateway as the CS-2001’s WAN1 (172.16.1.12). Packets passing through the CS-2001 will use WAN1 (172.16.1.12) or WAN2 (211.22.22.22) to access the Internet. (Load Balancing) ...
3. Configure a router to connect the different subnets in the LAN so that the PCs can access the Internet through the original firewall. PCs in the DMZ may use their original IP addresses to access the Internet through the CS-2001’s WAN1. (Figure 3-24) Figure 3-24 The Deployment of DMZ Using Transparent Bridging 03...
4. Configure two firewalls to connect the Internet and the CS-2001, and then configure a router to connect the CS-2001 and the DMZ (192.168.2.1/24 and 192.168.3.1/24). Connect the two subnets to WAN1’s firewall and WAN2’s firewall respectively. Then, the packets from the two subnets (Figure 3-25)...
3.1.7 Deploying CS-2001 between the Gateway and LAN (LAN1 and DMZ1) for LAN Users and DMZ Users to Access the Internet Prerequisite Setup (Note: IP addresses used as examples only) Gateway: LAN(192.168.1.1), IP range:192.168.1.x/24 WAN(61.11.11.11) connects to the ADSL Termination Unit Remote to access the Internet.
Step 1. Go to Network > Interface and then set as below: (Figure 3-26) Click Port1’s Modify button. Select WAN for Interface Type. Select the Connection Type. Configure the connection settings. Tick Ping, HTTP and HTTPS. ...
Step 2. Under Network > Interface, set as below: (Figure 3-27) Click Port2’s Modify button. Select LAN for Interface Type. Select Transparent Bridging for Connection Type. Tick Ping, HTTP and HTTPS. Click OK. Figure 3-27 LAN Settings Using Transparent Bridging Mode...
Step 3. Under Network > Interface and then set as below: (Figure 3-28) Click Port3’s Modify button. Select WAN for Interface Type. Select the Connection Type. Configure the connection settings. Tick Ping, HTTP and HTTPS. ...
Figure 3-30 Interface Group Settings Important: 1. The CS-2001 then operates as two separate switches: Port1 (WAN1) and Port2 (LAN1) connect to the LAN, while Port3 (WAN2) and Port4 (DMZ1) connect to the DMZ. PCs under the two different switches cannot connect to each other.
Step 6. Users connecting to Port2 (LAN1) will use 192.168.1.x/24 to access the Internet. Users on Port4 (DMZ1) will use the IP address distributed by the ISP to access the Internet. (Figure 3-31) Figure 3-31 Interface Group Deployment...
3.1.8 Using the CS-2001 Device as the Gateway and Connecting it to the LAN (There are Two LAN Interfaces, One Using NAT/Routing, the Other Using Transparent Bridging Mode) for the LAN Users to Access the Internet Prerequisite Setup (Note: IP Addresses used as examples only) Configure Port1 as WAN1 (61.11.11.11) and connect it to the ADSL Termination Unit...
Step 1. Go to Network > Interface and set as below: (Figure 3-32) Click Port1’s Modify button. Select WAN for Interface Type. Select the Connection Type. Configure the connection settings. Tick Ping, HTTP and HTTPS. ...
Step 2. Go to Network > Interface and then set as below: (Figure 3-33) Click Port2’s Modify button. Select LAN for Interface Type. Select NAT/Routing for Connection Type. Enter the IPv4 Address and the Netmask. Tick Ping, HTTP and HTTPS.
Step 4. Go to Network > Interface Group and then set as below: (Figure 3-35) Configure Port1(WAN1), Port2(LAN1) and Port3(LAN2) as a Group. Click OK. Figure 3-35 Interface Group Settings Note: 1. Users on the same subnet can then be split across different interfaces according to their departments.
Step 5. PCs in the sales department (LAN1) and PCs in the support department (LAN2) are both on 192.168.1.x/24. They connect through WAN1 and use WAN1's IP address (61.11.11.11) to access the Internet. To allow LAN1 and LAN2 to communicate with each other, create a policy for that traffic. (Figure 3-36)...
Chapter 4 Address In Address, the IT administrator defines the LAN, WAN and DMZ addresses that policies refer to, and may gather specific addresses of a network into a group. An entry may represent a single host or a whole subnet; in either case the IT administrator gives it an easily identifiable name for better management.
Terms in Address Name An easily identifiable name representing the IP address or addresses. Address Type How the entry is specified: an IP range, an IP / netmask (IPv4), or an IPv6 address / prefix length. IP Version IPv4 or IPv6 can be selected. IP Address ...
FQDN(Fully Qualified Domain Name) The FQDN consists of two parts: the hostname and the domain name. For example, an FQDN may be www.planet.com.tw. The hostname is www, and the domain name is planet.com.tw. To regulate the access to the specified web site, the IT administrator only needs to configure an FQDN setting.
4.1 Example
Settings / Scenario:
4.1.1 LAN: Using DHCP to Grant Only FTP Access to a LAN User with a Specific IP Address
4.1.2 LAN / WAN Group: Creating a Policy for Certain Users to Connect to a Specific IP Address...
4.1.1 Using DHCP to Assign an IP to a Specific User and only Permitting FTP Access Step 1. Under Policy Object > Address > LAN, set as below: (Figure 4-1) Click New Entry. Type the name of the user in the Name field. (e.g., Alex).
Note: 1. To save the entries configured under Policy Object > Address > WAN / LAN / DMZ as a file for backup or offline editing, use Export data entries. If the list needs to be restored, for example after accidental modifications, use Import data entries. 2.
Step 2. Go to Policy > Outgoing and configure as below: (Figure 4-3) Source Address: Select the source address. Service Select FTP. Click OK. (Figure 4-4) Figure 4-3 The Outgoing Policy Settings Figure 4-4 Policy Completed...
4.1.2 Creating a Policy for Certain Users to Connect to a Specific IP Address Step 1. Create several addresses under Policy Object > Address > LAN. (Figure 4-5) Figure 4-5 The Creation of Several LAN Addresses...
Step 2. Under Policy Object > Address > LAN Group, set as below: (Figure 4-6) Click New Entry. Name: Designate a name for the group. Select group members from the Available address column on the left, and then click Add. ...
Step 3. Go to Policy Object > Address > WAN and configure as below: ( Figure 4-8) Click New Entry. Name: Designate a name for the group. Address Type: Select IP / Netmask. IP Version: Select IPv4. ...
Step 4. Go to Policy > Outgoing and configure as below: (Figure 4-10) Source Address: Select the LAN address group. Destination Address: Select the WAN destination address. Click OK. (Figure 4-11) Figure 4-10 The Policy Settings Figure 4-11 The Completed Policy Settings Note: 1.
TCP and UDP protocols provide different services. These services have an associated port number, for example Telnet = 23, FTP = 21, SMTP = 25, POP3 = 110, etc. The CS-2001 provides control over access to these services using Pre-defined and Custom settings.
Client Port The source port range on the client PC for connections passing through the CS-2001. It is recommended to keep the default range (0 to 65535). Server Port The destination port number, or port range, of the customized service.
5.1 Example of Pre-defined 5.1.1 Creating a Policy to Permit WAN Users Using VoIP Technology to Communicate with LAN Users (Using VoIP Port Numbers of TCP 1720, TCP 15328-15333 and UDP 15328-15333) Step 1. Go to Policy Object > Address > LAN Group and configure the following settings.
Step 2. Go to Policy Object > Service > Custom and then configure as below: (Figure 5-3) Name: Type in a name for the service. In row number 1 select TCP for the protocol. Leave the Client Port on the default setting.
Step 3. Go to Policy Object > Virtual Server > Port Mapping and use settings you created in Policy Object > Service > Custom. (Figure 5-5) Figure 5-5 Using the Pre-defined Service Settings Step 4. Go to Policy > Incoming and configure as below: (Figure 5-6)...
Step 5. Go to Policy > Outgoing and configure as below: (Figure 5-8) Source Address: Select the LAN group. Service: Select the custom service. Action: Select Port1 (WAN1). Click OK. (Figure 5-9) Figure 5-8 The Outgoing Policy for VoIP Figure 5-9 The Completed Settings Note: 1.
5.2 Example of Service Group 5.2.1 Creating a Policy with a Service Group to Limit Specific LAN Users to Access Only Certain Internet Services (HTTP, POP3, SMTP and DNS) Step 1. Go to Policy Object > Service > Group, and set as below: (Figure 5-10)...
Step 2. Go to Policy Object > Address > LAN Group and create a LAN Group of specific LAN users that are only permitted to access certain services. ( Figure 5-12) Figure 5-12 The Added LAN Group Step 3. Under Policy > Outgoing, set as below: (Figure 5-13)...
Figure 5-14 The Completed Policy Settings...
Chapter 6 Schedule Schedule is used for regulating the activation time of policies. With its help, the IT administrator may determine a specific period of time for each policy to take effect, saving time on system administration.
Terms in Schedule Name Designates the name of the schedule. Type Two modes are provided: Recurring: Based upon a weekly schedule, with configurable start and end periods for each of the seven days in a week. One-Time: Provides a start and stop time for a single specific date based upon the year, month, day, hour and minute.
6.1 Example 6.1.1 Assigning Daily Internet Access Time Slots for LAN Users Step 1. Under Policy Object > Schedule > Settings, set as below: (Figure 6-1) Type the name. Mode: Select either Recurring or One-Time. Use the drop-down menus to select the required start and end time for each day of the week.
Step 2. Under Policy > Outgoing, set as below: (Figure 6-3) Select the pre-defined schedule for Schedule. Click OK. (Figure 6-4) Figure 6-3 Applying the Schedule to the Policy Figure 6-4 The Completed Policy Settings...
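The Address objects of Chapter 4, the pre-defined and custom Service objects and Service Groups of Chapter 5, and the Schedule of Chapter 6 only take effect when a Policy combines them. The following Python model, added here as an illustration and not taken from the CS-2001 firmware or from PLANET, shows how those objects compose into a first-match outgoing policy: the FTP-only user of 4.1.1, the HTTP/POP3/SMTP/DNS group of 5.2.1 restricted to office hours as in 6.1.1, and the custom VoIP service rows of 5.1.1. The class names, the first-match order and the implicit deny for unmatched flows are assumptions about the device, and the addresses and times are constructed.

```python
"""Address, Service and Schedule objects combined into an outgoing policy.
Added illustration of how the objects of Chapters 4-6 fit together; it is not
CS-2001 code, and the class names, first-match order and implicit deny are
assumptions about the device, not statements from the manual."""
import ipaddress
from dataclasses import dataclass
from datetime import datetime

# Pre-defined services as (protocol, server port), with the numbers Chapter 5 lists.
PREDEFINED = {
    "FTP": ("tcp", 21), "TELNET": ("tcp", 23), "SMTP": ("tcp", 25),
    "DNS": ("udp", 53), "HTTP": ("tcp", 80), "POP3": ("tcp", 110),
}


@dataclass
class Service:
    """One row of a service: protocol, server port range and client port range."""
    proto: str
    server: tuple
    client: tuple = (0, 65535)  # the default client range the manual says to keep

    def matches(self, proto, sport, dport):
        return (proto == self.proto
                and self.client[0] <= sport <= self.client[1]
                and self.server[0] <= dport <= self.server[1])


def predefined(name):
    proto, port = PREDEFINED[name]
    return Service(proto, (port, port))


def custom_voip():
    """The custom VoIP service of 5.1.1: TCP 1720, TCP 15328-15333, UDP 15328-15333."""
    return [Service("tcp", (1720, 1720)), Service("tcp", (15328, 15333)),
            Service("udp", (15328, 15333))]


def ip_range(first, last):
    """Address type 'IP range', expressed as the networks that cover it."""
    return list(ipaddress.summarize_address_range(
        ipaddress.ip_address(first), ipaddress.ip_address(last)))


@dataclass
class Schedule:
    """Recurring schedule: weekday (0 = Monday) -> ('HH:MM', 'HH:MM'); a day
    with no window is blocked."""
    windows: dict

    def active(self, when):
        window = self.windows.get(when.weekday())
        return bool(window) and window[0] <= when.strftime("%H:%M") < window[1]


@dataclass
class Policy:
    source: list        # a LAN address or LAN group: list of ip_network
    destination: list   # a WAN address or WAN group
    services: list      # a service or service group: list of Service rows
    schedule: Schedule = None
    action: str = "permit"

    def matches(self, src, dst, proto, sport, dport, when):
        s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
        return (any(s in n for n in self.source)
                and any(d in n for n in self.destination)
                and any(r.matches(proto, sport, dport) for r in self.services)
                and (self.schedule is None or self.schedule.active(when)))


ANY_WAN = [ipaddress.ip_network("0.0.0.0/0")]


def evaluate(policies, src, dst, proto, sport, dport, when):
    """First matching policy wins; a flow no policy covers is dropped (assumed)."""
    for p in policies:
        if p.matches(src, dst, proto, sport, dport, when):
            return p.action
    return "deny"


def example_policies():
    """The scenarios of 4.1.1, 5.2.1 and 6.1.1 as policy objects (addresses constructed)."""
    office_hours = Schedule({d: ("08:00", "18:00") for d in range(5)})  # Monday to Friday
    return [
        # 4.1.1: Alex, on a fixed DHCP address, may use FTP and nothing else.
        Policy(source=[ipaddress.ip_network("192.168.1.10/32")], destination=ANY_WAN,
               services=[predefined("FTP")]),
        # 5.2.1 + 6.1.1: a LAN group limited to HTTP, POP3, SMTP and DNS in office hours.
        Policy(source=ip_range("192.168.1.20", "192.168.1.40"), destination=ANY_WAN,
               services=[predefined(n) for n in ("HTTP", "POP3", "SMTP", "DNS")],
               schedule=office_hours),
    ]


# Constructed sample times: 16 April 2012 is a Monday, 15 April 2012 a Sunday.
MONDAY_10AM = datetime(2012, 4, 16, 10, 0)
SUNDAY_10AM = datetime(2012, 4, 15, 10, 0)

if __name__ == "__main__":
    pol = example_policies()
    print(evaluate(pol, "192.168.1.10", "203.0.113.5", "tcp", 40000, 21, MONDAY_10AM))  # permit
    print(evaluate(pol, "192.168.1.30", "203.0.113.5", "tcp", 40000, 80, SUNDAY_10AM))  # deny
```

The point worth checking against a real configuration is the implicit deny: a user in the LAN group who is not covered by any permit policy, or who is outside the schedule window, gets nothing, so every service a department legitimately needs (DNS in particular) must appear in the service group.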
Chapter 7 QoS QoS provides bandwidth management for LAN users accessing the Internet via the CS-2001. When applied with a Policy, it ensures users are allocated suitable amounts of bandwidth. (Figure 7-1, 7-2) Figure 7-1 The Network with no QoS Figure 7-2 Applying QoS to the Network (Max.
Terms in Settings Name The name of the QoS setting. Port The WAN port to apply QoS. Downstream Bandwidth Determines the guaranteed bandwidth and maximum bandwidth of the total downstream bandwidth. Upstream Bandwidth: Determines the guaranteed bandwidth and maximum bandwidth of the total upstream bandwidth.
7.1 Example 7.1.1 Creating a Policy to Limit Upload and Download Bandwidth Step 1. Under Policy Object > QoS > Settings, set as below: (Figure 7-3) Click New Entry. Type the Name accordingly. Configure the bandwidth of Port 2 (WAN1) and Port 3 (WAN2). ...
Step 2. Under Policy > Outgoing, set as below: (Figure 7-5) Select the pre-configured QoS setting. Click OK. (Figure 7-6) Figure 7-5 Applying QoS to a Policy...
Figure 7-6 The Completed Policy Setting Note: 1. Under Policy Object > QoS > Settings, the available bandwidth range, such as G. Bandwidth and M. Bandwidth, is predefined under Interface > WAN. Thus, an appropriate value of Max. Downstream Bandwidth and Max. Upstream Bandwidth should be configured under Interface >...
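A QoS setting carries two numbers per direction, the guaranteed (G.) bandwidth and the maximum (M.) bandwidth, and the note above requires that they fit inside the bandwidth configured for the WAN interface. The Python below, added here as an illustration and not taken from the CS-2001 firmware, shows one scheduler rule that honours those two numbers: every setting first gets what it needs up to its guarantee, and the remaining interface bandwidth is shared among the settings that still want more, never above a setting's maximum. The CS-2001's actual scheduling algorithm is not documented in the manual, so this water-filling rule, the class names and the link speeds are assumptions.

```python
"""Bandwidth allocation with guaranteed (G.) and maximum (M.) bandwidth per QoS
setting, the two values of Chapter 7.  Added illustration written for this page;
the CS-2001's actual scheduler is not documented here, so the water-filling
rule below is an assumption about how such a guarantee is typically honoured."""


def guaranteed_fits(interface_kbps, classes):
    """The check the note under Figure 7-6 implies: the sum of guaranteed bandwidth
    must not exceed the bandwidth configured for the WAN interface."""
    return sum(g for g, _ in classes.values()) <= interface_kbps


def allocate(interface_kbps, classes, demand):
    """classes: name -> (guaranteed_kbps, maximum_kbps); demand: name -> offered load.
    Every class first receives what it demands up to its guarantee; the remaining
    interface bandwidth is then shared equally among classes still wanting more,
    never above a class's maximum or its demand.  Returns name -> allocated kbps."""
    if not guaranteed_fits(interface_kbps, classes):
        raise ValueError("guaranteed bandwidth exceeds the interface bandwidth")

    def cap(name):
        return min(classes[name][1], demand.get(name, 0))

    alloc = {n: min(classes[n][0], demand.get(n, 0)) for n in classes}
    left = interface_kbps - sum(alloc.values())
    while left > 0:
        wanting = [n for n in classes if alloc[n] < cap(n)]
        if not wanting:
            break                      # everyone is at its maximum or satisfied
        share = max(1, left // len(wanting))
        for n in wanting:
            if left == 0:
                break
            add = min(cap(n) - alloc[n], share, left)
            alloc[n] += add
            left -= add
    return alloc


# Constructed example: a 10 Mbps downstream WAN link and three QoS settings.
WAN1_DOWNSTREAM_KBPS = 10000
CLASSES = {
    "sales":   (2000, 6000),   # G. 2 Mbps, M. 6 Mbps
    "support": (3000, 8000),
    "guests":  (0, 2000),      # best effort only, capped at 2 Mbps
}


def demo(demand):
    """Allocate the constructed link among the three settings for a given offered load."""
    return allocate(WAN1_DOWNSTREAM_KBPS, CLASSES, demand)


if __name__ == "__main__":
    print(demo({"sales": 10000, "support": 1000, "guests": 10000}))
    print(demo({"sales": 10000, "support": 10000, "guests": 10000}))
```

Two consequences are visible in the output: a class whose maximum is lower than its share of the leftover (guests here) leaves bandwidth on the table rather than borrowing it, and when every class saturates the link each still receives at least its guarantee, which is exactly why the guarantees must sum to no more than the interface value set under Interface > WAN.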
Chapter 8 Authentication Authentication regulates users' access to the Internet. The CS-2001 offers five authentication modes, namely User, Group, RADIUS, POP3 and LDAP, adding flexibility to the choice of authentication method.
Terms in Authentication Authentication Management Provides basic settings for managing authentication: Authentication Port Number: The port number designated for authentication. By default, it is 82. Authentication Idle Timeout: If an authenticated connection has been idle for a period of time, it will expire. The default is 30 minutes. ...
The authentication login screen appears after a user attempts to access a web site: (Figure 8-2) Figure 8-2 The Authentication Login Screen An authenticated user will be redirected to the designated web site: (Figure 8-3) Figure 8-3 The User Being Redirected to a Website...
Note: 1. The Allow password modification mechanism is only applicable to authenticated users. 2. The authentication login screen appears after either trying to access a web site or by typing the management address together with its authentication port number in the address field of a web browser.
LDAP User Name Lists the LDAP User Name from LDAP server. The user name may be grouped for authentication.
1. The IT administrator may export the Authentication user list for safe keeping, and restore the list if needed. 2. To use authentication, LAN users must configure their Preferred DNS server in Internet Protocol (TCP/IP) Properties to be the same as the LAN interface address of CS-2001.
Step 2. Under Policy Object > Authentication > Group, set as below: (Figure 8-5) Click New Entry. Group Name: Type a name for the group. Select group members from the Available Authentication User column on the left, and then click Add. ...
Step 3. Go to Policy > Outgoing and configure as below: (Figure 8-6) Authentication: Select the group name that was configured in the previous step. Click OK. (Figure 8-7) Figure 8-6 Apply the Authentication to a Policy Figure 8-7 The Completed Policy Settings...
Step 4. The authentication login screen is displayed in the web browser when a LAN user tries to access the Internet. Internet access will be available after applying the valid user name and password to the corresponding fields in the login screen. (Figure 8-8)...
8.2 RADIUS Authentication 8.2.1 Regulating Internet Access with a Policy – An Example using the RADIUS Server from Windows Server 2003 ※ The Configuration of Windows Server 2003 Built-in RADIUS Server Step 1. Go to Start > Settings > Control Panel > Add/Remove Programs, and then click Add/Remove Windows Components on the left.
Step 3. Select Internet Authentication Service. (Figure 8-11) Figure 8-11 Selecting the Internet Authentication Service Step 4. Go to Start > Settings > Control Panel > Administrative Tools > Internet Authentication Service, and then click it. (Figure 8-12) Figure 8-12 The Path of Internet Authentication Service on the Start Menu...
Step 5. Right-click RADIUS Clients and then click New RADIUS Client. (Figure 8-13) Figure 8-13 Adding a RADIUS Client Step 6. Type a name and the client address, namely the management address of CS-2001. (Figure 8-14)...
Figure 8-14 Typing a Friendly Name and the Management Address...
Step 7. Select RADIUS Standard from the Client-Vendor drop-down list, and then enter the Shared secret and Confirm shared secret; both must match the shared secret configured on the CS-2001 under Policy Object > Authentication > RADIUS. Use a long, random secret: it is the only key protecting the user password in the request and the authenticity of the server's reply. (Figure 8-15) Figure 8-15 Selecting the Client Vendor and Entering the Password Step 8.
Figure 8-16 Adding a Remote Access Policy...
Step 9. Select Use the wizard to set up a typical policy for a common scenario and then type a name in the Policy name field. (Figure 8-17) Figure 8-17 Configuring and Naming the Policy...
Step 11. Select User. (Figure 8-19) Figure 8-19 Selecting User or Group Access Step 12. Select MD5-Challenge from the drop-down list. (Figure 8-20) Figure 8-20 Selecting an Authentication Method...
Step 13. Right-click the newly added policy name and then click Properties. (Figure 8-21) Figure 8-21 Configuring the Properties of a Policy...
Step 14. Select Grant remote access permission and then remove the existing settings. Next, click Add…. (Figure 8-22) Figure 8-22 Configuring the RADIUS Properties...
Step 15. Select Service-Type to add. (Figure 8-23) Figure 8-23 Select the Attribute Type Step 16. Select Authenticate Only and Framed from the Available types and then click Add. (Figure 8-24) Figure 8-24 Adding the Service Type...
Step 17. Click on the Edit Profile…, then click the IP tab and then tick Server settings determine IP address assignment. (Figure 8-25) Figure 8-25 Configuring the IP Setting...
Step 18. Click on the Edit Profile… button then click on the Authentication tab. Tick Microsoft Encrypted Authentication version 2 (MS-CHAP v2), Microsoft Encrypted Authentication (MS-CHAP ), Encrypted authentication (CHAP) and Unencrypted authentication [PAP, SPAP]. (Figure 8-26) Figure 8-26 Configuring the Authentication Settings...
Step 19. Click on the Edit Profile…, click the Advanced tab and then click Add…. (Figure 8-27) Figure 8-27 Configuring the Advanced Settings...
Step 20. Select Framed-Protocol and click Add. (Figure 8-28) Figure 8-28 Adding the Attribute...
Step 21. For Framed-Protocol, select PPP from the Attribute value drop-down list. (Figure 8-29) Figure 8-29 Attribute Setting 1 Step 22. For Service-Type, select Framed from the Attribute value drop-down list. (Figure 8-30) Figure 8-30 Attribute Setting 2...
Step 23. Go to Start > Settings > Control Panel > Administrative Tools, then select Computer Management. (Figure 8-31) Figure 8-31 Selecting “Computer Management” on the Start Menu Step 24. In the left column, go to Computer Management (Local) > System Tools >...
RADIUS server: (Figure 8-33) Figure 8-33 The RADIUS Server Settings Note: 1. You may click Test Connection to detect the connection between CS-2001 and RADIUS server. Step 27. Under Policy Object > Authentication > Group, select RADIUS Server from the Available Authentication User column and then click Add.
Step 28. Under Policy > Outgoing, set as below: (Figure 8-35) Select the defined user group for Authentication User. Click OK. (Figure 8-36) Figure 8-35 Applying the Authentication to a Policy Figure 8-36 The Completed Policy Settings Step 29. The authentication login screen will appear in the web browser with which a LAN user tries to surf the Internet.
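The shared secret entered in step 7 and on the CS-2001 side is not a login credential; it is the key that hides the user's password inside the RADIUS Access-Request and that authenticates the server's Access-Accept or Access-Reject. The Python below, added here as an illustration and not taken from the CS-2001 firmware or from Windows IAS, walks through one exchange as RFC 2865 defines it, with the NAS (the CS-2001's role) on one side and a toy RADIUS server on the other: the PAP password hiding of section 5.2, the Response Authenticator check, and what happens when the two secrets do not match (the reply is silently discarded, which is what Test Connection in step 26 would surface). The NAS address, user table and secrets are constructed, and the server only checks one in-memory user table.

```python
"""A RADIUS Access-Request / Access-Accept exchange (RFC 2865) showing what the
shared secret entered in step 7 actually does: it hides the PAP password in the
request and authenticates the server's reply.  Added illustration written for
this page, not CS-2001 or IAS code; the NAS address, user table and secrets
are constructed, and the server is a toy that only checks one user table."""
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
USER_NAME, USER_PASSWORD, NAS_IP_ADDRESS, SERVICE_TYPE = 1, 2, 4, 6
SERVICE_AUTHENTICATE_ONLY = 8   # one of the two Service-Type values added in step 16


def attr(kind, value):
    """Type-Length-Value attribute; Length counts the two header bytes."""
    return bytes([kind, 2 + len(value)]) + value


def hide_password(secret, authenticator, password):
    """User-Password hiding of RFC 2865 section 5.2: the password is padded to a
    multiple of 16 bytes and XORed with MD5(secret | previous block), chained."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        keystream = hashlib.md5(secret + prev).digest()
        block = bytes(p ^ k for p, k in zip(padded[i:i + 16], keystream))
        out += block
        prev = block
    return out


def reveal_password(secret, authenticator, hidden):
    """Inverse of hide_password, as the RADIUS server performs it."""
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        keystream = hashlib.md5(secret + prev).digest()
        out += bytes(c ^ k for c, k in zip(hidden[i:i + 16], keystream))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")


def build_packet(code, ident, authenticator, attributes):
    body = b"".join(attributes)
    return struct.pack("!BBH", code, ident, 20 + len(body)) + authenticator + body


def parse_attributes(data):
    attrs, i = {}, 0
    while i < len(data):
        kind, length = data[i], data[i + 1]
        attrs[kind] = data[i + 2:i + length]
        i += length
    return attrs


def access_request(secret, ident, username, password, nas_ip):
    """What the NAS (the CS-2001's role) sends; the Request Authenticator is fresh per request."""
    request_auth = os.urandom(16)
    attrs = [attr(USER_NAME, username),
             attr(USER_PASSWORD, hide_password(secret, request_auth, password)),
             attr(NAS_IP_ADDRESS, bytes(int(o) for o in nas_ip.split("."))),
             attr(SERVICE_TYPE, struct.pack("!I", SERVICE_AUTHENTICATE_ONLY))]
    return build_packet(ACCESS_REQUEST, ident, request_auth, attrs)


def server_respond(secret, users, request):
    """Toy RADIUS server: recover the password with its copy of the secret, decide,
    and sign the reply with Response Authenticator =
    MD5(Code | ID | Length | RequestAuth | Attributes | Secret)."""
    _code, ident, length = struct.unpack("!BBH", request[:4])
    request_auth = request[4:20]
    attrs = parse_attributes(request[20:length])
    password = reveal_password(secret, request_auth, attrs.get(USER_PASSWORD, b""))
    code = ACCESS_ACCEPT if users.get(attrs.get(USER_NAME)) == password else ACCESS_REJECT
    header = struct.pack("!BBH", code, ident, 20)          # reply carries no attributes
    response_auth = hashlib.md5(header + request_auth + secret).digest()
    return header + response_auth


def client_verify(secret, request, reply):
    """The NAS accepts a reply only if its identifier matches the request and the
    Response Authenticator verifies under the NAS's secret; returns the code or None."""
    code, ident, length = struct.unpack("!BBH", reply[:4])
    expected = hashlib.md5(reply[:4] + request[4:20] + reply[20:length] + secret).digest()
    if ident != request[1] or not hmac.compare_digest(reply[4:20], expected):
        return None
    return code


USERS = {b"alex": b"s3cret"}   # constructed user table on the RADIUS server


def exchange(nas_secret, server_secret, username, password):
    """One authentication; the secrets differ when the CS-2001 and IAS were configured
    inconsistently.  Returns 2 (accept), 3 (reject) or None (reply failed verification)."""
    request = access_request(nas_secret, 7, username, password, "192.168.1.1")
    reply = server_respond(server_secret, USERS, request)
    return client_verify(nas_secret, request, reply)


if __name__ == "__main__":
    print(exchange(b"same-secret", b"same-secret", b"alex", b"s3cret"))  # 2
    print(exchange(b"same-secret", b"typo-secret", b"alex", b"s3cret"))  # None
```

Note what this hiding is and is not: with PAP, the password travels protected only by MD5 keyed with the shared secret, so anyone on the path between the CS-2001 and the RADIUS server who can guess a weak secret recovers every password. That is the reason to keep the shared secret long and random, to keep the RADIUS path on a trusted network segment, and to enable PAP in step 18 only because the captive-portal login needs it.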
Step 1. Under Policy Object > Authentication > POP3, set as below: (Figure 8-38) Figure 8-38 The POP3 Server Settings Note: 1. You may click Test Connection to test the connection between the CS-2001 and the POP3 server. Step 2. From Policy Object > Authentication > Group, select POP3 User from the Available Addresses column and then click Add.
Figure 8-39 Adding POP3 User to an Authenticated Group...
Step 3. Under Policy > Outgoing, set as below: (Figure 8-40) Authentication: Select the user group. Click OK. (Figure 8-41) Figure 8-40 Using POP3 Authentication in a Policy Figure 8-41 A Policy with POP3 Authentication Step 4. The authentication login screen appears in the web browser when a LAN user tries to access the Internet.
8.4 LDAP Authentication 8.4.1 Regulating Internet Access with a Policy - An Example of Windows Server 2003 Built-in LDAP Server ※ The Configuration of the LDAP Server from Windows Server 2003 Step 1. Go to Start > Settings > Control Panel > Administrative Tools > Manage Your Server.
Step 3. In the Preliminary Steps window, click Next. (Figure 8-44) Figure 8-44 Preliminary Steps Step 4. In the Server Role window, select Domain Controller (Active Directory) and click Next. (Figure 8-45) Figure 8-45 Server Role...
Step 5. In the Summary of Selections window, click Next. (Figure 8-46) Figure 8-46 Summary of Selections Step 6. In the Active Directory Installation Wizard window, click Next. (Figure 8-47) Figure 8-47 Active Directory Installation Wizard...
Step 7. In the Operating System Compatibility window, click Next. (Figure 8-48) Figure 8-48 Operating System Compatibility Step 8. In the Domain Controller Type window, select Domain controller for a new domain, then click Next. (Figure 8-49) Figure 8-49 Domain Controller Type...
Step 9. In the Create New Domain window, select Domain in a new forest and click Next. (Figure 8-50) Figure 8-50 Creating a New Domain Step 10. In the New Domain Name window, enter the Full DNS name for new domain and then click Next.
Step 11. In the NetBIOS Domain Name window, type a Domain NetBIOS name and then click Next. (Figure 8-52) Figure 8-52 The NetBIOS Domain Name Step 12. In the Database and Log Folders window, specify the pathname of the Database folder and the Log folder and then click Next. (Figure 8-53)...
Step 13. In the Shared System Volume window, specify the Folder location and then click Next. (Figure 8-54) Figure 8-54 The Shared System Volume Step 14. In the DNS Registration Diagnostics window, select I will correct the problem later by configuring DNS manually (Advanced) and then click Next.
Step 15. In the Permissions window, select Permissions compatible only with Windows 2000 or Windows Server 2003 operating systems and then click Next. (Figure 8-56) Figure 8-56 Permissions Step 16. In the Directory Services Restore Mode Administrator Password window, enter the Restore Mode Password and Confirm password, and then click Next.
Step 17. In the Summary window, click Next. (Figure 8-58) Figure 8-58 The Summary Step 18. Settings completed. (Figure 8-59) Figure 8-59 Settings Completed...
Step 19. Go to Start > Programs > Administrative Tools > Active Directory Users and Computers. (Figure 8-60) Figure 8-60 Navigating to “Active Directory Users and Computers” on the Menu Step 20. In the Active Directory Users and Computers window, right-click Users, and then go to New >...
Step 21. In the New Object–User window, apply your information to the fields, and then click Next. (Figure 8-62) Figure 8-62 New Object – User Settings Step 22. In the New Object – User window, enter the password, and then click Next.
(Figure 8-65) Figure 8-65 LDAP Server Settings Note: 1. You may click Test Connection to detect the connection between the CS-2001 and the LDAP server. 2. LDAP User Name lists the user names retrieved from the LDAP server; these user names may be grouped for authentication.
Step 25. Go to Policy Object > Authentication > Group, then add LDAP User. (Figure 8-66) Figure 8-66 Adding the LDAP User...
Step 26. Under Policy > Outgoing, set as below: (Figure 8-67) Select the defined user group for Authentication User. Click OK. (Figure 8-68) Figure 8-67 Using LDAP Authentication in a Policy Figure 8-68 A Policy with LDAP Authentication Step 27.
Chapter 9 Application Blocking Application Blocking regulates the control of Instant Messenger Login, File Transfer over IM, Peer-to-Peer Sharing, Multimedia Streaming, Web-Based Mail, Online Gaming, VPN Tunneling, Remote Controlling and Other Applications.
Note: 1. If a proxy server is deployed, the proxy settings under System > Configuration > Settings must be configured for the CS-2001 itself to access the Internet. Instant Messenger Login Regulates the use of MSN, Yahoo, ICQ/AIM, QQ, Skype, Google Talk, Gadu-Gadu, Rediff, WebIM, Alisoft, BaiduHi, SinaUC, Fetion, Facebook Chat, Comfrog.
VPN Tunneling Regulates the online usage of VNN Client, Ultra-Surf, Tor, Hamachi, HotSpot Shield and FreeGate. Remote Controlling Regulates the online usage of TeamViewer, VNC and Remote Desktop.
9.1 Example
Settings / Scenario:
9.1.1 IM: Regulating the Use of IM Software ─ Messaging and File Transferring
9.1.2 P2P: Regulating the Use of P2P Software - Downloading and Uploading...
9.1.1 Regulating the Use of IM Software ─ Messaging and File Transferring Step 1. Go to Policy Object > Application Blocking > Settings and set as below: (Figure 9-1) Click New Entry. Type a name in the Name field. ...
Step 2. Under Policy > Outgoing, set as below: (Figure 9-3) Application Blocking: Select the name of the Application Blocking setting. Click OK. (Figure 9-4) Figure 9-3 Applying IM Blocking to a Policy Figure 9-4 A Policy with IM Blocking...
9.1.2 Regulating the Use of P2P Software - Downloading and Uploading Step 1. Under Policy Object > Application Blocking > Settings, set as below: (Figure 9-5) Click New Entry. Type a name in the Name field. Select Peer-to-Peer Sharing and tick Select All. ...
Step 2. Under Policy > Outgoing, set as below: (Figure 9-7) Application Blocking: Select the name of the Application Blocking Setting. Click OK. (Figure 9-8) Figure 9-7 Enabling the P2P Blocking in a Policy Figure 9-8 A Policy with P2P Blocking Note: 1.
Chapter 10 Virtual Server Virtual server provides services to external users by mapping a real IP address from a WAN port on the CS-2001 to a private IP address within the LAN. Mapped IPs: Uses Network Address Translation (NAT) to map a real IP address to a private IP address (one-to-one mapping) to provide any service (ports 0-65535).
Terms in Virtual Server WAN IP The real IP address of the WAN. Map to Virtual IP The private network address of a server in the LAN. Server Real IP The real IP address used by the virtual server. Service ...
10.1 Example
Settings / Scenario:
10.1.1 Mapped IPs: Using a Server to Provide FTP, Web and Mail Services through the Regulation of a Policy
10.1.2 Port Mapping: Using Multiple Virtual Servers to Host a Web Site through the Regulation of a Policy
10.1.3 Port Mapping: A VoIP Session Between an External and Internal User...
10.1.1 Using a Server to Provide FTP, Web and Mail Services through the Regulation of a Policy Step 1. Setup a server in the LAN which provides FTP, web and mail services; configure its IP address as 192.168.1.100 and its Preferred DNS server address as that of the external DNS server.
Step 4. Go to Policy Object > Service > Group, and create a group called Main_Service containing all of the server’s services e.g. DNS, FTP, HTTP, POP3, SMTP, etc. Create another group called Mail_Service comprising the services for enabling the server to send emails. (Figure 10-3)...
Step 6. Under Policy > Outgoing, set as below: (Figure 10-6) Source Address: Select the LAN address. Service: Select Mail_Service. Click OK. (Figure 10-7) Figure 10-6 Configuring an Outgoing Policy Figure 10-7 The Completed Policy Settings Important: 1.
Step 7. The completed settings. (Figure 10-8) Figure 10-8 The Server Providing Multiple Services Note: 1. It is strongly recommended not to select ANY for Service when configuring a policy, especially one whose destination is a Mapped IP. ANY exposes every port of the server to the Internet, so any service listening on it, including ones that were never meant to be published, becomes a way for an attacker to break into the server. Select only the services the server is meant to provide, for example the Main_Service group above.
10.1.2 Using Multiple Virtual Servers to Host a Web Site through the Regulation of a Policy Step 1. Set up multiple web servers in the LAN using the IP addresses: 192.168.1.101, 192.168.1.102, 192.168.1.103 and 192.168.1.104. Step 2. Under Policy Object > Virtual Server > Port Mapping, set as below: (Figure 10-9)...
Figure 10-9 Setting Virtual IP Figure 10-10 The Completed Virtual IP Settings...
Step 3. Under Policy > Incoming, set as below: (Figure 10-11) Destination IP: Select the Virtual IP setting. Service: Select HTTP(8080) Click OK. (Figure 10-12) Figure 10-11 Applying the Service to Policy Figure 10-12 The Completed Policy Setting Note:...
Step 4. Settings completed. (Figure 10-13) Figure 10-13 Multiple Servers Hosting a Single Website...
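The two virtual-server types behave differently on the wire: a Mapped IP of 10.1.1 is one-to-one NAT, so every port of the WAN address reaches the internal host, while a Port Mapping of 10.1.2 forwards a single WAN port to one or more internal servers. The Python below, added here as an illustration and not taken from the CS-2001 firmware, models the incoming translation for both entry types and includes the configuration check that the note under Figure 10-8 asks for: incoming policies that select ANY for Service on a Mapped IP. The addresses follow the manual's examples, but the second WAN address, the round-robin choice among the four web servers and their internal port 80 are assumptions.

```python
"""Virtual Server translation of Chapter 10: a Mapped IP forwards every port of
one WAN address to one internal host, a Port Mapping forwards one WAN port to one
or more internal servers.  Added illustration written for this page, not CS-2001
code; the round-robin choice among several servers and the internal port 80 are
assumptions, the addresses follow the manual's examples."""
import itertools


class MappedIP:
    """One-to-one NAT: the whole port range 0-65535 of wan_ip reaches virtual_ip."""
    def __init__(self, wan_ip, virtual_ip):
        self.wan_ip, self.virtual_ip = wan_ip, virtual_ip


class PortMapping:
    """One WAN port forwarded to a list of internal servers listening on server_port."""
    def __init__(self, wan_ip, proto, wan_port, servers, server_port):
        self.wan_ip, self.proto, self.wan_port = wan_ip, proto, wan_port
        self.servers, self.server_port = list(servers), server_port
        self._next = itertools.cycle(self.servers)   # assumed: round-robin distribution

    def pick(self):
        return next(self._next)


class VirtualServer:
    def __init__(self, mapped=(), port_maps=()):
        self.mapped = {m.wan_ip: m for m in mapped}
        self.port_maps = {(p.wan_ip, p.proto, p.wan_port): p for p in port_maps}

    def translate_incoming(self, dst_ip, proto, dst_port):
        """DNAT for a packet arriving on the WAN: (internal ip, internal port) or None.
        A Port Mapping entry is more specific than a Mapped IP, so it is tried first."""
        pm = self.port_maps.get((dst_ip, proto, dst_port))
        if pm is not None:
            return pm.pick(), pm.server_port
        m = self.mapped.get(dst_ip)
        if m is not None:
            return m.virtual_ip, dst_port
        return None


class IncomingPolicy:
    def __init__(self, destination_wan_ip, service):
        self.destination, self.service = destination_wan_ip, service


def risky_policies(vs, policies):
    """Incoming policies that select ANY for Service on a Mapped IP: the whole host,
    every listening daemon included, becomes reachable from the Internet."""
    return [p for p in policies if p.service == "ANY" and p.destination in vs.mapped]


def example_virtual_server():
    """10.1.1 (one host behind 61.11.11.12) and 10.1.2 (four web servers behind
    61.11.11.13 port 8080, a constructed second WAN address)."""
    return VirtualServer(
        mapped=[MappedIP("61.11.11.12", "192.168.1.100")],
        port_maps=[PortMapping("61.11.11.13", "tcp", 8080,
                               ["192.168.1.101", "192.168.1.102",
                                "192.168.1.103", "192.168.1.104"], 80)])


if __name__ == "__main__":
    vs = example_virtual_server()
    for _ in range(5):
        print(vs.translate_incoming("61.11.11.13", "tcp", 8080))
    print(vs.translate_incoming("61.11.11.12", "tcp", 25))
    print(len(risky_policies(vs, [IncomingPolicy("61.11.11.12", "ANY"),
                                  IncomingPolicy("61.11.11.12", "Main_Service")])))
```

The contrast between the two entry types is the practical lesson: a Port Mapping only ever exposes the one port it maps, whereas a Mapped IP exposes whatever the incoming policy's Service allows, which is why the ANY warning is attached to Mapped IPs in particular.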
10.1.3 A VoIP Session Between an External and Internal User (VoIP Ports: TCP 1720, TCP 15321-15333 and UDP 15321-15333) Step 1. Configure internal VoIP user with the IP address: 192.168.1.100. Step 2. Under Policy Object > Address > LAN, set as below: (Figure 10-14)...
Step 4. Under Policy Object > Virtual Server > Port Mapping, set as below: (Figure 10-16) Name: Enter the name for the Virtual IP setting. Server Real IP: Select Port 2 (WAN1) and type 61.11.11.12 in the field, or click Assist Me to select an IP address.
Step 5. Under Policy > Incoming, set as below: (Figure 10-18) Destination IP: Select the virtual server setting. Service: Select the custom service setting. Click OK. (Figure 10-19) Figure 10-18 Applying the Service to the Policy Figure 10-19 The Completed Policy Setting
Step 6. Under Policy > Outgoing, set as below: (Figure 10-20) Source IP: Select the address setting. Service: Select the service setting. Action: Select Port2 (WAN1) Click OK. (Figure 10-21) Figure 10-20 Setting an Outgoing Policy Figure 10-21 The Completed Settings Important:...
Step 7. A VoIP session created between an internal and external user. (Figure 10-22) Figure 10-22 The Completed VoIP Setup...
10.1.4 Using Multiple Virtual Servers to Provide HTTP, POP3, SMTP and DNS Services through the Regulation of a Policy Step 1. Set up multiple servers in the LAN with the IP addresses 192.168.1.101, 192.168.1.102, 192.168.1.103 and 192.168.1.104, and configure each one's preferred DNS server address as that of the external DNS server.
Step 4. Under Policy Object > Virtual Server > Port Mapping, set as below: (Figure 10-26) Name: Enter the name for the setting. Server Real IP: Select Port3 (WAN2) and type “211.22.22.23” in the field, or click Assist Me to select an IP address. ...
Step 5. Go to Policy > Incoming and then set as below: (Figure 10-28) Select the virtual server setting for Destination IP. Select Main_Service for Service. Click OK. (Figure 10-29) Figure 10-28 Configuring an Incoming Policy Figure 10-29 Policy Completed...
Step 6. Go to Policy > Outgoing and set as below: (Figure 10-30) Select the defined rule from the Source Address drop-down list. Select Mail_Service from the Service drop-down list. Click OK. (Figure 10-31) Figure 10-30 Configuring an Outgoing Policy Figure 10-31 Policy Completed Important:...
Chapter 11 VPN To obtain a private and secure network link, the CS-2001 is capable of establishing VPN connections. When used in combination with remote client authentication, it links the business’ remote sites and users, conveniently providing the enterprise with an encrypted network communication method. By allowing the...
Terms in VPN Diffie-Hellman A cryptographic protocol that allows two parties with no prior knowledge of each other to establish a shared secret key over an insecure communications channel. RSA An asymmetric cryptosystem; it involves a public key and a private key.
AH ( Authentication Header ) The Authentication Header provides connectionless integrity and data origin authentication of IP datagrams, but no confidentiality. ESP (Encapsulating Security Payload) The Encapsulating Security Payload provides confidentiality and, optionally, integrity protection of IP datagrams. DES (Data Encryption Standard) ...
Extended Authentication (XAuth) XAuth adds a user-level authentication step after the two gateways have authenticated each other. It uses a Request / Reply exchange to carry the user credentials, which is why it is also referred to as two-factor authentication. Note: 1. The Account Names under Extended Authentication (XAuth) are the accounts listed under Policy >...
Terms in One-Step IPSec One-Step IPSec One-Step IPSec completes the configuration in a single step. Go to Policy Object > VPN > One-Step IPSec, and then configure as follows: Type a name for the connection in the Name field. (Figure 11-1)...
Figure 11-3 The Automatically Created IPSec Policy Figure 11-4 The Corresponding Outgoing Policy Figure 11-5 The Corresponding Incoming Policy Note: 1. One-Step IPSec uses default settings (listed below) on most configurations to simplify the procedure of creating a VPN connection with IPSec encryption: ...
Terms in VPN Wizard: VPN Wizard It simplifies the settings of a VPN connection. Under Policy Object > VPN > VPN Wizard, set as below: Select a connection method and then click Next. (Figure 11-6) Create a policy for VPN connection. Click Next when finished. (Figure 11-7)...
Figure 11-9 Applying Available VPN Trunk to the Policy Figure 11-10 Setting Completed Figure 11-11 An Outgoing Policy Completed Figure 11-12 An Incoming policy Completed...
Figure 11-13 IPSec Autokey Screen Note: 1. By default, CS-2001 will create an IPSec VPN connection using Dead Peer Detection. If Remote Gateway – Fixed IP or Domain Name has been specified, then the IT administrator may manually create an IPSec VPN connection.
Click Modify to modify the settings, or click Remove to remove the settings. (Figure 11-14) Figure 11-14 PPTP Server Screen Note: 1. By default, the CS-2001 maintains a PPTP VPN connection using Echo-Request. If Manual Disconnect is ticked, the IT administrator can disconnect the connection manually. 2. PPTP's MS-CHAPv2 authentication and MPPE encryption are cryptographically weak; prefer the IPSec options wherever the remote peer supports them.
Click Modify to modify the setting, or click Remove to remove the setting. (Figure 11-15) Figure 11-15 PPTP Client Screen Note: 1. By default, CS-2001 will create a PPTP VPN connection using Echo-Request. If Manual Connection is ticked, then the IT administrator shall be able to create a connection manually.
1. Enabling the trunk load balancing feature allows the packets of a session to be load-balanced across the connections of a VPN trunk to increase the link speed. The load-balancing algorithm specified under Network > Interface > Load Balancing Mode is applied between the two CS-2001 units.
Terms in Trunk Name The description of the VPN trunk. Note: the name must be unique. Group Member The groups that are subject to the VPN Trunk rule. Configuration Click Modify to change the configuration of the VPN trunk; click Remove to remove the setting.
11.1 Example
Settings / Scenario:
11.1.1 IPSec Autokey: Using Two CS-2001 Devices to Mutually Access the Resources of Two Subnets via an IPSec VPN Connection
11.1.2 IPSec Autokey: Creating an IPSec VPN Connection under Windows 2000 by a CS-2001 Device
11.1.3 IPSec Autokey: Creating an IPSec VPN Connection between Two...
Configure Port2 as WAN1(211.22.22.22) and connect it to the ADSL Termination Unit Remote (ATUR) to access the Internet. Multiple subnet: 192.168.85.1. IP address range: 192.168.85.x/24 This example uses two CS-2001 devices to establish VPN connection between A Company and B Company. For A Company, set as below: Step 1.
Step 3. Select Remote Gateway (Static IP or Hostname) for Remote Settings, and enter the management address of B Company. (Figure 11-20) Figure 11-20 Remote Settings...
Step 4. Select “Pre-Shared Key” for Authentication Method, and enter a Pre-Shared Key String. (The maximum length of Pre-Shared Key String is 103 characters.) (Figure 11-21) Figure 11-21 Authentication Method Settings Step 5. Below Encryption and Data Integrity Algorithms, select “3DES” for Encryption Algorithm;...
Step 8. Settings completed. (Figure 11-25) Figure 11-25 IPSec Autokey Settings Completed Step 9. Under Policy Object > VPN > Trunk, set as below: (Figure 11-26) Name:Type a name. Local Settings : Select “LAN”. Local IP / Netmask : Type “192.168.10.0”...
Figure 11-26 VPN Trunk Settings Figure 11-27 VPN Trunk Created Step 10. Under Policy > Outgoing, set as below: (Figure 11-28) Select the defined trunk for VPN Trunk. Click OK. (Figure 11-29) Figure 11-28 Configuring a Policy with VPN Trunk Figure 11-29 Policy Created...
Step 11. Under Policy > Incoming, set as below: (Figure 11-30) Select the defined trunk for VPN Trunk. Click OK. (Figure 11-31) Figure 11-30 Creating an Incoming Policy with VPN Trunk Figure 11-31 An Incoming Policy with VPN Trunk Note:...
For B Company, set as below: Step 1. Under System > Configuration > Multiple Subnets, set as below: (Figure 11-32) Figure 11-32 Multiple Subnet Settings Step 2. Go to Policy Object > VPN > IPSec Autokey, and then click New Entry. (Figure 11-33)...
Step 5. Select “Pre-Shared Key” for Authentication Method, and enter a Pre-Shared Key String. (The maximum length of Pre-Shared Key String is 103 characters.) (Figure 11-36) Figure 11-36 Authentication Method Settings Step 6. Below Encryption and Data Integrity Algorithms, select “3DES” for Encryption Algorithm;...
Step 9. Settings completed. (Figure 11-40) Figure 11-40 IPSec Autokey Settings Completed Step 10. Under Policy Object > VPN > Trunk, click New Entry and then set as below: (Figure 11-41) Name: Type a name. Local Settings: Check “LAN”. Local IP / Netmask: Type “192.168.85.0”...
Step 11. Under Policy > Outgoing, click New Entry and then set as below: (Figure 11-43) Select the defined Trunk for VPN Trunk. Click OK. (Figure 11-44) Figure 11-43 Using VPN Trunk in an Outgoing Policy Figure 11-44 An Outgoing Policy with VPN Trunk...
Step 12. Under Policy > Incoming, click New Entry and then set as below: (Figure 11-45) Select the defined trunk for VPN Trunk. Click OK. (Figure 11-46) Figure 11-45 Creating an Incoming Policy with VPN Trunk Figure 11-46 An Incoming Policy with VPN Trunk...
11.1.2 Creating an IPSec VPN Connection under Windows 2000 by a CS-2001 Device Prerequisite Setup (Note: IP addresses used as examples only) A Company uses a CS-2001 device: Configure Port1 as LAN1 (192.168.10.1). IP address range: 192.168.10.x/24. Configure Port2 as WAN1 (61.11.11.11) and connect it to the ADSL Termination Unit Remote to access the Internet.
11-50) Figure 11-50 Remote Settings Step 4. Select “Pre-Shared Key” for Authentication Method, and enter a Pre-Shared Key String. (The maximum length of Pre-Shared Key String is 103 characters.) (Figure 11-51) Figure 11-51 Authentication Method Settings Step 5. Below Encryption and Data Integrity Algorithms, select “3DES” for Encryption Algorithm;...
Figure 11-54 Advanced Settings of IPSec Autokey Step 8. Settings completed. (Figure 11-55) Figure 11-55 IPSec Autokey Settings Completed Step 9. Under Policy Object > VPN > Trunk, set as below: (Figure 11-56) Name: Type a name. Local Settings: Select “LAN”. Local IP / Netmask: Type “192.168.10.0”...
Step 10. Under Policy > Outgoing, set as below: (Figure 11-58) Select the defined trunk for VPN Trunk. Click OK. (Figure 11-59) Figure 11-58 Creating an Outgoing Policy with VPN Trunk Figure 11-59 Policy Completed...
Step 11. Under Policy > Incoming, set as below: (Figure 11-60) Select the defined trunk for VPN Trunk. Click OK. (Figure 11-61) Figure 11-60 Creating an Incoming Policy with VPN Trunk Figure 11-61 Policy Completed...
For B Company, set as below: Step 1. Select Start > Run on the Start menu in Windows 2000. (Figure 11-62) Figure 11-62 Selecting “Run…” on the Start Menu Step 2. In the Open field of the Run window, type “mmc”. (Figure 11-63)...
Step 3. In the Console 1 window, click Console on the menu bar, and then click Add/Remove Snap-in. (Figure 11-64) Figure 11-64 Selecting “Add / Remove Snap-in” on the Console Menu Step 4. In the Add / Remove Snap-in window, click Add. Then, in the Add Standalone Snap-ins window, select IP Security Policy Management and add it.
Step 5. Select Local Computer, and then click Finish. (Figure 11-66) Figure 11-66 Selecting Local Computer Step 6. Settings completed. (Figure 11-67) Figure 11-67 Settings Completed...
Step 7. Right-click the IP Security Policies on Local Machine, and then click Create IP Security Policy. (Figure 11-68) Figure 11-68 Creating an IP Security Policy Step 8. Click Next. (Figure 11-69) Figure 11-69 Security Policy Wizard...
Step 9. Type the Name and Description and then click Next. (Figure 11-70) Figure 11-70 Name and Description Settings Step 10. Disable Activate the default response rule and then click Next. (Figure 11-71) Figure 11-71 Disable the “Activate the Default Response Rule”...
Step 11. In the IP Security Policy Wizard window, tick Edit properties and click Finish. (Figure 11-72) Figure 11-72 Settings Completed Step 12. In the VPN_B Properties window, disable Use Add Wizard and then click Add. (Figure 11-73)...
Step 13. In the New Rule Properties window, click Add. (Figure 11-74) Figure 11-74 New Rule Properties Step 14. In the IP Filter List window, disable Use Add Wizard. Change the Name into “VPN_B WAN TO LAN” and then click Add. (Figure 11-75)...
Step 15. In the Filter Properties window, select “A specific IP Address” for Source address, and then apply B Company’s WAN IP address “211.22.22.22” and subnet mask “255.255.255.255” to the fields. After that, select “A specific IP Subnet” for Destination address, and then type “192.168.10.0”...
Step 21. Tick Data integrity and encryption, and select “MD5” for Integrity algorithm and “3DES” for Encryption algorithm. Tick Generate a new key every, and enter “28800” in the seconds field, and then click OK to return to the New Rule Properties window. (Figure 11-82)...
Figure 11-83 Selecting the Connection Type...
Step 23. In the New Rule Properties window, click Tunnel Setting tab. After that, tick The tunnel endpoint is specified by this IP Address, and then enter “61.11.11.11” as the WAN IP address of A Company. (Figure 11-84) Figure 11-84 Tunnel Setting Step 24.
Step 25. Select Use this string to protect the key exchange (preshared key), and then enter the preshared key “123456789” in the field. (Figure 11-86) Figure 11-86 Preshared Key Settings...
Step 26. Click Apply, and then click Close to close the window. (Figure 11-87) Figure 11-87 Authentication Methods Settings...
Step 28. In the VPN_B Properties window, disable Use Add Wizard; click Add to create the second IP security rule. (Figure 11-89) Figure 11-89 VPN_B Properties Settings...
Step 29. In the New Rule Properties window, click Add. (Figure 11-90) Figure 11-90 Clicking “Add…” to Add an IP Filter...
Step 30. In the IP Filter List window, disable Use Add Wizard. Change the Name into “VPN_B LAN TO WAN”, and then click Add. (Figure 11-91) Figure 11-91 Adding an IP Filter...
Step 31. In the Filter Properties window, select “A specific IP Subnet” for Source address, and then type “192.168.10.0” as A Company‘s subnet address and “255.255.255.0” as subnet mask. After that, select “A specific IP Address” for Destination address, and then type “211.22.22.22” as B Company‘s WAN IP address and “255.255.255.255”...
Step 37. Check Data integrity and encryption, and select “MD5” for Integrity algorithm and “3DES” for Encryption algorithm. Tick Generate a new key every, and type “28800” in the seconds field, and then click OK to return to the New Rule Properties window (Figure 11-98)...
Step 38. In the New Rule Properties window, click Connection Type tab and tick All network connections. (Figure 11-99) Figure 11-99 Selecting the Connection Type...
Step 39. In the New Rule Properties window, click Tunnel Setting tab. After that, tick The tunnel endpoint is specified by this IP Address, and then type “211.22.22.22” as the WAN IP address of B Company. (Figure 11-100) Figure 11-100 Tunnel Settings...
Step 40. In the New Rule Properties window, click the Authentication Methods tab. Select the default method “Kerberos” and then click Edit on the right to replace it with a preshared key. (Figure 11-101) Figure 11-101 Authentication Methods Settings...
Step 41. Select Use this string to protect the key exchange (preshared key), and then enter the preshared key “123456789” in the field. (Figure 11-102) Figure 11-102 Preshared Key Settings...
Step 42. Click Apply, and then click Close to close the window. (Figure 11-103) Figure 11-103 New Authentication Method Created...
Step 44. In the VPN_B Properties window, click General tab and then click Advanced. (Figure 11-105) Figure 11-105 General Settings of VPN_B Properties...
Step 45. Tick Master Key Perfect Forward Secrecy and then click Methods. (Figure 11-106) Figure 11-106 Key Exchange Settings Step 46. Click Move up or Move down to arrange the order of the selected items. Move the item “IKE / 3DES / MD5” to the top, and then click OK. (Figure 11-107)...
Step 47. Settings completed. (Figure 11-108) Figure 11-108 IPSec VPN Settings Completed Step 48. Right-click VPN_B and then click Assign. (Figure 11-109) Figure 11-109 Assigning a Security Rule to VPN_B...
Step 49. Click Start > Settings > Control Panel. (Figure 11-110) Figure 11-110 Selecting “Control Panel” on the Start Menu Step 50. In the Control Panel window, double-click Administrative Tools. (Figure 11-111) Figure 11-111 Double-Clicking “Administrative Tools”...
Step 51. In the Administrative Tools window, double-click Services. (Figure 11-112) Figure 11-112 The Services Window Step 52. In the Services window, right-click IPSec Policy Agent and then click Restart, so that the newly assigned policy takes effect. (Figure 11-113) Figure 11-113 Restarting IPSec Policy Agent...
Step 53. Settings completed. (Figure 11-114) Figure 11-114 Deployment of IPSec VPN Using CS-2001 and Windows 2000...
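The Windows 2000 procedure above (Steps 13 to 47) builds the same tunnel twice: an outbound rule whose filter runs from the host's WAN address to A Company's subnet with the CS-2001 WAN as tunnel endpoint, and an inbound rule that is its mirror image with the host itself as tunnel endpoint, both with the same MD5/3DES/28800-second settings and preshared key as the CS-2001 side. The following Python is an added example, not from the PLANET manual or from Microsoft: it expresses those rules as data and checks the mistakes that silently break the tunnel (filters that are not mirror images, the remote WAN typed as the endpoint on both rules, algorithms or PSK that differ from the gateway's Phase 2 settings). The `IPFilter`/`TunnelRule` classes, the function names and the sample values are this example's own; the IP addresses are the manual's.

```python
"""Model of the two-rule Windows 2000 IPSec tunnel policy the manual builds by hand.

Added example, not from the PLANET manual or from Microsoft. The rule model and
checks are this example's own; the addresses and algorithms are the manual's.
"""
from dataclasses import dataclass, replace
from typing import List, Tuple

HOST_MASK = "255.255.255.255"   # "A specific IP Address" in the Filter Properties dialog


@dataclass(frozen=True)
class IPFilter:
    src: str
    src_mask: str
    dst: str
    dst_mask: str

    def mirrored(self) -> "IPFilter":
        return IPFilter(self.dst, self.dst_mask, self.src, self.src_mask)


@dataclass(frozen=True)
class TunnelRule:
    name: str
    filt: IPFilter
    tunnel_endpoint: str   # "The tunnel endpoint is specified by this IP Address"
    integrity: str         # e.g. "MD5"
    encryption: str        # e.g. "3DES"
    rekey_seconds: int     # "Generate a new key every ... seconds"
    psk: str               # "Use this string to protect the key exchange (preshared key)"


def build_rules(host_ip: str, gw_wan: str, gw_subnet: str, gw_mask: str, psk: str,
                integrity: str = "MD5", encryption: str = "3DES",
                rekey: int = 28800) -> Tuple[TunnelRule, TunnelRule]:
    """Windows host at host_ip reaches the CS-2001 LAN gw_subnet behind gw_wan.

    Outbound rule: host -> remote LAN, tunnel endpoint = CS-2001 WAN address.
    Inbound rule: the mirror image, tunnel endpoint = this host (tunnel ends here).
    """
    out_filter = IPFilter(host_ip, HOST_MASK, gw_subnet, gw_mask)
    outbound = TunnelRule("VPN_B WAN TO LAN", out_filter, gw_wan,
                          integrity, encryption, rekey, psk)
    inbound = TunnelRule("VPN_B LAN TO WAN", out_filter.mirrored(), host_ip,
                         integrity, encryption, rekey, psk)
    return outbound, inbound


def validate(rules: Tuple[TunnelRule, TunnelRule], host_ip: str) -> List[str]:
    """Return the problems with a rule pair; an empty list means it is consistent."""
    outbound, inbound = rules
    problems = []
    if inbound.filt != outbound.filt.mirrored():
        problems.append("inbound filter is not the mirror image of the outbound filter")
    if inbound.tunnel_endpoint != host_ip:
        problems.append(f"inbound rule tunnel endpoint must be this host ({host_ip})")
    if outbound.tunnel_endpoint == host_ip:
        problems.append("outbound rule tunnel endpoint must be the remote gateway, not this host")
    if outbound.tunnel_endpoint == inbound.tunnel_endpoint:
        problems.append("both rules point at the same tunnel endpoint")
    for attr in ("integrity", "encryption", "rekey_seconds", "psk"):
        if getattr(inbound, attr) != getattr(outbound, attr):
            problems.append(f"{attr} differs between the two rules")
    return problems


def matches_gateway(rules: Tuple[TunnelRule, TunnelRule], gw_auth: str, gw_enc: str,
                    gw_lifetime: int, gw_psk: str) -> List[str]:
    """Compare the rules with the CS-2001 IPSec Algorithm, IPSec SA Lifetime and PSK."""
    problems = []
    for r in rules:
        if (r.integrity, r.encryption) != (gw_auth, gw_enc):
            problems.append(f"{r.name}: {r.integrity}/{r.encryption} vs gateway {gw_auth}/{gw_enc}")
        if r.rekey_seconds != gw_lifetime:
            problems.append(f"{r.name}: rekey {r.rekey_seconds}s vs gateway lifetime {gw_lifetime}s")
        if r.psk != gw_psk:
            problems.append(f"{r.name}: preshared key differs from the gateway's")
    return problems


# Constructed from the manual's example: host 211.22.22.22, CS-2001 WAN 61.11.11.11,
# LAN 192.168.10.0/24, preshared key 123456789.
RULES = build_rules("211.22.22.22", "61.11.11.11", "192.168.10.0", "255.255.255.0", "123456789")
# A common mistake: the gateway's WAN address typed as tunnel endpoint on both rules.
RULES_WRONG_ENDPOINT = (RULES[0], replace(RULES[1], tunnel_endpoint="61.11.11.11"))

if __name__ == "__main__":
    print(validate(RULES, "211.22.22.22") or "rules consistent")
    print(validate(RULES_WRONG_ENDPOINT, "211.22.22.22"))
    print(matches_gateway(RULES, "MD5", "3DES", 28800, "123456789") or "matches CS-2001 Phase 2")
```

Run it before assigning the policy in Step 48: an empty list from both `validate` and `matches_gateway` means the two MMC rules agree with each other and with the CS-2001 IPSec Algorithm settings of Steps 5 to 7.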
Configure Port2 as WAN1 (211.22.22.22) and connect it to the ADSL Termination Unit Remote (ATUR) to access the Internet. This example uses two CS-2001 devices to establish a VPN connection between A Company and B Company (using aggressive mode). For A Company, set as below: Step 1.
and enter the management address of B Company. (Figure 11-117) Figure 11-117 Remote Settings...
Step 4. Select “Pre-Shared Key” for Authentication Method, and enter a Pre-Shared Key String. (The maximum length of Pre-Shared Key String is 103 characters.) (Figure 11-118) Figure 11-118 Authentication Method Settings Step 5. Below Encryption and Data Integrity Algorithms, select “3DES” for Encryption Algorithm;...
Step 8. Select “Aggressive mode” for Mode. Enter 11.11.11.11 in the My ID field and then enter @abc123 in the Peer ID field. (Figure 11-122) Figure 11-122 Mode Settings Note: 1. MY ID / Peer ID Settings: The ID will be the same as the WAN IP if you leave the field blank. ...
Step 10. Under Policy Object > VPN > Trunk, set as below: (Figure 11-124) Name: Type a name. Local Settings: Select “LAN”. Local IP / Netmask: Type “192.168.10.0” as A Company’s subnet address and “255.255.255.0” as Mask. Remote Settings: Select Remote IP / Netmask.
Step 11. Under Policy > Outgoing, click New Entry and then set as below: (Figure 11-126) Select the defined trunk from the VPN Trunk drop-down list. Click OK. (Figure 11-127) Figure 11-126 Configuring an Outgoing Policy with VPN Trunk Figure 11-127 An Outgoing Policy with VPN Trunk...
Step 12. Under Policy > Incoming, click New Entry and then set as below: (Figure 11-128) Select the defined trunk from the VPN Trunk drop-down list. Click OK. (Figure 11-129) Figure 11-128 Configuring an Incoming Policy with VPN Trunk Figure 11-129 An Incoming Policy with VPN Trunk...
For B Company, set as below: Step 1. Under Policy Object > VPN > IPSec Autokey, click New Entry and then set as below: (Figure 11-130) Figure 11-130 IPSec Autokey Screen Step 2. Enter ipsec2 in the Name field and then select Port2 (WAN1) for WAN Interface.
Step 5. Below Encryption and Data Integrity Algorithms, select “3DES” for Encryption Algorithm; select “SHA1” for Authentication Algorithm; select “DH 2” for Key Group. (Figure 11-134) Figure 11-134 ISAKMP Algorithm Settings...
Step 6. Configure the settings under IPSec Algorithm. Select “3DES” for Encryption Algorithm and “MD5” for Authentication Algorithm. (Figure 11-135) Figure 11-135 IPSec Algorithm Settings Step 7. Select “Group 1” for PFS Key Group. Enter “3600” in the ISAKMP SA Lifetime field and “28800”...
Step 10. Select Policy Object > VPN > Trunk, click New Entry and then set as below: (Figure 11-139) Name: Type a name. Local Settings: Select “LAN”. Local IP / Netmask: Type “192.168.20.0” as B Company’s subnet address and “255.255.255.0” as Mask.
Step 11. Under Policy > Outgoing, click New Entry and then set as below: (Figure 11-141) Select the defined trunk for VPN Trunk. Click OK. (Figure 11-142) Figure 11-141 Configuring an Outgoing Policy with VPN Trunk Figure 11-142 Policy Completed...
Step 12. Under Policy > Incoming, click New Entry and then set as below: (Figure 11-143) Select the defined trunk for VPN Trunk. Click OK. (Figure 11-144) Figure 11-143 Configuring an Incoming Policy with VPN Trunk Figure 11-144 Policy Completed...
Step 13. Settings completed. (Figure 11-145) Figure 11-145 Deployment of IPSec VPN Using Aggressive Mode...
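Both site-to-site examples (11.1.1 in main mode and the aggressive-mode example above) depend on the two CS-2001 devices being configured as mirror images: identical ISAKMP and IPSec algorithms, key groups, lifetimes and pre-shared key; each side's Remote Gateway equal to the other side's WAN address; the trunk's Local and Remote IP / Netmask swapped; and, in aggressive mode, each side's My ID equal to the other side's Peer ID (the manual's note: a blank My ID means the WAN IP). A mismatch in any of these fails silently at negotiation time. The Python below is an added example, not from the PLANET manual: it captures each side's settings as data and reports every mismatch, warns when the IPSec proposal is authentication-only (integrity without confidentiality) or the pre-shared key is short or all digits like the manual's 123456789, and generates a random key within the 103-character limit the manual states. The `IPSecPeer` model, the rule that a blank Peer ID means the peer's WAN IP, and A Company's WAN address 61.11.11.11 in the 11.1.1 data (taken from 11.1.2, since the 11.1.1 prerequisites are truncated) are this example's assumptions.

```python
"""Pre-flight consistency check for a CS-2001 IPSec Autokey peer pair.

Added example, not from the PLANET manual. Field names follow the GUI labels;
the IPSecPeer model and the checks are this example's own.
"""
from dataclasses import dataclass, replace
from typing import List, Optional
import secrets
import string

PSK_MAX_LEN = 103          # maximum Pre-Shared Key String length stated in the manual
PSK_MIN_RECOMMENDED = 20   # assumption: shorter keys are flagged as weak


@dataclass(frozen=True)
class IPSecPeer:
    name: str
    wan_ip: str               # WAN interface the tunnel terminates on
    remote_gateway: str       # Remote Gateway (Static IP or Hostname): the peer's WAN IP
    local_subnet: str         # Trunk Local IP / Netmask, e.g. "192.168.10.0/255.255.255.0"
    remote_subnet: str        # Trunk Remote IP / Netmask
    psk: str                  # Pre-Shared Key String
    isakmp_enc: str           # ISAKMP (Phase 1) Encryption Algorithm, e.g. "3DES"
    isakmp_auth: str          # ISAKMP Authentication Algorithm, "SHA1" or "MD5"
    key_group: str            # ISAKMP Key Group, e.g. "DH 2"
    ipsec_enc: Optional[str]  # IPSec (Phase 2) Encryption; None = "Use authentication algorithm only"
    ipsec_auth: str           # IPSec Authentication Algorithm
    pfs_group: str            # PFS Key Group, e.g. "Group 1"
    isakmp_lifetime: int      # ISAKMP SA Lifetime, seconds
    ipsec_lifetime: int       # IPSec SA Lifetime, seconds
    mode: str                 # "Main" or "Aggressive"
    my_id: str = ""           # aggressive mode; blank means the WAN IP (manual note)
    peer_id: str = ""         # assumption: blank means we expect the peer's WAN IP

    def effective_my_id(self) -> str:
        return self.my_id or self.wan_ip

    def expected_peer_id(self) -> str:
        return self.peer_id or self.remote_gateway


# Proposal fields that must be identical on both peers, or IKE negotiation fails.
MATCHED_FIELDS = ("isakmp_enc", "isakmp_auth", "key_group", "ipsec_enc", "ipsec_auth",
                  "pfs_group", "isakmp_lifetime", "ipsec_lifetime", "mode")


def check_pair(a: IPSecPeer, b: IPSecPeer) -> List[str]:
    """Return every mismatch between the two sides; an empty list means they agree."""
    problems = []
    for f in MATCHED_FIELDS:
        if getattr(a, f) != getattr(b, f):
            problems.append(f"{f}: {a.name}={getattr(a, f)!r} vs {b.name}={getattr(b, f)!r}")
    if a.psk != b.psk:
        problems.append("pre-shared key differs between peers")
    for p in (a, b):
        if len(p.psk) > PSK_MAX_LEN:
            problems.append(f"{p.name}: PSK longer than {PSK_MAX_LEN} characters")
    # Each side's Remote Gateway must be the other side's WAN IP.
    for me, other in ((a, b), (b, a)):
        if me.remote_gateway != other.wan_ip:
            problems.append(f"{me.name}: remote gateway {me.remote_gateway} is not {other.name}'s WAN {other.wan_ip}")
    # Trunk subnets must mirror: A's Local is B's Remote and vice versa.
    if a.local_subnet != b.remote_subnet or b.local_subnet != a.remote_subnet:
        problems.append("trunk Local / Remote IP / Netmask are not mirror images")
    # Aggressive mode exchanges IDs; what one side sends must be what the other expects.
    if a.mode == b.mode == "Aggressive":
        for me, other in ((a, b), (b, a)):
            if me.effective_my_id() != other.expected_peer_id():
                problems.append(f"{me.name} sends ID {me.effective_my_id()!r}, {other.name} expects {other.expected_peer_id()!r}")
    return problems


def warnings(p: IPSecPeer) -> List[str]:
    """Non-fatal but security-relevant findings for one side."""
    w = []
    if p.ipsec_enc is None:
        w.append(f"{p.name}: authentication-only IPSec gives integrity but no confidentiality")
    if len(p.psk) < PSK_MIN_RECOMMENDED or p.psk.isdigit():
        w.append(f"{p.name}: pre-shared key is short or all digits; replace it with generate_psk()")
    return w


def generate_psk(length: int = 64) -> str:
    """Random printable-ASCII PSK that fits the manual's 103-character limit."""
    if not 1 <= length <= PSK_MAX_LEN:
        raise ValueError(f"length must be 1..{PSK_MAX_LEN}")
    alphabet = string.ascii_letters + string.digits + "!#%+-=_.:"
    return "".join(secrets.choice(alphabet) for _ in range(length))


# Constructed from the manual's worked values; A's WAN 61.11.11.11 is assumed.
A_MAIN = IPSecPeer("A", "61.11.11.11", "211.22.22.22",
                   "192.168.10.0/255.255.255.0", "192.168.85.0/255.255.255.0", "123456789",
                   "3DES", "SHA1", "DH 2", "3DES", "MD5", "Group 1", 3600, 28800, "Main")
B_MAIN = IPSecPeer("B", "211.22.22.22", "61.11.11.11",
                   "192.168.85.0/255.255.255.0", "192.168.10.0/255.255.255.0", "123456789",
                   "3DES", "SHA1", "DH 2", "3DES", "MD5", "Group 1", 3600, 28800, "Main")
B_MAIN_BAD_HASH = replace(B_MAIN, isakmp_auth="MD5")   # one side typed MD5, the other SHA1

# Aggressive-mode pair: A sends "11.11.11.11" and expects "@abc123" (manual Step 8).
A_AGG = replace(A_MAIN, remote_subnet="192.168.20.0/255.255.255.0",
                mode="Aggressive", my_id="11.11.11.11", peer_id="@abc123")
B_AGG = replace(B_MAIN, local_subnet="192.168.20.0/255.255.255.0",
                mode="Aggressive", my_id="@abc123", peer_id="11.11.11.11")
B_AGG_NO_PEER_ID = replace(B_AGG, peer_id="")   # B left Peer ID blank, so it expects A's WAN IP

if __name__ == "__main__":
    print(check_pair(A_MAIN, B_MAIN) or "main-mode pair agrees")
    print(check_pair(A_MAIN, B_MAIN_BAD_HASH))
    print(check_pair(A_AGG, B_AGG_NO_PEER_ID))
    print(warnings(A_MAIN), "suggested PSK:", generate_psk())
```

Fill in one `IPSecPeer` per device from the GUI before clicking OK on either side; `check_pair` returning an empty list is the condition under which the trunk in Step 9/10 can come up. The ID check matters only in aggressive mode because IKEv1 main mode with a pre-shared key identifies the peer by its source address, which is why the manual reaches for aggressive mode when IDs other than the WAN IP are needed.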
A Company’s WAN port 1 and B Company’s WAN port 1; A Company’s WAN port 2 and B Company’s WAN port 2. This example uses two CS-2001 devices. Assume that A Company wants to create a VPN connection with B Company in order to access files. (GRE / IPSec package...
For A Company, set as below: Step 1. Go to Policy Object > VPN > IPSec Autokey, and then click New Entry. (Figure 11-146) Figure 11-146 IPSec Autokey Screen Step 2. Enter VPN_01 in the Name field and then select Port2 (WAN1) for the WAN Interface.
Step 6. Below IPSec Algorithm, select Use both algorithms, or tick Use authentication algorithm only. If Use both algorithms is selected, choose “3DES” for Encryption Algorithm and “MD5” for Authentication Algorithm. Note that Use authentication algorithm only protects integrity but not confidentiality: the tunnelled traffic crosses the Internet unencrypted. (Figure 11-151) Figure 11-151 IPSec Algorithm Settings Step 7. Select “Group 1” for PFS Key Group. Enter “3600” in the ISAKMP SA Lifetime field and “28800”...
Step 9. Setting completed. (Figure 11-154) Figure 11-154 IPSec Autokey Settings Completed Step 10. Select Policy Object > VPN > IPSec Autokey, and then click New Entry. Step 11. Type VPN_02 in the Name field and then select Port3(WAN2) for the WAN Interface.
Step 14. Under the ISAKMP Algorithm section, select “3DES” for Encryption Algorithm; select “MD5” for Authentication Algorithm; select “DH 1” for Key Group. (Figure 11-159) Figure 11-159 ISAKMP Algorithm Settings Step 15. Select Use both algorithms below the IPSec Algorithm, or tick Use authentication algorithm only.
Step 18. Settings completed. (Figure 11-163) Figure 11-163 IPSec Autokey Settings Completed Step 19. Under Policy Object > VPN > Trunk, set as below: (Figure 11-164) Name: Type a name. Local Settings: Select “LAN”. Local IP / Netmask: Type “192.168.10.0”...
Step 20. Under Policy > Outgoing, click New Entry and then set as below: (Figure 11-166) Select the defined trunk for VPN Trunk. Click OK. (Figure 11-167) Figure 11-166 Configuring an Outgoing Policy with VPN Trunk Figure 11-167 Policy Completed...
Step 21. Under Policy > Incoming, click New Entry and then set as below: (Figure 11-168) Select the defined trunk for VPN Trunk. Click OK. (Figure 11-169) Figure 11-168 Configuring an Incoming Policy with VPN Trunk Figure 11-169 An Incoming Policy with VPN Trunk Completed...
For B Company, set as below: Step 1. Go to Policy Object > VPN > IPSec Autokey, and then click New Entry. (Figure 11-170) Figure 11-170 IPSec Autokey Screen Step 2. Type VPN_01 in the Name field and then select Port2(WAN1) for WAN Interface.
Step 6. Below IPSec Algorithm, select Use both algorithms, or tick Use authentication algorithm only. If Use both algorithms is selected, choose “3DES” for Encryption Algorithm and “MD5” for Authentication Algorithm. (Figure 11-175) Figure 11-175 IPSec Algorithm Settings Step 7. Select “Group 1” for PFS Key Group. Enter “3600” in the ISAKMP SA Lifetime field and “28800”...
Step 10. Under Policy Object > VPN > IPSec Autokey, click New Entry again. Step 11. Type VPN_02 in the Name field and then select Port3 (WAN2) for Interface. (Figure 11-180) Figure 11-180 Name and Interface Settings Step 12. Select Remote Gateway (Static IP or Hostname) for Remote Settings, and enter the IP address of A Company's WAN port 2.
Algorithm. (Figure 11-184) Figure 11-184 IPSec Algorithm Settings Step 16. Select “Group 1” for PFS Key Group. Enter “3600” in the ISAKMP SA Lifetime field and “28800” in the IPSec SA Lifetime field and then select “Main Mode” for Mode. (Figure 11-185)...
Step 19. Under Policy Object > VPN > Trunk, set as below: (Figure 11-188) Name: Type a name. Local Settings: Select “LAN”. Local IP / Netmask: Type “192.168.20.0” as B Company’s subnet address and “255.255.255.0” as Mask. Remote Settings: Select Remote IP / Netmask.
Step 20. Under Policy > Outgoing, click New Entry and then set as below: (Figure 11-190) Select the defined trunk for VPN Trunk. Click OK. (Figure 11-191) Figure 11-190 Using VPN Trunk in an Outgoing Policy Figure 11-191 An Outgoing Policy with VPN Trunk...
Step 21. Select Policy > Incoming, click New Entry and then set as below: (Figure 11-192) Select the defined trunk for VPN Trunk. Click OK. (Figure 11-193) Figure 11-192 Using VPN Trunk in an Incoming Policy Figure 11-193 An Incoming Policy with VPN Trunk...
Step 22. Settings completed. (Figure 11-194) Figure 11-194 Deployment of IPSec VPN Using GRE/IPSec...
C Company: Configure Port1 as LAN1 (192.168.30.1). IP range: 192.168.30.x/24. Configure Port2 as WAN1 (121.33.33.33) and connect it to the ADSL Termination Unit Remote to access the Internet. This example uses three CS-2001 devices to establish VPN connections among A Company, B Company and C Company.
For A Company, set as below: Step 1. Go to Policy Object > VPN > IPSec Autokey and then click New Entry. (Figure 11-195) Figure 11-195 IPSec Autokey Step 2. Type VPN_01 in the Name field and then select Port2(WAN1) for Interface.
Figure 11-199 Configuring the IPSec Algorithm Step 6. Under the IPSec Algorithm section, select 3DES for Encryption Algorithm and then select MD5 for Authentication Algorithm. (Figure 11-200) Figure 11-200 Configuring the IPSec Algorithm Step 7. Under the Advanced Settings (optional) section, select GROUP 1 for PFS Key Group, enter 3600 in the ISAKMP SA Lifetime field, enter 28800 in the IPSec SA Lifetime field and then select Main mode for Mode.
Step 8. Policy Created. (Figure 11-202) Figure 11-202 Policy Created Step 9. Go to Policy Object > VPN > Trunk, click New Entry and then set as below: (Figure 11-203) Type the name in the Name field. Local Settings: select LAN. Enter the local subnet and the mask. ...
Figure 11-204 First Trunk Completed Step 10. Go to Policy Object > VPN > IPSec Autokey and then click the New Entry button again. (Figure 11-205) Figure 11-205 The IPSec Autokey Page Step 11. Type VPN_02 in the Name field and then select Port2(WAN1) for the Interface.
Step 15. Under the IPSec Algorithm section, select Use both algorithms. Select 3DES for Encryption Algorithm and MD5 for Authentication Algorithm. (Figure 11-210) Figure 11-210 Configuring IPSec Algorithm Step 16. Under the Advanced Settings (Optional) section, select GROUP 1 for PFS Key Group, enter 3600 in the ISAKMP SA Lifetime field, enter 28800 in the IPSec SA Lifetime field and then select Main mode for Mode.
Step 18. Go to Policy Object > VPN > Trunk, click New Entry and then set as below: (Figure 11-213) Type the name in the Name field. Local Settings: select LAN. Enter the IP address and the Mask in the Local IP / Netmask field.
Step 19. Go to Policy Object > VPN > Trunk Group, click New Entry and then set as below: (Figure 11-215) Type the name in the Name field. Move IPSec_VPN_Trunk_01(LAN) and IPSec_VPN_Trunk_02(LAN) from the Available Trunks column to the Selected Trunks column.
Step 20. Under Policy > Outgoing, click New Entry and then set as below: (Figure 11-217) Select the defined Trunk from the VPN Trunk drop-down list. Click OK. (Figure 11-218) Figure 11-217 Configuring the Outgoing Policy with VPN Trunk Figure 11-218 Policy Created...
Step 21. Go to Policy > Incoming, click New Entry and then set as below: (Figure 11-219) Select the defined Trunk from the VPN Trunk drop-down list. Click OK. (Figure 11-220) Figure 11-219 Configuring an Incoming Policy with VPN Trunk Figure 11-220 Policy Created...
For B Company, set as below: Step 1. Go to Policy Object > VPN > IPSec Autokey and then click the New Entry button. (Figure 11-221) Figure 11-221 The IPSec Autokey Page Step 2. Type VPN_01 in the Name field and then select Port2(WAN1) for Interface.
Step 6. Under the IPSec Algorithm section, select Use both algorithms. Select 3DES for Encryption Algorithm and then select MD5 for Authentication Algorithm. (Figure 11-226) Figure 11-226 Configuring the IPSec Algorithm Step 7. Under the Advanced Settings (optional) section, select GROUP 1 for PFS Key Group, enter 3600 in the ISAKMP SA Lifetime field, enter 28800 in the IPSec SA Lifetime field and then select Main mode for Mode.
Step 9. Under Policy Object > VPN > Trunk, click the New Entry button and then set as below: (Figure 11-229) Type the name in the Name field. Local Settings: Select LAN. Local IP / Netmask: Enter the subnet and the mask.
Step 10. Go to Policy > Outgoing, click the New Entry button and then set as below: (Figure 11-231) Select the defined Trunk from the VPN Trunk drop-down list. Click OK. (Figure 11-232) Figure 11-231 Configuring an Outgoing Policy with VPN Trunk Figure 11-232 A Policy with VPN Trunk Created...
Step 11. Go to Policy > Incoming, click the New Entry button and then set as below: (Figure 11-233) Select the defined Trunk from the VPN Trunk drop-down list. Click OK. (Figure 11-234) Figure 11-233 Configuring an Incoming Policy with VPN Trunk Figure 11-234 A Policy with VPN Trunk Created...
For C Company, set as below: Step 1. Under Policy Object > VPN > IPSec Autokey, click the New Entry button and then set as below: (Figure 11-235) Figure 11-235 The IPSec Autokey Page Step 2. Enter the name in the Name field and then select Port2(WAN1) for Interface.
Step 6. Under the IPSec Algorithm section, select Use both algorithms. Select 3DES for Encryption Algorithm and then select MD5 for Authentication Algorithm. (Figure 11-240) Figure 11-240 Configuring the IPSec Algorithm Step 7. Under the Advanced Settings (optional) section, select GROUP 1 from the PFS Key Group drop-down list.
Step 9. Go to Policy Object > VPN > Trunk, click the New Entry button and then set as below: (Figure 11-243) Type the name in the Name field. Local Settings: Select LAN. Enter C Company's subnet / mask 192.168.30.0 / 255.255.255.0 in the field.
Step 10. Go to Policy > Outgoing, click New Entry and then set as below: (Figure 11-245) Select the defined Trunk from the VPN Trunk drop-down list. Click OK. (Figure 11-246) Figure 11-245 Configuring an Outgoing Policy Figure 11-246 Policy Completed...
Step 11. Go to Policy > Incoming, click New Entry and then set as below: (Figure 11-247) Select the defined Trunk from the VPN Trunk drop-down list. Click OK. (Figure 11-248) Figure 11-247 Configuring an Incoming Policy Figure 11-248 Setting Completed...
Step 12. Setting completed. (Figure 11-249) Figure 11-249 The Deployment of IPSec VPN...
A Company’s WAN port 1 and B Company’s WAN port 1; A Company’s WAN port 2 and B Company’s WAN port 2. This example uses two CS-2001 devices to establish a VPN connection between A Company and B Company.
1. The IT administrator may allow or deny external users Internet access through the CS-2001 device while they have a VPN connection established to it. 2. Auto-disconnect if idle for: if the VPN connection is idle for the specified time, it will be...
3. To authenticate PPTP VPN connections against a RADIUS server (refer to chapter 8 for RADIUS authentication), go to Policy Object > VPN > PPTP Server and create a PPTP Server entry whose User Name is “*” and whose Password is “@radius”. Step 2.
Figure 11-253 Configuring the Second PPTP Server...
Figure 11-254 Second PPTP Server Completed...
Step 3. Go to Policy Object > VPN > Trunk, click New Entry and then set as below: (Figure 11-255) Type the name in the Name field. Local Settings: Select LAN. Type A Company’s subnet / mask 192.168.10.0 / 255.255.255.0 in the field. ...
Note: 1. When Remote IP / Netmask is selected for Remote Settings, you may select only one tunnel to establish the PPTP VPN connection. Step 4. Go to Policy > Outgoing, click New Entry and then set as below: (Figure 11-257)...
Step 5. Go to Policy > Incoming, click New Entry and then set as below: (Figure 11-259) Select the defined VPN from the VPN Trunk drop-down list. Click OK. (Figure 11-260) Figure 11-259 Configuring an Incoming Policy with VPN Trunk Figure 11-260 Settings Completed...
For B Company, set as below: Step 1. Go to Policy Object > VPN > PPTP Client and then set as below: Click New Entry. (Figure 11-261) Type PPTP_01 in the Username field. Enter 123456789 in the Password field. ...
Figure 11-263 Second PPTP Client Setting Completed Figure 11-264 Second PPTP Client Setting Completed Note: 1. When the CS-2001 PPTP Client establishes a VPN connection with a Windows PPTP Server, NAT with PPTP Client must be selected for the PCs behind the CS-2001 to reach the Windows PPTP server.
Step 2. Go to Policy Object > VPN > Trunk, click New Entry and then set as below: (Figure 11-265) Enter the name in the Name field. Local Settings: select LAN. Enter B Company’s local subnet / mask 192.168.20.0/ 255.255.255.0 in the Local IP / Netmask field.
Figure 11-266 Settings Completed Note: 1. When Remote IP / Netmask is selected for Remote Settings, the number of PPTP Client tunnels must match the number of WAN ports.
Step 3. Go to Policy > Outgoing and then set as below: (Figure 11-267) Select the defined Trunk from the VPN Trunk drop-down list. Click OK. (Figure 11-268) Figure 11-267 Configuring an Outgoing Policy Figure 11-268 Setting Completed...
Step 4. Go to Policy > Incoming, click New Entry and then set as below: (Figure 11-269) Select the defined Trunk from the VPN Trunk drop-down list. Click OK. (Figure 11-270) Figure 11-269 Configuring an Incoming Policy Figure 11-270 Settings Completed...
Step 5. Settings completed. (Figure 11-271) Figure 11-271 The Deployment of PPTP VPN...
Configure Port 2 as WAN1 (211.22.22.22) and connect it to the ADSL Termination Unit Remote (ATUR) to access the Internet. This example uses two CS-2001 devices to establish a VPN connection between A Company and B Company. For A Company, set as below:...
Step 1. Go to Policy Object >VPN > PPTP Server and then set as below: (Figure 11-272) Click Modify. Click Enable PPTP. Click Encryption. Tick Allow Internet access via and then select the port. Auto-disconnect if idle for: type 0. ...
Step 2. Go to Policy Object > VPN > PPTP Server, click New Entry and then set as below: (Figure 11-273) Type PPTP_Connection in the Username field. Type 123456789 in the Password field. Under Client IP(s) assigned from, click IP Range. ...
Figure 11-275 Configuring PPTP Connection Figure 11-276 Setting Completed Note: 1. When the CS-2001 PPTP Client establishes a VPN connection with the CS-2001 PPTP Server, NAT with PPTP Client must be selected for the PPTP Client users to access the Internet via the PPTP Server.
Step 2. Go to Policy Object > VPN > Trunk, click New Entry and then set as below: (Figure 11-277) Enter the name in the Name field. Local Settings: select LAN. Type B Company’s subnet/ mask 192.168.20.0 / 255.255.255.0 in the Local IP / Netmask field. ...
Step 3. Go to Policy > Outgoing, click New Entry and then set as below: (Figure 11-279) Select the defined Trunk from the VPN Trunk drop-down list. Click OK. (Figure 11-280) Figure 11-279 Configuring an Outgoing Policy Figure 11-280 Setting Completed Note:...
Remote (ATUR) to access the Internet. B Company uses a PC running Windows 2000. IP address: 211.22.22.22. This example establishes a VPN connection between one CS-2001 device and one PC running Windows 2000. For A Company, set as below:...
1. The IT administrator may allow or deny external users Internet access through the CS-2001 device while they have a VPN connection established to the CS-2001 PPTP Server. 2. Auto-disconnect if idle for: if the VPN connection is idle for the specified number of minutes, it will be...
The Client IP Allocation / IP Range must lie within LAN1 (192.168.10.x/24) and must not include addresses that are already in use. In addition, the external user must establish the PPTP VPN connection to the CS-2001 via IPSec VPN. Step 2. Go to Policy Object > VPN > PPTP Server, click New Entry and then set as below: (Figure 11-283)...
Step 3. Go to Policy Object > VPN > Trunk, click New Entry and then set as below: (Figure 11-285) Type the name in the Name field. Local Settings: select LAN. Type A Company’s subnet / mask 192.168.10.0 / 255.255.255.0 in the Local IP/ Netmask field. ...
Note: 1. If the external users want to connect to the IPSec VPN subnet, the Local IP/ Netmask must be configured as the IPSec VPN subnet.
Step 4. Go to Policy > Outgoing, click New Entry and then set as below: (Figure 11-287) Select the defined trunk from the VPN Trunk drop-down list. Click OK. (Figure 11-288) Figure11-287 Configuring an Outgoing Policy Figure 11-288 Setting Completed...
Step 5. Go to Policy > Incoming, click New Entry and then set as below: (Figure 11-289) Select the defined Trunk from the VPN Trunk drop-down list. Click OK. (Figure 11-290) Figure 11-289 Configuring an Incoming Policy with VPN Trunk Figure 11-290 Setting Completed...
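The PPTP Server procedure above rests on one constraint the manual states in passing: the Client IP Allocation / IP Range handed to dial-in users must lie inside LAN1 (192.168.10.x/24) and must not collide with addresses already in use there, or remote clients will be unreachable or will hijack a LAN host's address. The Python below is an added example, not from the PLANET manual, that checks a proposed pool before it is typed into the GUI: inside the LAN, not containing the gateway, network or broadcast address, and not overlapping a set of known in-use hosts or a DHCP scope. The function name, the in-use host list and the DHCP-scope check are this example's assumptions; the LAN and gateway are the manual's. Separately, bear in mind that PPTP's MS-CHAPv2 authentication and MPPE encryption are considered broken; where both ends support it, the IPSec examples earlier in this chapter are the better choice.

```python
"""Check a PPTP Server client IP pool against the CS-2001 LAN it must live in.

Added example, not from the PLANET manual. Encodes the manual's rule that the
Client IP Allocation / IP Range must lie inside LAN1 and not reuse addresses
already taken; the DHCP-scope overlap check is this example's own addition.
"""
import ipaddress
from typing import Iterable, List, Optional, Tuple


def check_pptp_pool(lan_cidr: str, gateway_ip: str, pool_start: str, pool_end: str,
                    in_use: Iterable[str] = (),
                    dhcp_scope: Optional[Tuple[str, str]] = None) -> List[str]:
    """Return problems with the pool; an empty list means it is safe to configure."""
    lan = ipaddress.ip_network(lan_cidr, strict=True)
    start, end = ipaddress.ip_address(pool_start), ipaddress.ip_address(pool_end)
    if start > end:
        return [f"pool start {start} is after pool end {end}"]
    if start not in lan or end not in lan:
        return [f"pool {start}-{end} is not inside LAN {lan}"]
    pool = range(int(start), int(end) + 1)   # inclusive address range as integers
    problems = []
    # The gateway, network and broadcast addresses can never be handed to a client.
    for label, addr in (("gateway", ipaddress.ip_address(gateway_ip)),
                        ("network address", lan.network_address),
                        ("broadcast address", lan.broadcast_address)):
        if int(addr) in pool:
            problems.append(f"pool contains the LAN {label} {addr}")
    clashes = sorted(a for a in in_use if int(ipaddress.ip_address(a)) in pool)
    if clashes:
        problems.append("pool overlaps addresses already in use: " + ", ".join(clashes))
    if dhcp_scope:
        d0, d1 = (int(ipaddress.ip_address(x)) for x in dhcp_scope)
        if d0 <= pool.stop - 1 and pool.start <= d1:   # interval intersection test
            problems.append(f"pool overlaps DHCP scope {dhcp_scope[0]}-{dhcp_scope[1]}")
    return problems


# Constructed sample: A Company's LAN1 from the manual plus assumed in-use hosts.
LAN = "192.168.10.0/24"
GATEWAY = "192.168.10.1"
IN_USE = {"192.168.10.10", "192.168.10.20", "192.168.10.110"}

if __name__ == "__main__":
    print(check_pptp_pool(LAN, GATEWAY, "192.168.10.200", "192.168.10.220", IN_USE) or "pool OK")
    print(check_pptp_pool(LAN, GATEWAY, "192.168.10.100", "192.168.10.120", IN_USE))
    print(check_pptp_pool(LAN, GATEWAY, "192.168.11.100", "192.168.11.120", IN_USE))
```

Feed it the LAN, the gateway address and whatever inventory you have of static hosts and DHCP scopes; only a pool that returns an empty list should go into the Client IP(s) assigned from field.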
For B Company, set as below: Step 1. Right-click My Network Places and then click Properties. (Figure 11-291) Figure 11-291 Selecting “Properties” on the Shortcut Menu of “My Network Places” Step 2. In the Network and Dial-up Connections window, double-click “Make New Connection”.
Figure 11-292 Double-Clicking on “Make New Connection”...
Step 3. In the Location Information window, specify the country / region, area code and phone system accordingly, and then click OK. (Figure 11-293) Figure 11-293 Local Information Settings Step 4. In the Phone And Modem Options window, click OK. (Figure 11-294)...
Step 5. In the Network Connection Wizard window, click Next. (Figure 11-295) Figure 11-295 Network Connection Wizard Step 6. In the Network Connection Type window, select Connect to a private network through the Internet and then click Next. (Figure 11-296) Figure 11-296 Select the “Connect to a private network through the Internet”...
Step 7. In the Destination Address window, type the host name or IP address in the blank field and then click Next. (Figure 11-297) Figure 11-297 Destination Address Settings Step 8. In the Connection Availability window, select For all users and then click Next.
Step 9. In the Completing the New Connection Wizard window, type a Connection Name and then click Finish. (Figure 11-299) Figure 11-299 New Connection Created...
Step 10. In the Connect Virtual Private Connection window, set as below: (Figure 11-300) User Name: Type “PPTP_Connection”. Password: Enter 123456789. Tick Save Password. Click Connect. The “Connecting Virtual Private Connection…” dialogue box appears. (Figure 11-301) ...
Chapter 12 Configuration Mail configuration is the basis on which the mail services operate. This chapter covers the functionality and use of Settings, Mail Domains, Account Manager, Mail Relay, Mail Notice, Queued Mail and Mail Signatures.
Terms in Settings Log Storage Time Quarantined spam / virus emails can be assigned a storage time and are deleted when it expires. You may also decide whether a quarantined email can be retrieved more than once. Personal Email Viewer / Email Notification Settings ...
Tag spam email’s subject with: --Spam--. Tag virus-infected emails with: --Virus--. Type the subject and the content of the mail notice. Click OK. (Figure 12-1)...
Figure 12-1 Configuring the Settings of Mail Security...
A notice with customized subject and message. (Figure 12-2) Figure 12-2 A Notice Shows Customized Subject and Message An unscanned email is highlighted with the warning message "---Unscanned---". (Figure 12-3) Figure 12-3 An Unscanned Email Shows a Warning Message...
The spam mail’s subject tagged with warning message. (Figure 12-4) Figure 12-4 The Spam Mail’s Subject Tagged with “Spam” The virus mail’s subject tagged with warning message. (Figure 12-5) Figure 12-5 The Virus Mail’s Subject Tagged with “Virus”...
Terms in Account Manager Account Learning Settings Disabled: accounts are added manually. Accounts added automatically: an email account is added to the CS-2001's account list automatically once the local mail server confirms that it exists. Synchronized with LDAP server: the accounts are imported from an LDAP server.
12.1 Mail Domains 12.1.1 Using Mail Domains to Filter Emails Step 1. Apply to a local ISP for several domain names, “planet.com.tw”, “supportplanet.com.tw”, “testplanet.com.tw” and “virtualplanet.com.tw” for instance, to provide mail service. The mapped IP address is 172.19.100.164.
Step 2. Under Mail Security > Configuration > Mail Domains, set as below: Click the New Entry button to create the first entry. Type planet.com.tw in the Domain Name field. Enter the mapped IP address. Click OK and then modify the domain.
Figure 12-8 Modifying the First Entry Figure 12-9 Typing the Domain Alias Figure 12-10 Settings Completed Figure 12-11 Creating the Second Entry...
Figure 12-12 The Second Entry Completed Figure 12-13 Modifying the Second Entry Figure 12-14 Typing the Domain Alias Figure 12-15 Settings Completed...
Note: 1. The CS-2001 device filters emails according to the entries under Mail Security > Configuration > Mail Domains. If no Mail Domains entries are configured, the filtered emails are recorded under Mail Security > Mail Reports > Logs > Outbound SMTP.
Select Accounts added automatically. Click OK. The CS-2001 filters every email passing through by verifying with the mail server that the recipient's account exists. Select Import from LDAP server and configure the settings. Click OK.
Step 3. Go to Mail Security > Configuration > Account Manager, import the accounts into the system: Click the Browse... button. In the Choose file window, locate the file and then click the Open button. (Figure 12-16) Click the Import button. In the Import Mail Account window, select the file type and then click the OK button.
Step 4. Go to Mail Security > Configuration > Account Manager, add or remove the accounts. Click the Add button. Enter the account information. (Figure 12-18) Click the OK button. (Figure 12-19) To remove an account, select the account and then click the Remove button.
Figure 12-20 Removing the Account Note: 1. Once Accounts added automatically is selected, the CS-2001 verifies with the mail server that the account exists before relaying the mail. 2. When Imported from LDAP server is selected, the CS-2001 decides whether to relay the email by verifying the account against the LDAP account list.
Step 5. Users may be given permission to access Personal Email Viewer under Mail Security > Configuration > Account Manager. To permit a user to access Personal Email Viewer, select the account(s) and then click Enable Personal Email Viewer. Click OK in the confirmation window.
12.2.2 Accessing Personal Email Viewer Step 1. Type the management address together with the HTTP port (8080) or HTTPS port (1443) in the address field of a Web browser. (Figure 12-23) Type the account name and the password. Select the mail domain from the drop-down list. Prefer the HTTPS port, so that the account name and password are not sent in clear text.
Step 2. Users will be requested to configure user preferences during their first login. Click Continue. (Figure 12-24) Configure the User Preferences accordingly. (Figure 12-25) Click Save. Settings completed. (Figure 12-26) Click Continue. Figure 12-24 The Greeting Message Shown upon First Login...
Figure 12-25 The User Preferences Settings Figure 12-26 User Preferences Settings Completed...
Step 3. The CS-2001's web-based mailbox is shown below. (Figure 12-27) Figure 12-27 The Web Mail User Interface...
12.2.3 Using Whitelist and Blacklist to Filter Emails Suppose the domain name "planet.com.tw" is registered to your organization, and you are using the account "joe" to log in to Personal Email Viewer, then: Step 1. Click Preference in the Web Mail main screen and then a pop-up window appears.
Figure 12-29 Creating the Second Entry of Whitelist Figure 12-30 Settings Completed...
Step 2. Click Preference in the Personal Email Viewer main screen and then a pop-up window appears. Click the Blacklist button under the User Preference section. Click the New button. Type *yahoo* in the Email Address/ Domain Name field. ...
Figure 12-32 Creating the Second Entry of Blacklist Figure 12-33 Blacklist Created...
Emails sent to share2k003@yahoo.com.tw are rated as spam. Of the two addresses, only share2k01@yahoo.com.tw receives emails from joe@planet.com.tw; share2k003@yahoo.com.tw receives none, because the emails addressed to it are classified as spam.
12.3 Mail Relay 12.3.1 Using CS-2001 as a Gateway (Set the Mail Server in DMZ under Transparent Mode) Prerequisite Setup Configure Port1 as LAN1 (192.168.1.1, NAT/Routing Mode) and connect it to the LAN which is using the IP range 192.168.1.X/24.
Step 2. Go to Mail Security > Configuration > Mail Relay and then set as below: (Figure 12-35) Select Sender’s IP Address. Type the IP Address and the Netmask. Click OK. Figure 12-35 Mail Relay Settings Note: 1.
12.3.2 Deploying the CS-2001 Device between the Gateway and Mail Server (Mail Server is in DMZ under Transparent Mode) Prerequisite Setup LAN Segment: 172.16.x.x/16 Configure Port1 as WAN1(172.16.1.12) and connect it to the LAN. Configure Port2 as DMZ1 (Transparent Routing mode) and connect it to the mail server.
Step 2. Go to Mail Security > Configuration > Mail Relay and then set as below: Click New Entry. (Figure 12-37) Select Sender’s IP Address. Type the IP Address and the Netmask. Click OK. Click New Entry again. (Figure 12-38)...
12.3.3 Using CS-2001 as Gateway to Enable Branch’s Employees to Send Emails via Headquarters’ Mail Server (Set the Mail Server under DMZ Transparent Routing Mode) Prerequisite Setup Configure Port1 as WAN1(61.11.11.11) and connect it to the ADSL Termination Unit Remote (ATUR) to access the Internet.
Step 2. Go to Mail Security > Configuration > Mail Relay and then set as below: (Figure 12-40) Select Sender’s IP Address. Enter the IP Address and the Netmask. Click OK. Figure 12-40 Mail Relay Settings...
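The Mail Relay entries in 12.3.1 to 12.3.3 all answer one question: for which senders may the CS-2001 relay mail to domains it does not host? The following is an added example, not the device's own code, showing that decision in Python. It accepts a recipient in a configured Mail Domain unconditionally, accepts other recipients only when the connecting client's IP falls inside a Mail Relay entry (IP address plus netmask), and refuses everything else, which is what stops the gateway from acting as an open relay. The domain list, the relay entries (the 61.11.11.11 branch address in particular) and the SMTP reply texts are assumptions for the example.

```python
"""Relay decision modelled on Mail Security > Configuration > Mail Relay:
relay only for recipients in a configured Mail Domain or for clients whose
IP lies inside a Mail Relay entry (Sender's IP Address + Netmask)."""
import ipaddress

# Constructed configuration mirroring the chapter's examples (assumed values).
LOCAL_DOMAINS = {"planet.com.tw", "supportplanet.com.tw",
                 "testplanet.com.tw", "virtualplanet.com.tw"}
# Mail Relay entries as (Sender's IP Address, Netmask) pairs.
RELAY_RULES = [
    ("192.168.1.0", "255.255.255.0"),    # headquarters LAN (12.3.1)
    ("61.11.11.11", "255.255.255.255"),  # branch WAN address (12.3.3), assumed
]


def relay_networks(rules):
    """Turn (address, netmask) pairs into ip_network objects. strict=False
    allows a host address such as 61.11.11.11/255.255.255.255 as written."""
    return [ipaddress.ip_network(f"{ip}/{mask}", strict=False)
            for ip, mask in rules]


def relay_decision(client_ip, recipient,
                   local_domains=LOCAL_DOMAINS, rules=RELAY_RULES):
    """Return (accept, smtp_reply) for one RCPT TO from client_ip."""
    if "@" not in recipient:
        return False, "501 5.1.3 Bad recipient address syntax"
    domain = recipient.rsplit("@", 1)[1].lower()
    if domain in local_domains:
        # Inbound mail for a hosted domain is always accepted (then filtered).
        return True, "250 2.1.5 OK (local domain)"
    try:
        addr = ipaddress.ip_address(client_ip)
    except ValueError:
        return False, "554 5.7.1 Relay access denied"
    if any(addr in net for net in relay_networks(rules)):
        return True, "250 2.1.5 OK (relay permitted for sender network)"
    # Neither a hosted domain nor a trusted sender network: refuse to relay.
    return False, "554 5.7.1 Relay access denied"


if __name__ == "__main__":
    for ip, rcpt in [("192.168.1.20", "share2k01@yahoo.com.tw"),
                     ("203.0.113.7", "share2k01@yahoo.com.tw"),
                     ("203.0.113.7", "joe@planet.com.tw"),
                     ("61.11.11.11", "someone@example.net")]:
        print(ip, rcpt, relay_decision(ip, rcpt))
```

The second case (an Internet host asking the gateway to deliver to a Yahoo address) is the open-relay probe spammers run; it must come back as a 554. Checking the relay rule only after the local-domain check also keeps a typo in the netmask from ever blocking inbound mail for your own domains.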
12.4 Mail Notice 12.4.1 Retrieving Spam or Virus Emails from the Mail Notice (An Outlook Express Example) Step 1. All the accounts are listed under Mail Security > Configuration > Mail Notice, but only accounts in the Selected Accounts column will be notified: (Figure 12-41)...
Step 2. Go to Mail Security > Configuration > Mail Notice and then set as below: Tick Notice for, then select "Both Spam and Viruses" from the drop-down list. Tick Send Mail Notice on weekends. Select "00 : 00" for 1st Time. ...
Note: 1. Accounts in the Selected Accounts column will receive a mail notice based upon schedules when emails sent from or to them are classified as spam or virus emails. 2. Up to six email notifications can be sent based upon the time order, starting from the earliest time set.
12.5 Queued Mail 12.5.1 Monitoring Email Delivery Status Step 1. Go to Mail Security > Configuration > Settings and then set as below: Max. Lifetime of Queued Mail: 4 hours. When a delivery fails, the system keeps retrying delivery to the recipient periodically until that lifetime expires.
Step 2. Go to Mail Security > Configuration > Queued Mail to obtain the delivery status. A symbol under the Reason column indicates an email is being processed (delivered). (Figures 12-44 and 12-45) The reasons for failed deliveries are shown there, and an email can be resent by clicking Resend.
12.6 Mail Signatures Step 1. Go to Mail Security > Configuration > Mail Signatures and then set as below: Tick Add signatures to all outgoing messages. Type the message to be shown in the text field. Click OK to complete the settings. (Figure 12-46)...
Step 2. Any email sent through the CS-2001 now has the signature message appended to the body of the email for the recipient to view. (Figure 12-47) Figure 12-47 Email with the Mail Signatures...
Chapter 13 Anti-Spam Users will no longer be disturbed by large influxes of spam. The Anti-Spam mechanism prevents the users from wasting their time on searching for business emails amongst the spam. It also lowers the risk of accidentally deleting business emails when deleting spam.
Settings must be configured for the CS-2001 to access the Internet. 2. The CS-2001 applies its default spam filtering settings if no method has been selected. 3. Bayesian filtering is not effective until at least 200 messages have been used for training (Figure 13-1)...
Spam Actions (Sending) Outbound spam mail can be deleted, delivered as normal, or stored in the quarantine. Spam Actions (Receiving) Inbound spam mail is delivered; in addition, you may also store a copy in the quarantine.
The figure below shows that an email’s subject is tagged with the score (optional). (Figure 13-3) Figure 13-3 An Email’s Subject Tagged with the Score Terms in Personal Rule Search Used for searching for individual emails. Used for retrieving quarantined emails. Whitelist ...
Comment The description of the rule’s name. Classification When Spam is selected, emails that meet the inspection criteria will be classified as spam. When Ham (Non-Spam) is selected, emails that meet the inspection criteria will be classified as ham. Action ...
"joe" typed as a pattern means that emails from any account whose address contains the string "joe" are considered spam or ham, according to the rule's Classification.
Spam Training Using Forwarded Mail The IT administrator may designate a separate email account for reporting spam. Users forward spam to that account, and the CS-2001 uses the reported messages for training to raise filtering accuracy. Ham Training Using Forwarded Mail ...
Training Schedule A daily time can be scheduled for spam or ham training, or the CS-2001 can be set to train immediately. An Overview on Email Transmission A mail server acts as an intermediary between users during mail delivery and retrieval.
The Three Key Elements of Email Transmission An email transmission is achieved by using an MUA, an MTA and an MDA. MUA (Mail User Agent): whether sending or receiving email, the end user relies on an MUA client (an email program, often one supplied with the OS); without it there is no way to access email.
How an Email is Processed Composing and sending an email: Email delivery from an MUA to an MTA: Run an MUA client (email program) and follow the instructions below: Enter the sender address and the domain name of the outgoing mail server (the sender's MTA) in the corresponding fields.
Email retrieval: the MUA uses POP (Post Office Protocol) to communicate with the MTA, through which users access their emails. Currently, POP3 (Post Office Protocol version 3) is the most widely used protocol for incoming email. By default, port 110 is assigned to the POP3 protocol.
Scenarios:
13.1.1 Detecting Whether Emails are Spam
13.1.2 Using CS-2001 in Accordance with Whitelist and Blacklist to Filter Spam (Mail Server Is Deployed in DMZ under Transparent Mode)
13.1.3 Deploying CS-2001 in between Gateway and Mail Server and Filtering...
13.1.1 Detecting Whether Emails are Spam Prerequisite Setup Configure Port1 as LAN1(192.168.1.1, NAT/ Routing mode) and connect it to the LAN which is using 192.168.1.x/24. Configure Port2 as WAN1(61.11.11.11) and connect it to the ADSL Termination Unit Remote to access the Internet. IP range: 61.11.11.10 to 61.11.11.14. Configure Port3 as WAN2(211.22.22.22) and connect it to the ADSL Termination Unit Remote to access the Internet.
Step 3. Under Policy Object > Address > DMZ, set as below: (Figure 13-4) Figure 13-4 Creating an Address Setting Corresponding to the Mail Server Step 4. Under Policy Object > Service > Group, set as below: (Figure 13-5) Figure 13-5 Creating Service Groups to Include the POP3, SMTP or DNS Services...
Step 5. Go to Policy > Outgoing and then set as below: (Figure 13-6) Select the defined group (Mail_Service_02) from the Service drop-down list. Tick POP3 for Anti-Spam. Click OK. (Figure 13-7)...
Figure 13-6 Configuring an Outgoing Policy with Group Service and POP3 Anti-Spam...
Step 6. Under Policy > WAN to DMZ, set as below: (Figure 13-8) Select the defined rule from the Destination Address drop-down list. Select the defined service group (Mail_Service_01) from the Service drop-down list. Tick POP3 for Anti-Spam. ...
Step 7. Go to Policy > DMZ to WAN and then set as below: (Figure 13-10) Select the defined group from the Source Address drop-down list. Select the defined service group (Mail_Service_02) from the Service drop-down list. Tick POP3 for Anti-Spam.
Figure 13-10 Creating a DMZ to WAN Policy with Group Service and POP3 Anti-Spam...
Step 8. Under Mail Security > Anti-Spam > Settings, set as below: (Figure 13-12) Figure 13-12 Anti-Spam Filter Settings and Action Settings...
The list of filtered spam cannot be obtained by means of Mail Notice. Step 9. When receiving an email from an external mail account js1720@ms21.pchome.com.tw, CS-2001 will filter the email for spam. Step 10. When receiving an email from an internal mail account...
13.1.2 Using CS-2001 in Accordance with Whitelist and Blacklist to Filter Spam (Mail Server Is Deployed in DMZ under Transparent Mode) Prerequisite Setup Configure Port1 as LAN1 (192.168.1.1, NAT/ Routing mode) and connect it to the LAN which is using 192.168.1.x/24.
Step 3. Go to Policy Object > Service > Group and then set as below: (Figure 13-15) Figure 13-15 Creating Service Groups to Include POP3, SMTP and DNS Service...
Step 4. Go to Policy > WAN to DMZ and then set as below: (Figure 13-16) Select the defined rule from the Destination Address drop-down list. Select the defined rule (Mail_Service_01) from the Service drop-down list. Select SMTP for Anti-Spam. ...
Step 5. Under Policy > DMZ To WAN, set as below: (Figure 13-18) Select the defined rule for Source Address. Select the defined service (Mail_Service_02) for Service. Select SMTP for Anti-Spam. Click OK. (Figure 13-19)...
Figure 13-18 Creating a DMZ to WAN Policy...
Step 6. Go to Mail Security > Configuration > Mail Domains and then set as below: (Figure 13-20) Figure 13-20 Mail Domain Settings Step 7. Go to Mail Security > Anti-Spam > Settings and then set as below: (Figure 13-21) Figure 13-21 Anti-Spam Settings Note: 1.
Step 8. Go to Mail Security > Anti-Spam > Whitelist and then set as below: Click New Entry. Type share2k01@yahoo.com.tw in the Mail Account field. Select From for Direction. Click OK. (Figure 13-22) Click New Entry again. ...
Figure 13-25 Creating the Fourth Entry on Whitelist Figure 13-26 Whitelist Setting Completed Note: 1. The Whitelist can be exported to a file for archiving and editing; the file can later be imported to restore the list.
Step 9. Go to Mail Security > Anti-Spam > Blacklist and then set as below: Click New Entry. Type *yahoo* in the Mail Account field. Select From for Direction. Click OK. (Figure 13-27) Click New Entry again. ...
3. Whitelist overrides Blacklist; email inspection therefore checks the Whitelist first and then the Blacklist. Step 10. Provided that joe@supportplanet.com.tw and steve@supportplanet.com.tw both receive an email from a Yahoo account: If the sender's account is share2k01@yahoo.com.tw, then both Joe and Steve will receive it.
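Both the personal lists in 12.2.3 and the global lists in 13.1.2 follow the same two rules: an entry is a pattern in which only "*" is a wildcard, and the Whitelist is checked before the Blacklist, so a whitelist hit wins. The following added example (not the device's own code) implements that evaluation in Python and reproduces both scenarios. The Direction values are taken from 13.1.2 (From, judged on the sender); for Joe's personal lists in 12.2.3 the manual gives no direction, so the example assumes they are judged on the recipient (To), which is what makes mail to share2k003@yahoo.com.tw spam while mail to share2k01@yahoo.com.tw passes.

```python
"""Whitelist / blacklist evaluation as described for Personal Email Viewer
(12.2.3) and Mail Security > Anti-Spam (13.1.2): wildcard (*) patterns with
a Direction (From = sender, To = recipient); the whitelist is consulted
first, so a whitelist match always wins over a blacklist match."""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class ListEntry:
    pattern: str     # e.g. "*yahoo*" or "share2k01@yahoo.com.tw"
    direction: str   # "From" or "To"


def wildcard_to_regex(pattern):
    """Only '*' is a wildcard. Everything else is escaped, so the dots in a
    domain match literal dots and cannot widen the rule by accident."""
    parts = [re.escape(p) for p in pattern.split("*")]
    return re.compile("^" + ".*".join(parts) + "$", re.IGNORECASE)


def entry_matches(entry, sender, recipient):
    target = sender if entry.direction == "From" else recipient
    return wildcard_to_regex(entry.pattern).match(target) is not None


def classify(sender, recipient, whitelist, blacklist):
    """'ham' on a whitelist hit, 'spam' on a blacklist hit, otherwise
    'unlisted' (the message goes on to the other spam checks)."""
    if any(entry_matches(e, sender, recipient) for e in whitelist):
        return "ham"
    if any(entry_matches(e, sender, recipient) for e in blacklist):
        return "spam"
    return "unlisted"


# Constructed lists reproducing the chapter's scenarios.
# 13.1.2: global lists, Direction From (judged on the sender).
GLOBAL_WHITELIST = [ListEntry("share2k01@yahoo.com.tw", "From")]
GLOBAL_BLACKLIST = [ListEntry("*yahoo*", "From")]
# 12.2.3: joe's personal lists; Direction To is an assumption (judged on the
# recipient of joe's outgoing mail).
JOE_WHITELIST = [ListEntry("share2k01@yahoo.com.tw", "To")]
JOE_BLACKLIST = [ListEntry("*yahoo*", "To")]


def inbound(sender):
    """13.1.2 Step 10: a Yahoo sender writing to a supportplanet.com.tw user."""
    return classify(sender, "joe@supportplanet.com.tw",
                    GLOBAL_WHITELIST, GLOBAL_BLACKLIST)


def joe_outbound(recipient):
    """12.2.3: joe@planet.com.tw writing to a Yahoo address."""
    return classify("joe@planet.com.tw", recipient,
                    JOE_WHITELIST, JOE_BLACKLIST)


if __name__ == "__main__":
    for s in ("share2k01@yahoo.com.tw", "share2k003@yahoo.com.tw",
              "someone@example.net"):
        print("inbound from", s, "->", inbound(s))
    for r in ("share2k01@yahoo.com.tw", "share2k003@yahoo.com.tw"):
        print("joe ->", r, "->", joe_outbound(r))
```

Note what "*yahoo*" actually covers: any sender string containing "yahoo" anywhere, including a local part such as yahoo.fan@example.net. If the intent is to blacklist the Yahoo domain, "*@yahoo.com.tw" is the tighter pattern.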
13.1.3 Deploying CS-2001 in between Gateway and Mail Server and Filtering Spam with Global Rule (Mail Server Is Deployed in DMZ under Transparent Mode) Prerequisite Setup Gateway: 172.16.x.x/16 Configure Port1 as LAN1. Configure Port2 as WAN1 (172.16.1.12) and connect it to the gateway.
Step 4. Under Policy > WAN To DMZ, set as below: (Figure 13-32) Select the defined DMZ for Destination Address. Select the defined service (Mail_Service_01) for Service. Select SMTP for Anti-Spam. Click OK. (Figure 13-33) Figure 13-32 Creating a WAN to DMZ Policy with Service and SMTP Anti-Spam...
Step 5. Under Policy > DMZ To WAN, set as below: (Figure 13-34) Select the defined DMZ for Source Address. Select the defined service (Mail_Service_02) for Service. Select SMTP for Anti-Spam. Click OK. (Figure 13-35)...
Figure 13-34 Creating a DMZ to WAN Policy with Service and SMTP Anti-Spam...
Step 6. Under Mail Security > Configuration > Mail Domains, set as below: (Figure 13-36) Figure 13-36 Mail Domain Settings Step 7. Under Mail Security > Configuration > Mail Relay, set as below: (Figure 13-37) Figure 13-37 Mail Relay Settings Note: 1.
Step 8. Under Mail Security > Anti-Spam > Settings, set as below: (Figure 13-38) Figure 13-38 Anti-Spam Settings Note: 1. An email that meets a Global Rule will be processed based on the corresponding Action setting of the Global Rule.
Step 9. Go to Mail Security > Anti-Spam > Global Rule and then set as below: Click New Entry. Type HamMail in the Rule Name field. Type Ham Mail in the Comment field. Select Ham (Non-Spam) for Classification. ...
Note: 1. The Action setting of a Global Rule is unavailable when Classification is set to Ham (Non-Spam), because normal emails need no additional processing before being sent to the recipient.
Step 10. Go to Mail Security > Anti-Spam > Global Rule and then set as below: Click New Entry. Type SpamMail in the Rule Name field. Type Spam Mail in the Comment field. Select Spam for Classification. ...
The email header can be used as a reference when configuring the Condition and Item of a Global Rule. Figure 13-43 shows the header of an email. To view the header in Outlook Express, select any email, right-click it and choose Properties on the shortcut menu; in the window that appears, click the Details tab for the header information. (Figure 13-43)...
Step 11. Provided that joe@supportplanet.com.tw and steve@supportplanet.com.tw both receive an email from a Yahoo account: If the sender's account is share2k01@yahoo.com.tw, then both Joe and Steve will receive it. But if the sender's account is share2k003@yahoo.com.tw, only Joe will receive it; the email sent to Steve is classified as spam and quarantined.
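A Global Rule is a set of header conditions (Item, Condition, Pattern) plus a Classification and, for spam, an Action, evaluated against exactly the header shown in Figure 13-43. The following is an added example, not the device's own code, that parses a raw message with Python's email module and applies such rules in order. The manual elides the conditions of HamMail and SpamMail (Steps 9 and 10), so the two rules below are assumed ones chosen to reproduce the outcome of Step 11; the "contains" condition is a case-insensitive substring test, the behaviour the note about the "joe" pattern describes.

```python
"""Applying Global Rules (Mail Security > Anti-Spam > Global Rule) to a
message header: each rule has an Item (header field), a Condition, a
Pattern, a Classification and, for spam only, an Action. Rules are tried
in order and the first rule whose conditions all hold decides."""
import email
from email import policy

# Constructed rules (assumed; the chapter does not show the real conditions).
# HamMail: anything from share2k01@yahoo.com.tw is ham.
# SpamMail: anything from a Yahoo address to Steve is spam, quarantined.
RULES = [
    {"name": "HamMail", "classification": "ham", "action": None,
     "conditions": [("From", "contains", "share2k01@yahoo.com.tw")]},
    {"name": "SpamMail", "classification": "spam", "action": "quarantine",
     "conditions": [("From", "contains", "@yahoo.com.tw"),
                    ("To", "contains", "steve@supportplanet.com.tw")]},
]


def header_matches(msg, item, condition, pattern):
    """Evaluate one (Item, Condition, Pattern) triple against the header."""
    value = str(msg.get(item, ""))          # missing header -> empty string
    if condition == "contains":             # substring, as for the "joe" pattern
        return pattern.lower() in value.lower()
    if condition == "equals":
        return value.strip().lower() == pattern.lower()
    raise ValueError(f"unknown condition {condition!r}")


def apply_global_rules(raw_message, rules=RULES):
    """Return (rule name, classification, action) for the first matching
    rule, or (None, 'unmatched', None) so the message falls through to the
    Bayesian and other checks."""
    msg = email.message_from_bytes(raw_message, policy=policy.default)
    for rule in rules:
        if all(header_matches(msg, *cond) for cond in rule["conditions"]):
            return rule["name"], rule["classification"], rule["action"]
    return None, "unmatched", None


def sample(sender, recipient):
    """Constructed RFC 5322 message, one copy per recipient, as the MTA
    delivers it; only the header matters to the rules."""
    return (f"From: {sender}\r\n"
            f"To: {recipient}\r\n"
            f"Subject: hello\r\n"
            f"Message-ID: <t1@yahoo.com.tw>\r\n"
            f"Date: Mon, 02 Apr 2012 10:00:00 +0800\r\n"
            f"\r\n"
            f"body\r\n").encode()


if __name__ == "__main__":
    for s in ("share2k01@yahoo.com.tw", "share2k003@yahoo.com.tw"):
        for r in ("joe@supportplanet.com.tw", "steve@supportplanet.com.tw"):
            print(s, "->", r, apply_global_rules(sample(s, r)))
```

Because rules are evaluated in order, putting the ham rule first is what lets share2k01 reach Steve even though the spam rule's conditions would also match it; swap the order and the whitelist effect disappears. Remember that From and To are sender-supplied header fields, so a rule keyed on them is a convenience filter, not an authentication check.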
13.1.4 Improving Bayesian Filtering Accuracy by Training Spam Filtering / Ham-Filtering (An Outlook Express Example) To train spam filtering: Step 1. In Outlook Express, create a new folder named “Spam Mail”: Right-click Local Folders, and then select New Folder. (Figure 13-44)...
Figure 13-45 Naming the Folder as Spam Mail...
Step 2. Click Inbox in Outlook Express, and then move the spam to the Spam Mail folder: In Inbox, select all the spam, right-click them, and then point to Move to Folder on the shortcut menu. (Figure 13-46) Select the Spam Mail folder in the Move window, and then click OK. (Figure 13-47)...
Figure 13-47 Selecting the “Spam Mail” Folder...
Step 3. Compact the Spam Mail folder to make importing the spam messages into the CS-2001 for spam filtering training easier: Click the Spam Mail folder. (Figure 13-48) In the upper left corner, click File, point to Folder, and then click Compact.
Figure 13-49 Compacting the Spam Mail Folder...
Step 4. Copy the pathname of the Spam Mail folder to CS-2001 device for training use: Right-click Spam Mail folder, and then click Properties on shortcut menu. (Figure 13-50) In the Spam Mail Properties window, copy the pathname.
Figure 13-51 Copying the Pathname of the Spam Mail Folder...
Step 5. Go to Mail Security > Anti-Spam > Training and then configure the settings under the Spam Training Using Importing section: Paste the pathname of the Spam Mail folder into the Import Spam Mail from field. Click the lower right OK to import the folder; the spam filter is then trained according to the training schedule.
Step 6. Delete all spam emails in the Spam Mail folder; since they have been compacted and uploaded to the CS-2001, they are no longer needed: In the Spam Mail folder, select all emails, right-click them, and then click Delete on the shortcut menu.
Figure 13-54 All Spam Emails Have Been Deleted To train ham filtering: Step 7. In Outlook Express, create a new folder called “Ham Mail”: Right-click Local Folders, and then select New Folder. (Figure 13-55) In the Create Folder window, type “Ham Mail” in the Folder name field, and then click OK.
Figure 13-55 Creating a New Folder Figure 13-56 Naming the Folder as Ham Mail...
Step 8. Click Inbox in Outlook Express, and then move normal emails to the Ham Mail folder: In Inbox, select all the normal emails, right-click them, and then point to Move to Folder on the shortcut menu. (Figure 13-57) Select the Ham Mail folder in the Move window, and then click OK. (Figure 13-58)...
Figure 13-58 Selecting the Ham Mail Folder...
Step 9. Compact the Ham Mail folder to make importing the normal messages into the CS-2001 for ham filtering training easier: Click the Ham Mail folder. (Figure 13-59) In the upper left corner, click File, point to Folder, and then click Compact.
Figure 13-60 Compacting the Ham Mail Folder...
Step 10. Copy the pathname of the Ham Mail folder to CS-2001 device for training use: Right-click the Ham Mail folder, and then click Properties on shortcut menu. (Figure 13-61) In the Ham Mail Properties window, copy the pathname.
Figure 13-62 Copying the Pathname of the Ham Mail Folder...
Step 11. Go to Mail Security > Anti-Spam > Training and configure the settings under the Ham Training Using Importing section: Paste the pathname of the Ham Mail folder into the Import ham mail from field. Click the lower right OK to import the folder; the ham filter is then trained according to the training schedule.
Step 12. Delete all emails in the Ham Mail folder; since they have been compacted and uploaded to the CS-2001, they are no longer needed: In the Ham Mail folder, select all normal emails, right-click them, and then click Delete on the shortcut menu.
Figure 13-65 All Normal Emails Have Been Deleted...
13.1.5 Improving Bayesian Filtering Accuracy by Training Spam Filtering / Ham Filtering (Using Forwarded Mail) Step 1. On your mail server, create an email account, such as spam@supportplanet.com.tw, for gathering spam emails. Step 2. On your mail server, create an email account, such as ham@supportplanet.com.tw, for gathering normal emails.
Step 4. In Mail Security > Anti-Spam > Training, configure the Ham Training Using Forwarded Mail setting according to the relevant information of ham@supportplanet.com.tw: POP3 Server Enter the user name and the password. Click OK. (Figure 13-66) Figure 13-66 Email Accounts Used for Gathering Normal/ Spam Messages and Training...
To train spam filtering: Step 5. In Outlook Express, forward all spam emails in the Inbox as attachment to spam@supportplanet.com.tw: In Inbox, select all spam emails, right-click any of the selected emails, and then click Forward As Attachment on shortcut menu. (Figure 13-67)...
Figure 13-68 Forwarding the Selected Spam Emails as Attachment...
To train ham filtering: Step 6. In Outlook Express, forward all normal emails in the Inbox as attachment to ham@supportplanet.com.tw: In Inbox, select all normal emails, right-click any of the selected emails, and then click Forward As Attachment on shortcut menu. (Figure 13-69)...
Figure 13-70 Forwarding the Selected Normal Emails as Attachment...
Step 7. The CS-2001 retrieves the emails in spam@supportplanet.com.tw and ham@supportplanet.com.tw periodically and uses them for training according to the schedule. (Figure 13-71) Figure 13-71 Training Schedule Settings...
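Sections 13.1.4 and 13.1.5 both end with the same thing: a corpus of labelled spam and ham fed to a Bayesian filter, which the earlier note says is not effective until at least 200 messages have been trained. The following added example, not the device's own code, is a small multinomial naive-Bayes filter of that kind in Python. It trains on a constructed corpus, computes a log-odds spam score (the kind of score the manual says can be tagged into the subject), and refuses to give a verdict while the trained-message count is below a floor that defaults to the manual's 200. The corpus and the 200 default are the only assumptions; the CS-2001's actual tokenizer and thresholds are not documented here.

```python
"""A small multinomial naive-Bayes spam filter of the kind the Training page
feeds (13.1.4 / 13.1.5), with the manual's safeguard: no verdict until
enough messages have been used for training."""
import math
import re
from collections import Counter

TOKEN = re.compile(r"[a-z0-9]+")


def tokenize(text):
    return TOKEN.findall(text.lower())


class BayesFilter:
    def __init__(self, min_training=200):
        self.min_training = min_training          # the manual's 200-message floor
        self.word_counts = {"spam": Counter(), "ham": Counter()}
        self.doc_counts = {"spam": 0, "ham": 0}

    def train(self, text, label):
        """label is 'spam' or 'ham' (one message from the Spam Mail / Ham Mail
        folder, or from the spam@ / ham@ reporting account)."""
        self.word_counts[label].update(tokenize(text))
        self.doc_counts[label] += 1

    def trained_messages(self):
        return self.doc_counts["spam"] + self.doc_counts["ham"]

    def score(self, text):
        """Log-odds that text is spam; positive favours spam. Laplace (+1)
        smoothing keeps a never-seen word from zeroing the whole product."""
        vocab = set(self.word_counts["spam"]) | set(self.word_counts["ham"])
        totals = {c: sum(self.word_counts[c].values()) for c in ("spam", "ham")}
        logodds = math.log((self.doc_counts["spam"] + 1) /
                           (self.doc_counts["ham"] + 1))      # class prior
        for tok in tokenize(text):
            p_spam = (self.word_counts["spam"][tok] + 1) / (totals["spam"] + len(vocab))
            p_ham = (self.word_counts["ham"][tok] + 1) / (totals["ham"] + len(vocab))
            logodds += math.log(p_spam / p_ham)
        return logodds

    def classify(self, text):
        """Return 'spam', 'ham', or None while the corpus is still too small."""
        if self.trained_messages() < self.min_training:
            return None
        return "spam" if self.score(text) > 0 else "ham"


# Constructed training corpus standing in for the user's folders (assumed).
SPAM = [
    "cheap viagra pills buy now limited offer",
    "you won the lottery claim your prize now",
    "buy cheap replica watches discount offer",
    "urgent claim prize money winner lottery",
    "discount pills online pharmacy cheap",
    "free money offer click now winner",
]
HAM = [
    "meeting tomorrow at ten about the quarterly report",
    "please review the attached project schedule",
    "lunch on friday with the finance team",
    "can you send me the report before the meeting",
    "project schedule updated see attached",
    "reminder team meeting moved to thursday",
]


def build_filter(min_training=200):
    f = BayesFilter(min_training)
    for text in SPAM:
        f.train(text, "spam")
    for text in HAM:
        f.train(text, "ham")
    return f


if __name__ == "__main__":
    f = build_filter(min_training=10)   # lowered only so the tiny demo corpus counts
    for text in ("claim your free prize now",
                 "the report for the meeting is attached"):
        print(f"{f.score(text):+.2f}", f.classify(text), "<-", text)
    print("verdict with the 200-message floor:", build_filter().classify("claim your prize"))
```

With the default floor the filter returns None for everything, which is the correct behaviour for a twelve-message corpus: a Bayesian filter trained on a handful of messages produces confident, wrong scores. Train both classes, not just spam; a corpus with no ham makes every word look spammy.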
Chapter 14 Anti-Virus Due to its inbound and outbound email anti-virus scanning capabilities, CS-2001 guards against the extensive damage that virus infections can inflict on your business.
Sophos: the purchase of an end-user license is required for legal use. Note: 1. To ensure the CS-2001 is updated successfully, click Test Connection to check whether the connection to the virus definition server works before running the update. 2. Once the Proxy Server is deployed, the proxy settings under System > Configuration >...
Figure 14-1 Anti-Virus Settings Note: 1. Three virus-scanning modes available for users are ClamAV, Sophos and ClamAV+Sophos.
14.1 Example Scenarios
14.1.1 Filtering Out the Virus Emails on Mail Server
14.1.2 Using CS-2001 as a Gateway to Filter Out Virus Emails (Mail Server Is Deployed in LAN under NAT Mode)
14.1.1 Filtering Out the Virus Emails on Mail Server Prerequisite Setup Configure Port1 as LAN1 (192.168.1.1, NAT/ Transparent Routing mode) and connect it to the LAN which is using 192.168.1.x/24. Configure Port2 as WAN1(61.11.11.11) and connect it to the ADSL Termination Unit Remote to access the Internet.
Step 4. Go to Policy Object > Service > Group, set as below: (Figure 14-3) Figure 14-3 Creating Service Groups to Include the POP3, SMTP and DNS Services...
Step 5. Under Policy > Outgoing, set as below: (Figure 14-4) Select the defined service (Mail_Service_02) for Service. Select POP3 for Anti-Virus. Click OK. (Figure 14-5)...
Figure 14-4 Creating an Outgoing Policy with Service and POP3 Anti-Virus Figure 14-5 Policy Created...
Step 6. Under Policy > WAN To DMZ, set as below: (Figure 14-6) Select the defined DMZ for Destination Address. Select the defined service (Mail_Service_01) for Service. Select POP3 for Anti-Virus. Click OK. (Figure 14-7) Figure 14-6 Creating a WAN to DMZ Policy with Service and POP3 Anti-Virus...
Step 7. Under Policy > DMZ To WAN, set as below: (Figure 14-8) Select the defined DMZ for Source Address. Select the defined service (Mail_Service_02) for Service. Select POP3 for Anti-Virus. Click OK. (Figure 14-9)...
Figure 14-8 Creating a DMZ to WAN Policy with Service and POP3 Anti-Virus...
Step 8. Go to Mail Security > Anti-Virus > Settings and then set as below: (Figure 14-10) Figure 14-10 Anti-Virus Settings...
Step 9. When an internal user receives emails from an external mail account, such as js1720@ms21.pchome.com.tw, the CS-2001 scans the emails for viruses. Step 10. When an external user receives emails from an internal account, such as joe@supportplanet.com.tw, the CS-2001 scans the emails for viruses.
14.1.2 Using CS-2001 as a Gateway to Filter Out Virus Emails (Mail Server Is Deployed in LAN under NAT Mode) Prerequisite Setup Configure Port1 as LAN1(192.168.2.1, NAT/Routing mode) and connect it to the LAN which is using 192.168.2.x/24. Mail Server: using LAN1 IP address (192.168.2.12) mapping to WAN1 IP address(61.11.11.12).
Figure 14-13 Creating Service Groups to Include POP3, SMTP and DNS Service Step 4. Under Policy Object > Virtual Server > Port Mapping, set as below: (Figure 14-14) Figure 14-14 Port Mapping Settings...
Step 5. Under Policy > Incoming, set as below: (Figure 14-15) Select the defined virtual server for Destination Address. Select the defined service (Mail_Service_01) for Service. Select SMTP for Anti-Virus. Click OK. (Figure 14-16) Figure 14-15 Creating an Incoming Policy with Service and SMTP Anti-Virus...
Step 6. Under Policy > Outgoing, set as below: (Figure 14-17) Select the defined LAN address for Source Address. Select the defined service (Mail_Service_02) for Service. Select SMTP for Anti-Virus. Click OK. (Figure 14-18)...
Figure 14-17 Creating an Outgoing Policy with Service and SMTP Anti-Virus...
Step 7. Go to Mail Security > Configuration > Mail Domains and then set as below: (Figure 14-19) Figure 14-19 Mail Domain Settings Step 8. Go to Mail Security > Anti-Virus > Settings and then set as below: (Figure 14-20) Figure 14-20 Anti-Virus Settings Note:...
Step 9. When “Joe”, an internal user at supportplanet.com.tw, receives emails from external mail accounts at yahoo.com.tw: The virus mail from share2k01@yahoo.com.tw will be stored in the quarantine. The regular mail from share2k003@yahoo.com.tw will be sent to joe@supportplanet.com.tw. Step 10.
Chapter 15 Mail Reports CS-2001 provides you with email reports in the form of statistics and logs, presenting you with a thorough insight into the email activities of the business.
Terms in Settings Periodic Report Scheduling Settings Generates and sends the periodic report to the designated recipient(s) on schedule. History Report Scheduling Settings Generates and sends the history report to the designated recipient(s) on schedule.
Figure 15-2 Periodical Report Sent as an Attachment...
Terms in Logs Search Available searching criteria are: date, sender, sender IP, recipient, attachment, subject, attribute and process. Go to Mail Security > Mail Reports > Logs, click the Search icon and then set as below: Enable the searching duration and then specify a period of time. ...
Figure 15-3 Searching for a Specific Log Note: 1. How to open an “.mbx” file (exported from quarantined or archived emails) on your local computer: Convert the “.mbx” file into an “.eml” file with an mbx2eml application (e.g., IMAPSize) and then run Outlook Express to open the “.eml”...
Run IMAPSize, go to Tools > mbox2eml on the menu bar, and then click it.(Figure 15-26) In the mbox2eml window, click the Select mbox files to convert button, locate the “.mbx” file, click Open, and then click Convert to start converting the file into an “.eml”...
Figure 15-26 Navigating to Tools > Mbox2eml on the Menu Bar Figure 15-27 Locating the “.mbx” File to be Converted...
Figure 15-28 Converting the “.mbx” File into an “.eml” File Figure 15-29 File Conversion Completed...
Figure 15-30 Clicking and Dragging the “.eml” File into Outlook Express to Open It...
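The note above delegates the ".mbx" to ".eml" conversion to IMAPSize's mbox2eml. The following is an added example, not the device's or IMAPSize's code, that does the same split with Python's standard mailbox module: each message in the exported file is written out as its own .eml, with the mbox "From " separator line dropped because it is not part of the RFC 5322 message and confuses some clients. It assumes the exported file is in mbox format, the format mbox2eml reads; the two-message mailbox embedded below is constructed for the demonstration.

```python
"""Split an exported mailbox into one .eml file per message, the job the
manual hands to IMAPSize's mbox2eml, using the stdlib mailbox module.
Assumes the ".mbx" export is mbox-formatted."""
import mailbox
import os
import tempfile

# Constructed two-message mbox standing in for a quarantine/archive export.
SAMPLE_MBOX = (
    b"From joe@planet.com.tw Mon Apr  2 10:00:00 2012\n"
    b"From: joe@planet.com.tw\n"
    b"To: steve@supportplanet.com.tw\n"
    b"Subject: quarterly report\n"
    b"Message-ID: <a1@planet.com.tw>\n"
    b"\n"
    b"Please find the report attached.\n"
    b"\n"
    b"From share2k003@yahoo.com.tw Mon Apr  2 10:05:00 2012\n"
    b"From: share2k003@yahoo.com.tw\n"
    b"To: steve@supportplanet.com.tw\n"
    b"Subject: --Spam-- cheap pills\n"
    b"Message-ID: <b2@yahoo.com.tw>\n"
    b"\n"
    b"Buy now.\n"
)


def mbox_to_eml(mbox_path, out_dir):
    """Write each message in mbox_path to out_dir/NNNN.eml; return the paths."""
    os.makedirs(out_dir, exist_ok=True)
    written = []
    box = mailbox.mbox(mbox_path, create=False)
    try:
        for n, msg in enumerate(box, 1):
            path = os.path.join(out_dir, f"{n:04d}.eml")
            with open(path, "wb") as fh:
                # unixfrom=False drops the mbox "From " separator line.
                fh.write(msg.as_bytes(unixfrom=False))
            written.append(path)
    finally:
        box.close()
    return written


def demo(work_dir=None):
    """Write SAMPLE_MBOX to disk, convert it, and return the .eml paths."""
    work_dir = work_dir or tempfile.mkdtemp(prefix="cs2001-")
    mbox_path = os.path.join(work_dir, "export.mbx")
    with open(mbox_path, "wb") as fh:
        fh.write(SAMPLE_MBOX)
    return mbox_to_eml(mbox_path, os.path.join(work_dir, "eml"))


if __name__ == "__main__":
    for path in demo():
        print(path)
```

Open the resulting .eml files in a client that does not auto-execute content, or better, in a text editor: a quarantined message was quarantined for a reason, and the point of exporting it is usually to read its headers, not to render it.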
15.1 Statistics Step 1. Mail Security > Mail Reports > Statistics shows a comprehensive statistical report. Step 2. In the upper left corner, click Day for a daily statistics report; click Week for a weekly statistics report; click Month for a monthly statistics report; click Year for an annual statistics report.
Chapter 16 Configuration Regulating the websites that employees may access improves productivity and protects the network from the damage caused by malicious software or code. Whitelist: To permit access to specific websites, the IT administrator may enter the complete URL, or a URL in combination with a wildcard (*). ...
Page 575
Terms in Setting URL Blocking License To activate the Category feature for URL Blocking, the license key must be imported into the device here. Each license key is unique to the device it was purchased for, thus the key is invalid if used on other devices.
Page 576
Figure 16-1 Web Filter Settings Note: 1. Before enabling syslog, please configure the syslog setting under System > Configuration > Settings.
Page 577
The alert message displays when an internal user tries to access the blocked web page. (Figure 16-2) Figure 16-2 The Alert Message Terms in Whitelist Name The name of the Whitelist. Specifies permitted URLs. The asterisk character (“*”) allows any website. Terms in Blacklist Name ...
Page 578
Specifies any URLs required to be blocked. The asterisk character (“*”) blocks any websites. Terms in Category Name The name for the Category. Member Provides the following categories: Anti-Social and Illegal, Pornographic and Abusive, Gaming and Gambling, Society and Commerce, Communication and Technology, Leisure, Information and Education, and Other.
Page 579
Terms in MIME/Script Name The name of MIME/Script. Script Window Popup:Blocking the popup window. Microsoft ActiveX:Disallowing the execution of ActiveX. Java Applet:Disallowing the execution of Java. Web Cookie:Blocking Web Cookie. MIME Type MIME (Multipurpose Internet Mail Extensions) is an Inernet standard that extends the format of e-mail.
Page 580
video/mpeg application/octet-stream application/pdf application/msword Important: 1. To apply the Whitelist, Blacklist, Category, File Extensions and MIME/Script to the Policy, those rules need to be added in the Group first.
16.1 Example
16.1.1 (Whitelist, Blacklist, Group): Regulating User’s Access to Specific Websites Using Blacklist and Whitelist
16.1.2 (Category, File Extensions, MIME/Script, Group): Regulating User’s Access to Specific Websites, Downloading or Uploading Specific File Extensions via HTTP or FTP, or the Access to Specific MIME Types / Script Types...
16.1.1 Regulating User’s Access to Specific Websites Using Blacklist and Whitelist
Step 1. Go to Web Filter > Configuration > Whitelist and then set as below: Click New Entry. Type the name in the Name field. In the URL field, type the keyword of the URL, such as yahoo. ...
Note: 1. The Whitelist can be exported as a file for storage, which can be used for restoring the list later.
Step 2. Go to Web Filter > Configuration > Blacklist and then set as below: (Figure 16-6) Type the name in the Name field. ...
Step 3. Go to Web Filter > Configuration > Group, click New Entry and then set as below: (Figure 16-8) Type the name in the Name field. Move the Whitelist from the Available Whitelists column to the Selected Whitelists column. ...
Figure 16-8 Group Settings for URL Blocking...
Figure 16-9 The Completed Group Settings...
Step 4. Go to Policy > Outgoing, click New Entry and then set as below: (Figure 16-10) Select the defined group from the Web Filter drop-down list. Click OK. (Figure 16-11) By applying this policy, only websites containing “yahoo” or “google” in the domain name will be permitted.
16.1.2 Regulating User’s Access to Specific Websites, Downloading or Uploading Specific File Extensions via HTTP or FTP, or the Access to Specific MIME Types / Script Types
Step 1. Go to Web Filter > Configuration > Category, click New Entry and then set as below: (Figure 16-12)...
Step 2. Go to Web Filter > Configuration > File Extensions, click New Entry and then set as below: (Figure 16-14) Type the name in the Name field. Select All types of file extensions. Click OK. (Figure 16-15)
Figure 16-14 Blocking the Specific File Extension
Figure 16-15 Setting Completed
Note:...
Figure 16-16 Adding a New Extension
Figure 16-17 Typing a New Extension
Figure 16-18 File Extension Added...
Step 3. Go to Web Filter > Configuration > MIME/Script, click New Entry and then set as below: (Figure 16-19) Type the name in the Name field. Under the Forbidden File Extensions section, tick Window Popup, Microsoft ActiveX, Java Applet and Web Cookie. ...
Click Modify and then click Add. (Figure 16-21) Enter the MIME Types in the field. Click OK. (Figure 16-22, 16-23)
Figure 16-21 Configuring the MIME Type
Figure 16-22 Adding the MIME Types
Figure 16-23 MIME Type Added...
Step 4. Go to Web Filter > Configuration > Group, click New Entry and then set as below: (Figure 16-24) Type the name in the Name field. Select the defined category from the Category drop-down list. Select the defined rule from the Upload Blocking drop-down list and the Download Blocking drop-down list.
Figure 16-24 Configuring the URL Group...
Step 5. Go to Policy > Outgoing, click New Entry and then set as below: (Figure 16-26) Select the defined group from the Web Filter drop-down list. Click OK. (Figure 16-27)
Figure 16-26 Configuring the Policy
Figure 16-27 Policy Completed...
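The following is an added example, not PLANET's code, that models how a Web Filter group built in 16.1.1 and 16.1.2 decides a request: Whitelist/Blacklist entries are keywords, complete URLs or "*" patterns as the manual describes, and the group also carries Upload/Download Blocking extensions and blocked MIME types. It assumes (the manual does not state it) that a Whitelist hit is checked before the Blacklist and that extension and MIME blocking still apply to a whitelisted site.

```python
# Added example (not PLANET's code): a model of how a CS-2001 Web Filter group
# from 16.1.1 and 16.1.2 decides a request. Entry semantics follow the manual:
# an entry is a keyword (such as "yahoo"), a complete URL, or a pattern with
# the wildcard "*"; "*" on its own matches any website. Two points are
# assumptions, not stated by the manual: a Whitelist hit is checked before the
# Blacklist, and File Extension / MIME Type blocking still applies to a
# whitelisted site.
import fnmatch
import posixpath
from dataclasses import dataclass, field
from typing import List, Optional, Set, Tuple
from urllib.parse import urlsplit


def _normalize(url: str) -> Tuple[str, str]:
    """Return (hostname, path) of a URL, lower-cased, defaulting the scheme to http."""
    if "://" not in url:
        url = "http://" + url
    parts = urlsplit(url)
    return (parts.hostname or "").lower(), parts.path or "/"


def entry_matches(entry: str, url: str) -> bool:
    """Does one Whitelist/Blacklist entry match the requested URL?"""
    entry = entry.strip().lower()
    host, path = _normalize(url)
    if entry == "*":                                  # "*" alone: any website
        return True
    if "*" in entry:                                  # wildcard host pattern, e.g. *.yahoo.com
        return fnmatch.fnmatchcase(host, entry)        # note: does not match the bare apex "yahoo.com"
    if "/" in entry:                                  # complete URL: same host and path prefix
        e_host, e_path = _normalize(entry)
        return host == e_host and path.startswith(e_path)
    return entry in host                              # plain keyword: substring of the domain name


@dataclass
class WebFilterGroup:
    whitelist: List[str] = field(default_factory=list)
    blacklist: List[str] = field(default_factory=list)
    download_blocking: Set[str] = field(default_factory=set)  # file extensions, lower-case, no dot
    upload_blocking: Set[str] = field(default_factory=set)
    mime_blocking: Set[str] = field(default_factory=set)      # e.g. "application/octet-stream"


def check_request(group: WebFilterGroup, url: str, direction: str = "download",
                  content_type: Optional[str] = None) -> Tuple[str, str]:
    """Return ("allow" | "block", reason) for a request seen by the outgoing policy."""
    reason = "no URL rule matched"
    for entry in group.whitelist:
        if entry_matches(entry, url):
            reason = f"whitelist:{entry}"
            break
    else:                                             # no Whitelist hit: consult the Blacklist
        for entry in group.blacklist:
            if entry_matches(entry, url):
                return "block", f"blacklist:{entry}"
    # File Extensions rule (Upload Blocking / Download Blocking selected in the group)
    _, path = _normalize(url)
    ext = posixpath.splitext(path)[1].lstrip(".").lower()
    blocked_exts = group.download_blocking if direction == "download" else group.upload_blocking
    if ext and ext in blocked_exts:
        return "block", f"{direction}_blocking:{ext}"
    # MIME/Script rule, applied to the Content-Type of the transfer
    if content_type:
        mime = content_type.split(";")[0].strip().lower()
        if mime in group.mime_blocking:
            return "block", f"mime_blocking:{mime}"
    return "allow", reason


# Group from 16.1.1: keywords "yahoo" and "google" in the Whitelist, "*" in the Blacklist
SITE_GROUP = WebFilterGroup(whitelist=["yahoo", "google"], blacklist=["*"])

# Group modelled on 16.1.2; the extension and MIME type values are constructed for this example
FILE_GROUP = WebFilterGroup(download_blocking={"exe", "msi"}, upload_blocking={"zip"},
                            mime_blocking={"application/octet-stream", "application/msword"})

if __name__ == "__main__":
    for url in ("http://www.yahoo.com/", "mail.google.com/inbox", "http://www.example.com/"):
        print(url, check_request(SITE_GROUP, url))
    print(check_request(FILE_GROUP, "http://files.example.com/setup.exe"))
    print(check_request(FILE_GROUP, "http://files.example.com/report.doc",
                        content_type="application/msword; charset=binary"))
    print(check_request(FILE_GROUP, "http://files.example.com/archive.zip", direction="upload"))
```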
Chapter 17 Reports
Reports provides the IT administrator with detailed statistics and logs regarding the websites accessed by users.
Terms in Setting
Periodic Report Scheduling Settings: Generates and sends out a periodic report to the designated recipient(s) based on a schedule.
History Report Retrieving Settings: Generates the report of a specific date and instantly sends it to the designated recipient(s).
Figure 17-2 A Daily Report Sent through an Email Message...
Terms in Logs
Search: Category: Available searching criteria are time, source IP address, website, classification and action. Upload: Available searching criteria are time, source IP address, website, file, rule and action. Download: Available searching criteria are time, source IP address, website, file, rule and action.
Figure 17-13 Searching for the Specific Logs
Note: 1. Under Web Filter > Reports > Logs, the Category reports can be sorted by time, source IP, website, class or action. 2. Under Web Filter > Reports > Logs, the download and upload reports can be sorted by time, source IP, website, class and action.
17.1 Statistics
Step 1. Under Web Filter > Reports > Statistics, bar charts show the report of URL blocking.
Step 2. In the upper left corner, click on a time reference from which to display the bar charts. Click on Day for bar charts derived from daily statistics; click on Week for bar charts derived from weekly statistics;...
Step 4. Below it shows the statistics report. (Figure 17-15) The Y-axis indicates the number of scanned URLs. The X-axis indicates the time.
Chapter 18 Configuration
In order to protect your network from various security threats, the device produces timely alerts and blocking mechanisms based upon anomaly flows and the inspection of packet contents.
1. To ensure signature definitions can be updated successfully, click on Test Connection to check the connection to the designated IDP definition server. 2. Once a Proxy Server is deployed, the proxy settings under System > Configuration > Settings must be configured for the CS-2001 to access the Internet.
IDP Logging Setting ...
Type 60 in the Storage Lifetime field. Click OK. (Figure 18-1)
Figure 18-1 IDP Settings
Note: 1. To enable Syslog, the IT administrator must configure the Syslog Message Settings under System > Configuration > Settings first.
When attacks are detected, the IT administrator will receive both an email notification and a NetBIOS notification. Also, a corresponding log will be available under IDP > IDP Reports > Logs. (Figure 18-2, 18-3)
Figure 18-2 An Email Notification
Figure 18-3 A NetBIOS Notification...
Note: 1. The IDP log is generated according to the “Log” setting under IDP > Signatures > Anomaly / Pre-defined / Custom.
Chapter 19 Signatures
To protect your company's network from malicious intrusions and attacks, the CS-2001 provides alerts and blocking mechanisms based upon the inspection of packets and the detection of anomaly traffic flows. Regardless of whether the attack originated internally or externally, the device ensures that legitimate network traffic remains secure and undisturbed.
Terms in Signatures
Anomaly: Available signatures are syn flood, udp flood, icmp flood, portscan and http inspect. (Figure 19-1) You may specify the action taken upon the detection of an anomaly flow. Available actions are Pass, Drop and Reject. Available alert options are Log and Alert.
Figure 19-1 Anomaly Settings...
Pre-defined: Available signatures are Attack Responses, Backdoor, Bad Traffic, Chat, DDoS, DNS, DoS, Exploit, Finger, FTP, ICMP, IMAP, Info, Misc, MySQL, NetBIOS, NNTP, Oracle, Policy, POP2, POP3, Porn, RPC, Rservices, Scan, Shellcode, SMTP, SNMP, Spyware, SQL, Telnet, TFTP, Web CGI, Web Client, Web Coldfusion, Web Frontpage, Web IIS, Web Misc, Web PHP, X11 and Other.
Note: 1. All the signatures under IDP > Signatures > Pre-defined are processed according to the Default Settings for Each Risk Level under IDP > Configuration > Settings. However, after configuring the settings under IDP > Configuration > Settings, the user may go to IDP > Signatures >...
Name: The name of the signature.
Protocol: Determines which IP version (IPv4, IPv6) and communication protocol to detect and protect.
Source IP / Netmask: The IP address / netmask where the attack is from.
Source Port: The port number where the attack is from.
19.1 Example
19.1.1 Adopting Packet Inspection along with Custom and Pre-Defined Signatures to Detect and Prevent Intrusion
Step 1. Under IDP > Configuration > Settings, set as below: (Figure 19-3)
Figure 19-3 IDP Settings...
Step 2. Go to IDP > Signatures > Anomaly and then set as below: (Figure 19-4) Enable the signatures and configure the settings. Click OK.
Figure 19-4 Anomaly Settings...
Step 3. Under IDP > Signatures > Pre-defined, set as below: (Figure 19-5) Select the signatures. Click OK.
Figure 19-5 Pre-Defined Settings...
Step 4. Go to IDP > Signatures > Custom and set as below: (Figure 19-6) Type the name in the Name field. Select IPv4 for IP Version and TCP for Communication Protocol. Type the Source Port No. ...
Note: 1. You may type a word string in the Content Pattern field, or convert it to hexadecimal ASCII code and then paste it into the field. (E.g., the word “cracks” can also be converted to |63 72 61 63 6b 73|)
Step 5.
Figure 19-8 Applying the IDP to the Policy...
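The Content Pattern notation used in Step 4 (a text string, or its hexadecimal ASCII form between pipes such as |63 72 61 63 6b 73|), worked through as an added example that is not PLANET's code: it converts text to the pipe form, expands a pattern that mixes text and hex sections back into bytes, and applies a Custom signature with the Step 4 header fields to constructed packets. The match order, the Pass default and the packet dictionaries are assumptions of this model.

```python
# Added example (not PLANET's code): the Content Pattern notation the CS-2001
# Custom signature accepts, where a text string may be written as "|63 72 61 63 6b 73|"
# (hexadecimal ASCII between pipes), plus a minimal matcher that applies such a
# signature to constructed packets. The CustomSignature fields mirror the Step 4
# form (IP version, communication protocol, source/destination port, content
# pattern); the match order and the Pass default are assumptions of this model.
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

_HEX_SECTION = re.compile(r"\|([0-9A-Fa-f ]*)\|")


def to_hex_pattern(text: str) -> str:
    """Render a text pattern in the |xx xx ...| form, as the manual does for "cracks"."""
    return "|" + " ".join(f"{b:02x}" for b in text.encode("ascii")) + "|"


def parse_content_pattern(pattern: str) -> bytes:
    """Expand a Content Pattern, which may mix literal text and |hex| sections, into raw bytes."""
    out = bytearray()
    pos = 0
    for m in _HEX_SECTION.finditer(pattern):
        out += pattern[pos:m.start()].encode("latin-1")   # literal text before the hex section
        digits = m.group(1).replace(" ", "")
        if len(digits) % 2:
            raise ValueError(f"odd number of hex digits in {m.group(0)!r}")
        out += bytes.fromhex(digits)                       # hex section, e.g. |0d 0a| -> b"\r\n"
        pos = m.end()
    out += pattern[pos:].encode("latin-1")                 # trailing literal text
    return bytes(out)


@dataclass
class CustomSignature:
    name: str
    content_pattern: str
    ip_version: int = 4
    protocol: str = "TCP"
    src_port: Optional[int] = None     # None: any port, like leaving the field empty
    dst_port: Optional[int] = None
    action: str = "Drop"               # Pass / Drop / Reject, as in the Anomaly settings

    def matches(self, pkt: Dict) -> bool:
        """Header fields must all agree; then the expanded pattern must occur in the payload."""
        if pkt["ip_version"] != self.ip_version:
            return False
        if pkt["protocol"].upper() != self.protocol.upper():
            return False
        if self.src_port is not None and pkt["src_port"] != self.src_port:
            return False
        if self.dst_port is not None and pkt["dst_port"] != self.dst_port:
            return False
        return parse_content_pattern(self.content_pattern) in pkt["payload"]


def inspect(signatures: List[CustomSignature], pkt: Dict) -> str:
    """Return the action of the first matching signature, or "Pass" when none matches."""
    for sig in signatures:
        if sig.matches(pkt):
            return sig.action
    return "Pass"


# Constructed packets for the demonstration (not captured traffic)
HIT = {"ip_version": 4, "protocol": "tcp", "src_port": 51234, "dst_port": 80,
       "payload": b"GET /cracks/index.html HTTP/1.1\r\nHost: example.test\r\n\r\n"}
MISS_PAYLOAD = dict(HIT, payload=b"GET /index.html HTTP/1.1\r\n\r\n")
MISS_PROTO = dict(HIT, protocol="udp")

SIGNATURES = [
    CustomSignature("cracks-url", "GET /|63 72 61 63 6b 73|/", dst_port=80, action="Drop"),
]

if __name__ == "__main__":
    print(to_hex_pattern("cracks"))                       # |63 72 61 63 6b 73|
    print(parse_content_pattern("GET /|63 72 61 63 6b 73|/"))
    for label, pkt in (("hit", HIT), ("miss payload", MISS_PAYLOAD), ("miss protocol", MISS_PROTO)):
        print(label, inspect(SIGNATURES, pkt))
```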
Chapter 20 IDP Report
CS-2001 provides you with a comprehensive IDP report in both statistics and logs. With their help, you can get a clear view of the network security status.
Terms in Settings
Periodic Report Scheduling Settings: Generates and sends out the periodic report to the designated recipient(s) on schedule.
History Report Scheduling Settings: Generates the report of a specific date and instantly sends it to the designated recipient(s).
Terms in Logs
Search: Available search criteria are date, event, signature category, attacker IP, victim IP, interface and risk level. Go to IDP > IDP Reports > Logs, click the Search icon and then set as below: Enable the searching duration and specify a period of time.
20.1 Statistics
Step 1. Go to IDP > IDP Reports > Statistics to view a full-scale IDP report in statistics.
Step 2. In the upper left corner, click Day to see the daily statistics report, click Week to see the weekly statistics report, click Month to see the monthly statistics report, click Year to see the yearly statistics report.
20.2 Logs
Under IDP > IDP Reports > Logs, the IDP status is shown.
Note: 1. The symbols used in Logs. Process: Allow; Drop, Reject. Risk Level: High Risk; Medium Risk; Low Risk...
Chapter 21 Web VPN / SSL VPN
Since the Internet is in widespread use these days, the demand for secure remote connections is increasing. To meet this demand, SSL VPN provides the best solution. By using SSL VPN from a standard browser, clients can transfer data securely through the SSL security protocol without the need to install any software or hardware.
Terms in VPN
DES: DES, an acronym for Data Encryption Standard, is a cipher that was selected by NIST (National Institute of Standards and Technology) and uses a 56-bit key for encryption.
3DES: 3DES, an acronym for Triple Data Encryption Standard, provides significantly enhanced security by executing the core DES algorithm three times in a row; it is more difficult to break than DES and uses a 168-bit key size.
Hardware Auth.: The IT administrator may enable the PCs listed under Web VPN / SSL VPN > Hardware Auth by adding them to the Selected Hardware column under Web VPN / SSL VPN > Settings.
1. Hardware authentication removes the need for users to enter a username and password every time they wish to establish an SSL VPN connection with the CS-2001. However, the first time a user tries to establish an SSL VPN connection, they will be requested to enter a username and password.
21.1 Example
21.1.1 Configuring Web / SSL VPN Connection Settings for External Clients
Step 1. Go to Interface > WAN and activate the HTTPS function. (Figure 21-2)
Figure 21-2 WAN Interface
Step 2. Go to Policy Object > Authentication > Account / Group and then set as below: (Figure 21-3, 21-4)...
Step 3. Go to Web VPN / SSL VPN > Settings and then set as below: Click Modify. (Figure 21-5) Tick Enable Web VPN / SSL VPN. Select the IP Version. Enter the Client IP address / netmask. ...
Figure 21-7 Web VPN / SSL VPN Authentication Settings
Figure 21-8 Web VPN / SSL VPN Authentication Completed...
Step 4. Go to Policy > Incoming and then set as below: (Figure 21-9) Select the defined Web VPN / SSL VPN from the VPN Trunk drop-down list. Click OK. (Figure 21-10)
Figure 21-9 Configuring an Incoming Policy with Web VPN / SSL VPN
Figure 21-10 Policy Created...
Step 5. Configure the setting from a browser: In the URL field, type the CS-2001 interface address followed by sslvpn or webvpn, for example https://61.11.11.11/sslvpn or https://61.11.11.11/webvpn. Click Yes in the Security Alert window. (Figure 21-11) Click Yes in the Warning – Security window.
(Figure 21-17)
Figure 21-17 Web VPN / SSL VPN Connection Status
Step 7. Under Web VPN / SSL VPN > Hardware Auth, the connection status between the CS-2001 and the users is displayed. (Figure 21-18)
Figure 21-18 The Authentication User List...
Step 8. Go to Web VPN / SSL VPN > Settings and then set as below: (Figure 21-19) Click Modify. Move the hardware from the Available Hardware column to the Selected Hardware column. Click OK. (Figure 21-20)
Figure 21-19 Configuring Authentication User / Group...
Figure 21-20 Setting Completed
Step 9. When a user establishes an SSL VPN connection through the CS-2001, their hardware can be directly authenticated without the need for a username and password.
Note: 1. When hardware authentication and user/group authentication are both enabled, the device will first try to authenticate by hardware authentication and will perform the following: If the user’s PC hardware information is under Web VPN / SSL VPN > Settings, then the user is permitted to establish a Web VPN connection.
Chapter 22 Configuration
IM Recording can help you record and monitor the use of MSN and QQ messenger. This can prevent productivity losses from personal use and confidentiality breaches from information leaks.
Invalid Password: The user’s password is invalid. The CS-2001 device may not be able to record the user’s use of QQ messenger.
2. The CS-2001 will authenticate the user’s account and password when the user attempts to log into the QQ messenger.
22.1 Example
22.1.1 Recording the Use of MSN / QQ Messenger
Step 1. Users may log into the Web User Interface to add their own account. (Enter the management IP address appended with qq, e.g., http://192.168.1.1/qq) (Figure 22-1, 22-2)
Figure 22-1 Entering the QQ Account and Password...
Figure 22-2 Account Added
Note: 1. The IT administrator may add new users under IM Recording > Configuration > QQ Account Manager.
Step 2. The added user is listed under IM Recording > Configuration > QQ Account Manager: Tick Block QQ access with an invalid password. Click OK. The newly added user has not yet been authenticated. (Figure 22-3) ...
Note: 1. Users may go to the Web user interface to change their password on their own. (Enter the management IP address appended with qq, e.g., http://192.168.1.1/qq) (Figure 22-5)
Figure 22-5 Modifying the Password...
Step 3. Go to Policy > Outgoing and set as below: (Figure 22-6) Enable IM Recording. Click OK. (Figure 22-7)
Figure 22-6 Creating an Outgoing Policy with IM Recording...
Chapter 23 Reports
The records of MSN and QQ messengers are shown in the form of easy-to-read logs and statistics.
Terms in Settings
Periodic Report Scheduling Settings: Generates and sends out the periodic report to the designated recipient(s) on schedule.
Figure 23-6 Weekly IM Statistics Report
Terms in Message History
Search: Available search criteria are date, time range, IM type, username, account, participants, message content and transferred file name. Configure the Email Notification Settings under System > Configuration >...
Click Search. (Figure 23-7) Click Send Report. The report is sent to the designated recipient(s). (Figure 23-8, 23-9) To store the search results on the local computer, click the Download Report button. (Figure 23-10)
Figure 23-7 Searching the Specific Logs
Note: The logs under IM Recording >...
Figure 23-8 Receiving the Search Results
Figure 23-9 The Search Results
Note: You may click the number under the icon to see the messages sent by the participants.
Figure 23-10 Downloading the Search Results
23.1 Statistics
Step 1. IM Recording > Reports > Statistics shows a comprehensive statistical report.
Step 2. In the upper left corner, click Day to see the daily report; click Week to see the weekly report; click Month to see the monthly report; click Year to see the yearly report.
Figure 23-11 IM Recording Statistical Report...
23.2 Message History
Step 1. IM Recording > Reports > Message History shows the logs of users’ conversations. (Figure 23-12)
Figure 23-12 IM Conversation Logs...
Chapter 24 Policy
CS-2001 inspects each packet passing through the device to see if it meets the criteria of any policy. Every packet is processed according to the designated policy; consequently, any packet that does not meet the criteria will not be permitted to pass.
1. CS-2001 only processes packets accepted by a policy. Therefore, wherever the connection is made, regardless of the network type (LAN, WAN or DMZ), there must be policies configured for each of these networks. 2. CS-2001 adopts a VPN trunk in the policy to manage the packet transmission and reception of VPN connections.
Terms in Policy
Source Address & Destination Address: Source address and destination address are defined using the device as the point of reference. The initiating point of a session is referred to as the source address.
Service: The service to be regulated.
Authentication: Requires users to be authenticated to create a connection.
VPN Trunk: This is where you apply the policy to regulate the session packets of IPSec or PPTP VPN.
Action: Determines over which WAN interface(s) packets are permitted to pass through (see the table below).
Web App Firewall: Regulates and filters all web applications.
Anti-Virus: Filters viruses contained within files transferred over the HTTP / Web-Based Mail / FTP / SMTP / POP3 protocols.
Priority: When processing packets, CS-2001 inspects each packet to see if it matches the criteria of existing policies. The packet-to-policy inspection is performed in the priority order of the policies. Therefore, in order to optimize the process, you may rearrange the priority of policies by changing the figure in the pull-down menu of each policy.
24.1 Example
24.1.1 Outgoing: Creating a Policy to Monitor the Internet Access of LAN Users
24.1.2 Outgoing: Creating a Policy to Restrict the Access to Specific Web Sites
24.1.3 Outgoing: Creating a Policy to Grant Internet Access to Only Authenticated Users on Schedule
24.1.4 Incoming...
24.1.1 Creating a Policy to Monitor the Internet Access of LAN Users
Step 1. Go to Policy > Outgoing and then set as below: (Figure 22-1) Enable the Packet Logging. Enable the Traffic Grapher. Click OK. (Figure 22-2)
Figure 22-1 Enabling Packet Logging and Traffic Grapher
Figure 22-2 Setting Completed...
Click any Source IP or Destination IP for sessions accessed through the IP address that you click on. For details of all sessions accessed through CS-2001, go to Monitoring > Logs > Traffic on the main menu. (Figure 22-4)...
Figure 22-4 Traffic Shown in Log Screen...
Step 3. Under Monitoring > Traffic Grapher > Policy-Based Traffic, the traffic flow is displayed graphically, giving you an instant insight into the traffic status. (Figure 22-5)...
24.1.2 Creating a Policy to Restrict the Access to Specific Web Sites
Step 1. Go to Web Filter > Configuration > Whitelist / Blacklist / File Extensions / MIME/Script / Group and then set as below: (Figure 22-6, 22-7, 22-8, 22-9, 22-10)
Figure 22-6 Whitelist Settings
Figure 22-7 Blacklist Settings
Figure 22-8 File Extensions Settings...
Step 2. Go to Policy Object > Application Blocking > Settings and then set as below: (Figure 22-11, 22-12)
Figure 22-11 Application Blocking Settings
Figure 22-12 Setting Completed
Note: 1. Script blocking is used for blocking certain functional features of a web site, such as Java, cookies, and so on. 2. Application Blocking is used for blocking Instant Messenger, Peer-to-Peer Application, Video/Audio Application, Webmail, Game Application, Tunnel Application, Remote Control Application and other applications.
Step 3. Go to Policy Object > Address > WAN / WAN Group and then set as below: (Figure 22-13, 22-14)
Figure 22-13 WAN Interface Setting
Figure 22-14 WAN Group Setting...
Step 4. Go to Policy > Outgoing and then set as below: (Figure 22-15) Select the defined group from the Destination Address field. Select Deny All for Action. Click OK.
Figure 22-15 Creating an Outgoing Policy to Deny Access...
Step 5. Go to Policy > Outgoing and then set as below: (Figure 22-16) Select the defined group from the Web Filter drop-down list. Select the defined rule from the Application Blocking drop-down list. Click OK. (Figure 22-17)
Figure 22-16 Applying Application Blocking to the Policy
Figure 22-17 Policy Created
Note:...
24.1.3 Creating a Policy to Grant Internet Access to Only Authenticated Users on Schedule
Step 1. Go to Policy Object > Schedule > Settings and then set as below: (Figure 22-18)
Figure 22-18 Schedule Settings
Step 2. Go to Policy Object > Authentication > Account / Group and then set as below: (Figure 22-19)...
Figure 22-20 Applying the Schedule and Authentication to the Policy
Figure 22-21 Policy Completed...
24.1.4 Creating a Policy to Enable a Remote User to Control a LAN PC with Remote Control Software (pcAnywhere)
Step 1. Set up a computer to be remotely controlled; its IP address is 192.168.1.2.
Step 2. Under Policy Object > Virtual Server > Port Mapping, set as below: (Figure 22-22)...
Step 3. Under Policy > Incoming, set as below: (Figure 22-23) Select the defined Virtual Server for Destination Address. Select PC-Anywhere(5629-5632) for Service. Click OK. (Figure 22-24)
Figure 22-23 Creating an Incoming Policy to Enable a LAN PC to be Remotely Controlled
Figure 22-24 Policy Completed...
24.1.5 Creating a Policy to Limit the Bandwidth, Daily Total Traffic Amount and Maximum Concurrent Sessions of an Incoming Session to an FTP Server (A NAT Mode Example)
Step 1. Set up an FTP server in the DMZ; the server IP address is 192.168.3.2. (The DMZ subnet addresses range from 192.168.3.1/24)
Step 2.
Step 4. Go to Policy > WAN to DMZ and then set as below: (Figure 22-27) Select the defined rule from the Destination Address drop-down list. Select FTP(18-21) from the Service drop-down list. Select the defined rule from the QoS drop-down list. ...
Figure 22-28 A WAN-to-DMZ Policy Created...
24.1.6 Creating a Policy to Enable LAN / WAN Users to Have Email Access (A Transparent Mode Example)
Step 1. Set up a mail server in the DMZ. Next, point it to the external DNS server and then set its IP address to 61.11.11.12.
Step 2.
Step 4. Under Policy > WAN To DMZ, set as below: (Figure 22-31) Select the defined DMZ rule for Destination Address. Select the defined service for Service. Click OK. (Figure 22-32)
Figure 22-31 A WAN-to-DMZ Policy for Granting Email Access to WAN Users
Figure 22-32 A WAN-to-DMZ Policy for Granting Email Access to WAN Users Completed...
Step 5. Under Policy > LAN To DMZ, set as below: (Figure 22-33) Select the defined DMZ entry for Destination Address. Select the defined service for Service. Click OK. (Figure 22-34)
Figure 22-33 A LAN-to-DMZ Policy for Granting Email Access to LAN Users
Figure 22-34 A LAN-to-DMZ Policy for Granting Email Access to LAN Users Completed...
Step 6. Under Policy > DMZ To WAN, set as below: (Figure 22-35) Select the defined rule for Source Address. Select the defined rule for Service. Click OK. (Figure 22-36)
Figure 22-35 A DMZ-to-WAN Policy for Granting Email Access to WAN Users
Figure 22-36 A DMZ-to-WAN Policy for Granting Email Access to WAN Users Completed...
Chapter 25 Anomaly Flow IP
Once an anomaly traffic flow is detected, CS-2001 will take action to block the flow of packets. This protection ensures that the network remains operational, and consequently the business’s revenue-generating opportunities are left undisturbed.
25.1 Example
25.1.1 Configuration for Alerts and the Blocking of Internal DDoS Attacks
Step 1. Go to System > Configuration > Settings and then configure the settings under the Email Notification Settings section.
Step 2. Go to System > Configuration > SNMP and then configure the settings under the SNMP Trap Settings section.
Step 3. Go to Anomaly Flow IP > Settings and then set as below: (Figure 23-2) Enter the Traffic Threshold per IP. (The default value is 100) Tick Enable Anomaly Flow IP Blocking and then type the Blocking Time.
Step 4. When a DDoS attack occurs, CS-2001 generates a corresponding log under Anomaly Flow IP > Virus-infected IP and, if NetBIOS Notification is enabled, sends a NetBIOS broadcast to both the victim user and the IT administrator to warn about the attack.
Step 6. Internal users will see an alert message upon opening a web browser after being infected by a computer virus. CS-2001 limits virus-infected users’ bandwidth to a minimum in order to oblige users to take action to remove the virus.
Note: The alert message appears to virus-infected users only the first time they open a web browser after the infection.
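How the two Step 3 settings, Traffic Threshold per IP (default 100) and Blocking Time, interact, as an added example that is not PLANET's code: a per-source-IP sliding-window counter that blocks a host once it exceeds the threshold, drops its traffic for the blocking time, then releases it, with log entries standing in for the Virus-infected IP log. The manual does not state the threshold's unit; this model assumes new sessions per second, and the replayed traffic is constructed.

```python
# Added example (not PLANET's code): a sliding-window model of the Anomaly Flow IP
# settings from Step 3: a Traffic Threshold per IP (default 100) and a Blocking
# Time. The manual does not state the unit of the threshold; this model assumes
# new sessions per second. Log entries stand in for the "Virus-infected IP" log.
from collections import defaultdict, deque
from typing import Deque, Dict, List, Tuple


class AnomalyFlowDetector:
    def __init__(self, threshold_per_ip: int = 100, blocking_time: float = 600.0,
                 window: float = 1.0) -> None:
        self.threshold = threshold_per_ip
        self.blocking_time = blocking_time      # seconds an offending IP stays blocked
        self.window = window                    # seconds over which sessions are counted
        self._sessions: Dict[str, Deque[float]] = defaultdict(deque)
        self._blocked_until: Dict[str, float] = {}
        self.log: List[Tuple[float, str, str]] = []   # (time, source IP, event)

    def is_blocked(self, src_ip: str, now: float) -> bool:
        until = self._blocked_until.get(src_ip)
        if until is None:
            return False
        if now >= until:                        # Blocking Time elapsed: release the IP
            del self._blocked_until[src_ip]
            self.log.append((now, src_ip, "unblocked"))
            return False
        return True

    def observe(self, src_ip: str, now: float) -> str:
        """Account one new session from src_ip at time `now`.
        Returns "drop" (IP currently blocked), "block" (threshold just exceeded) or "pass"."""
        if self.is_blocked(src_ip, now):
            return "drop"
        q = self._sessions[src_ip]
        q.append(now)
        while q and now - q[0] > self.window:   # forget sessions older than the window
            q.popleft()
        if len(q) > self.threshold:
            self._blocked_until[src_ip] = now + self.blocking_time
            q.clear()
            self.log.append((now, src_ip, f"anomaly flow: {self.threshold + 1} sessions "
                                          f"within {self.window}s, blocked for {self.blocking_time}s"))
            return "block"
        return "pass"


def simulate(threshold: int = 100, blocking_time: float = 600.0) -> Dict[str, List[str]]:
    """Replay constructed traffic: one host opens 120 sessions in 0.6 s while another browses
    normally. Returns the per-IP verdict sequence so the behaviour can be checked."""
    det = AnomalyFlowDetector(threshold, blocking_time)
    verdicts: Dict[str, List[str]] = defaultdict(list)
    for i in range(120):
        verdicts["192.168.1.50"].append(det.observe("192.168.1.50", 0.005 * i))
    for i in range(5):
        verdicts["192.168.1.51"].append(det.observe("192.168.1.51", 0.1 * i))
    # after Blocking Time has elapsed the flooding host is allowed through again
    verdicts["192.168.1.50"].append(det.observe("192.168.1.50", blocking_time + 1.0))
    return dict(verdicts)


if __name__ == "__main__":
    for ip, v in simulate().items():
        print(ip, v.count("pass"), "pass", v.count("block"), "block", v.count("drop"), "drop")
```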
Chapter 26 Inbound Balancing
The CS-2001 provides enterprises with Inbound Load Balancing. It ensures uninterrupted access for external users to the company's servers. If one WAN link fails, incoming traffic will be redirected to another WAN link. In addition, inbound flows can be distributed to each port according to the regulated weighting and priority of each port, ensuring the quality of the connection.
IP addresses with meaningful and more easily readable English hostnames, such as ccu.edu.tw, planet.com.tw. We are all familiar with website addresses. For example, if we want to browse yahoo's website we just type www.yahoo.com into a browser to see the...
Table 24-1 Domain Name and IP Address Mapping Table
Domain Name       Type   IP Address
host1.nu.net.tw          61.11.11.12
host2.nu.net.tw          61.11.11.13
host2.nu.net.tw          211.22.22.23
Domain names can be mapped to more than one IP address. The table above indicates that host2 is mapped to two IP addresses, so it lists two entries corresponding to host2.
Suppose a user wants to send an email to mary@mail.nu.net.tw. The user is using test.com.tw as its SMTP server. The DNS records will be queried on this server to determine where to send the email destined for mail.nu.net.tw. The following table shows the MX record resulting from the query: (Table 24-4)...
pointer records of the reverse database, this IP address is stored as the domain name 12.11.11.61.in-addr.arpa pointing back to its designated hostname.
IPv6 uses PTR records as well. For example, host33.nu.net.tw points to FEC0::2AA:FF:FE3F:2A1C (FEC0:0000:0000:0000:02AA:00FF:FE3F:2A1C); in the pointer records of the reverse database, this IP address is stored as the domain name C.1.A.2.F.3.E.F.F.F.0.0.A.A.2.0.0.0.0.0.0.0.0.0.0.0.0.0.0.C.E.F.IP6.INT. pointing back to its designated hostname. For example, use the nslookup command to verify that DNS lookup functions normally.
Further Description
DNS pointers are used to indicate which DNS server holds all the associated DNS records for a domain. Any specific information can be obtained from the DNS server, such as the physical address of a website or mail server. Thus, the DNS server must be reliably connected to the Internet and accurate DNS records must be maintained.
Note: 1. The DNS must point to fixed IPs.
Under Advance > Inbound Balancing > Settings, configure the DNS settings as listed below: (Table 24-6)
Table 24-6 Domain Name and IP Address Mapping Table
Domain Name   Type   IP Address     Reverse   Weight   Priority
nu.net.tw            61.11.11.11
nu.net.tw            211.22.22.22
The Secondary DNS server can act as a substitute if the primary DNS server develops a fault, allowing the domain name to remain functioning.
Configure the DNS settings as listed below: (Table 24-7)
Table 24-7 CNAME Record of www.nu.net.tw
Domain Name     Type    IP Address      Weighting   Priority
web.nu.net.tw           61.11.11.11
web.nu.net.tw           211.22.22.22
www.nu.net.tw   CNAME   web.nu.net.tw
According to Table 24-7, use the nslookup command to verify the result of forward DNS lookup and reverse DNS lookup: C:\>nslookup Default Server:dns.hinet.net...
As seen from Table 24-7, it can be inferred that when browsing www.nu.net.tw, visitors are directed to different servers according to their browsing sequence. The 1st user accesses the server via 61.11.11.11. The 2nd user accesses the server via 211.22.22.22. The 3rd user accesses the server via 211.22.22.22.
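The reverse (PTR) names quoted above, 12.11.11.61.in-addr.arpa and the nibble-reversed IPv6 name, derived in code, together with the forward/reverse consistency check the chapter performs with nslookup, as an added example that is not PLANET's code. It runs against constructed zone data modelled on Table 24-1 rather than a live server, and its ip6_suffix defaults to the current ip6.arpa zone while the manual's example uses the older ip6.int suffix.

```python
# Added example (not PLANET's code): how the reverse (PTR) names quoted in this
# chapter are derived from an address, and a forward/reverse consistency check of
# the kind the manual performs with nslookup, run here against constructed zone
# data instead of a live server. ip6_suffix defaults to the current "ip6.arpa"
# zone; the manual's example uses the older "ip6.int" suffix.
import ipaddress
from typing import Dict, List, Tuple


def reverse_name(address: str, ip6_suffix: str = "ip6.arpa") -> str:
    """PTR owner name for an IPv4 or IPv6 address.
    IPv4: octets reversed under in-addr.arpa (61.11.11.12 -> 12.11.11.61.in-addr.arpa).
    IPv6: all 32 nibbles of the expanded address, reversed, under the ip6 suffix."""
    ip = ipaddress.ip_address(address)
    if ip.version == 4:
        return ".".join(reversed(ip.exploded.split("."))) + ".in-addr.arpa"
    nibbles = ip.exploded.replace(":", "")        # 32 hex digits, leading zeros kept
    return ".".join(reversed(nibbles)) + "." + ip6_suffix


# Constructed forward and reverse data modelled on Table 24-1 (not real DNS records).
# The PTR for 211.22.22.23 is deliberately missing to show what the check reports.
FORWARD: Dict[str, List[str]] = {
    "host1.nu.net.tw": ["61.11.11.12"],
    "host2.nu.net.tw": ["61.11.11.13", "211.22.22.23"],
    "host33.nu.net.tw": ["FEC0::2AA:FF:FE3F:2A1C"],
}
REVERSE: Dict[str, str] = {
    reverse_name("61.11.11.12"): "host1.nu.net.tw",
    reverse_name("61.11.11.13"): "host2.nu.net.tw",
    reverse_name("FEC0::2AA:FF:FE3F:2A1C"): "host33.nu.net.tw",
}


def check_forward_reverse(forward: Dict[str, List[str]],
                          reverse: Dict[str, str]) -> List[Tuple[str, str, str]]:
    """Return (hostname, address, problem) for every A/AAAA record whose PTR is absent
    or points to a different hostname; an empty list means forward and reverse agree."""
    problems = []
    for host, addresses in forward.items():
        for addr in addresses:
            ptr = reverse.get(reverse_name(addr))
            if ptr is None:
                problems.append((host, addr, "no PTR record"))
            elif ptr.lower().rstrip(".") != host.lower().rstrip("."):
                problems.append((host, addr, f"PTR points to {ptr}"))
    return problems


if __name__ == "__main__":
    print(reverse_name("61.11.11.12"))
    print(reverse_name("FEC0::2AA:FF:FE3F:2A1C", ip6_suffix="ip6.int"))
    for problem in check_forward_reverse(FORWARD, REVERSE):
        print("mismatch:", *problem)
```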
26.1 Example Application Environment Page 26.1.1 Creating an A Record to Load Balance a Web Server Using the Backup Mode 26.1.2 Creating an A Record to Load Balance a Web Server Using the Round-Robin Mode 26.1.3 Creating a CNAME Record to Load Balance a Web Server Using the Round-Robin Mode 26.1.4 Creating a MX Record to Load Balance a Mail Server Using the Round-Robin Mode...
Page 721
26.1.1 Creating an A Record to Load Balance a Web Server Using the Backup Mode Step 1. Go to Advance > Inbound Balancing > Settings and proceed with the following settings: Click New Entry. (Figure 24-2) Type the domain name. ...
Page 722
Figure 24-3 The First Inbound Balance Configuration...
Page 723
Figure 24-4 The Second Inbound Balance Configuration Figure 24-5 The Completed Settings Note: 1. If @ is entered in the Hostname field, then it will be the defined domain name. In this example, it is supportplanet.com.tw. 2. ”.” indicates fully qualified domain name (FQDN). For example, if www is entered in the Hostname field, then it will be www.supportplanet.com.tw.
Step 2. Go to Policy Object > Virtual Server > Port Mapping and set as below: (Figure 24-6, 24-7)
Figure 24-6 Server 1 Settings
Figure 24-7 Server 2 Settings...
Step 3. Go to Policy > Incoming and set as below:
Click New Entry. (Figure 24-8)
For Destination Address, select [Virtual Server IP] Web_Server(61.11.11.11).
For Service, select HTTP(80).
Click OK.
Click New Entry. (Figure 24-9) ...
Figure 24-9 Configuring the First Settings of an Incoming Policy
Figure 24-10 The Completed Policy Settings...
Step 4. Settings complete. If WAN 1 goes down, WAN 2 ensures that users' access to the web server remains uninterrupted. (Figure 24-11)
Figure 24-11 Web Server Backup Deployment...
26.1.2 Creating an A Record to Load Balance a Web Server Using the Round-Robin Mode
Step 1. Go to Advance > Inbound Balancing > Settings and proceed with the following settings:
Click New Entry. (Figure 24-12)
In the Domain Name field, enter the domain that you obtained from your ISP.
Figure 24-13 The First Inbound Balance Settings Figure 24-14 The Second Inbound Balance Configuration Figure 24-15 Setting Completed...
Step 2. Go to Policy Object > Virtual Server > Port Mapping and set as below: (Figure 24-16, 24-17)
Figure 24-16 Server 1 Settings
Figure 24-17 Server 2 Settings...
Step 3. Go to Policy > Incoming and proceed with the following settings:
Click New Entry. (Figure 24-18)
Select the defined rule ([Virtual IP]Web_Server(61.11.11.11)) for Destination Address.
Select HTTP(80) for Service.
Click OK.
Click New Entry. (Figure 24-19)...
Figure 24-19 Configuring the Second Policy Settings Figure 24-20 Policy Completed...
Step 4. Setting completed. (Figure 24-21)
Figure 24-21 The Round-Robin Deployment
Note:
1. Inbound Balance Settings: (Table 24-9)

Name                       Type   Address        Weight   Priority
www.supportplanet.com.tw          61.11.11.11
www.supportplanet.com.tw          211.22.22.22

Table 24-9 Web Server Weight and Priority Settings

The weight and priority values distribute the access as below: ...
cycle restarted)
The 5th user accesses the server via 211.22.22.22.
The 6th user accesses the server via 211.22.22.22.
26.1.3 Creating a CNAME Record to Load Balance a Web Server Using the Round-Robin Mode
Step 1. Go to Advance > Inbound Balancing > Settings and set as below:
Click New Entry. (Figure 24-22)
In the Domain Name field, enter the domain name you applied for from your ISP.
Figure 24-23 The First Inbound Balance Settings Figure 24-24 The Second Inbound Balance Settings Figure 24-25 CNAME(Alias) Settings...
Step 2. Go to Policy Object > Virtual Server > Port Mapping and set as below: (Figure 24-27, 24-28)
Figure 24-27 Server 1 Settings
Figure 24-28 Server 2 Settings...
Step 3. Go to Policy > Incoming and set as below:
Click New Entry. (Figure 24-29)
Select the defined rule ([Virtual IP]Web_Server(61.11.11.11)) for Destination Address.
Select HTTP(80) for Service.
Click OK.
Click New Entry. (Figure 24-30)...
Figure 24-30 Configuring the Second Policy Settings Figure 24-31 Adding the Second Policy...
Step 4. Setup completed. (Figure 24-32)
Figure 24-32 Web Server Deployment Using CNAME
Note:
1. The settings for Inbound Balancing: (Table 24-10)

Name                       Type    Address                    Weight   Priority
web.supportplanet.com.tw           61.11.11.11
web.supportplanet.com.tw           211.22.22.22
www.supportplanet.com.tw   CNAME   web.supportplanet.com.tw

Table 24-10 The Web Servers' Weight, Priority and CNAME Settings ...
The 4th user accesses the server via 61.11.11.11 (the round-robin priority distribution cycle has restarted).
The 5th user accesses the server via 211.22.22.22.
The 6th user accesses the server via 211.22.22.22.
26.1.4 Creating an MX Record to Load Balance a Mail Server Using the Round-Robin Mode
Step 1. Go to Advance > Inbound Balancing > Settings and set as below:
Click New Entry. (Figure 24-33)
Enter the Domain Name. ...
Figure 24-34 The First Inbound Balance Settings Figure 24-35 The Second Inbound Balance Settings Figure 24-36 The MX(Mail eXchanger) Settings...
Step 2. Go to Policy Object > Virtual Server > Port Mapping and set as below: (Figure 24-38, 24-39, 24-40, 24-41)
Figure 24-38 The First Setting of Server
Figure 24-39 The Second Setting of Server...
Figure 24-40 The Third Setting of Server Figure 24-41 The Fourth Setting of Server...
Step 3. Go to Policy > Incoming and set as below:
Click New Entry. (Figure 24-42)
Select the defined rule ([Virtual IP]Mail_Server_POP3(61.11.11.11)) for Destination Address.
Select POP3(110) for Service.
Click OK.
Click New Entry. (Figure 24-43)...
Figure 24-43 The Second Policy Settings Figure 24-44 The Third Policy Settings...
Step 4. Setup completed. (Figure 24-47)
Figure 24-47 The Mail Server Deployment
Note: (Table 24-11)
1. Settings for Inbound Balancing:

Name                         Type   Address                     Weight   Priority
main.supportplanet.com.tw           61.11.11.11
main.supportplanet.com.tw           211.22.22.22
mail.supportplanet.com.tw.          main.supportplanet.com.tw

Table 24-11 The MX Server's Weight and Priority Settings ...
The 2nd user accesses the server via 211.22.22.22.
The 3rd user accesses the server via 211.22.22.22 (the round-robin priority distribution cycle has finished).
The 4th user accesses the server via 61.11.11.11 (the round-robin priority distribution cycle has restarted).
The 5th user accesses the server via 211.22.22.22. ...
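The answer order described in sections 26.1.2 to 26.1.4 (one visitor to 61.11.11.11, then two to 211.22.22.22, then the cycle restarts), together with the backup mode of 26.1.1, can be reproduced with the following simulation. It is an added example, not PLANET's code: the weights (1 and 2) and priorities it uses are assumptions, because the manual's tables do not show those columns; the CNAME and MX rows come from Tables 24-10 and 24-11.

```python
"""Simulation of how the CS-2001 picks the answer to an inbound DNS query in the
balancing examples of sections 26.1.1 to 26.1.4.  Added illustration, not PLANET
code.  Assumed values (the manual's tables do not show these columns): weight 1
for 61.11.11.11 and weight 2 for 211.22.22.22, the smallest weights that give the
61 / 211 / 211 answer order the manual lists; priority 1 for WAN 1, 2 for WAN 2."""
from dataclasses import dataclass


@dataclass
class Record:
    name: str
    rtype: str          # "A", "CNAME" or "MX"
    value: str          # IP address, or the target name for CNAME / MX
    weight: int = 1     # share of answers per round-robin cycle (assumed)
    priority: int = 1   # backup mode: the lowest number is preferred (assumed)
    up: bool = True     # set to False to simulate that WAN link going down


def build_zone():
    """Records of Tables 24-10 and 24-11 with the assumed weights and priorities."""
    return [
        Record("web.supportplanet.com.tw", "A", "61.11.11.11", weight=1, priority=1),
        Record("web.supportplanet.com.tw", "A", "211.22.22.22", weight=2, priority=2),
        Record("www.supportplanet.com.tw", "CNAME", "web.supportplanet.com.tw"),
        Record("main.supportplanet.com.tw", "A", "61.11.11.11", weight=1, priority=1),
        Record("main.supportplanet.com.tw", "A", "211.22.22.22", weight=2, priority=2),
        Record("mail.supportplanet.com.tw", "MX", "main.supportplanet.com.tw"),
    ]


class InboundBalancer:
    def __init__(self, records, mode):
        self.records = records
        self.mode = mode        # "round-robin" or "backup"
        self._next = {}         # per-name position in the round-robin schedule

    def _lookup(self, name, rtypes):
        return [r for r in self.records if r.name == name and r.rtype in rtypes]

    def resolve(self, name, depth=0):
        """Return the address given to the next visitor who asks for `name`."""
        if depth > 8:
            raise LookupError("alias chain too long at " + name)
        # A CNAME (www -> web) or MX (mail -> main) hands the query to its target.
        for alias in self._lookup(name, ("CNAME", "MX")):
            return self.resolve(alias.value, depth + 1)
        answers = [r for r in self._lookup(name, ("A",)) if r.up]
        if not answers:
            raise LookupError("no reachable address for " + name)
        if self.mode == "backup":
            # Backup mode (26.1.1): always the live address with the best priority.
            return min(answers, key=lambda r: r.priority).value
        # Round-robin (26.1.2 to 26.1.4): each address appears `weight` times per cycle.
        schedule = [r.value for r in answers for _ in range(r.weight)]
        pos = self._next.get(name, 0)
        self._next[name] = pos + 1
        return schedule[pos % len(schedule)]


def simulate(mode, name, visitors):
    """Addresses handed out to `visitors` successive visitors of `name`."""
    balancer = InboundBalancer(build_zone(), mode)
    return [balancer.resolve(name) for _ in range(visitors)]


def failover_demo():
    """Backup mode before and after WAN 1 (61.11.11.11) goes down (Figure 24-11)."""
    zone = build_zone()
    balancer = InboundBalancer(zone, "backup")
    before = balancer.resolve("www.supportplanet.com.tw")
    for record in zone:
        if record.value == "61.11.11.11":
            record.up = False
    return before, balancer.resolve("www.supportplanet.com.tw")


if __name__ == "__main__":
    for i, ip in enumerate(simulate("round-robin", "www.supportplanet.com.tw", 6), 1):
        print(f"visitor {i} -> {ip}")
    print("backup mode, before/after WAN 1 failure:", failover_demo())
```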
Chapter 27 High Availability
When two CS-2001 devices are deployed in the network, they can operate in active / standby mode. The master device (active device) stays synchronized with the backup device (standby device). Once the master device fails, the backup device seamlessly takes over its operations.
Terms in High Availability
HA Mode: Determines whether the device serves as the master or the backup.
Data Transmission Port / Management IP Address: Configures the IP address and port used for synchronization between the master device and the backup device.
27.1 Example
27.1.1 High Availability Deployment
Preparation
Configure Port1 as LAN1 (192.168.1.1, NAT / Routing mode) and connect it to the LAN using 192.168.1.x/24.
Configure Port2 as WAN1 (61.11.11.11) and connect it to the ADSL Termination Unit Remote to access the Internet. IP range: 61.11.11.10 to 61.11.11.14.
Configure Port3 as WAN2 (211.22.22.22) and connect it to the ADSL Termination Unit Remote to access the Internet.
Step 1. Assign one CS-2001 device as the master and connect it to the same switch that the LAN is connected to. (Figure 25-1)
Figure 25-1 The Deployment of the Master Device under High Availability Mode...
Step 2. Using the master device, configure the following High Availability settings under Network > Interface. (Figure 25-2)
Figure 25-2 The IP Address for the LAN Interface...
Step 3. Using the master device, configure the following High Availability settings under Advance > High Availability > Settings:
Tick Enable High Availability (HA).
For HA Mode, select Active from the drop-down list.
For HA Port, select Port1 from the drop-down list. ...
Step 4. To set up the backup device, make sure it is turned off, then configure its interfaces. The backup device's LAN, WAN and DMZ port addresses must differ from the master device's. After the configuration, turn on the device. (Figure 25-4)...
1. When deploying high availability between two devices, the master device must be turned on to avoid synchronization errors.
2. The built-in disk of the CS-2001 can be replaced. The capacity of the new disk should be larger than or equal to that of the original one to avoid synchronization errors. (To synchronize the data of the backup device and the master device.
Figure 25-6 Backup Device Taking Over Operations When Master Device Fails
6. Note: During backup, if the WAN port is using a dynamic IP address and that address is in the process of being renewed, the session will disconnect.
IPSec VPN Connections: the IT administrator needs to set the Keepalive IP Address under Policy Object >...
Chapter 28 Co-Defense System
The CS-2001 can work in cooperation with the network's switch to provide instant monitoring of the internal network's status. When the device detects an anomalous traffic flow, it blocks the flow and provides information to help the IT...
Terms in Core Switch
Name: The name used to identify the switch.
Switch Model: The switch model can be selected from the list or customized.
IP Version: The Internet protocol version the system uses to telnet into the switch, either IPv4 or IPv6.
Remove Blocking Command: This command instructs the core switch to stop blocking an IP / MAC address.
Show Blocking Commands: This command is used to view the IP / MAC addresses that the switch is blocking.
Note:
1. When the system detects an internal anomaly flow, the switch uses the following variables to block an IP / MAC address, unblock already blocked IP / MAC addresses and view the blocked IP / MAC addresses.
28.1 Example
28.1.1 Quickly Isolating Any Anomaly Flow in the Internal Network by Utilizing the Core and Edge Switch
Step 1. Go to Anomaly Flow IP > Settings and set as below: (Figure 26-2)
Figure 26-2 Anomaly Flow IP Settings...
Step 2. Under Advance > Co-Defense System > Core Switch, set as below: (Figure 26-3)
Enter the name to identify the switch.
Select the model of the switch from the Switch Model drop-down list.
Select IPv4 from the IP Version drop-down list. ...
Step 3. Under Advance > Co-Defense System > Edge Switch, click New Entry and set as below: (Figure 26-9)
Type the name in the Name field.
Select IPv4 from the IP Version drop-down list.
Fill in the IP Address field and the Community String field. ...
Step 4. Go to Advance > Co-Defense System > MAC ADDR Table. Using SNMP, the CS-2001 can obtain the MAC addresses of any packets that pass through the edge switch.
Note:
1. Under Advance > Co-Defense System > Edge Switch, every port number from on the edge...
Virus Logs show the viruses detected in the HTTP, Webmail and FTP packets processed by the CS-2001.
Application Blocking Logs provide details of all the applications that have been blocked by the CS-2001.
Terms in Settings
Logging Settings: Logs are sent to the designated recipient once the file size reaches 300 KB. Logs can be backed up to a remote device and via SNMP Trap. The log settings for traffic, events, connections, viruses, application blocking, concurrent sessions and quota: ...
Figure 27-1 Searching for a Specific Log...
Figure 27-2 Downloading the Search Results...
Terms in Events
Search: Available search criteria are date, admin name, IP address, event type and event log with detailed content.
Under Monitoring > Logs > Events, click Search and set as below:
Enable the search duration and specify the period of time to search within.
Terms in Connection
Search
PPPoE: Available search criteria are date and keyword.
Dynamic IP Address: Available search criteria are date and keyword.
DHCP: Available search criteria are date and keyword.
PPTP Server: Available search criteria are date and keyword. ...
Figure 27-4 Searching for a Specific Log...
Terms in Virus
Search: Available search criteria are date, source IP, destination IP, application, infected file and virus name.
Under Monitoring > Logs > Viruses, click Search and set as below:
Terms in Application Blocking
Search: Available search criteria are date, source IP and keyword.
29.1 Traffic
29.1.1 Viewing the Protocols and Port Numbers Used during an Access to CS-2001
Step 1. Go to Policy > DMZ To WAN and set as below: (Figure 27-5)
Enable Packet Logging.
Click OK. (Figure 27-6)
Figure 27-5 A Policy with Traffic Log...
Step 2. Under Monitoring > Logs > Traffic, the traffic status of each policy is shown. (Figure 27-7)
Figure 27-7 Traffic Log
Step 3. Click any Source IP or Destination IP to see which protocols and ports it used and how much traffic it generated. (Figure 27-8)...
Figure 27-8 Monitoring the Traffic Flow of Each IP Address...
Step 4. To clear the logs, click the Clear button and then click OK in the confirmation window. (Figure 27-9)
Figure 27-9 Deleting all the Traffic Logs...
29.2 Event
29.2.1 Viewing System History Access and the Status of WAN
Step 1. Under Monitoring > Logs > Events, the system access history and the status of the WAN are shown. (Figure 27-10)
Click the icon for details. (Figure 27-11)...
Figure 27-11 Specific Details of a History Event...
29.3 Connection
29.3.1 Viewing the Connection Logs of the WAN Interface
Step 1. Under Monitoring > Logs > Connections, the logs of PPPoE, Dynamic IP Address, DHCP, PPTP Server, PPTP Client, IPSec, Web VPN, SMTP Inbound, SMTP Outbound and POP3 are shown. (Figure 27-12)...
Step 2. To delete the logs, click the Clear button and then click OK in the confirmation window. (Figure 27-13)
Figure 27-13 Deleting all the Connection Logs...
29.4 Viruses
29.4.1 Viewing the Viruses Detected from Internal Users Using the HTTP / Web Mail / FTP Protocols to Transfer Files
Step 1. Go to Policy > Outgoing and set as below: (Figure 27-14)
For Anti-Virus, tick HTTP/Webmail and FTP. ...
Figure 27-14 A Policy with HTTP/ WebMail and FTP...
Step 2. Under Monitoring > Logs > Viruses, the logs of viruses detected from internal users using the HTTP / WebMail and FTP protocols to transfer files are shown.
Step 3. To delete the logs, click the Clear button and then click OK.
29.5 Application Blocking
29.5.1 Viewing the Logs
Step 1. Under Policy > Outgoing, set as below: (Figure 27-16)
Select the defined application blocking.
Click OK. (Figure 27-17)
Figure 27-16 A Policy with Application Blocking
Figure 27-17 Policy Completed...
Step 2. Under Monitoring > Logs > Application Blocking, the logs of applications that have been blocked are shown. (Figure 27-18)
Figure 27-18 Application Blocking Logs
Step 3. To delete the logs, click the Clear button and then click OK in the confirmation window.
29.6 Concurrent Sessions
29.6.1 Viewing the Logs of Concurrent Sessions that have Exceeded the Configured Value
Step 1. Go to Policy > Outgoing and set as below: (Figure 27-20)
Enter a value in the Max. Concurrent Sessions per IP field ...
Figure 27-20 A Policy with Limitation of Concurrent Sessions...
Figure 27-21 Policy Completed
Step 2. Under Monitoring > Logs > Concurrent Sessions, the logs of the concurrent sessions that have exceeded the configured value are shown.
Step 3. To delete the logs, click the Clear button and then click OK in the confirmation window.
29.7 Quota
29.7.1 Viewing the Logs of Quotas that Have Been Reached
Step 1. Go to Policy > Outgoing and set as below: (Figure 27-22)
Type a value in the Quota per Source IP field.
Click OK. (Figure 27-23)...
Figure 27-22 A Policy with Limitation of Quota per Source IP...
Figure 27-23 Policy Completed
Step 2. Under Monitoring > Logs > Quota, the logs of the quotas that have reached the configured value are shown.
Step 3. To delete the logs, click the Clear button and then click OK in the confirmation window.
29.8 Log Backup
29.8.1 Archiving or Retrieving Logs Generated by the CS-2001
Step 1. Go to System > Configuration > Settings and set as below:
Tick Enable email notifications and configure the related settings. (Figure 27-24)
Tick Enable syslog messages and configure the related settings.
Step 3. Go to Monitor > Log > Settings and set as below: (Figure 27-27)
Figure 27-27 Monitoring Settings...
Note:
1. Once Email Notification is enabled, the logs are sent to the IT administrator when the file size reaches 300 KB.
2. When syslog messages are enabled, the logs are delivered to the designated remote device.
3. When SNMP trap alerts are enabled, the logs can be delivered to a PC with SNMP Trap software installed. (Figure 27-29)...
Chapter 30 Accounting Reports
Accounting reports give the IT administrator insight into the various sessions of users that pass through the device, in the form of detailed statistical reports and charts.
Terms in Setting
Accounting Report Settings: Enables or disables the recording of inbound and outbound data access and configures the storage period of the records.
Under Monitoring > Accounting Reports > Settings, set as below: ...
Terms in Today Top-N
Time Slider: Drag the two sliders to adjust the statistics' time interval (represented by the red portion).
Source IP: Indicates the traffic of the source IP within a certain period of the day.
Source IP: indicates the source IP of the packets. ...
Figure 28-2 Searching for the Specific Log...
Figure 28-3 Downloading the Accounting Reports...
Figure 28-4 Deleting the Accounting Reports...
30.1 Flow Analysis
Step 1. Under Monitoring > Accounting Reports > Flow Analysis, the traffic of each source IP and service through the CS-2001 is shown. (Figure 28-5)
Figure 28-5 Flow Analysis...
30.2 Today's Top Chart
Step 1. Under Monitoring > Accounting Reports > Today's Top Chart, the traffic of the source IPs, destination IPs and services through the CS-2001 during the day is shown. (Figure 28-6)...
Step 2. You may drag the two sliders to adjust the statistics' time interval. The left one is the start time slider, the right one the end time slider. Once you adjust the time interval, the Source IP accounting report, the Destination IP accounting report and the Service accounting report are refreshed according to the new time interval.
Figure 28-7 Today Top-N Report according to the Time Interval...
Step 3. Clicking any source IP opens a pop-up window showing its destination IPs and services. (Figure 28-8)
Figure 28-8 The Destination IP and Service
Step 4. Clicking any destination IP opens a pop-up window showing its source IPs and services.
Step 5. Clicking any service shows its source IPs and destination IPs. (Figure 28-10)
Figure 28-10 The Source IP and Destination IP...
30.3 Historical Top Chart
Step 1. Under Monitoring > Accounting Reports > Historical Top Chart, you may view the traffic of the source IP, destination IP and service over a certain duration by specifying the date. (Figure 28-11)
Figure 28-11 History Top-N...
Chapter 31 Traffic Grapher
Statistics deliver comprehensive information regarding network traffic, enabling the IT administrator to gain a thorough understanding of the traffic flow across the WAN interfaces and of the packets managed by policies.
WAN Traffic provides upstream and downstream traffic statistics for all packets passing through the WAN interfaces, based on their corresponding policies.
Traffic Grapher Charts: The vertical axis indicates the network traffic; the horizontal axis indicates time.
Type / Source / Destination / Service / Action: These items identify which policy is used.
Time: The statistics are available in time units of minute, hour, day, week, month and year.
31.1 WAN Traffic
Step 1. In Monitoring > Traffic Grapher > WAN Traffic, the statistics of upstream / downstream packets over the WAN interface are shown. The statistics charts are available in time units of minute, hour, day, week, month and year. Click Minutes for charts in units of minutes; click Hours for charts in units of hours; click Days for charts in units of days; click Weeks for charts in units of...
31.2 Policy-Based Traffic
Step 1. When creating a new policy, if Statistics is enabled, the policy statistics charts under Monitoring > Traffic Grapher > Policy-Based Traffic corresponding to that policy start recording. Under Monitoring > Traffic Grapher > Policy-Based Traffic, the statistics charts corresponding to a policy are available in time units of minute, hour, day, week, month and year.
32.1 Ping
Step 1. To test whether a host is reachable across an IP network, go to Monitoring > Diagnostic Tools > Ping and configure as below: (Figure 30-1)
Type the destination IP or domain name in the Destination IP / Domain name field.
Figure 30-2 Ping Result
Note:
1. If VPN is selected from the Interface drop-down list, the user must enter the local LAN IP address in the Interface field. Enter an IP address within the same subnet range in the Destination IP / Domain name field.
Figure 30-3 Ping Results for a VPN Connection...
32.2 Traceroute
Step 1. Under Monitoring > Diagnostic Tools > Traceroute, the CS-2001 can use the traceroute command to send packets to a specific address and diagnose the quality of the traversed network. (Figure 30-4)
In Destination IP / Domain name, enter the destination address for the packets.
Chapter 33 Wake-On-LAN
Any PC that supports wake-on-LAN can be remotely turned on by a "wake-up" packet sent from the CS-2001. By utilizing remote control software such as VNC, Terminal Service or PC Anywhere, a remote user may remotely wake up a computer...
33.1 Example
33.1.1 Remote Controlling a PC
Step 1. Suppose the MAC address of the PC to be remotely controlled is 00:0C:76:B7:96:3B.
Step 2. Under Monitoring > Wake-On-LAN > Settings, click New Entry and set as below: ...
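For reference, the following added example (not PLANET's code) shows what the "wake-up" packet for the PC in step 1 contains: it builds the standard wake-on-LAN magic packet for 00:0C:76:B7:96:3B and parses one back, which is also how a captured wake-up packet can be attributed to its target when reviewing who is waking machines. The broadcast address 192.168.1.255 and UDP port 9 are assumptions for the example LAN.

```python
"""Builds and checks the Wake-on-LAN "magic packet" that the manual says the
CS-2001 sends to wake a PC (section 33.1.1).  Added illustration, not PLANET
code.  The packet layout, six 0xFF bytes followed by the target MAC address
repeated sixteen times, is the standard one; the broadcast address and UDP
port below are assumptions for the example LAN 192.168.1.x/24."""
import socket

TARGET_MAC = "00:0C:76:B7:96:3B"   # the PC from step 1 of section 33.1.1


def mac_to_bytes(mac):
    """'00:0C:76:B7:96:3B' (colon- or dash-separated) -> 6 raw bytes."""
    octets = mac.replace("-", ":").split(":")
    if len(octets) != 6:
        raise ValueError("MAC address needs six octets: " + mac)
    return bytes(int(o, 16) for o in octets)


def build_magic_packet(mac):
    """The 102-byte payload a wake-on-LAN capable NIC listens for."""
    return b"\xff" * 6 + mac_to_bytes(mac) * 16


def parse_magic_packet(payload):
    """Return the MAC a captured payload would wake, or None if it is not a
    well-formed magic packet (useful when reviewing who is waking machines)."""
    if len(payload) < 102 or payload[:6] != b"\xff" * 6:
        return None
    mac = payload[6:12]
    if payload[6:102] != mac * 16:
        return None
    return ":".join(f"{b:02X}" for b in mac)


def send_magic_packet(mac, broadcast="192.168.1.255", port=9):
    """Broadcast the packet on the LAN; returns the number of bytes sent."""
    packet = build_magic_packet(mac)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.setsockopt(socket.SOL_SOCKET, socket.SO_BROADCAST, 1)
        return sock.sendto(packet, (broadcast, port))


if __name__ == "__main__":
    packet = build_magic_packet(TARGET_MAC)
    print(packet.hex())
    print("wakes:", parse_magic_packet(packet))
```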
ARP Table: records the ARP entries of all host PCs that have connected to the CS-2001.
Sessions Info: records all the sessions sending or receiving packets over the CS-2001.
DHCP Clients: records the status of the IP addresses distributed by the CS-2001's built-in DHCP server.
(Figure 32-2)
Figure 32-2 Status Interface
Note:
1. System Uptime: the operating uptime of the CS-2001.
2. Active Sessions Number: the current number of sessions connected to the device.
3. Forwarding Mode: the interface connection mode.
4. WAN Connection: the WAN interface connection status.
8. PPPoE / Dynamic IP Uptime: when the interface is connected using PPPoE, displays the connection uptime.
9. MAC Address: the MAC address of the interface.
10. IP Address / Netmask: the interface's IP address and netmask.
11. Default Gateway: the WAN gateway address.
12.
34.2 System Info
Step 1. Under Monitoring > Status > System Info, the current system information is shown, such as CPU utilization, hard disk utilization and memory utilization. (Figure 32-3)...
34.3 Authentication
Step 1. Under Monitoring > Status > Authentication, the authentication status of the device is shown. (Figure 32-4)
Figure 32-4 The Authentication Status
Note:
IP Address: the authenticated user's IP address.
Authentication – User Name: the user's authenticated login name.
Login Time: the user's login time (year / month / day / hour / minute / second).
34.4 ARP Table
Step 1. Under Monitoring > Status > ARP Table, the NetBIOS Name, IP Address, MAC Address and Interface of every computer that has connected to the device are shown. (Figure 32-5)
Figure 32-5 ARP Table
Note:
1. NetBIOS Name: the computer's network identification name.
2.
Figure 32-6 Downloading the Anti-ARP Virus Software
Figure 32-7 The Result of Executing the Anti-ARP Virus Software...
Figure 32-8 The Anti-ARP Virus Software Runs Automatically when the System Starts Up...
34.5 Sessions Info
Step 1. Under Monitoring > Status > Sessions Info, a list of all the sessions that have connected to the device is provided. (Figure 32-9)
Figure 32-9 System Sessions...
Step 2. Clicking any source IP shows the port numbers and the traffic. (Figure 32-10)
Figure 32-10 The System Info...
34.6 DHCP Clients
Step 1. Under Monitoring > Status > DHCP Clients, the status of the IP addresses distributed by the device's DHCP server is shown. (Figure 32-11)
Figure 32-11 The DHCP Clients
Note:
1. NetBIOS Name: the computer's network identification name.
2.
34.7 Host Info
Step 1. Under Monitoring > Status > Host Info, the IT administrator may view the lists of NetBIOS and DNS names. (Figure 34-12, 34-13)
Figure 34-12 The List of NetBIOS
Figure 34-13 The List of DNS...