Planet Networking & Communication MH-5001 User Manual

Multi-Homing UTM Security Gateway

Summary of Contents for Planet Networking & Communication MH-5001

  • Page 1 Multi-Homing UTM Security Gateway User’s Manual Multi-Homing UTM Security Gateway MH-5001 User’s Manual...
  • Page 2: Customer Service

    Multi-Homing UTM Security Gateway User’s Manual Copyright Copyright (C) 2006 PLANET Technology Corp. All rights reserved. The products and programs described in this User’s Manual are licensed products of PLANET Technology. This User’s Manual contains proprietary information protected by copyright, and this User’s Manual and all accompanying hardware, software, and documentation are copyrighted.
  • Page 3 Any error messages that were displayed when the problem occurred ♦ Any software running when the problem occurred ♦ Steps you took to resolve the problem on your own Revision User’s Manual for PLANET Multi-Homing Security Gateway Model: MH-5001 Rev: 4.0 (July, 2006) Part No. EM-MH5Kv4 (2081-B90070-000)
  • Page 4 Changing the LAN1 IP Address ..........................26 2.2.1 From LAN1 to configure MH-5001 LAN1 network settings................. 26 2.2.2 From CLI (command line interface) to configure MH-5001 LAN1 network settings ........27 2.2.3 Web GUI design principle..........................27 2.2.4 Rule principle ..............................28 Chapter 3 Basic Setup......................
  • Page 5: Chapter 6 Authentication

    Multi-Homing Security Gateway User’s Manual Demands .................................. 50 Methods ................................... 50 Remote Management Access Methods ........................50 Steps..................................52 5.4.1 Telnet................................52 5.4.2 SSH ................................52 5.4.3 WWW ................................52 5.4.4 HTTPS................................53 5.4.5 SNMP................................53 5.4.6 ICMP ................................53 Chapter 6 Authentication ......................
  • Page 6: Chapter 10 Firewall

    12.2.5 Key Management ............................96 12.2.6 Encapsulation ..............................97 12.2.7 IPSec Protocols .............................. 97 12.3 Make VPN packets pass through MH-5001......................98 Chapter 13 Virtual Private Network – IPSec ..............99 13.1 Demands .................................. 99 13.2 Objectives ................................99 13.3 Methods ...................................
  • Page 7 Create a custom MMC console ........................143 18.4.3 Create an IPSec policy ..........................146 18.4.4 Add a filter rule from WinXP to MH-5001....................148 18.4.5 Add a filter rule from MH-5001 to WinXP....................151 18.4.6 Configure a rule for WinXP client to MH-5001................... 153 18.4.7...
  • Page 8 Multi-Homing Security Gateway User’s Manual 22.2 Objectives ................................180 22.3 Methods ................................. 180 22.4 Steps..................................181 22.4.1 View L7 Firewall Logs..........................182 Chapter 23 Intrusion Prevention Systems ................183 23.1 Demands ................................183 23.2 Objectives ................................183 23.3 Methods ................................. 183 23.4 Steps..................................
  • Page 9: Appendix B Trouble Shooting

    Steps for Backup / Restore Configurations......................212 29.8 Steps for Reset password ............................213 Appendix A Command Line Interface (CLI)............. 214 Enable the port of MH-5001 ..................214 CLI commands list (Normal Mode)................214 CLI commands list (Rescue Mode) ................216 Appendix B Trouble Shooting..................219 Appendix C System Log Syntax ..................
  • Page 10: About This User Manual

    All the examples after Chapter 2 in this manual, which instruct you how to configure the Multi-Homing Security Gateway, are taken from MH-5001. The hardware and software specification of the MH-5001 will be introduced in Chapter 1. You can refer the...
  • Page 11: What's New In Version 4

    This section describes the enhancements that were made to MH-5001 as compared to the previous version. It includes changes to the way that the MH-5001 operates, some of which are reflected by changes to the WBI and others that were made to the MH-5001 engine to improve performance and accuracy.
  • Page 12: Transparent Mode

    The Main office has a VPN tunnel to each branch office. Both Branch_1 and Branch_2 have their own VPN tunnel to the hub. The VPN Spoke allows VPN traffic to pass from one tunnel to the other through a central MH-5001 hub. See Chapter 15 Virtual Private Network –...
  • Page 13: Quick Start

    Figure 1-1 The example before MH-5001 is applied to it. Here we would like to replace the original IP Sharer with the MH-5001 as in Figure 1-. If we want the MH-5001 to replace the IP Sharer, we simply execute the following five steps as Figure 1- shows. By these steps, we hope to build an image to...
  • Page 14 (connected LAN1 port). For the details, please refer to section 1.3. Next, we will connect to the web GUI of MH-5001. So you must make sure that you have a PC located in the same subnet as the MH-5001 before this step. Note: The default LAN1 port is (192.168.1.254 / 255.255.255.0). Refer to section 1.5 for more information.
  • Page 15: Wiring The Mh-5001

    Wiring the MH-5001 First, connect the power cord to the socket at the back panel of the MH-5001 as in Figure 1- and then plug the other end of the power adapter to a wall outlet or power strip. The Power LED will turn ON to indicate proper operation.
  • Page 16 DHCP; DMZ1 (Port 3): IP Address 10.1.1.254, IP Subnet Mask 255.255.255.0; LAN1 (Port 4): IP Address 192.168.1.254, IP Subnet Mask 255.255.255.0; LAN2 (Port 5): IP Address 192.168.2.254, IP Subnet Mask 255.255.255.0 (a blank ____.____.____.____ column is provided beside each default for your own value). Table 1-1 MH-5001 related network settings...
  • Page 17: Using The Setup Wizard

    A computer on your LAN1 must be assigned an IP address and Subnet Mask from the same range as the IP address and Subnet Mask assigned to the MH-5001 in order to be able to make an HTTPS connection using a web browser. The MH-5001 is assigned an IP address of 192.168.1.254 with a Subnet Mask of 255.255.255.0 by default.
  • Page 18 Enter the Host Name and the Domain Name, then click Next. Step 4. Operation Mode BASIC SETUP > Wizard > Next The MH-5001 Multi-Homing Security Gateway can operate in NAT/Router mode or Transparent mode. Choose which operation mode this device should use.
  • Page 19 Transparent mode provides the same basic protection as NAT mode. Packets received by the MH-5001 are intelligently forwarded or blocked according to firewall rules. MH-5001 can be inserted in your network at any point without the need to make any changes to your network or any of its components. However, VPN, NAT, Routing and some advanced firewall features (such as Authentication, IP/MAC Binding) are only available in NAT/Route mode.
  • Page 20 MH-5001 User Manual Chapter 1 Quick Start Step 5.b — Fixed IP BASIC SETUP > Wizard > Next > Fixed IP If Fixed IP Address is selected, enter the ISP-given IP Address, Subnet Mask, Gateway IP, Primary DNS and Secondary DNS IP. Click Next to proceed.
  • Page 21: Internet Connectivity

    The LAN Settings page allows you to modify the IP address and Subnet Mask that will identify the MH-5001 on your LAN. This is the IP address you will enter in the URL field of your web browser to connect to the MH-5001. It is also the IP address that all of the computers and devices on your LAN will use as their Default Gateway.
  • Page 22: Wan1-To-Dmz1 Connectivity

    Step 5. Check NAT Rules ADVANCED SETTINGS > NAT > NAT Rules The MH-5001 has added the NAT rules as the right diagram. The rule Basic-LAN1 means that, when matching the condition (requests of LAN/DMZ-to-WAN direction with its source IP falling in the range of 192.168.1.254 /...
  • Page 23 ISP. Step 5. Check NAT Rules ADVANCED SETTINGS > NAT > NAT Rules The MH-5001 has added the NAT rules as the right diagram. The rule Basic-DMZ1 (number 1) means that, when matching the condition (requests of LAN/DMZ-to-WAN direction with its source IP falling in the range of 10.1.1.254 / 255.255.255.0), the...
  • Page 24 WAN side cannot connect to a private IP (ex. 10.1.1.5) through the Internet. The data connections would fail. After enabling this feature, the MH-5001 will translate the private IP/port into an IP/port of its own. Thus the problem is gracefully solved. Click Apply to proceed.
  • Page 25: Nat/Router Mode And Transparent Mode

    In this document, we will show you how to set up a NAT/Router Mode firewall in most of the examples. You can learn the settings of each feature from them. For more information on how to choose NAT or Route mode in the MH-5001, please refer to Section 7.5.4.
  • Page 26 Chapter 1 Quick Start Basically, transparent mode provides the same firewall protection as NAT mode. Packets received by the MH-5001 are intelligently forwarded or blocked according to the firewall rules. However, some advanced firewall features are only available in NAT/Route mode.
  • Page 28: System Overview

    Multi-Homing Security Gateways. The VPN tunnel secures communications between organizations. We will focus on how to build up the topology using the MH-5001 as in the following Figure 2-1. In order to achieve this purpose, we need to know all the administration procedures.
  • Page 29: Changing The Lan1 Ip Address

    WAN load balancing. Inbound load balancing will be supported in the near future. Chapter 24 ~ Chapter 29 System Maintenance In this part, we provide some useful techniques to help you run the MH-5001 more securely and stably. Changing the LAN1 IP Address The default settings of the MH-5001 are listed in Table 1-1.
  • Page 30: Web Gui Design Principle

    Warning: After you apply the changed settings, the network will be disconnected instantly since the IP address you are logged in through has changed. 2.2.2 From CLI (command line interface) to configure MH-5001 LAN1 network settings Step 1. Use Console port to configure MH-5001 Use the supplied console cable to connect the PC to the Diagnostic RS-232 socket of the MH-5001.
  • Page 31: Rule Principle

    What action will this rule do? Figure 2-3 The rule configuration is divided into three parts You will find many rule configurations in the MH-5001, distributed among the respective features. These rules include NAT rule Virtual Server rule...
  • Page 32 MH-5001 User Manual Chapter 2 System Overview Additionally, please note that there is a button named “Move Before” in the Figure 2-4. If you are not satisfied with the current rule sequence, you can adjust the rule sequence by using the “Move Before” button.
  • Page 34: Basic Setup

    4. Ping the public Internet server IP addresses in sequence at every specified Timeout to check the connection of the current default WAN link. When the specified WAN link is disconnected, the MH-5001 will try to ping the first public Internet server IP address within the specified Timeout.
  • Page 35: Setup Wan1 Ip

    DESCRIPTION / Range / Format / EXAMPLE. Assignment. Default WAN link (Gateway/DNS): When Default WAN link is enabled, all the packets sent out from MH-5001 will be via this port. Enable/Disable. Example: Enabled. Get DNS Automatically: Get DNS related information from DHCP Server...
  • Page 36: Setup Dmz1, Lan1 Status

    OSPF Area ID: Specify OSPF area ID number. Digit string (Max 9 bits). Default WAN link (Gateway/DNS): When Default WAN link is enabled, all the packets sent out from MH-5001 will be via this port. Enable/Disable. Example: Enabled. Service Name: ISP vendor (Optional).
  • Page 37 MH-5001 User Manual Chapter 3 Basic Setup FIELD / DESCRIPTION / Range / Format / EXAMPLE. IP Address: DMZ port IP address. IPv4 format. Example: 10.1.1.254. IP Subnet Mask: DMZ port IP subnet mask. Netmask format. Example: 255.255.255.0. Enable DHCP Server: Enable the DHCP Server on the DMZ port or not...
  • Page 38: Setup Wan1 Ip Alias

    MH-5001 User Manual Chapter 3 Basic Setup IP Pool Starting Address: Specify the starting address of the DHCP IP address range. IPv4 format in the LAN1 address range. Example: 192.168.40.100. Pool Size (max size: 253): Specify the number of DHCP IP addresses.
  • Page 39 MH-5001 User Manual Chapter 3 Basic Setup Step 2. Edit, Delete IP alias record BASIC SETUP > WAN Settings > IP Alias You can easily add, edit, or delete IP alias records by the Add, Edit, or Delete button. WAN port...
  • Page 40: Setup Wan Backup

    MH-5001 User Manual Chapter 3 Basic Setup 3.4.4 Setup WAN Backup Step 4. Set public Internet server IP BASIC SETUP > WAN Settings > WAN Backup Specify public Internet server IPs for the system to ping in order to verify the connection of the default WAN link.
  • Page 42: Chapter 4 System Tools

    1. Basic configurations for domain name, password, system time, timeout and services. 2. DDNS: Suppose the MH-5001’s WAN uses dynamic IP but needs a fixed host name. When the IP is changed, it is necessary to have the DNS record updated accordingly. To use this service, one has to register the account, password, and the wanted host name with the service provider.
  • Page 43 Figure 4-1 DDNS mechanism chart 3. DNS Proxy: After activating the DNS proxy mode, the client can set its DNS server to the MH-5001 (that is, send the DNS requests to the MH-5001). The MH-5001 will then make the enquiry to the DNS server and return the result to the client.
  • Page 44 Figure 4-3 DHCP Relay mechanism chart 5. As the following Figure 4-4 demonstrates, there is an embedded SNMP agent in the MH-5001, so you can use an SNMP manager to monitor the MH-5001 system status, network status, etc. from either the LAN or the Internet.
  • Page 45 Figure 4-4 It is efficient to use an SNMP Manager to monitor the MH-5001 device 6. We can adjust the MH-5001 interfaces in SYSTEM TOOLS > Admin Settings > Interface according to our preference and requirements (3 WAN, 1 DMZ, 1 LAN). As the following Figure 4-5 demonstrates, there are three ISPs connected to the MH-5001.
  • Page 46: General Settings

    Click Apply. FIELD / DESCRIPTION / EXAMPLE. Host Name: The host name of the MH-5001 device. Example: MH-5001. Domain Name: Fill in the domain name of the company. Example: planet.com.tw. Table 4-1 System Tools - General Setup menu Step 2.
  • Page 47 You can also enter an IP address instead. Check the Continuously (every 3 min) update system clock and click Apply. The MH-5001 will immediately update the system time and will periodically update it. Check the Update system clock...
  • Page 48: Ddns Setting

    Enabled. Interface: Assign which interface's public IP address is registered to the DDNS server. Example: WAN1. Service Provider: The domain address of the DDNS server; in the MH-5001 we provide some websites for your choice. Example: WWW.ORAY.NET. If you choose WWW.ORAY.NET as the DDNS service provider, it will register the source IP address from which the MH-5001 connects to the DDNS server.
  • Page 49: Dhcp Relay Setting

    Enable DNS Proxy: ... forwarding it to the assigned DNS server. When there is a response from the assigned DNS server, the MH-5001 will forward it back to the host on the LAN/DMZ. Example: Enabled. Table 4-6 System Tools – DNS Proxy menu 4.4.4 DHCP Relay setting...
  • Page 50: Change Mh-5001 Interface

    Set Community: The community which can get the SNMP information. Here “community” is something like a password. Example: private-rw. Trusted hosts: The IP address which can get or set community from the MH-5001. Example: 192.168.1.5. Trap community: The community which will send SNMP traps. Here “community” is something like a password. Example: trap-comm.
  • Page 51 Port1 ~ Port5: You can specify WAN / LAN / DMZ for each port by your preference. However, there must be one WAN and one LAN interface existing in the MH-5001. Example: Port3: WAN, Port4: DMZ, Port5: LAN. Table 4-9 Change the MH-5001 interface setting...
  • Page 53: Remote Management

    Administrators may want to manage the MH-5001 remotely from any PC in LAN_1 with HTTP at port 8080, and from WAN_PC with TELNET. In addition, the MH-5001 may be more secure if monitored by a trusted host (PC1_1). What is more, the MH-5001 should not respond to ping to hide itself.
  • Page 54 You should avoid allowing management access for an interface connected to the Internet unless this is required for your configuration. To improve the security of a MH-5001 unit that allows remote management from the Internet, add secure administrative user passwords, change these passwords regularly, and only enable secure management access using HTTPS or SSH.
  • Page 55: Steps

    Setup SSH SYSTEM TOOLS > Remote Mgt. > SSH Enter 22 in the Server Port field. Check the LAN1/LAN2 checkbox. Select ALL in the Secure Client IP Address field for accessing the MH-5001, and click Apply. 5.4.3 WWW Step 1. Setup WWW SYSTEM TOOLS >...
  • Page 56: Https

    Check the LAN1 checkbox. In the Secure Client Address field, if you prefer to allow only specified IP addresses, click Selected and enter the valid IP address permitted to read the SNMP MIBs on the MH-5001. Finally click the Apply button. 5.4.6 ICMP Step 1.
  • Page 57: Local Setting

    Demands The MH-5001 Multi-Homing Security Gateway supports user authentication against the internal user database, a RADIUS server or an LDAP server. You can create a user account by adding a username and password to the internal database to grant the user access to the Internet, etc.
  • Page 58: Pop3(S) Setting

    MH-5001 User Manual Chapter 6 Authentication Step 3. Configure Local Settings Basic Setup > Authentication > Authentication > Local Enter the Username and Password, and then click Add to add it to user’s list. If you would like to delete a user, just click that username and then click Delete to remove it.
  • Page 59: Radius Setting

    Basic Setup > Authentication > Authentication > Radius If you have configured RADIUS support and a user is required to authenticate using a RADIUS server, the MH-5001 will then contact the RADIUS server for authentication. Select Radius as the Authentication Type. Enter...
  • Page 60: Ldap Setting

    Basic Setup > Authentication > Authentication > LDAP If you have configured LDAP support and a user is required to authenticate using an LDAP server, the MH-5001 will then contact the LDAP server for authentication. To authenticate with the MH-5001, the user enters a username and password.
  • Page 61: Exempt Host

    MH-5001 User Manual Chapter 6 Authentication 6.3.6 Exempt Host Step 10. Configuring the Exempt Host Basic Setup > Authentication > Exempt Host Enter the exempt host IP Address, and click Add to add an IP address. When enabling authentication, the chosen PC IP address will...
  • Page 62: Chapter 7 Nat

    Chapter 7 This chapter introduces NAT and explains how to implement it in MH-5001. To facilitate the explanation on how MH-5001 implements NAT and how to use it, we zoom in the left part of Figure 1- into Figure 7-1.
  • Page 63: Objectives

    1. Let PC1_1~PC1_5 connect to the Internet. 2. As the Figure 7-2 illustrated, the clients will connect to the MH-5001. Then MH-5001 will forward the packet to the real server. So FTPServer1 (10.1.1.5) will be accessed by other Internet users.
  • Page 64: Steps

    As the above Figure 7-3 illustrates, the server 10.1.1.5 provides FTP service, but it is located in the DMZ region behind WALL-1 (the MH-5001). The MH-5001 will act in a Virtual Server role, redirecting the packets to the real server 10.1.1.5, and you can announce to Internet users that an FTP server exists at IP/port 61.2.1.1/44444.
  • Page 65 Step 2. Check NAT Rules ADVANCED SETTINGS > NAT > NAT Rules As described in the above, the MH-5001 has set the rules for the LAN/DMZ zones. They all belong to the Many-to-One (M-1) type that will map many private addresses to the automatically chosen public IP address.
  • Page 66 IP address for being translated into. You can check the Auto choose IP from WAN ports. The MH-5001 will automatically determine which WAN IP is to be translated into. FIELD...
  • Page 67: Setup Virtual Server For The Ftpserver1

    MH-5001 to translate the private IP addresses into the pool of public IP addresses. The MH-5001 will use the first public IP until MH-5001 uses up all source ports for the public IP. MH-5001 will then choose the second public...
  • Page 68 IP assigned by the ISP. Step 5. Check NAT Rules ADVANCED SETTINGS > NAT > NAT Rules The MH-5001 has added the NAT rules automatically as right diagram described. The rule Basic-DMZ1 (number 1) means that, when matching...
  • Page 69 Customize the rule name as the ftpServer. For any packets with its destination IP equaling to the WAN1 IP (61.2.1.1) and destination port equaling to 44444, ask MH-5001 to translate the packet’s destination IP/port into 10.1.1.5/21. Check the Passive FTP client? to maximize the compatibility of the FTP protocol.
  • Page 70: Nat Modes Introduction

    Step 9. View the Result ADVANCED SETTINGS > NAT > Virtual Servers Now any request towards the MH-5001’s WAN1 IP (61.2.1.1) with port 44444 will be translated into a request towards 10.1.1.5 with port 21, and then be forwarded to the 10.1.1.5. The FTP server listening at port 21 in 10.1.1.5 will...
  • Page 71: Many-To-Many Type

    As the above Figure 7-4 illustrated, NAT Many-to-One type means that many local PCs are translated into only one public IP address when the packets are forwarded out through the WALL-1 - MH-5001. Take Connection1 for example. Its IP address and port are translated from 192.168.40.1:2933 to 61.2.1.1:2933.
  • Page 72: One-To-One Type

    As the above Figure 7-6 illustrates, NAT One-to-One type means that each local PC is translated into a unique public IP address when the packets are forwarded out through the MH-5001. Take Connection1 for example. Its IP address and port are translated from 192.168.40.1:2933 to 61.2.1.1:2933.
  • Page 73 MH-5001 User Manual Chapter 7 Map a pool of private IP addresses to a subnet range of public IP addresses chosen from the WAN ports. If the public IP address of your company is not only one node (ex. you have applied for an extra ISP), you may use the...
  • Page 74: Chapter 8 Routing

    This chapter introduces how to add static routing and policy routing entries. To facilitate the explanation of how MH-5001 implements routing and how to use it, we zoom in on the left part of Figure 2-1 in Figure 8-1 and add some devices for the description.
  • Page 75: Add A Static Routing Entry

    Routing Objectives 1. We need to let WALL-1, the MH-5001, know how to forward the packets destined for the financial department (192.168.50.0/24). 2. The network administrator plans to solve the problem by subscribing to a second link (ISP2). He hopes that all the packets from the General-Manager-Room (192.168.40.192/26) will pass through the ISP2 link instead of the default ISP1 link.
  • Page 76 MH-5001 User Manual Chapter 8 Routing Netmask: The destination IP netmask of this static routing entry record. IPv4 format. Example: 255.255.255.0. Gateway: The default gateway of this static routing entry record. IPv4 format. Example: 192.168.40.253. Table 8-1 Add a static routing entry Step 3.
  • Page 77: Add A Policy Routing Entry

    MH-5001 User Manual Chapter 8 Routing 8.4.2 Add a policy routing entry Step 5. Setup the ISP2 link Basic Setup > WAN Settings > IP Alias We must add an IP alias record to the WAN1 port, because a new ISP link has been applied.
  • Page 78 MH-5001 User Manual Chapter 8 Routing FIELD / DESCRIPTION / Range / Format / EXAMPLE. Status (Activate this rule): The policy routing rule is enabled or not. Enabled / Disabled. Example: Enabled. Rule name: The policy routing rule name. Text string (Max: 200 entries). Example: GenlManaRoom.
  • Page 79: The Priority Of The Routing

    MH-5001 User Manual Chapter 8 Routing Step 8. View the result Advanced Settings > Routing > Policy Route After filling data completely, view the policy routing entries which have been set. Step 9. View the routing table Device Status > System Status > Routing Table Finally click the “Routing Table”...
  • Page 80: Setup Address

    MH-5001 User Manual Chapter 9 IP/Services grouping Chapter 9 IP/Services grouping This chapter introduces group functions and explains how to edit it. Demands 1. You hope to group some similar IP addresses to make it easier for editing the firewall rule.
  • Page 81 MH-5001 User Manual Chapter 9 IP/Services grouping FIELD / DESCRIPTION / Range / Format / EXAMPLE. Define Objects on __: Select the interface on which you are going to define the address object. All the interfaces. Example: LAN1. Table 9-1 Define the address objects Step 11. Insert a new Address object BASIC SETUP >...
  • Page 82 MH-5001 User Manual Chapter 9 IP/Services grouping Step 13. Address Group Settings BASIC SETUP > Books > Address > Group You can add, edit, and delete all other address definitions as required. You can also organize related addresses into an address group to simplify firewall rule creation.
  • Page 83 MH-5001 User Manual Chapter 9 IP/Services grouping Step 15. View the address group result BASIC SETUP > Books > Address > Group According to our settings in the previous steps, the address group is shown as in the right diagram.
  • Page 84: Setup Service

    9.4.2 Setup Service Step 16. Service Settings BASIC SETUP > Books > Service > Objects The MH-5001 predefined firewall services are listed as right diagram. You can add these services to any firewall rule or you can add a service if you need to create a firewall rule for a service that is not in the predefined service list.
  • Page 85 MH-5001 User Manual Chapter 9 IP/Services grouping Step 17. Insert a new service object BASIC SETUP > Books > Service > Insert Enter the Service name. Select which protocol type (TCP, UDP, ICMP) used by this service. Specify a Source and Destination Port number range for the service.
  • Page 86: Setup Schedule

    MH-5001 User Manual Chapter 9 IP/Services grouping FIELD / DESCRIPTION / Range / Format / EXAMPLE. Group Name: The service group name. Note that the group name should be an alphanumeric value (including dash ‘-‘ and underscore ‘_’), can start with a letter only and, please note, it is case-sensitive! Spaces and other special characters are not allowed. Text string. Example: Service_mail.
  • Page 87 MH-5001 User Manual Chapter 9 IP/Services grouping Stop time: The stop time of the schedule object. 24-hour format. Example: 12:00. Table 9-7 The fields of the Schedule object Step 21. Add a Schedule group BASIC SETUP > Books > Schedule > Groups > Insert As Step 2 indicated, you have already created two schedule objects to block the MSN service.
  • Page 88: Chapter 10 Firewall

    4. Administrators detect that PC1_1 in LAN_1 is doing something that may hurt our company and should instantly block his traffic towards the Internet. 5. A DMZ server was attacked by SYN-Flooding attack and requires the MH-5001 to protect it. 10.2 Objectives 1.
  • Page 89: Steps

    Enable Firewall: Enable the firewall feature of MH-5001. Example: Enabled. Inspection Firewall: Example: Disabled. Block all fragment packets: Enabling this feature will make the firewall of MH-5001 block fragmented packets. Warning: enabling this feature will cause problems in some applications. Enabled / Disabled. Example: Disabled. BUTTON DESCRIPTION...
  • Page 90 MH-5001 User Manual Chapter 10 Firewall Step 3. Customize the rule ADVANCED SETTINGS > Firewall > Edit Rules > Insert Check the Activate this rule checkbox. Enter the rule name as PC1_1, and enter the IP address of PC1_1 (192.168.40.1 / 255.255.255.255). Select Block and Log to block and log the matched traffic.
  • Page 91: Setup Anti-Dos

    Setup Anti-DoS ADVANCED SETTINGS > Firewall > Anti-DoS With Anti-DoS attack protection enabled, the MH-5001 will be equipped with the built-in Anti-DoS engine. Normal DoS attacks will show up in the log when the MH-5001 detects and blocks such traffic. However, flooding attacks require extra parameters to be recognized.
  • Page 92 Table 10-4 Setup the thresholds of Anti-DoS Step 6. View Anti-DoS Logs DEVICE Status > Firewall Logs > Anti-DoS Logs When any DoS attack passes through the MH-5001 firewall, it will block the attack packets and log them as in the right diagram.
  • Page 94: Chapter 11 Ip/Mac Binding

    IP spoofing: IP spoofing attempts to use the IP address of a trusted computer to connect to or through the MH-5001 unit from a different computer. The IP address of a computer can easily be changed to a trusted address, but MAC addresses are added to Ethernet cards at the factory and cannot easily be changed.
  • Page 95 Advanced Setting > IP/MAC binding > Edit Rules > Insert Add an IP/MAC binding rule to allow our PC to pass through the MH-5001. Otherwise our PC will be blocked by the MH-5001 in the later steps. Here the IP address “192.168.40.5” is bound to the MAC address of our login PC.
  • Page 96 Advanced Setting > IP/MAC binding > Edit Rules > Insert Add another IP/MAC rule to allow an IP address range to pass through the MH-5001. This rule type is especially useful for local PCs using the DHCP feature. Suppose the DHCP IP range of the LAN1 interface is 192.168.40.100 to 192.168.40.119.
  • Page 97 “Block” Through the previous steps, we have configured two IP/MAC rules that allow traffic to pass through the MH-5001. In this step, we will change the IP/MAC binding status to “Block” to prohibit invalid IP addresses from passing through the MH-5001. Step 13. Show the IP/MAC binding rule Advanced Setting >...
  • Page 98: Vpn Benefit

    MH-5001 User Manual Chapter 12 VPN Technical Introduction Chapter 12 VPN Technical Introduction This chapter introduces VPN related technology. 12.1 VPN benefit If you choose to implement VPN technology in your enterprise, it may bring the following benefits to your company.
  • Page 99: Key Management

    MH-5001 User Manual Chapter 12 VPN Technical Introduction 12.2.5 Key Management Key Management allows you to determine whether to use IKE (ISAKMP) or manual key configuration in order to set up a VPN. IKE Phases There are two phases to every IKE (Internet Key Exchange) negotiation – phase 1 (Authentication) and phase 2 (Key Exchange). A phase 1 exchange establishes an IKE SA and the second phase uses that SA to negotiate SAs for IPSec.
  • Page 100: Ipsec Protocols

    This may be unnecessary for data that does not require such security, so PFS is disabled (None) by default in the MH-5001. Disabling PFS means new authentication and encryption keys are derived from the same root secret (which may have security implications in the long run) but allows faster SA setup (by bypassing the Diffie-Hellman key exchange).
  • Page 101: Make Vpn Packets Pass Through Mh-5001

    Step 1. Enable IPSec ADVANCED SETTINGS > VPN Settings > Pass Through If we need to set up the MH-5001 between existing IPSec / PPTP / L2TP connections, we need to open up the ports that the MH-5001 firewall blocks in advance. Here we provide a simple way: enable the IPSec / PPTP / L2TP pass through checkbox on this page.
  • Page 102: Chapter 13 Virtual Private Network – Ipsec

    1. Let the users in LAN_1 and LAN_2 share the resources through a secure channel established using the public Internet. 13.3 Methods 1. Separately configure WALL-1 and WALL-2, the two MH-5001, which are the edge gateways of LAN_1 and LAN_2 respectively. You have to determine a key management method between IKE (Internet Key Exchange) and Manual Key.
  • Page 103: Steps

    MH-5001 User Manual Chapter 13 Virtual Private Network – IPSec Same “Local Address” means the local LAN subnet; “Remote Address” means the remote LAN subnet; “My IP Address” means the WAN IP address of the local VPN gateway while the “Peer’s IP Address” means the WAN IP address of the other VPN gateway.
  • Page 104 MH-5001 User Manual Chapter 13 Virtual Private Network – IPSec FIELD DESCRIPTION EXAMPLE Enable IPSec Enable IPSec feature of MH-5001 Enabled BUTTON DESCRIPTION Apply Apply the settings which have been configured. Table 13-2 Enable the IPSec feature Step 2. Add an IKE rule ADVANCED SETTINGS >...
  • Page 105 MH-5001 User Manual Chapter 13 Virtual Private Network – IPSec Step 3. Customize the rule ADVANCED SETTINGS > VPN Settings > IPSec > IKE > Add Check the Active checkbox. Enter a name for this rule like IKErule. Enter the Local IP (192.168.40.0/255.255.255.0)
  • Page 106 MH-5001 User Manual Chapter 13 Virtual Private Network – IPSec Outgoing Interface: The WAN interface you are going to build the IPSec tunnel with (WAN interfaces; e.g. WAN1). Peer’s IP Address: The IP address of the remote VPN device (Static IP / ...; e.g. Static IP 210.2.1.1)...
  • Page 107 MH-5001 User Manual Chapter 13 Virtual Private Network – IPSec Step 4. Detail settings of IPSec IKE ADVANCED SETTINGS > VPN Settings > IPSec > IKE > Add > Advanced In this page, we will set the detailed value of IKE Table 13-5 parameter.
  • Page 108 MH-5001 User Manual Chapter 13 Virtual Private Network – IPSec Key Group: Choose a Diffie-Hellman public-key cryptography key group (DH1 / DH2 / DH5). Phase2 Encapsulation: View only; it was set previously and cannot be edited again (cannot be edited; e.g. Tunnel).
  • Page 109 Here we have a new rule before the default firewall rule. This rule will allow packets from 192.168.88.0 / 255.255.255.0 to pass through MH-5001 and complete the VPN tunnel establishment. At WALL-2: Here we will configure the IPSec properties of WALL-2. Note that the “Local Address” and “Remote Address” fields are the opposite...
  • Page 110 MH-5001 User Manual Chapter 13 Virtual Private Network – IPSec Step 1. Enable IPSec ADVANCED SETTINGS > VPN Settings > IPSec Check the Enable IPSec checkbox and click Apply. Step 2. Add an IKE rule ADVANCED SETTINGS > VPN Settings > IPSec > IKE Click the IKE hyperlink and click Add to add a new IPSec VPN tunnel endpoint.
  • Page 111 MH-5001 User Manual Chapter 13 Virtual Private Network – IPSec Step 4. Remind to add a Firewall rule ADVANCED SETTINGS > VPN Settings > IPSec > IKE > Add After finishing IPSec rule settings, we need to add a firewall rule. Here system shows a window message to remind you of adding a firewall rule.
  • Page 112: Des/Md5 Ipsec Tunnel: The Manual-Key Way

    192.168.40.0/24 to 192.168.88.0/24 will be allowed to pass through the MH-5001 and successfully access 192.168.88.0/24 through the VPN tunnel. DES/MD5 IPSec tunnel: the Manual-Key way In the previous section we introduced the IKE method. Here we introduce another method, the Manual-Key way, which configures WALL-1 without IKE.
  • Page 113 MH-5001 User Manual Chapter 13 Virtual Private Network – IPSec Step 3. Customize the rule ADVANCED SETTINGS > VPN Settings > IPSec > Manual Key > Add Same as those in IKE. But there is no pre-shared key in the manual-key mode. Enter the Key for encryption, such as 1122334455667788.
  • Page 114 Interface tunnel with. Peer’s IP Address: The IP address of the remote site device, like MH-5001 Multi-Homing Security Gateway (IPv4 format; e.g. 210.2.1.1). Outgoing SPI: The Outgoing SPI (Security Parameter Index) value (hex 600 ~ 600000 / dec 1500 ~ 6300000; e.g. hex 2222)
  • Page 115 MH-5001 User Manual Chapter 13 Virtual Private Network – IPSec Enable Replay Detection: Whether “Replay Detection” is enabled (Action: NO / YES). Table 13-7 Setup Advanced feature in the IPSec Manual Key rule Step 5. Remind to add a Firewall rule ADVANCED SETTINGS >...
  • Page 116 Here we have a new rule before the default firewall rule. This rule will allow packets from 192.168.88.0 / 255.255.255.0 to pass through MH-5001 and complete the VPN tunnel establishment. At WALL-2: Second, we will use the Manual-Key way to configure the IPSec properties of WALL-1.
  • Page 117 MH-5001 User Manual Chapter 13 Virtual Private Network – IPSec Step 3. Customize the rule ADVANCED SETTINGS > VPN Settings > IPSec > Manual Key > Add Similar to those in WALL-1, except that you should interchange the Local IP Address with...
  • Page 118 ADVANCED SETTINGS > Firewall > Edit Rules Now we have inserted a new rule before the default firewall rule. Packets from 192.168.40.0/24 to 192.168.88.0/24 will be allowed to pass through the MH-5001 and successfully access 192.168.88.0/24 through the VPN tunnel.
  • Page 119: Chapter 14 Virtual Private Network –Dynamic Ipsec

    MH-5001 User Manual Chapter 14 Virtual Private Network –Dynamic IPSec This chapter introduces Dynamic IPSec VPN and explains how to implement it. Starting from the scenario described in Figure 2-1, this chapter extends it to explain how to make a dynamic VPN link between LAN_1 and LAN_2.
  • Page 120: Steps

    MH-5001 User Manual Chapter 14 Virtual Private Network –Dynamic IPSec 14.4 Steps In the following we separately explain how to set up a secure DES/MD5 tunnel with the dynamic remote gateway IP address type. At WALL-1: First, we will configure the IPSec properties of WALL-1. For the related explanation, please refer to Chapter 12 and Chapter 10.
  • Page 121 MH-5001 User Manual Chapter 14 Virtual Private Network –Dynamic IPSec Step 3. Customize the rule ADVANCED SETTINGS > VPN Settings > IPSec > IKE > Add Check the Active checkbox. Enter a name for this rule like IKErule. Enter the Local IP (192.168.40.0/255.255.255.0)
  • Page 122 MH-5001 User Manual Chapter 14 Virtual Private Network –Dynamic IPSec Step 5. Remind to add a Firewall rule ADVANCED SETTINGS > VPN Settings > IPSec > IKE > Add After finishing IPSec rule settings, we need to add a firewall rule. Here system shows a window message to remind you of adding a firewall rule.
  • Page 123 Here we have a new rule before the default firewall rule. This rule will allow packets from 192.168.88.0 / 255.255.255.0 to pass through MH-5001 and complete the VPN tunnel establishment. At WALL-2: Here we will configure the IPSec properties of WALL-2. Note that the “Local Address” and “Remote Address” fields are the opposite of WALL-1, and so are “My IP Address”...
  • Page 124 MH-5001 User Manual Chapter 14 Virtual Private Network –Dynamic IPSec Step 3. Customize the rule ADVANCED SETTINGS > VPN Settings > IPSec > IKE > Add Check the Active checkbox. Enter a name for this rule like IKErule. Enter the Local IP (192.168.88.0/255.255.255.0)
  • Page 125 ADVANCED SETTINGS > Firewall > Edit Rules Now we have inserted a new rule before the default firewall rule. Packets from 192.168.40.0/24 to 192.168.88.0/24 will be allowed to pass through the MH-5001 and successfully access 192.168.88.0/24 through the VPN tunnel.
  • Page 126: Chapter 15 Virtual Private Network – Hub And Spoke Vpn

    15.2 Objectives 1. Using the VPN hub we can create a hub and spoke VPN configuration to direct traffic through a central MH-5001 from one VPN tunnel to another VPN tunnel. Each VPN tunnel provides connectivity to a different remote VPN gateway. All of the...
  • Page 127: Methods

    MH-5001 User Manual Chapter 15 Virtual Private Network – Hub and Spoke VPN 15.3 Methods 1. Configuring the IKE tunnels. 2. Configuring the WAN1-to-LAN1 Firewall Rule. 3. Configuring the VPN Hub for the Main Office. 4. Configuring the VPN spoke for the Branch Offices.
  • Page 128 MH-5001 User Manual Chapter 15 Virtual Private Network – Hub and Spoke VPN MD5) (all four tunnels). AH Algorithm: Not selected (all four tunnels). Pre-Shared Key: 1234567890 (all four tunnels). Table 15-1 The IKE tunnel configuration Configuring the VPN Hub for Main Office Step 8.
  • Page 129 MH-5001 User Manual Chapter 15 Virtual Private Network – Hub and Spoke VPN Step 10. Customize a Firewall rule from ADVANCED SETTINGS > Firewall > Edit Rules > Insert Spoke 2 to Spoke 1 Enter the Rule Name Source IP...
  • Page 130 MH-5001 User Manual Chapter 15 Virtual Private Network – Hub and Spoke VPN Step 13. Customize a Firewall rule ADVANCED SETTINGS > Firewall > Edit Rules > Insert Enter the Rule Name as AllowVPN, Source IP as Hub-Spoke2 [Hub (192.168.1.0), Spoke_2 (192.168.88.0)], and Dest.
  • Page 131 MH-5001 User Manual Chapter 15 Virtual Private Network – Hub and Spoke VPN Configuring the VPN Spoke for the Branch_2 Step 16. Add a Firewall rule ADVANCED SETTINGS > Firewall > Edit Rules Suppose the Branch_2 Office has already added a VPN tunnel to communicate with the Main Office.
  • Page 132 MH-5001 User Manual Chapter 15 Virtual Private Network – Hub and Spoke VPN Step 19. View the added VPN Spoke ADVANCED SETTINGS > VPN Settings > IPSec > IKE > Add > Advanced You can view the added VPN spoke here.
  • Page 134: Chapter 16 Remote Access Vpn – Pptp

    MH-5001 User Manual Chapter 16 Remote Access VPN – PPTP This chapter introduces PPTP and explains how to implement it. 16.1 Demands 1. An employee in our company may sometimes want to connect back to our corporate network to work on something. His PC is PC1_1 in LAN_1 rather than in DMZ_1, so he cannot reach the host directly with virtual server settings alone.
  • Page 135: Setup Pptp Network Server

    16.3 Methods 1. Set up the PPTP server at WALL-1, the MH-5001. Set up the remote PC as the PPTP client. After dialing up to WALL-1, WALL-1 will assign a private IP which falls in the range configured in the PPTP server at WALL-1. Suppose the range is defined as 192.168.40.180 ~ 192.168.40.199; the remote host may get an IP of 192.168.40.180 and logically become a...
  • Page 136: Setup Pptp Network Client

    Next. 7. In the VPN Server Selection dialog, enter the public IP or hostname of the MH-5001 to connect to and select Next. 8. Set Connection Availability to Only for myself and select Next.
  • Page 137 Chapter 16 Remote Access VPN – PPTP FIELD DESCRIPTION EXAMPLE Enable PPTP Client: Enable the PPTP Client feature of MH-5001 (Enabled). Server IP: The IP address of the PPTP server (61.2.1.1). Username: The designated account which allows the PPTP client to dial in.
  • Page 138: Chapter 17 Remote Access Vpn – L2Tp

    1. Set up the L2TP server at WALL-1, the MH-5001 (LNS: L2TP Network Server). After dialing up to MH-5001, MH-5001 will assign a private IP which falls in the range configured in the L2TP server at MH-5001. Suppose the range is defined as 192.168.40.200 ~ 192.168.40.253; the remote host may get an IP of 192.168.40.200 and logically become a...
  • Page 139: Setup L2Tp Network Server

    LAC End IP: The end of the IP address range from which users are allowed to dial in to the LNS server using the L2TP protocol (211.54.63.5). Username: The account which allows the L2TP client user to dial in to MH-5001 (L2tpUsers). Password: The password which allows the L2TP client user to dial in to MH-5001 (Dif3wk)...
  • Page 140 Next. 7. In the VPN Server Selection dialog, enter the public IP or hostname of the MH-5001 to connect to and select Next. 8. Set Connection Availability to Only for myself and select Next.
  • Page 141 MH-5001 User Manual Chapter 17 Remote Access VPN – L2TP Connecting to the L2TP VPN 1. Connect to your ISP. 2. Start the dial-up connection configured in the previous procedure. 3. Enter your L2TP VPN User Name and Password. 4. Select Connect.
  • Page 142 MH-5001 User Manual Chapter 17 Remote Access VPN – L2TP...
  • Page 143: Chapter 18 Remote Access Vpn – Windows Client

    18.3 Methods As Figure 18-1 illustrates, we first need to set up the IPSec feature of WALL-1, the MH-5001 at the company. We then have to configure the related IPSec settings in the Windows client on the employee’s side, so that the employee can establish the IPSec tunnel through the Windows client and access the company’s resources.
  • Page 144: Steps

    Create a custom MMC console; please refer to the description in 18.4.2. Create an IPSec policy; please refer to the description in 18.4.3. Add a filter rule from WinXP to MH-5001; please refer to the description in 18.4.4. Add a filter rule from MH-5001 to WinXP; please refer to the description in 18.4.5.
  • Page 145 ADVANCED SETTINGS > VPN Settings > IPSec > IKE > Add > Apply Here appears a warning message to remind you to add a firewall rule which can allow IPSec traffic into the MH-5001, because the WAN-to-LAN traffic of the MH-5001 by default is blocked. Step 23. Finish adding an IPSec rule ADVANCED SETTINGS >...
  • Page 146: Create A Custom Mmc Console

    MH-5001 User Manual Chapter 18 Remote Access VPN – Windows client Step 24. Add Firewall rule settings Additionally, because WAN-to-LAN traffic is blocked by default, we must add a firewall rule to allow the remote side’s local network to pass through the device.
  • Page 147 MH-5001 User Manual Chapter 18 Remote Access VPN – Windows client Step 28. Add “Computer Management” snap-in In the Add Standalone Snap-in dialog box, click Computer Management, and then click Add. Step 29. Verify the Local Computer is selected Verify that Local Computer (default setting) is selected, and click Finish.
  • Page 148 MH-5001 User Manual Chapter 18 Remote Access VPN – Windows client Step 32. Add “Certificates” snap-in In the Add Standalone Snap-in dialog box, click Certificates, and then click Add. Step 33. Select Computer account In the Certificates snap-in dialog box, select Computer account, and click Next.
  • Page 149: Create An Ipsec Policy

    In the Open text box, type secpol.msc, and then click OK. Step 38. Create IP Security policy Select Action > Create IP Security policy to add a security policy. Step 39. Enter policy name Click Next, and type a name for your policy. For example, WinXP to MH-5001 tunnel.
  • Page 150 MH-5001 User Manual Chapter 18 Remote Access VPN – Windows client Step 40. Uncheck the item Uncheck the Activate the default response rule checkbox, and click Next. Step 41. Finish the IP Security policy creation Keep the Edit properties check box selected and click Finish.
  • Page 151: Add A Filter Rule From Winxp To Mh-5001

    Step 45. Keep the corresponding item For this example, we keep the item with the DES, MD5 and DH1 combination. 18.4.4 Add a filter rule from WinXP to MH-5001 Step 46. Add a new filter rule In the tunnel properties, uncheck the Use Add Wizard check box, and click Add to create a new rule.
  • Page 152 On the IP Filter List tab, click Add to add an IP Filter List. Step 48. Edit IP filter list Type a name for the filter list (e.g., WinXP to MH-5001), uncheck Use Add Wizard check box, and click Add. Step 49. Edit address...
  • Page 153 MH-5001 User Manual Chapter 18 Remote Access VPN – Windows client Step 50. Edit protocol filter properties Click the Protocol tab. Leave the protocol type to Any. Step 51. Edit the description of filter properties Click the Description tab. You can give a name for this filter list.
  • Page 154: Add A Filter Rule From Mh-5001 To Winxp

    Click the IP Filter List tab, and then click Add to add an IP Filter List. Step 54. Edit IP filter list Type a name for the filter list (e.g., MH-5001 to WinXP), uncheck Use Add Wizard check box, and click Add.
  • Page 155 MH-5001 User Manual Chapter 18 Remote Access VPN – Windows client Step 56. Edit protocol filter properties Click the Protocol tab. Leave the protocol type to Any. Step 57. Edit the description of filter properties Click the Description tab. You can give a name for this filter list.
  • Page 156: Configure A Rule For Winxp Client To Mh-5001

    MH-5001 User Manual Chapter 18 Remote Access VPN – Windows client 18.4.6 Configure a rule for WinXP client to MH-5001 Step 59. Select the first IP filter list Now there are two IP filter lists for the WinXP IPSec use. Select the first filter list you have created above from the IP Filter List, such as WinXP to MH-5001.
  • Page 157 You must do this to ensure secure connections. Click Add to proceed. Step 64. Setting the Security Method Select Custom (for expert users) if you want to define specific algorithms and session key lifetimes. Please make sure the settings match whatever we configured in MH-5001 before...
  • Page 158 Fill in the new key generation interval (e.g. 28800 sec). Note that the settings on this page must match the IPSec phase 2 settings at MH-5001. Step 66. New Filter Action Properties Click the General tab. Give a name to the filter action.
  • Page 159 Select the Use this string (pre-shared key) option and enter the string 1234567890 in the text box. Step 70. Delete Kerberos method Delete the original Kerberos method and select only the Preshared Key we defined before. Click Close to finish the WinXP to MH-5001 Rule settings.
  • Page 160: Configure A Rule For Mh-5001 To Winxp Client

    18.4.7 Configure a rule for MH-5001 to WinXP client Step 71. Add a new IP filter rule Now we are going to configure the rule of MH-5001 to WinXP client. Click Add to add a new IP filter rule. Step 72. Select IP filter list Click the IP Filter List tab.
  • Page 161 MH-5001 User Manual Chapter 18 Remote Access VPN – Windows client Step 74. Connection Type Click Connection Type tab, and then click All network connections. Step 75. Filter Action Click Filter Action tab, and then select the filter action (DES-MD5) you just created.
  • Page 162: Enable The Security Settings

    Chapter 18 Remote Access VPN – Windows client Step 77. Finish editing the rules The IP Security rule of MH-5001 to WinXP is now completely configured, as shown in the figure. Click Close to finish the settings. 18.4.8 Enable the security settings Step 78.
  • Page 163: Chapter 19 Content Filtering – Web Filters

    MH-5001 User Manual Chapter 19 Content Filtering – Web Filters This chapter introduces web content filters and explains how to implement them. 19.1 Demands Figure 19-1 Use web filter functionality to prevent users from browsing forbidden web sites 1.
  • Page 164: Objectives

    MH-5001 User Manual Chapter 19 Content Filtering – Web Filters Figure 19-2 Use web filter functionality to prevent users from viewing forbidden web sites 2. As the above Figure 19-2 illustrates, someone (PC1_1) is browsing forbidden web pages during office hours. The contents of the web pages may include stock markets, violence, or sex, which wastes the bandwidth of the Internet access link while degrading productivity during normal working hours.
  • Page 165: Steps

    Enable Web Proxy Filtering: If this feature is enabled, all web pages passing through the proxy (only port 3128) will also be verified by MH-5001 (Enabled). If “Web Proxy” is disabled, all web pages passing through the proxy will bypass the verification (Disabled).
  • Page 166 Trusted Domains. However, if the web objects are set to be blocked by the MH-5001 in step 3, these allowed accesses will never be able to retrieve these objects. Check the “Don’t block …” to allow the objects for these trusted domains.
  • Page 167 Enable Filter List Customization (Enable/Disable; Enabled): all the domains in the Trusted Domains will be allowed to pass through MH-5001. Conversely, all the domains in the Forbidden Domains will be blocked by the MH-5001. Disable all web traffic except for trusted domains: Disable all web traffic except the domain range specified by the trusted domains.
  • Page 168 Step 6. Customize Categories ADVANCED SETTINGS > Content Filters > Web Filter > Categories With the built-in URL database, MH-5001 can block web sessions towards several pre-defined Categories of URLs. Check the items that you want to block or log. Simply clicking Block all categories will apply all categories.
  • Page 169 FIELD DESCRIPTION EXAMPLE Restricted Features: Select the items below that will be verified by the Web Filter of MH-5001. ActiveX: filter web pages that include ActiveX (Enabled). Java: filter web pages that include Java applets...
  • Page 170: Setting Priorities

    MH-5001 User Manual Chapter 19 Content Filtering – Web Filters Step 8. Setup contents keyword ADVANCED SETTINGS > Content Filters > Web Filter > Keyword blocking Check the Enable Keyword Blocking to block any Web pages that contain the entered keywords.
  • Page 171 MH-5001 User Manual Chapter 19 Content Filtering – Web Filters Figure 19-3 Web filter features priority (from High to Low) Based on these web filter priorities, we now have a guiding principle for setting up the web filter. As we know, the web filter settings offer many choices depending on your requirements.
  • Page 172 MH-5001 User Manual Chapter 19 Content Filtering – Web Filters Web page: If the web page contains the components (ActiveX/Java/JavaScript/cookie) indicated in “Web Filter > Web Filter > Features”, or the keywords indicated in “Web Filter > Keyword”. The contents Web Filter >...
  • Page 174: Chapter 20 Content Filtering – Mail Filters

    MH-5001 User Manual Chapter 20 Content Filtering – Mail Filters This chapter introduces SMTP proxies and explains how to implement them. 20.1 Demands 1. Sometimes malicious scripts such as *.vbs files are attached to email. If users accidentally open such files, their computers may be infected with a virus.
  • Page 175: Steps For Anti-Virus

    MH-5001 User Manual Chapter 20 Content Filtering – Mail Filters Figure 20-1 Use SMTP / POP3 filter functionality to prevent sensitive e-mail from being opened directly 20.4 Steps for Anti-Virus Step 1 – Enable Anti-Virus ADVANCED SETTINGS > Content Filters > Mail Filters > Anti-Virus Click the Anti-Virus hyperlink.
  • Page 176: Steps For Anti-Spam

    Content Filtering – Mail Filters Step 3 – Block attached files When the SMTP/POP3/IMAP filter function is enabled, MH-5001 performs Anti-Virus in two steps. Step 1, add the extensions which you would like to block (max: 32 items). You can add/delete items by clicking the Add/Delete button.
  • Page 177: Steps For Smtp Relay

    Content Filtering – Mail Filters Step 3 – Add the black list When the SMTP/POP3/IMAP filter function is enabled, MH-5001 performs Anti-Spam in three steps. Step 1, add the email addresses which you would like to block. You can add/delete entries in the block list by clicking the Add/Delete button.
  • Page 178 MH-5001 User Manual Chapter 20 Content Filtering – Mail Filters Step 2 – Apply SMTP Relay ADVANCED SETTINGS > Content Filters > Mail Filters > Anti-Spam When you apply the SMTP Relay, the IP addresses of the LAN and DMZ interfaces will be...
  • Page 179: Chapter 21 Content Filtering – Ftp Filtering

    MH-5001 User Manual Chapter 21 Content Filtering – FTP Filtering This chapter introduces FTP proxies and explains how to implement them. 21.1 Demands 1. Some users in LAN1 use FTP to download big MP3 files and waste bandwidth.
  • Page 180: Steps

    Click the Add button to add a new FTP filter. FIELD DESCRIPTION EXAMPLE Enable FTP Filter Enable FTP Filter feature of MH-5001 Enabled Table 21-1 FTP Filter FTP setting page Step 2. Add an FTP Filter ADVANCED SETTINGS > Content Filters > FTP Filter > FTP > Add Enter mp3 in the Name field and select Extension Name in the Blocked Type field.
  • Page 181 MH-5001 User Manual Chapter 21 Content Filtering – FTP Filtering Step 3. View the result ADVANCED SETTINGS > Content Filters > FTP Filter > FTP We can see the specified record in this page. Step 4. Add an Exempt Zone ADVANCED SETTINGS >...
  • Page 182 MH-5001 User Manual Chapter 21 Content Filtering – FTP Filtering Step 5. Show the Exempt Zones ADVANCED SETTINGS > Content Filters > FTP Filter > FTP Exempt Zone Here we can see that the newly added Exempt Zone record appears.
  • Page 183: Chapter 22 Content Filters – L7 Firewall

    Action field. All traffic will be normalized to go out via the well-known port. If you do not want to manage a certain application, select “--------------“ to tell MH-5001 to skip it. That lets MH-5001 keep its good performance.
  • Page 184: Steps

    Select Allow/Block/Allow only at port ( ) in the Action field for the applications. If you do not want to manage a certain application, please select or leave it as “--------------“. That lets MH-5001 keep its good performance. Click the Apply button to apply the settings. Note, MH-5001...
  • Page 185: View L7 Firewall Logs

    IM/P2P applications MH-5001 can manage currently (e.g. Chat-ICQ, Chat-AOL). Action: The action for MH-5001 to take when a user runs the chosen application (--------------------, Allow, Allow only at port 1863, Allow only at port 5050, Allow only at port 5190). If you select “--------------“, it means that MH-5001...
  • Page 186: Chapter 23 Intrusion Prevention Systems

    Methods 1. Specify where to put the Web server and let the IPS on the MH-5001 protect the network from attacks. 2. Set up logs to send mail to the specified email address during the defined time. You can choose daily/weekly to receive mails and periodically monitor the IPS logs.
  • Page 187: Steps

    MH-5001 User Manual Chapter 23 Intrusion Prevention Systems 23.4 Steps Step 1 – Enable IPS ADVANCED SETTINGS > IPS > IPS Status Check the Enable IPS checkbox, and then click the Apply button. When IPS is enabled, priority-1 inbound/outbound attacks through the default WAN link will be blocked.
  • Page 188 Signature-based IPS different ways. It uses a database table to store the state of the finite state machines representing possible attacks in progress. MH-5001 has a complete attack database to provide corporate-wide real-time protection. Anomaly-based IPS captures all the headers of the IP packets travelling towards the network. From this,...
  • Page 189: Bandwidth Management

    MH-5001 User Manual Chapter 24 Bandwidth Management This chapter introduces bandwidth management and explains how to implement it. 24.1 Demands Figure 24-1 Use the bandwidth management mechanism to shape the data flow in the downlink direction 1. As the above Figure 24-1 illustrates, we hope LAN_1 users can watch the Video Stream Server smoothly. Besides, we...
  • Page 190: Objectives

    MH-5001 User Manual Chapter 24 Bandwidth Management Figure 24-2 Use the bandwidth management mechanism to shape the data flow in the uplink direction 2. As the above Figure 24-2 illustrates, LAN_1 PCs are using the E-Commerce service from the E-Commerce Server (140.113.79.3), causing the blocking of the VPN transfer from LAN_1 to LAN_2.
  • Page 191: Methods

    24.4 Steps Step 1. Enable Bandwidth Management ADVANCED SETTINGS > Bandwidth Mgt. > Status Check the Enable Bandwidth Management checkbox, and click the Apply button. FIELD DESCRIPTION Range/Format EXAMPLE Enable Bandwidth Management: Enable the Bandwidth Management feature of MH-5001 (Enable/Disable; Enabled)...
  • Page 192 MH-5001 User Manual Chapter 24 Bandwidth Management BUTTON DESCRIPTION Reset Bandwidth Management: Reset all the bandwidth management rules to their default status. Apply: Apply the settings which have been configured. Reset: Clear the filled-in data and restore the original values. Table 24-3 Setup status page of Bandwidth Management Step 2.
  • Page 193 MH-5001 User Manual Chapter 24 Bandwidth Management Step 3. Add new classes ADVANCED SETTINGS > Bandwidth Mgt. > Edit Actions > Create Sub-class Create a sub-class named web-from-WAN from the default class. Enter 0.3% in the bandwidth field. Make sure that Borrow button is unchecked...
  • Page 194 MH-5001 User Manual Chapter 24 Bandwidth Management Step 5. Setup WAN1-to-LAN1 Rules ADVANCED SETTINGS > Firewall > Edit Rules Select WAN1 to LAN1 to display the rules. There is a pre-defined rule that matches all traffic into the default class. Click Insert to insert a rule before the default rule.
  • Page 195 ADVANCED SETTINGS > Firewall > Edit Rules Now we can see that two customized rules exist in the queue of the WAN1 to LAN1 direction. In the No. 1 rule, the MH-5001 is configured to direct video-from-WAN packets into the video-from-WAN queue (300kbps).
  • Page 196: Outbound Traffic Management

    MH-5001 User Manual Chapter 24 Bandwidth Management Step 10. View the results ADVANCED SETTINGS > Firewall > Edit Rules We can see the result of our settings at the DMZ-to-LAN rule direction. 24.4.1 Outbound Traffic Management Step 1. Enable Bandwidth ADVANCED SETTINGS >...
  • Page 197 MH-5001 User Manual Chapter 24 Bandwidth Management Step 3. Partition into Classes ADVANCED SETTINGS > Bandwidth Mgt. > Edit Actions > Create Sub-Class Create a sub-class named LAN_1-to-LAN_2 from the default class. Enter 40% in the bandwidth field, uncheck the Borrow button, and click Apply.
  • Page 198 MH-5001 User Manual Chapter 24 Bandwidth Management Step 6. View the rules ADVANCED SETTINGS > Firewall > Edit Rules MH-5001 is configured to direct packets matching outE-Commerce into the E-Commerce queue (308 kbps) and packets matching outVPN into the LAN_1-to-LAN_2 queue (617 kbps). Here we reserve 40% of the WAN1 bandwidth for the LAN_1 to LAN_2 VPN data, to guarantee data communication over the VPN.
  • Page 199: Chapter 25 Load Balancer

    The WAN load balancer module consists of outbound load balancing and inbound load balancing. Users may want to subscribe to multiple WAN links and have their outbound traffic load-balanced among the WAN links. MH-5001 currently supports outbound WAN load balancing. Inbound load balancing will be supported in the very near future.
  • Page 200: Outbound Load Balancer

    MH-5001 User Manual Chapter 25 Load Balancer 25.4 Steps 25.4.1 Outbound Load Balancer Step 1. Make Firewall rules the same ADVANCED SETTINGS > Firewall > Edit Rules Since the traffic will be intelligently load-balanced among the WAN links, the Firewall settings for all WAN links should be set to the same settings.
  • Page 202: Chapter 26 High Availability

    MH-5001 User Manual Chapter 26 High Availability This chapter introduces High Availability and explains how to implement it. 26.1 Demands Figure 26-1 Use the High Availability mechanism to keep the network connection continuous 1. As the above Figure 22-1 illustrates, your company is worried that the firewall may crash someday, so it needs a backup system to keep the network connection continuous.
  • Page 203: Setup High Availability

    Chapter 26 High Availability 26.2 Objectives 1. Prepare two MH-5001 devices, and then use one as the primary firewall and the other as the secondary firewall. When the primary firewall crashes, you can replace it with the secondary firewall. 26.3 Methods There are five steps to configure the High Availability feature.
  • Page 204 MH-5001 User Manual Chapter 26 High Availability Step 2. Show the result in Web ADVANCED SETTINGS > High Availability > Status After you apply the High Availability feature, the secondary device will show the message to tell that “Sync configuration...
  • Page 205: System Status

    Chapter 27 System Status 27.1 Demands 1. Since we have finished the settings of MH-5001, we need to gather the device information quickly. Then we can have an overview of the system status. 27.2 Objectives 1. We can know the current situation easily through an integrated interface.
  • Page 206 Click the Routing Table to see the routing table information of MH-5001. Step 6. Active Sessions DEVICE STATUS > System Status > Active Sessions Click the Active Sessions to see all the current sessions of MH-5001. The Active Sessions include all the outbound and inbound sessions.
  • Page 207 MH-5001 User Manual Chapter 27 System Status Step 7. Top20 Sessions DEVICE STATUS > System Status > Top20 Sessions Click the Top20 Sessions to see the top 20 sessions by amount of transmitted bytes. These top 20 sessions are sorted by the amount of transmitted bytes.
  • Page 208: System Logs

    1. By tracking the system logs, you can tell whether an administrative action was valid or not. 2. Use the syslog server to receive logs, or edit the “Mail Logs” page of MH-5001 to have the log mailed out automatically at a periodic interval.
  • Page 209: Syslog & Mail Log

    Syslog Server. It will let MH-5001 send logs to the Syslog Server specified in the “Syslog Server IP Address” field. Notice: even if the logs are sent out to the syslog server, a copy is still kept in the MH-5001. FIELD DESCRIPTION EXAMPLE...
  • Page 210 MH-5001 User Manual Chapter 28 Log System Test test the mail logs configuration in this page Table 28-3 Setup the Mail Logs...
  • Page 211: System Maintenance

    GUI with the lost password. 3. Another issue is that, after setting up the MH-5001 properly, we may want to keep a copy of the current configuration to guard against unexpected accidents. We can then recover the original state from the previously saved configuration.
  • Page 212: Steps For Firmware Upgrade From Web Gui

    MH-5001‘s LAN1. Log in to the MH-5001’s console and enter en to enter privileged mode. Configure the LAN1 address so that the MH-5001 can connect to the TFTP server. The CLI command to configure the LAN1 interface is ip ifconfig INTF3 192.168.1.254 255.255.255.0. Example: MH-5001> en ; MH-5001# ip ifconfig INTF3 192.168.40.254 255.255.255.0
  • Page 213: Steps For Database Update From Web Gui

    MH-5001 User Manual Chapter 29 System Maintenance 2. Upgrade firmware SYSTEM TOOLS > Firmware Upgrade > Firmware Upgrade In the System Tools / Firmware Upgrade page, select the firmware file with the Browse button and check Preserve Saved Configurations to keep the original settings.
  • Page 214: Steps For Factory Reset

    Factory reset SYSTEM TOOLS > System Utilities > Factory Reset In the Web GUI, follow the path shown on the right. The MH-5001 configuration can be restored to the factory defaults simply by clicking the Apply button. Warning: Use this function with care. It erases all of your current configuration.
  • Page 215: Save The Current Configuration

    Back up the current configuration SYSTEM TOOLS > System Utilities > Save Configuration After finishing the settings of MH-5001, be sure to press the Save button on this page to keep the running configuration. 29.7 Steps for Backup / Restore Configurations Step 1.
  • Page 216: Steps For Reset Password

    MH-5001 User Manual Chapter 29 System Maintenance 29.8 Steps for Reset password Step 1. Enter the boot loader >> NetOS Loader (i386), V1.5 (Fri Feb 20 10:25:11 CST 2004) Press <TAB> to prompt - starting in 0 If you forget the password, you can use the following way to reset the password.
  • Page 217: A.1 Enable The Port Of Mh-5001

    Command Line Interface (CLI) Most of the time you configure the MH-5001 through the web interface (http/https). In an emergency you can also use the console, SSH or Telnet to configure the MH-5001. This is known as the Command Line Interface (CLI). With CLI commands you can set IP addresses, perform a factory reset, reboot or shut down the system, and so on.
  • Page 218 Show system and network status version (ver) sys version Show MH-5001 firmware version Table A-1 Non-privileged mode of normal mode Note: If you do not know which parameters a command accepts, type “?” after the command, e.g. “ip ?”. It will show all valid parameters that may follow “ip”.
  • Page 219: A.3 Cli Commands List (Rescue Mode)

    If the original firmware has been damaged by an accident, you may need to recover it with the factory reset process in rescue mode. Boot the MH-5001 and press <tab> or <space> during the 2-second countdown. Refer to Section 29.5.3 for details.
  • Page 220 MH-5001 User Manual A.3 CLI commands list (Rescue Mode) Privileged mode Main Sub commands Example Command description commands Show the help menu disable (dis) disable Turn off privileged mode command exit (ex) exit Exit command shell Configure IP related settings ip arp status Show the ip/MAC mapping table ip dns query www.yam.com.tw...
  • Page 222: Trouble Shooting

    Please ignore the LED status, because it can sometimes be misleading. I have already set the WAN1 IP address of the MH-5001 in the same subnet as my PC, but I still cannot log in to the MH-5001 over HTTPS via the WAN1 port from my PC. Why?...
  • Page 223 Make sure you have added a WAN to LAN policy under Advanced Settings/Firewall to let the IPSec packets pass through the MH-5001 (the default action from WAN to LAN is block). When you add a Firewall rule, the Source IP and Netmask are the IP address and PrefixLen/Subnet Mask from the Remote Address Type pages.
  • Page 224 MH-5001 User Manual Appendix B Trouble Shooting Figure B-1 and Figure B-2 show the WALL_A IPSec and Firewall settings. Figure B-3 and Figure B-4 show the settings on the opposite side, WALL_B. When you configure an IPSec policy, be sure to add a rule that lets the IPSec packets pass from WAN to LAN.
  • Page 225 Ans: One reason is that you may have entered the Host Name followed by a space, such as “MH-5001 “, together with a Domain Name string such as “planet.com.tw”, in firmware version 1.391B. The System Name then appears as “MH-5001 .planet.com.tw”. After upgrading the firmware to a later version (ex.
  • Page 226 But sometimes it will cause the firmware to fail. If the firmware fails, the MH-5001 automatically enters rescue mode when it reboots. You may need to perform a factory reset and then restore your original configuration to the MH-5001. Refer to the MH-5001 factory reset procedure in Section 29.5.
  • Page 228: Appendix C System Log Syntax

    Component type, the second part is the Log ID, the third part is the log description and the final part is the Event ID. Each time you apply a setting on the MH-5001, an Event is issued. The same Event ID may therefore cover many different Log IDs, because several settings may be changed in a single apply action.
  • Page 229 MH-5001 User Manual Appendix C System Log Syntax BANDWIDTH: [B01] WAN1 Disable bandwidth management with PPPoE connection. Web filter categories configuration updated: CONTENT: [C01] Web filter categories configuration update by admin (192.168.17.100:443). EID=6 Web filter added trusted host: CONTENT: [C02] Web filter add trusted host by admin (192.168.17.100:443).
  • Page 230 MH-5001 User Manual Appendix C System Log Syntax Updated POP3 filter exempt zone configuration: CONTENT: [C22] Updated POP3 filter exempt zone configuration by admin (192.168.17.100:443). EID=25 POP3 filter exempt zone added range: CONTENT: [C23] POP3 filter exempt zone added range from 140.126.1.1 to 140.126.1.255 by admin (192.168.17.100:443).
  • Page 231 MH-5001 User Manual Appendix C System Log Syntax Mail Log: LOG: [L02] mail logfile to tom@hotmail.com. Remote Syslog Server offline. Enable/Disable Syslog Forward to Remote Syslog Server: LOG: [L04] Enable syslog server at 192.168.17.100 by admin (192.168.17.102:443). LOG: [L04] Disable syslog server by admin (192.168.17.102:443).
  • Page 232 192.168.1.2/255.255.255.0 by admin (192.168.17.102:443). SYSTEM: [S09] LAN1: Change IP address alias 192.168.1.2/255.255.255.0 to 192.168.1.3/255.255.255.0 by admin (192.168.17.102:443). Set Host Name SYSTEM: [S10] HostName:MH-5001, set by admin (192.168.17.102:443). Set Domain Name SYSTEM: [S11] Domain Name: planet.com.tw, set by admin (192.168.17.102:443). Enable/Disable DDNS SYSTEM: [S12] Enable Dynamic DNS with hostname wall.adsldns.org on WAN1 by admin (192.168.17.102:443).
  • Page 233 MH-5001 User Manual Appendix C System Log Syntax Setup TELNET Server Setup SSH Server Setup WWW Server Setup HTTPS Server Setup SNMP Server MISC Setup Enable/Disable SNMP SYSTEM: [S28] Enable SNMP by admin (192.168.17.104:443) SYSTEM: [S28] System Location: Building-A. SYSTEM: [S28] Contact Info: +886-2-28826262.
  • Page 234: Glossary Of Terms

    NAT (Network Address Translation) – Using network address translation, the MH-5001 translates the private addresses of the internal network to a public address for Internet use. This lets an enterprise use a large number of private addresses.
  • Page 235 MH-5001 User Manual Appendix D Glossary of Terms OSPF (Open Shortest Path First) – Open Shortest Path First (OSPF) is a routing protocol used to determine the correct route for packets within IP networks. It was designed by the Internet Engineering Task Force to serve as an Interior Gateway Protocol replacing RIP.
