ZyXEL Communications NXC5200 User Manual

NXC5200
Wireless LAN Controller

Default Login Details
IP Address: https://192.168.1.1
User Name: admin
Password: 1234

Version 2.20
Edition 1, 05/2010
www.zyxel.com
Copyright © 2010 ZyXEL Communications Corporation

Summary of Contents for ZyXEL Communications NXC5200

  • Page 1 NXC5200 Wireless LAN Controller Default Login Details IP Address https://192.168.1.1 User Name admin Password 1234 Version 2.20 www.zyxel.com Edition 1, 05/2010 www.zyxel.com Copyright © 2010 ZyXEL Communications Corporation...
  • Page 3: About This User's Guide

    Click the help icon in any screen for help in configuring that screen and supplementary information. • ZyXEL Web Site Please refer to www.zyxel.com for additional support documentation and product certifications. User Guide Feedback Help us help you. Send all User Guide-related comments, questions or suggestions for improvement to the following address, or use e-mail instead.
  • Page 4 • Knowledge Base If you have a specific question about your product, the answer may be here. This is a collection of answers to previously asked questions about ZyXEL products. • Forum This contains discussions on ZyXEL products. Learn from others who use ZyXEL products and share your experiences as well.
  • Page 5 Graphics in this book may differ slightly from the product due to differences in operating systems, operating system versions, or if you installed updated firmware/software for your device. Every effort has been made to ensure that the information in this manual is accurate. NXC5200 User’s Guide...
  • Page 6: Document Conventions

    For example, “k” for kilo may denote “1000” or “1024”, “M” for mega may denote “1000000” or “1048576” and so on. • “e.g.,” is a shorthand for “for instance”, and “i.e.,” means “that is” or “in other words”. NXC5200 User’s Guide...
  • Page 7 Document Conventions Icons Used in Figures Figures in this User’s Guide may use the following generic icons. The NXC icon is not an exact representation of your device. Computer Notebook computer Server Firewall Telephone Switch Router NXC5200 User’s Guide...
  • Page 8: Safety Warnings

    Your product is marked with this symbol, which is known as the WEEE mark. WEEE stands for Waste Electronics and Electrical Equipment. It means that used electrical and electronic products should not be mixed with general waste. Used electrical and electronic equipment should be treated separately. NXC5200 User’s Guide...
  • Page 9: Table Of Contents

    2.2.3 Captive Portal (p. 38); 2.2.4 Load Balancing (p. 38); 2.2.5 Dynamic Channel Selection (p. 38); 2.2.6 User-Aware Access Control (p. 39); 2.2.7 Device HA (p. 39); Chapter 3 The Web Configurator (p. 41); 3.1 Overview (p. 41) NXC5200 User’s Guide...
  • Page 10 4.5.2 AP Profile (p. 67); 4.5.3 MON Profile (p. 68); 4.6 System (p. 68); 4.6.1 DNS, WWW, SSH, TELNET, FTP, and SNMP (p. 68); 4.6.2 Logs and Reports (p. 68); 4.6.3 File Manager (p. 69); 4.6.4 Diagnostics (p. 69) NXC5200 User’s Guide...
  • Page 11 6.2.1 CPU Usage (p. 109); 6.2.2 Memory Usage (p. 110); 6.2.3 Session Usage (p. 111); 6.2.4 DHCP Table (p. 112); 6.2.5 Number of Login Users (p. 113); Chapter 7 Monitor (p. 115); 7.1 Overview (p. 115); 7.1.1 What You Can Do in this Chapter (p. 115) NXC5200 User’s Guide...
  • Page 12 9.1 Overview (p. 157); 9.1.1 What You Can Do in this Chapter (p. 157); 9.1.2 What you Need to Know (p. 157); 9.2 Anti-Virus (p. 158); 9.3 IDP/AppPatrol (p. 159); 9.4 System Protect (p. 161); Chapter 10 Wireless (p. 163) NXC5200 User’s Guide...
  • Page 13 12.2.1 Add/Edit Policy Route (p. 202); 12.3 Static Route (p. 206); 12.3.1 Static Route Setting (p. 207); 12.4 Technical Reference (p. 208); Chapter 13 Zones (p. 213); 13.1 Overview (p. 213); 13.1.1 What You Can Do in this Chapter (p. 214) NXC5200 User’s Guide...
  • Page 14 17.1.1 What You Can Do in this Chapter (p. 240); 17.2 Captive Portal (p. 240); 17.2.1 Add Exceptional Services (p. 242); 17.2.2 Auth. Policy Add/Edit (p. 243); 17.3 Login Page (p. 245); Chapter 18 Firewall (p. 249); 18.1 Overview (p. 249) NXC5200 User’s Guide...
  • Page 15 Chapter 21 IDP (p. 303); 21.1 Overview (p. 303); 21.1.1 What You Can Do in this Chapter (p. 303); 21.1.2 What You Need To Know (p. 303); 21.1.3 Before You Begin (p. 304); 21.2 IDP Summary (p. 304) NXC5200 User’s Guide...
  • Page 16 23.1.1 What You Can Do in this Chapter (p. 357); 23.1.2 What You Need to Know (p. 358); 23.1.3 Before You Begin (p. 358); 23.2 Device HA General (p. 359); 23.3 Active-Passive Mode (p. 361); 23.3.1 Edit Monitored Interface (p. 364); 23.4 Technical Reference (p. 366) NXC5200 User’s Guide...
  • Page 17 27.1.1 What You Can Do in this Chapter (p. 407); 27.1.2 What You Need To Know (p. 407); 27.2 Address Summary (p. 407); 27.2.1 Add/Edit Address (p. 409); 27.3 Address Group Summary (p. 410); 27.3.1 Add/Edit Address Group Rule (p. 411) NXC5200 User’s Guide...
  • Page 18 31.2.1 Add Authentication Method (p. 438); Chapter 32 Certificates (p. 441); 32.1 Overview (p. 441); 32.1.1 What You Can Do in this Chapter (p. 441); 32.1.2 What You Need to Know (p. 441); 32.1.3 Verifying a Certificate (p. 443) NXC5200 User’s Guide...
  • Page 19 33.7.1 How SSH Works (p. 491); 33.7.2 SSH Implementation on the NXC (p. 492); 33.7.3 Requirements for Using SSH (p. 492); 33.7.4 Configuring SSH (p. 493); 33.7.5 Examples of Secure Telnet Using SSH (p. 494); 33.8 Telnet (p. 496) NXC5200 User’s Guide...
  • Page 20 36.3.2 Example of Viewing a Packet Capture File (p. 535); 36.4 Wireless Frame Capture (p. 536); 36.4.1 Wireless Frame Capture Files (p. 538); Chapter 37 Reboot (p. 539); 37.1 Overview (p. 539); 37.1.1 What You Need To Know (p. 539); 37.2 Reboot (p. 539) NXC5200 User’s Guide...
  • Page 21 Appendix B Common Services (p. 613); Appendix C Displaying Anti-Virus Alert Messages in Windows (p. 617); Appendix D Importing Certificates (p. 619); Appendix E Wireless LANs (p. 633); Appendix F Open Software Announcements (p. 647); Appendix G Legal Information (p. 699); Index (p. 703) NXC5200 User’s Guide...
  • Page 22 Table of Contents NXC5200 User’s Guide...
  • Page 23: Part I User's Guide

    User’s Guide...
  • Page 25: Chapter 1 Introduction

    “1234” respectively. 1.2 Rack-mounted Installation Note: ZyXEL provides a sliding rail accessory for your use with your device. Please contact your local vendor for details. The NXC can be mounted on an EIA standard size, 19-inch rack or in a wiring closet with other equipment.
  • Page 26: Rack-Mounted Installation Procedure

    Attach the other bracket in a similar fashion. After attaching both mounting brackets, position the NXC in the rack by lining up the holes in the brackets with the appropriate holes on the rack. Secure the NXC to the rack with the rack-mounting screws. NXC5200 User’s Guide...
  • Page 27: Lan Module Installation Procedure

    Chapter 1 Introduction 1.2.2 LAN Module Installation Procedure Turn the NXC over so that its bottom side faces up, then remove the LAN module screw. Slide the empty LAN Module tray out of the NXC chassis. NXC5200 User’s Guide...
  • Page 28 Slide the LAN Module into the empty module bay, gently but firmly pressing it into the NXC’s logic board until you feel it snap into place. Secure the newly installed LAN Module with the screw you removed in step 1. NXC5200 User’s Guide...
  • Page 29: Front And Back Panels

    100 Mbps and full duplex only at 1000 Mbps. An auto-negotiating port can detect and adjust to the optimum Ethernet speed (100/1000 Mbps) and duplex mode (full duplex or half duplex) of the connected device. NXC5200 User’s Guide...
  • Page 30: Optional Fiber Ports

    NXC’s expansion bay. Next, an additional fiber connection is established between the NXC and a downstream fiber-based Power over Ethernet (PoE) capable of converting Fiber-to-Ethernet data packets (such as the ZyXEL MC1000- SFP-FP). Finally, you connect your AP to the edge switch using an Ethernet cable.
  • Page 31: Front Panel Leds

    1.4 Management Overview You can use the following ways to manage the NXC. Web Configurator The Web Configurator allows easy NXC setup and management using an Internet browser. This User’s Guide provides information about the Web Configurator. NXC5200 User’s Guide...
  • Page 32: Starting And Stopping The Nxc

    The NXC writes all cached data to the local storage, stops the system processes, and then does a warm start. Using the RESET button: If you press the RESET button, the NXC sets the configuration to its default values and then reboots. NXC5200 User’s Guide...
  • Page 33 It does not stop the system processes or write cached data to local storage. The NXC does not stop or start the system processes when you apply configuration files or run shell scripts although you may temporarily lose access to network resources. NXC5200 User’s Guide...
  • Page 34 Chapter 1 Introduction NXC5200 User’s Guide...
  • Page 35: Features And Applications

    Many security settings are applied by zone, not by interface, port, or network. As a result, it is much simpler to set up and to change security settings in the NXC. You can create your own custom zones. NXC5200 User’s Guide...
  • Page 36 Application patrol manages instant messenger and peer-to-peer applications like MSN and BitTorrent. You can even control the use of a particular application’s individual features (like text messaging, voice, video conferencing, and file transfers). Application patrol has powerful bandwidth management including NXC5200 User’s Guide...
  • Page 37: Applications

    WPA encryption from all wireless clients attempting to associate with them. Furthermore, you can protect your network by monitoring for rogue APs. Rogue APs are wireless access points operating in a network’s coverage area that are not NXC5200 User’s Guide...
  • Page 38: Captive Portal

    2.2.5 Dynamic Channel Selection The NXC can automatically select the radio channel upon which its APs broadcast by scanning the area around those APs and determining what channels are currently being used by other devices not connected to the network. NXC5200 User’s Guide...
  • Page 39: User-Aware Access Control

    2.2.7 Device HA Set one NXC as the master device and an additional NXC as a backup device to ensure that one is always available for the network. NXC5200 User’s Guide...
  • Page 40 Chapter 2 Features and Applications NXC5200 User’s Guide...
  • Page 41: The Web Configurator

    • Enable Java permissions (enabled by default) • Enable cookies The recommended screen resolution is 1024 x 768 pixels and higher. 3.2 Access Make sure your NXC hardware is properly connected. See the Quick Start Guide. Browse to https://192.168.1.1. The Login screen appears. NXC5200 User’s Guide...
  • Page 42 Update Admin Info screen appears. Otherwise, the dashboard appears. This screen appears every time you log in using the default user name and default password. If you change the password for the default user account, this screen does not appear anymore. NXC5200 User’s Guide...
  • Page 43: The Main Screen

    Chapter 3 The Web Configurator 3.3 The Main Screen The Web Configurator’s main screen is divided into these parts: Figure 9 The Web Configurator’s Main Screen • A - Title Bar • B - Navigation Panel • C - Main Window NXC5200 User’s Guide...
  • Page 44: Title Bar

    Click the arrow in the middle of the right edge of the navigation panel to hide the navigation panel menus or drag it to resize them. The following sections introduce the NXC’s navigation panel menus and their screens. Figure 11 Navigation Panel NXC5200 User’s Guide...
  • Page 45 NXC has detected. Collects and displays statistics on the intrusions that the NXC has detected. View Log Lists log entries for the NXC. View AP Allows you to query connected APs and view log entries for them. NXC5200 User’s Guide...
  • Page 46: Configuration Menu

    Configure ranges of IP addresses to which the NXC does not apply IP/MAC binding. Captive Portal Captive Portal Assign the captive portal web page to various network services. Login Page Assign and customize the login page users see when they hit the captive portal. NXC5200 User’s Guide...
  • Page 47 AP Profile Radio Create and manage wireless radio settings files that can be associated with different APs. SSID Create and manage wireless SSID, security, and MAC filtering settings files that can be associated with different APs. NXC5200 User’s Guide...
  • Page 48 Language: Select the Web Configurator language. Log & Report: Email Daily Report: Configure where and how to send daily reports and what reports to send. Log Setting: Configure the system log, e-mail logs, and remote syslog servers. NXC5200 User’s Guide...
  • Page 49: Warning Messages

    Capture wireless frames from APs for analysis. Capture Reboot Restart the NXC. Shutdown Turn off the NXC. 3.3.3 Warning Messages Warning messages, such as those resulting from misconfiguration, display in a popup window. Figure 12 Warning Message NXC5200 User’s Guide...
  • Page 50: Site Map

    Refresh to show which configuration settings reference the object. The following example shows which configuration settings reference the ldap-users user object (in this case the first firewall rule). Figure 14 Object Reference NXC5200 User’s Guide...
  • Page 51 Click CLI to look at the CLI commands sent by the Web Configurator. These commands appear in a popup window, such as the following. Figure 15 CLI Messages Click Clear to remove the currently displayed information. Note: See the Command Reference Guide for information about the commands. NXC5200 User’s Guide...
  • Page 52 If you are logged into the NXC, see the CLI Reference Guide for details on using the command line to configure it. Device IP Address This is the IP address of the device that you are currently logged into. NXC5200 User’s Guide...
  • Page 53 NXC. • Your web browser allows Java programs. • You are using the latest version of the Java program (http://www.java.com). To log in through the Console: Click the Console button on the Web Configurator title bar. NXC5200 User’s Guide...
  • Page 54 Next, enter the User Name of the account being used to log into your target device and then click OK. You may be prompted to authenticate your account password, depending on the type of device that you are logging into. Enter the password and click OK. NXC5200 User’s Guide...
  • Page 55: Tables And Lists

    The options available vary depending on the type of fields in the column. Here are some examples of what you can do: • Sort in ascending alphabetical order • Sort in descending (reverse) alphabetical order • Select which columns to display • Group entries by field NXC5200 User’s Guide...
  • Page 56 Select a column heading cell’s right border and drag to re-size the column. Select a column heading and drag and drop it to change the column order. A green check mark displays next to the column’s title when you drag the column to a valid new location. NXC5200 User’s Guide...
  • Page 57 To remove an entry, select it and click Remove. The NXC confirms you want to remove it before doing so. Activate To turn on an entry, select it and click Activate. Inactivate To turn off an entry, select it and click Inactivate. NXC5200 User’s Guide...
  • Page 58 In some lists you can also use the [Shift] or [Ctrl] key to select multiple entries, and then use the arrow button to move them to the other list. Figure 17 Working with Lists NXC5200 User’s Guide...
  • Page 59: Configuration Basics

    If you are in a screen that uses objects, you can also usually select Create new Object to be able to configure a new object. Use the Object Reference screen to see what objects are configured and which configuration settings reference specific objects. NXC5200 User’s Guide...
  • Page 60: Zones, Interfaces, And Physical Ports

    • VLAN interfaces recognize tagged frames. The NXC automatically adds or removes the tags as needed. Each VLAN can only be associated with one Ethernet interface. Note: By default, all Ethernet interfaces are placed into vlan0, allowing the NXC to function as a bridge device. NXC5200 User’s Guide...
  • Page 61: Example Interface And Zone Configuration

    These APs use private IP addresses that can be assigned by an upstream DHCP server (default) or the NXC itself in some configurations. • The console port is not in a zone and can be directly accessed by a computer attached to it using a special console-to-Ethernet adapter. NXC5200 User’s Guide...
  • Page 62: Feature Configuration Overview

    4.4.2 Licensing Registration Use these screens to register your NXC and subscribe to services like anti-virus, IDP and application patrol. You must have Internet access to myZyXEL.com. MENU ITEM(S): Configuration > Licensing > Registration. PREREQUISITES: Internet access to myZyXEL.com. NXC5200 User’s Guide...
  • Page 63: Licensing Update

    MENU ITEM(S): Configuration > Network > Routing > Policy Routes. PREREQUISITES: Criteria: users, user groups, interfaces (incoming), addresses (source, destination), address groups (source, destination), schedules, services, service groups; Next-hop: addresses (HOST gateway), interfaces; NAT: addresses (translated address), services and service groups (port triggering). NXC5200 User’s Guide...
  • Page 64: Static Routes

    PREREQUISITES: Interfaces, addresses (HOST). 4.4.10 ALG The NXC’s Application Layer Gateway (ALG) allows VoIP and FTP applications to go through NAT on the NXC. You can also specify additional signaling port numbers. MENU ITEM(S): Configuration > Network > ALG. NXC5200 User’s Guide...
  • Page 65: Captive Portal

    Use anti-virus to detect and take action on viruses. You must subscribe to use anti-virus. You can subscribe using the Licensing > Registration screens or one of the wizards. MENU ITEM(S): Configuration > Anti-X > Anti-Virus. PREREQUISITES: Registration, zones. NXC5200 User’s Guide...
  • Page 66: Idp

    OBJECT / WHERE USED: user/group: See the User/Group section on page 67 for details. ap profile: See the AP Profile section on page 67 for details. mon profile: See the MON Profile section on page 68 for details. NXC5200 User’s Guide...
  • Page 67: User/Group

    Create radio profiles for the APs on your network. SSID Create SSID profiles for the APs on your network. Security Create security profiles for the APs on your network. MAC Filtering Create MAC filtering profiles for the APs on your network. NXC5200 User’s Guide...
  • Page 68: Mon Profile

    The NXC provides a system log, offers two e-mail profiles to which to send log messages, and sends information to four syslog servers. It can also e-mail you statistical reports on a daily basis. MENU ITEM(S): Configuration > Log & Report. NXC5200 User’s Guide...
  • Page 69: File Manager

    Use this to shut down the device in preparation for disconnecting the power. Always use Maintenance > Shutdown > Shutdown or the shutdown command before you turn off the NXC or remove the power. Not doing so can cause the firmware to become corrupt. MENU ITEM(S): Maintenance > Shutdown. NXC5200 User’s Guide...
  • Page 70 Chapter 4 Configuration Basics NXC5200 User’s Guide...
  • Page 71: Chapter 5 Tutorials

    Web Configurator, as well as an understanding of networking concepts and topology design. The default login information for the NXC’s Web Configurator is: Table 18 NXC Default Login Information (columns: LOGIN, VALUE, SEE ALSO): IP Address: 192.168.1.1 (see also Chapter 3 on page); User Name: admin; Password: 1234. NXC5200 User’s Guide...
  • Page 72: Sample Network Setup

    Note: In this topology, vlan 199 is managed by the router responsible for the upstream portion of the network, such as a ZyWALL. The following VLAN settings are used in this tutorial: Table 19 Tutorial Topology Summary (columns: VLAN, VLAN ID, IP ADDRESS): Management: 10.10.99.10/24; Staff: 10.1.101.254/24; Guest: 10.1.102.254/24. NXC5200 User’s Guide...
  • Page 73: Tutorial Tasks

    Create the AP Profiles (staff, guest) Chapter 25 on page 387 Create the Guest User Account Chapter 24 on page 373 Configure the Captive Portal Settings Chapter 17 on page 239 Configure the Guest Firewall Rules Chapter 18 on page 249 NXC5200 User’s Guide...
  • Page 74: Set The Management Vlan (Vlan99)

    The Add VLAN window opens. Enable Interface: Select this to enable this interface. Interface Name: Enter ‘vlan99’. VID: Enter ‘99’ as the VLAN ID tag. Under Member Configuration, set the ge1 Member status to Yes and TX Tagging to Yes. NXC5200 User’s Guide...
  • Page 75: Set The Other Vlans (Vlan101, Vlan102)

    Note: You will use this procedure twice: once for VLAN 101 and the other time for VLAN 102. VLAN 101 is presented first, while VLAN 102 is presented second. For VLAN 101: Open the Configuration > Network > Interface > VLAN screen then click the Add button. NXC5200 User’s Guide...
  • Page 76 For VLAN 102: Open the Configuration > Network > Interface > VLAN screen then click the Add button. The Add VLAN window opens. Enable Interface: Select this to enable this interface. Interface Name: Enter ‘vlan102’. VID: Enter ‘102’ as the VLAN ID tag. NXC5200 User’s Guide...
  • Page 77: Configure The Aaa Object

    This section shows you how to set up the AAA (Authentication, Authorization, Accounting) server settings to allow registered users to log into the network through the staff SSID. Open the Configuration > Object > AAA Server > Active Directory screen and then click the Add button. NXC5200 User’s Guide...
  • Page 78 ‘cn=Users,dc=zyxel,dc=test’. Under Server Authentication, enter a Bind DN that has privileges on your AD server. In this tutorial, use ‘zyxel’. Password: Enter the password for the Bind DN that has privileges on your AD server. In this tutorial, use ‘1234’.
  • Page 79: Configure The Auth. Method Objects (Staff, Guest)

    Click the rule to expand the list of available AAA server profiles and then select group AD-1. This is the AAA server profile created in Section 5.2.4 on page Click OK to save these settings. To create a guest authentication object, repeat steps 1-3 but with the following guest settings instead: NXC5200 User’s Guide...
  • Page 80: Create The Ap Profiles (Staff, Guest)

    Finally, you will associate them with a radio profile which is linked to your AP’s radio transmitter. Open the Configuration > Object > AP Profile > SSID > Security List screen and then click the Add button. The Add Security Profile window opens. Profile Name: Enter ‘wap2’. NXC5200 User’s Guide...
  • Page 81 Security Profile: Select wap2 from the list. This is the security profile created in Step 1a. QoS: Select WMM. Forwarding Mode: Select Tunnel from the list. VLAN Interface: Select vlan101 from the list, which you created in Section 5.2.3 on page NXC5200 User’s Guide...
  • Page 82 VLAN Interface: Select vlan102 from the list. Open the Configuration > Object> AP Profile > Radio screen and then click the Add button. The Add Radio Profile window opens. Activate: Select this to make the radio profile active. Profile Name: Enter ‘nxc5200’. NXC5200 User’s Guide...
  • Page 83: Create The Guest User Account

    This section shows you how to create a guest user account. Guest users should log into the network with the following user name and password: guest1 / guest1. Open the Configuration > Object > User/Group > User screen and click the Add button. The Add A User window opens. NXC5200 User’s Guide...
  • Page 84: Configure The Captive Portal Settings

    SSIDs; only those assigned to the feature. Authentication Method: Select guest from the list. This is the Auth. Method profile that you created in Section 5.2.5 on page Under Authentication Policy Summary, click the Add button. NXC5200 User’s Guide...
  • Page 85: Configure The Guest Firewall Rules

    Finally, configure the firewall rules required for regulating how guest users can use the network. There are 5 firewall rules that you will need to configure: Table 21 Tutorial Firewall Rules (columns: RULE, USER, SERVICE, ACCESS): guest1, deny; guest1, DNS_UDP, allow; guest1, DNS_TCP, allow; guest1, HTTP, allow; guest1, HTTPS, allow. NXC5200 User’s Guide...
  • Page 86 Chapter 5 Tutorials Open the Configuration > Firewall screen. For each rule, click the Add button to open the Add Firewall Rule window. Enter the settings for the specific firewall rule described in Table 21 on page NXC5200 User’s Guide...
  • Page 87: Blocking Network Protocols

    This section shows you how to configure the WLAN zone, which is necessary for implementing the firewall rules and Application Patrol rules. Open the Configuration > Network > Zone screen. Select WLAN from the User Configuration table and click the Edit button. NXC5200 User’s Guide...
  • Page 88: Configuring The Firewall

    Click OK to save these settings. See Also: Chapter 13 on page 213. 5.3.2 Configuring the Firewall This section shows you how to configure the firewall to block certain network protocols, such as AIM. Click Configuration > Firewall. NXC5200 User’s Guide...
  • Page 89 Service: Select AIM from the list. Access: Select reject from this list to block the service. Click OK to save your changes. See Also: Chapter 18 on page 249. NXC5200 User’s Guide...
  • Page 90: Blocking Sub-Protocols

    This tutorial shows you how to do that with the NXC’s Application Patrol feature. Click Configuration > App Patrol > IM. In the Configuration table, select aol-icq then click Edit. NXC5200 User’s Guide...
  • Page 91 Action Block: Select Video and File Transfer. This limits the restriction only to video chat and file transfer requests. Click OK to save your changes. See Also: Chapter 19 on page 265. NXC5200 User’s Guide...
  • Page 92: Rogue Ap Detection

    In this example, an employee illicitly connects his own AP (RG) to the network that the NXC manages. While not necessarily a malicious act, it can nonetheless have severe security consequences on the network. Figure 22 Rogue AP Example A NXC5200 User’s Guide...
  • Page 93 NXC-controlled SSID in order to capture passwords and other information when authorized wireless clients mistakenly connect to it. Figure 23 Rogue AP Example B This tutorial shows you how to detect rogue APs on your network: Click Configuration > Object > MON Profile. NXC5200 User’s Guide...
  • Page 94 AP scans each channel before moving on to the next. Scan Channel Mode: Set this to auto to automatically scan channels in the area. Click OK to save your changes. Next, click Configuration > Wireless > AP Management. NXC5200 User’s Guide...
  • Page 95 Radio 1 OP Mode: Set this to MON Mode to turn the AP into a rogue AP monitoring device. Radio 1 Profile: Select your newly created ‘Monitor01’ profile from the list. Click OK to save your changes. See also: Chapter 7 on page 115 Chapter 26 on page 401. NXC5200 User’s Guide...
  • Page 96: Rogue Ap Containment

    NXC can interfere with it by broadcasting dummy packets so that it cannot make connections with employee clients and capture data from them. Figure 24 Containing a Rogue AP This tutorial shows you how to quarantine a rogue AP on your network: Click Configuration > Wireless > MON Mode. NXC5200 User’s Guide...
  • Page 97: Load Balancing

    The second response is to kick the connections until the AP is no longer considered overloaded. Both of these tactics are known as ‘load balancing’. This tutorial shows you how to configure the NXC’s load balancing feature. NXC5200 User’s Guide...
  • Page 98: Dynamic Channel Selection

    AP is using (or at least a channel that has a lower level of interference) in order to give the connected stations a minimum degree of channel interference. NXC5200 User’s Guide...
  • Page 99 Select a 2.4 GHz Channel Deployment scheme. Choose Three-Channel Deployment to have the device rotate through 3 channels. Choose Four- Channel Deployment to have the device rotate through 4 channels, if allowed. Click Apply to save your changes. See also: Chapter 10 on page 163. NXC5200 User’s Guide...
  • Page 100 Chapter 5 Tutorials NXC5200 User’s Guide...
  • Page 101: Part Ii: Technical Reference

    Technical Reference...
  • Page 103: Chapter 6 Dashboard

    112) displays the IP addresses currently assigned to DHCP clients and the IP addresses reserved for specific MAC addresses. • The Current Users screen (Section 6.2.5 on page 113) displays the users currently logged into the NXC. NXC5200 User’s Guide...
  • Page 104: Dashboard

    Use this link to re-open closed widgets. Widgets that are already open appear grayed out. Up Arrow (B) Click this to collapse a widget. Refresh Time Set the interval for refreshing the information displayed in the widget. Setting (C) NXC5200 User’s Guide...
  • Page 105 This field displays what percentage of the NXC’s processing capability is currently being used. Hover your cursor over this field to display the Show CPU Usage icon that takes you to a chart of the NXC’s recent CPU usage. NXC5200 User’s Guide...
  • Page 106 If this interface is a member of an active virtual router, this field displays the IP address it is currently using. This is either the static IP address of the interface (if it is the master) or the management IP address (if it is a backup). NXC5200 User’s Guide...
  • Page 107 This section displays a summary for all connected wireless APs. Online This displays the number of currently connected management APs. Management Offline This displays the number of currently offline managed APs. Management This displays the number of non-managed APs. Management NXC5200 User’s Guide...
  • Page 108 This column displays when you display the entries by Signature Name. It shows the categories of intrusions. Severity This is the level of threat that the intrusions may pose. Occurrence This is how many times the NXC has detected the event described in the entry. NXC5200 User’s Guide...
  • Page 109: Cpu Usage

    The x-axis shows the time period over which the CPU usage occurred. Refresh Interval: Enter how often you want this window to be automatically updated. Refresh Now: Click this to update the information in the window right away. NXC5200 User’s Guide...
  • Page 110: Memory Usage

    The x-axis shows the time period over which the RAM usage occurred. Refresh Interval: Enter how often you want this window to be automatically updated. Refresh Now: Click this to update the information in the window right away. NXC5200 User’s Guide...
  • Page 111: Session Usage

    The x-axis shows the time period over which the session usage occurred. Refresh Interval: Enter how often you want this window to be automatically updated. Refresh Now: Click this to update the information in the window right away. NXC5200 User’s Guide...
  • Page 112: Dhcp Table

    This field displays the MAC address to which the IP address is currently assigned or for which the IP address is reserved. Click the column’s heading cell to sort the table entries by MAC address. Click the heading cell again to reverse the sort order. NXC5200 User’s Guide...
  • Page 113: Number Of Login Users

    This field displays the way the user logged in to the NXC. IP address This field displays the IP address of the computer used to log in to the NXC. Force Logout Click this icon to end a user’s session. NXC5200 User’s Guide...
  • Page 115: Chapter 7 Monitor

    • The AppPatrol Statistics screen (Section 7.13 on page 135) displays a bandwidth usage graph and statistics for each protocol. • The Anti-Virus screen (Section 7.14 on page 139) starts or stops data collection and displays virus statistics. NXC5200 User’s Guide...
  • Page 116: What You Need To Know

    Friendly APs are other wireless access points that are detected in your network, as well as any others that you know are not a threat (those from neighboring networks, for example). See Chapter 26 on page 401 for details. NXC5200 User’s Guide...
  • Page 117: Port Statistics

    This field displays the number of packets received by the NXC on the physical port since it was last connected. Collisions This field displays the number of collisions on the physical port since it was last connected. NXC5200 User’s Guide...
  • Page 118: Port Statistics Graph

    Enter how often you want this window to be automatically updated. Interval Refresh Now Click this to update the information in the window right away. Port Selection Select the number of the physical port for which you want to display graphics. NXC5200 User’s Guide...
  • Page 119: Interface Status

    7.4 Interface Status This screen lists all of the NXC’s interfaces and gives packet statistics for them. Click Monitor > System Status > Interface Status to access this screen. Figure 33 Monitor > System Status > Interface Status NXC5200 User’s Guide...
  • Page 120 Renew to send a new DHCP request to a DHCP server. Click Connect to try to connect the interface. If the interface cannot use one of these ways to get or to update its IP address, this field displays n/a. NXC5200 User’s Guide...
  • Page 121: Traffic Statistics

    NXC counts HTTP GET packets. • Most-used protocols or service ports and the amount of traffic on each one • LAN IP with heaviest traffic and how much traffic has been sent to and from each one NXC5200 User’s Guide...
  • Page 122 Web Site Hits - displays the most-visited Web sites and how many times each one has been visited. Each type of report has different information in the report (below). Refresh Click this button to update the report display. NXC5200 User’s Guide...
  • Page 123 Table 32 on page 124. These fields are available when the Traffic Type is Web Site Hits. This field is the rank of each record. The domain names are sorted by the number of hits. NXC5200 User’s Guide...
  • Page 124: Session Monitor

    You can look at all the active sessions by user, service, source IP address, or destination IP address. You can also filter the information by user, protocol / service or service group, source address, and/or destination address and view it by user. NXC5200 User’s Guide...
  • Page 125 The NXC identifies the service by comparing the protocol and destination port of each packet to the protocol and port of each service that is defined. (See Chapter 28 on page 413 for more information about services.) NXC5200 User’s Guide...
  • Page 126 This field displays the amount of information received by the source in the active session. This field displays the amount of information transmitted by the source in the active session. Duration This field displays the length of the active session in seconds. NXC5200 User’s Guide...
  • Page 127: Ip/Mac Binding Monitor

    This field displays the MAC address to which the IP address is currently assigned. Last Access This is when the device last established a session with the NXC through this interface. Refresh Click this button to update the information in the screen. NXC5200 User’s Guide...
  • Page 128: Login Users

    This field displays the IP address of the computer used to log in to the NXC. Force Logout Click this icon to end a user’s session. Refresh Click this button to update the information in the screen. NXC5200 User’s Guide...
  • Page 129: Ap List

    The following table describes the icons in this screen. Table 37 Monitor > Wireless > AP List Icons LABEL DESCRIPTION This is an AP that is not on the management list. This is an AP that is on the management list and which is online. NXC5200 User’s Guide...
  • Page 130: Station Count Of Ap

    Use this screen to look at station statistics for the connected AP. To access this screen, click the More Information button in the AP List screen. Figure 39 Monitor > System Status > AP List > Station Count of AP NXC5200 User’s Guide...
  • Page 131: Radio List

    This indicates the wireless frequency currently being used by the radio. Channel ID This indicates the radio’s channel ID. Rx PKT This displays the total number of packets received by the radio. Tx PKT This displays the total number of packets transmitted by the radio. NXC5200 User’s Guide...
  • Page 132: Ap Mode Radio Information

    24 hours. To access this window, click the More Information button in the Radio List Statistics screen. Figure 41 Monitor > Wireless > AP Info > Radio List > AP Mode Radio Information NXC5200 User’s Guide...
  • Page 133: Station List

    Click this to close this window. 7.11 Station List Use this screen to view statistics pertaining to the associated stations (or “wireless clients”). Click Monitor > Wireless > Station Info to access this screen. Figure 42 Monitor > Wireless > Station List NXC5200 User’s Guide...
  • Page 134: Detected Device

    Friendly AP Click this button to mark the selected AP as a friendly AP. For more on managing friendly APs, see the Configuration > Wireless > MON Mode screen (Chapter 10 on page 163). This is the station’s index number in this list. NXC5200 User’s Guide...
  • Page 135: Application Patrol

    Click Monitor > AppPatrol Statistics to open the following screens. 7.13.1 Application Patrol: General Settings Use the top of the Monitor > AppPatrol Statistics screen to configure what to display. Figure 44 Monitor > AppPatrol Statistics: General Settings NXC5200 User’s Guide...
  • Page 136: Application Patrol: Bandwidth Statistics

    • The x-axis shows the time period over which the bandwidth usage occurred. • A solid line represents a protocol’s incoming bandwidth usage. This is the protocol’s traffic that the NXC sends to the initiator of the connection. NXC5200 User’s Guide...
  • Page 137: Application Patrol: Protocol Statistics

    This is how much of the application’s traffic the NXC has discarded and notified the client that the traffic was rejected (in kilobytes). This traffic was rejected because it matched an application policy set to “reject”. NXC5200 User’s Guide...
  • Page 138: Application Patrol: Protocol Statistics By Rule

    LAN to the WAN, the traffic sent from the LAN to the WAN is the outbound traffic. Forwarded Data (KB) This is how much of the application’s traffic the NXC has sent (in kilobytes). NXC5200 User’s Guide...
  • Page 139: Anti-Virus

    Reset Click Reset to return the screen to its last-saved settings. Refresh Click this button to update the report display. Flush Data Click this button to discard all of the screen’s statistics and update the report display. NXC5200 User’s Guide...
  • Page 140 The statistics display as follows when you display the top entries by source. Figure 49 Monitor > Anti-X Statistics > Anti-Virus: Source IP The statistics display as follows when you display the top entries by destination. Figure 50 Monitor > Anti-X Statistics > Anti-Virus: Destination IP NXC5200 User’s Guide...
  • Page 141: Idp

    NXC has dropped. Total Packet Reset The NXC can detect and drop malicious packets from network traffic. This field displays the number of packets that the NXC has reset. NXC5200 User’s Guide...
  • Page 142 The statistics display as follows when you display the top entries by source. Figure 52 Monitor > Anti-X Statistics > IDP: Source The statistics display as follows when you display the top entries by destination. Figure 53 Monitor > Anti-X Statistics > IDP: Destination NXC5200 User’s Guide...
  • Page 143: View Log

    Events that generate an alert (as well as a log message) display in red. Regular logs display in black. Click a column’s heading cell to sort the table entries by that column’s criteria. Click the heading cell again to reverse the sort order. Figure 54 Monitor > View Log NXC5200 User’s Guide...
  • Page 144 Click this button to clear the whole log, regardless of what is currently displayed on the screen. This field is a sequential value, and it is not associated with a specific log message. Time This field displays the time the log message was recorded. NXC5200 User’s Guide...
  • Page 145 This field displays the destination IP address and the port number of the event that generated the log message. Note This field displays any additional information about the log message. The Web Configurator saves the filter settings if you leave the View Log screen and return to it later. NXC5200 User’s Guide...
  • Page 146: View Ap Log

    - Indicates the query has not been initialized. querying - Indicates the query is in process. fail - Indicates the query failed. success - Indicates the query succeeded. AP Information This displays the MAC address for the selected AP. NXC5200 User’s Guide...
  • Page 147 Click this to clear the log on the specified AP. This field is a sequential value, and it is not associated with a specific log message. Time This indicates the time that the log message was created or recorded on the AP. NXC5200 User’s Guide...
  • Page 148 This displays content of the selected log message. Source This displays the source IP address of the selected log message. Destination This displays the source IP address of the selected log message. Note This displays any notes associated with the selected log message. NXC5200 User’s Guide...
  • Page 151: Chapter 8 Registration

    This section introduces the topics covered in this chapter. myZyXEL.com myZyXEL.com is ZyXEL’s online services center where you can register your NXC and manage subscription services available for the NXC. To update signature files or use a subscription service, you have to register the NXC and activate the corresponding service at myZyXEL.com (through the NXC).
  • Page 152 • After the trial expires, you need to purchase an iCard for the anti-virus engine you want to use and enter the PIN number (license key) in the Registration > Service screen. You must use the ZyXEL anti-virus iCard for the ZyXEL anti-virus engine and the Kaspersky anti-virus iCard for the Kaspersky anti-virus engine.
  • Page 153: Registration

    If you select existing myZyXEL.com account, only the User Name and Password fields are available. new myZyXEL.com account If you haven’t created an account at myZyXEL.com, select this option and configure the following fields to create an account and register your NXC. NXC5200 User’s Guide...
  • Page 154 The NXC’s anti-virus packet scanner uses the signature files on the Service NXC to detect virus files. Select ZyXEL’s anti-virus engine or the Kaspersky anti-virus engine. During the trial you can use these fields to change from one anti-virus engine to the other.
  • Page 155: Service

    To activate or extend a standard service subscription, purchase an iCard and enter the iCard’s PIN number (license key) in this screen. Click Configuration > Licensing > Registration > Service to open the screen as shown next. Figure 58 Configuration > Licensing > Registration > Service NXC5200 User’s Guide...
  • Page 156 (specific to your NXC) and enter the new PIN number to extend the service. Service License Refresh Click this button to renew service license information (such as the registration status and expiration day). NXC5200 User’s Guide...
  • Page 157: Chapter 9 Signature Update

    • Schedule signature updates for a day and time when your network is least busy to minimize disruption to your network. • Your custom signature configurations are not over-written when you download new signatures. Note: The NXC does not have to reboot when you upload new signatures. NXC5200 User’s Guide...
  • Page 158: Anti-Virus

    Information The following fields display information on the current signature set that the NXC is using. Anti-Virus Engine Type This field displays whether the NXC is set to use ZyXEL’s anti-virus engine or the one powered by Kaspersky. Upgrading the NXC to firmware version 2.11 and updating the anti-virus signatures automatically upgrades the ZyXEL anti-virus engine to v2.0.
  • Page 159: Idp/Apppatrol

    NXC periodically if you have subscribed for the IDP/AppPatrol signatures service. You need to create an account at myZyXEL.com, register your NXC and then subscribe for IDP service in order to be able to download new packet inspection NXC5200 User’s Guide...
  • Page 160 Auto Update Select this check box to have the NXC automatically check for new IDP signatures regularly at the time and day specified. You should select a time when your network is not busy for minimal interruption. NXC5200 User’s Guide...
  • Page 161: System Protect

    You do not need an IDP subscription to use the system-protection feature or to download updated system-protection signatures. Figure 61 Configuration > Licensing > Update > System Protect NXC5200 User’s Guide...
  • Page 162 Select this option to have the NXC check for new signatures once a week on the day and at the time specified. Apply Click this button to save your changes to the NXC. Reset Click this button to return the screen to its last-saved settings. NXC5200 User’s Guide...
  • Page 163: Chapter 10 Wireless

    Dynamic Channel Selection (DCS) is a feature that allows an AP to automatically select the radio channel upon which it broadcasts by scanning the area around it and determining what channels are currently being used by other devices. NXC5200 User’s Guide...
  • Page 164: Controller

    Certificate This certificate is required if the NXC is used as a RADIUS server for wireless 802.1x authentication (EAP-PEAP/TTLS/TLS). Apply Click Apply to save your changes back to the NXC. Reset Click Reset to return the screen to its last-saved settings. NXC5200 User’s Guide...
  • Page 165: Ap Management

    R1 Mode / Profile This field displays the AP or MON profile for Radio 1. Description This field displays the AP’s description, which you can configure by selecting the AP and clicking the Edit button. NXC5200 User’s Guide...
  • Page 166: Edit Ap List

    MON Mode means the AP monitors the broadcast area for other APs, then passes their information on to the NXC where it can be determined if those APs are friendly or rogue. If an AP is set to this mode it cannot receive connections from wireless clients. NXC5200 User’s Guide...
  • Page 167: Mon Mode

    Click Configuration > Wireless > MON Mode to access this screen. Figure 65 Configuration > Wireless > MON Mode NXC5200 User’s Guide...
  • Page 168 Click this button to export the current list of either rogue APs or friendly APs. Apply Click Apply to save your changes back to the NXC. Reset Click Reset to return the screen to its last-saved settings. NXC5200 User’s Guide...
  • Page 169: Add/Edit Rogue/Friendly List

    Role Select either Rogue AP or Friendly AP for the AP’s role. Apply Click Apply to save your changes back to the NXC. Reset Click Reset to return the screen to its last-saved settings. NXC5200 User’s Guide...
  • Page 170: Load Balancing

    Max Station Number Enter the threshold number of stations at which an AP begins load balancing its connections. Traffic Level Select the threshold traffic level at which the AP begins load balancing its connections (low, medium, high). NXC5200 User’s Guide...
  • Page 171: Disassociating And Delaying Connections

    AP cannot resume the connection. For example, here the AP has a balanced bandwidth allotment of 6 Mbps. If laptop R connects and it pushes the AP over its allotment, say to 7 Mbps, then the AP NXC5200 User’s Guide...
  • Page 172 NXC first looks to see which devices have been idle the longest, then starts kicking them in order of highest idle time. If no connections are idle, the next criterion the NXC analyzes is signal strength. Devices with the weakest signal strength are kicked first. NXC5200 User’s Guide...
  • Page 173: Dcs

    Note: Generally speaking, the higher the sensitivity level, the more frequently the AP switches channels. As a consequence, anyone connected to the AP will experience more frequent disconnects and reconnects unless you select Enable DCS Client Aware. NXC5200 User’s Guide...
  • Page 174: Technical Reference

    Dynamic channel selection frees the network administrator from this task by letting the AP do it automatically. The AP can scan the area around it looking for the channel with the least amount of interference. NXC5200 User’s Guide...
  • Page 175 AP, signal strength, activity, and so on. Finally, there is an alternative four channel scheme for ETSI, consisting of channels 1, 5, 9, 13. This offers significantly less overlap than the other one. Figure 73 An Alternative Four-Channel Deployment NXC5200 User’s Guide...
  • Page 176: Load Balancing

    AP has the bandwidth to spare. If too many people connect and the AP hits its bandwidth cap then all new connections must basically wait for their turn or get shunted to the nearest identical AP. NXC5200 User’s Guide...
  • Page 177: Chapter 11 Interfaces

    • An interface is bound to a physical port or another interface. • Many interfaces can share the same physical port. • An interface belongs to at most one zone. • Many interfaces can belong to the same zone. NXC5200 User’s Guide...
  • Page 178: Ethernet Summary

    The more routing information is exchanged, the more efficient the routers should be. However, the routers also generate more network traffic, and some routing protocols require a significant amount of configuration and management. NXC5200 User’s Guide...
  • Page 179 This field displays the interface’s subnet mask in dot decimal notation. PVID This field indicates the interface’s PVID. Apply Click Apply to save your changes back to the NXC. Reset Click Reset to return the screen to its last-saved settings. NXC5200 User’s Guide...
  • Page 180: Edit Ethernet

    DESCRIPTION Show / Hide Advanced Settings Click this button to display a greater or lesser number of configuration fields. General Settings Enable Interface Select this to enable this interface. Clear this to disable this interface. Interface Properties NXC5200 User’s Guide...
  • Page 181 This field is enabled if you select Use Fixed IP Address. Enter the subnet mask of this interface in dot decimal notation. The subnet mask indicates what part of the IP address is the same for all computers in the network. NXC5200 User’s Guide...
  • Page 182 Check Timeout Enter the number of seconds to wait for a response before the attempt is a failure. Check Fail Tolerance Enter the number of consecutive failures before the NXC stops routing through the gateway. Check Default Gateway Select this to use the default gateway for the connectivity check. NXC5200 User’s Guide...
  • Page 183 If this field is blank, the IP Pool Start Address must also be blank. In this case, the NXC can assign every IP address allowed by the interface’s IP address and subnet mask, except for the first address (network address), last address (broadcast address) and the interface’s IP address. NXC5200 User’s Guide...
  • Page 184 ()+/:=?!*#@$_%- characters, and it can be up to 60 characters long. MAC Address Setting Have the interface use either the factory assigned default MAC address, a manually specified MAC address, or clone the MAC address of another device or computer. NXC5200 User’s Guide...
  • Page 185: Object References

    When a configuration screen includes an Object References icon, select a configuration object and click Object References to open the Object References screen. This screen displays which configuration settings reference the selected object. The fields shown vary with the type of object. Figure 76 Object References NXC5200 User’s Guide...
  • Page 186: Vlan Interfaces

    VID cannot be changed. Figure 77 Example: Before VLAN In this example, there are two physical networks and three departments A, B, and C. The physical networks are connected to hubs, and the hubs are connected to the router. NXC5200 User’s Guide...
  • Page 187 In this example, the new switch handles the following types of traffic: • Inside VLAN 2. • Between the router and VLAN 1. • Between the router and VLAN 2. NXC5200 User’s Guide...
  • Page 188: Vlan Summary

    For VLAN interfaces, this field displays • the Ethernet interface on which the VLAN interface is created • the VLAN ID For virtual interfaces, this field is blank. Member This field indicates which zones the VLAN belongs to as a member. NXC5200 User’s Guide...
  • Page 189: Add/Edit Vlan

    Show / Hide Advanced Settings Click this button to display a greater or lesser number of configuration fields. General Settings Enable Interface Select this to turn this interface on. Clear this to disable this interface. Interface Properties NXC5200 User’s Guide...
  • Page 190 The lower the number, the higher the priority. If two or more gateways have the same priority, the NXC uses the one that was configured first. Related Setting NXC5200 User’s Guide...
  • Page 191 If this field is blank, the Pool Size must also be blank. In this case, the NXC can assign every IP address allowed by the interface’s IP address and subnet mask, except for the first address (network address), last address (broadcast address) and the interface’s IP address. NXC5200 User’s Guide...
  • Page 192 Select an entry and click this to be able to modify it. Remove Select an entry and click this to delete it. This field is a sequential value, and it is not associated with a specific entry. NXC5200 User’s Guide...
  • Page 193: Technical Reference

    Specify the port number to use for a TCP connectivity check. Click OK to save your changes back to the NXC. Cancel Click Cancel to exit this screen without saving. 11.4 Technical Reference The following section contains additional technical information about the features described in this chapter. NXC5200 User’s Guide...
  • Page 194 If the interface gets its IP address and subnet mask from a DHCP server, the DHCP server also specifies the gateway, if any. Interface Parameters The NXC restricts the amount of traffic into and out of the NXC through each interface. NXC5200 User’s Guide...
  • Page 195 DHCP requests to all of them. It is possible for an interface to be a DHCP relay and a DHCP client simultaneously. As a DHCP server, the interface provides the following information to DHCP clients. At the time of writing, the NXC does not support ingress bandwidth management. NXC5200 User’s Guide...
  • Page 196 IP address. In this way WINS is similar to DNS, although WINS does not use a hierarchy (unlike DNS). A network can have more than one WINS server. Samba can also serve as a WINS server. NXC5200 User’s Guide...
  • Page 197: Policy And Static Routes

    TCP and UDP traffic). You can also use policy routes to manage other types of traffic (like ICMP traffic). Note: Bandwidth management in policy routes has priority over application patrol bandwidth management. NXC5200 User’s Guide...
  • Page 198 In addition, applications do not have to request a particular service or give advanced notice of where the traffic is going. NXC5200 User’s Guide...
  • Page 199: Policy Route

    IP protocol (ICMP, UDP, TCP, etc.) and port. The actions that can be taken include: • Routing the packet to a different gateway or outgoing interface. • Limiting the amount of bandwidth available and setting a priority for traffic. NXC5200 User’s Guide...
  • Page 200 [ENTER] to move the rule to the number that you typed. The ordering of your rules is important as they are applied in order of their numbering. This is the number of an individual policy route. NXC5200 User’s Guide...
  • Page 201 This is the maximum bandwidth allotted to the policy. 0 means there is no bandwidth limitation for this route. Apply Click Apply to save your changes back to the NXC. Reset Click Reset to return the screen to its last-saved settings. NXC5200 User’s Guide...
  • Page 202: Add/Edit Policy Route

    Click this button to display a greater or lesser number of configuration Advanced fields. Settings Create new Use this to configure any new settings objects that you need to use in Object this screen. Configuration Enable Select this to activate the policy. NXC5200 User’s Guide...
  • Page 203 NXC send traffic that matches the policy route through the specified interface. Auto-Disable This field displays when you select Interface in the Type field. Select this to have the NXC automatically disable this policy route when the next-hop’s connection is down. NXC5200 User’s Guide...
  • Page 204 To move an entry to a different number in the list, click the Move icon. In the field that appears, specify the number to which you want to move the entry. This is the rule index number. NXC5200 User’s Guide...
  • Page 205 Do not select this if you want to reserve bandwidth for traffic that does not match any of the policy routes. Click OK to save your changes back to the NXC. Cancel Click Cancel to exit this screen without saving. NXC5200 User’s Guide...
  • Page 206: Static Route

    The gateway is a router or switch on the same segment as your NXC's interface(s). The gateway helps forward packets to their destinations. Metric This is the route’s priority among the NXC’s routes. The smaller the number, the higher priority the route has. NXC5200 User’s Guide...
  • Page 207: Static Route Setting

    The number need not be precise, but it must be 0~127. In practice, 2 or 3 is usually a good number. Click OK to save your changes back to the NXC. Cancel Click Cancel to exit this screen without saving. NXC5200 User’s Guide...
  • Page 208: Technical Reference

    Class 3 Class 4 Low Drop Precedence AF11 (10) AF21 (18) AF31 (26) AF41 (34) Medium Drop Precedence AF12 (12) AF22 (20) AF32 (28) AF42 (36) High Drop Precedence AF13 (14) AF23 (22) AF33 (30) AF43 (38) NXC5200 User’s Guide...
  • Page 209: Port Triggering

    Some services use a dedicated range of ports on the client side and a dedicated range of ports on the server side. With regular port forwarding, you set the port(s) and IP address to forward a service (coming in from the remote server) to a client NXC5200 User’s Guide...
  • Page 210 1 using the same port triggering rule as computer A unless they are using a different next hop (gateway or outgoing interface) from computer A or until the connection is closed or times out. Figure 85 Trigger Port Forwarding Example NXC5200 User’s Guide...
  • Page 211: Maximize Bandwidth Usage

    (as much as they require, if there is enough available bandwidth), and then to lower priority policy routes if there is still bandwidth available. The NXC distributes the available bandwidth equally among policy routes with the same priority level. NXC5200 User’s Guide...
  • Page 213: Chapter 13 Zones

    The NXC uses zones instead of interfaces in many security and policy settings, such as firewall rules and anti-virus. Zones cannot overlap. Each interface can be assigned to just one zone. Figure 86 Example: Zones NXC5200 User’s Guide...
  • Page 214: What You Can Do In This Chapter

    • Extra-zone traffic is traffic to or from any interface that is not assigned to a zone. • Some zone-based security and policy settings may apply to extra-zone traffic, especially if you can set the zone attribute in them to Any or All. See the specific feature for more information. NXC5200 User’s Guide...
  • Page 215: Zone

    This field displays the name of the zone. Block Intra-zone This field indicates whether or not the NXC blocks network traffic between members in the zone. Member This field displays the names of the interfaces that belong to each zone. NXC5200 User’s Guide...
  • Page 216: Add/Edit Zone

    Click OK to save your customized settings and exit this screen. Cancel Click Cancel to exit this screen without saving. NXC5200 User’s Guide...
  • Page 217: Chapter 14 Nat

    14.1.1 What You Can Do in this Chapter The NAT screens (see Section 14.2 on page 218) display and manage the list of NAT rules and see their configuration details. You can also create new NAT rules and edit or delete existing ones. NXC5200 User’s Guide...
  • Page 218: Nat Summary

    Mapped IP This field displays the new destination IP address for the packet. Protocol This field displays the service used by the packets for this NAT entry. It displays any if there is no restriction on the services. NXC5200 User’s Guide...
  • Page 219: Add/Edit Nat

    Table 78 Configuration > Network > NAT > Add/Edit LABEL DESCRIPTION Create new Object Use to configure any new settings objects that you need to use in this screen. Enable Rule Use this option to turn the NAT rule on or off. NXC5200 User’s Guide...
  • Page 220 User Defined field. HOST address - the drop-down box lists all the HOST address objects in the NXC. If you select one of them, this NAT rule supports the IP address specified by the address object. NXC5200 User’s Guide...
  • Page 221 IP address as the source address for the traffic it sends to the LAN server. If you do not enable NAT loopback, this NAT rule only applies to packets received on the rule’s specified incoming interface. NXC5200 User’s Guide...
  • Page 222: Technical Reference

    Suppose a NAT 1:1 rule maps a public IP address to the private IP address of a LAN SMTP e-mail server to give WAN users access. NAT loopback allows other users to also use the rule’s original IP to access the mail server. NXC5200 User’s Guide...
  • Page 223 The LAN SMTP server replies to the NXC’s LAN IP address and the NXC changes the source address to 1.1.1.1 before sending it to the LAN user. The return traffic’s source matches the original destination address (1.1.1.1). If the SMTP server NXC5200 User’s Guide...
  • Page 224 LAN user without the traffic going through NAT, the source would not match the original destination address which would cause the LAN user’s computer to shut down the session. Figure 94 LAN to LAN Return Traffic NXC5200 User’s Guide...
  • Page 225: Chapter 15 Alg

    The ALG feature is only needed for traffic that goes through the NXC’s NAT. 15.1.1 What You Can Do in this Chapter The ALG screen (Section 15.2 on page 228) configures the SIP, H.323, and FTP ALG settings. NXC5200 User’s Guide...
  • Page 226: What You Need To Know

    • The NXC can also apply bandwidth management to traffic that goes through the H.323 ALG. The following example shows H.323 signaling (1) and audio (2) sessions between H.323 devices A and B. Figure 96 H.323 ALG Example NXC5200 User’s Guide...
  • Page 227: Before You Begin

    WAN IP address. The policy routing lets the NXC correctly forward the return traffic for the calls initiated from the LAN IP addresses. 15.1.3 Before You Begin You must also configure the firewall and enable NAT in the NXC to allow sessions initiated from the WAN.
  • Page 228: ALG

    SIP ALG time outs. Note: If the NXC provides an ALG for a service, you must enable the ALG in order to use the application patrol on that service’s traffic. Figure 97 Configuration > Network > ALG
  • Page 229 If you are using a custom TCP port number (not 1720) for H.323 Port traffic, enter it here. Additional H.323 If you are also using H.323 on an additional TCP port number, enter it Signaling Port here. Transformations
  • Page 230: Technical Reference

    File Transfer Protocol (FTP) is an Internet file transfer service that operates on the Internet and over TCP/IP networks. A system running the FTP server accepts commands from a system running an FTP client. The service allows users to send commands to the server for uploading and downloading files.
  • Page 231 SIP handles telephone calls and can interface with traditional circuit-switched telephone networks. When you make a VoIP call using H.323 or SIP, the RTP (Real time Transport Protocol) is used to handle voice data transfer. See RFC 1889 for details on RTP.
  • Page 233: Chapter 16 IP/MAC Binding

    • The Summary and Edit screens (Section 16.2 on page 234) bind IP addresses to MAC addresses. • The Exempt List screen (Section 16.3 on page 238) configures ranges of IP addresses to which the NXC does not apply IP/MAC binding.
  • Page 234: What You Need To Know

    Click Configuration > Network > IP/MAC Binding to open the IP/MAC Binding Summary screen. This screen lists the total number of IP to MAC address bindings for devices connected to each supported interface. Figure 99 Configuration > Network > IP/MAC Binding > Summary
  • Page 235: Edit IP/MAC Binding

    16.2.1 Edit IP/MAC Binding Click Configuration > Network > IP/MAC Binding > Edit to open this screen. Use this screen to configure an interface’s IP to MAC address binding settings. Figure 100 Configuration > Network > IP/MAC Binding > Edit
  • Page 236 This is the MAC address of the device to which the NXC assigns the entry’s IP address. Description: This helps identify the entry. Click OK to save your changes back to the NXC. Cancel: Click Cancel to exit this screen without saving.
  • Page 237: Add/Edit Static DHCP Rule

    Enter up to 64 printable ASCII characters to help identify the entry. For example, you may want to list the computer’s owner. Click OK to save your changes back to the NXC. Cancel: Click Cancel to exit this screen without saving.
  • Page 238: IP/MAC Binding Exempt List

    Click the Add icon to add a new entry. Click the Remove icon to delete an entry. A window displays asking you to confirm that you want to delete it. Apply: Click Apply to save your changes back to the NXC.
  • Page 239: Chapter 17 Captive Portal

    Figure 103 Captive Portal Example The captive portal page only appears once per authentication session. Unless a user idles out or closes the connection, he or she generally will not see it again during the same session.
  • Page 240: What You Can Do In This Chapter

    Click Configuration > Captive Portal to access this screen. Note: You can configure the look and feel of the captive portal web page on the Login Page screen; see Section 17.3 on page 245 for details. Figure 104 Configuration > Captive Portal
  • Page 241 SSID Profile: This indicates the SSID profile to which a policy belongs. Source: This indicates the source IP address to be monitored by the policy. All traffic from the source IP has the policy applied to it.
  • Page 242: Add Exceptional Services

    Table 85 Configuration > Captive Portal > Add Exceptional Services. Available: This lists all available network services eligible for being excepted from captive portal interception. Member: This lists all network services currently assigned to the Exceptional Services table.
  • Page 243: Auth. Policy Add/Edit

    Select this to enable the new authentication policy. You can later edit the authentication policy and deselect it if you want to disable it. Description: Enter an optional description of the authentication policy. You can enter up to 60 characters.
  • Page 244 Select this option to redirect HTTP traffic to the login screen if the user has not logged in yet. Click OK to save your changes back to the NXC. Cancel: Click Cancel to exit this screen without saving.
  • Page 245: Login Page

    Use Customized Login Page: Select this to use a custom login page instead of the default one built into the NXC. Once this option is selected, the custom login page controls below become active.
  • Page 246 This section allows you to choose and upload a custom logo image for the customized login page. This corresponds to the “ZyXEL” logo image in the default page. File Path / Browse for the image file or enter the file path in the available input box, Browse / then click the Upload button to put it on the NXC.
  • Page 247 Figure 108 Login Page Customization: Title; Logo; Message (color of all text); Background; Note Message (last line of text). Figure 109 Access Page Customization: Logo; Title; Message (color of all text); Note Message (last line of text); Window Background.
  • Page 248 Your desired color should display in the preview screen on the right after you click in another field, click Apply, or press [ENTER]. If your desired color does not display, your browser may not support it. Try selecting another color.
  • Page 249: Chapter 18 Firewall

    (Section 18.2 on page 257) enable or disable the firewall and asymmetrical routes, and manage and configure firewall rules. • The Session Limit screens (Section 18.3 on page 262) limit the number of concurrent NAT/firewall sessions a client can use.
  • Page 250: What You Need To Know

    • The firewall allows only LAN, WAN computers to access or manage the NXC. • The NXC drops most packets from the WAN zone to the NXC itself, except for VRRP traffic for Device HA, and generates a log.
  • Page 251 To use a service, make sure both the firewall and application patrol allow the service’s packets to go through the NXC. The NXC checks the firewall rules before the application patrol rules for traffic going through the NXC.
  • Page 252: Firewall Rule Example Applications

    SOURCE DESTINATION SCHEDULE SERVICE ACTION Deny Allow • The first row blocks LAN access to the IRC service on the WAN. • The second row is the firewall’s default policy that allows all LAN to WAN traffic.
  • Page 253 Figure 112 Limited LAN to WAN IRC Traffic Example Your firewall would have the following configuration. Table 90 Limited LAN to WAN IRC Traffic Example 1 USER SOURCE DESTINATION SCHEDULE SERVICE ACTION 192.168.1.7 Allow Deny Allow
  • Page 254 The rule for the CEO must come before the rule that blocks all LAN to WAN IRC traffic. If the rule that blocks all LAN to WAN IRC traffic came first, the CEO’s IRC traffic would match that rule and the NXC would drop it and not check any other firewall rules.
  • Page 255: Firewall Rule Configuration Example

    The screen for configuring an address object opens. Configure it as follows and click OK. Click Create new Object > Service. Configure it as follows and click OK. Select From WLAN and To LAN1. Enter the name of the firewall rule.
  • Page 256: Asymmetrical Routes

    (not reset the connection). However, allowing asymmetrical routes may let traffic from the WAN go directly to the LAN without passing through the NXC. A better solution is to use virtual interfaces to put the NXC and the backup gateway...
  • Page 257: Firewall

    (implicit) rules to deny packet passage between the interfaces in the specified zone. • Besides configuring the firewall, you also need to configure NAT rules to allow computers on the WAN to access LAN devices.
  • Page 258 Note: Allowing asymmetrical routes may let traffic from the WAN go directly to the LAN without passing through the NXC. A better solution is to use virtual interfaces to put the NXC and the backup gateway on separate subnets.
  • Page 259 This is the user name or user group name to which this firewall rule applies. Source: This displays the source address object to which this firewall rule applies. Destination: This displays the destination address object to which this firewall rule applies.
  • Page 260: Add/Edit Firewall Screen

    For through-NXC rules, select the direction of travel of packets to which the rule applies. any means all interfaces. NXC means packets destined for the NXC itself. Description: Enter a descriptive name of up to 60 printable ASCII characters for the firewall rule. Spaces are allowed.
  • Page 261 Select whether to have the NXC generate a log (log), log and alert (log alert) or not (no) when the rule is matched. Click OK to save your customized settings and exit this screen. Cancel: Click Cancel to exit this screen without saving.
  • Page 262: Session Limit

    Double-click an entry or select it and click Edit to open a screen where you can modify the entry’s settings. Remove: To remove an entry, select it and click Remove. The NXC confirms you want to remove it before doing so.
  • Page 263: Add/Edit Session Limit

    Table 95 Configuration > Firewall > Session Limit > Add/Edit. Create new Object: Use to configure any new settings objects that you need to use in this screen. Enable Rule: Select this check box to turn on this session limit rule.
  • Page 264 For this rule’s users and addresses, this setting overrides the Default Session per Host setting in the general Firewall Session Limit screen. Click OK to save your customized settings and exit this screen. Cancel: Click Cancel to exit this screen without saving.
  • Page 265: Chapter 19 Application Patrol

    281) control what the NXC does when it does not recognize the application, and it identifies the conditions that refine this. It also lets you open the Other Configuration Add/Edit screen to create new conditions or edit existing ones.
  • Page 266: What You Need To Know

    The second approach is called service ports. The NXC uses only OSI level-4 information, such as ports, to identify what application is using the connection. This approach is available in case the NXC identifies a lot of “false positives” for a particular application.
  • Page 267 UDP traffic. Use policy routes to manage other types of traffic (like ICMP). Note: Bandwidth management in policy routes has priority over application patrol bandwidth management. It is recommended to use application patrol instead of policy routes to manage the bandwidth of TCP and UDP traffic.
  • Page 268 • Then lower-priority traffic gets bandwidth. • The NXC uses a fairness-based (round-robin) scheduler to divide bandwidth among traffic flows with the same priority. • The NXC automatically treats traffic with bandwidth management disabled as priority 7 (the lowest priority).
  • Page 269 In the following table the configured rates total less than the available bandwidth and maximize bandwidth usage is disabled, both servers get their configured rate. Table 96 Configured Rate Effect POLICY CONFIGURED RATE MAX. B. U. PRIORITY ACTUAL RATE 300 kbps 300 kbps 200 kbps 200 kbps
  • Page 270 B gets almost no bandwidth with this configuration. Table 99 Priority and Over Allotment of Bandwidth Effect POLICY CONFIGURED RATE MAX. B. U. PRIORITY ACTUAL RATE 1000 kbps 999 kbps 1000 kbps 1 kbps
  • Page 271: Application Patrol Bandwidth Management Examples

    Up: 1 Mbps; Down: 8 Mbps. FTP: WAN to DMZ: Outbound: 100 Kbps; Inbound: 300 Kbps; Priority: 3; No Max. B. U. FTP: LAN to DMZ: Outbound: 50 Mbps; Inbound: 50 Mbps; Priority: 4; No Max. B. U.
  • Page 272 • Inbound traffic (to the LAN and DMZ from the WAN) is also limited to 200 kbps. The NXC applies this limit before sending the traffic to LAN or DMZ. • Highest priority (1). Set policies for other applications to lower priorities so the SIP traffic always gets the best treatment.
  • Page 273 HTTP traffic gets sent before non-SIP traffic. • Enable maximize bandwidth usage so the HTTP traffic can borrow unused bandwidth. Figure 121 HTTP Any to WAN Bandwidth Management Example Outbound: 200 kbps Inbound: 500 kbps
  • Page 274 ADSL device) so you limit both outbound and inbound traffic to 50 Mbps. • Fourth highest priority (4). • Disable maximize bandwidth usage since you do not want to give FTP more bandwidth. Figure 123 FTP LAN to DMZ Bandwidth Management Example Inbound: 50 Mbps Outbound: 50 Mbps
  • Page 275: Application Patrol Common Applications

    This field displays what the NXC does with packets for this application. Choices are: forward, drop, and reject. Apply: Click Apply to save your changes back to the NXC. Reset: Click Reset to return the screen to its last-saved settings.
  • Page 276: Edit Application

    This is available if the Classification is Service Ports. You can view and edit the list of ports used to identify this application. Click this to create a new entry. Edit: Select an entry and click this to be able to modify it.
  • Page 277 This is the source address or address group for whom this policy applies. If any displays, the policy is effective for every source. Destination: This is the destination address or address group for whom this policy applies. If any displays, the policy is effective for every destination.
  • Page 278 The NXC ignores this number if the incoming and outgoing limits are both set to 0. In this case the traffic is automatically treated as being set to the lowest priority (7) regardless of this field’s configuration.
  • Page 279: Add/Edit Policy

    Select this check box to turn on this policy for the application. Port: Use this field to specify a specific port number to which to apply this policy. Type zero, if this policy applies for every port number.
  • Page 280 Configure these fields to set the amount of bandwidth the application can use. These fields only apply when Access is set to forward. You must also enable bandwidth management in the main application patrol screen (AppPatrol > General) in order to apply bandwidth shaping.
  • Page 281: Other Applications

    NXC should do more precisely. You can also control...
  • Page 282 This is the user name or user group to which the policy applies. If any displays, the policy applies to all users. From: This is the source zone of the traffic to which this policy applies. This is the destination zone of the traffic to which this policy applies.
  • Page 283 (7) regardless of this field’s configuration. Select whether to have the NXC generate a log (log), log and alert (log alert) or neither (no) when traffic matches this policy.
  • Page 284: Add/Edit Policy

    Type zero, if this policy applies for every port number. Schedule: Select a schedule that defines when the policy applies or select Create Object to configure a new one. Otherwise, select any to make the policy always effective.
  • Page 285 If the sum of the bandwidths for routes using the same next hop is higher than the actual transmission speed, lower priority traffic may not be sent if higher priority traffic uses all of the actual bandwidth.
  • Page 286 - the NXC creates a record in the log. log alert - the NXC creates an alert. Click OK to save your changes back to the NXC. Cancel: Click Cancel to exit this screen without saving your changes.
  • Page 287: Chapter 20 Anti-Virus

    (Section 20.3 on page 295) sets up anti-virus black (blocked) and white (allowed) lists of virus file patterns. • The Signature screen (Section 20.6 on page 299) allows you to search the signatures to get more information about them.
  • Page 288: What You Need To Know

    Registration screen. After the trial expires, you need to purchase an iCard for the anti-virus engine you want to use and register it in the Registration > Service screen. You must use the ZyXEL anti-virus iCard for the ZyXEL anti-virus engine and the Kaspersky anti-virus iCard for the Kaspersky anti-virus engine. See Chapter 8 on page 151 for details.
  • Page 289: Before You Begin

    • Before using anti-virus, see Chapter 8 on page 151 for how to register for the anti-virus service. • You may need to customize the zones (in the Network > Zone) used for the anti-virus scanning direction.
  • Page 290: Anti-Virus Summary

    Enable Anti-Virus and Anti-Spyware: Select this check box to check traffic for viruses and spyware. The following table lists policies that define which traffic the NXC scans and the action it takes upon finding a virus.
  • Page 291 IMAP4 applies to traffic using TCP port 143. License: The following fields display information about the current state of your subscription for virus signatures. License Status: This field displays whether a service is activated (Licensed) or not (Not Licensed) or expired (Expired).
  • Page 292 The following fields display information on the current signature set that the NXC is using. Anti-Virus Engine Type: This field displays whether the NXC is set to use ZyXEL’s anti-virus engine or the one powered by Kaspersky. Upgrading the NXC to firmware version 2.11 and updating the anti-virus signatures automatically upgrades the ZyXEL anti-virus engine to v2.0.
  • Page 293: Add/Edit Rule

    FTP applies to traffic using the TCP port number specified for FTP in the ALG screen. SMTP applies to traffic using TCP port 25. POP3 applies to traffic using TCP port 110. IMAP4 applies to traffic using TCP port 143.
  • Page 294 You can upload the firmware package to the NXC with the option enabled, so you only need to clear this option while you download the firmware package.
  • Page 295: Black List

    To turn off an entry, select it and click Inactivate. Status: The activate (light bulb) icon is lit when the entry is active and dimmed when the entry is inactive. This is the entry’s index number in the list.
  • Page 296: Add/Edit Pattern

    • For a black list entry, enter a file pattern that should cause the NXC to log and delete a file. • For a white list entry, enter a file pattern that should cause the NXC to allow a file. Figure 133 Black List (or White List) > Add/Edit Pattern
  • Page 297 If you do not use a wildcard, the NXC checks up to the first 80 characters of a file name. Click OK to save your changes. Cancel: Click Cancel to exit this screen without saving your changes.
  • Page 298: White List

    This is the file name pattern. If a file’s name matches this pattern, the NXC does not check the file for viruses. Apply: Click Apply to save your changes. Reset: Click Reset to return the screen to its last-saved settings.
  • Page 299: Signature

    Explorer run slowly and the computer maybe becoming unresponsive, just click No to continue. Click a column’s heading cell to sort the table entries by that column’s criteria. Click the heading cell again to reverse the sort order. Figure 135 Configuration > Anti-X > Anti-Virus > Signature
  • Page 300 Category: This column displays whether the signature is for identifying a virus or spyware. Click the column heading to sort your search results by category.
  • Page 301: Technical Reference

    The virus spreads to other files and programs on the computer. The infected files are unintentionally sent to another computer thus starting the spread of the virus. Once the virus is spread through the network, the number of infected networked computers can grow exponentially.
  • Page 302 • NAV scanners stop virus threats at the network edge before they enter or exit a network. • NAV scanners reduce computing loading on computers as the real-time data traffic inspection is done on a dedicated security device.
  • Page 303: Chapter 21 IDP

    Zone: A zone is a combination of NXC interfaces used for configuring security. See the zone chapter for details on zones and the interfaces chapter for details on interfaces.
  • Page 304: Before You Begin

    Click Configuration > Anti-X > IDP > General to open this screen. Use this screen to turn IDP on or off, bind IDP profiles to traffic directions, and view registration and signature information. Note: You must register in order to use packet inspection signatures. See the Registration screens.
  • Page 305 To change an entry’s position in the numbered list, select it and click Move to display a field to type a number for where you want to put that entry and press [ENTER] to move the entry to the number that you typed.
  • Page 306 Older signatures and rules may be removed if they are no longer applicable or have been supplanted by newer ones. Released Date: This field displays the date and time the set was released.
  • Page 307: Profile Summary

    • Delete an existing profile. Click a column’s heading cell to sort the table entries by that column’s criteria. Click the heading cell again to reverse the sort order. Figure 137 Configuration > Anti-X > IDP > Profile
  • Page 308: Base Profiles

    (greater than two) generate logs (not log alerts) and no action is taken on packets that trigger them. Signatures with a very low or low severity level (less than or equal to two) are disabled.
  • Page 309: Creating New Profiles

    To create a new profile: Click the Add icon in the Configuration > Anti-X > IDP > Profile screen to display a pop-up screen allowing you to choose a base profile.
  • Page 310 Note: If Internet Explorer opens a warning screen about a script making Internet Explorer run slowly and the computer maybe becoming unresponsive, just click No to continue. Type a new profile name. Enable or disable individual signatures. Edit the default log options and actions.
  • Page 311: Add/Edit Profile

    Select Configuration > Anti-X > IDP > Profile and then Add a new or Edit an existing profile select. Packet inspection signatures examine the contents of a packet for malicious data. It operates at layer-4 to layer-7. Figure 139 Configuration > Anti-X > IDP > Profile > Add/Edit Profile
  • Page 312 NXC create a log when a packet matches a signature(s). log alert: An alert is an e-mailed log for more serious events that may need more immediate attention. Select this option to have the NXC send an alert when a packet matches a signature(s).
  • Page 313 Low (2): These denote mild threats or attacks that could be false alarms. Very Low (1): These denote possible attacks caused by traffic such as Ping, trace route, ICMP queries etc. Policy Type: This is the attack type as defined on the NXC.
  • Page 314: Policy Types

    Internet. A Distributed Denial of Service (DDoS) attack is one in which multiple compromised systems attack a single target, thereby causing denial of service for users of the targeted system.
  • Page 315 Access control attacks try to bypass validation checks in order to access network resources such as servers, directories, and files. Web Attack: Web attacks refer to attacks on web servers such as IIS (Internet Information Services).
  • Page 316: IDP Service Groups

    Logs and actions applied to a service group apply to all signatures within that group. If you select original setting for service group logs and/or actions, all signatures within that group are returned to their last-saved settings. Figure 140 Configuration > Anti-X > IDP > Edit Profile
  • Page 317: Query View Screen

    ID fields are left blank, then all custom signatures are displayed. Name Type the name or part of the name of the signature(s) you want to find. Signature Type the ID or part of the ID of the signature(s) you want to find.
  • Page 318 Click Save to save the configuration to the NXC, but remain in the same page. You may then go to another profile screen (tab) in order to complete the profile. Click OK in the final profile screen to complete the profile.
  • Page 319: Query Example

    This example shows a search with these criteria: • Severity: severe and high • Attack Type: DDoS • Platform: Windows 2000 and Windows XP computers • Service: Any • Actions: Any Figure 142 Query Example Search Results
  • Page 320: Custom IDP Signatures

    This is a byte count from the start of the original sent packet. Time To Live: This is a counter that decrements every time it passes through a router. When it reaches zero, the datagram is discarded. It is used to prevent accidental routing loops.
  • Page 321: Custom Signatures

    Click the SID or Name heading to sort. Click the Add icon to create a new signature or click the Edit icon to edit an existing signature. You can also delete custom signatures here or save them to your computer.
  • Page 322 This is the name of your custom signature. Duplicate names can exist, but it is advisable to use unique signature names that give some hint as to intent of the signature and the type of attack it is supposed to prevent.
  • Page 323: Add/Edit Custom Signature

    Edit icon to edit an existing signature. A packet must match all items you configure in this screen before it matches the signature. The more specific your signature (including packet contents), then the fewer false positives the signature will trigger.
  • Page 324 Try to write signatures that target a vulnerability, for example a certain type of traffic on certain operating systems, instead of a specific exploit. Figure 145 Configuration > Anti-X > IDP > Custom Signatures > Add/Edit
  • Page 325 If a datagram is fragmented, it contains a value that identifies the datagram to which the fragment belongs. Some intrusions use an invalid Identification number. Select the check box and then type in the invalid number that the intrusion uses.
  • Page 326 Transport Protocol The following fields vary depending on whether you choose TCP, UDP or ICMP. Transport Protocol: TCP Port Select the check box and then enter the source and destination TCP port numbers that will trigger this signature.
  • Page 327 ICMP fields when they communicate. Payload Options The longer a payload option is, the more exact the match, the faster the signature processing. Therefore, if possible, it is recommended to have at least one payload option in your signature.
  • Page 328 %2 for directory traversals, these signatures will not be triggered because the content is normalized out of the URI buffer. For example, the URI: /scripts/..%c0%af../winnt/system32/cmd.exe?/c+ver will get normalized into: /winnt/system32/cmd.exe?/c+ver
  • Page 329: Custom Signature Example

    As an example, say you want to check if your router is being overloaded with DNS queries so you create a signature to detect DNS query traffic.
  • Page 330 From the details about DNS query you see that the protocol is UDP and the port is 53. The type of DNS packet is standard query and the Flag is 0x0100 with an offset of 2. Therefore enter |010| as the first pattern.
  • Page 331: Applying Custom Signatures

    21.7.3 Applying Custom Signatures After you create your custom signature, it becomes available in the IDP service group category in the Configuration > Anti-X > IDP > Profile > Edit screen. Custom signatures have an SID from 9000000 to 9999999.
  • Page 332: Verifying Custom Signatures

    All IDP signatures come under the IDP category. The Note column displays ACCESS FORWARD when no action is configured for the signature. It displays ACCESS DENIED if you configure the signature action to drop the packet.
  • Page 333: Technical Reference

    Disadvantages of host IDPs are that you have to install them on each device (that you want to protect) in your network and due to the necessarily tight integration with the host operating system, future operating system upgrades could cause problems.
  • Page 334 These are some equivalent Snort terms in the NXC. Table 122 NXC - Snort Equivalent Terms (NXC term: Snort equivalent term). Type Of Service; Identification; Fragmentation: fragbits; Fragmentation Offset: fragoffset; Time to Live; IP Options: ipopts
  • Page 335 (Snort rule options) Payload Size: dsize; Offset (relative to start of payload): offset; Relative to end of last match: distance; Content: content; Case-insensitive: nocase; Decode as URI: uricontent. Note: Not all Snort functionality is supported in the NXC.
  • Page 337: ADP

    Traffic Anomalies: Traffic anomaly rules look for abnormal behavior or events such as port scanning, sweeping or network flooding. It operates at OSI layer-2 and layer-3. Traffic anomaly rules may be updated when you upload new firmware.
  • Page 338: Before You Begin

    ADP Policy An ADP policy refers to application of an ADP profile to a traffic flow. 22.1.3 Before You Begin Configure the NXC’s zones - see Chapter 13 on page 213 for more information. NXC5200 User’s Guide...
  • Page 339: Adp Summary

    This is the rank in the list of anomaly profile policies. The list is applied in order of priority. Status The activate (light bulb) icon is lit when the entry is active and dimmed when the entry is inactive. NXC5200 User’s Guide...
  • Page 340: Profile Summary

    Click Reset to return the screen to its last-saved settings. 22.3 Profile Summary Use this screen to: • Create a new profile using an existing base profile • Edit an existing profile • Delete an existing profile NXC5200 User’s Guide...
  • Page 341: Base Profiles

    22.3.1 Base Profiles The NXC comes with base profiles. You use base profiles to create new profiles. In the Configuration > Anti-X > ADP > Profile screen, click Add to display the following screen. Figure 152 Base Profiles NXC5200 User’s Guide...
  • Page 342: Creating New ADP Profiles

    In the Configuration > Anti-X > ADP > Profile screen, click the Edit icon or click the Add icon and choose a base profile. If you made changes to other screens
  • Page 343 belonging to this profile, make sure you have clicked OK or Save to save the changes before selecting the Traffic Anomaly tab. Figure 153 Add/Edit Profile > Traffic Anomaly
  • Page 344 The activate (light bulb) icon is lit when the entry is active and dimmed when the entry is inactive. Name This is the name of the traffic anomaly rule. Click the Name column heading to sort in ascending or descending order according to the rule name.
  • Page 345: Protocol Anomaly Profiles

    Add icon and choose a base profile, then select the Protocol Anomaly tab. If you made changes to other screens belonging to this profile, make sure you have clicked OK or Save to save the changes before selecting the Protocol Anomaly tab.
  • Page 346 Figure 154 Add/Edit Profile > Protocol Anomaly
  • Page 347 To edit an item’s log option, select it and use the Log icon. Select whether to have the NXC generate a log (log), log and alert (log alert) or neither (no) when traffic matches this anomaly rule.
  • Page 348 The NXC takes no action when a packet matches the signature(s). block: The NXC silently drops packets that match the rule. Neither sender nor receiver is notified. Click OK to save your settings to the NXC, complete the profile and return to the profile summary page.
  • Page 349: Technical Reference

    Decoy Port Scans Decoy port scans are scans where the attacker has spoofed the source address. These are some decoy scan types: • TCP Decoy Portscan • UDP Decoy Portscan • IP Decoy Portscan
  • Page 350 • IP Filtered Decoy Portscan • TCP Filtered Portsweep • UDP Filtered Portsweep • IP Filtered Portsweep • ICMP Filtered Portsweep • TCP Filtered Distributed Portscan • UDP Filtered Distributed Portscan • IP Filtered Distributed Portscan
  • Page 351 If an attacker (A) spoofs the source IP address of the ICMP echo request packet, the resulting ICMP traffic will not only saturate the receiving network (B), but the network of the spoofed source IP address (C). Figure 155 Smurf Attack
  • Page 352 SYN-ACKs are only moved off the queue when an ACK comes back or when an internal timer ends the three-way handshake. Once the queue is full, the system will ignore all incoming SYN requests, making the system unavailable for other users. Figure 157 SYN Flood
  • Page 353 “/abc/xyz”. Also, “/abc/./xyz” gets normalized to “/abc/xyz”. If a user wants to configure an alert, then specify “yes”, otherwise “no”. This alert may give false positives since some web sites refer to files using directory traversals.
  • Page 354 % encoding. Apache uses this standard, so for any Apache servers, make sure you have this option turned on. When this rule is enabled, ASCII decoding is also enabled to enforce correct functioning.
  • Page 355 8 bytes. This may cause some applications to crash. ICMP Decoder TRUNCATED-ADDRESS-HEADER ATTACK: This is when an ICMP packet is sent which has an ICMP datagram length of less than the ICMP address header length. This may cause some applications to crash.
  • Page 356 TRUNCATED-TIMESTAMP-HEADER ATTACK: This is when an ICMP packet is sent which has an ICMP datagram length of less than the ICMP Time Stamp header length. This may cause some applications to crash.
  • Page 357: Chapter 23 Device HA

    • The Active-Passive Mode screens (Section 23.3 on page 361) use active-passive mode device HA. You can configure general active-passive mode device HA settings, view and manage the list of monitored interfaces, and synchronize backup NXCs.
  • Page 358: What You Need To Know

    NXCs are both subscribed. For example, a backup subscribed to IDP/AppPatrol, but not anti-virus, gets IDP/AppPatrol updates from the master, but not anti-virus updates. It is highly recommended to subscribe the master and backup NXCs to the same services.
  • Page 359: Device HA General

    IP / Netmask mask. You can use this IP address and subnet mask to access the NXC whether it is in master or backup mode. Link Status This tells whether the monitored interface’s connection is down or up.
  • Page 360 NXC can take over all of the master NXC’s functions. Apply Click Apply to save your changes back to the NXC. Reset Click Reset to return the screen to its last-saved settings.
  • Page 361: Active-Passive Mode

    HA settings, view and manage the list of monitored interfaces, and synchronize backup NXCs. To access this screen, click Configuration > Device HA > Active-Passive Mode. Figure 160 Configuration > Device HA > Active-Passive Mode
  • Page 362 Select an entry and click this to be able to modify it. Activate To turn on an entry, select it and click Activate. Inactivate To turn off an entry, select it and click Inactivate. This is the entry’s index number in the list.
  • Page 363 Synchronize specified NXC according to the specified Interval. The first synchronization begins after the specified Interval; the NXC does not synchronize immediately. Interval When you select Auto Synchronize, set how often the NXC synchronizes with the master.
  • Page 364: Edit Monitored Interface

    Device HA will recover the interface’s setting. A bridge interface’s device HA settings are not retained if you delete the bridge interface. Figure 161 Device HA > Active-Passive Mode > Edit Monitored Interface
  • Page 365 IP address. Manage IP Subnet Mask: Enter the subnet mask of the interface’s management IP address. Click OK to save your changes back to the NXC. Cancel Click Cancel to exit this screen without saving your changes.
  • Page 366: Technical Reference

    You can have multiple NXC virtual routers on your network. Use a different cluster ID to identify each virtual router. In the following example, NXCs A and B form a virtual router that uses cluster ID 1. NXCs C and D form a virtual router that uses cluster ID 2.
  • Page 367 For example, NXC B takes over A’s 192.168.1.1 LAN interface IP address. This is a virtual router IP address. NXC A keeps its LAN management IP address of 192.168.1.5 and NXC B has its own LAN management IP address of 192.168.1.6. These do not change when NXC B becomes the master.
  • Page 368 The first way is to activate device HA before connecting the bridge interfaces as shown in the following example. Make sure the bridge interfaces of the master NXC (A) and the backup NXC (B) are not connected.
  • Page 369 Configure the bridge interface on the backup NXC, set the bridge interface as a monitored interface, and activate device HA. Connect the NXCs. [Figure labels: Br0 {ge4, ge5}]
  • Page 370 HA. Configure a corresponding disabled bridge interface on the backup NXC. Then set the bridge interface as a monitored interface, and activate device HA. [Figure labels: Br0 {ge4, ge5}, Disabled]
  • Page 371 Synchronization affects the entire device configuration. You can only configure one set of settings for synchronization, regardless of how many VRRP groups you might configure. The NXC uses Secure FTP (on a port number you can change) to
  • Page 372 • The backup NXC cannot be the master. This refers to the actual role at the time of synchronization, not the role setting in the configuration screen. The backup applies the entire configuration if it is different from the backup’s current configuration.
  • Page 373: Chapter 24 User/Group

    User Account A user account defines the privileges of a user logged into the NXC. User accounts are used in firewall rules and application patrol, in addition to controlling access to configuration and services in the NXC.
  • Page 374 NXC sets the user type for this session to User. Ext-Group-User Accounts Ext-Group-User accounts are similar to ext-user accounts but allow you to group users by the value of the group membership attribute configured for the AD or LDAP server.
  • Page 375 ‘user-aware policies’ that define what services they can use. User Role Priority The NXC checks the following in order of priority. User role setting in ext-user. User role setting in ext-group-user. User role setting in default user (ldap-users, ad-users, radius-users).
  • Page 376: User Summary

    The User Add/Edit screen allows you to create a new user account or edit an existing one. 24.2.1.1 Rules for User Names Enter a user name from 1 to 31 characters. The user name can only contain the following characters:
  • Page 377 • root • shutdown • sshd • sync • uucp • zyxel To access this screen, go to the User screen, and click Add or Edit. Figure 166 Configuration > User/Group > User > Add/Edit A User
  • Page 378 Renew button on their screen. If you allow access users to renew time automatically, the users can select this check box on their screen as well. In this case, the session is automatically renewed before the lease time expires.
  • Page 379: Group Summary

    Select an entry and click Object References to open a screen that shows which settings use the entry. This field is a sequential value, and it is not associated with a specific user group. Group Name This field displays the name of each user group.
  • Page 380: Add/Edit Group

    This value is case-sensitive. User group names have to be different than user names. Description Enter the description of the user group, if any. You can use up to 60 characters, punctuation marks, and spaces.
  • Page 381: Setting

    NXC. You can also use this screen to specify when users must log in to the NXC before it routes traffic for them. To access this screen, log in to the Web Configurator, and click Configuration > Object > User/Group > Setting.
  • Page 382 Edit Double-click an entry or select it and click Edit to open a screen where you can modify the entry’s settings. This field is a sequential value, and it is not associated with a specific entry.
  • Page 383 If you do not select this, admin users can log in as many times as they want at the same time using the same or different IP addresses.
  • Page 384: Edit User Authentication Timeout Settings

    These default authentication timeout settings also control the settings for any existing user accounts that are set to use the default settings. You can still manually configure any user account’s authentication timeout settings.
  • Page 385 Unlike Lease Time, the user has no opportunity to renew the session without logging out. Click OK to save your changes back to the NXC. Cancel Click Cancel to exit this screen without saving your changes.
  • Page 386: User Aware Login Example

    Remaining time before auth. timeout: This field displays the amount of time that remains before the NXC automatically logs the access user out, regardless of the lease time.
  • Page 387: Chapter 25 AP Profile

    MAC addresses. If a client’s MAC address is on the list, then it is either allowed or denied, depending on how you set up the MAC Filter profile. You can have a maximum of 64 MAC filtering profiles on the NXC.
  • Page 388: Radio

    To access this screen click Configuration > Object > AP Profile. Note: You can have a maximum of 64 radio profiles on the NXC. Figure 172 Configuration > Object > AP Profile > Radio
  • Page 389: Add/Edit Radio Profile

    This screen allows you to create a new radio profile or edit an existing one. To access this screen, click the Add button or select a radio profile from the list and click the Edit button. Figure 173 Configuration > Object > AP Profile > Add/Edit Profile
  • Page 390 802.11n MAC header. This method is useful for increasing bandwidth throughput in environments that are prone to high error rates. A-MPDU Limit: Enter the maximum frame size to be aggregated. A-MPDU Subframe: Enter the maximum number of frames to be aggregated each time.
  • Page 391 Basic Rate (Mbps) - Set the basic rate configuration in Mbps. • Support Rate (Mbps) - Set the support rate configuration in Mbps. • MCS Rate - Set the MCS rate configuration. MBSSID Settings This section allows you to associate an SSID profile with the radio profile.
  • Page 392: SSID

    To access this screen click Configuration > Object > AP Profile > SSID. Note: You can have a maximum of 64 SSID profiles on the NXC. Figure 174 Configuration > Object > AP Profile > SSID List
  • Page 393 This screen allows you to create a new SSID profile or edit an existing one. To access this screen, click the Add button or select an SSID profile from the list and click the Edit button. Figure 175 Configuration > Object > AP Profile > Add/Edit SSID Profile
  • Page 394 SSID by wireless client MAC addresses. Any clients that have MAC addresses not in the MAC filtering profile of allowed addresses are denied connections. The disable setting means no MAC filtering is used.
  • Page 395 Enable Intra-BSS Traffic Blocking: Select this option to prevent crossover traffic from within the same SSID. Click OK to save your changes back to the NXC. Cancel Click Cancel to exit this screen without saving your changes.
  • Page 396: Security List

    This field is a sequential value, and it is not associated with a specific user. Profile Name This field indicates the name assigned to the security profile. Security Mode This field indicates this profile’s security mode (if any).
  • Page 397 Address: Enter the IP address of the RADIUS server to be used for authentication. Radius Server Port: Enter the port number of the RADIUS server to be used for authentication. Radius Server Secret: Enter the shared secret password of the RADIUS server to be used for authentication.
  • Page 398 Pre-Authentication: Enable or Disable pre-authentication to allow the AP to send authentication information to other APs on the network, allowing connected wireless clients to switch APs without having to re-authenticate their network connection.
  • Page 399: MAC Filter List

    This field is a sequential value, and it is not associated with a specific user. Profile Name This field indicates the name assigned to the MAC filtering profile. Filter Action This field indicates this profile’s filter action (if any).
  • Page 400 This field specifies a MAC address associated with this profile. Description This field displays a description for the MAC address associated with this profile. You can click the description to make it editable. Enter up to 60 characters, spaces and underscores allowed.
  • Page 401: Chapter 26 MON Profile

    802.11 frequencies by sending probe request frames. Passive Scan A passive scan is performed when an 802.11-compatible monitoring device is set to periodically listen to a specified channel or number of channels for other wireless devices broadcasting on the 802.11 frequencies.
  • Page 402: MON Profile

    Click this to view which other objects are linked to the selected monitor mode profile (for example, an AP management profile). This field is a sequential value, and it is not associated with a specific user. Profile Name This field indicates the name assigned to the monitor profile.
  • Page 403: Add/Edit MON Profile

    Select auto to have the AP switch to the next sequential channel once the Channel dwell time expires. Select manual to set specific channels through which to cycle sequentially when the Channel dwell time expires. Selecting this option makes the Scan Channel List options available.
  • Page 404: Technical Reference

    APs in order to capture information from wireless clients. If a scan reveals a rogue AP, you can use commercially-available software to physically locate it. Figure 182 Rogue AP Example
  • Page 405 (those from recognized networks, for example). It is recommended that you export (save) your list of friendly APs often, especially if you have a network with a large number of access points.
  • Page 407: Chapter 27 Addresses

    27.2 Address Summary The address screens are used to create, maintain, and remove addresses. There are the types of address objects. • HOST - a host address is defined by an IP Address.
  • Page 408 This field displays the IP addresses represented by each address object. If the object’s settings are based on one of the NXC’s interfaces, the name of the interface displays first followed by the object’s current address settings.
  • Page 409: Add/Edit Address

    Use dotted decimal format. Interface If you selected INTERFACE IP, INTERFACE SUBNET, or INTERFACE GATEWAY as the Address Type, use this field to select the interface of the network that this address object represents.
  • Page 410: Address Group Summary

    This field is a sequential value, and it is not associated with a specific address group. Name This field displays the name of each address group. Description This field displays the description of each address group, if any.
  • Page 411: Add/Edit Address Group Rule

    Move any members you do not want included to the Available list. Click OK to save your changes back to the NXC. Cancel Click Cancel to exit this screen without saving your changes.
  • Page 413: Chapter 28 Services

    TCP puts it in sequence or waits for the data to be re-transmitted. Then, the connection is terminated. In contrast, computers use UDP to send short messages to each other. There is no guarantee that the messages arrive in sequence or that the messages arrive at all.
  • Page 414 Use service groups when you want to create the same rule for several services, instead of creating separate rules for each service. Service groups may consist of services and other service groups. The sequence of members in the service group is not important.
  • Page 415: Service Summary

    Object References: Select an entry and click Object References to open a screen that shows which settings use the entry. This field is a sequential value, and it is not associated with a specific service.
  • Page 416: Add/Edit Service Rule

    Number Enter the number of the next-level protocol (IP protocol). Allowed values are 0 - 255. Click OK to save your changes back to the NXC. Cancel Click Cancel to exit this screen without saving your changes.
  • Page 417: Service Group Summary

    This field displays the name of each service group. By default, the NXC uses services starting with “Default_Allow_” in the firewall rules to allow certain services to connect to the NXC. Description This field displays the description of each service group, if any.
  • Page 418: Add/Edit Service Group Rule

    Move any members you do not want included to the Available list. Click OK to save your changes back to the NXC. Cancel Click Cancel to exit this screen without saving your changes.
  • Page 419: Chapter 29 Schedules

    Recurring schedules begin at a specific start time and end at a specific stop time on selected days of the week (Sunday, Monday, Tuesday, Wednesday, Thursday, Friday, and Saturday). Recurring schedules always begin and end in the same day. Recurring schedules are useful for defining the workday and off-work hours.
  • Page 420: Schedule Summary

    To remove an entry, select it and click Remove. The NXC confirms you want to remove it before doing so. Object References: Select an entry and click Object References to open a screen that shows which settings use the entry.
  • Page 421: Add/Edit Schedule One-Time Rule

    Year: 1900 - 2999; Month: 1 - 12; Day: 1 - 31 (it is not possible to specify illegal dates, such as February 31); Hour: 0 - 23; Minute: 0 - 59
  • Page 422: Add/Edit Schedule Recurring Rule

    To access this screen, go to the Schedule screen and click either the Add icon or an Edit icon in the Recurring section. Figure 193 Configuration > Object > Schedule > Add/Edit (Recurring)
  • Page 423 Minute: 0 - 59. Weekly. Week Days: Select each day of the week the recurring schedule is effective. Click OK to save your changes back to the NXC. Cancel Click Cancel to exit this screen without saving your changes.
  • Page 425: Chapter 30 AAA Server

    LDAP/AD allows a client (the NXC) to connect to a server to retrieve information from a directory. A network example is shown next. Figure 194 Example: Directory Service Client and Server The following describes the user authentication procedure via an LDAP/AD server.
  • Page 426 Import each token’s database file (located on the included CD) into the server. Assign users to OTP tokens (on the ASAS server). Configure the ASAS as a RADIUS server in the NXC’s Configuration > Object > AAA Server screens. Give the OTP tokens to (local or remote) users.
  • Page 427 Note: Because the NXC has an internal authentication database, you can create local login accounts on it without needing to rely on an external authentication server. The built-in authentication server supports PEAP/EAP-TLS/EAP-TTLS.
  • Page 428 Base DN A base DN specifies a directory. A base DN usually contains information such as the name of an organization, a domain name and/or country. For example, o=MyCompany, c=UK where o means organization and c means country.
  • Page 429: Active Directory / LDAP

    Select an entry and click Object References to open a screen that shows which settings use the entry. This field displays the index number. Server Address: This is the address of the AD or LDAP server. Base DN: This specifies a directory. For example, o=ZyXEL, c=US
  • Page 430: Add/Edit Active Directory / LDAP Server

    Use this screen to create a new entry or edit an existing one. Note: The Active Directory and LDAP server setup screens are almost identical, so the features for both screens are described in this section. Figure 198 AAA Server > Active Directory > Add/Edit
  • Page 431 Enter a number between 1 and 65535. This port number should be the same on all AD or LDAP server(s) in this group. Base DN Specify the directory (up to 127 alphanumerical characters). For example, o=ZyXEL, c=US
  • Page 432 Enter the realm IP address. Note: This is only for LDAP. Configuration Validation: Use a user account from the server specified above to test if the configuration is correct. Enter the account’s user name in the Username field and click Test.
  • Page 433: RADIUS

    Select an entry and click Object References to open a screen that shows which settings use the entry. This field displays the index number. Name This is the name of the RADIUS server entry. Server Address: This is the address of the AD or LDAP server.
  • Page 434: Add/Edit RADIUS

    If the RADIUS server has a backup server, enter its address here. Backup Authentication Port: Specify the port number on the RADIUS server to which the NXC sends authentication requests. Enter a number between 1 and 65535.
  • Page 435 “sales”, “RD”, and “management”. Then you could also create an ext-group-user user object for each group. One with “sales” as the group identifier, another for “RD” and a third for “management”. Click OK to save the changes. Cancel Click Cancel to discard the changes.
  • Page 437: Authentication Method

    Configure AAA server objects before you configure authentication method objects. 31.2 Authentication Method Click Configuration > Object > Auth. Method to display this screen. Note: You can create up to 16 authentication method objects. Figure 202 Configuration > Object > Auth. Method
  • Page 438: Add Authentication Method

    If two accounts with the same username exist on two authentication servers you specify, the NXC does not continue the search on the second authentication server when you enter the username and password that doesn’t match the one on the first authentication server.
  • Page 439 NXC does not continue the search on the second authentication server when you enter the username and password that doesn’t match the one on the first authentication server. Click OK to save the changes. Cancel Click Cancel to discard the changes.
  • Page 441: Chapter 32 Certificates

    In the same way, your private key “writes” your digital signature and your public key allows people to verify whether data was signed by you, or by someone else.
  • Page 442 • The NXC only has to store the certificates of the certification authorities that you decide to trust, no matter how many devices you need to authenticate. • Key distribution is simple and very secure since you can freely distribute public keys and you never need to transmit private keys.
  • Page 443: Verifying A Certificate

    MD5 or SHA1 algorithm. The following procedure describes how to check a certificate’s fingerprint to verify that you have the actual certificate. Browse to where you have the certificate saved on your computer.
  • Page 444 Use a secure method to verify that the certificate owner has the same information in the Thumbprint Algorithm and Thumbprint fields. The secure method may vary based on your situation. Possible examples would be over the telephone or through an HTTPS connection.
  • Page 445: My Certificates

    This field displays the certificate index number. The certificates are listed in alphabetical order. Name This field displays the name used to identify this certificate. It is recommended that you give each certificate a unique name.
  • Page 446 Expired! message if the certificate has expired. Import Click Import to open a screen where you can save a certificate to the NXC. Refresh Click Refresh to display the current validity status of the certificates.
  • Page 447: Add My Certificates

    Add icon to open the My Certificates Add screen. Use this screen to have the NXC create a self-signed certificate, enroll a certificate with a certification authority or generate a certification request. Figure 204 Configuration > Object > Certificate > My Certificates > Add
  • Page 448 Create a self-signed certificate: Select this to have the NXC generate the certificate and act as the Certification Authority (CA) itself. This way you do not need to apply to a certification authority for certificates.
  • Page 449 You must have the certification authority’s certificate already imported in the Trusted Certificates screen. Click Trusted CAs to go to the Trusted Certificates screen where you can view (and manage) the NXC's list of certificates of trusted certification authorities.
  • Page 450 Return and check your information in the My Certificate Create screen. Make sure that the certification authority information is correct and that your Internet connection is working properly if you want the NXC to enroll a certificate online.
  • Page 451: Edit My Certificates

    Click Configuration > Object > Certificate > My Certificates and then the Edit icon to open the My Certificate Edit screen. You can use this screen to view in-depth certificate information and change the certificate’s name. Figure 205 Configuration > Object > Certificate > My Certificates > Edit NXC5200 User’s Guide...
  • Page 452 “none” displays for a certification request. Valid To This field displays the date that the certificate expires. The text displays in red and includes an Expired! message if the certificate has expired. “none” displays for a certification request. NXC5200 User’s Guide...
  • Page 453 Use this button to save a copy of the certificate with its private key. with Private Key Type the certificate’s password and click this button. Click Save in the File Download screen. The Save As screen opens, browse to the location that you want to use and click Save. NXC5200 User’s Guide...
  • Page 454: Import Certificates

    Click Browse to find the certificate file you want to upload. Password This field only applies when you import a binary PKCS#12 format file. Type the file’s password that was created when the PKCS #12 file was exported. NXC5200 User’s Guide...
  • Page 455: Trusted Certificates

    Object You cannot delete certificates that any of the NXC’s features are Reference configured to use. Select an entry and click Object References to open a screen that shows which settings use the entry. NXC5200 User’s Guide...
  • Page 456 Click Import to open a screen where you can save the certificate of a certification authority that you trust, from your computer to the NXC. Refresh Click this button to display the current validity status of the certificates. NXC5200 User’s Guide...
  • Page 457: Edit Trusted Certificates

    NXC to check a certification authority’s list of revoked certificates before trusting a certificate issued by the certification authority. Figure 208 Configuration > Object > Certificate > Trusted Certificates > Edit NXC5200 User’s Guide...
  • Page 458 (usually a certification authority). Password Type the password (up to 31 ASCII characters) from the entity maintaining the CRL directory server (usually a certification authority). Certificate These read-only fields display detailed information about the Information certificate. NXC5200 User’s Guide...
  • Page 459 MD5 Fingerprint This is the certificate’s message digest that the NXC calculated using the MD5 algorithm. You can use this value to verify with the certification authority (over the phone for example) that this is actually their certificate. NXC5200 User’s Guide...
  • Page 460: Import Trusted Certificates

    NXC. Note: You must remove any spaces from the certificate’s filename before you can import the certificate. Figure 209 Configuration > Object > Certificate > Trusted Certificates > Import NXC5200 User’s Guide...
  • Page 461: Technical Reference

    NXC only gets information on the certificates that it needs to verify, not a huge list. When the NXC requests certificate status information, the OCSP server returns an “expired”, “current” or “unknown” response.
  • Page 463: Chapter 33 System

    SNMP can be used to access the NXC. You can also specify from which IP addresses the access can come. • The Language screen (Section 33.11 on page 503) sets the user interface language for the NXC’s Web Configurator screens. NXC5200 User’s Guide...
  • Page 464: Host Name

    For effective scheduling and logging, the NXC system time must be accurate. The NXC’s Real Time Chip (RTC) keeps track of the time and date. There is also a software mechanism to set the time manually or get the current time and date from an external server. NXC5200 User’s Guide...
  • Page 465 This field displays the last updated time from the time server or the mm-ss) last time configured manually. When you set Time and Date Setup to Manual, enter the new time in this field and then click Apply. NXC5200 User’s Guide...
  • Page 466 European Union you would select Last, Sunday, March. The time you type in the at field depends on your time zone. In Germany for instance, you would type 2 because Germany's time zone is one hour ahead of GMT or UTC (GMT+1). NXC5200 User’s Guide...
  • Page 467: Pre-Defined Ntp Time Servers List

    If the synchronization fails, then the NXC goes through the rest of the list in order from the first one tried until either it is successful or all the pre-defined NTP time servers have been tried. NXC5200 User’s Guide...
  • Page 468: Time Server Synchronization

    Click System > Date/Time. Select Get from Time Server under Time and Date Setup. Under Time Zone Setup, select your Time Zone from the list. Under Time and Date Setup, enter a Time Server Address. Click Apply. NXC5200 User’s Guide...
  • Page 469: Console Speed

    • The ISP tells you the DNS server addresses, usually in the form of an information sheet, when you sign up. If your ISP gives you DNS server addresses, manually enter them in the DNS server fields. NXC5200 User’s Guide...
  • Page 470: Configuring The Dns Screen

    (FQDN) to an IP address. An FQDN consists of a host and domain name. For example, www.zyxel.com.tw is a fully qualified domain name, where “www” is the host, “zyxel” is the third-level domain, “com” is the second-level domain, and “tw” is the top level domain.
  • Page 471 Domain Zone A domain zone is a fully qualified domain name without the host. For example, zyxel.com.tw is the domain zone for the www.zyxel.com.tw fully qualified domain name. A “*” means all domain zones. Type...
  • Page 472: Address Record

    An address record contains the mapping of a Fully-Qualified Domain Name (FQDN) to an IP address. An FQDN consists of a host and domain name. For example, www.zyxel.com is a fully qualified domain name, where “www” is the host, “zyxel” is the second-level domain, and “com” is the top level domain.
  • Page 473: Ptr Record

    For example, www.zyxel.com.tw is a fully qualified domain name, where “www” is the host, “zyxel” is the third-level domain, “com” is the second-level domain, and “tw” is the top level domain.
  • Page 474: Domain Zone Forwarder

    DNS server to resolve domain zones for features like the time server. A domain zone is a fully qualified domain name without the host. For example, zyxel.com is the domain zone for the www.zyxel.com fully qualified domain name. 33.5.7 Add Domain Zone Forwarder Click the Add icon in the Domain Zone Forwarder table to add a domain zone forwarder record.
  • Page 475: Mx Record

    For example, whenever the NXC needs to resolve a zyxel.com.tw domain name, it can send a query to the recorded name server IP address. Enter * if all domain zones are served by the specified DNS server(s).
  • Page 476: Add Mx Record

    Select ALL to allow or deny any computer to send DNS queries to the Object NXC. Select a predefined address object to just allow or deny the computer with the IP address that you specified to send DNS queries to the NXC. NXC5200 User’s Guide...
  • Page 477: Www Overview

    IP address (the NXC disallows the session). The IP address (address object) in the Service Control table is not in the allowed zone or the action is set to Deny. There is a firewall rule that blocks it. NXC5200 User’s Guide...
  • Page 478: System Timeout

    NXC a certificate. You must apply for a certificate for the browser from a CA that is a trusted CA on the NXC. Please refer to the following figure. HTTPS connection requests from an SSL-aware web browser go to port 443 (by default) on the NXC’s web server. NXC5200 User’s Guide...
  • Page 479: Configuring Www Service Control

    NXC using HTTP or HTTPS. You can also specify which IP addresses the access can come from. Note: Admin Service Control deals with management access (to the Web Configurator). User Service Control deals with user access to the NXC. NXC5200 User’s Guide...
  • Page 480 The HTTPS server listens on port 443 by default. If you change the HTTPS server port to a different number on the NXC, for example 8443, then you must notify people who need to access the NXC Web Configurator to use “https://NXC IP Address:8443” as the URL. NXC5200 User’s Guide...
  • Page 481 NXC Web Configurator using HTTP connections. Server Port You may change the server port number for a service if needed, however you must use the same port number in order to use that service to access the NXC. NXC5200 User’s Guide...
  • Page 482 Authentication client. Method You must have configured the authentication methods in the Auth. method screen. Apply Click Apply to save your changes back to the NXC. Reset Click Reset to return the screen to its last-saved settings. NXC5200 User’s Guide...
  • Page 483: Service Control Rules

    If you haven’t changed the default HTTPS port on the NXC, then in your browser enter “https://NXC IP Address/” as the web site address where “NXC IP Address” is the IP address or domain name of the NXC you wish to access. NXC5200 User’s Guide...
  • Page 484: Internet Explorer Warning Messages

    • To have the browser trust the certificates issued by a certificate authority, import the certificate authority’s certificate into your operating system as a trusted certificate. Refer to Appendix D on page 619 for details. NXC5200 User’s Guide...
  • Page 485: Login Screen

    Authenticate Client Certificates to be active (see the Certificates chapter for details). Apply for a certificate from a Certification Authority (CA) that is trusted by the NXC (see the NXC’s Trusted CA Web Configurator screen). Figure 225 Trusted Certificates NXC5200 User’s Guide...
  • Page 486 33.6.6.5 Installing the CA’s Certificate Double click the CA’s trusted certificate to produce a screen similar to the one shown next. Click Install Certificate and follow the wizard as shown earlier in this appendix. NXC5200 User’s Guide...
  • Page 487 CA to produce a screen similar to the one shown next Click Next to begin the wizard. The file name and path of the certificate you double-clicked should automatically appear in the File name text box. Click Browse if you wish to import a different certificate. NXC5200 User’s Guide...
  • Page 488 Chapter 33 System Enter the password given to you by the CA. Have the wizard determine where the certificate should be saved on your computer or select Place all certificates in the following store and choose a different location. NXC5200 User’s Guide...
  • Page 489 You should see the following screen when the certificate is correctly installed on your computer. 33.6.6.7 Using a Certificate When Accessing the NXC To access the NXC via HTTPS: Enter ‘https://NXC IP Address/’ in your browser’s web address field.
  • Page 490: Ssh

    Specify which zones allow SSH access and from which IP address the access can come. SSH is a secure communication protocol that combines authentication and data encryption to provide secure encrypted communication between two hosts over an...
  • Page 491: How Ssh Works

    The client automatically saves any new server public keys. In subsequent connections, the server public key is checked against the saved version on the client computer. NXC5200 User’s Guide...
  • Page 492: Ssh Implementation On The Nxc

    NXC for management using port 22 (by default). 33.7.3 Requirements for Using SSH You must install an SSH client program on a client computer (Windows or Linux operating system) that is used to connect to the NXC over SSH. NXC5200 User’s Guide...
  • Page 493: Configuring Ssh

    Click this to create a new entry. Select an entry and click Add to create a new entry after the selected entry. Edit Double-click an entry or select it and click Edit to be able to modify the entry’s settings. NXC5200 User’s Guide...
  • Page 494: Examples Of Secure Telnet Using Ssh

    This section describes how to access the NXC using the Secure Shell Client program. Launch the SSH client and specify the connection information (IP address, port number) for the NXC. Configure the SSH client to accept connection using SSH version 1. NXC5200 User’s Guide...
  • Page 495 22 on the NXC (using the default IP address of 192.168.1.1). A message displays indicating the SSH protocol version supported by the NXC. Figure 230 SSH Example 2: Test $ telnet 192.168.1.1 22 Trying 192.168.1.1... Connected to 192.168.1.1. Escape character is '^]'. SSH-1.5-1.0.0 NXC5200 User’s Guide...
  • Page 496: Telnet

    Configuration > System > TELNET to configure your NXC for remote Telnet access. Use this screen to specify from which zones Telnet can be used to manage the NXC. You can also specify from which IP addresses the access can come. Figure 232 Configuration > System > TELNET NXC5200 User’s Guide...
  • Page 497: Ftp

    You can upload and download the NXC’s firmware and configuration files using FTP. To use this feature, your computer must have an FTP client. See Chapter 35 on page 519 for more information about firmware and configuration files. NXC5200 User’s Guide...
  • Page 498 Click this to create a new entry. Select an entry and click Add to create a new entry after the selected entry. Edit Double-click an entry or select it and click Edit to be able to modify the entry’s settings. NXC5200 User’s Guide...
  • Page 499 This displays whether the computer with the IP address specified above can access the NXC zone(s) configured in the Zone field (Accept) or not (Deny). Apply Click Apply to save your changes back to the NXC. Reset Click Reset to return the screen to its last-saved settings. NXC5200 User’s Guide...
  • Page 500: Snmp

    Examples of variables include the number of packets received, node port status, etc. A Management Information Base (MIB) is a collection of managed objects. SNMP allows a manager and agents to communicate for the purpose of accessing these objects.
  • Page 501: Supported Mibs

    CPU and memory usage and VPN total throughput. The focus of the MIBs is to let administrators collect statistical data and monitor status and performance. You can download the NXC’s MIBs from www.zyxel.com. 33.10.2 SNMP Traps The NXC will send traps to the SNMP manager when any one of the following events occurs.
  • Page 502: Configuring Snmp

    The default is private and allows all requests. Trap Community Type the trap community, which is the password sent with each trap to the SNMP manager. The default is public and allows all requests. NXC5200 User’s Guide...
  • Page 503: Language

    Click Reset to return the screen to its last-saved settings. 33.11 Language Click Configuration > System > Language to open this screen. Use this screen to select a display language for the NXC’s Web Configurator screens. Figure 236 Configuration > System > Language NXC5200 User’s Guide...
  • Page 504 You also need to open a new browser session to display the screens in the new language. Apply Click Apply to save your changes back to the NXC. Reset Click Reset to return the screen to its last-saved settings. NXC5200 User’s Guide...
  • Page 505: Chapter 34 Log And Report

    34.2 Email Daily Report Use this screen to start or stop data collection and view various statistics about traffic passing through your NXC. Note: Data collection may decrease the NXC’s traffic throughput rate. NXC5200 User’s Guide...
  • Page 506 Click Configuration > Log & Report > Email Daily Report to display the following screen. Configure this screen to have the NXC e-mail you system statistics every day. Figure 237 Configuration > Log & Report > Email Daily Report NXC5200 User’s Guide...
  • Page 507: Log Setting

    The NXC provides a system log and supports e-mail profiles and remote syslog servers. The system log is available on the View Log tab, the e-mail profiles are used to mail log messages to the specified destinations, and the other four logs are stored on specified syslog servers. NXC5200 User’s Guide...
  • Page 508: Log Setting Summary

    Double-click an entry or select it and click Edit to open a screen where you can modify the entry’s settings. Activate To turn on an entry, select it and click Activate. Inactivate To turn off an entry, select it and click Inactivate. NXC5200 User’s Guide...
  • Page 509 Log Format This field displays the format of the log. Internal - system log; you can view the log on the View Log tab. VRPT/Syslog - ZyXEL’s Vantage Report, syslog-compatible format. CEF/Syslog - Common Event Format, syslog-compatible format. Summary This field is a summary of the settings for each log.
  • Page 510: Edit Log Settings

    This screen controls the detailed settings for each log in the system log (which includes the e-mail profiles). Go to the Log Settings Summary screen and click the system log Edit icon. Figure 239 Configuration > Log & Report > Log Setting > Edit NXC5200 User’s Guide...
  • Page 511 2 also has normal logs enabled, the NXC will e-mail logs to them. enable normal logs and debug logs (yellow check mark) - create log messages, alerts, and debugging information for all categories. The NXC does not e-mail debugging information, even if this setting is selected. NXC5200 User’s Guide...
  • Page 512 (green check mark) and/or in alerts (red exclamation point) for the e-mail settings specified in E-Mail Server 2. The NXC does not e-mail debugging information, even if it is recorded in the System log. Log Consolidation NXC5200 User’s Guide...
  • Page 513 “[count=x]”, where x is the number of original log messages, appended at the end of the Message field. Click this to save your changes and return to the previous screen. Cancel Click this to return to the previous screen without saving your changes. NXC5200 User’s Guide...
  • Page 514: Edit Remote Server

    This screen controls the settings for each log in the remote server (syslog). Go to the Log Settings Summary screen and click a remote server Edit icon. Figure 240 Configuration > Log & Report > Log Setting > Edit Remote Server NXC5200 User’s Guide...
  • Page 515 Active Log section. Log Format This field displays the format of the log information. It is read-only. VRPT/Syslog - ZyXEL’s Vantage Report, syslog-compatible format. CEF/Syslog - Common Event Format, syslog-compatible format. Server Type the server name or the IP address of the syslog server to which to Address send log information.
  • Page 516: Active Log Summary

    Figure 241 Active Log Summary This screen provides a different view and a different way of indicating which messages are included in each log and each alert. (The Default category includes debugging messages generated by open source software.) NXC5200 User’s Guide...
  • Page 517 Log Category This field displays each category of messages. It is the same value used in the Display and Category fields in the View Log tab. The Default category includes debugging messages generated by open source software. NXC5200 User’s Guide...
  • Page 518 (yellow check mark) - log regular information, alerts, and debugging information from this category Click this to save your changes and return to the previous screen. Cancel Click this to return to the previous screen without saving your changes. NXC5200 User’s Guide...
  • Page 519: Chapter 35 File Manager

    When you apply a configuration file, the NXC uses the factory default settings for any features that the configuration file does not include. When you run a shell script, the NXC only applies the commands that it contains. Other settings do not change. NXC5200 User’s Guide...
  • Page 520 NXC treat the line as a comment. Your configuration files or shell scripts can use “exit” or a command line consisting of a single “!” to have the NXC exit sub command mode. NXC5200 User’s Guide...
  • Page 521 The NXC ignores any errors in the configuration file or shell script and applies all of the valid commands. The NXC still generates a log for any errors. NXC5200 User’s Guide...
  • Page 522: Configuration File

    The NXC still generates a log for any errors. Figure 243 Maintenance > File Manager > Configuration File Do not turn off the NXC while configuration file upload is in progress. NXC5200 User’s Guide...
  • Page 523 Copy File screen. Specify a name for the duplicate configuration file. Use up to 25 characters (including a-zA-Z0-9;‘~!@#$%^&()_+[]{}’,.=-). Click OK to save the duplicate or click Cancel to close the screen without saving a duplicate of the configuration file. NXC5200 User’s Guide...
  • Page 524 The total number of configuration files that you can save depends on the sizes of the configuration files and the available flash storage space. NXC5200 User’s Guide...
  • Page 525: Firmware Package

    Click Upload to begin the upload process. This process may take up to two minutes. 35.3 Firmware Package Click Maintenance > File Manager > Firmware Package to open this screen. Use the Firmware Package screen to check your current firmware version and upload firmware to the NXC. NXC5200 User’s Guide...
  • Page 526 See the CLI Reference Guide for how to determine if you need to recover the firmware and how to recover it. Find the firmware package at www.zyxel.com in a file that (usually) uses the system model name with a .bin extension, for example, “nxc.bin”.
  • Page 527: Shell Script

    Click Maintenance > File Manager > Shell Script to open this screen. Use the Shell Script screen to store, name, download, upload and run shell script files. You can store multiple shell script files on the NXC at the same time. NXC5200 User’s Guide...
  • Page 528 Click OK to delete the shell script file or click Cancel to close the screen without deleting the shell script file. Download Click a shell script file’s row to select it and click Download to save the configuration to your computer. NXC5200 User’s Guide...
  • Page 529 Type in the location of the file you want to upload in this field or click Browse ... to find it. Browse... Click Browse... to find the .zysh file you want to upload. Upload Click Upload to begin the upload process. This process may take up to several minutes. NXC5200 User’s Guide...
  • Page 531: Chapter 36 Diagnostics

    This screen provides an easy way for you to generate a file containing the NXC’s configuration and diagnostic information. You may need to generate this file and send it to customer support during troubleshooting. Click Maintenance > Diagnostics to open the Diagnostic screen. Figure 249 Maintenance > Diagnostics NXC5200 User’s Guide...
  • Page 532: Packet Capture

    Click Maintenance > Diagnostics > Packet Capture to open the packet capture screen. Note: New capture files overwrite existing files of the same name. Change the File Suffix field’s setting to avoid this. Figure 250 Maintenance > Diagnostics > Packet Capture > Capture NXC5200 User’s Guide...
  • Page 533 NXC automatically truncates packets that exceed this size. As a result, when you view the packet capture files in a packet analyzer, the actual size of the packets may be larger than the size of captured packets. NXC5200 User’s Guide...
  • Page 534: Packet Capture Files

    Click a file to select it and click Download to save it to your computer. This column displays the number for each packet capture file entry. The total number of packet capture files that you can save depends on the file sizes and the available flash storage space. NXC5200 User’s Guide...
  • Page 535: Example Of Viewing A Packet Capture File

    Notice that the size of frame 15 on the wire is 1514 bytes while the captured size is only 1500 bytes. The NXC truncated the frame because the capture screen’s Number Of Bytes To Capture (Per Packet) field was set to 1500 bytes. Figure 252 Packet Capture File Example NXC5200 User’s Guide...
  • Page 536: Wireless Frame Capture

    Use the arrow buttons to move APs off this list and onto the Captured MON Mode APs list. Capture MON This column displays the monitor-mode configured APs selected to Mode APs for wireless frame capture. Misc Setting NXC5200 User’s Guide...
  • Page 537 Once the flash storage space is full, adding more frame captures will fail. Stop Click this button to stop a currently running frame capture and generate a combined capture file for all APs. Reset Click this button to return the screen to its last-saved settings. NXC5200 User’s Guide...
  • Page 538: Wireless Frame Capture Files

    This column displays the label that identifies the file. The file name format is interface name-file suffix.cap. Size This column displays the size (in bytes) of a configuration file. Last This column displays the date and time that the individual files were saved. Modified NXC5200 User’s Guide...
  • Page 539: Chapter 37 Reboot

    Click the Reboot button to restart the NXC. Wait a few minutes until the login screen appears. If the login screen does not appear, type the IP address of the device in your Web browser. You can also use the CLI command reboot to restart the NXC. NXC5200 User’s Guide...
  • Page 541: Chapter 38 Shutdown

    Click the Shutdown button to shut down the NXC. Wait for the device to shut down before you manually turn off or remove the power. It does not turn off the power. You can also use the CLI command shutdown to shut down the NXC.
  • Page 543: Chapter 39 Troubleshooting

    NXC and plugged into appropriate power sources. Also make sure you have the power sources and both of the NXC’s power switches turned • Replace the NXC power module that has a red PWR light. NXC5200 User’s Guide...
  • Page 544 I cannot update the anti-virus signatures. • Make sure your NXC has the anti-virus service registered and that the license is not expired. Purchase a new license if the license is expired. • Make sure your NXC is connected to the Internet. NXC5200 User’s Guide...
  • Page 545 The NXC is not applying the custom firewall rule I configured. The NXC checks the firewall rules in the order that they are listed. So make sure that your custom firewall rule comes before any other rules that the traffic would also match. NXC5200 User’s Guide...
  • Page 546 RADIUS server has priority. Change the RADIUS server’s configuration if you need to use a different re-authentication timer setting. The NXC is not applying an interface’s configured ingress bandwidth limit. At the time of writing, the NXC does not support ingress bandwidth management. NXC5200 User’s Guide...
  • Page 547 The anti-virus policy may be set to delete zipped files that the NXC cannot unzip. The NXC cannot unzip password protected ZIP files or a ZIP file within another ZIP file. There are also limits to the number of ZIP files that the NXC can concurrently unzip.
  • Page 548 Not all Snort functionality is supported in the NXC. The NXC’s performance seems slower after configuring ADP. Depending on your network topology and traffic load, applying an anomaly profile to each and every packet direction may affect the NXC’s performance. NXC5200 User’s Guide...
  • Page 549 If an alternate gateway on the LAN has an IP address in the same subnet as the NXC’s LAN IP address, return traffic may not go through the NXC. This is called an asymmetrical or “triangle” route. This causes the NXC to reset the connection, as the connection has not been acknowledged. NXC5200 User’s Guide...
  • Page 550 I configured policy routes to manage the bandwidth of TCP and UDP traffic but the bandwidth management is not being applied properly. It is recommended to use application patrol instead of policy routes to manage the bandwidth of TCP and UDP traffic. NXC5200 User’s Guide...
  • Page 551 The NXC fails to authenticate the ext-user user accounts I configured. An external server such as AD, LDAP or RADIUS must authenticate the ext-user accounts. If the NXC tries to use the local database to authenticate an ext-user, the authentication attempt will always fail.
  • Page 552 I cannot get a certificate to import into the NXC. For My Certificates, you can import a certificate that matches a corresponding certification request that was generated by the NXC. You can also import a certificate in PKCS#12 format, including the certificate’s public and private keys. NXC5200 User’s Guide...
  • Page 553 I uploaded a logo to display on the upper left corner of the Web Configurator login screen and access page but it does not display properly. Make sure the logo file is a GIF, JPG, or PNG of 100 kilobytes or less. NXC5200 User’s Guide...
  • Page 554 The Web Configurator is the recommended method for uploading firmware. You only need to use the command line interface if you need to recover the firmware. See the CLI Reference Guide for how to determine if you need to recover the firmware and how to recover it. NXC5200 User’s Guide...
  • Page 555: Wireless

    If the NXC or a connected Internet access device are managing the network with static IPs, make sure that the server settings for issuing those IPs are properly configured. Check the wireless client’s own network settings to ensure it is already set up with its static IP address. NXC5200 User’s Guide...
  • Page 556 • Make sure that all the APs are in the same broadcast domain. • Make sure that the wireless clients are in range of the other APs; if they are only in range of a single AP, then load balancing may not be as effective. NXC5200 User’s Guide...
  • Page 557: Resetting The Nxc

    Release the RESET button, and wait for the NXC to restart. You should be able to access the NXC using the default settings. 39.3 Getting More Troubleshooting Help Search for support information for your model at www.zyxel.com for more troubleshooting suggestions. NXC5200 User’s Guide...
  • Page 559: Product Specifications

    SSID-based RADIUS server selection Secure AP control & management over GRE CAPWAP standard based solution Simultaneous centralized & distributed WLAN support MAC address filtering through WLAN (support 2,048 MAC addresses) Blocking Intra-BSS Traffic Support Primary and Backup RADIUS server NXC5200 User’s Guide...
  • Page 560 Web-based user interface access over HTTP & HTTPS Administration CLI access using SSH, Telnet & console port Authority control for administration log-in Support administration authentication via RADIUS, LDAP or internal DB SNMP v2 support Standard MIBs & private MIBs support System logs & alerts
  • Page 561 Custom Signatures Traffic Anomaly Detection and Protection Flooding Detection and Protection Protocol Anomaly Detection and Protection: HTTP/ICMP/TCP/UDP Anti-Virus ICSA-Certified ZyXEL Anti-Virus or Kaspersky Anti-Virus Stream-Based Anti-Virus engine Covers Top Active Viruses in the Wild List Scans HTTP/FTP/SMTP/POP3/IMAP4 Automatic Signature Updates...
  • Page 562 3580, 3579, 3576, 2868, 2865, 2607, 2548, 2289, 2284 Built-in service, Domain RFCs 2037 authentication client Hostapd RFCs 1042, 1186, 2104, 2246, 2433, 2548, 2618, 2619, 2620, 2716, 2759, 2865, 2869, 3079, 3394, 3579, 3580, 3610, 3748, 4137, 4186, 4187, 4284, 4746, 4763, 4764 NXC5200 User’s Guide...
  • Page 563 Chapter 40 Product Specifications Table 209 Standards Referenced by Features (continued) FEATURE STANDARDS REFERENCED Wireless IEEE 802.11a, IEEE 802.11b, IEEE 802.11g, IEEE 802.11n, IEEE 802.11i, IEEE 802.1x Device-HA VRRP (Virtual Router RFC2338 & RFC3768 Redundancy Protocol) NXC5200 User’s Guide...
  • Page 565: Appendix A Log Descriptions

    %s: website host The device allowed access to a web site. The content filtering %s: Service is not service is unregistered and the default policy is not set to registered block. %s: website host NXC5200 User’s Guide...
  • Page 566 The web site contains Java applet and access was blocked %s: Contains Java according to a profile. applet %s: website host The web site contains a cookie and access was blocked %s: Contains cookie according to a profile. %s: website host NXC5200 User’s Guide...
  • Page 567 1st:zysh group name, 2nd:zysh entry name %s: cannot find entry 1st:zysh group name, 2nd:zysh entry name %s: cannot remove entry List OPS 1st:zysh entry name can't alloc entry: %s! 1st:zysh entry name can't retrieve entry: 1st:zysh entry name can't get entry: %s!
  • Page 568 Unable to change entry #%d! 1st:zysh table name %s: cannot retrieve entries from table! 1st:zysh table name %s: invalid old/new index! 1st:zysh entry num Unable to move entry #%d! 1st:zysh table name %s: apply failed at initial stage! NXC5200 User’s Guide...
  • Page 569 The NXC’s ADP feature detected traffic with the same IP LAND attack packet. address set as both the source and the destination. Source IP is the same as Destination IP. NXC5200 User’s Guide...
  • Page 570 1st %s: The protocol of the packet. 2nd %s: The filename of the related file. 3rd %s: The file pattern that the file matched. The anti-virus signatures update did not succeed. AV signature update has failed. Can not update last update time. NXC5200 User’s Guide...
  • Page 571 Anti-Virus rules have been flushed. The anti-virus rule of the specified number has been Anti-Virus rule %d has deleted. been deleted. The anti-virus rule of the specified number has been Anti-Virus rule %d has changed. been modified. NXC5200 User’s Guide...
  • Page 572 Action on file: %s 2nd %s: The filename of the related file. 3rd %s: Whether the file was deleted (DESTROY) or forwarded (PASS). Updating of the signature file information failed due to an Update signature info internal error. has failed. NXC5200 User’s Guide...
  • Page 573 Too many failed login attempts were made from an IP Address %u.%u.%u.%u has address so the NXC is blocking login attempts from that IP been put into lockout address. state %u.%u.%u.%u: the source address of the user’s login attempt NXC5200 User’s Guide...
  • Page 574 The user name does not yet exist in MyZyXEL.com's User does not exist. database. So the user can use it for device registration. Internal server error. MyZyXEL.com's database had an error when checking the user name. NXC5200 User’s Guide...
  • Page 575 The device could not retrieve the myZyXEL.com server's IP Server setting error. address or FQDN from local. The device could not resolve the myZyXEL.com server's FQDN Resolve server IP has to an IP address through gethostbyname(). failed. NXC5200 User’s Guide...
  • Page 576 LOG MESSAGE: Timeout for get server response. DESCRIPTION: MyZyXEL.com agent's return code, this log will be shown when timeout. LOG MESSAGE: Send update request to update server has failed. DESCRIPTION: The device could not send an update message to the update server.
  • Page 577 LOG MESSAGE: System protect signature download has failed. DESCRIPTION: The device still cannot download the system protect signature file after 3 retries. LOG MESSAGE: Resolve server IP has failed. DESCRIPTION: The device could not resolve the myZyXEL.com server's FQDN to an IP address through gethostbyname().
  • Page 578 MyZyXEL.com server or by the device’s own count. LOG MESSAGE: Content-Filter service has expired. DESCRIPTION: The content filtering service period has expired. The device can find this through either a service expiration day check via MyZyXEL.com server or by the device’s own count.
  • Page 579 LOG MESSAGE: System internal error. Enable IDP failed. DESCRIPTION: There was an internal system error. The device failed in turning on IDP. LOG MESSAGE: System internal error. Disable IDP failed. DESCRIPTION: There was an internal system error. The device failed in turning off IDP.
  • Page 580 LOG MESSAGE: Custom signature more than <num>. Replacement custom signature number is <num>. DESCRIPTION: An attempt to replace a custom IDP signature failed. The maximum number of custom signatures (first num) and the number of the replacement signature (second num) display.
  • Page 581 Create IDP statistics entry failed. LOG MESSAGE: System-protect error. Out of memory. IDP activation unchanged. DESCRIPTION: The IDP system-protect function had an error. The device did not have enough available memory. The setting for IDP activation has not changed.
  • Page 582 Enable IDP system-protect succeeded. LOG MESSAGE: Disable IDP system-protect succeeded. DESCRIPTION: The IDP system-protect feature was successfully turned off. LOG MESSAGE: Check duplicate sid failed. Allocate memory error. DESCRIPTION: Checking for duplicated signature IDs failed. There was an error while allocating memory.
  • Page 583 LOG MESSAGE: Action=%s Access=drop DESCRIPTION: Name, 2nd %s: "port-less" or "port-base", 3rd %s: "login", "message", "audio", "video" or "file-transfer". LOG MESSAGE: Initialize App. Patrol has succeeded. DESCRIPTION: Application patrol was successfully initiated. LOG MESSAGE: Rule %s:%s has been modified DESCRIPTION: An application patrol rule has been modified. 1st %s: Protocol Name, 2nd: Rule Index.
  • Page 584 The device failed to get the application patrol protocol list. System fatal error: 60011002. The device failed to initiate XML. System fatal error: 60011003. The device failed to turn application patrol off while the system was initiating. System fatal error: 60011004.
  • Page 585 The Asymmetrical Route has been enabled. LOG MESSAGE: Asymmetrical Route has been turned off. DESCRIPTION: The Asymmetrical Route has been disabled. Table 221 Sessions Limit Logs. LOG MESSAGE: Maximum sessions per host (%d) was exceeded. DESCRIPTION: %d is maximum sessions per host.
  • Page 586 1st %d: the original policy route rule number 2nd %d: the new policy route rule number LOG MESSAGE: Policy-route rule %d was deleted. DESCRIPTION: Rule is deleted. %d: the policy route rule number LOG MESSAGE: Policy-route rules were flushed. DESCRIPTION: Policy routing rules are cleared.
  • Page 587 LOG MESSAGE: TELNET port has been changed to port %s. DESCRIPTION: An administrator changed the port number for TELNET. %s is port number assigned by user LOG MESSAGE: TELNET port has been changed to default port. DESCRIPTION: An administrator changed the port number for TELNET back to the default (23).
  • Page 588 Enable daylight saving. LOG MESSAGE: Disable daylight saving. DESCRIPTION: An administrator turned off daylight saving. LOG MESSAGE: DNS access control rules have been reached the maximum number. DESCRIPTION: An administrator tried to add more than the maximum number of DNS access control rules (64).
  • Page 589 LOG MESSAGE: Wizard adds DNS server %s failed because Zone Forwarder numbers have reached the maximum number of 32. DESCRIPTION: Wizard apply DNS server fail because the device already has the maximum number of DNS records configured. %s is IP address of the DNS server.
  • Page 590 LOG MESSAGE: %s is dead at %s DESCRIPTION: system). 1st %s: Daemon Name, 2nd %s: date and time LOG MESSAGE: %s process count is incorrect at %s DESCRIPTION: The count of the listed process is incorrect. 1st %s: Daemon Name, 2nd %s: date and time
  • Page 591 IP address. arp response packets for the requested IP address LOG MESSAGE: Clear arp cache successfully. DESCRIPTION: The ARP cache was cleared successfully. LOG MESSAGE: Client MAC address is not an Ethernet address DESCRIPTION: A client MAC address is not an Ethernet address.
  • Page 592 LOG MESSAGE: Port %d is down!! DESCRIPTION: The specified port has its link down. Table 225 Connectivity Check Logs. LOG MESSAGE: Can't open link_up2 DESCRIPTION: Cannot recover routing status which is link-down. LOG MESSAGE: Can not open %s.pid DESCRIPTION: Cannot open connectivity check process ID file. %s: interface name
  • Page 593 LOG MESSAGE: Can't use MULTICAST IP for destination DESCRIPTION: The connectivity check process can't use multicast address to check link-status. LOG MESSAGE: The destination is invalid, because destination IP is broadcast IP DESCRIPTION: The connectivity check process can't use broadcast address to check link-status.
  • Page 594 LOG MESSAGE: Skip syncing it for %s DESCRIPTION: (AV/AS/IDP/Certificate/System Configuration), But in fact, there should be something in the Master for the device to synchronize with, 1st %s: The syncing object, 2nd %s: The feature name for the syncing object.
  • Page 595 3rd %s: unlicensed or license expired. LOG MESSAGE: Device HA authentication type for VRRP group %s maybe wrong. DESCRIPTION: A VRRP group’s Authentication Type (Md5 or IPSec AH) configuration may not match between the Backup and the Master. %s: The name of the VRRP group.
  • Page 596 %s for %s due to transmission timeout. %s: The name of the VRRP interface. VRRP interface %s has been shutdown. %s: The name of the VRRP interface. VRRP interface %s has been brought up. NXC5200 User’s Guide...
  • Page 597 %d: Port number FTP ALG apply additional signal port failed. Register FTP ALG extra port=%d failed. %d: Port number FTP ALG apply signal port failed. Register FTP ALG signal port=%d failed. %d: Port number NXC5200 User’s Guide...
  • Page 598 LOG MESSAGE: Interface %s has been deleted. DESCRIPTION: An administrator deleted an interface. %s is the interface name. LOG MESSAGE: AUX Interface dialing failed. This AUX interface is not enabled. DESCRIPTION: A user tried to dial the AUX interface, but the AUX interface is not enabled.
  • Page 599 > (base interface MTU - 8), PPP interface may not run correctly. correctly because PPP packets will be fragmented by base interface and peer will not receive correct PPP packets.1st %s: Ethernet interface name, 2nd %s: PPP interface name. NXC5200 User’s Guide...
  • Page 600 LOG MESSAGE: Interface %s is disconnected. DESCRIPTION: A PPP or AUX interface disconnected successfully. %s: interface name. LOG MESSAGE: Interface %s connect failed: Peer not responding. DESCRIPTION: The interface’s connection will be terminated because the server did not send any LCP packets. %s: interface name.
  • Page 601 LOG MESSAGE: damaged or not inserted. Please remove the device, then check the SIM card. DESCRIPTION: Remove the device and check its SIM card. If it does not appear to be damaged, try re-inserting the SIM card.
  • Page 602 %s] has been removed from %s. LOG MESSAGE: Interface cellular%d required authentication password. Please set password in cellular%d edit page. DESCRIPTION: You need to manually enter the password for the listed cellular interface (%d).
  • Page 603 LOG MESSAGE: WPA or WPA2 enterprise internal authentication. Interface: %s, MAC: DESCRIPTION: NXC’s local user database while trying to connect to the specified WLAN interface (first %s). The MAC address of the wireless client is listed (second %s).
  • Page 604 LOG MESSAGE: Force User Authentication will be disabled due to http server is disabled. DESCRIPTION: Force user authentication will be turned off because HTTP server was turned off. Force User Authentication may not work properly!
  • Page 605 LOG MESSAGE: for DHCP request - %s ! DESCRIPTION: There is no matching DHCP lease for a DHCP client’s request for the specified IP address. LOG MESSAGE: DHCP released %s with %s(%s) DESCRIPTION: A DHCP client released the specified IP address. The DHCP client’s hostname and MAC address are listed.
  • Page 606 Table 236 IP-MAC Binding Logs. LOG MESSAGE: Drop packet %s-%u.%u.%u.%u-%02X:%02X:%02X:%02X:%02X:%02X DESCRIPTION: The IP-MAC binding feature dropped an Ethernet packet. The interface the packet came in through and the sender’s IP address and MAC address are also shown.
  • Page 607 Model:%s 7th %s: Managed AP Model Name. LOG MESSAGE: Delete a Managed AP. MACAddr:%02x%02x%02x%02x%02x%02x, Model:%s DESCRIPTION: The specified AP from managed list was deleted. 1st %02x ~ 6th %02x: Managed AP MAC Address. 7th %s: Managed AP Model Name.
  • Page 608 Indicates that a Send Updating Configuration request was Configuration to Managed sent to an AP on the Managed List. 1st %02x ~ 6th %02x: Managed AP MAC Address. MACAddr:%02x%02x%0 2x%02x%02x%02x, 7th %s: Managed AP Model Name. Model:%s, Name:%s 8th %s: Managed AP Description. NXC5200 User’s Guide...
  • Page 609 Indicates the specified station associated with the specified Addr:%02x:%02x:%02x: 1st %02x~6th%02x: Station MAC Address. %02x:%02x:%02x,AP= 7th %s: AP's description. STA Disassociation. Indicates the specified station de-associated from the specified AP. Addr:%02x:%02x:%02x: 1st %02x~6th%02x: Station MAC Address. %02x:%02x:%02x,AP= 7th %s: AP's description. NXC5200 User’s Guide...
  • Page 610 Indicates that this particular action failed. %d, %d, %d, %d) from 1st %s: tunnel name vwp list! 2nd %s: vwp net dev name 1st %d: tunnel id 2nd %d: radio id 3rd %d: vap id 4th %d: vid NXC5200 User’s Guide...
  • Page 611 1st %02x ~ 6th %02x: MAC address Table 240 AP Load Balancing Logs. LOG MESSAGE: kick station %02x:%02x:%02x:%02x:%02x:%02x DESCRIPTION: Indicates that the specified station was removed from an AP’s wireless network because the AP became overloaded.
  • Page 612 DCS has changed the wireless interface %s channel from %d -> %d\n to channel %d. 1st %s: interface name 1st %d: current channel 2nd %d: new channel dcs is terminated! DCS was terminated for an unknown reason. NXC5200 User’s Guide...
  • Page 613: Appendix B Common Services

    Border Gateway Protocol. BOOTP_CLIENT DHCP Client. BOOTP_SERVER DHCP Server. CU-SEEME 7648 A popular videoconferencing solution from White Pines Software. 24032 TCP/UDP Domain Name Server, a service that matches web names (for example www.zyxel.com) to IP numbers. NXC5200 User’s Guide...
  • Page 614 ICMP echo requests to test whether or not a remote host is reachable. POP3 Post Office Protocol version 3 lets a client computer get e-mail from a POP3 server through a temporary connection (TCP/IP or other). NXC5200 User’s Guide...
  • Page 615 Access Controller Access Control System). TELNET Telnet is the login and terminal emulation protocol common on the Internet and in UNIX environments. It operates over TCP/IP networks. Its primary function is to allow users to log into remote host systems. NXC5200 User’s Guide...
  • Page 616 Table 244 Commonly Used Services (continued) NAME PROTOCOL PORT(S) DESCRIPTION TFTP Trivial File Transfer Protocol is an Internet file transfer protocol similar to FTP, but uses the UDP (User Datagram Protocol) rather than TCP (Transmission Control Protocol). VDOLIVE 7000 Another videoconferencing solution. NXC5200 User’s Guide...
  • Page 617: Appendix C Displaying Anti-Virus Alert Messages In Windows

    Microsoft Windows-based computer is not displaying an alert message, use one of the following procedures to make sure your computer is set to display the messages. Windows XP Click Start > Control Panel > Administrative Tools > Services.
  • Page 618 Select the Messenger service and click Start. Close the window when you are done. Windows 2000 Click Start > Settings > Control Panel > Administrative Tools > Services. Select the Messenger service and click Start Service. Close the window when you are done. NXC5200 User’s Guide...
  • Page 619: Appendix D Importing Certificates

    However, because the certificates were not issued by one of the several organizations officially recognized by the most common web browsers, you will need to import the ZyXEL-created certificate into your web browser and flag that certificate as a trusted authority.
  • Page 620: Internet Explorer

    If your device’s Web Configurator is set to use SSL certification, then the first time you browse to it you are presented with a certification error. Click Continue to this website (not recommended). In the Address Bar, click Certificate Error > View certificates. NXC5200 User’s Guide...
  • Page 621 In the Certificate dialog box, click Install Certificate. In the Certificate Import Wizard, click Next.
  • Page 622 Next again and then go to step 9. Otherwise, select Place all certificates in the following store and then click Browse. In the Select Certificate Store dialog box, choose a location in which to save the certificate and then click OK. NXC5200 User’s Guide...
  • Page 623 In the Completing the Certificate Import Wizard screen, click Finish. 10 If you are presented with another Security Warning, click Yes. 11 Finally, click OK when presented with the successful certificate installation message.
  • Page 624 12 The next time you start Internet Explorer and go to a ZyXEL Web Configurator page, a sealed padlock icon appears in the address bar. Click it to view the page’s Website Identification information. Installing a Stand-Alone Certificate File in Internet Explorer...
  • Page 625 This section shows you how to remove a public key certificate in Internet Explorer 7 on Windows XP. Open Internet Explorer and click Tools > Internet Options. In the Internet Options dialog box, click Content > Certificates. NXC5200 User’s Guide...
  • Page 626 In the Certificates confirmation, click Yes. In the Root Certificate Store dialog box, click Yes. The next time you go to the web site that issued the public key certificate you just removed, a certification error appears. NXC5200 User’s Guide...
  • Page 627 The certificate is stored and you can now connect securely to the Web Configurator. A sealed padlock appears in the address bar, which you can click to open the Page Info > Security window to view the web page’s security information. NXC5200 User’s Guide...
  • Page 628 Installing a Stand-Alone Certificate File in Firefox Rather than browsing to a ZyXEL Web Configurator and installing a public key certificate when prompted, you can install a stand-alone certificate file if one has been issued to you.
  • Page 629 Use the Select File dialog box to locate the certificate and then click Open. The next time you visit the web site, click the padlock in the address bar to open the Page Info > Security window to see the web page’s security information. NXC5200 User’s Guide...
  • Page 630 Removing a Certificate in Firefox This section shows you how to remove a public key certificate in Firefox 2. Open Firefox and click Tools > Options. In the Options dialog box, click Advanced > Encryption > View Certificates. NXC5200 User’s Guide...
  • Page 631 Delete. In the Delete Web Site Certificates dialog box, click OK. The next time you go to the web site that issued the public key certificate you just removed, a certification error appears. NXC5200 User’s Guide...
  • Page 633: Appendix E Wireless Lans

    (AP). Intra-BSS traffic is traffic between wireless clients in the BSS. When Intra-BSS is enabled, wireless client A and B can access the wired network and communicate NXC5200 User’s Guide...
  • Page 634 This wired connection between APs is called a Distribution System (DS). This type of wireless LAN topology is called an Infrastructure WLAN. The Access Points not only provide communication with the wired network but also mediate wireless network traffic in the immediate neighborhood. NXC5200 User’s Guide...
  • Page 635 AP should be on a channel at least five channels away from a channel that an adjacent AP is using. For example, if your region has 11 channels and an adjacent AP is using channel 1, then you need to select a channel between 6 and 11.
  • Page 636 RTS (Request To Send)/CTS (Clear to Send) handshake. You should only configure RTS/CTS if the possibility of hidden nodes exists on your network and the "cost" of resending large frames is more than the extra NXC5200 User’s Guide...
  • Page 637: Preamble Type

    Use short preamble if you are sure all wireless devices on the network support it, and to provide more efficient communications. Use the dynamic setting to automatically use short preamble when all wireless devices on the network support it, otherwise the NXC uses short preamble. NXC5200 User’s Guide...
  • Page 638 Table 246 Wireless Security Levels SECURITY SECURITY TYPE LEVEL Least Unique SSID (Default) Secure Unique SSID with Hide SSID Enabled MAC Address Filtering WEP Encryption IEEE802.1x EAP with RADIUS Server Authentication Wi-Fi Protected Access (WPA) Most Secure WPA2 NXC5200 User’s Guide...
  • Page 639 RADIUS server. Types of RADIUS Messages The following types of RADIUS messages are exchanged between the access point and the RADIUS server for user authentication: • Access-Request Sent by an access point requesting authentication. NXC5200 User’s Guide...
  • Page 640 For EAP-TLS authentication type, you must first have a wired connection to the network and obtain the certificate(s) from a certificate authority (CA). A certificate (also called digital IDs) can be used to authenticate users and a CA issues certificates and guarantees the identity of each certificate owner. NXC5200 User’s Guide...
  • Page 641 However, PEAP only supports EAP methods, such as EAP-MD5, EAP-MSCHAPv2 and EAP-GTC (EAP-Generic Token Card), for client authentication. EAP-GTC is implemented only by Cisco. NXC5200 User’s Guide...
  • Page 642: Dynamic Wep Key Exchange

    Wi-Fi Protected Access (WPA) is a subset of the IEEE 802.11i standard. WPA2 (IEEE 802.11i) is a wireless security standard that defines stronger encryption, authentication and key management than WPA. Key differences between WPA or WPA2 and WEP are improved data encryption and user authentication. NXC5200 User’s Guide...
  • Page 643 By generating unique data encryption keys for every data packet and by creating an integrity checking mechanism (MIC), with TKIP and AES it is more difficult to decrypt data on a Wi-Fi network than WEP and difficult for an intruder to break into the network. NXC5200 User’s Guide...
  • Page 644 (default is 1812), and the RADIUS shared secret. A WPA(2) application example with an external RADIUS server looks as follows. "A" is the RADIUS server. "DS" is the distribution system. The AP passes the wireless client's authentication request to the RADIUS server. NXC5200 User’s Guide...
  • Page 645 The AP checks each wireless client's password and allows it to join the network only if the password matches. The AP and wireless clients generate a common PMK (Pairwise Master Key). The key itself is not sent over the network, but is derived from the PSK and the SSID. NXC5200 User’s Guide...
  • Page 646: Security Parameters Summary

    Enable without Dynamic WEP Key Open Enable with Dynamic WEP Key Enable without Dynamic WEP Key Disable Shared Enable with Dynamic WEP Key Enable without Dynamic WEP Key Disable TKIP/AES Enable WPA-PSK TKIP/AES Disable WPA2 TKIP/AES Enable WPA2-PSK TKIP/AES Disable NXC5200 User’s Guide...
  • Page 647: Appendix F Open Software Announcements

    License Agreement remains in full force and effect. Ownership of the Software, Documentation and all intellectual property rights therein shall remain at all times with ZyXEL. Any other use of the Software by any other entity is strictly forbidden and is a violation of this License Agreement.
  • Page 648 Open-Sourced Components, which have been provided on the License Notice as below for the Software. ZyXEL is not obligated to provide any maintenance, technical or other support for the resultant modified Software. You may not copy, reverse engineer, decompile, reverse compile, translate, adapt, or disassemble the Software, or any part thereof, nor shall you attempt to create the source code from the object code for the Software.
  • Page 649 ZyXEL may terminate this License Agreement for any reason, including, but not limited to, if ZyXEL finds that you have violated any of the terms of this License Agreement. Upon notification of termination, you agree to destroy or return to ZyXEL all copies of the Software and Documentation and to certify in writing that all known copies, including backup copies, have been destroyed.
  • Page 650 Software, and to permit persons to whom the Software is furnished to do so, subject to the following conditions: The above copyright notice and this permission notice shall be included in all copies or substantial portions of the Software. This Product includes openssl software under the OpenSSL License NXC5200 User’s Guide...
  • Page 651 * 3. All advertising materials mentioning features or use of this software must display the following acknowledgment: "This product includes software developed by the OpenSSL Project for use in the OpenSSL Toolkit. (http://www.openssl.org/)" NXC5200 User’s Guide...
  • Page 652 * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED * OF THE POSSIBILITY OF SUCH DAMAGE. =============================================================== * This product includes cryptographic software written by Eric Young * (eay@cryptsoft.com). This product includes software written by Tim NXC5200 User’s Guide...
  • Page 653 * Redistribution and use in source and binary forms, with or without * modification, are permitted provided that the following conditions * are met: * 1. Redistributions of source code must retain the copyright notice, this list of conditions and the following disclaimer. NXC5200 User’s Guide...
  • Page 654 * derivative of this code cannot be changed. i.e. this code cannot simply be * copied and put under another distribution licence This Product includes libevent and xinetd software under the a 3-clause BSD License a 3-clause BSD-style license NXC5200 User’s Guide...
  • Page 655 THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS. IN NO NXC5200 User’s Guide...
  • Page 656 Licensor for the purpose of discussing and improving the Work, but excluding communication that is conspicuously marked or otherwise designated in writing by the copyright owner as "Not a Contribution." NXC5200 User’s Guide...
  • Page 657 7. Disclaimer of Warranty. Unless required by applicable law or agreed to in writing, Licensor provides the Work (and each Contributor provides its Contributions) on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied, including, without limitation, NXC5200 User’s Guide...
  • Page 658 HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. NXC5200 User’s Guide...
  • Page 659 Also, if the library is modified by someone else and passed on, the recipients should know that what they have is not the original version, so that the original author's reputation will not be affected by problems that might be introduced by others. NXC5200 User’s Guide...
  • Page 660 Activities other than copying, distribution and modification are not covered by this License; they are NXC5200 User’s Guide...
  • Page 662 7. You may place library facilities that are a work based on the Library side-by-side in a single library together with other library facilities not covered by this License, and distribute such a combined library, provided that the separate distribution of the work based on the Library and of the other library NXC5200 User’s Guide...
  • Page 663 Free Software Foundation. If the Library does not specify a license version number, you may choose any version ever published by the Free Software Foundation. NXC5200 User’s Guide...
  • Page 665 License. (Exception: if the Program itself is interactive but does not normally print such an announcement, your work based on the Program is not required to print an announcement.) NXC5200 User’s Guide...
  • Page 666 (not limited to patent issues), conditions are imposed on you (whether by court order, agreement or otherwise) that contradict the conditions of this License, they do not excuse you from the conditions of this License. If you cannot distribute so as to satisfy simultaneously your obligations under this License NXC5200 User’s Guide...
  • Page 667 OPERATE WITH ANY OTHER PROGRAMS), EVEN IF SUCH HOLDER OR OTHER PARTY HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. END OF TERMS AND CONDITIONS All other trademarks or trade names mentioned herein, if any, are the property of their respective owners. NXC5200 User’s Guide...
  • Page 668 CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE. This Product includes openldap software under the OpenLdap License The Public License Version 2.8, 17 August 2003 NXC5200 User’s Guide...
  • Page 669 1.2.6, August 15, 2004, through 1.4.1, February 25, 2010, are Copyright (c) 2004, 2006-2007 Glenn Randers-Pehrson, and are distributed according to the same disclaimer and license as libpng-1.2.5 with the following individual added to the list of Contributing Authors Cosmin Truta NXC5200 User’s Guide...
  • Page 670 Copyright (c) 1996, 1997 Andreas Dilger Distributed according to the same disclaimer and license as libpng-0.88, with the following individuals added to the list of Contributing Authors: John Bowler Kevin Bracey Sam Bushell Magnus Holmgren Greg Roelofs Tom Tanner NXC5200 User’s Guide...
  • Page 671 PNG file format in commercial products. If you use this source code in a product, acknowledgment is not required but would be appreciated. A "png_get_copyright" function is available, for convenient use in "about" boxes and the like: NXC5200 User’s Guide...
  • Page 672 2. Altered source versions must be plainly marked as such, and must not be misrepresented as being the original software. 3. This notice may not be removed or altered from any source distribution. NXC5200 User’s Guide...
  • Page 673 License Agreement remains in full force and effect. Ownership of the Software, Documentation and all intellectual property rights therein shall remain at all times with ZyXEL. Any other use of the Software by any other entity is strictly forbidden and is a violation of this License Agreement.
  • Page 674 Notice as below for the Software, and your use of such material is governed by their respective terms. ZyXEL has provided, as part of the Software package, access to certain third party software as a convenience. To the extent that the Software contains third party software, ZyXEL has no express or implied obligation to provide any technical or other support for such software.
  • Page 675 ZyXEL may terminate this License Agreement for any reason, including, but not limited to, if ZyXEL finds that you have violated any of the terms of this License Agreement. Upon notification of termination, you agree to destroy or return to ZyXEL all copies of the Software and Documentation and to certify in writing that all known copies, including backup copies, have been destroyed.
  • Page 676 The OpenSSL toolkit stays under a dual license, i.e. both the conditions of the OpenSSL License and the original SSLeay license apply to the toolkit. See below for the actual license texts. Actually both licenses are BSD-style NXC5200 User’s Guide...
  • Page 677 * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to endorse or promote products derived from this software without prior written permission. For written permission, please contact openssl-core@openssl.org. * 5. Products derived from this software may not be called "OpenSSL" NXC5200 User’s Guide...
  • Page 678 * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED * OF THE POSSIBILITY OF SUCH DAMAGE. ============================================================== * This product includes cryptographic software written by Eric Young * (eay@cryptsoft.com). This product includes software written by Tim * Hudson (tjh@cryptsoft.com). Original SSLeay License ----------------------- NXC5200 User’s Guide...
  • Page 679 * 2. Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the following disclaimer in the documentation and/or other materials provided with the distribution. * 3. All advertising materials mentioning features or use of this software NXC5200 User’s Guide...
  • Page 680 This Product includes libevent and xinetd software under the a 3-clause BSD License a 3-clause BSD-style license This is a Free Software License "This license is compatible with The GNU General Public License, Version 1 "This license is compatible with The GNU General Public License, Version 2 NXC5200 User’s Guide...
  • Page 681 OR ANY DAMAGES WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. NXC5200 User’s Guide...
  • Page 682 Licensor and subsequently incorporated within the Work. 2. Grant of Copyright License. Subject to the terms and conditions of this License, each Contributor hereby grants to You a perpetual, worldwide, non-exclusive, no-charge, royalty-free, irrevocable NXC5200 User’s Guide...
  • Page 683 TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A PARTICULAR PURPOSE. You are solely responsible for determining the appropriateness of using or redistributing the Work and assume any risks associated with Your exercise of permissions under this License. NXC5200 User’s Guide...
  • Page 684 Software Foundation. For more information on the Apache Software Foundation, please see <http://www.apache.org/>. Portions of this software are based upon public domain software originally written at the National Center for Supercomputing Applications, University of Illinois, Urbana-Champaign.
  • Page 685 Most GNU software, including some libraries, is covered by the ordinary GNU General Public License. This license, the GNU Lesser General Public License, applies to certain designated libraries, and is quite NXC5200 User’s Guide...
  • Page 686 Library does. 1. You may copy and distribute verbatim copies of the Library's complete source code as you receive it, in any medium, provided that you conspicuously and appropriately publish on each copy an NXC5200 User’s Guide...
  • Page 687 Library (because it contains portions of the Library), rather than a "work that uses the library". The executable is therefore covered by this License. Section 6 states terms for distribution of such executables. When a "work that uses the Library" uses material from a header file that is part of NXC5200 User’s Guide...
  • Page 688 8. You may not copy, modify, sublicense, link with, or distribute the Library except as expressly provided under this License. Any attempt otherwise to copy, modify, sublicense, link with, or distribute NXC5200 User’s Guide...
  • Page 689 Our decision will be guided by the two goals of preserving the free status of all derivatives of our free software and of promoting the sharing and reuse of software generally. NO WARRANTY NXC5200 User’s Guide...
  • Page 690 We protect your rights with two steps: (1) copyright the software, and (2) offer you this license which gives you legal permission to copy, distribute and/or modify the software. Also, for each author's NXC5200 User’s Guide...
  • Page 691 Thus, it is not the intent of this section to claim rights or contest your rights to work written entirely by you; rather, the intent is to exercise the right to control the distribution of derivative or collective NXC5200 User’s Guide...
  • Page 692 It is not the purpose of this section to induce you to infringe any patents or other property right claims or to contest NXC5200 User’s Guide...
  • Page 693 All other trademarks or trade names mentioned herein, if any, are the property of their respective owners. This Product includes ppp, tcpdump, unzip, zip, libnet, net-snmp, openssh, hostapd and ftp-tls software under BSD license Copyright (c) [dates as appropriate to package] NXC5200 User’s Guide...
  • Page 694 1. Redistributions in source form must retain copyright statements and notices, 2. Redistributions in binary form must reproduce applicable copyright statements and notices, this list of conditions, and the following disclaimer in the documentation and/or other materials provided with the distribution, and NXC5200 User’s Guide...
  • Page 695 1.0.7, July 1, 2000, through 1.2.5 - October 3, 2002, are Copyright (c) 2000-2002 Glenn Randers-Pehrson, and are distributed according to the same disclaimer and license as libpng-1.0.6 with the following individuals added to the list of Contributing Authors Simon-Pierre Cadieux NXC5200 User’s Guide...
  • Page 696 0.5, May 1995, through 0.88, January 1996, are Copyright (c) 1995, 1996 Guy Eric Schalnat, Group 42, Inc. For the purposes of this copyright and license, "Contributing Authors" is defined as the following set of individuals: Andreas Dilger NXC5200 User’s Guide...
  • Page 697 Also, the PNG logo (in PNG format, of course) is supplied in the files "pngbar.png" and "pngbar.jpg (88x31) and "pngnow.png" (98x31). Libpng is OSI Certified Open Source Software. OSI Certified Open Source is a certification mark of the Open Source Initiative. NXC5200 User’s Guide...
  • Page 698 2. Altered source versions must be plainly marked as such, and must not be misrepresented as being the original software. 3. This notice may not be removed or altered from any source distribution. NXC5200 User’s Guide...
  • Page 699: Appendix G Legal Information

    Published by ZyXEL Communications Corporation. All rights reserved. Disclaimer ZyXEL does not assume any liability arising out of the application or use of any products, or software described herein. Neither does it convey any license under its patent rights nor the patent rights of others. ZyXEL further reserves the right to make changes in any products described herein without notice.
  • Page 700 CLASS 1 LASER PRODUCT APPAREIL À LASER DE CLASSE 1 Viewing Certifications Go to http://www.zyxel.com. Select your product on the ZyXEL home page to go to that product's page. Select the certification you wish to view from this page.
  • Page 701 ZyXEL Limited Warranty ZyXEL warrants to the original end user (purchaser) that this product is free from any defects in materials or workmanship for a period of up to two years from the date of purchase. During the warranty period, and upon proof of purchase, should...
  • Page 703: Index

    Web Configurator false positives account inline profile myZyXEL.com monitor profile user port scanning accounting server prerequisites Active Directory, see AD protocol anomaly active sessions 106, 111, 124 signatures 425, 428, 429, 431, 432
  • Page 704 Apache-whitespace updating signatures ASCII-encoding virus backdoor virus types bare byte encoding white list 294, 298 base36-encoding worm buffer overflow AP (Access Point)
  • Page 705 Basic Service Set, See BSS worm Bind DN 429, 432 Authenex Strong Authentication System BitTorrent (ASAS) Blaster authentication LDAP/AD boot module server boot sector virus authentication method objects and users buffer overflow and WWW buffer overflow attacks create where used
  • Page 706 CTS (Clear to Send) channel current date/time 107, 464 interference and schedules 32, 51 daylight savings button setting manually messages time server popup window custom signatures 320, 323, 548 Reference Guide applying cluster ID 366, 551 example
  • Page 707 EICAR and interfaces e-mail client list daily statistics report pool virus static DHCP e-Mule diagnostics encryption Differentiated Services Code Point (DSCP) and anti-virus Digital Signature Algorithm public-key algorithm, see DSA end of IP list directory
  • Page 708 261, 280, 282, 284 and service groups Guide and services 261, 414 CLI Reference and SIP (ALG) Quick Start and user groups 261, 264 and users 261, 264 and zones 250, 259 asymmetrical routes 256, 258 configuration overview
  • Page 709 IHL (IP Header Length) flood attack portsweep backslash-evasion attack sequence number emulation Time Stamp header length encoding type server unreachables unicode identification (IP) unicode-codepoint-encoding attack IM (Instant Messenger) action 313, 348 iMesh alerts Independent Basic Service Set and services
  • Page 710 Intrusion, Detection and Prevention see IDP 429, 432 directory intrusions directory structure host Distinguished Name, see DN network 428, 429, 431, 432 IP (Internet Protocol) password IP decoy portscan port 431, 434 IP distributed portscan search time limit
  • Page 711 Ethernet interface Name Server, see NBNS. range NetMeeting macro virus see also H.323 management access and device HA Netscape Navigator Management Information Base (MIB) 500, 501 Network Address Translation, see NAT managing bandwidth Network Time Protocol (NTP)
  • Page 712 204, 549 and policy routes and service groups and services ports Power LED P2P (Peer-to-peer) power off attacks
  • Page 713 539, 541 record route routing protocols and Ethernet interfaces Reference Guide, CLI registration 448, 452, 459 configuration overview prerequisites see also ALG product RTS (Request To Send) subscription services, see subscription threshold 636, 637 services registration status
  • Page 714 IDP SNAT and policy routes SNMP 500, 501 and port triggering agents subscription and address groups where used and address objects Session Initiation Protocol, see SIP and zones session limits 252, 262 sessions GetNext
  • Page 715 105, 464 present at restart system protect startup-config-bad.conf updating signatures static DHCP system reports, see reports static routes system uptime and interfaces system-default.conf configuration overview metric prerequisites
  • Page 716 106, 110 vs virtual interfaces onboard flash trojan attacks sessions 106, 111 troubleshooting 531, 543 user authentication truncated-address-header attack external truncated-header attack 355, 356 local user database truncated-options attack user awareness
  • Page 717 UTF-8-encoding attack ZyXEL webroot-directory-traversal attack WEP (Wired Equivalent Privacy) Wi-Fi Protected Access 388, 642 Windows Internet Naming Service, see WINS Vantage Report (VRPT) 509, 515 Windows Internet Naming Service, see WINS. virtual interfaces WINS 184, 192, 196
  • Page 718 HTTP, HTTPS www.zyxel.com zones 60, 213 and firewall 250, 259 and FTP and interfaces 60, 213 and SNMP and SSH and Telnet and VPN 60, 213 and WWW

This manual is also suitable for:

Nxc5200 - v2.20