Contents
1. Modifying an Internal Group
   Step 1: In the Internal Group window, locate the network group to be modified and click its corresponding Modify option in the Configure field.
   Step 2: A window displaying the information of the selected group appears. Available Address list: names of all members of the Internal network. Selected Address list: names of members which have been assigned to this group.
   Step 3: Add members: select names in the Available Address list and click the Add >> button to add them to the Selected Address list.
   Step 4: Remove members: select names in the Selected Address list and click the << Remove button to remove these members from the Selected Address list.
   Step 5: Click OK to save changes or click Cancel to discard changes.
   Removing an Internal Group
   Step 1: In the Internal Group window, locate the group to be removed and click its corresponding Remove option in the Configure field.
   Step 2: In the Remove confirmation pop-up box, click OK to remove the group or click Cancel to discard changes.
2. Configure: modify settings. Move: this sets the priority of the policies, number 1 being the highest priority.
   Adding a new Outgoing Policy
   Step 1: Click on the New Entry button and the Add New Policy window will appear.
   Step 2: Source Address: Select the name of the Internal (LAN) network from the drop-down list. The drop-down list contains the names of all internal networks defined in the Internal section of the Address menu. To create a new source address, please go to the Internal section under the Address menu.
   Destination Address: Select the name of the External (WAN) network from the drop-down list. The drop-down list contains the names of all external networks defined in the External section of the Address window. To create a new destination address, please go to the External section under the Address menu.
   Service: Specified services provided by external network servers. These are services/application that are allowed to pass from the Internal network to the External network. Choose ANY for all services.
   Action: Select Permit o
3. Step 1: In the External Group window, locate the network group to be modified and click its corresponding Modify button in the Configure field.
   Step 2: A window displaying the information of the selected group appears. Available Address list: the names of all the members of the external network. Selected Address list: the names of the members that have been assigned to this group.
   Step 3: Add members: select the names to be added in the Available Address list and click the Add >> button to add them to the Selected Address list.
   Step 4: Remove members: select the names to be removed in the Selected Address list and click the << Remove button to remove them from the Selected Address list.
   Step 5: Click OK to save changes or click Cancel to discard changes.
   Removing an External Group
   Step 1: In the External Group window, locate the group to be removed and click its corresponding Modify option in the Configure field.
   Step 2: In the Remove confirmation pop-up box, click OK to remove the group or click Cancel to discard changes.
4. Log
   The FIREWALL VPN ROUTER Office Firewall supports traffic logging and event logging to monitor and record services, connection times, and the source and destination network address. The Administrator may also download the log files for backup purposes. The Administrator mainly uses the Log menu to monitor the traffic passing through the FIREWALL VPN ROUTER Firewall.
   What is Log?
   Log records all connections that pass through the Firewall's control policies. Traffic log parameters are set up when setting up control policies. Traffic logs record the details of packets, such as the start and stop time of connection, the duration of connection, the source address, the destination address and services requested, for each control policy. Event logs record the contents of System Configuration changes made by the Administrator, such as the time of change, settings that change, the IP address used to log on, etc.
   How to use the Log
   The Administrator can use the log data to monitor and manage the FIREWALL VPN ROUTER and the networks. The Administrator can view the logged data to evaluate and troubleshoot the network, such as pinpointing the source of traffic congestions.
   Traffic Log
   The Administrator queries the Firewall for information such as source address, destination address, start time and Protoc
5. Displays current connection status between PPTP Server and PPTP client. Configure: Click Modify to modify the PPTP Client settings or click Remove to remove the item.
   Modifying PPTP Server Design
   Step 1: Select VPN > PPTP Server.
   Step 2: Click Modify after the Client IP Range.
   Step 3: In the Modify Server Design window, enter appropriate settings.
   Disable PPTP: Check to disable PPTP Server.
   Enable PPTP: Check to enable PPTP Server.
   1. Encryption: the default is set to disabled.
   2. Client IP Range: Enter the IP range allocated for PPTP Client to connect to the PPTP server.
   Auto Disconnect if idle ... minutes: Configure this device to disconnect from the PPTP Server when there is no activity for a predetermined period of time. To keep the line always connected, set the number to 0.
   Schedule: Click the down arrow to select the schedule which was pre determined in Schedule
6. External
   Entering the External window
   Click External under the Address menu to enter the External window. The current setting information, such as the name of the External network, IP and Netmask addresses, will show on the screen.
   Adding a new External Address
   Step 1: In the External window, click the New Entry button.
   Step 2: In the Add New Address window, enter the settings for a new external network address.
   Step 3: Click OK to add the specified external network or click Cancel to discard changes.
   Modifying an External Address
   Step 1: In the External table, locate the name of the network to be modified and click the Modify option in its corresponding Configure field.
   Step 2: The Modify Address window will appear on
7. Option: specify the monitoring functions on packets from the DMZ network to external networks travelling through the Firewall. Configure: modify settings or remove policies. Move: this sets the priority of the policies, number 1 being the highest priority.
   Adding a DMZ To External Policy
   Step 1: Click the New Entry button and the Add New Policy window will appear.
   Step 2: Source Address: Select the name of the DMZ network from the drop-down list. The drop-down list will contain names of DMZ networks defined in the DMZ section of the Address menu. To add a new source address, please go to the DMZ section under the Address menu.
   Destination Address: Select the name of the external network from the drop-down list. The drop-down list lists names of addresses defined in the External section of the Address menu. To add a new destination address, please go to the External section of the Address menu.
   Service: Select a service from the drop-down list. The drop-down list will contain services defined in the Custom or Group section under the Service menu. These are service
8. Downloading the Event Alarm Logs
   The Administrator can back up event alarm logs regularly by downloading them to a file on the computer.
   Step 1: In the Event Alarm window, click the Download Logs button at the bottom of the screen.
   Step 2: Follow the File Download pop-up box to save the event alarm logs into a specific directory on the hard drive.
9. Setting the Virtual Server's services
   Step 1: For the Virtual Server which has already been set up with an IP address, click the New Service button in the table.
   Step 2: In the Virtual Server Configurations window: Virtual Server IP displays the external IP address assigned to the Virtual Server. External Service Port: select the port number that the virtual server will use. Changing the Service will change the port number to match the service. Service: select the service from the pull-down list that will be provided by the Virtual Server. The services in the drop-down list are all defined in the Pre-defined and Custom section of the Service menu.
   Step 3: Enter the IP address of the internal network server(s) to which the virtual server will be mapped. Up to four IP addresses can be assigned at most.
   Step 4: Click OK to save the settings of the Virtual Server.
   Modifying the Virtual Server configuratio
10. Removing a Static Route
   Step 1: In the Route Table window, find the route to remove and click the corresponding Remove option in the Configure field.
   Step 2: In the Remove confirmation pop-up box, click OK to confirm removing or click Cancel to cancel it.
   DHCP
   In the section the Administrator can configure DHCP (Dynamic Host Configuration Protocol) settings for the Internal (LAN) network.
   Entering the DHCP window
   Step 1: Click Configuration on the left-hand side menu bar and then click DHCP below it. The DHCP window appears, in which current DHCP settings are shown on the screen.
11. Step 3: Select an External IP address, then click OK.
   Step 4: Click the New Service button on the bottom of the screen.
   Step 5: Add the FTP service pointing to the internal server IP address. Click OK.
   Step 6: A new Virtual Service should appear.
   Step 7: Go to the Incoming window under the Policy menu and then click on the New Entry button.
   Step 8: In the Add New Policy window, set each parameter, then click OK.
12. When Disable appears in the drop-down list, no Virtual Server can be added.
   Modifying a Virtual Server IP Address
   Step 1: Click the virtual server to be modified under the Virtual Server menu bar. A new window appears displaying the IP address and service of the specified virtual server.
   Step 2: Click on the Virtual Server's IP Address button at the top of the screen.
   Step 3: Choose a new IP address from the drop-down list.
   Step 4: Click OK to save the new IP address or click Cancel to cancel modification.
   Removing a Virtual Server
   Step 1: Click the virtual server to be removed in the corresponding Virtual Server option under the Virtual Server menu bar. A new window displaying the virtual server's IP address and service appears on the screen.
   Step 2: Click the Virtual Server's IP Address button at the top of the screen.
   Step 3: Select Disable in the drop-down list.
   Step 4: Click OK to remove the virtual server.
13. <-> 168.85.88.251 (External)
   4. Procurement department subnetwork: 192.168.4.11/24 (Internal) <-> 168.85.88.250 (External)
   5. Accounting department subnetwork: 192.168.5.11/24 (Internal) <-> 168.85.88.249 (External)
   The first department (R&D department) was set while setting the interface IP; the other four have to be added in Multiple NAT. After completing the settings, each department uses a different WAN IP address to connect to the Internet. The settings of each department are as follows:
   Service IP Address: 192.168.2.1
   Subnet Mask: 255.255.255.0
   Default Gateway: 192.168.2.11
   The other departments are also set by groups; this is the function of Multiple NAT.
   5. Multiple NAT settings
   Click Multiple NAT in the Configuration menu to enter the Multiple NAT window.
   Multiple NAT
   Global port interface IP Address: Global port IP Address.
   Local port interface IP Address: Local port IP Address and subnet Mask.
   Modify: Modify the settings of Mult
14. on the screen.
   Step 3: Enter the new values.
   Step 4: Click OK to accept editing or click Cancel.
   Removing Custom Services
   Step 1: In the Custom window, locate the service to be removed. Click its corresponding Remove option in the Configure field.
   Step 2: In the Remove confirmation pop-up box, click OK to remove the selected service or click Cancel to cancel action.
   Group
   Accessing the Group window
   Click Service in the menu bar on the left-hand side of the window. Click Group under it. A window will appear with a table displaying current service group settings set by the Administrator.
15. 1 In the Internal window, locate the name of the network to be modified. Click the Modify option in its corresponding Configure field. The Modify Address window appears on the screen immediately.
   Step 2: In the Modify Address window, fill in the new addresses.
   Step 3: Click OK to save changes or click Cancel to discard changes.
   Removing an Internal Address
   Step 1: In the Internal window, locate the name of the network to be removed. Click the Remove option in its corresponding Configure field.
   Step 2: In the Remove confirmation pop-up box, click OK to remove the address or click Cancel to discard changes.
   Internal Group
   Entering the Internal Group window
   The Internal Addresses may be combined together to become a group. Click Internal Group under the Address menu to enter the Inter
16. Dynamic IP Address functions
   Subnet: Internal network's subnet.
   NetMask: Internal network's netmask.
   Gateway: Internal network's gateway IP address.
   Broadcast: Internal network's broadcast IP address.
   Enabling DHCP Support
   Step 1: In the Dynamic IP Address window, click Enable DHCP Support.
   Step 2: Domain Name: The Administrator may enter the name of the Internal network domain if preferred.
   Step 3: Domain Name Server: Enter the IP address of the DNS Server to be assigned to the Internal network.
   Step 4: Client IP Address Range 1: Enter the starting and ending IP addresses to be dynamically assigned to DHCP clients.
   Step 5: Client IP Address Range 2: Enter the starting and ending IP addresses to be dynamically assigned to DHCP clients (Optional).
   Step 6: Click OK to enable DHCP support.
   DNS Proxy
   The FIREWALL VPN ROUTER's Administrator may use the DNS Proxy function to make the FIREWALL VPN ROUTER Firewall act as a DNS Server for the Internal and DMZ network. All DNS requests to a specific Domain Name will be routed to the firewall's IP address. For example, let's say an organization has their mail server i.e. mail dfl300
17. Possible ICMP FLOOD from 211.22.93.138 00:02:3b:00:85:1c against 61.59.227.170 recieved 2 packets
   Event: event descriptions.
   Clearing Event Alarm Logs
   The Administrator may clear on-line logs to keep the most updated logs on the screen.
   Step 1: In the Event Alarm window, click the Clear Logs button at the bottom of the screen.
   Step 2: In the Clear Logs pop-up box, click OK.
18. Address of the Firewall. If set to enable, the FIREWALL VPN ROUTER will respond to ping packets from the internal network.
   WebUI: Select this to allow the FIREWALL VPN ROUTER WebUI to be accessed from the Internal (LAN) network.
   External Interface
   Using the External Interface, the Administrator sets up the External (WAN) network. These IP Addresses are real public IP Addresses and are routable on the Internet.
   For PPPoE ADSL User: This option is for PPPoE users who are required to enter a username and password in order to connect, such as ADSL users.
   Current Status: Displays the current line status of the PPPoE connection.
   IP Address: Displays the IP Address of the PPPoE connection.
   Username: Enter the PPPoE username provided by the ISP.
   Password: Enter the PPPoE password provided by the ISP.
   IP Address provided by ISP:
   Dynamic: Select this if the IP address is automatically assigned by the ISP.
   Fixed: Select this if you were given a static IP address. Enter the IP address that is given to you by your ISP.
   Service On Demand: Auto Disconnect: The PPPoE connection will automatically disconnect after a length of idle time (no activities). Enter the amount of idle minutes before disconnection. Enter 0 if you do not want the PPPoE connection to disconnect at all.
   Ping: Select this to allow the external network to ping the IP Address of the Firewall. This will allow people from the Internet to be able to ping the F
19. Configure field.
   Step 2: Enter settings in the Modify Mapped IP window.
   Step 3: Click OK to save the change or click Cancel to cancel.
   Note: A Mapped IP cannot be modified if it has been assigned/used as a destination address of any Incoming policies.
   Removing a Mapped IP
   Step 1: In the Mapped IP table, locate the Mapped IP to be removed and click its corresponding Remove option in the Configure field.
   Step 2: In the Remove confirmation pop-up window, click OK to remove the Mapped IP or click Cancel to cancel.
   Virtual Server
   Virtual server is a one-to-many mapping technique which maps a real IP address from the external interface to private IP addresses of the internal network. This is done to provide services or applications defined in the Service menu to enter into the internal network. Unlike a mapped IP, which binds an external IP to an Internal/DMZ IP, virtual server binds external IP ports to Internal IP ports.
   Adding a Virtual Server
   Step 1: Click an available virtual serv
20. IP address of the external network and the real IP is translated to a private IP of the internal network. Mapped IP and Virtual Server are the two methods to translate the real IP into a private IP. Mapped IP maps IP in one-to-one fashion; that means all services of one real external IP address are mapped to one private internal IP address.
   Entering the Mapped IP window
   Click Mapped IP under the Virtual Server menu bar and the Mapped IP configuration window will appear.
   Adding a new IP Mapping
   Step 1: In the Mapped IP window, click the New Entry button; the Add New Mapped IP window will appear.
   External IP: select the external public IP address to be mapped.
   Internal IP: enter the internal private IP address or DMZ IP address which will be mapped 1-to-1 to the external IP address.
   Step 2: Click OK to add the new IP Mapping or click Cancel to cancel adding.
   Modifying a Mapped IP
   Step 1: In the Mapped IP table, locate the Mapped IP to be modified and click its corresponding Modify option in the
21. Delete Multiple NAT
   Step 1: Click Multiple NAT in the Configuration menu to enter the Multiple NAT window.
   Step 2: Find the IP Address you want to delete and click Delete.
   Step 3: A confirmation pop-up box will appear; click OK to delete the setting or click Cancel to discard changes.
   Hacker Alert
   The Administrator can enable the FIREWALL VPN ROUTER's auto-detect functions in this section. When abnormal conditions occur, the Firewall will send an e-mail alert to notify the Administrator and also display warning messages in the Event window of Alarm.
   [Screenshot: Firewall Settings, showing Detect SYN Attack (SYN Flood Threshold 200 Pkts/Sec), Detect ICMP Flood and Detect UDP Flood]
22. OK to clear the logs or click Cancel to cancel it.
   Log Report
   Step 1: Click Log > Log Report.
   Step 2: Log Mail Configuration: When the Log Mail files accumulated up to 300Kbytes router will no
23. Step 3: Click OK to add the policy. Click Cancel to discard changes.
   Modifying a URL Blocking policy
   Step 1: In the URL Blocking window, find the policy to be modified and click the corresponding Modify option in the Configure field.
   Step 2: Make the necessary changes.
   Step 3: Click on OK to save changes or click on Cancel to cancel modifications.
   Removing a URL Blocking policy
   Step 1: In the URL Blocking window, find the policy to be removed and click the corresponding Remove option in the Configure field.
   Step 2: A confirmation pop-up box will appear; click on OK to remove the policy or click on Cancel to discard changes.
24. Step 2: Source Address: Select names of the external networks from the drop-down list. The drop-down list contains the names of all external networks defined in the External section of the Address menu. To create a new source address, please go to the Internal section under the Address menu.
   Destination Address: Select the name of the DMZ network from the drop-down list. The drop-down list contains the names of the DMZ network created in the Address menu. It will also contain Mapped IP addresses from the Virtual Server menu that were created for the DMZ network. To create a new destination address, please go to the Virtual Server menu. Please refer to the sections entitled Address and Virtual Server for details.
   Service: Select a service from the drop-down list. The drop-down list will contain services defined in the Custom or Group section under the Service menu. These are services/application that are allowed to pass from the External network to the DMZ network. Choose ANY for all services. To add or modify these services, please go to the Service menu. Please refer to the section entitled Services for details.
   Action: Select Permit or Deny from the drop-down list to allow or reject the packets travelling from the specified external network to
25. [Screenshot: Setting window, To Firewall Packets Log and Firewall Reboot sections] Enabling E-mail Alert Notification. Step 1: Select Enable E-mail Alert Notification under E-Mail Settings. This function will enable the Firewall to send e-mail alerts to the System Administrator when the network is being attacked by hackers or when emergency conditions occur. Step 2: SMTP Server IP: Enter the SMTP server's IP address. Step 3: E-Mail Address 1: Enter the first e-mail address to receive the alarm notification. Step 4: E-Mail Address 2: Enter the second e-mail address to receive the alarm notification (Optional). Step 5: Click OK on the bottom right of the screen to enable E-mail alert notification. [Screenshot: Setting window with Firewall Configuration (export and import system settings, reset factory settings), E-Mail Settings (Enable E-mail Alert Notification, Sender Address (Optional), SMTP Server, E-mail Address 1, E-mail Address 2, Mail Test), To Firewall Packets Log and Firewall Reboot sections] To Firewall Packets Log: Select this o
26. control policies. The address table should be built before creating control policies so that the Administrator can pick the names of correct IP addresses from the address table when setting up control policies. Internal. Entering the Internal window. Step 1: Click Internal under the Address menu to enter the Internal window. The current setting information, such as the name of the internal network, IP and Netmask addresses, will show on the screen. [Screenshot: Internal window table with Name, IP, Netmask and MAC Address columns; entry Inside_Any, 0.0.0.0, 0.0.0.0, In Use] Adding a new Internal Address. Step 1: In the Internal window, click the New Entry button. Step 2: In the Add New Address window, enter the settings of a new internal network address. Step 3: Click OK to add the specified internal network or click Cancel to cancel the changes. [Screenshot: Add New Address window with Name, IP Address (192.168.200.1), Netmask (255.255.255.255) and MAC Address fields] Modifying an Internal Address. Step
27. the DMZ network. Logging: select Enable to enable flow monitoring. Statistics: select Enable to enable flow statistics. Alarm Threshold: set a maximum flow rate in KBytes/Sec. An alarm will be sent if a flow rate exceeds the specified value. Step 3: Click OK. Modifying an External To DMZ policy. Step 1: In the External To DMZ window, locate the name of the policy to be modified and click its corresponding Modify option in the Configure field. Step 2: In the Modify Policy window, fill in the new settings. Step 3: Click OK to save modifications. [Screenshot: External To DMZ, Modify Policy window with Source Address, Destination Address, Service, Action, Logging, Statistics, Schedule and Alarm Threshold fields] Removing an External To DMZ Policy. Step 1: In the External To DMZ window, locate the name of the policy to be removed and click its corresponding Remove option in the Configure field. Step 2: In the Remove confirmation pop-up box, click OK to remove the policy. [Screenshot: External To DMZ policy table]
28. [Screenshot: Autokey IKE settings window with To Destination (Remote Gateway Fixed IP, Remote Gateway Dynamic IP, Remote Client Fixed IP or Dynamic IP), Authentication Method (Preshare), Preshared Key, Encapsulation, Perfect Forward Secrecy, IPSec Lifetime (28800 Seconds) and Schedule fields] Step 2: Preshare Key: The IKE VPN must be defined with a Preshared Key. The Key may be up to 128 bytes long. ESP/AH: The IP-level security headers AH and ESP were originally proposed by the Networking Group focused on IP security mechanisms, IPSec. The term IPSec is used loosely here to refer to packets, keys and routes that are associated with these headers. The IP Authentication Header (AH) is used to provide authentication. The IP Encapsulating Security Header (ESP) is used to provide confidentiality to IP datagrams. ESP Encryption Algorithm: The FIREWALL VPN ROUTER auto-selects the 56-bit DES-CBC or 168-bit Triple DES-CBC encryption algorithm. The default algorithm is 168-bit Triple DES-CBC. ESP Authentication Method: The FIREWALL VPN ROUTER auto-selects the MD5 or SHA-1 authentication algorithm. The default algorithm is MD5. IPSec Lifetime: New keys will be generated whenever the lifetime of the old keys is exceeded. The Administrator may enable this
29. [Screenshot: Traffic Log entries] The System Administrator can back up and clear logs in this window. Check the chapter entitled Log to get details about the log and ways to back up and clear logs. Alarm: If Logging is enabled in the outgoing policy, the FIREWALL VPN ROUTER will log the traffic alarms and event ala
30. [Screenshot: Event Log entries with Clear Logs and Download Logs buttons] The table in the Event Log window displays the time and description of the events. Time: time when the event occurred. Event: description of the event. Downloading the Event Logs. Step 1: In the Event Log window, click the Download Logs button at the bottom of the screen. Step 2: Follow the File Download pop-up window to save the event logs into a specific directory on the hard drive. [Screenshot: Event Log window with the File Download dialog] Clearing the Event Logs. The Administrator may clear on-line event logs to keep just the most updated logs on the screen. Step 1: In the Event Log window, click the Clear Logs button at the bottom of the screen. Step 2: In the Clear Logs pop-up box, click
31. Removing Autokey IKE. Step 1: Locate the name of the Autokey IKE to be removed and click its corresponding Delete option in the Configure field. Step 2: In the Remove confirmation pop-up box, click OK to remove the Autokey IKE or click Cancel to cancel deleting. [Screenshot: Autokey IKE table with the removal confirmation dialog] PPTP Server. Entering the PPTP Server window. Step 1: Select VPN > PPTP Server. [Screenshot: PPTP Server window with Client IP Range, Client IP, Uptime, Status and Configure columns and a New Entry button] PPTP Server: Click to select Enable or Disable. Client IP Range 192.26.145.1-254: Displays the IP address range for PPTP Client connections. User Name: Displays the PPTP Client user's name for authentication. Client IP: Displays the PPTP Client's IP address for authentication. Uptime: Displays the connection time between PPTP Server and Client. Status
32. [Screenshot: alarm log entries] Note: The Administrator can also get information on alarm logs from the Alarm window. Please refer to the section entitled Alarm for more information. Statistics: If Statistics is enabled in the outgoing policy, the FIREWALL VPN ROUTER will display the flow statistics passing through the Firewall. [Screenshot: Statistics window; entry Inside_Any, Outside_Any, ANY, PERMIT; Time: Minute / Hour / Day] Note: The Administrator can also get flow statistics in Statistics. Please refer to Statistics in Chapter 11 for more details. Incoming. This chapter describes steps to create policies for packets and services from the External (WAN) network to the Internal (LAN) network, including Mapped IP and Virtual Server. Enter Incoming window. Step 1: Click Incoming under the Policy menu to enter the Incoming window. The Incoming table will display currently defined policies from the External (WAN) network to the assigned Mapped IP or Virtual Server. [Screenshot: Incoming policy table with No, Source, Destination, Service, Action, Option, Configure and Move columns] Step 2: The fields of the Incoming window are: Source: so
33. [Screenshot: Traffic Log entries] Event Log. When the FIREWALL VPN ROUTER Firewall detects events, the Administrator can get the details, such as time and description of the events, from the Event Logs. Entering the Event Log window: Click the Event Log option under the Log menu and the Event Log window will appear. [Screenshot: Event Log window listing administrator login, Virtual Server and Mapped IP add, modify and remove events with their times]
34. [Screenshot: Interface window showing User Name, Password, IP Address provided by ISP (Dynamic or Fixed), Service-On-Demand auto-disconnect idle timer (0 means not disconnect), Ping and WebUI options, and Transparent Mode / NAT Mode settings] Configuring the Interface Settings. Internal Interface: Using the Internal Interface, the Administrator sets up the Internal (LAN) network. The Internal network will use a private IP scheme. The private IP network will not be routable on the Internet. IP Address: The private IP address of the Firewall's internal network is the IP address of the Internal (LAN) port of the FIREWALL VPN ROUTER. The default IP address is 192.168.1.1. Note: The IP Address of the Internal Interface and the DMZ Interface is a private IP address only. If the new Internal IP Address is not 192.168.1.1, the Administrator needs to set the IP Address on the computer to be on the same subnet as the Firewall and restart the System to make the new IP address effective. For example, if the Firewall's new Internal IP Address is 172.16.0.1, then enter the new Internal IP Address 172.16.0.1 in the URL field of the browser to connect to the Firewall. NetMask: This is the netmask of the internal network. The default netmask of the FIREWALL VPN ROUTER is 255.255.255.0. Ping: Select this to allow the internal network to ping the IP
35. [Screenshot: alarm log entries reporting a possible ICMP flood] Statistics. In this chapter, the Administrator queries the FIREWALL VPN ROUTER Office Firewall for statistics of packets and data which pass across the Firewall. The statistics provide the Administrator with information about network traffic and network loads. What is Statistics? Statistics are the statistics of packets that pass through the Firewall under control policies set up by the Administrator. How to use Statistics: The Administrator can get the current network condition from statistics and use the information provided by statistics as a basis to manage networks. Entering the Statistics window. Step 1: The Statistics window displays the statistics of current network connections. Source: the name of the source address. Destination: the name of the destination address. Service: the service requested. Action: permit or deny. Time: viewable by minutes, hours or days. [Screenshot: Statistics window; entry Inside_Any, Outside_Any, ANY, PERMIT; Time: Minute / Hour / Day] Status. In this section, the FIREWALL VPN ROUTER displays the status information about the Firewall St
36. A window will appear displaying a table with IP addresses and their corresponding MAC addresses. For each computer on the Internal, External and DMZ network that replies to an ARP packet, the FIREWALL VPN ROUTER will list it in this ARP table. [Screenshot: ARP Table window with IP Address, MAC Address and Interface columns] IP Address: The IP address of the host computer. MAC Address: The MAC address of that host computer. Interface: The port that the host computer is connected to (Internal, External, DMZ). DHCP Clients. Entering the DHCP Clients window: Click on Status in the menu bar and then click on DHCP Clients below it. A window will appear displaying the table of DHCP clients that are connected to the FIREWALL VPN ROUTER. The table will list host computers on the Internal network that obtain their IP address from the Firewall's DHCP server function. [Screenshot: DHCP Clients window with IP Address and MAC Address columns] IP Address: the IP address of the internal host computer. MAC Address: MAC address of the internal host computer. Leased Time: The Start and End time of the DHCP lea
37. [Screenshot: Service Group table with Modify and Remove options] Adding Service Groups. Step 1: In the Group window, click the New Entry button. In the Add Service Group window the following fields will appear. Available Services: list all the available services. Selected Services: list services to be assigned to the new group. Step 2: Enter the new group name in the group Name field. This will be the name referencing the created group. Step 4: To add new services: Select the services to be added in the Available Services list and then click the Add >> button to add them to the group. Step 5: To remove services: Select services to be removed in the Available Services and then click the << Remove button to remove them from the group. Step 6: Click OK to add the new group. [Screenshot: Add Service Group window] Modifying Service Groups. Steps 1 to 4: In the Group window, locate the service group to be edited. Click its corresponding Modify option in the Configure field. In the modify group window the following fields are displayed. Available Services: lists all the available services. Se
38. DMZ window: Click External To DMZ under the Policy menu to enter the External To DMZ window. The External To DMZ table will show up displaying currently defined External To DMZ [Screenshot: External To DMZ policy table with No, Source, Destination, Service, Action, Option, Configure and Move columns] The fields in the External To DMZ window: Source: source networks, which are addresses specified in the External section of the Address menu, or all the external network addresses. Destination: destination networks, which are addresses specified in the DMZ section of the Address menu and Mapped IP addresses of the Virtual Server menu. Service: services supported by servers in the DMZ network. Action: control actions to permit or deny packets from external networks to DMZ travelling through the FIREWALL VPN ROUTER. Option: specify the monitoring functions of packets from the external network to the DMZ network travelling through the Firewall. Configure: modify settings or remove policies. Adding a new External To DMZ Policy. Step 1: Click the New Entry button and the Add New Policy window will appear. [Screenshot: External To DMZ, Add New Policy window with Source Address (Outside_Any), Destination Address (Mapped IP), Service, Action (PERMIT) and Logging fields]
39. [Screenshot: Software Update window; example file name Generic_Fw100_023300.img] Configuration. What is System Configuration? In this section the Administrator can: 1 2 Set up the Multiple NAT. 3 Set up the Firewall detecting functions. 4 Set up a static route. 5 Set up the DHCP Server. 6 Set up DNS Proxy. 7 Set up Dynamic DNS. Note: After all the settings of the Firewall configuration have been set, the Administrator can back up the System configuration into the local hard drive as shown in the Administrator section of this manual under the heading 1 2 Settings. Interface. In this section the Administrator can set up the IP addresses for the office network. The Administrator may configure the IP addresses of the Internal (LAN) network, the External (WAN) network and the DMZ network. The netmask and gateway IP addresses are also configured in this section. Entering the Interface menu: Click on Configuration in the left menu bar. Then click on Interface below it. The current settings of the interface addresses will appear on the screen. [Screenshot: Interface window with Transparent Mode / NAT Mode, IP Address, Netmask, Ping and WebUI options, and External Interface choices PPPoE (ADSL User), Dynamic IP Address (Cable Modem User) and Static IP Address]
40. [Screenshot: Traffic Log entries] In the Traffic Log window, click the Download Logs button at the bottom of the screen. Follow the File Download pop-up window to save the traffic logs into lab Clearing the Traffic Logs. The Administrator may clear on-line logs to keep just the most updated logs on the screen. Step 1: In the Traffic Log window, click the Clear Logs button at the bottom of the screen. Step 2: In the Clear Logs pop-up box, click Ok to clear the logs or click Cancel to cancel it. [Screenshot: Traffic Log window with the Clear Logs confirmation dialog]
41. FIREWALL VPN ROUTER User's Manual, Doc No 120602 01. Contents: Administration, Admin, Setting, Date/Time, Language, Logout, Software Update, Interface, Multiple NAT, Hack Alert, Route Table, DHCP, DNS Proxy, Dynamic DNS, Address, Interface, Internal Group, External, External Group, DMZ, DMZ Group, Pre-defined, Custom, Group, Schedule, Policy, Outgoing, Incoming, External To DMZ & Internal to DMZ, DMZ To External & DMZ To Internal, Autokey IKE, PPTP Server, PPTP Client, Content filtering, URL Blocking, General Blocking, Virtual Server, Mapped IP, Virtual Server, Traffic Log, Event Log, Log Report, Alarm, Traffic Alarm, Event Alarm, Statistics, Status, Interface Status, ARP Table, DHCP Clients, Setup Examples. Administration. The FIREWALL VPN ROUTER Firewall Administration and monitoring control is set by the System Administrator. The System Administrator can add or modify System settings and monitoring mode. The sub-Administrators can only read System settings but not modify them. In Administration, the System Administrator can: 1. Add and change the sub-Administrators' names and passwords. 2. Back up all Firewall settings into local files. 3. Set up alerts for hacker invasion. What is Administration? Administration is the m
42. Step 3: Click OK to save modifications or click Cancel to cancel modifications. Modifying PPTP Server. Step 1: Select VPN > PPTP Server. Step 2: In the PPTP Server window, find the PPTP server that you want to modify. Click Configure and click Modify. Step 3: Enter appropriate settings. [Screenshot: PPTP Server modify window with User Name, Password, Remote Client (Single Machine or Multi-Machine), IP Address, Netmask and Client IP assigned by (IP Range or Fixed IP) fields] Step 4: Click OK to save modifications or click Cancel to cancel modifications. Removing PPTP Server. Step 1: Select VPN > PPTP Server. Step 2: In the PPTP Server window, find the PPTP server that you want to modify. Click Configure and click Remove. Step 3: Click OK to remove the PPTP server or click Cancel to exit without removal. [Screenshot: PPTP Server window with Disconnect, Modify and Remove options] PPTP Client. Entering the PPTP Client window. [Screenshot: PPTP Client window]
43. [Screenshot: removal confirmation dialog] DMZ To External & DMZ To Internal. This section describes steps to create policies for packets and services from DMZ networks to External (WAN) networks. Please follow the same procedures for DMZ networks to Internal (LAN) networks. Entering the DMZ To External window: Click DMZ To External under the Policy menu and the DMZ To External table appears, displaying currently defined DMZ To External policies. [Screenshot: DMZ To External policy table with No, Source, Destination, Service, Action, Option, Configure and Move columns and a New Entry button] The fields in the DMZ To External window are: Source: source network addresses which are specified in the DMZ section of the Address window. Destination: destination networks, which is the external network address. Service: services supported by Servers of external networks. Action: control actions to permit or deny packets from the DMZ network to external networks travelling through the FIREWALL VPN ROUTER
44. Removing the Outgoing Policy. Step 1: In the Outgoing policy section, locate the name of the policy to be removed and click its corresponding Remove option in the Configure field. Step 2: In the Remove confirmation dialogue box, click OK to remove the policy or click Cancel to cancel removing. [Screenshot: Outgoing policy table (entry 1: Inside_Any, Outside_Any, ANY) with the removal confirmation dialog] Enabled Monitoring function. Log: If Logging is enabled in the outgoing policy, the FIREWALL VPN ROUTER will log the traffic and events passing through the Firewall. The Administrator can click Log on the left menu bar to get the flow and event logs of the specified policy. [Screenshot: Traffic Log entries]
45. Refer to the corresponding section for details. Step 4: Click OK to save modifications or click Cancel to cancel modifications. Adding PPTP Server. Step 1: Select VPN > PPTP Server. Click New Entry. [Screenshot: PPTP Server window with Client IP Range, Client IP, Uptime, Status and Configure columns and a New Entry button] Step 2: Enter appropriate settings in the following window. User name: Specify the PPTP client. This should be unique. Password: Specify the PPTP client password. Remote Client: Single Machine: Check to connect to a single computer. Multi-Machine: Check to allow multiple computers connected to the PPTP server. IP Address: Enter the PPTP Client IP address. Netmask: Enter the PPTP Client subnet mask. Client IP assigned by: 1. IP Range: check to enable auto-allocating an IP for the PPTP client to connect. 2. Fixed IP: check and enter a fixed IP for the PPTP client to connect. [Screenshot: Add New PPTP Server window with User Name, Password, Remote Client, IP Address, Netmask and Client IP assigned by fields]
46. Selected Address list: the names of the members that have been assigned to this group. Add members: Select names to be added from the Available Address list and click the Add >> button to add them to the Selected Address list. Remove members: Select names to be removed from the Selected Address list and click the << Remove button to remove them from the Selected Address list. Click OK to save changes or click Cancel to cancel editing. [Screenshot: DMZ Group, Modify Address Group window] Removing a DMZ Group. Step 1: In the DMZ Group window, locate the group to be removed and click its corresponding Remove option in the Configure field. Step 2: In the Remove confirmation pop-up box, click OK to remove the group. [Screenshot: DMZ Group table with the removal confirmation dialog] Service. In this section, network services are defined and new network services can be added. There are three sub-menus under Service, which are Pre-defined, Custom and Group. The Administrator can simply fo
47. [Screenshot: DNS Proxy window] Below is the information needed for setting up the DNS Proxy. Domain Name: The domain name of the server. Virtual IP Address: The virtual IP address respective to DNS Proxy. Configure: modify or remove each DNS Proxy policy. Adding a new DNS Proxy. Step 1: Click on the New Entry button and the Add New DNS Proxy window will appear. Step 2: Fill in the appropriate settings for the domain name and virtual IP address. Step 3: Click OK to save the policy or Cancel to cancel. [Screenshot: Add New DNS Proxy window with Domain Name and Virtual IP Address fields] Modifying a DNS Proxy. Step 1: In the DNS Proxy window, find the policy to be modified and click the corresponding Modify option in the Configure field. Step 2: Make the necessary changes. Step 3: Click OK to save changes or click Cancel to cancel modifications. [Screenshot: Modify DNS Proxy window with Domain Name and Virtual IP Address fields]
48. alert is sent to the Administrator. The default ICMP flood threshold is set to 1000 Pkts/Sec. Detect UDP Flood: Select this option to detect UDP flood attacks. A UDP flood attack is similar to an ICMP flood attack. After enabling this function, the System Administrator can enter the number of UDP packets per second that are allowed to enter the network/firewall. Once the UDP packets exceed this limit, the activity will be logged in Alarm and an email alert is sent to the Administrator. The default UDP flood threshold is set to 1000 Pkts/Sec. Detect Ping of Death Attack: Select this option to detect the attacks of tremendous trash data in PING packets that hackers send to cause System malfunction. This attack can cause network speed to slow down or even make it necessary to restart the computer to get a normal operation. Detect Tear Drop Attack: Select this option to detect tear drop attacks. These are packets that are segmented into small packets with negative length. Some Systems treat the negative value as a very large number and copy enormous data into the System, causing System damage such as a shutdown or a restart. Detect IP Spoofing Attack: Select this option to detect spoof attacks. Hackers disguise themselves as trusted users of the network in spoof attacks. They use a fake identity to try to pass through the Firewall System and invade the network. Filter IP Source Route Option: Each IP packet can carry an optional field that specifi
49. all policies therefore will likely not be permitted to pass through the Firewall. The Administrator can configure the start time and stop time, as well as creating 2 different time periods in a day. For example, an organization may only want the Firewall to allow the internal network users to access the Internet during work hours. Therefore, the Administrator may create a schedule to allow the Firewall to work Monday-Friday, 8AM-5PM only. During the non-work hours, the Firewall will not allow Internet access.

Accessing the Schedule window
Click on Schedule on the menu bar and the schedule window will appear, displaying the active schedules.
[Screenshot: Schedule window]
The following items are displayed in this window:
- Name: the name assigned to the schedule.
- Comment: a short comment describing the schedule.
- Configure: modify or remove.

Adding a new Schedule
Step 1: Click on the New Entry button and the Add New Schedule window will appear.
Step 2: Schedule Name: Fill in a name for the new schedule. Period 1: Configure the start and stop time for the days of the week that the schedule will be active.
Step 3: Click Ok to save the new schedule or click Cancel to cancel adding the new schedule.
[Screenshot: Add New Schedule window]
50. [Screenshot: remove confirmation dialog]

DMZ
Entering the DMZ window
Click DMZ under the Address menu to enter the DMZ window. The current setting information, such as the name of the internal network, IP and Netmask addresses, will show on the screen.
[Screenshot: DMZ window with columns Name, IP, Netmask, MAC Address, Configure]

Adding a new DMZ Address
Step 1: In the DMZ window, click the New Entry button.
Step 2: In the Add New Address window, enter the settings for a new DMZ address.
Step 3: Click OK to add the specified DMZ or click Cancel to discard changes.
[Screenshot: Add New Address window with Name, IP Address, Netmask and MAC Address fields]

Modifying a DMZ Address
Step 1: In the DMZ window, locate the name of the network to be modified and click the Modify option
51. anaging of settings such as the privileges of packets that pass through the firewall and monitoring controls. Administrators may manage, monitor, and configure firewall settings. All configurations are read-only for all users other than the Administrator; those users are not able to change any settings for the firewall.

The three sub-functions under Administrator are Administrator, Setting, and Software Update.
- Administrator: has control of user access to the firewall. He/she can add/remove users and change passwords.
- Setting: The Administrator may use this function to backup firewall configurations and export (save) them to an Administrator computer or anywhere on the network, or restore a configuration file to the FIREWALL VPN ROUTER, or restore the firewall back to default factory settings. Under Setting, the Administrator may enable e-mail alert notification. This will alert Administrator(s) automatically whenever the firewall has experienced unauthorized access or a network hit (hacking or flooding). Once enabled, an IP address of a SMTP (Simple Mail Transfer Protocol) Server is required. Up to two e-mail addresses can be entered for the alert notifications.
- Software Update: Administrators may visit distributor's web site to download the latest firmware. Administrators may update the FIREWALL VPN ROUTER firmware to maximize its performance and stay current with the latest fixes for intruding attacks.

Firewall Administration se
52. ancel to discard changes.

Language
The software provides Traditional Chinese Version, Simplified Chinese Version, and English version for you to choose.
Step 1: Click Language.
Step 2: Select the language version you want (Traditional Chinese Version, Simplified Chinese Version, or English version).
Step 3: Click OK to change the language version or click Cancel to discard changes.
[Screenshot: Language Setting window]

Logout the firewall
Select this option to log out of the FIREWALL VPN ROUTER; this function protects your system while you are away.
Step 1: Click Logout the firewall.
Step 2: Click OK to logout or click Cancel to discard the change.
[Screenshot: Logout confirmation dialog]

Software Update
Under Software Update, the admin may update the FIREWALL VPN ROUTER's software with a newer software.
[Screenshot: Software Update window, showing Version Number v2.33]
53. and click remove.
Step 3: Click OK to remove the PPTP client or click Cancel to exit without removal.
[Screenshot: PPTP Client window]

Content filtering
Content filtering includes URL Blocking and general filtering.
Content Filtering includes URL Blocking and General Blocking.
- URL Blocking: The device manager can use a complete domain name, key word, or x to make rules for specific websites.
- General Blocking: To let Popup, ActiveX, Java, Cookie in or keep them out.

URL Blocking
The Administrator may set up URL Blocking to prevent Internal network users from accessing a specific website on the Internet. Any web request coming from an Internal network computer to a blocked website will receive a blocked message instead of the website.

Entering the URL blocking window
Click on URL Blocking under the Configuration menu bar. Click on New Entry.
[Screenshot: URL Blocking window]

Adding a URL Blocking policy
Step 1: After clicking New Entry, the Add New Block String window will appear.
Step 2: Enter the URL of the website to be blocked
54. [Screenshot: Log Mail Configuration and Syslog settings]

Alarm
In this chapter, the Administrator can view traffic alarms and event alarms that occur and the firewall has logged. Firewall has two alarms: Traffic Alarm and Event Alarm.
- Traffic alarm: In control policies, the Administrator sets the threshold value for traffic alarm. The System regularly checks whether the traffic for a policy exceeds its threshold value and adds a record to the traffic alarm file if it does.
- Event alarm: When Firewall detects attacks from hackers, it writes attacking data in the event alarm file and sends an e-mail alert to the Administrator to take emergency steps.

Traffic Alarm
Entering the Traffic Alarm window
Click the Traffic Alarm option below the Alarm menu to enter the Traffic Alarm window.
[Screenshot: Traffic Alarm window with columns Time, Source, Destination, Service, Traffic]
The table in the Traf
55. atus will display the network information from the Configuration menu. The Administrator may also use Status to check the DHCP lease time and MAC addresses for computers connected to the Firewall.

Interface Status
Entering the Interface Status window
Click on Status in the menu bar, and then click Interface Status below it. A window will appear providing information from the Configuration menu. Interface Status will list the settings for Internal Interface, External Interface, and the DMZ Interface.
[Screenshot: Interface Status window listing System Uptime, Active Session, System Mode, MAC Address, IP Address/Netmask, MTU, Rx/Tx packet counts, and Ping/WebUI settings for the Internal, External and DMZ interfaces]

ARP Table
Entering the ARP Table window
Click on Status in the menu bar and then click ARP Table below it
56. bUI to be configured from a user on the Internet. Keep in mind that the FIREWALL VPN ROUTER always requires a username and password to enter the WebUI.

For Static IP Address
This option is for users who are assigned a static IP Address from their ISP. Your ISP will provide all the information needed for this section, such as IP Address, Netmask, Gateway, and DNS. Use this option also if you have more than one public IP Address assigned to you.
- IP Address: Enter the static IP address assigned to you by your ISP. This will be the public IP address of the External (WAN) port of the FIREWALL VPN ROUTER.
- Netmask: This will be the Netmask of the external (WAN) network (i.e. 255.255.255.0).
- Default Gateway: This will be the Gateway IP address.
- Domain Name Server (DNS): This is the IP Address of the DNS server.
- Ping: Select this to allow the external network to ping the IP Address of the Firewall. This will allow people from the Internet to be able to ping the Firewall. If set to enable, the FIREWALL VPN ROUTER will respond to echo request packets from the external network.
- WebUI: Select this to allow the FIREWALL VPN ROUTER WebUI to be accessed from the External (WAN) network. This will allow the WebUI to be configured from a user on the Internet. Keep in mind that the FIREWALL VPN ROUTER always requires a username and password to enter the WebUI.

DMZ Interface
The Administrator uses the DMZ Interface to set up the DMZ network. The DMZ netw
57. cel modifications.
[Screenshot: Modify Policy window for an Incoming policy]

Removing an Incoming Policy
Step 1: In the Incoming window, locate the name of policy desired to be removed and click its corresponding Remove in the Configure field.
Step 2: In the Remove confirmation window, click Ok to remove the policy or click Cancel to cancel removing.
[Screenshot: Incoming window with remove confirmation dialog]

External To DMZ & Internal to DMZ
This section describes steps to create policies for packets and services from the External (WAN) networks to the DMZ networks. Please follow the same procedures for Internal (LAN) networks to DMZ networks.
Enter External To DMZ or Internal To
58. [Screenshot: Add New Dynamic DNS window with Service Provider, External IP, User Name, Password and Domain Name fields]

Modify dynamic DNS
Step 1: Click Dynamic DNS in the Configuration menu to enter the Dynamic DNS window.
Step 2: Find the item you want to change and click Modify.
Step 3: Enter the new information in the Modify Dynamic DNS window.
Step 4: Click OK to change the settings or click Cancel to discard changes.
[Screenshot: Modify Dynamic DNS window]

Delete Dynamic DNS
Step 1: Click Dynamic DNS in the Configuration menu to enter the Dynamic DNS window.
Step 2: Find the item you want to change and click Delete.
Step 3: A confirmation pop-up box will appear; click OK to delete the settings or click Cancel to discard changes.
59. com in the DMZ network (i.e. 192.168.10.10). The outside Internet world may access the mail server of the organization easily by its domain name, providing that the Administrator has set up Virtual Server or Mapped IP settings correctly. However, for the users in the Internal network, their external DNS server will assign them a public IP address for the mail server. So for the Internal network to access the mail server (mail.dfl300.com), they would have to go out to the Internet, then come back through the Firewall to access the mail server. Essentially, the internal network is accessing the mail server by a real public IP address, while the mail server serves their request by a NAT address and not a real one.

This odd situation occurs when there are servers in the DMZ network and they are bound to real IP addresses. To avoid this, set up DNS Proxy so all the Internal network computers will use the FIREWALL VPN ROUTER as a DNS server, which acts as the DNS Proxy. If you want to use the DNS Proxy function of the FIREWALL VPN ROUTER, the end user's main DNS server IP address should be the same IP Address as the FIREWALL VPN ROUTER.

Entering the DNS Proxy window
Click on Configuration in the menu bar, and then click on DNS Proxy below it. The DNS Proxy window will appear.
[Screenshot: DNS Proxy window]
60. [Screenshot: password entry window with Confirm Password field]

Changing the Sub-Administrator's Password
Step 1: In the Administration window, locate the Administrator name you want to edit, and click on Modify in the Configure field.
Step 2: The Modify Administrator Password window will appear. Enter in the required information:
- Password: enter original password.
- New Password: enter new password.
- Confirm Password: enter the new password again.
Step 3: Click OK to confirm password change or click Cancel to cancel it.
[Screenshot: Modify Sub Admin Password window]

Removing a Sub-Administrator
Step 1: In the Administration table, locate the Administrator name you want to edit, and click on the Remove option in the Configure field.
Step 2: The Remove confirmation pop-up box will appear.
Step 3: Click OK to remove that Sub Admin or click Cancel to cancel.
[Screenshot: Admin table with remove confirmation dialog]

Settings
The Administrator may use this function t
61. [Screenshot: PPTP Client window]
- Server Address: Displays the PPTP Server IP addresses.
- User Name: Displays the PPTP Client user's name for authentication.
- Client IP: Displays the PPTP Client's IP address for authentication.
- Uptime: Displays the connection time between PPTP Server and Client.
- Status: Displays current connection status between PPTP Server and PPTP client.
- Configure: Click Modify to modify the PPTP Client settings or click Remove to remove the item.

Adding a PPTP Client
Step 1: Select VPN > PPTP Client.
- User name: Specify the PPTP client. This should be unique.
- Password: Specify the PPTP client password.
- Server Address: Enter the PPTP Server's IP address.
- Remote Client:
  - Single Machine: Check to connect to single computer.
  - Multi Machine: Check to allow multiple computers connected to the PPTP server.
- IP Address: Enter the PPTP Client IP address.
- Netmask: Enter the PPTP Client Sub-net mask.
[Screenshot: Add PPTP Client window]
- Auto Connect when sending packet through t
62. er, set names and addresses of mapped IP or virtual server (only applied to Incoming policies).
Step 4: Set control policies in Policy.

Outgoing
This section describes steps to create policies for packets and services from the Internal (LAN) network to the External (WAN) network.

Entering the Outgoing window
Click Policy on the left-hand side menu bar, and then click Outgoing under it. A window will appear with a table displaying currently defined Outgoing policies.
[Screenshot: Outgoing window with columns No, Source, Destination, Service, Action, Option, Configure, Move]
The fields in the Outgoing window are:
- Source: source network addresses that are specified in the Internal section of Address menu, or all the Internal (LAN) network addresses.
- Destination: destination network addresses that are specified in the External section of the Address menu, or all the External (WAN) network addresses.
- Service: specify services provided by external network servers.
- Action: control actions to permit or reject/deny packets from internal networks to external network travelling through the Firewall.
- Option: specify the monitoring functions on packets from internal networks to external networks travelling through the Firewall.
63. er from Virtual Server in the Virtual Server menu bar to enter the virtual server configuration window. In the following, Virtual Server is assumed to be the chosen option.
[Screenshot: Virtual Server window with columns Service Name, Port, External Port, Server Virtual IP, Configure]
Step 2: Click the "click here to configure" button and the Add new Virtual Server IP window appears and asks for an IP address from the external network.
Step 3: Select an IP address from the drop-down list of available external network IP addresses.
Note: If the drop-down list contains only Disable, there are no available IP addresses of the external network of the System, and no Virtual Server can be added.
Step 4: Click OK to add new Virtual Server or click Cancel to cancel adding.
[Screenshots: Add New Virtual Server IP window, one with an external IP address selected and one showing only Disable]
64. erface: Destination network, internal or external networks.
- Destination IP: IP address of destination network.
- NetMask: Netmask of destination network.
- Gateway: Gateway IP address for connecting to destination network.
- Configure: Change settings in the route table.

Adding a new Static Route
Step 1: In the Route Table window, click the New Entry button.
Step 2: In the Add New Static Route window, enter new static route information.
Step 3: In the Interface field's pull-down menu, choose the network to connect (Internal, External or DMZ).
Step 4: Click OK to add the new static route or click Cancel to cancel.
[Screenshot: Add New Static Route window with Destination IP, Netmask, Gateway and Interface fields]

Modifying a Static Route
Step 1: In the Route Table menu, find the route to edit and click the corresponding Modify option in the Configure field.
Step 2: In the Modify Static Route window, modify the necessary routing addresses.
Step 3: Click OK to apply changes or click Cancel to cancel it.
[Screenshot: Modify Static Route window]
65. erver and Mapped IP are part of the IP mapping scheme. By applying the incoming policies, Virtual Server and IP mapping work similarly. They map real IP addresses to the physical servers' private IP addresses (which is opposite to NAT), but there still exist some differences:
- Virtual Server can map one real IP to several internal physical servers, while Mapped IP can only map one real IP to one internal physical server (1-to-1 Mapping). The Virtual Server's load balance feature can map a specific service request to different physical servers running the same services.
- Virtual Server can only map one real IP to one service/port of the internal physical servers, while Mapped IP maps one real IP to all the services offered by the physical server.
IP mapping and Virtual Server work by binding the IP address of the external virtual server to the private internal IP address of the physical server that supports the services. Therefore, users from the external network can access servers of the internal network by requesting the service from the IP address provided by Virtual Server.

Mapped IP
Internal private IP addresses are translated through NAT (Network Address Translation). If a server is located in the internal network, it has a private IP address, and outside users cannot connect directly to internal servers' private IP address. To connect to an internal network server, outside users have to first connect to a real
66. es the replying address that can be different from the source address specified in packet's header. Hackers can use this address field on disguised packets to invade internal networks and send internal networks' data back to them.
- Detect Port Scan Attack: Select this option to detect the port scans hackers use to continuously scan networks on the Internet to detect computers and vulnerable ports that are opened by those computers.
- Detect Land Attack: Some Systems may shut down when receiving packets with the same source and destination addresses, the same source port and destination port, and when SYN on the TCP header is marked. Enable this function to detect such abnormal packets.
- Default Packet Deny: Denies all packets from passing the Firewall. A packet can pass only when there is a policy that allows it to pass.
After enabling the needed detect functions, click OK to activate the changes.

Route Table
In this section, the Administrator can add static routes for the networks.

Entering the Route Table screen
Click Configuration on the left side menu bar, and then click Route Table below it. The Route Table window appears, in which current route settings are shown.
[Screenshot: Route Table window]
Route Table functions:
- Int
67. feature if needed, and enter the lifetime in seconds to re-key. The default is 28800 seconds (eight hours). Selection of small values could lead to frequent re-keying, which could affect performance.

Modifying an Autokey IKE
Step 1: In the Autokey IKE window, locate the name of policy desired to be modified and click its corresponding Modify option in the Configure field.
Step 2: In the Modify Policy window, fill in new settings.
Step 3: Click OK to save modifications.

Connecting the VPN connection
Once the policy is created with the correct settings, click on the Connect option in the Configure field. The Status field will change to indicate Connecting. If the remote Firewall is set up correctly with the VPN active, the VPN connection will be made between the two Firewalls, and the Status field will change to Connect.
[Screenshot: Autokey IKE VPN Auto Keyed Tunnel window with source and destination subnet, Remote Gateway, Authentication Method, Preshared Key, Encapsulation, Perfect Forward Secrecy, IPSec Lifetime and Schedule fields]
68. fic Alarm window displays the current traffic alarm logs for connections.
- Time: The start and stop time of the specific connection.
- Source: Name of the source network of the specific connection.
- Destination: Name of the destination network of the specific connection.
- Service: Service of the specific connection.
- Traffic: Traffic (in KBytes/Sec) of the specific connection.

Clearing the Traffic Alarm Logs
Step 1: In the Traffic Alarm window, click the Clear Logs button at the bottom of the screen.
Step 2: In the Clear Logs pop-up box, click Ok to clear the logs or click Cancel to cancel.
[Screenshot: Traffic Alarm window with clear confirmation dialog]

Downloading the Traffic Alarm Logs
The Administrator can back up traffic alarm logs regularly and download them to a file on the computer.
Step 1: In the Traffic Alarm window, click the Download Logs button on the bottom of the screen.
Step 2: Follow the File Download pop-up box to save the traffic alarm logs into a specific directory on the hard drive.
[Screenshot: Traffic Alarm window]
69. Adding a new Service
Step 1: In the Custom window, click the New Entry button and a new service table appears.
[Screenshot: Add User Define Service window with Service NAME field and eight rows of Protocol (TCP / UDP / Other), Client Port and Server Port]
Step 2: In the new service table:
- New Service Name: This will be the name referencing the new service.
- Protocol: Enter the network protocol type to be used, such as TCP, UDP, or Other (please enter the number for the protocol type).
- Client Port: enter the range of port number of new clients.
- Server Port: enter the range of port number of new servers.
The client port ranges from 1024 to 65535 and the server port ranges from 0 to 1023.
Step 3: Click OK to add new services or click Cancel to cancel.

Modifying Custom Services
Step 1: In the Custom table, locate the name of the service to be modified. Click its corresponding Modify option in the Configure field.
Step 2: A table showing the current settings of the selected service appears
70. gs. When the Choose File pop-up window appears, select the file which contains the saved Firewall Settings, then click OK.
Step 2: Click OK to import the file into the Firewall or click Cancel to cancel importing.
[Screenshot: Firewall Configuration window with File Download dialog for firewall.conf]

Restoring Factory Default Settings
Step 1: Select Reset Factory Settings under Firewall Configuration.
Step 2: Click OK at the bottom right of the screen to restore the factory settings.
[Screenshot: Firewall Configuration window with Export System Settings to Client, Import System Settings from Client, Reset Factory Settings, E-mail Setting, Mail Test and To Firewall Packets Log options]
71. he link: Check to enable the auto-connection whenever there's packet to transmit over the connection.
- Auto Disconnect if idle [ ] minutes: Configure this device to disconnect from the PPTP Server when there is no activity for a predetermined period of time. To keep the line always connected, set the number to 0.
- Schedule: Click the down arrow to select the schedule, which was pre-determined in Schedule. Refer to the corresponding section for details.
Step 4: Click OK to save modifications or click Cancel to cancel modifications.

Modifying PPTP Client
Step 1: Select VPN > PPTP Client.
Step 2: In the PPTP Client window, find the PPTP server that you want to modify. Click Configure and click Modify.
Step 3: Enter appropriate settings.
[Screenshot: Modify PPTP Client window]
Step 4: Click OK to save modifications or click Cancel to cancel modifications.

Removing PPTP Client
Step 1: Select VPN > PPTP Client.
Step 2: In the PPTP Client window, find the PPTP client that you want to modify. Click Configure
72. he usage regulations, see the providers' websites.

How to register
First, click Dynamic DNS in the Configuration menu to enter the Dynamic DNS window, then click the Add button. On the right side of the service providers, click Register; the service provider's website will appear. Please refer to the website for the way of registration.
[Screenshot: Dynamic DNS window]

Dynamic DNS settings
Step 1: Click Dynamic DNS in the Configuration menu to enter the Dynamic DNS window.
Step 2: Click the Add button.
Step 3: Click the information in the column of the new window:
- Service providers: Select service providers.
- Register: To the service providers' website.
- WAN IP Address: IP Address of the WAN port.
- Automatically fill in the external IP: Check to automatically fill in the external IP.
- User Name: Enter the registered user name.
- Password: Enter the password provided by ISP (Internet Service Provider).
- Domain name: Your host domain name provided by ISP.
Step 4: Click OK to add dynamic DNS or click Cancel to discard changes.
73. hold i000 Pkts Sec. Options shown in the window: Detect Ping of Death Attack, Detect Tear Drop Attack, Detect IP Spoofing Attack, Filter IP Route Option, Detect Port Scan Attack, Detect Land Attack. Auto Detect functions. Detect SYN Attack: Select this option to detect TCP SYN attacks that hackers send to server computers continuously to block or cut down all the connections of the servers. These attacks will prevent valid users from connecting to the servers. After enabling this function, the System Administrator can enter the number of SYN packets per second that is allowed to enter the network firewall. Once the SYN packets exceed this limit, the activity will be logged in Alarm and an email alert is sent to the Administrator. The default SYN flood threshold is set to 200 Pkts/Sec. Detect ICMP Flood: Select this option to detect ICMP flood attacks. When hackers continuously send PING packets to all the machines of the internal networks or to the Firewall, your network is experiencing an ICMP flood attack. This can cause traffic congestion on the network and slow the network down. After enabling this function, the System Administrator can enter the number of ICMP packets per second that is allowed to enter the network firewall. Once the ICMP packets exceed this limit, the activity will be logged in Alarm and an email
74. in its corresponding Configure field. Step 2: In the Modify Address window, fill in new addresses. Step 3: Click OK to save the changes or click Cancel to discard changes. Removing a DMZ Address. Step 1: In the DMZ window, locate the name of the network to be removed and click the Remove option in its corresponding Configure field. Step 2: In the Remove confirmation pop-up box, click OK to remove the address or click Cancel to discard changes. DMZ Group. Entering the DMZ Group window: Click DMZ Group under the Address menu to enter the DMZ window. The current settings information for the DMZ group appears on the screen.
75. iple NAT: Click Modify to modify the parameters of Multiple NAT or click Delete to delete settings. Add Multiple NAT. Step 1: Click Multiple NAT in the Configuration menu to enter the Multiple NAT window. Step 2: Click the Add button below to add Multiple NAT. Step 3: Enter the IP Address in the website name column of the new window. Global port interface IP Address: Select Global port IP Address. Local port interface IP Address: Enter Local port IP Address. Subnet Mask: Enter Local port subnet Mask. Step 4: Click OK to add Multiple NAT or click Cancel to discard changes. Modify Multiple NAT. Step 1: Click Multiple NAT in the Configuration menu to enter the Multiple NAT window. Step 2: Find the IP Address you want to modify and click Modify. Step 3: Enter the new IP Address in the Modify Multiple NAT window. Step 4: Click the OK button below to change the setting or click Cancel to discard changes.
76. irewall. If set to enable, the FIREWALL VPN ROUTER will respond to echo request packets from the external network. WebUI: Select this to allow the FIREWALL VPN ROUTER WebUI to be accessed from the External (WAN) network. This will allow the WebUI to be configured from a user on the Internet. Keep in mind that the FIREWALL VPN ROUTER always requires a username and password to enter the WebUI. For Dynamic IP Address (Cable Modem User): This option is for users who are automatically assigned an IP address by their ISP, such as cable modem users. The following fields apply. IP Address: The dynamic IP address obtained by the Firewall from the ISP will be displayed here. This is the IP address of the External (WAN) port of the FIREWALL VPN ROUTER. MAC Address: This is the MAC Address of the FIREWALL VPN ROUTER. Hostname: This will be the name assigned to the FIREWALL VPN ROUTER. Some cable modem ISPs assign a specific hostname in order to connect to their network. Please enter the hostname here. If not required by your ISP, you do not have to enter a hostname. Ping: Select this to allow the external network to ping the IP Address of the Firewall. This will allow people from the Internet to be able to ping the Firewall. If set to enable, the FIREWALL VPN ROUTER will respond to echo request packets from the external network. WebUI: Select this to allow the FIREWALL VPN ROUTER WebUI to be accessed from the External (WAN) network. This will allow the We
77. Step 9: An Incoming FTP policy should now be created. Example 4: Install a server inside the Internal network and have the Internet (External) users access the server through IP Mapping. Step 1: Enter the Mapped IP window under the Virtual Server menu. Step 2: Click the New Entry button. Step 3: In the Add New IP Mapping window, enter each parameter and then click OK. Step 4: When the following screen appears, the IP Mapping setup is completed (the mapping listed in the screenshot is External IP 61.59.227.170, Map To Virtual IP 192.168.200.200). Step 5: Go to the Incoming window under the Policy menu. Step 6: Click the New Entry button. Step 7: In the Add New Policy window, set each parameter, then click OK. Step 8: Open all the services (ANY) (the policy listed in the screenshot is Source Outside_Any, Destination Mapped IP 61.59.227.170, Service ANY). Step 9: The setup is completed.
78. lected Services list: services that have been assigned to the selected group. Add new services: Select services in the Available Services list and then click the Add >> button to add them to the group. Remove services: Select services to be removed in the Selected Services list and then click the << Remove button to remove these services from the group. Step 5: Click OK to save editing changes. Removing Service Groups. Step 1: In the Group window, locate the service group to be removed and click its corresponding Remove option in the Configure field. Step 2: In the Remove confirmation pop-up box, click OK to remove the selected service group or click Cancel to cancel removing. Schedule. The FIREWALL VPN ROUTER Office Firewall allows the Administrator to configure a schedule for policies to take effect. By creating a schedule, the Administrator is allowing the Firewall policies to be used at those designated times only. Any activities outside of the scheduled time slot will not follow the Firew
79. llow the instructions below to define the protocols and port numbers for network communication applications. Users then can connect to servers and other computers through these available network services. What is Service? TCP and UDP protocols support varieties of services, and each service consists of a TCP port or UDP port number, such as TELNET (23), SMTP (21), POP3 (110), etc. The FIREWALL VPN ROUTER Firewall defines two services: pre-defined service and custom service. The commonly used services, like TCP and UDP, are defined in the pre-defined service and cannot be modified or removed. In the custom menu, users can define other TCP port and UDP port numbers that are not in the pre-defined menu according to their needs. When defining custom services, the client port ranges from 1024 to 65535 and the server port ranges from 0 to 1023. How do I use Service? The Administrator can add new service group names in the Group option under the Service menu and assign desired services into that new group. Using service groups, the Administrator can simplify the process of setting up control policies. For example, there are 10 different computers that want to access 5 different services on a server, such as HTTP, FTP, SMTP, POP3 and TELNET. Without the help of service groups, the Administrator needs to set up 50 (10x5) control policies, but by applying all 5 services to a single group name in the service field, it takes only one control policy to achieve the
80. Adding an External Group. Step 1: In the External Group window, click the New Entry button and the Add New Address Group window will appear. Step 2: In the Add New Address Group window, the following fields will appear. Name: enter the name of the new group. Available Address: List the names of all the members of the external network. Selected Address: List the names to assign to the new group. Step 3: Add members: Select the names to be added in the Available Address list and click the Add >> button to add them to the Selected Address list. Step 4: Remove members: Select the names to be removed in the Selected Address list and click the << Remove button to remove them from the Selected Address list. Step 5: Click OK to add the new group or click Cancel to discard changes. Editing an External Group
81. nal Group window. The current setting information for the Internal network group appears on the screen. Adding an Internal Group. Step 1: In the Internal Group window, click the New Entry button to enter the Add New Address Group window. Step 2: In the Add New Address Group window: Available Address list: the names of all the members of the internal network. Selected Address list: the names to be assigned to the new group. Name: enter the name of the new group in the open field. Step 3: Add members: Select names to be added in the Available Address list and click the Add >> button to add them to the Selected Address list. Step 4: Remove members: Select names to be removed in the Selected Address list and click the << Remove button to remove these members from the Selected Address list. Step 5: Click OK to add the new group or click Cancel to discard changes.
82. Address. The FIREWALL VPN ROUTER Office Firewall allows the Administrator to set Interface addresses of the Internal network, Internal network group, External network, External network group, DMZ and DMZ group. What is the Address Table? An IP address in the Address Table can be an address of a computer or a sub-network. The Administrator can assign an easily recognized name to an IP address. Based on the network it belongs to, an IP address can be an internal IP address, external IP address or DMZ IP address. If the Administrator needs to create a control policy for packets of different IP addresses, he can first add a new group in the Internal Network Group or the External Network Group and assign those IP addresses into the newly created group. Using group addresses can greatly simplify the process of building control policies. With easily recognized names of IP addresses and names of address groups shown in the address table, the Administrator can use these names as the source address or destination address of
83. Example 2: The Internal network can only access Yahoo.com website. Step 1: Enter the External window under the Address menu. Step 2: Click the New Entry button. Step 3: In the Add New Address window, enter the related parameters. Step 4: Click OK to end the address table setup. Step 5: Go to the Outgoing window under the Policy menu. Step 6: Click the New Entry button. Step 7: In the Add New Policy window, enter corresponding parameters (screenshot values: Source Address Inside_Any, Destination Address www.yahoo.com, Service ANY, Action PERMIT). Click OK. Step 8: When the following screen appears, the setup is completed (policies listed in the screenshot: 1. Inside_Any, Outside_Any, ANY; 2. Inside_Any, www.yahoo.com, ANY). Example 3: Outside users can access the internal FTP server through Virtual Servers. Step 1: Enter Virtual Server under the Virtual Server menu. Step 2: Click the "click here to configure" button
84. ns. Step 1: In the Virtual Server window's service table, locate the name of the service desired to be modified and click its corresponding Modify option in the Configure field. Step 2: In the Virtual Server Configuration window, enter the new settings. Step 3: Click OK to save modifications or click Cancel to cancel modification. Note: A virtual server cannot be modified or removed if it has been assigned to the destination address of any Incoming policies. Removing the Virtual Server service. Step 1: In the Virtual Server window's service table, locate the name of the service desired to be removed and click its corresponding Remove option in the Configure field. Step 2: In the Remove confirmation pop-up box, click OK to remove the service or click Cancel to cancel removing.
85. o backup firewall configurations and export (save) them to an Administrator computer or anywhere on the network, or restore a configuration file to the device, or restore the firewall back to default factory settings. Entering the Settings window: Click Setting in the Administrator menu to enter the Settings window. The Firewall Configuration settings will be shown on the screen. Exporting FIREWALL VPN ROUTER Firewall settings. Step 1: Under Firewall Configuration, click on the Download button next to Export System Settings to Client. Step 2: When the File Download pop-up window appears, choose the destination place in which to save the exported file. Administrator may choose to rename the file if preferred. Importing Firewall settings. Step 1: Under Firewall Configuration, click on the Browse button next to Import System Settin
86. o create a new source address, please go to the Internal section under the Address menu. Destination Address: Select names of the internal networks from the drop-down list. The drop-down list contains the names of IP mapping addresses specified in the Mapped IP or the Virtual Server sections of the Virtual Server menu. To create a new destination address, please go to the Virtual Server menu. Please refer to Chapter 8 for Virtual Server for details. Service: Specified services provided by internal network servers. These are services (applications) that are allowed to pass from the External network to the Internal network. Choose ANY for all services. Action: Select Permit or Deny from the drop-down list to allow or reject the packets travelling between the specified external network and Virtual Server/Mapped IP. Logging: select Enable to enable flow monitoring. Statistics: select Enable to enable flow statistics. Alarm Threshold: set a maximum flow rate in KBytes/Sec. An alarm will be sent if flow rates are higher than the specified value. Step 3: Click OK to add new policy or click Cancel to cancel adding new incoming policy. Modifying Incoming Policy. Step 1: In the Incoming window, locate the name of policy desired to be modified and click its corresponding Modify option in the Configure field. Step 2: In the Modify Policy window, fill in new settings. Step 3: Click OK to save modifications or click Cancel to can
87. ol port of all connections. Entering the Traffic Log window: Click the Traffic Log option under the Log menu to enter the Traffic Log window. The table in
88. Modifying a Schedule. Step 1: In the Schedule window, find the policy to be modified and click the corresponding Modify option in the Configure field. Step 2: Make needed changes. Step 3: Click OK to save changes. Removing a Schedule. Step 1: In the Schedule window, find the policy to be removed and click the corresponding Remove option in the Configure field. Step 2: A confirmation pop-up box will appear; click on OK to remove the schedule. Policy. This section provides the Administrator with facilities to set control policies for packets with different source IP addresses, source ports, destination IP addresses and destination ports. Control policies decide whether packets from different network objects, network services and applications are able to pass through the Firewall. What is Policy? The FIREWALL VPN ROUTER uses policies
89. ork consists of server computers such as FTP, SMTP and HTTP (web). These server computers are put in the DMZ network so they can be isolated from the Internal (LAN) network traffic. Broadcast messages from the Internal network will not cross over to the DMZ network to cause congestion and slow down these servers. This allows the server computers to work efficiently without any slowdowns. IP Address: The private IP address of the Firewall's DMZ interface. This will be the IP address of the DMZ port. The IP address the Administrator chooses will be a private IP address and cannot use the same network as the External or Internal network. NetMask: This will be the netmask of the DMZ network. Multiple NAT. Multiple NAT allows local port to set multiple subnetworks and connect with the internet through different external IP Addresses. For instance: The lease line of a company applies several real IP Addresses (168.85.88.0/24), and the company is divided into R&D department, service, sales department, procurement department and accounting department; the company can distinguish each department by different subnetworks for the purpose of convenient management. The settings are as the following: 1. R&D department subnetwork: 192.168.1.11/24 (Internal) > 168.85.88.253 (External). 2. Service department subnetwork: 192.168.2.11/24 (Internal) > 168.85.88.252 (External). 3. Sales department subnetwork: 192.168.3.11/24 (Internal)
90. ption to the FIREWALL VPN ROUTER's To Firewall Packets Log. Once this function is enabled, every packet to this appliance will be recorded for the system manager to trace. Firewall Reboot. Select this option to the FIREWALL VPN ROUTER's Firewall Reboot. Once this function is enabled, the firewall will be rebooted. Step 1: Click Setting in the Administration menu to enter the settings window. Step 2: Reboot Firewall: Click Reboot. Step 3: A confirmation pop-up box will appear. Step 4: Follow the confirmation pop-up box; click OK to restart the firewall or click Cancel to discard changes.
91. r Deny from the drop-down list to allow or reject the packets travelling between the source network and the destination network. Logging: Select Enable to enable flow monitoring. Statistics: Select Enable to enable flow statistics. Alarm Threshold: set a maximum flow rate in KBytes/Sec. An alarm will be sent if flow rates are higher than the specified value. Step 3: Click OK to add a new outgoing policy or click Cancel to cancel adding a new outgoing policy. Modifying an Outgoing policy. Step 1: In the Outgoing policy section, locate the name of the policy desired to be modified and click its corresponding Modify option under the Configure field. Step 2: In the Modify Policy window, fill in new settings. Note: To change or add selections in the drop-down list for source or destination address, go to the section where the selections are set up (Source Address: Internal of Address menu; Destination Address: External of Address menu; Service: Pre-defined, Custom or Group under Service). Step 3: Click OK to confirm the modification or click Cancel to cancel it.
92. Event Alarm. Entering the Event Alarm window: Click the Event Alarm option below the Alarm menu to enter the Event Alarm window. The table in the Event Alarm window displays current traffic alarm logs for connections. Time: log time. Event (sample entry shown in the screenshot, May 1 04:28:37): Possible ICMP FLOOD from 211.22.93.138 00:02:3b:00:85:1c against 61.59.227.170 recieved 2 packets
93. rms passing through the Firewall. The Administrator can click Alarm on the left menu to get the logs of flow and event alarms of the specified policy.
94. Adding a DMZ Group. Step 1: In the DMZ Group window, click the New Entry button. Step 2: In the Add New Address Group window: Available Address list: names of all members of the DMZ. Selected Address list: names to assign to a new group. Step 3: Name: enter a name for the new group. Step 4: Add members: Select the names to be added from the Available Address list and click the Add >> button to add them to the Selected Address list. Step 5: Remove members: Select names to be removed from the Selected Address list and click the << Remove button to remove them from the Selected Address list. Step 6: Click OK to add the new group or click Cancel to discard changes. Modifying a DMZ Group. Step 1: In the DMZ Group window, locate the DMZ group to be modified and click its corresponding Modify button in the Configure field. Step 2: A window displaying information about the selected group appears. Available Address list: the names of all the members of the DMZ
95. s (applications) that are allowed to pass from the DMZ network to the External network. Choose ANY for all services. To add or modify these services, please go to the Service menu. Action: Select Permit or Deny from the drop-down list to allow or reject the packets travelling from the specified DMZ network to the external network. Logging: select Enable to enable flow monitoring. Statistics: click Enable to enable flow statistics. Alarm Threshold: set a maximum flow rate in KBytes/Sec. An alarm will be sent if the flow rate exceeds the specified value. Step 3: Click OK to add new policy or click Cancel to cancel adding. Modifying a DMZ To External policy. Step 1: In the DMZ To External window, locate the name of policy desired to be modified and click its corresponding Modify option in the Configure field. Step 2: In the Modify Policy window, fill in new settings. Note: To change or add selections in the drop-down list, go to the section where the selections are set up (Source Address: DMZ of Address; Destination Address: External; Service: Pre-defined Service, Custom or Group under Service). Step 3: Click OK to save modifications or click Cancel to cancel.
96. Removing a DMZ To External Policy. Step 1: In the DMZ To External window, locate the name of policy desired to be removed and click its corresponding Remove option in the Configure field. Step 2: In the Remove confirmation dialogue box, click OK. VPN. The FIREWALL VPN ROUTER Firewall's VPN (Virtual Private Network) is set by the System Administrator. The System Administrator can add, modify or remove VPN settings. What is VPN? To set up a Virtual Private Network (VPN), you don't need to configure an Access Policy to enable encryption. Just fill in the following settings: VPN Name, Source Subnet, Destination Gateway, Destination Subnet, Authentication Method, Preshare key, Encapsulation and IPSec lifetime. The firewalls on both ends must use the same Preshare key and IPSec lifetime to make a VPN connection. Autokey IKE. This chapter describes steps to create a VPN connection using Autokey IKE. Autokey IKE (Internet Key Exchange) provides a
97. same effect as the 50 control policies. Pre-defined. Entering a Pre-defined window: Click Service on the menu bar on the left side of the window. Click Pre-defined under it. A window will appear with a list of services and their associated IP addresses. This list cannot be modified. [Screenshot: Pre-defined service list] Custom. Entering the Custom window: Click Service on the menu bar on the left side of the window. Click Custom under it. A window will appear with a table showing all services currently defined by the Administrator. [Screenshot: Custom service table]
98. se for the internal host computer. Setup Examples. Example 1: Allow the Internal network to be able to access the Internet. Example 2: The Internal network can only access Yahoo.com website. Example 3: Outside users can access the internal FTP server through Virtual Servers. Example 4: Install a server inside the Internal network and have the Internet (External) users access the server through IP Mapping. Please see the explanation of the examples below. Example 1: Allow the Internal network to be able to access the Internet. Step 1: Enter the Outgoing window under the Policy menu. Step 2: Click the New Entry button on the bottom of the screen. Step 3: In the Add New Policy window, enter each parameter, then click OK. [Screenshot: Outgoing, Add New Policy window] Step 4: When the following screen appears, the setup is completed. [Screenshot: Outgoing policy table]
99. standard method to negotiate keys between two security gateways. For example, with two firewall devices, IKE allows new keys to be generated after a set amount of time has passed or a certain threshold of traffic has been exchanged. Accessing the Autokey IKE window: Click Autokey IKE under the VPN menu to enter the Autokey IKE window. The Autokey IKE table displays current configured VPNs. [Screenshot: Autokey IKE table] The fields in the Autokey IKE window are: Name: The VPN name to identify the VPN tunnel definition. The name must be different for the two sites creating the tunnel. Gateway IP: The external interface IP address of the remote Firewall. Destination Subnet: Destination network subnet. PSK/RSA: The IKE VPN must be defined with a Preshared Key. The Key may be up to 128 bytes long. Status: Connect/Disconnect or Connecting/Disconnecting. Configure: Connect, Disconnect, Modify and Delete. Adding the Autokey IKE. Step 1: Click the New Entry button and the VPN Auto Keyed Tunnel window will appear. [Screenshot: VPN Auto Keyed Tunnel window]
100. te enough IP addresses for all computers, an enterprise assigns each computer a private IP address and converts it into a real IP address through the Firewall's NAT (Network Address Translation) function. If a server which provides service to the external networks is located in the internal networks, outside users can't directly connect to the server by using the server's private IP address. The FIREWALL VPN ROUTER Firewall's Virtual Server can solve this problem. A virtual server has set the real IP address of the Firewall's external network interface to be the Virtual Server IP. Through the virtual server feature, the Firewall translates the virtual server's IP address into the private IP address of the physical server in the Internal (LAN) network. When outside users on the Internet request connections to the virtual server, the request will be forwarded to the private internal server. Virtual Server has another feature known as one-to-many mapping. This is when one virtual server IP address on the external interface can be mapped into 4 internal network server private IP addresses. This option is useful for Load Balancing, which causes the virtual server to distribute data packets to each of the private IP addresses (which are the real servers). By sending all data packets to all similar servers, this increases the server's efficiency, reduces risks of server crashes and enhances servers' stability. How to use Virtual Server and mapped IP. Virtual S
101. the Traffic Log window displays current System statuses. Time: The start time of the connection. Source: IP address of the source network of the specific connection. Destination: IP address of the destination network of the specific connection. Protocol & Port: Protocol type and Port number of the specific connection. Disposition: Accept or Deny. Downloading the Traffic Logs. The Administrator can back up the traffic logs regularly by downloading them to the computer. Step 1 Step 2 a specified eae on the hard drive [Screenshot: Traffic Log window]
102. the screen immediately. In the Modify Address window, fill in new addresses. Step 3: Click OK to save changes or click Cancel to discard changes. [Screenshot: External, Modify Address window] Removing an External Address. Step 1: In the External table, locate the name of the network to be removed and click the Remove option in its corresponding Configure field. Step 2: In the Remove confirmation pop-up box, click OK to remove the address or click Cancel to discard changes. [Screenshot: External address table with Remove confirmation box] External Group. Entering the External Group window: Click the External Group under the Address menu bar to enter the External window. The current settings for the external network group(s) will appear on the screen. [Screenshot: External Group window]
103. tify administrator by email with the traffic log and event log. Note: Before enabling this function, you have to enable E-mail Alarm in Administrator. Syslog Settings: If you enable this function, system will transmit the Traffic Log and the Event Log simultaneously to the server which supports Syslog function. Enable Log Mail Support & Syslog Message. Log Mail Configuration: Enable Log Mail Support. Step 1: First, go to Admin. Select Enable E-mail Alert Notification under E-Mail Settings. Enter the e-mail address to receive the alarm notification. Click OK. Step 2: Go to LOG, Log Report. Check to enable Log Mail Support. Click OK. System Settings: Enable Syslog Message. Step 3: Check to enable Syslog Message. Enter the Host IP Address and Host Port number to receive the Syslog message. Step 4: Click OK. [Screenshot: Log Report window with Log Mail Configuration and Syslog Settings] Disable Log Mail Support & Syslog Message. Step 1: Go to LOG, Log Report. Uncheck to disable Log Mail Support. Click OK. Step 2: Go to LOG, Log Report. Uncheck to disable Settings Message. Click OK. [Screenshot: Log Report window]
104. Removing a DNS Proxy. Step 1: In the DNS Proxy window, find the policy to be removed and click the corresponding Remove option in the Configure field. Step 2: A confirmation pop-up box will appear; click OK to remove the DNS Proxy or click Cancel. [Screenshot: DNS Proxy table] Dynamic DNS. The Dynamic DNS (requires a Dynamic DNS Service) allows you to alias a dynamic IP address to a static hostname, allowing your device to be more easily accessed by a specific name. When this function is enabled, the IP address in the Dynamic DNS Server will be automatically updated with the new IP address provided by the ISP. Click Dynamic DNS in the Configuration menu to enter the Dynamic DNS window. 1. The terms in the Dynamic DNS window: Update Status: Connecting, Update succeed, Update fail, Unidentified error. Domain name: Enter the password provided by ISP. WAN IP Address: IP Address of the WAN port. Modify: Modify dynamic DNS settings. Click Modify to change the DNS parameters; click Delete to delete the settings. 2. How to use dynamic DNS: The firewall provides 3 service providers; users have to register first to use this function. For t
105. to filter packets. The policy settings are: source address, destination address, services, permission, packet log, packet statistics and flow alarm. Based on its source addresses, a packet can be categorized into: (1) Outgoing: a client is in the internal networks while a server is in the external networks. (2) Incoming: a client is in the external networks while a server is in the internal networks. (3) To DMZ: a client is either in the internal networks or in the external networks while the server is in DMZ. (4) From DMZ: a client is in DMZ while the server is either in the internal networks or in the external networks. How do I use Policy? The policy settings are source addresses, destination addresses, services, permission, log, statistics and flow alarm. Among them, source addresses, destination addresses and IP mapping addresses have to be defined in the Address menu in advance. Services can be used directly in setting up policies if they are in the Pre-defined Service menu. Custom services need to be defined in the Custom menu before they can be used in the policy settings. If the destination address of an incoming policy is a Mapped IP address or a Virtual Server address, then the address has to be defined in the Virtual Server section instead of the Address section. Policy Directions. Step 1: In Address, set names and addresses of source networks and destination networks. Step 2: In Service, set services. Step 3: In Virtual Serv
106. [Screenshot: Firewall Reboot confirmation dialog] Date Time. [Screenshot: Date Time window] Step 1: Click System, then Date Time. Step 2: Click the down arrow to select the offset time from GMT. Step 3: Enter the Server IP Address or Server name with which you want to synchronize. Step 4: Update system clock every 0 minutes. You can set the interval time to synchronize with outside servers. If you set it to 0, it means the device will not synchronize automatically. Step 5: Synchronize system clock with this client. You can synchronize this Homing Gateway with this client computer by clicking the Sync button. Step 6: Click the OK button below to change the setting or click C
107. tup. On the left-hand menu, click on Administration and then select Administrator below it. The current list of Administrator(s) shows up. [Screenshot: Administrator list] Settings of the Administration table: Administrator Name: The username of Administrators for the firewall. The user admin cannot be removed. Privilege: The privileges of Administrators (Admin or Sub Admin). The username of the main Administrator is Administrator with read/write privilege. Sub Admins may be created by the Admin by clicking New Sub Admin. Sub Admins have read-only privilege. Configure: Click Modify to change the Sub Administrator's password and click Remove to delete a Sub Administrator. Adding a new Sub Administrator. Step 1: In the Administration window, click the New Sub Admin button to create a new Sub Administrator. Step 2: In the Add New Sub Administrator window: Sub Admin Name: enter the username of the new Sub Admin. Password: enter a password for the new Sub Admin. Confirm Password: enter the password again. Step 3: Click OK to add the user or click Cancel to cancel the addition. [Screenshot: Add New Sub Admin window]
108. Blocked URL site: When a user from the Internal network tries to access a blocked URL, the error below will appear. [Screenshot: browser window showing "This page is blocked"] General Blocking. To let Popup, ActiveX, Java, Cookie in or keep them out. Step 1: Click Content Filtering in the menu. Step 2: General Blocking detection functions: Popup filtering: Prevent the pop-up boxes appearing. ActiveX filtering: Prevent ActiveX packets. Java filtering: Prevent Java packets. Cookie filtering: Prevent Cookie packets. Step 3: After selecting each function, click the OK button below. [Screenshot: General Blocking window] When the system detects the setting, the firewall will spontaneously work. Virtual Server. The FIREWALL VPN ROUTER Office Firewall separates an enterprise's Intranet and Internet into internal networks and external networks respectively. Generally speaking, in order to alloca
109. urce networks which are specified in the External section of the Address menu, or all the external network addresses. Destination: destination networks which are IP Mapping addresses or Virtual Server network addresses created in the Virtual Server menu. Service: services supported by Virtual Servers (or Mapped IP). Action: control actions to permit or deny packets from external networks to Virtual Server/Mapped IP travelling through the FIREWALL VPN ROUTER. Option: specify the monitoring functions on packets from external networks to Virtual Server/Mapped IP travelling through the Firewall. Configure: modify settings or remove incoming policy. Move: this sets the priority of the policies, number 1 being the highest priority. Adding an Incoming Policy. Step 1: Under Incoming of the Policy menu, click the New Entry button. [Screenshot: Incoming, Add New Policy window] Step 2: Source Address: Select names of the external networks from the drop-down list. The drop-down list contains the names of all external networks defined in the External section of the Address menu. T