Planet Technology CS-500 User's Manual

Contents

1. 4.8.1.4 Log Backup. Click Log > Log Backup. [Screenshot: Monitor > Log > Log Backup, showing Log Mail Configuration (Enable Log Mail Support) and Syslog Setting (Enable Syslog Messages; Syslog Host IP Address, ex. 192.168.1.61; Syslog Host Port, range 0-65535, ex. 5147).] Log Mail Configuration: When the Log Mail files accumulate up to 300 KBytes, the router will notify the administrator by e-mail with the traffic log and event log. NOTE: Before enabling this function, you have to configure E-mail Settings in System > Settings. Syslog Settings: If you enable this function, the system will transmit the Traffic Log and the Event Log simultaneously to the server which supports the Syslog function. NOTE: To restart the Connection Log, click the Refresh button on the right-hand side in the Log window. Enable Log Mail Support & Syslog Message. Log Mail Configuration: Enable Log Mail Support. Step 1: First, go to Admin. Select Enable E-mail Alert Notification under E-Mail Settings. Enter the e-mail address to receive the alarm notification. Click OK. S
2. [Screenshot: System > Configure > Setting, showing E-mail Address 1, Mail Test, MTU Setting (1500 bytes), Link Speed / Duplex Mode Setting (Auto Mode, 10M Half Duplex, 10M Full Duplex, 100M Half Duplex, 100M Full Duplex) and Dynamic Routing (RIPv2) with Enable for LAN, WAN and DMZ, the routing information update timer and the routing information timeout.] Dynamic Routing (RIPv2): Enable Dynamic Routing (RIPv2) and the CS-500 will advertise an IP address pool to the specific network so that the address pool can be provided to the network. You can choose to enable the LAN, WAN or DMZ interface to support the RIP protocol. Routing information update timer: The CS-500 will send out RIP messages periodically to update the routing table; the default timer is 30 seconds. Routing information timeout: If the CS-500 does not receive RIP messages from the other router within a period of time, the CS-500 will cut off the routing automatically until it receives RIP messages again. The default timer is 180 seconds. [Screenshot: System > Configure > Setting, showing SMTP Server (ex. mail.mydomain.com), E-mail Address 1 and Mail Test.]
3. Authentication Only. Step 7: Choose GROUP 2 as the Perfect Forward Secrecy setting, and leave the default setting of 28800 seconds in IPSec Lifetime and 3600 seconds for ISAKMP Lifetime. Step 8: Select main mode as the algorithm. Step 9: Click OK to finish the IPSec Autokey setting of Company A. [Screenshot: Policy Object > VPN > IPSec Autokey.] Step 10: Click Tunnel and press New Entry to configure the further setting. Step 11: Enter Site_A as the new tunnel name and select the LAN interface as the VPN source. Fill in the LAN IP subnet 192.168.10.0 with subnet mask IP 255.255.255.0. Step 12: In the To Destination table, select Remote Client. Step 13: In IPSec / PPTP Setting, select VPN_A as the available tunnel. Step 14: Click OK to finish the Tunnel setting of Company A. [Screenshot: Policy Object > VPN > Tunnel, Source Subnet 192.168.10.0, Destination Subnet Remote Client.] Step 15: Enable the Tunnel setting in the Incoming Policy. [Screenshot: Modify Policy.]
4. Step 2: Click Logout to log out of the Content Security Gateway. Step 3: Click OK to log out, or click Cancel to discard the change. [Screenshot: System > Logout, with the confirmation dialog "Are you sure you want to logout?"] 4.2 Interface. In this section the Administrator can set up the IP addresses for the office network. The Administrator may configure the IP addresses of the LAN network, the WAN network and the DMZ network. The netmask and gateway IP addresses are also configured in this section. 4.2.1 LAN. Entering the Interface menu: Click on Interface in the left menu bar, then click on LAN below it. The current settings of the interface addresses will appear on the screen. [Screenshot: Interface > LAN, showing LAN Interface IP Address, Netmask 255.255.255.0 and Enable Ping / HTTP.] Configuring the Interface Settings: Using the LAN Interface, the Administrator sets up the LAN network. The LAN network will use a private IP scheme. The private IP network will not be routable on the Internet. IP Address: The private IP address of the Content Security Gateway's LAN network is the IP address of the LAN port of the device. The default IP address is 192.168.1.1. If the new LAN IP
5. [Screenshot: Policy > Outgoing.] Please make sure that all the computers that are connected to the LAN port have their Default Gateway IP Address set to the Content Security Gateway's LAN IP Address (i.e. 192.168.1.1). At this point, all the computers on the LAN network should gain access to the Internet immediately. If a Content Security Gateway filter function is required, please refer to the Policy section in chapter 4. Chapter 4 Web Configuration. 4.1 System. The Content Security Gateway Administration and monitoring configuration is set by the System Administrator. The System Administrator can add or modify System settings and monitoring mode. The sub-Administrators can only read System settings but not modify them. In System, the System Administrator can: 1. Add and change the sub-Administrators' names and passwords. 2. Back up all Content Security Gateway settings into local files. System is the managing of settings such as the privileges of packets that pass through the Content Security Gateway and monitoring controls. Administrators may manage, monitor and configure Content Security Gateway settings. All configurations are read-only for all users other than the Administrator; those users are not able to change any settings for the Content Security Gateway. System settings can be divided into two parts: Administration, Configure and Logo
6. Step 3: Name: enter a name for the new group. Step 4: Add members: Select the names to be added from the Available address list, and click the Add >> button to add them to the Selected address list. Step 5: Remove members: Select names to be removed from the Selected address list, and click the << Remove button to remove them from the Selected address list. Step 6: Click OK to add the new group, or click Cancel to discard changes. [Screenshot: Policy Object > Address > DMZ Group, Add New Address Group, with the Available address and Selected address lists.] Modifying a DMZ Group. Step 1: In the DMZ Group window, locate the DMZ group to be modified and click its corresponding Modify button in the Configure field. Step 2: A window displaying information about the selected group appears. Available address list: the names of all the members of the DMZ. Selected address list: the names of the members that have been assigned to this group. Step 3: Add members: Select names to be added from the Available address list, and click the Add >
7. [Screenshot: A specific IP Subnet, with IP address and subnet mask 255.255.255.0.] Step 47: Click Next. [Screenshot: Filter Wizard, IP Protocol Type: select the IP protocol type; if this type is TCP or UDP, you will also specify the source and destination ports.] Step 48: Please enable Edit properties and click Finish. [Screenshot: IP Filter Wizard, Completing the IP filter wizard, with the Edit properties check box.] Step 49: Please don't enable Mirrored, and click OK. [Screenshot: Filter Properties, Addressing tab: Source address My IP Address; Destination address A specific IP Subnet, IP address 192.168.10.0, subnet mask 255.255.255.0; Mirrored: also match packets with the exact opposite source and destination addresses.] Step 50: Click OK. [Screenshot: IP Filter List.]
8. [Screenshot: Anti-Spam > Training, showing Spam Mail for Training and Ham Mail for Training (import from client; free space for training 876 KBytes), Spam Account for Training and Ham Account for Training (POP3 Server, ex. my_domain.com; User name, ex. spam / ham; Password; Account test), and the training schedule with a Training NOW button.] Example: How to train mail into the CS-500. STEP 1: Create a new folder, SpamMail, in Outlook Express. Press the right key of the mouse and select New Folder. In the Create Folder WebUI, enter the Folder's Name as SpamMail, and then click on OK. [Screenshot: Outlook Express Create Folder dialog, Folder name SpamMail.] STEP 2: In Inbox (Outlook Express), move spam mail to the SpamMail folder. In Inbox, select all of the s
9. Direction: From: to judge the sending address of the mail. To: to judge the receiving address of the mail. Auto-Training: Select Enable to allow the Auto-Training system to update the CS-500's database. Adding a new Whitelist. Step 1: Click on the New Entry button and the Whitelist window will appear. Step 2: Fill in the appropriate settings for the related information. Step 3: Click OK to save the policy, or Cancel to cancel. [Screenshot: Mail Security > Anti-Spam > Whitelist.] Modifying a Whitelist. Step 1: In the Whitelist window, find the policy to be modified and click the corresponding Modify option in the Configure field. Step 2: Make the necessary changes. Step 3: Click OK to save changes, or click on Cancel to cancel modifications. [Screenshot: Mail Security > Anti-Spam > Whitelist, Modify Whitelist, with Direction and Auto-Training fields.] Removing a Whitelist. Step 1: In the Rule window, find the policy to be removed and click the corresp
10. [Screenshot: IP Security Policy Wizard introduction.] Step 9: Enter the Name of this VPN and optionally give it a brief description. [Screenshot: IP Security Policy Wizard, IP Security Policy Name.] Step 10: Disable Activate the default response rule, and click Next. [Screenshot: IP Security Policy Wizard, Requests for Secure Communication: the default response rule responds to remote computers that request security when no other rule applies.] Step 11: Complete the IP Security Policy setting and click Finish. Enable Edit properties. [Screenshot: IP Security Policy Wizard, Completing the IP Security policy wizard, with the Edit properties check box.] Step 12: In the window, click Add and click Use Add Wizard. [Screenshot: IPSec Properties.]
11. [Screenshot: Policy > DMZ To WAN, with columns Source, Destination, Service, Action, Option, Configure and Move.] The fields in the DMZ To WAN window are: Source: Source network addresses which are specified in the DMZ section of the Address window. Destination: Destination networks, which is the WAN network address. Service: Services supported by servers of WAN networks. Action: Control actions to permit or deny packets from the DMZ network to WAN networks travelling through the Content Security Gateway. Option: Specify the monitoring functions on packets from the DMZ network to WAN networks travelling through the Content Security Gateway. Configure: Modify settings or remove policies. Move: This sets the sequence of the policies, number 1 being the first policy to proceed. Adding a DMZ To WAN Policy. Step 1: Click the New Entry button and the Add New Policy window will appear. [Screenshot: Policy > DMZ To WAN, Add New Policy, with Comment (max. 32 characters), Source Address, Destination Address, Schedule, Authentication User, Traffic Log, Statistics and Content Blocking.]
12. [Screenshot: System > Configure > DHCP, Dynamic IP Address Setting, showing Subnet, Netmask, Gateway, Broadcast, Enable DHCP Support, Domain Name, Automatically Get DNS, DNS Server 1 and 2, WINS Server 1 and 2, LAN Interface Client IP Range 1 and 2, DMZ Interface Client IP Range 1, and Leased Time (hours).] Dynamic IP Address functions: Subnet: LAN network's subnet. Netmask: LAN network's netmask. Gateway: LAN network's gateway IP address. Broadcast: LAN network's broadcast IP address. Enabling DHCP Support. Step 1: In the Dynamic IP Address window, click Enable DHCP Support. Domain Name: The Administrator may enter the name of the LAN network domain if preferred. Automatically Get DNS: Check this box to automatically detect the DNS server. DNS Server 1: Enter the distributed IP address of DNS Server 1. DNS Server 2: Enter the distributed IP address of DNS Server 2. WINS Server 1: Enter the distributed IP address of WINS Server 1. WINS Server 2: Enter the distributed IP address of WINS Ser
13. Step 2: In the Modify Static Route window, modify the necessary routing addresses. Step 3: Click OK to apply changes, or click Cancel to cancel it. [Screenshot: System > Configure > Route Table, Modify Static Route.] Removing a Static Route. Step 1: In the Route Table window, find the route to remove and click the corresponding Remove option in the Configure field. Step 2: In the Remove confirmation pop-up box, click OK to confirm removing, or click Cancel to cancel it. [Screenshot: System > Configure > Route Table, with the confirmation dialog "Are you sure you want to remove?"] 4.1.8 DHCP. In this section the Administrator can configure DHCP (Dynamic Host Configuration Protocol) settings for the LAN network. Entering the DHCP window: Click System on the left-hand side menu bar, then click DHCP below the Configure menu. The DHCP window appears, in which current DHCP settings are shown on the screen.
14. This function allows the Content Security Gateway to dial up to a remote PPTP server and access the network resources on the remote network. Entering the PPTP Client window. Step 1: Select VPN > PPTP Client. [Screenshot: Policy Object > VPN > PPTP Client.] User Name: Displays the PPTP Client user's name for authentication. Server IP or Domain Name: Displays the PPTP Server's IP address or domain name. Encryption: Displays the PPTP Client Encryption, ON or OFF. Uptime: Displays the connection time between the PPTP Server and Client. Configure: Click Modify to modify the PPTP Client settings, or click Remove to remove the item. Adding a PPTP Client. Step 1: Select VPN > PPTP Client. [Screenshot: Policy Object > VPN > PPTP Client, Add New PPTP Client, with User name, Password, Server IP or Domain Name and Encryption fields.] Step 2: Configure the parameters. User name: Specify the PPTP client. This should be unique. Password: Specify the
15. Using the WAN Interface, the Administrator can set up the WAN network. These IP addresses are real public IP addresses and are routable on the Internet. For PPPoE (ADSL User): This option is for PPPoE users who are required to enter a username and password in order to connect, such as ADSL users. Current Status: Displays the current line status of the PPPoE connection. IP Address: Displays the IP address of the PPPoE connection. Username: Enter the PPPoE username provided by the ISP. Password: Enter the PPPoE password provided by the ISP. IP Address provided by ISP: Dynamic: Select this if the IP address is automatically assigned by the ISP. Fixed: Select this if you were given a static IP address. Enter the IP address that is given to you by your ISP. Max. Upstream / Downstream Bandwidth: The bandwidth provided by the ISP. Service-On-Demand: Auto Disconnect: The PPPoE connection will automatically disconnect after a length of idle time (no activities). Enter the amount of idle minutes before disconnection. Enter 0 if you do not want the PPPoE connection to disconnect at all. Ping: Select this to allow the WAN network to ping the IP address of the Content Security Gateway. This will allow people from the Internet to be able to ping the Content Security Gateway. If it is set to enable, the device will respond to echo request packets from the WAN network. HTTP: Select this to allow the device We
16. write privilege. Sub Admin may be created by clicking New Sub Admin. Sub Admin have read-only privilege. Configure: Click Modify to change the Sub Admin password, and click Remove to delete a Sub Admin. Changing the Main / Sub Admin's Password. Step 1: The Modify Admin Password window will appear. Enter the required information: Password: enter the original password. New Password: enter the new password. Confirm Password: enter the new password again. Step 2: Click OK to confirm the password change, or click Cancel to cancel it. [Screenshot: System > Administration > Admin, Modify Admin Password.] Adding a new Sub Admin. Step 1: In the Add New Sub Admin window: Sub Admin Name: enter the username of the new Sub Admin. Password: enter a password for the new Sub Admin. Confirm Password: enter the password again. Step 2: Click OK to add the user, or click Cancel to cancel the addition. [Screenshot: System > Administration > Admin, Add New Sub Admin.] Removing a Sub Admin. Step 1: In the Administration table, locate the Admin name you want to edit and click on the Re
17. [Screenshot: Policy Object > Address > DMZ, with columns IP / Netmask and MAC Address.] Removing a DMZ Address. Step 1: In the DMZ window, locate the name of the network to be removed and click the Remove option in its corresponding Configure field. Step 2: In the Remove confirmation pop-up box, click OK to remove the address, or click Cancel to discard. [Screenshot: Policy Object > Address > DMZ, with the confirmation dialog "Are you sure you want to remove?"] 4.3.1.6 DMZ Group. Entering the DMZ Group window: Click DMZ Group under the Address menu to enter the DMZ window. The current settings information for the DMZ group appears on the screen. [Screenshot: Policy Object > Address > DMZ Group, with columns Name, Member and Configure.] Adding a DMZ Group. Step 1: In the DMZ Group window, click the New Entry button. Step 2: In the Add New Address Group window: Available address list: names of all members of the DMZ. Selected address list: names to assign to a new group.
18. [Screenshot: IPSec Autokey list.] Step 10: Click Tunnel and press New Entry to configure the further setting. Step 11: Enter Site_B as the new tunnel name and select the LAN interface as the VPN source. Fill in the LAN IP subnet 192.168.20.0 with subnet mask IP 255.255.255.0. Step 12: In the To Destination table, fill in company B's subnet IP and mask, 192.168.10.0 and 255.255.255.0 respectively. Step 13: In IPSec / PPTP Setting, select VPN_B as the available tunnel. Step 14: Fill in company A's gateway IP, 192.168.10.1, in Keep alive IP to keep the VPN tunnel connected. Step 15: Click OK to finish the Tunnel setting of Company B. [Screenshot: Policy Object > VPN > Tunnel, Source Subnet 192.168.20.0, Destination Subnet 192.168.10.0.] Step 16: If you want to configure a bi-directional VPN connection, you should enable the Tunnel setting in the Outgoing and Incoming Policy. [Screenshot: Policy > Outgoing.] Example 2: Create a VPN connection between the Content Security Gateway and a Windows XP Professional VPN Client. Preparation Task: Company A: External IP is 210.66.155.90, Internal IP is 192.168
19. [Screenshot: Add New Policy, including MAX. Concurrent Sessions (range 1-99999, 0 means unlimited).] Step 2: Configure the parameters. Source Address: Select the name of the DMZ network from the drop-down list. The drop-down list will contain names of DMZ networks defined in the DMZ section of the Address menu. To add a new source address, please go to the DMZ section under the Address menu. Destination Address: Select the name of the WAN network from the drop-down list. The drop-down list lists names of addresses defined in the WAN section of the Address menu. To add a new destination address, please go to the WAN section of the Address menu. Service: Select a service from the drop-down list. The drop-down list will contain services defined in the Custom or Group section under the Service menu. These are services / applications that are allowed to pass from the DMZ network to the WAN network. Choose ANY for all services. To add or modify these services, please go to the Service menu. Schedule: Select the item listed in the schedule to enable the policy to automatically execute the function in a certain time and range. Authentication User: Select the item listed in the Authentication User to enable the policy to automatically execute the function in a certain time and range. Tunnel: Select the specific VPN tunnel to enable the VPN traffic in the Policy rule. Action: Select Permit or Deny ALL from the drop-down list to allow or reject th
20. ICMP Flood, UDP Flood, Blaster Alert. Scanning Mail Settings: The allowed size of scanned mail: 10-512 KBytes. Anti-Virus: E-mail attachment virus scanning by SMTP, POP3; inbound scanning for internal and external mail server; action of infected mail: delete, deliver to the recipient, forward to a specific account; automatic or manual update of the virus database. Anti-Spam: Inbound scanning for external and internal mail server; check sender address in RBL; black list and white list support; auto-training system; action of spam mail: delete, deliver to the recipient, forward to a specific account. Anomaly: Syn Flood, UDP Flood, ICMP Flood and more. Pre-defined: Backdoor, DDoS, DoS, Exploit, NetBIOS and Spyware. Custom: User-defined, based on TCP, UDP, ICMP or IP protocol. Policy rules with inbound / outbound traffic management; guaranteed and maximum bandwidth; scheduled in units of 30 minutes; 3 priorities. User Authentication: Built-in user database with up to 500 entries; supports local database, RADIUS and POP3 authentication. QoS. Log can be saved from the web, sent by e-mail or sent to a syslog server. Statistics for WAN interface and policies; graphic display. Others: Dynamic DNS, NTP support, DHCP server, Virtual server, Mapping IP, DMZ. Chapter 2 Hardware Installation. 2.1 Installation Requirements. Before installing the Content Security Gateway, make
21. the end user's main DNS server IP address should be the same IP address as the device. Click on System in the menu bar, then click on Host Table below the Configure menu. The Host Table window will appear. [Screenshot: System > Configure > Host Table, with columns Host Name and Virtual IP Address.] Below is the information needed for setting up the Host Table. Host Name: The domain name of the server. Virtual IP Address: The virtual IP address respective to the Host Table. Configure: modify or remove each Host Table policy. Adding a new Host Table. Step 1: Click on the New Entry button and the Add New Host Table window will appear. Step 2: Fill in the appropriate settings for the domain name and virtual IP address. Step 3: Click OK to save the policy, or Cancel to cancel. [Screenshot: System > Configure > Host Table, Add New Host Table.] Modifying a Host Table. Step 1: In the Host Table window, find the policy to be modified and click the corresponding Modify option in the Configure field. Step 2: Make the necessary changes ne
22. the file must be in ASCII form. 2. When the training file of the CS-500 is a Microsoft Office Outlook exporting file (.pst), Microsoft Office Outlook has to be closed first to start importing. STEP 6: Remove all of the mails in the SpamMail file in Outlook Express, so that new mails can be compressed and uploaded to the CS-500 for training directly next time. Select all of the mails in the SpamMail file and press the right key of the mouse to select the Delete function. Make sure that all of the mails in the SpamMail file have been deleted completely. [Screenshots: Outlook Express SpamMail folder.] 4.5.2.6 Spam Mail. This item will show the top chart that represents the received and sent spam mail from recipient. In the Top Total Spam report, you can choose to display the scanned mails that are sent to the Internal Mail Server or received
23. [Screenshot: login dialog for 192.168.1.1, with User name admin, Password and Remember my password.] 3.2 Configure WAN interface. After entering the username and password, the Content Security Gateway WEB UI screen will display. Select the Interface tab on the left menu, then click on WAN below it. Click on the Modify button of WAN; the following page is shown. [Screenshot: Interface > WAN, WAN Interface, with the options PPPoE (ADSL User), Dynamic IP Address (Cable Modem User), Static IP Address and PPTP (European User Only), and the fields IP Address, Netmask, Default Gateway, DNS Server 1, Max. Downstream Bandwidth (Max. 30 Mbps), Max. Upstream Bandwidth (Max. 30 Mbps) and Enable Ping / HTTP.] PPPoE (ADSL User): This option is for PPPoE users who are required to enter a username and password in order to connect. Username: Enter the PPPoE username provided by the ISP. Password: Enter the PPPoE password provided by the ISP. IP Address provided by ISP: Dynamic: Select this if the IP address is automatically assigned by the ISP. Fixed: Select this if you were given a static IP address. Enter the IP address that is given to you by your ISP. Service-On-Demand: The PPPoE connection will automatically disconnect after a length of idle time (no activities). Enter in the amount of i
24. [Screenshot: Policy Object > Virtual Server, service configuration, Service HTTP (80).] Click OK to execute the change of the virtual server, or click Cancel to discard changes. NOTE: If the destination Network in Policy has set a virtual server, it will not be possible to change or configure this virtual server; you have to remove this configuration of Policy, and then you can execute the modification or configuration. Removing the Virtual Server service. Step 1: In the Virtual Server window's service table, locate the name of the service to be removed and click its corresponding Remove option in the Configure field. Step 2: In the Remove confirmation pop-up box, click OK to remove the service, or click Cancel to cancel removing. [Screenshot: Policy Object > Virtual Server > Server 1, with Virtual Server Real IP, WAN Port, Server Virtual IP (192.168.1.20, 192.168.1.21, 192.168.1.22, 192.168.1.23) and Configure columns, and the confirmation dialog "Are you sure you want to remove?"] NOTE: If the destination Network in Policy has set a virtual server, it will not be able to change or configure this virtual server u
25. 3 Click OK to add the Multiple Subnet, or click Cancel to discard changes. [Screenshot: System > Configure > Multiple Subnet, Add New Multiple Subnet IP, with Forwarding Mode NAT / Routing.] Modify a Multiple Subnet. Step 1: Find the IP address you want to modify and click Modify. Step 2: Enter the new IP address in the Modify Multiple Subnet window. Step 3: Click the OK button below to change the setting, or click Cancel to discard changes. [Screenshot: System > Configure > Multiple Subnet, Modify Multiple Subnet IP, with Interface (LAN / DMZ), Alias IP of Interface 192.168.2.1, Netmask 255.255.255.0, WAN Interface IP and Forwarding Mode NAT / Routing.] Removing a Multiple Subnet. Step 1: Find the IP address you want to delete and click Delete. Step 2: A confirmation pop-up box will appear; click OK to delete the setting, or click Cancel to discard changes.
26. Removing a Virtual Server
Step 1: Click the virtual server to be removed in the corresponding Virtual Server option under the Virtual Server menu bar. A new window displaying the virtual server's IP address and service appears on the screen.
Step 2: Click the Virtual Server's IP Address button at the top of the screen.
Step 3: Delete the IP address.
Step 4: Click OK to remove the virtual server.
Setting the Virtual Server's services
Step 1: For the Virtual Server which has already been set up with an IP address, click the New Service button in the table.
Step 2: In the Virtual Server Configurations window:
Virtual Server Real IP: displays the WAN IP address assigned to the Virtual Server.
Service Port: select the service from the pull-down list that will be provided by the Real Server (Load Balance Server).
External Service Port: Input the port number that the virtual server will use. Changing the Service will change the port number to match the service.
Load Balance Server: The internal serve
27. Cancel to cancel modifications.
Modifying PPTP Server
Step 1: Select VPN > PPTP Server.
Step 2: In the PPTP Server window, find the PPTP server that you want to modify. Click Configure and click Modify.
Step 3: Enter appropriate settings.
Step 4: Click OK to save modifications, or click Cancel to cancel modifications.
Removing PPTP Server
Step 1: Select VPN > PPTP Server.
Step 2: In the PPTP Server window, find the PPTP server that you want to modify. Click Configure and click Remove.
Step 3: Click OK to remove the PPTP server, or click Cancel to exit without removing.
4.3.8.3 PPTP Client
28. Definition
Virus Scan Engine: Select Clam to enable the Anti-virus function, or select Disable to disable it.
The Mail Server is placed in Internal (LAN or DMZ) or External (WAN): Select the location of the mail server.
Add the message to the subject line: If a mail has been identified as virus mail, CS-500 will add a message to the mail's subject. You can configure the message you want; by default it will add VIRUS to the subject.
Update virus definitions immediately: Press Update Now to update the CS-500 virus database.
Action of Infected Mail: When CS-500 filters an infected mail, there are three kinds of actions for Internal Mail Server and one action for External Mail Server to handle the infected mail.
Delete the virus mail: If this option is selected, the virus mail will be deleted without any notification.
Deliver to the recipient: This action is available for both the Internal Mail Server and External Mail Server settings.
Deliver a notification mail instead of the original virus mail: The recipient will only receive a notification, and the virus mail will be deleted.
Deliver the original virus mail: The recipient will receive the original virus mail; the virus will not be handled, but CS-500 will add a VIRUS message to the subject.
Forward to: You can configure CS-500 to forward virus mail to a specific mail account, which makes it easier to manage the infected mail.
4.5.3.2 Virus Ma
29. Anomaly Flow IP Settings
Enable Anomaly Flow IP Blocking: Select this option to enable the Anomaly Flow IP blocking function. Once an Anomaly Flow IP attack is detected, it will block the connection for the user-defined blocking time.
Enable E-mail Alert Notification: When an Anomaly Flow IP attack is detected, send an alert e-mail to the administrator using the e-mail address defined in System > Setting.
Enable NetBIOS Alert Notification: When an Anomaly Flow IP attack is detected, send an alert message to the administrator using the Net send command.
After enabling the needed options, click OK to activate the changes.
4.8 Monitor
CS-500 provides a variety of information that can be used to check the status.
4.8.1 Log
The Content Security Gateway supports traffic logging and event logging to monitor and record services, connection times, and the source and destination network address. The Administrator may also download the log files for backup purposes. The Administrator mainly uses the Log menu to monitor the traffic passing through the Content Security Gateway.
What is Log? Log records all connections that pass through the Content Security Gateway's control policies. Traffic log s
30. Removing the Outgoing Policy
Step 1: In the Outgoing policy section, locate the name of the policy to be removed and click its corresponding Remove option in the Configure field.
Step 2: In the Remove confirmation dialogue box, click OK to remove the policy, or click Cancel to cancel the removal.
4.4.2 Incoming
This section describes steps to create policies for packets and services from the WAN network to the LAN network, including Mapped IP and Virtual Server.
Enter Incoming window
Step 1: Click Incoming under the Policy menu to enter the Incoming window. The Incoming table will display currently defined policies from the WAN network to the assigned Mapped IP or Virtual Server.
31. LAN user to WAN server.
Upstream: The percentage of upstream and the statistic value of the connection from WAN server to LAN user.
First Packet: The time record of the first packet that was sent to LAN user from WAN service server.
Last Packet: The time record of the last packet sent from LAN user and received by the WAN server.
Duration: The time statistic record that started from the first packet and ended with the last packet.
Total Traffic: CS-500 will record the sum of upstream/downstream packets from LAN user to WAN service server.
Outbound Service Accounting Report
Pull down the menu and select Service to show the outbound service accounting report.
When LAN users connect to a WAN Service Server through CS-500, all of the Downstream, Upstream, First Packet, Last Packet and Duration log of the Communication Service will be recorded.
Definitions
Top: Select the data type you want to check. It presents 10 results in one page.
Service: The report of Communication Service when LAN users connect to a WAN service server through CS-500. Port indicates the protocol port number.
Downstream: The percentage of downstream and the statistic value of the connection from WAN server to LAN user.
Upstream: The percentage of up
32. Name Server DNS: This is the IP address of the DNS server.
For PPTP (European User Only): This is mainly used in Europe. You need to know the PPTP Server address as well as your name and password.
User Name: The user name is provided by the ISP.
Password: The password is provided by the ISP.
IP Address: Enter the static IP address assigned to you by your ISP, or obtain an IP address automatically from the ISP.
PPTP Gateway: Enter the PPTP server IP address assigned to you by your ISP.
Connect ID: This is the ID given by the ISP. This is optional.
BEZEQ ISRAEL: Select this item if you are using the service provided by BEZEQ in Israel.
Service On Demand: The PPPoE connection will automatically disconnect after a length of idle time (no activities). Enter the number of idle minutes before disconnection. Enter 0 if you do not want the PPPoE connection to disconnect at all.
Ping: Select this to allow the WAN network to ping the IP address of the Content Security Gateway. This will allow people from the Internet to ping the Content Security Gateway. If set to enable, the device will respond to echo request packets from the WAN network.
WebUI: Select this to allow the device WebUI to be accessed from the WAN network. This will allow the WebUI to be configured by a user on the Internet. Keep in mind that the device always requires a username and password to enter the WebUI.
3.3 Configure DMZ interface
Depends on your network requirement
33. Netscape 4.0 or above, with full JavaScript support. The default IP address of the Content Security Gateway is 192.168.1.1 with a subnet mask of 255.255.255.0. Therefore, the IP address of the Administrator PC must be in the range between 192.168.1.2 and 192.168.1.254. If the company's LAN IP address is not in the 192.168.1.0 subnet (i.e. the LAN IP address is 172.16.0.1), then the Administrator must change his/her PC IP address to be within the same range as the LAN subnet (i.e. 172.16.0.2). Reboot the PC if necessary.
By default, the Content Security Gateway is shipped with its DHCP Server function enabled. This means the client computers on the LAN network, including the Administrator PC, can set their TCP/IP settings to automatically obtain an IP address from the Content Security Gateway.
The following table is a list of private IP addresses. These addresses may not be used as a WAN IP address.
10.0.0.0 - 10.255.255.255
172.16.0.0 - 172.31.255.255
192.168.0.0 - 192.168.255.255
STEP 2: Once the Administrator PC has an IP address on the same network as the Content Security Gateway, open an Internet web browser and type http://192.168.1.1 in the address bar. A pop-up screen will appear and prompt for a username and password. A username and password is required to connect to the Content Security Gateway. Enter the default login username and password of the Administrator (see below).
Username: admin
Password: admin
Click OK. Connect to
34. PPTP client password.
Server IP or Domain Name: Enter the PPTP Server's IP address.
Encryption: Enable or disable the encryption.
NAT (Connect to Windows PPTP Server): Select this function to set up the connection between the PPTP VPN Client of CS-500 and a Windows PPTP Server.
Modifying PPTP Client
Step 1: Select VPN > PPTP Client.
Step 2: In the PPTP Client window, find the PPTP server that you want to modify and click Modify.
Step 3: Enter appropriate settings.
Step 4: Click OK to save modifications, or click Cancel to cancel modifications.
Removing PPTP Client
Step 1: Select VPN > PPTP Client.
Step 2: In the PPTP Client window, find the PPTP client that you want to modify and click Remove.
Step 3: Click OK to remove the PPTP client, or click Cancel to exit without removal.
4.3.8.4 Tunnel
This function allows the related information for the local and remote VPN devices to be configured, then to selec
35. Security Gateway, Model CS-500, Rev 3.0 (May 2006), Part No. EM CS500v3
Content Security Gateway User's Manual
Table of Contents
CHAPTER 1 INTRODUCTION
1.2 Package Contents
1.3 Content Security Gateway Front View
1.4 Content Security Gateway Rear Panel
1.5 Specification
CHAPTER 2 HARDWARE INSTALLATION
2.1 Installation Requirements
2.2 Operation Mode
2.2.1 Transparent Mode Connection Example
2.2.2 NAT Mode Connecting Example
CHAPTER 3 GETTING STARTED
3.1 Web Configuration
3.2 Configure WAN Interface
3.3 Configure DMZ Interface
3.4 Configure Policy
CHAPTER 4 WEB CONFIGURATION
4.1 System
Software Update
Route Table
4.2 Interface
36. Step 4: Enter the Add/Remove Embedded Management Option window and click Add. In the Add/Remove Embedded Management Option window, click Add to add Create IP Security Policy.
Step 5: Choose Local Machine (L) to finish the Add setting.
37. The Virtual Server's load balance feature can map a specific service request to different physical servers running the same services.
Virtual Server can only map one real IP to one service port of the LAN physical servers, while Mapped IP maps one real IP to all the services offered by the physical server.
IP mapping and Virtual Server work by binding the IP address of the WAN virtual server to the private LAN IP address of the physical server that supports the services. Therefore, users from the WAN network can access servers of the LAN network by requesting the service from the IP address provided by Virtual Server.
4.3.7.1 Mapped IP
Internal private IP addresses are translated through NAT (Network Address Translation). If a server is located in the LAN network, it has a private IP address, and outside users cannot connect directly to the LAN server's private IP address. To connect to a LAN network server, outside users have to first connect to a real IP address of the WAN network, and the real IP is translated to a private IP of the LAN network. Mapped IP and Virtual Server are the two methods to translate the real IP into a private IP. Mapped IP maps IPs in a one-to-one fashion; that means all services of one real WAN IP address are mapped to one private LAN IP address.
Entering the Mapped IP window
Step 1: Click Mapped IP under the Virtual Server menu bar and the Mapped IP configu
38. Traffic: CS-500 will record the sum of upstream/downstream packets from LAN host to WAN host.
Inbound Service Accounting Report
Pull down the menu and select Service to show the inbound service accounting report.
When a WAN host connects to a LAN host through CS-500, all of the Downstream, Upstream, First Packet, Last Packet and Duration log of the Communication Service will be recorded.
Definitions
Top: Select the data type you want to check. It presents 10 results in one page.
Service: The report of Communication Service when a WAN host connects to a LAN host through CS-500. Port indicates the protocol port number.
Downstream: The percentage of downstream and the statistic value of the connection from WAN host to LAN host via CS-500.
Upstream: The percentage of upstream and the statistic value of the connection from LAN host to WAN host via CS-500.
First Packet: The time record of the first packet that was sent to LAN host from WAN host.
Last Packet: The time record of the last packet sent to LAN host from WAN host.
Duration: The time statistic record that started from the first packet and ended with the last packet.
Total Traffic: CS-500 will record the sum of upstream/downstream packets from WAN host to L
39. URL policy
Step 1: After clicking New Entry, the Add New URL String window will appear.
Step 2: Enter the URL of the website to be blocked.
Step 3: Click OK to add the policy. Click Cancel to discard changes.
Modifying a URL String Policy
Step 1: In the URL window, find the policy to be modified and click the corresponding Modify option in the Configure field.
Step 2: Make the necessary changes.
Step 3: Click OK to save changes, or click Cancel to discard changes.

Step 1: In the URL window, find the policy to be removed and click the corresponding Remove option in the Configure field.
Step 2: A confirmation pop-up box will appear; click OK to remove the policy, or click Cancel to discard changes.
40. 4.4.3 WAN To DMZ & LAN To DMZ
This section describes steps to create policies for packets and services from the WAN networks to the DMZ networks. Please follow the same procedures for LAN networks to DMZ networks.
Enter WAN To DMZ or LAN To DMZ window
Click WAN To DMZ under the Policy menu to enter the WAN To DMZ window. The WAN To DMZ table will show up, displaying currently defined policies. Before setting up a WAN To DMZ rule, you need to create a Virtual Server or Mapped IP first.
The fields in the WAN To DMZ window:
Source: Source networks, which are addresses specified in the WAN section of the Address menu, or all the WAN network addresses.
Destination: Destination networks, which are addresses specified in the DMZ section of the Address menu and Mapped IP addresses of the Virtual Server menu.
Service: Services supported by servers in the DMZ network.
Action: Control actions to permit or deny packets from WAN networks to DMZ travelling through the Content Security Gateway.
Option: Specify the monitoring functions of packets from the WAN network to the DMZ network travelling through the Content Security Gateway.
Configure: Modify settings or remove policies.
Move: This sets the priority of the polic
41. WebUI to be configured from a user on the Internet. Keep in mind that the device always requires a username and password to enter the WebUI.
4.2.3 DMZ
The Administrator uses the DMZ Interface to set up the DMZ network. The DMZ network consists of server computers such as FTP, SMTP, and HTTP (web). These server computers are put in the DMZ network so they can be isolated from the LAN network traffic. Broadcast messages from the LAN network will not cross over to the DMZ network to cause congestion and slow down these servers. This allows the server computers to work efficiently without any slowdowns.
42. CS-500 provides a feature that will auto-detect the IM program version. When it detects a new version of an IM program on the LAN side, CS-500 will connect to the Internet and download the pattern to update the IM Blocking function, so that the function keeps working well to block the new version of the IM program. The current pattern version is displayed at the top.
4.3.6.5 Download
Step 1: Click Download below the Content Blocking menu.
Step 2: Select the Download detection functions.
All Types Block: To block all types of files from being downloaded from web pages.
Audio and Video Types Block: To block audio and video from being downloaded from web pages.
Extensions Block: To block files with specific extension names from being downloaded from web pages.
Step 3: After selecting each function, click the OK button below.
4.3.6.6 Upload
Step 1: Click Upload below the Content Blocking menu.
Step 2: Select Upload detect
43. 4.3.5.3 Auth Group
Accessing the Auth Group window
Click Authentication in the menu bar on the left-hand side of the window. Click Auth Group under it. A window will appear with a table displaying the current Auth Group settings made by the Administrator.
Adding Auth Group
Step 1: In the Auth Group window, click the New Entry button. In the Auth Group window, the following fields will appear:
Name: Enter the new Auth Group name.
Available auth user: Lists all the available Auth Users.
Selected auth user: Lists the Auth Users to be assigned to the new group.
Step 2: Enter the new group name in the group Name field. This will be the name referencing the created group.
Step 3: To add a new Auth User: Select the Auth User to be added in the Available auth user list, and then click the Add >> button to add them to the group.
Step 4: To remove an Auth User: Select the Auth User to be removed in the Available auth user list, and then click the << Remove button to remove them from the group.
Step 5: Click OK to add the new group.
44. access the mail server (mail.planet.com.tw), they would have to go out to the Internet, then come back through the Content Security Gateway to access the mail server. Essentially, the LAN network is accessing the mail server by a real public IP address, while the mail server serves their request by a NAT address and not a real one. This odd situation occurs when there are servers in the DMZ network and they are bound to real IP addresses. To avoid this, set up the Host Table so all the LAN network computers will use the Content Security Gateway as a DNS server, which acts as the DNS Proxy.
Language: Both Chinese and English are supported in the Content Security Gateway.
Logout: The Administrator logs out of the Content Security Gateway. This function protects your system while you are away.
4.1.1 Admin
On the left-hand menu, click Administration, and then select Admin below it. The current list of Administrator(s) shows up.
Settings of the Administration table
Admin Name: The username of Administrators for the Content Security Gateway. The user admin cannot be removed.
Privilege: The privileges of Administrators (Admin or Sub Admin). The username of the main Administrator is Admin with read
45. Step 30: Select Negotiate security and click Next.
Step 31: Click Next.
Step 32: Select Custom and click Settings.
Step 33: Click Data Integrity
46. address and Forwarding Mode, which is NAT Mode or Routing Mode.
Interface: Indicates the multiple subnet location, in the LAN or DMZ side.
Alias IP of Interface / Netmask: Local port IP address and subnet mask.
Configure: Modify the settings of Multiple Subnet. Click Modify to modify the parameters of Multiple Subnet, or click Delete to delete settings.
Adding a Multiple Subnet (Routing Mode)
Step 1: Click the Add button below to add Multiple Subnet.
Step 2: Enter the IP address in the Add Multiple Subnet window.
Alias IP of LAN Interface: Enter the local port IP address.
Netmask: Enter the local port subnet mask.
WAN Interface IP: Add the WAN IP.
Forwarding Mode: Click the Routing button below to set up.
Step 3: Click OK to add Multiple Subnet, or click Cancel to discard changes.
Step 4: Adding a new WAN to LAN Policy. In the Incoming window, click the New Entry button.
Modify a Multiple Subnet (Routing Mode)
Step 1: Find the IP address you want to
47. and Encapsulation, and choose MD5 and 3DES. Click Generate a new key after every 28800 seconds. Then click OK 3 times to return.
Step 34: Click Finish.
Step 35: Select Security and click Next.
Step 36: Click Finish.
48. Step 27: Enable Use Add Wizard and click Add.
Step 28: Click Next.
Step 29: Enter the name of the filter action and click Next.
49. defined in the Service menu to enter into the LAN network. Unlike a mapped IP, which binds a WAN IP to a LAN IP, a virtual server binds WAN IP ports to LAN IP ports.
Definition
Virtual Server Real IP: The WAN IP address configured by the virtual server. Click the Click here to configure button to add a real IP address.
Service: The service names that are provided by the virtual server.
WAN Port: The TCP/UDP ports that represent the service items provided by the virtual server.
Server Virtual IP: The virtual IP which is mapped by the virtual server.
Configure: To change the service configuration, click Configure to change the parameters; click Delete to delete the configuration.
This virtual server provides four real IP addresses, which means you can set up four virtual servers at most. The administrator can select Virtual Server 1/2/3/4 under the Virtual Server selection in the menu bar on the left-hand side, click Server Virtual IP to add or change the virtual server IP address, and click Click here to configure to add or change the virtual
50. enter the port number range of the new clients. Server Port: enter the port number range of the new servers. The client port ranges from 1024 to 65535 and the server port ranges from 0 to 1023. Step 1: Click New Entry to add new services. Step 2: Click OK to accept editing, or click Cancel. [Screenshot: Policy Object > Service > Custom, Add User Defined Service] Modifying Custom Services. Step 1: A table showing the current settings of the selected service appears on the screen. Step 2: Enter the new values. Step 3: Click OK to accept editing, or click Cancel. [Screenshot: Policy Object > Service > Custom] Removing Custom Services. Step 1: Click its corresponding Remove option in the Configure field. Step 2: In the Remove confirmation pop-up box, click OK to remove the selected service, or click Cancel to canc
51. from External Mail Server. It can also sort the mail according to Recipient, Total Spam and Total Mail. [Screenshot: Mail Security > Anti-Spam > Spam Mail, with columns No., Recipient, Total Spam and Total Mail, showing "No spam mail in the External Mail Server"] 4.5.3 Anti-Virus. The CS-500's built-in Clam virus scanning engine can protect your LAN network from virus infection. 4.5.3.1 Setting. [Screenshot: Mail Security > Anti-Virus > Setting. Anti-Virus Setting: Virus Scan Engine; whether the Mail Server is placed in Internal (LAN or DMZ; "Please set Mail Relay first") or External (WAN); "Add the message to the subject line" (max. 256 characters); the latest update time; "Update virus definitions every ten minutes"; the newest version; "Update virus definitions immediately" with an Update NOW button. Action of Infected Mail, with sections for Internal Mail Server and External Mail Server and the options "Delete the virus mail", "Deliver to the recipient", "Deliver a notification mail instead of the original virus mail", "Deliver the original virus mail" and "Forward to"]
52. > button to add them to the Selected address list. Step 4: Remove members. Select the names to be removed from the Selected address list and click the << Remove button to remove them from the Selected address list. Step 5: Click OK to save changes, or click Cancel to cancel editing. [Screenshot: Policy Object > Address > DMZ Group, with columns Name, Member and Configure] Removing a DMZ Group. Step 1: In the DMZ Group window, locate the group to be removed and click its corresponding Remove option in the Configure field. Step 2: In the Remove confirmation pop-up box, click OK to remove the group. [Screenshot: Policy Object > Address > DMZ Group, remove confirmation dialog] In this section, network services are defined and new network services can be added. There are three sub-menus under Service: Pre-defined, Custom and Group. The Administrator can simply follow the instructions below to define the protocols and port numbers for network communication applications. Users can then connect to servers and other computers through these available network services. What is Service
53. minutes, hour 24 hours, day 30 days, Month and Year. Select the time unit (minute, hour, day, month or year) of the graph. [Screenshot: Monitor > Statistics > WAN, a graph of the WAN downstream in bits per second over minutes, with maximum and average streams] Y-Coordinate: Four options are available: Total, Bits/sec, Bytes/sec and Utilization. X-Coordinate: Time (Hour/Minute/Day). 4.8.3.2 Policy Statistics. Entering the Statistics window: The Statistics window displays the statistics of current network connections. Source: the name of the source address. Destination: the name of the destination address. Service: the service requested. Action: permit or deny. Time: viewable by minutes, hours or days. [Screenshot: policy statistics table with columns Source, Destination, Service, Action and Time] NOTE: To use Statistics, the administrator needs to go to Policy to enable Statistics fun
54. relative compare rule to different attack behavior include three sections: Anomaly, Pre-defined and Custom. Anomaly. An Anomaly signature allows the user to define a signature in order to detect and prevent irregular attack behavior. Take Syn Flood as the example. Definition. Enable: Check to enable the protection for the Syn Flood signature. Max Threshold (Pkts/Sec): Configure the value that defines the Syn Flood signature. Blocking Time: Set the length of time to block the attacked connection. This function is available when the Action is set to Drop. Action: When packets match the signature, select Pass to pass the packets or select Drop to discard the packets. Log: Check the Log function to record the log in the IDP Report. [Screenshot: IDP > Signature > Anomaly, Modify Anomaly Detect Setting for syn flood] Pre-defined. Pre-defined signatures can detect and prevent the intrusive patterns that are known at present. These signatures cannot be modified or deleted. Definition. Action: Select Pass to pass the packets or select Drop to discard the packets. Log: Check the Log function to record the log in the IDP Report. [Screenshot: IDP > Signature > Pre-defined, Modify Signature]
55. Security Rule Wizard, Completing the New Rule Wizard page: You have successfully completed specifying the properties for your new rule. To edit your security rule now, select the Edit properties check box, and then click Finish. To close this wizard, click Finish. Step 37: Click Add. [Screenshot: IPSec Properties, Rules tab, listing the IP security rules, with the Use Add Wizard check box] Step 38: Click Next. Security Rule Wizard, welcome page: Welcome to the Create IP Security Rule Wizard. A security rule governs how and when security is invoked based upon criteria, such as the source, destination, and type of IP traffic, in the security rule's IP filter list. A security rule contains a collection of security actions that are activated when a communication matches the criteria in the IP filter list. Security actions: IP tunneling attributes, Authentication methods, Filter actions. To continue, click Next. Step 39: Enter the WAN IP of company A, 210.66.155.90. Security Rule Wizard, Tunnel Endpoint page: The tunnel endpoint is the tunneling computer closest to the IP traffic destination, as specified by the security rule's IP filter list. An IPSec tunnel allows
56. setting. Scanned Mail Setting: Sets the mail size used to judge whether a mail should be scanned or not. Unscanned Mail Setting: If a mail is not scanned by the CS-500, an unscanned message can be added to the mail subject. For example, if the mail size is less than the Scanned Mail Setting, when you receive the mail you will find the subject marked Unscanned. [Screenshot: Mail Security > Configure > Setting. Scanned Mail Setting: "The scanned mail size is less than 128 KBytes" (range 10 to 512 KBytes). Unscanned Mail Setting: "Add the message to the subject line"] When an unscanned mail is received, the tag is added in front of the e-mail subject. [Screenshot: mail client inbox] Mail Relay. After the mails sent to the Internal Mail Server have been scanned by the Anti-Spam and Anti-Virus functions of the CS-500, set up the relevant settings in the Mail Relay function. The examples below show how to configure these settings. Example 1: To set up the CS-500 as Gateway Mail Server in DMZ Transparent Mode. Preparation: WAN Port IP: 61.11.11.11. Mail Server IP: 61.11.11.12. Map the DNS Domain
57. the action to Delete spam mail, Deliver to the recipient, or Forward to another mail account. Auto-Training: If Classification is set to Spam and this function is enabled, the mails that correspond to this rule will be trained to be identified as spam mail; if Classification is set to Ham (Non-Spam) and this function is enabled, the mails that correspond to this rule will be trained to be identified as ham (non-spam) mail, according to the setting in the Training function. Item: The items used to judge spam mail, according to the Header, Body and Size of the mail. The packet Header includes Received, Envelope-To, From, To, Cc, Bcc, Subject, Sender, Reply-To, Errors-To, Message-ID and Date. Condition: When Item is set to Header or Body, the available conditions are Contains, Does Not Contain, Is Equal To, Is Not Equal To, Starts With, Ends With, Exist and Does Not Exist. When Item is set to Size, the available conditions are More Than, Is Equal To, Is Not Equal To and Less Than. Pattern: Enter the relevant value for the Item and Condition fields. For example, choose From as the Item, use the Contains Condition, and enter josh as the characteristic. When the sender and receiver's mail account contains josh, the mail will be considered spam mail or ham mail. Adding a new Rule. Step 1: Click the New Entry button and the Rule window will appear. Step 2: Fill in the appropriate settings for the related information. Step 3: C
58. use the different WAN IP address to connect to the internet. The settings of the LAN computers in the Service department are as follows. Service IP Address: 192.168.2.1. Subnet Mask: 255.255.255.0. Default Gateway: 192.168.2.11. The other departments are also set by groups; this is the function of Multiple Subnet. Multiple Subnet settings: Click System on the left side menu bar, select Configure, then click Multiple Subnet to enter the Multiple Subnet window. [Screenshot: System > Configure > Multiple Subnet] Multiple Subnet functions. WAN Interface IP / Forwarding Mode: Displays the WAN Port IP address and Forwarding Mode. Interface: Indicates the multiple subnet location, in the LAN or DMZ site. Alias IP of Int. Interface / Netmask: Local port IP address and subnet mask. Configure: Modify the settings of Multiple Subnet. Click Modify to modify the parameters of Multiple Subnet, or click Delete to delete the settings. Add a Multiple Subnet (NAT Mode). Step 1: Click the New Entry button below to add a Multiple Subnet. Step 2: Enter the IP address in the website name column of the new window. Alias IP of LAN Interface: Enter the local port IP address. Netmask: Enter the local port subnet mask. WAN Interface IP: Add the WAN IP. Forwarding Mode: Click the NAT button below to set up. Step
59. via VPN, the Content Security Gateway will force you to choose 3DES for ENC Algorithm, SHA-1 for AUTH Algorithm, and select Group 2 to connect. Local ID and Remote ID are optional parameters. If we choose to enter Local ID/Remote ID, they cannot be the same. For instance, Local ID is 11.11.11.11 and Remote ID is 22.22.22.22. If you want to use number or text, add in the front, for instance 123 and abc. [Screenshot: Encapsulation, ISAKMP Algorithm settings] Step 6: In the IPSec Algorithm table, choose Data Encryption + Authentication. We choose 3DES for ENC Algorithm and MD5 for AUTH Algorithm. Step 7: Choose GROUP 1 as the Perfect Forward Secrecy setting, and leave the default settings of 28800 seconds for IPSec Lifetime and 3600 seconds for ISAKMP Lifetime. Step 8: Click OK to finish the setting of Company B. [Screenshot: Policy Object > VPN > IPSec Autokey] Step 9: Click Tunnel and press New Entry to configure the further settings. Step 10: Enter Site_B as the new tunnel name and select the LAN interface as the VPN source. Fill in the LAN IP subnet 192.168.20.0 with subnet mask 255.255.255.0. Step 11: In To De
60. window, find the policy to be modified and click the corresponding Modify option in the Configure field. Step 2: Make the necessary changes. Step 3: Click OK to save changes, or click Cancel to cancel modifications. [Screenshot: Mail Security > Anti-Spam > Blacklist, Modify Blacklist, with Blacklist, Direction and Auto-Training fields] Removing a Blacklist. Step 1: In the Blacklist window, find the policy to be removed and click the corresponding Remove option in the Configure field. Step 2: A confirmation pop-up box will appear; click OK to remove the Host Table, or click Cancel. [Screenshot: Mail Security > Anti-Spam > Blacklist, remove confirmation dialog] 4.5.2.5 Training. The CS-500 provides a training system to improve the identification rate of spam; the database can be updated manually or from the rule settings. Below is the information needed for setting up the Training. Training Database: The System Manager can Import or Export Training Database
61. [Screenshot: remove confirmation dialog] 4.3.6.2 Scripts. To let Popup, ActiveX, Java or Cookies in or keep them out: Step 1: Click Scripts below the Content Blocking menu. Step 2: Select the Scripts detection functions. Popup Blocking: Prevent pop-up boxes from appearing. ActiveX Blocking: Prevent ActiveX packets. Java Blocking: Prevent Java packets. Cookie Blocking: Prevent Cookie packets. Step 3: After selecting each function, click the OK button below. [Screenshot: Policy Object > Content Blocking > Script, Script Blocking check boxes] When the system detects the setting, the Content Security Gateway will spontaneously work. 4.3.6.3 P2P. Step 1: Click P2P below the Content Blocking menu. Step 2: Select the P2P detection functions. eDonkey Blocking: Prevent eDonkey connections from being established. Bit Torrent Blocking: Prevent Bit Torrent connections from being established. WinMX Blocking: Prevent WinMX connections from being established. Step 3: After selecting each function, click the OK button below. [Screenshot: Policy Object > Content Blocking > P2P]
62. 00 seconds (one hour). Selection of small values could lead to frequent re-keying, which could affect performance. IPSec Lifetime: New keys will be generated whenever the lifetime of the old keys is exceeded. The Administrator may enable this feature if needed and enter the lifetime in seconds to re-key. The default is 28800 seconds (eight hours). Selection of small values could lead to frequent re-keying, which could affect performance. Mode: Select Main mode or Aggressive mode algorithm. My ID / Peer ID: My ID and Peer ID are optional parameters. If we choose to enter My ID/Peer ID, they cannot be the same. For instance, My ID is 11.11.11.11 and Peer ID is 22.22.22.22. If you want to use number or text, add in the front, for instance 123A and abcd123. GRE/IPSec: Select GRE/IPSec (Generic Routing Encapsulation) packet seal technology. You may enter the IP to be identified for both VPN gateways. Dead Peer Detection: Configure the timing to detect the VPN status. If detection fails, the CS-500 will disconnect the VPN tunnel. For the complete VPN setting, refer to the example for more detailed information. 4.3.8.2 PPTP Server. This function allows a remote client to dial up to your local network and access local resources using PPTP (Point-to-Point Tunnel Protocol) client software. Entering the PPTP Server window: Select VPN > PPTP Server. [Screenshot: Policy Object > VPN > PPTP Server]
63. [Screenshot: Event Log entries, such as administrator policy changes and admin login success, each with the source IP address] Step 2: The table in the Event Log window displays the time and description of the events. Time: the time when the event occurred. Event: a description of the event. Downloading the Event Logs. Step 1: In the Event Log window, click the Download Logs button at the bottom of the screen. Step 2: Follow the File Download pop-up window to save the event logs into a specific directory on the hard drive. Clearing the Event Logs. The Administrator may clear the on-line event logs to keep just the most recent logs on the screen. Step 1: In the Event Log window, click the Clear Logs button at the bottom of the screen. Step 2: In the Clear Logs pop-up box, click OK to clear the logs, or click Cancel to cancel it. [Screenshot: Event Log with the clear logs confirmation dialog] 4.8.1.3 Connection. Click Log in the menu bar on the left-hand side and then select the sub-selection Connection Log.
64. [Screenshot: Monitor > Log > Traffic, listing traffic log entries] Traffic Log Table. The table in the Traffic Log window displays current System statuses. Definition. Time: The start time of the connection. Source: IP address of the source network of the specific connection. Destination: IP address of the destination network of the specific connection. Protocol: Protocol type of the specific connection. Port: Port number of the specific connection. Disposition: Accept or Deny. Downloading the Traffic Logs. The Administrator can back up the traffic logs regularly by downloading them to the computer. Step 1: In the Traffic Log window, click the Download Logs button at the bottom of the screen. Step 2: Follow the File Download pop-up window to save the traffic logs into a specified directory on the hard drive. Clearing the Traffic Logs. The Administrator may clear the on-line logs to keep just the most recent logs on the screen. Step 1: In the Traffic Log window, click the Clear Logs button at the bottom of the screen. Step 2: In the Clear Logs pop-up box, click OK to clear the logs, or click Cancel to cancel it. [Screenshot: Monitor > Log > Traffic, clear logs confirmation]
65. 1: Click System on the left-hand side menu bar, then click Route Table below the Configure menu. The Route Table window appears, in which the current route settings are shown. [Screenshot: System > Configure > Route Table] Route Table functions. Interface: Destination network, LAN or WAN networks. Destination IP / Netmask: IP address and subnet mask of the destination network. Gateway: Gateway IP address for connecting to the destination network. Configure: Change settings in the route table. Adding a new Static Route. Step 1: In the Route Table window, click the New Entry button. Step 2: In the Add New Static Route window, enter the new static route information. Step 3: In the Interface field's pull-down menu, choose the network to connect (LAN, WAN, DMZ). Step 4: Click OK to add the new static route, or click Cancel to cancel. [Screenshot: System > Configure > Route Table, Add New Static Route] Modifying a Static Route. Step 1: In the Route Table menu, find the route to edit and click the corresponding Modify option in the Configure field.
66. 10 X Remote User: External IP is 210.66.155.91. A remote user with an external IP wants to create a VPN connection with company A and connect to 192.168.10.100 to download the shared file. The Gateway of Company A is 192.168.10.1. The settings of company A are as follows. Configuration of CS-500. Step 1: Enter the default IP of Company A's Content Security Gateway, 192.168.10.1. Click VPN in the menu bar on the left-hand side and then select the sub-selection IPSec Autokey. Click Add. Step 2: Enter the VPN name, VPN_A, in the IPSec Autokey window. Step 3: In the To Destination table, choose Remote Gateway or Client (Dynamic IP). [Screenshot: To Destination, with the options Remote Gateway (Fixed IP or Domain Name) and Remote Gateway or Client (Dynamic IP)] Step 4: In the Authentication Method table, enter the Preshared Key. [Screenshot: Authentication Method, Preshared Key 123456709] Step 5: In the Encapsulation or Authentication table, choose ISAKMP Algorithm. For communication via VPN, we choose 3DES for ENC Algorithm and MD5 for AUTH Algorithm, and select Group 2 to connect. [Screenshot: Encapsulation, ISAKMP Algorithm] Step 6: In the IPSec Algorithm table, choose Data Encryption + Authentication. We choose 3DES for ENC Algorithm and MD5 for AUTH Algorithm. [Screenshot: IPSec Algorithm, Data Encryption + Authentication]
67. [Screenshot: Monitor > Log > Traffic, clear logs confirmation dialog] 4.8.1.2 Event. When the Content Security Gateway WAN detects events, the Administrator can get the details, such as the time and description of the events, from the Event Logs. Entering the Event Log window. Step 1: Click the Event Log option under the Log menu and the Event Log window will appear. [Screenshot: Monitor > Log > Event, listing event log entries such as administrator policy changes and admin login success and failure, each with the source IP address]
68. [Screenshot: QoS bandwidth settings] Step 4: Enable the QoS rule in the Outgoing or Incoming Policy. [Screenshot: Policy > Outgoing, Add New Policy, with the QoS option] 4.3.5 Authentication. By configuring Authentication, you can control users' access right and time from LAN to WAN. The administrator can configure the authentication according to the authentication account and password. The CS-500 configures the authentication of LAN users by setting an account and password to identify the privilege. 4.3.5.1 Auth Setting. The administrator can specify the port number and authentication time of the authentication management system for LAN users to access the WAN network. Configuration of Authentication: Click Authentication in the menu bar on the left-hand side and click Auth Setting.
69. [Screenshot: WAN interface settings] For PPTP (European User Only): This is mainly used in Europe. You need to know the PPTP Server address as well as your name and password. User Name: The user name is provided by the ISP. Password: The password is provided by the ISP. IP Address: Enter the static IP address assigned to you by your ISP, or obtain an IP address automatically from the ISP. PPTP Gateway: Enter the PPTP server IP address assigned to you by your ISP. Connect ID: This is the ID given by the ISP. This is optional. Max. Upstream/Downstream Bandwidth: The bandwidth provided by the ISP. BEZEQ-ISRAEL: Select this item if you are using the service provided by BEZEQ in Israel. Service-On-Demand: The PPPoE connection will automatically disconnect after a length of idle time (no activities). Enter the number of idle minutes before disconnection. Enter 0 if you do not want the PPPoE connection to disconnect at all. Ping: Select this to allow the WAN network to ping the IP address of the Content Security Gateway. This will allow people from the Internet to be able to ping the Content Security Gateway. If enabled, the device will respond to echo request packets from the WAN network. HTTP: Select this to allow the device WebUI to be accessed from the WAN network. This will allow the
70. [Screenshot: virtual server configuration] Virtual Server Real IP: Displays the WAN IP address assigned to the Virtual Server. Service (Port): Select the service, from the pull-down list, that will be provided by the Real Server (Load Balance Server). External Service Port: Input the port number that the virtual server will use. Changing the Service will change the port number to match the service. Load Balance Server: The internal server IP address mapped by the virtual server. Four computer IP addresses can be set at most, and the load is balanced among them by a round-robin algorithm. Click OK to add the new virtual server service, or click Cancel to discard it. Remember to configure the service items of the virtual server before you configure Policy, or the service names will not be shown in Policy. Modifying the Virtual Server configurations. Step 1: In the Virtual Server window's service table, locate the name of the service to be modified and click its corresponding Modify option in the Configure field. Step 2: In the Virtual Server Configuration window, enter the new settings. Step 3: Click OK to save modifications, or click Cancel to discard changes. [Screenshot: Policy Object > Virtual Server > Server 1]
71. AN host. NOTE: To correctly display the pizza chart, please install the latest Java VM from http://www.java.com. 4.8.3 Statistic. In this chapter, the Administrator queries the Content Security Gateway for statistics of the packets and data that pass across the Content Security Gateway. The statistics provide the Administrator with information about network traffic and network loads. What is Statistics: Statistics are the statistics of packets that pass through the Content Security Gateway under the control policies set up by the Administrator. How to use Statistics: The Administrator can get the current network status from the statistics and use the information provided by Statistics as a basis for managing networks. How to apply WAN Statistics: The Administrator needs to go to Policy to set the network IP addresses for which statistics are to be gathered. In this way, the administrator can follow the condition of the whole network and take it as a basis for managing the network. From the WAN statistics you can obtain the status of the network. 4.8.3.1 WAN Statistics. Step 1: Click Statistics in the menu bar on the left-hand side and then select WAN Statistics. Step 2: The WAN Statistics will be displayed. It displays statistics of WAN network connections, downstream and upstream, as well as a total amount, by minute 60
73. Address is not 192.168.1.1, the Administrator needs to set the IP Address on the computer to be on the same subnet as the Content Security Gateway and restart the System to make the new IP address effective. For example, if the Content Security Gateway's new LAN IP Address is 172.16.0.1, then enter the new LAN IP Address 172.16.0.1 in the URL field of the browser to connect to the Content Security Gateway. NetMask: This is the subnet mask of the LAN network. The default netmask of the device is 255.255.255.0. Ping: Select this to allow the LAN network to ping the IP Address of the Content Security Gateway. If enabled, the device will respond to ping packets from the LAN network. HTTP: Select this to allow the device WebUI to be accessed from the LAN network. 4.2.2 WAN. Entering the Interface menu: Click Interface in the left menu bar, then click WAN below it. The current settings of the interface addresses will appear on the screen. [Screenshot: Interface > WAN, with the connection types PPPoE (ADSL User), Dynamic IP Address (Cable Modem User), Static IP Address and PPTP (European User Only)] WAN Interface
74. Content Security Gateway CS-500 User's Manual
Copyright
Copyright (C) 2005 PLANET Technology Corp. All rights reserved. The products and programs described in this User's Manual are licensed products of PLANET Technology. This User's Manual contains proprietary information protected by copyright, and this User's Manual and all accompanying hardware, software, and documentation are copyrighted. No part of this User's Manual may be copied, photocopied, reproduced, translated, or reduced to any electronic medium or machine-readable form by any means, electronic or mechanical, including photocopying, recording, or information storage and retrieval systems, for any purpose other than the purchaser's personal use, and without the prior express written permission of PLANET Technology.
Disclaimer
PLANET Technology does not warrant that the hardware will work properly in all environments and applications, and makes no warranty and representation, either implied or expressed, with respect to the quality, performance, merchantability, or fitness for a particular purpose. PLANET has made every effort to ensure that this User's Manual is accurate; PLANET disclaims liability for any inaccuracies or omissions that may have occurred. Information in this User's Manual is subject to change without notice and does not represent a commitment on the part of PLANET. PLANE
76. [Screenshot: Modify IP Address dialog for External IP of Mail Relay; IP Address field (ex: 202.24.193.138).]
4.5.2 Anti-Spam
It can reduce the burden on the mail server. It also saves users from having to pick out the messages they need from a mass of useless mail, or from deleting needed mail by mistake while deleting mail. It will raise the work efficiency of the employees and will not lose the important information of the enterprise. In this chapter we give a detailed illustration of Anti-Spam.
4.5.2.1 Setting
The Administrator can choose how mail is inspected according to where the mail server is placed: Internal (LAN or DMZ) or External (WAN). CS-500 can also inspect all mail sent to the enterprise and add a score tag or message to the subject line of spam mail when it exceeds the standard. It also supports checking the sender address against the blacklists of anti-spam websites to determine whether a mail is spam or not.
[Screenshot: Mail Security > Anti-Spam > Setting. Enable Anti-Spam; The Mail Server is placed in: Internal (LAN or DMZ; please set Mail Relay first) or External (WAN); The threshold score]
77. [Screenshot: Outgoing Policy (Source Inside_Any, Destination Outside_Any) and Incoming Policy (Source Outside_Any, Destination Inside_Any) tables.]
The Gateway of Company B is 192.168.20.1. The settings of Company B are as follows:
Step 1: Enter the default IP of Company B's Content Security Gateway, 192.168.20.1. Click VPN in the menu bar on the left-hand side, and then select the sub-selection IPSec Autokey. Click Add.
Step 2: Enter the VPN name, VPN_B, in the IPSec Autokey window.
Step 3: In the To Destination table, choose Remote Gateway (Fixed IP or Domain Name) and enter the IP address desired to be connected.
[Screenshot: To Destination: Remote Gateway (Fixed IP or Domain Name) 61.11.11.11; Remote Gateway or Client (Dynamic IP).]
Step 4: In the Authentication Method table, enter the Preshared Key.
Step 5: Enable Aggressive mode. For communication
78. [Screenshot: VPN > Tunnel list with the Remove confirmation dialog.]
Click OK to remove the PPTP client or click Cancel to exit without removal.
Pausing a Tunnel
Step 1: Select VPN > Tunnel.
Step 2: In the Tunnel window, find the Tunnel that you want to modify and click Pause.
[Screenshot: VPN > Tunnel with the Pause confirmation dialog: "Are you sure you want to pause? This entry will not be effective."]
Step 3: When
There are 5 examples of VPN setting.
Example 1: Create a VPN connection between two Content Security Gateways.
Example 2: Create a VPN connection between the Content Security Gateway and Windows XP Professional VPN Client.
Example 3: Create a VPN connection between two Content Security Gateways using Aggressive mode (Algorithm: 3DES and MD5) and data encryption for IPSec Algorithm (3DES and MD5).
Example 4: Create a VPN connection between Content Security Gateway and PLANET VRT-311 VPN Router.
Example 1: Create a VPN connection between two Content Security Gateways
Prep
79. [Screenshot: Monitor > Log > Connection, showing Connection Log entries with Time and Connection Log columns.]
Definition
Time: The start and end time of connection.
Connection Log: Event description during connection.
Download Logs
Step 1: Click Log in the menu bar on the left-hand side and then select the sub-selection Connection Log.
Step 2: In the Connection Log window, click the Download Logs button.
Step 3: In the Download Logs window, save the logs to the specified location.

Step 1: Click Log in the menu bar on the left-hand side and then select the sub-selection Connection Logs.
Step 2: In the Connection Log window, click the Clear Logs button.
Step 3: In the Clear Logs window, click OK to clear the logs or click Cancel to discard changes.
[Screenshot: Connection Log window.]
80. N_A in IPSec Autokey window.
Step 3: In the To Destination table, choose Remote Gateway (Fixed IP or Domain Name) and enter the IP address desired to be connected.
[Screenshot: To Destination: Remote Gateway (Fixed IP or Domain Name) 210.66.155.92; Remote Gateway or Client (Dynamic IP).]
Step 4: In the Authentication Method table, enter the Preshared Key.
Step 5: In the Encapsulation or Authentication table, choose ISAKMP Algorithm. For communication via VPN, we choose 3DES for ENC Algorithm and MD5 for AUTH Algorithm, and select Group 2 to connect.
Step 6: In the IPSec Algorithm table, choose Data Encryption + Authentication. We choose 3DES for ENC Algorithm and MD5 for AUTH Algorithm.
Step 7: Choose GROUP 2 as the Perfect Forward Secrecy setting, and leave the default setting with 28800 seconds in IPSec Lifetime and 3600 seconds for ISAKMP Lifetime.
Step 8: Select main mode as the algorithm.
Step 9: Click OK to finish the IPSec Autokey setting of Company A.
81. Name that apply from ISP (planet.com.tw) to DNS Server IP (setup MX record is Mail Server IP). When an external sender sends mail to a recipient account of the planet.com.tw domain, add the following Mail Relay setting:
STEP 1: Add the following setting in the Mail Relay function of Configure:
- Select Domain Name of Internal Mail Server.
- Domain Name of Mail Server: Enter the Domain Name.
- IP Address of Mail Server: Enter the IP address that the Mail Server's domain name is mapped to.
Mail Relay setting is complete. External mail sent to planet.com.tw will be received by CS-500 and redirected to the mail server after filtering.
[Screenshot: Mail Security > Configure > Mail Relay. Domain Name of Internal Mail Server; Allowed External IP of Mail Relay.]
Example 2: To set up CS-500 between the original Gateway and Mail Server (Mail Server in DMZ, Transparent Mode)
Preparation
The Original Gateway's LAN Subnet: 172.16.1.0/16, WAN Port IP: 61.11.11.11
CS-500's WAN Port IP: 172.16.1.12
Mail Server IP: 172.16.1.13
Map the DNS Domain Name (planet.com.tw) to DNS Server IP (setup MX record is Mail Server IP). When LAN (172.16.1.0/16) users send mail from th
82. [Screenshot: DMZ To WAN policy settings: Schedule, Authentication User, Traffic Log, Action (PERMIT).]
Removing a DMZ To WAN Policy
Step 1: In the DMZ To WAN window, locate the name of the policy desired to be removed and click its corresponding Remove option in the Configure field.
Step 2: In the Remove confirmation dialogue box, click OK.
[Screenshot: DMZ To WAN policy list with the Remove confirmation dialog.]
4.5 Mail Security
This section lets the Administrator configure Mail Security rules to protect client PCs from virus and spam mail. CS-500 can update virus patterns on a schedule or manually, and it also provides an auto-learning system to raise the rate of spam mail identification. For more detailed information, please check the related chapter.
4.5.1 Configure
The Mail Security Configure function defines how CS-500 handles mail. In this chapter it is divided into Setting and Mail Relay.
Setting: Define the required fields of
83. [Screenshot: Policy Object > Authentication > RADIUS, including Enable 802.1x RADIUS Server Authentication.]
Definition
Enable RADIUS Server: Enable RADIUS Server Authentication.
RADIUS Server IP: Enter RADIUS Server IP address.
RADIUS Server Port: Enter RADIUS Server Port. The default port is 1812.
Shared Secret: The password for CS-500 to access the RADIUS Server.
Enable 802.1x RADIUS Server Authentication: Enable 802.1x RADIUS Server Authentication.
4.3.5.5 POP3
Click Authentication on the left side menu bar, then click POP3 below it. The following window is shown.
[Screenshot: Policy Object > Authentication > POP3. Enable POP3 Server Authentication; POP3 Server (IP or Domain Name); POP3 Server Port (110).]
Definition
Enable POP3 Server: Enable POP3 Server Authentication.
POP3 Server: Enter POP3 Server IP address or domain name.
POP3 Server Port: Enter POP3 Server Port. The default port is 110.
4.3.6 Content Blocking
Content Blocking includes URL, Scripts, P2P, IM, Download and Upload.
URL: The administrator can use a complete domain name or key word to make rules for specific websites.
Scripts: To
84. OK to save change or click Cancel to cancel.
[Screenshot: Policy Object > Virtual Server > Mapped IP. WAN IP 210.66.155.91, Map To Virtual IP 192.168.1.12.]
NOTE: A Mapped IP cannot be modified if it has been assigned/used as a destination address of any Incoming policies.
Removing a Mapped IP
Step 1: In the Mapped IP table, locate the Mapped IP desired to be removed and click its corresponding Remove option in the Configure field.
Step 2: In the Remove confirmation pop-up window, click OK to remove the Mapped IP or click Cancel to cancel.
[Screenshot: Mapped IP list with the Remove confirmation dialog.]
4.3.7.2 Virtual Server
Virtual server is a one-to-many mapping technique, which maps a real IP address from the WAN interface to private IP addresses of the LAN network. This function provides services or applications
85. [Screenshot: Remove confirmation dialog.]
4.1.10 Host Table
The Content Security Gateway's Administrator may use the Host Table function to make the Content Security Gateway act as a DNS Server for the LAN and DMZ network. All DNS requests to a specific Domain Name will be routed to the Content Security Gateway's IP address. For example, let's say an organization has their mail server (i.e., mail.planet.com.tw) in the DMZ network (i.e., 192.168.10.10). The outside Internet world may access the mail server of the organization easily by its domain name, providing that the Administrator has set up Virtual Server or Mapped IP settings correctly. However, for the users in the LAN network, their WAN DNS server will assign them a public IP address for the mail server. So for the LAN network to access the mail server (mail.planet.com.tw), they would have to go out to the Internet, then come back through the Content Security Gateway to access the mail server. Essentially, the LAN network is accessing the mail server by a real public IP address, while the mail server serves their request by a NAT address and not a real one. This odd situation occurs when there are servers in the DMZ network and they are bound to real IP addresses. To avoid this, set up Host Table so all the LAN network computers will use the Content Security Gateway as a DNS server, which acts as the DNS proxy. If you want to use the Host Table function of the device
86. Modify QoS
Step 1: Click QoS in the menu bar on the left-hand side.
[Screenshot: Policy Object > QoS > Setting list with columns Name, WAN, Downstream Bandwidth, Upstream Bandwidth, Priority, Configure.]
Click the Modify button to modify QoS.
Definition
Name: The name of the QoS you want to configure.
Downstream Bandwidth: To configure the Guaranteed Bandwidth and Maximum Bandwidth.
Upstream Bandwidth: To configure the Guaranteed Bandwidth and Maximum Bandwidth.
QoS Priority: To configure the priority of distributing Upstream/Downstream and unused bandwidth.
Click the OK button to modify QoS.
Delete QoS
Step 1: In the QoS window, find the QoS you want to change and click Delete in the Configure column.
Step 2: In the Delete QoS window, click OK to delete the QoS or click Cancel to discard the change.
[Screenshot: QoS list with the Remove confirmation dialog.]
Example about how to install QoS correctly
Step 1: Select and configure the correct connection type, including downstream upst
87. [Screenshot: System > Configure > Setting. Sections: System Name Setting (Device Name); E-mail Setting (Enable E-mail Alert Notification, Sender Address, SMTP Server, E-mail Address 1, E-mail Address 2, Mail Test); Web Management (WAN Interface) HTTP Port; MTU Setting; Link Speed / Duplex Mode Setting; Dynamic Routing (RIPv2) with Routing information update timer and Routing information timeout; To Appliance Packets Log; System Reboot.]
Exporting Content Security Gateway settings
Step 1: Under Backup / Restore Configuration, click on the Download button next to Export System Settings to Client.
Step 2: When the File Download pop-up window appears, choose the destination place to save the exported file. The Administrator may choose to rename the file if preferred.
[Screenshot: System > Configure > Setting, Backup / Restore Configuration.]
88. [Screenshot: Add New Authentication User dialog with User Name and Password fields.]
NOTE: When a LAN user accesses the WAN network and then does not use the connection for a while, the connection will time out and the user has to log in again. The default time is 30 minutes, and you can configure this time on the Authentication > Auth Setting page.
In the Outgoing Policy settings, enable the Authentication User function.
[Screenshot: Policy > Outgoing. Source Address Inside_Any, Destination Address Outside_Any, Service ANY, Schedule None, Authentication User planet, Action PERMIT.]
User Login Page
Definitions
User Name: The name of the Authentication you want to configure.
Password: The password used for the authentication.
[Screenshot: User Authentication login page in Internet Explorer with User Name and Password fields.]
Content Secu
89. T assumes no responsibility for any inaccuracies that may be contained in this User's Manual. PLANET makes no commitment to update or keep current the information in this User's Manual, and reserves the right to make improvements to this User's Manual and/or to the products described in this User's Manual, at any time without notice. If you find information in this manual that is incorrect, misleading, or incomplete, we would appreciate your comments and suggestions.
CE mark Warning
This is a class B device. In a domestic environment, this product may cause radio interference, in which case the user may be required to take adequate measures.
Trademarks
The PLANET logo is a trademark of PLANET Technology. This documentation may refer to numerous hardware and software products by their trade names. In most, if not all cases, these designations are claimed as trademarks or registered trademarks by their respective companies.
Customer Service
For information on customer service and support for the Content Security Gateway, please refer to the following Website URL: http://www.planet.com.tw
Before contacting customer service, please take a moment to gather the following information:
- Content Security Gateway serial number and MAC address
- Any error messages that displayed when the problem occurred
- Any software running when the problem occurred
- Steps you took to resolve the problem on your own
Revision
User's Manual for PLANET Content
90. TCP and UDP protocols support varieties of services, and each service consists of a TCP port or UDP port number, such as TELNET (23), SMTP (21), POP3 (110), etc. The Content Security Gateway defines two kinds of services: pre-defined service and custom service. The commonly used services like TCP and UDP are defined in the pre-defined service and cannot be modified or removed. In the custom menu, users can define other TCP port and UDP port numbers that are not in the pre-defined menu according to their needs. When defining custom services, the client port ranges from 1024 to 65535 and the server port ranges from 0 to 1023.
How to use Service
The Administrator can add new service group names in the Group option under the Service menu, and assign desired services into that new group. Using service groups, the Administrator can simplify the process of setting up control policies. For example, there are 10 different computers that want to access 5 different services on a server, such as HTTP, FTP, SMTP, POP3, and TELNET. Without the help of service groups, the Administrator needs to set up 50 (10x5) control policies, but by applying all 5 services to a single group name in the service field, it takes only one control policy to achieve the same effect as the 50 control policies.
4.3.2.1 Pre-defined
Entering a Pre-defined window
Step 1: Click Pre-defined under it. A window will appear with a list of services and their
91. This should be unique and cannot be the same as the name of an IPSec Autokey rule.
From Source: Specify the VPN source as the LAN or DMZ site.
From Source Subnet / Mask: Specify the source LAN network subnet and mask.
To Destination
To Destination Subnet / Mask: Specify the destination LAN network subnet and mask.
Remote Client: Select Remote Client if there is only one user, who dials up to the Internet with PPPoE or cable modem.
IPSec / PPTP Setting: Select the specific VPN tunnel for this Tunnel rule; you need to pre-define the IPSec or PPTP setting first.
Keep Alive IP: Specify the Remote Gateway's LAN IP address to keep the VPN tunnel alive.
Show remote Network Neighborhood: Select to enable showing the remote Network Neighborhood.
Modifying a Tunnel
Step 1: Select VPN > Tunnel.
Step 2: In the Tunnel window, find the Tunnel that you want to modify and click Modify.
Step 3: Enter appropriate settings.
[Screenshot: VPN > Tunnel list with columns Name, Source Subnet, Destination Subnet, IPSec / PPTP, Configure.]
Removing Tunnel
Step 1: Select VPN > Tunnel.
Step 2: In the Tunnel window, find the Tunnel that you want to modify and click Remove.
[Screenshot: VPN > Tunnel.]
92. [Screenshot: Outlook Express window.]
STEP 4: Copy the path of the SpamMail file in Outlook Express so that it is convenient to upload for training to CS-500. Right-click the SpamMail file and select the Properties function. Copy the file address in SpamMail Properties.
[Screenshot: SpamMail Properties dialog.]
STEP 5: Paste the path copied from the SpamMail file into the Spam Mail for Training field in the Training function of Anti-Spam, and press OK to deliver this file to CS-500 instantly and have it learn the uploaded mail file as spam mail at the appointed time.
[Screenshot: Anti-Spam Training page. Training Database (Export, Import, Reset Training Database); Spam Mail for Training (Import Spam Mail from Client); Ham Mail for Training (Import Ham Mail from Client).]
Note
1. The training file that is uploaded to CS-500 can be any data file and is not restricted in its file extension, but
93. Step 57: Right-click IPSec and choose the Assign option.
[Screenshot: Console Root > IP Security Policies on Local Computer, with the Assign option selected in the context menu.]
[Screenshot: Command prompt pinging 192.168.10.1, showing "Negotiating IP Security", a request timeout, and then replies from 192.168.10.1.]
Example 3: Create a VPN connection between two Content Security Gateways using Aggressive mode (Algorithm: 3DES and MD5) and data encryption for IPSec Algorithm (3DES and MD5)
Preparation Task:
Company A: External IP is 61.11.11.11, Internal IP is 192.168.10.X
Company B: External IP is 211.22.22.22, Internal IP is 192.168.20.X
To allow Company A (192.168.10.100) to create a VPN connection with Company B (192.168.20.100) for downloading the sharing file. T
94. Step 51: Select Traffic out and click Next.
[Screenshot: Security Rule Wizard, IP Filter List page, listing All ICMP Traffic, All IP Traffic, Traffic in, Traffic out.]
Step 52: Select Security and click Edit.
[Screenshot: Security Rule Wizard, Filter Action page, listing Permit, Require Security, Request Security (Optional), Security.]
Step 53: Enable Session key perfect forward secrecy (PFS) and click OK.
[Screenshot: Security Properties dialog, Security Methods tab.]
95. Z window: Click DMZ under the Address menu to enter the DMZ window. The current setting information, such as the name of the LAN network, IP and Netmask addresses, will show on the screen.
[Screenshot: Policy Object > Address > DMZ list with columns Name, IP / Netmask, MAC Address, Configure.]
Adding a new DMZ Address
Step 1: In the DMZ window, click the New Entry button.
Step 2: In the Add New Address window, enter the settings for a new DMZ address.
Step 3: Click OK to add the specified DMZ or click Cancel to discard changes.
[Screenshot: Policy Object > Address > DMZ, Add New Address. Fields: Name, IP Address, MAC Address (Clone MAC Address), Get static IP address from DHCP Server.]
Modifying a DMZ Address
Step 1: In the DMZ window, locate the name of the network to be modified and click the Modify option in its corresponding Configure field.
Step 2: In the Modify Address window, fill in new addresses.
Step 3: Click OK to save the changes or click Cancel to discard changes.
[Screenshot: Policy Object > Address >]
96. Chapter 1: Introduction
The innovation of the Internet has created a tremendous worldwide venue for e-business and information sharing, but it also creates network security problems, so security will be the primary concern for the enterprise. Planet's Content Security Gateway CS-500, a security gateway specially designed for small business, adopts Heuristics Analysis to filter spam and virus mail; its auto-training system can raise the identification rate of spam, and its built-in Clam virus scan engine can detect viruses, worms and other threats from email transfer. Meanwhile, Instant Messaging (IM) and peer-to-peer (P2P) are the fastest growing communications medium of all time; the spread of IM and P2P has created network security threats and consumed bandwidth. CS-500 can also prevent employees from using various IM and P2P applications like MSN, Yahoo Messenger, ICQ, QQ and Skype. CS-500 not only can filter spam and virus mail, but is also a high-performance VPN firewall. The IDP and firewall functions can defend against hacker and blaster attacks from the Internet. Moreover, the built-in QoS feature lets you configure the traffic per specific protocol more flexibly. The complete function set in one device offers an excellent security solution and the secure environment for
97. [Screenshot: Policy Object > Authentication > Auth Group, New Authentication Group. Available Authentication User and Selected Authentication User lists with Add and Remove buttons.]
Modifying Auth Group
Step 1: In the Auth Group window, locate the Auth Group to be edited. Click its corresponding Modify option in the Configure field.
Step 2: In the Modify Auth Group window, the following fields are displayed:
- Name: Enter the new Auth Group name.
- Available auth user: List all the available Auth User.
- Selected auth user: List Auth User to be assigned to the new group.
Step 3: To add new Auth User: Select the Auth User desired to be added in the Available auth user list, and then click the Add >> button to add them to the group.
Step 4: To remove Auth User: Select the Auth User desired to be removed from the Available auth user list, and then click the << Remove button to remove them from the group.
Step 5: Click OK to modify the Group.
[Screenshot: Policy Object > Authentication > Auth Group.]
98. and destination networks.
Step 2: In Service, set services.
Step 3: In Virtual Server, set names and addresses of mapped IP or virtual server (only applied to Incoming policies).
Step 4: Set control policies in Policy.
4.4.1 Outgoing
This section describes steps to create policies for packets and services from the LAN network to the WAN network.
Entering the Outgoing window: Click Policy on the left-hand side menu bar, then click Outgoing under it. A window will appear with a table displaying currently defined Outgoing policies.
[Screenshot: Policy > Outgoing with the New Entry button.]
The fields in the Outgoing window are:
- Source: Source network addresses that are specified in the LAN section of the Address menu, or all the LAN network addresses.
- Destination: Destination network addresses that are specified in the WAN section of the Address menu, or all of the WAN network addresses.
- Service: Specify services provided by WAN network servers.
- Action: Control actions to permit or deny packets from LAN networks to the WAN network travelling through the Content Security Gateway.
- Option: Specify the monitoring functions on packets from LAN networks to WAN networks travelling through the Content Security Gateway.
- Configure: Modify settings.
- Move: This sets the priority of the policies, number 1 being the highest priority.
Addin
99. [Screenshot: Policy Object > VPN > IPSec Autokey list]
Step 10. Click Tunnel and press New Entry to configure the further settings.
Step 11. Enter Site A as the new tunnel name and select the LAN interface as the VPN source. Fill in the LAN IP subnet 192.168.10.0 with subnet mask 255.255.255.0.
Step 12. In the To Destination table, fill in company B's subnet IP and mask, 192.168.20.0 and 255.255.255.0 respectively.
Step 13. In IPSec / PPTP Setting, select CS as the available tunnel.
Step 14. Fill in company B's gateway IP 192.168.20.1 in Keep alive IP to keep the VPN tunnel connected.
Step 15. Click OK to finish the Tunnel setting of Company A.
Step 16. If you want to configure a bi-directional VPN connection, you should enable the Tunnel setting in the Outgoing and Incoming Policy.
[Screenshots: Outgoing Policy and Incoming Policy]
100. aration Task: Company A External IP is 61.11.11.11, Internal IP is 192.168.10.X. Company B External IP is 211.22.22.22, Internal IP is 192.168.20.X. To allow Company A (192.168.10.100) to create a VPN connection with company B (192.168.20.100) for downloading the shared file.
The Gateway of Company A is 192.168.10.1. The settings of company A are as follows:
Step 1. Enter the default IP of Company A's Content Security Gateway, 192.168.10.1. Click VPN in the menu bar on the left-hand side, then select the sub-item IPSec Autokey. Click Add.
Step 2. Enter the VPN name VPN_A in the IPSec Autokey window.
Step 3. In the To Destination table, choose Remote Gateway (Fixed IP or Domain Name) and enter the IP address to be connected.
Step 4. In the Authentication Method table, enter the Preshared Key.
Step 5. In the Encapsulation or Authentication table, choose ISAKMP Algorithm. For communication via VPN, we choose 3DES for ENC Algorithm and MD5 for AUTH Algorithm, and select Group 1 to connect.
Step 6. In the IPSec Algorithm table, choose Data Encryption + Authentication. We choose 3DES for ENC Algorithm and MD5 for AUTH Algori
101. associated IP addresses. This list cannot be modified.
[Screenshot: Policy Object > Service > Pre-defined]
Icons and Descriptions:
- TCP services, e.g. AFPoverTCP, AOL, BGP, FINGER, FTP, GOPHER, HTTP, HTTPS, IMAP, InterLocator, IRC, L2TP, LDAP, NetMeeting, NNTP, POP3, PPTP, Real Media, RLOGIN, SMTP, SSH, TCP ANY, TELNET, VDO Live, WAIS, WINFRAME, X WINDOWS, MSN, etc.
- UDP services, e.g. DNS, IKE, NFS, NTP, PC Anywhere, RIP, SNMP, SYSLOG, TALK, TFTP, UDP ANY, UUCP, etc.
- ICMP services, e.g. PING, TRACEROUTE, etc.
4.3.2.2 Custom
Entering the Custom window
Step 1. Click Custom under it. A window will appear with a table showing all services currently defined by the Administrator.
[Screenshot: Policy Object > Service > Custom]
Definitions:
- Service name: The defined service name.
- Protocol: Network protocol used in the basic setting, such as TCP, UDP or others.
Client
102. bUI to be accessed from the WAN network. This will allow the WebUI to be configured from a user on the Internet. Keep in mind that the device always requires a username and password to enter the WebUI.
[Screenshot: Interface > WAN window]
For Dynamic IP Address (Cable Modem User): This option is for users who are automatically assigned an IP address by their ISP, such as cable modem users. The following fields apply:
- IP Address: The dynamic IP address obtained by the Content Security Gateway from the ISP will be displayed here. This is the IP address of the WAN port of the device.
- MAC Address: This is the MAC Address of the device.
- Hostname: This will be the name assigned to the device. Some cable modem ISPs assign a specific hostname in order to connect to their network. Please en
103. [Screenshot: System > Configure > Multiple Subnet]
Multiple Subnet allows the local port to set Multiple Subnet Routing Mode and connect to the Internet through the WAN IP address.
For example, the leased line of a company provides several real IP addresses (168.85.88.0/24), and the company is divided into R&D, Customer Service, Sales, Procurement and Accounting Departments. The company can distinguish each department by a different sub-network for convenient management. The settings are as follows:
- R&D: Alias IP of LAN interface 168.85.88.1, Netmask 255.255.255.192
- Sales: Alias IP of LAN interface 168.85.88.65, Netmask 255.255.255.192
- Procurement: Alias IP of LAN interface 168.85.88.129, Netmask 255.255.255.192
- Accounting: Alias IP of LAN interface 168.85.88.193, Netmask 255.255.255.192
Click System on the left-side menu bar, then click Multiple Subnet below the Configure menu to enter the Multiple Subnet window.
[Screenshot: System > Configure > Multiple Subnet window]
Multiple Subnet functions
WAN Interface IP / Forwarding Mode: Display WAN Port IP
104. [Screenshot: Policy Object > Content Blocking > P2P Blocking settings]
CS-500 provides a feature that will auto-detect the P2P program version. When it detects a new-version P2P program on the LAN side, CS-500 will connect to the Internet and download the pattern to update the P2P Blocking function, so that the function keeps working well to block new-version P2P programs. The current pattern version is displayed at the top.
4.3.6.4 IM
Step 1. Click IM below the Content Blocking menu.
Step 2. Select IM detection functions:
- MSN Messenger Blocking: Select to block MSN Messenger login, File Transfer, Voice or Camera transferring.
- Yahoo Messenger Blocking: Select to block Yahoo Messenger login, File Transfer, Voice or Camera transferring.
- ICQ Blocking: Only to select to block ICQ login.
- QQ Blocking: Only to select to block ICQ login.
- Skype Messenger Blocking: Select to block Skype Messenger login, File Transfer, Voice or Camera transferring.
Step 3. After selecting each function, click the OK button below.
[Screenshot: Policy Object > Content Blocking > IM, Instant Messaging Blocking settings]
105. cquire the current version number of software in Version Number. Administrators may visit the distributor's web site to download the latest version and save it on the server's hard disk.
Step 1. Click Browse to select the latest version of Software.
Step 2. Click OK to update software.
[Screenshot: System > Administration > Software Update]
NOTE: It takes three minutes to update the software. The system will restart automatically after updating the software.
4.1.4 Setting
The Administrator may use this function to back up Content Security Gateway configurations and export (save) them to an Administrator computer or anywhere on the network, to restore a configuration file to the device, or to restore the Content Security Gateway back to default factory settings.
Entering the Settings window: Click Setting in the Configure menu to enter the Settings window. The Setting will be shown on the screen.
[Screenshot: System > Configure > Setting, Backup / Restore Configuration]
106. ct fingerprinter system to distinguish spam mail; you can also select the Bayesian filtering system to scan spam mail.
- Check sender account: Select to allow CS-500 to check the sender's account when it receives the mail; if the sender's account is faked, CS-500 will treat the mail as spam.
- Check sender IP address in RBL (Realtime Blackhole List): Select this function to allow CS-500 to check mail against the RBL list.
- Add score tag to the subject line: If this function is selected, all received mail will have a score tag added to the mail subject.
Action of Spam Mail: When CS-500 filters the spam mail, there are three kinds of actions for Internal Mail Server and one action for External Mail Server to arrange the spam mail.
- Delete the spam mail: If this option is selected, the spam mail will be deleted without any notification.
- Deliver to the recipient: Pass the mail to the recipient and add a SPAM in the mail subject. This function is available for Internal and External Mail Server.
- Forward to: You can configure CS-500 to forward spam mail to a specific mail account, which makes the spam mail easier to manage.
Configure an Anti-Spam setting: After setting up the relevant settings in the Mail Relay function of Configure, add the following settings in this function:
- The Mail Server is placed in Internal (LAN or DMZ).
- The threshold score: Enter 5.
- Add the message to the subject line: Enter spam.
- Select Ad
107. ction
Entering the Policy Statistics
Step 1. Click Statistics in the menu bar on the left-hand side, then select Policy Statistics.
Step 2. In the Statistics window, find the policy you want to view.
Step 3. In the Statistics window, click Minute on the right-hand side to view the Statistics figure every minute; click Hour to view the Statistics figure every hour; click Day to view the Statistics figure every day.
- Y Coordinate: There are three options: Total, Kbit/sec, Kbytes/sec.
- X Coordinate: Time (Hour / Minute / Day).
[Figure: Monitor > Statistics > Policy chart showing traffic stream, maximum stream and average stream over time in minutes]
4.8.4 Status
In this section, the device displays the status information about the Content Security Gateway. Status will display the network information from the Configuration menu. T
108. d score tag to the subject line.
- Select Deliver to the recipient.
- Click OK.
4.5.2.2 Rule
The Content Security Gateway's Administrator may use the rule setting to classify spam mail based on a certain condition. The rule can also allow CS-500 to record the mail type through the auto-learning system to judge spam mail. Click Mail Security in the menu bar, then click Rule below the Anti-Spam menu. The Rule window will appear.
[Screenshot: Mail Security > Anti-Spam > Rule]
Below is the information needed for setting up the Rule:
- Rule Name: The name of the custom spam mail determination rule.
- Comments: To explain the meaning of the custom rule.
- Combination:
  And: The mail must fit all of the custom mail rules to be considered spam mail or ham mail.
  Or: The mail only needs to fit one of the custom mail rules to be considered spam mail or ham mail.
- Classification:
  Spam: Classifies the mails that correspond to the rule as spam mail.
  Ham (Non-Spam): Classifies the mails that correspond to the rule as ham mail.
- Action: This function will be available only when Classification is set as Spam. You can choose
109. [Screenshot: IP Filter List dialog]
Step 19. Click Next.
[Screenshot: IP Filter Wizard welcome page]
Step 20. In Source address, click the down arrow to select A specific IP Subnet, and fill in Company A's IP Address 192.168.10.0 and Subnet mask 255.255.255.0.
[Screenshot: Filter Wizard, IP Traffic Source]
Step 21. In Destination address, click the down arrow to select My IP Address.
[Screenshot: Filter Wizard, IP Traffic Destination]
Step 22. Click Next.
[Screenshot: Filter Wizard, IP Protocol Type]
110. disabled.
- Client IP Range: Enter the IP range allocated for PPTP Clients when they connect to the PPTP server.
- Allow remote client to connect to Internet: Check to allow remote PPTP clients to access the Internet via the PPTP tunnel.
- Auto-Disconnect if idle (minutes): Configure this device to disconnect from the PPTP Server when there is no activity for a predetermined period of time. To keep the line always connected, set the number to 0.
- Echo-Request: Configure the timing to detect the VPN status. If failed, CS-500 will disconnect the VPN tunnel.
Click OK to save modifications or click Cancel to cancel modifications.
Adding PPTP Server
Step 1. Select VPN > PPTP Server. Click New Entry.
Step 2. Enter appropriate settings in the following window:
- User name: Specify the PPTP client. This should be unique.
- Password: Specify the PPTP client password.
- Client IP assigned by:
  1. IP Range: check to enable auto-allocating an IP for the PPTP client to connect.
  2. Fixed IP: check and enter a fixed IP for the PPTP client to connect.
[Screenshot: Policy Object > VPN > PPTP Server, Add New PPTP Server]
Step 3. Click OK to save modifications or click
111. dle minutes before disconnection. Enter 0 if you do not want the PPPoE connection to disconnect at all.
For Dynamic IP Address (Cable Modem User): This option is for users who are automatically assigned an IP address by their ISP, such as cable modem users. The following fields apply:
- MAC Address: This is the MAC Address of the device. Some ISPs require a specified MAC address. If the required MAC address is your PC's, click Clone MAC Address.
- Hostname: This will be the name assigned to the device. Some cable modem ISPs assign a specific hostname in order to connect to their network. Please enter the hostname here. If not required by your ISP, you do not have to enter a hostname.
- Domain Name: You can specify your own domain name or leave it blank.
- User Name: The user name is provided by the ISP.
- Password: The password is provided by the ISP.
For Static IP Address: This option is for users who are assigned a static IP Address from their ISP. Your ISP will provide all the information needed for this section, such as IP Address, Netmask, Gateway and DNS. Use this option also if you have more than one public IP Address assigned to you.
- IP Address: Enter the static IP address assigned to you by your ISP. This will be the public IP address of the WAN port of the device.
- Netmask: This will be the Netmask of the WAN network (i.e. 255.255.255.0).
- Default Gateway: This will be the Gateway IP address.
Domain
112. drop-down list. The drop-down list contains the names of all WAN networks defined in the WAN section of the Address menu. To create a new source address, please go to the LAN section under the Address menu.
- Destination Address: Select names of the LAN networks from the drop-down list. The drop-down list contains the names of IP mapping addresses specified in the Mapped IP or the Virtual Server sections of the Virtual Server menu. To create a new destination address, please go to the Virtual Server menu.
- Service: Specified services provided by LAN network servers. These are the services / applications that are allowed to pass from the network to the LAN network. Choose ANY for all services.
- Schedule: Select the item listed in the schedule to enable the policy to automatically execute the function in a certain time and range.
- Tunnel: Select the specific VPN tunnel to enable the VPN traffic in the Policy rule.
- Action: Select Permit or Deny ALL from the drop-down list to allow or reject the packets travelling between the specified WAN network and Virtual Server / Mapped IP.
- Traffic Log: Select Enable to enable flow monitoring.
- Statistics: Select Enable to enable flow statistics.
- IDP: Check to enable the IDP feature.
- Max. Concurrent Sessions: The maximum number of concurrent sessions allowed to pass through CS-500. 0 means it is unlimited.
- QoS: Select the item listed in the QoS to enable the policy to automatically execute the function in a certain time and range.
- NAT: Sel
113. e IP Accounting Report: Pull down the menu and select Source IP to show the inbound source IP accounting report.
[Screenshot: Monitor > Accounting Report > Inbound]
When WAN users connect to a LAN service server through CS-500, all of the Downstream, Upstream, First Packet, Last Packet and Duration logs of the source IP will be recorded.
Definitions:
- Top: Select the data type you want to check. It presents 10 results in one page.
- Source IP: The IP address used by the WAN host.
- Downstream: The percentage of Downstream and the statistic value of the connection from LAN host to WAN host via CS-500.
- Upstream: The percentage of Upstream and the statistic value of the connection from WAN host to LAN host via CS-500.
- First Packet: The time record of the first packet that was sent from WAN host to LAN host.
- Last Packet: The time record of the last packet that was sent from WAN host to LAN host.
- Duration: The ti
114. e packets travelling from the specified DMZ network to the WAN network.
- Traffic Log: Select Enable to enable flow monitoring.
- Statistics: Select Enable to enable flow statistics.
- IDP: Check to enable the IDP feature.
- Content Blocking: Select Enable to enable Content Blocking.
- Max. Concurrent Sessions: The maximum number of concurrent sessions allowed to pass through CS-500. 0 means it is unlimited.
- QoS: Select the item listed in the QoS to enable the policy to automatically execute the function in a certain time and range.
Step 3. Click OK to add the new policy or click Cancel to cancel adding.
Modifying a DMZ To WAN policy
Step 1. In the DMZ To WAN window, locate the name of the policy to be modified and click its corresponding Modify option in the Configure field.
Step 2. In the Modify Policy window, fill in the new settings.
NOTE: To change or add selections in the drop-down list, go to the section where the selections are set up:
- Source Address: DMZ of Address
- Destination Address: WAN
- Service: Pre-defined Service, Custom or Group under Service
Step 3. Click OK to save modifications or click Cancel to cancel modifications.
[Screenshot: Policy > DMZ To WAN, Modify Policy]
115. [Screenshot: E-mail Setting fields]
Restoring Factory Default Settings
Step 1. Select Reset Factory Settings under Backup / Restore Configuration.
Step 2. Click OK at the bottom right of the screen to restore the factory settings.
[Screenshot: System > Configure > Setting]
System Name Setting: Input the name you want into the Device Name column to be the device name.
Email Setting
Step 1. Select Enable E-mail Alert Notification under E-Mail Setting. This function will enable the Content Security Gateway to send e-mail alerts to the System Administrator when the network is being attacked by hackers or when emergency conditions occur.
Step 2. SMTP Server IP: Enter the SMTP server's IP address.
Step 3. E-Mail Address 1: Enter the first e-mail address to receive the alarm notification.
Step 4. E-Mail Address 2: Enter the second e-mail address to receive the alarm notification. (Optional)
Click OK on the bottom right o
116. e sender account of planet.com.tw mail server to the recipient account in an external mail server, the configuration needs the following mail relay settings.
STEP 1. Add the first setting in the Mail Relay function of Configure:
- Select Domain Name of Internal Mail Server.
- Domain Name of Mail Server: Enter the Domain Name.
- IP Address of Mail Server: Enter the IP address that the Mail Server's domain name is mapped to.
[Screenshot: Mail Security > Configure > Mail Relay, Domain Name of Internal Mail Server]
STEP 2. Add the second setting in the Mail Relay function of Configure:
- Select Allowed External IP of Mail Relay.
- IP Address: Enter the IP Address of the external sender.
- Enter the Netmask.
Complete Mail Relay setting
[Screenshot: Mail Security > Configure > Mail Relay]
117. e setting: Necessary Item and Optional Item.
[Screenshot: Policy Object > VPN > IPSec Autokey, Necessary Item and Optional Item]
Step 2. Configure the Necessary Item parameters:
- Name: Specify a name for the VPN rule.
- To Destination:
  Remote Gateway (Fixed IP or Domain Name): Specify the fixed IP address or domain name of the remote side VPN gateway.
  Remote Gateway or Client (Dynamic IP): Select Remote Gateway or Client if there is only one user or device and it dials up to the Internet with PPPoE or cable modem.
- Preshared Key: The IKE VPN must be defined with a Preshared Key. The Key may be up to 128 bytes long.
- Encapsulation: ISAKMP Algorithm
  ENC Algorithm: ESP Encryption Algorithm. ESP (Encapsulating Security Payload) provides security for the payload data sent through the VPN tunnel. Generally, you will want to enable both Encryption and Authentication. The available encryption algorithms include 56-bit DES-CBC, 168-bit 3DES-CBC, AES 128-bit, AES 192-bit or AES 256-bit. The default algorithm is 56-bit DES-CBC.
  AUTH Method: Authentication Method. Selects the MD5 (128-bit hash) or SHA-1 (160-bit hash) authentication algorithm. In
118. e the setting and then you can configure.
Adding a WAN Group
Step 1. In the WAN Group window, click the New Entry button and the Add New Address Group window will appear.
Step 2. In the Add New Address Group window, the following fields will appear:
- Name: Enter the name of the new group.
- Available address: Lists the names of all the members of the WAN network.
- Selected address: Lists the names to assign to the new group.
- Add members: Select the names to be added in the Available address list and click the Add >> button to add them to the Selected address list.
- Remove members: Select the names to be removed in the Selected address list and click the << Remove button to remove them from the Selected address list.
Step 3. Click OK to add the new group or click Cancel to discard changes.
[Screenshot: Policy Object > Address > WAN Group, Add New Address Group]
Modifying a WAN Group
Step 1. In the WAN Group window, locate the network group to be modified and click its corresponding Modify button in the Configure field.
Step 2. A window displaying the in
119. e will list host computers on the LAN network that obtain their IP address from the Content Security Gateway's DHCP server function.
[Screenshot: Monitor > Status > DHCP Clients]
- IP Address: The IP address of the LAN host computer.
- MAC Address: MAC address of the LAN host computer.
- Leased Time: The Start and End time of the DHCP lease for the LAN host computer.
120. [Screenshot: System > Configure > Setting, Dynamic Routing (RIPv2) and System Reboot options]
4.1.5 Date/Time
Synchronizing the Content Security Gateway with the System Clock
The Administrator can configure the Content Security Gateway's date and time by either syncing to an Internet Network Time Server (NTP) or by syncing to your computer's clock.
Follow these steps to sync to an Internet Time Server:
Step 1. Enable synchronization by checking the box.
Step 2. Click the down arrow to select the offset time from GMT.
Step 3. Enter the Server IP Address or Server name with which you want to synchronize.
Step 4. Update system clock every ... minutes: You can set the interval time to synchronize with outside servers. If you set it to 0, the device will not synchronize automatically.
Follow this step to sync to your computer's clock:
Step 1. Click on the Sync button.
Click OK to apply the setting or click Cancel to discard changes.
[Screenshot: System > Configure > Date/Time]
121. ect enable to replace the Internet user's IP address with the LAN interface IP, in order to allow Internet users to access LAN resources if the LAN server only allows access from the same IP subnet.
Step 3. Click OK to add the new policy or click Cancel to cancel adding the new incoming policy.
Modifying Incoming Policy
Step 1. In the Incoming window, locate the name of the policy to be modified and click its corresponding Modify option in the Configure field.
Step 2. In the Modify Policy window, fill in the new settings.
Step 3. Click OK to save modifications or click Cancel to cancel modifications.
[Screenshot: Policy > Incoming, Modify Policy]
Removing an Incoming Policy
Step 1. In the Incoming window, locate the name of the policy to be removed and click its corresponding Remove in the Configure field.
Step 2. In the Remove confirmation window, click OK to remove the policy or click Cancel to cancel removing.
[Screenshot: Policy > Incoming, remove confirmation dialog]
122. eded.
Step 3. Click OK to save changes or click on Cancel to cancel modifications.
[Screenshot: System > Configure > Host Table, Modify Host Table]
Removing a Host Table
Step 1. In the Host Table window, find the policy to be removed and click the corresponding Remove option in the Configure field.
Step 2. A confirmation pop-up box will appear; click OK to remove the Host Table or click Cancel.
[Screenshot: System > Configure > Host Table, remove confirmation dialog]
4.1.11 Language
The Administrator can configure the Content Security Gateway to select the Language version.
Step 1. Select the Language version (English Version, Traditional Chinese Version or Simplified Chinese Version).
Step 2. Click OK to set the Language version or click Cancel to discard changes.
4.1.12 Logout
Step 1. Select this option to log out of the Content Security Gateway. This function protects your system while you are away
123. el action.
[Screenshot: Policy Object > Service > Custom]
4.3.2.3 Group
Accessing the Group window
Step 1. Click Group under it. A window will appear with a table displaying the current service group settings set by the Administrator.
[Screenshot: Policy Object > Service > Group]
Definitions:
- Group name: The Group name of the defined Service.
- Service: The Service item of the Group.
- Configure: Configure the settings of the Group. Click Modify to change the parameters of the Group. Click Remove to delete the Group.
NOTE: In the Group window, if one of the Service Groups has been added to a Policy, an In Use message will appear in the Configure column. You are not allowed to modify or remove the settings. Go to the Policy window and remove the Service group first, and then you are allowed to configure the setting.
Adding Service Groups
Step 1. In the Group window, click the New Entry button.
Step 2. In the Add Service Group window, the following fields will appear:
- Available service: Lists all the available services.
- Selected service: Lists the services to be assigned to the new group.
Step 3. Enter the new group name in the group Name field. This wi
124. es and Active X. P2P: eDonkey, Bit Torrent, WinMX and Foxy. Instant Messaging: MSN, Yahoo Messenger, ICQ, QQ and Skype. Download and Upload. IDP: CS-500 provides three kinds of Signature to complete the intrusion detection system; the user can select to configure Anomaly, Pre-defined and Custom according to the current environment's request. QoS: You can control the outbound and inbound Upstream/downstream Bandwidth by configuring the QoS based on the WAN bandwidth. User Authentication: Web-based authentication allows users to be authenticated by web browser. The user database can be configured on the device or through an external RADIUS server. Multiple NAT: Multiple NAT allows the local port to set multiple subnetworks and connect to the Internet through different WAN IP addresses. 1.2 Package Contents. The following items should be included: CS-500 Content Security Gateway; User's Manual CD-ROM; this Quick Installation Guide; Power Adapter. If any of the contents are missing or damaged, please contact your dealer or distributor immediately. 1.3 Content Security Gateway Front View. CS-500 Front Panel. STATUS: Power is supplied to this device. STATUS: Blinks to indicate this device is being turned on and booting. After one minute, this LED indicator will stop blinking; it means t
125. estination Address Inside Any Action Traffic Log Statistics Enable MAX Concurrent Sessions. Step 16: Click OK to finish the Policy setting of Company A. Configuration of WinXP. The IP of the remote user is 210.66.155.91. The settings of the remote user are as follows. Step 1: In Windows XP, click Start and click the Execute function. Step 2: In the Execute window, enter the command mmc in Open. Step 3: In the Console window, click the Console (C) option and click the Add/Remove Embedded Management Option.
126. [Screenshot: Monitor > Accounting Report > Outbound, a table with columns Downstream, Upstream, First Packet, Last Packet, Duration and Action.] Outbound Source IP Accounting Report: Pull down the menu and select Source IP to show the outbound source IP accounting report. When LAN users connect to a WAN service server through CS-500, all of the Downstream, Upstream, First Packet, Last Packet and Duration log of the source IP will be recorded. Definition: Top: Select the data type you want to check. It presents 10 results in one page. Source IP: The LAN user's IP address that connects to CS-500 to access the WAN service server. Downstream: The percentage of downstream and the statistic value of the connection from WAN server to LAN user. Upstream: The percentage of upstream and the stat
127. etwork. Click Remove to delete the setting of the WAN network. NOTE: In the WAN Network window, if one of the members has been added to a Policy or LAN Group, the Configure column will show the message "In Use". In this case you are not allowed to modify or remove the settings. Adding a new WAN Address. Step 1: In the WAN window, click the New Entry button. Step 2: In the Add New Address window, enter the settings for a new WAN network address. Step 3: Click OK to add the specified WAN network, or click Cancel to discard changes. Modifying a WAN Address. Step 1: In the WAN table, locate the name of the network to be modified and click the Modify option in its corresponding Configure field. Step 2: The Modify Address window will appear on the screen immediately. In the Modify Address window, fill in new addresses. Step 3: Click OK to save changes, or click Cancel to discard changes. Removing a WAN Address. Step 1: In the WAN table, locate the name o
128. f the network to be removed and click the Remove option in its corresponding Configure field. Step 2: In the Remove confirmation pop-up box, click OK to remove the address, or click Cancel to discard changes. 4.3.1.4 WAN Group. Entering the WAN Group window. Step 1: Click WAN Group under the Address menu bar to enter the WAN window. The current settings for the WAN network group(s) will appear on the screen. Definitions: Name: name of the WAN group. Member: members of the group. Configure: configure the settings of the WAN group. Click Modify to change the parameters of the WAN group. Click Remove to delete the selected group. NOTE: In the WAN Group window, if one of the members has been added to the Policy, an "In Use" message will appear in the Configure column. You are not allowed to modify or remove the settings. Go to the Policy window to remov
129. f the screen to enable E-mail alert notification. Web Management (WAN Interface): The administrator can change the port number used by HTTP port anytime (Remote UI Management). Step 1 by HTTP port anytime
130. figure: Modify dynamic DNS settings. Click Modify to change the DNS parameters; click Delete to delete the settings. How to use dynamic DNS: The Content Security Gateway provides many service providers; users have to register prior to using this function. For the usage regulations, see the providers' websites. How to register: First, click Dynamic DNS in the System menu to enter the Dynamic DNS window, then click the Add button; on the right side of the service providers, click Sign up, and the service provider's website will appear. Please refer to the website for the way of registration. Click to link to the website selected on the left. Add Dynamic DNS settings. Step 1: Click the Add button. Step 2: Click the information in the column of the new window. Service providers: Select service providers. Sign up: to the service provider's website. WAN IP Address: IP Address of the WAN port. Automatically: Check to automatically fill in the WAN IP. User Name: Enter the registered user name. Password: Enter the password provided by ISP (Internet Service Prov
131. finitions every 120 minutes. Update signature definitions immediately (use TCP port 80 and UDP port 53). Enable Anti-virus for HTTP, FTP, P2P, IM, NetBIOS. Set default action of all signatures: High Risk, Medium Risk, Low Risk. STEP 2: Enter the following settings in Custom of the Signature function. Click New Entry. Name: Enter Software_Crack_Website. Protocol: Select TCP. Source Port: Enter 0 to 65535. Destination Port: Enter 80 to 80. Risk: Select High. Action: Select Drop and enable the Log function. Content: Enter cracks. Click OK to finish the IDP setting. STEP 3: Enter the following settings in Outgoing Polic
132. formation of the selected group appears. Available address: lists the names of all the members of the WAN network. Selected address: lists the names of the members that have been assigned to this group. Step 3: Add members: Select the names to be added in the Available address list and click the Add >> button to add them to the Selected address list. Step 4: Remove members: Select the names to be removed in the Selected address list and click the << Remove button to remove them from the Selected address list. Step 5: Click OK to save changes, or click Cancel to discard changes. Removing a WAN Group. Step 1: In the WAN Group window, locate the group to be removed and click its corresponding Modify option in the Configure field. Step 2: In the Remove confirmation pop-up box, click OK to remove the group, or click Cancel to discard changes. Entering the DM
133. g a Schedule. Step 1: In the Schedule window, find the policy to be modified and click the corresponding Modify option in the Configure field. Make needed changes. Step 2: Click OK to save changes. Removing a Schedule. Step 1: In the Schedule window, find the policy to be removed and click the corresponding Remove option in the Configure field. Step 2: A confirmation pop-up box will appear; click OK to remove the schedule. 4.3.4 QoS. By configuring the QoS, you can control the outbound Upstream/downstream Bandwidth. The administrator can configure the bandwidth according to the WAN bandwidth. Downstream Bandwidth: To configure the Guaranteed Bandwidth and Maximum Bandwidth. Upstream Bandwidth: To configure the Guaranteed Bandwidth and Maximum Bandwidth. QoS Priority: To configure the priority of distributing Upstream/Downstream and unused bandwidth. CS-500 configures the bandwidth by different QoS and selects the suitable QoS through Policy to control and efficiently distribute bandwidth. CS-500 also makes it convenient for the administrator to use CS-500 with the bes
134. g a new Outgoing Policy. Step 1: Click the New Entry button and the Add New Policy window will appear. Step 2: Configure all the parameters. Source Address: Select the name of the LAN network from the drop-down list. The drop-down list contains the names of all LAN networks defined in the LAN section of the Address menu. To create a new source address, please go to the LAN section under the Address menu. Destination Address: Select the name of the WAN network from the drop-down list. The drop-down list contains the names of all WAN networks defined in the WAN section of the Address window. To create a new destination address, please go to the WAN section under the Address menu. Service: Specified services provided by WAN network servers. These are services/applications that are allowed to pass from the LAN network to the WAN network. Choose ANY for all services. Schedule: Select the item listed in the schedule to enable the policy to automatically execute the function in a certain time and range. Authentication User: Select the item listed in the Authentication User to enable the policy to automatically execute the function in a cer
135. general, SHA-1 is more secure than MD5. The default algorithm is MD5. Group: Selects Group 1 (768-bit modulus), Group 2 (1024-bit modulus) or Group 5 (1536-bit modulus). The larger the modulus, the more secure the generated key is. However, the larger the modulus, the longer the key generation process takes. Both sides of the VPN tunnel must agree to use the same group. The default algorithm is Group 1. IPSec Algorithm: Select Data Encryption + Authentication or Authentication Only. Data Encryption + Authentication: Encryption Algorithm: Selects 56-bit DES-CBC, 168-bit 3DES-CBC, AES 128-bit, AES 192-bit or AES 256-bit encryption algorithm. The default algorithm is 56-bit DES-CBC. Authentication Algorithm: Selects MD5 (128-bit hash) or SHA-1 (160-bit hash) authentication algorithm. In general, SHA-1 is more secure than MD5. The default algorithm is MD5. Authentication Only: When this function is selected, the IPSec Algorithm will only be authenticated with the preshared key. Step 3: Configure Optional Item parameters if necessary. Perfect Forward Secrecy: Select Group 1, Group 2 or Group 5 to enhance security by changing the IPsec key at regular intervals and ensuring that each key has no relationship to the previous key. The default is NO PFS. ISAKMP Lifetime: New keys will be generated whenever the lifetime of the old keys is exceeded. The Administrator may enable this feature if needed and enter the lifetime in seconds to re-key. The default is 36
136. he active schedules. The following items are displayed in this window: Name: the name assigned to the schedule. Configure: modify or remove. Adding a new Schedule. Step 1: Click the New Entry button and the Add New Schedule window will appear. Schedule Name: Fill in a name for the new schedule. Period: Configure the start and stop time for the days of the week that the schedule will be active. Step 2: Click OK to save the new schedule, or click Cancel to cancel adding the new schedule. NOTE: In setting a Schedule, the value in Start Time must be less than the value in Stop Time, or you cannot add or configure the setting. Modifyin
137. he Administrator may also use Status to check the DHCP lease time and MAC addresses for computers connected to the Content Security Gateway. 4.8.4.1 Interface Status. Entering the Interface Status window: Click Status in the menu bar, then click Interface Status below it. A window will appear providing information from the Configuration menu. Interface Status will list the settings for the LAN Interface, WAN Interface and the DMZ Interface. 4.8.4.2 Authentication. Entering the Auth Status window: Click Status in the menu bar, then click Authentication below it. A window will appear and provide information from the Auth User menu. Authentication Status will list the settings for Auth User login status.
138. he Administrator to set addresses of the LAN network, LAN network group, WAN network, WAN group, DMZ network and DMZ group. What is the Address Table? An IP address in the Address Table can be an address of a computer or a sub-network. The Administrator can assign an easily recognized name to an IP address. Based on the network it belongs to, an IP address can be a LAN IP address, WAN IP address or DMZ IP address. If the Administrator needs to create a control policy for packets of different IP addresses, he can first add a new group in the LAN Network Group or the WAN Network Group and assign those IP addresses to the newly created group. Using group addresses can greatly simplify the process of building control policies. How to use the Address Table: With easily recognized names of IP addresses and names of address groups shown in the address table, the Administrator can use these names as the source address or destination address of control policies. The address table should be built before creating control policies, so that the Administrator can pick the names of correct IP addresses from the address table when setting up control policies. 4.3.1.1 LAN. Entering the LAN window. Step 1: Click LAN under the Address menu to enter the LAN window. The current setting information, such as the name of the LAN network, IP and Netmask addresses, will show on the screen.
139. he Gateway of Company A is 192.168.10.1. The settings of Company A are as follows. Step 1: Enter the default IP of Company A's Content Security Gateway, 192.168.10.1. Click VPN in the menu bar on the left-hand side and then select the sub-item IPSec Autokey. Click Add. Step 2: Enter the VPN name VPN_A in the IPSec Autokey window. Step 3: In the To Destination table, choose Remote Gateway (Fixed IP or Domain Name) and enter the IP address desired to be connected. Step 4: In the Authentication Method table, enter the Preshared Key. Step 5: Enable Aggressive mode. For communication via VPN, the Content Security Gateway will force you to choose 3DES for ENC Algorithm, SHA-1 for AUTH Algorithm, and select Group 2 to connect. Local ID and Remote ID are optional parameters. If we choose to enter Local ID / Remote ID, they cannot be the same. For instance, Local ID is 11.11.11.11 and Remote ID is 22.22.22.22. If you want to use number or text, add in the front, for instance 123 and Wabc. Step 6: In the IPSec Algorithm table, choose Data Encryption + Authentication. We c
140. here. Spam Mail for Training: The System Manager can import the file which is not determined as spam mail here, to raise the judgment rate of spam mail after the CS-500 learns the file. Ham Mail for Training: The System Manager can import the file which is determined as spam mail here, to raise the judgment rate of ham mail after the CS-500 learns the file. Spam Account for Training: You can specify a mail account in your mail server and redirect all the Spam mail to this account. When the related configuration is set, such as POP3 server, User name and Password, CS-500 will search the Spam mail in this account and update the Spam type to the database at a regular time. Ham Account for Training: You can specify a mail account in your mail server and redirect all the Ham mail to this account. When the related configuration is set, such as POP3 server, User name and Password, CS-500 will search the Ham mail in this account and update the Ham type to the database at a regular time. Training Time: The System Manager can set the training time for CS-500 to learn the import file each day here.
141. his device is now ready to use. WAN, LAN, DMZ: Steady on indicates the port is connected to another network device. Blinking indicates there is traffic on the port. 1.4 Content Security Gateway Rear Panel. CS-500 Rear Panel. RESET: Press this button to restore to factory default. WAN: Connect to your xDSL/Cable modem or other Internet connection devices. LAN: Connect to your local PC, switch or other local network device. DMZ: Connect to your server or other network device. 1.5 Specification. Product: Content Security Gateway. Model: CS50. Hardware: Ethernet: LAN 1 x 10/100Mbps RJ-45; WAN 1 x 10/100Mbps RJ-45; DMZ f4 x 10/100Mbps RJ-45. LED: POWER, STATUS, 10/100 and LNK/ACT for each LAN and WAN port. Power: CSV 24A. Operating Environment: Temperature 0 to 50 C; Relative Humidity 10 to 90. Dimension (W x D x H, mm): 220 x 150 x 40. Regulatory: FCC, CE Mark. Software: Network Connection: Transparent mode (WAN to DMZ), NAT, Multi-NAT. Email Capacity per Day: 90,000. Firewall 200. VPN: PPTP server and client; IPSec; DES, 3DES and AES encryption; SHA-1 and MD5 authentication algorithm; Remote access VPN (client-to-Site) and Site-to-Site VPN. Function: Content Filtering: URL, P2P application, Instant Message, download & upload blocking; Popup, Java Applet, cookies and Active X blocking. Anomaly Flow IP, Hacker Alert, Sasser, Code Red, Syn Flood
142. hoose 3DES for ENC Algorithm and MD5 for AUTH Algorithm. Step 7: Choose GROUP 1 as the Perfect Forward Secrecy setting, and leave the default setting with 28800 seconds in IPSec Lifetime and 3600 seconds for ISAKMP Lifetime. Step 8: Click OK to finish the setting of Company A. Step 9: Click Tunnel and press New Entry to configure the further setting. Step 10: Enter Site_A as the new tunnel name and select LAN interface as the VPN source. Fill in LAN IP subnet 192.168.10.0 with subnet mask 255.255.255.0. Step 11: In the To Destination table, fill in Company B's subnet IP and mask, 192.168.20.0 and 255.255.255.0 respectively. Step 12: In IPSec/PPTP Setting, select VPN_A as the available tunnel. Step 13: Click OK to finish the Tunnel setting of Company A. Step 14: If you want to configure a bi-directional VPN connection, you should enable the Tunnel setting in Outgoing and Incoming Policy.
143. ider). Domain name: Your host domain name provided by ISP. Click OK to add dynamic DNS, or click Cancel to discard changes. Modify dynamic DNS. Step 1: Find the item you want to change and click Modify. Step 2: Enter the new information in the Modify Dynamic DNS window. Click OK to change the settings, or click Cancel to discard changes. Remove Dynamic DNS. Step 1: Find the item you want to change and click Remove. Step 2: A confirmation pop-up box will appear; click OK to delete the settings, or click Cancel to discard changes.
144. ies, number 1 being the highest priority. Adding a new WAN To DMZ Policy. Step 1: Click the New Entry button and the Add New Policy window will appear. Step 2: Configure the parameters. Source Address: Select names of the WAN networks from the drop-down list. The drop-down list contains the names of all WAN networks defined in the WAN section of the Address menu. To create a new source address, please go to the LAN section under the Address menu. Destination Address: Select the name of the DMZ network from the drop-down list. The drop-down list contains the names of the DMZ network created in the Address menu. It will also contain Mapped IP addresses from the Virtual Server menu that were created for the DMZ network. To create a new destination address, please go to the Virtual Server menu. Please refer to the sections entitled Address and Virtual Server for details. Service: Select a service from the drop-down list. The drop-down list will contain services defined in the Custom or Group section under the Service menu. These are services/applications that are allowed to pass from the WAN network to the DMZ network. Choose ANY for all
145. igure. Step 2: Configure the VRT-311 VPN policy as follows. [Screenshot: VRT-311 VPN policy form, with fields for Remote VPN endpoint, Local IP addresses, Remote IP addresses, Authentication & Encryption, IKE (Internet Key Exchange), IKE SA Life Time, IPSec SA Life Time, DH Group and PFS.] 4.4 Policy. This section provides the Administrator with facilities to set control policies for packets with different source IP addresses, source ports, destination IP addresses and destination ports. Control policies decide whether packets from different network objects, network ser
146. il: This item will show the top chart that represents the received and sent virus mail from recipient. In the Top Total Virus report, you can choose to display the scanned mails that were sent to the Internal Mail Server or received from the External Mail Server. It can also sort the mail according to Recipient, Total Virus and Total Mail. 4.6 IDP. CS-500 can aim at abnormal traffic and packet content to inspect, alert and handle it by obstruction, separation, interference or an alarm to the administrator, to prevent suspicious programs from invading the host. So when CS-500 detects attack behavior coming from inside or outside, it can provide protection to the network and obstruct the attack behavior, so that the network can still work normally, and increase information transmission security. 4.6.1 Setting. It can update signature definitions every 120 minutes, or update signature definitions immediately. It will show the update time and version at the same time. It can detect viruses in files which have no encryption and compression. Note: The user can test whether CS-500 can connect to the IDP server to update the signature definitions over the Internet by using the Test function. Set default action of all signatures: According to the attack behavior's threat, signatures are divided into High Risk, Medium Risk and Low Risk. The different r
147. ill provide all the information needed for this section, such as IP address, Netmask, Gateway and DNS. Use this option also if you have more than one public IP Address assigned to you. IP Address: Enter the static IP address assigned to you by your ISP. This will be the public IP address of the WAN port of the device. Netmask: This will be the subnet mask of the WAN network (i.e. 255.255.255.0). Default Gateway: This will be the Gateway IP address. Domain Name Server (DNS): This is the IP address of the DNS server. Max. Upstream/Downstream Bandwidth: The bandwidth provided by ISP. Ping: Select this to allow the WAN network to ping the IP Address of the Content Security Gateway. This will allow people from the Internet to be able to ping the Content Security Gateway. If set to enable, the device will respond to echo request packets from the WAN network. HTTP: Select this to allow the device WebUI to be accessed from the WAN network. This will allow the WebUI to be configured from a user on the Internet. Keep in mind that the device always requires a username and password to enter the WebUI.
148. in. Step 43: Enter the name of the IP filter and click Add. Step 44: Click Next. Step 45: In Source address, click the down arrow to select My IP Address. Step 46: In Destination address, click the down arrow to select the specific IP Subnet and fill in Company A's IP Address 192.168.10.0 and Subnet mask 255.255.255.0.
149. ing 192.168.20.1. Step 15. Click OK to finish the Tunnel setting of Company A. Step 16. If you want to configure a bi-directional VPN connection, you should enable the Tunnel setting in the Outgoing and Incoming Policy.
The Gateway of Company B is 192.168.20.1. The settings of Company B are as follows. Step 1. Enter the default IP of Company B's Content Security Gateway, 192.168.20.1. Click VPN in the menu bar on the left-hand side, and then select the IPSec Autokey sub-item. Click Add. Step 2. Enter the VPN name VPN_B in the IPSec Autokey window.
150. ing Set Web Management (WAN Interface): The administrator can change the port number used. MTU (set networking packet length): The administrator can modify the networking packet length. Step 1. MTU Setting: Modify the networking packet length. Link Speed / Duplex Mode Setting: This function allows the administrator to set the transmission speed and mode of the WAN port.
151. Importing Content Security Gateway settings: Under Backup/Restore Configuration, click on the Browse button next to Import System Settings from Client. When the Choose File pop-up window appears, select the file which contains the saved Content Security Gateway settings, then click OK. Click OK to import the file into the Content Security Gateway, or click Cancel to cancel importing.
152. isk attack behavior can be handled by the pass, drop, and log actions. Add the following settings in this function: 1. Select Enable Anti-Virus. (Disabling the Anti-Virus function will abate the IDP function in virus protection.) Click OK. High Risk: Select the drop and log functions. Medium Risk: Select the drop and log functions. Low Risk: Select the pass and log functions. Click OK. Enable the IDP function in policy. When the attack behavior matches the signature, CS-500 will produce a log as follows in the Log function of IDP Report.
153. istic value of the connection from LAN user to WAN server. First Packet: The time record of the first packet that was sent to WAN service server from LAN user. Last Packet: The time record of the last packet sent from WAN server and received by the LAN user. Duration: The time statistic record that started from the first packet and ended at the last packet. Total Traffic: CS-500 will record the sum of upstream/downstream packets from LAN user to WAN service server. Reset Counters: Click the Reset Counters button to refresh the Accounting Report.
Outbound Destination IP Accounting Report: Pull down the menu and select Destination IP to show the outbound destination IP accounting report. When a LAN user connects to a WAN service server through CS-500, all of the Downstream/Upstream/First Packet/Last Packet/Duration log of the Destination IP will be recorded. Definition: Top: Select the data type you want to check. It presents 10 results in one page. Destination IP: The WAN server's IP address. Downstream: The percentage of downstream and the statistic value of the connection from
154. ive functions. All Types Block: To block all types of files uploading from web page. Audio and Video Types Block: To block audio and video uploading from web page. Extensions Block: To block specific extension names of files from web page. Step 3. After selecting each function, click the OK button below.
4.3.7 Virtual Server
The Content Security Gateway separates an enterprise's Intranet and Internet into LAN networks and WAN networks respectively. Generally, in order to allocate enough IP addresses for all computers, an enterprise assigns each computer a private IP address and converts it into a real IP address through the Content Security Gateway's NAT (Network Address Translation) function. If a server providing service to the WAN networks is located in the LAN networks, outside users can't directly connect to the server by using the server's private IP address. The Content Security Gateway's Virtual Server can solve this problem. A virt
155. To-Appliance Packet Logging: When the function is selected, the CS-500 will record the packets that contain the IP address of CS-500 in source or destination; the records will display in Traffic Log for the administrator to inquire about. System Reboot: Once this function is enabled, the Content Security Gateway will be rebooted. Reboot Appliance: Click Reboot. A confirmation pop-up box will appear. Follow the confirmation pop-up box: click OK to restart the Content Security Gateway, or click Cancel to discard changes.
156. let Popup, ActiveX, Java, Cookie in or keep them out. P2P: Block P2P programs, including eDonkey, BitTorrent and WinMX. IM: Block Internet Message programs, including MSN, Yahoo Messenger, ICQ, QQ and Skype. Download: Block download connection, audio and video transferring from web page. You can select which type of extension name to block, or all types of file. Upload: Block upload connection, audio and video transferring from web page. You can select which type of extension name to block, or all types of file.
4.3.6.1 URL Blocking
The Administrator may set up URL Blocking to prevent LAN network users from accessing a specific website on the Internet. Any web request coming from a LAN network computer to a blocked website will receive a blocked message instead of the website. Entering the URL blocking window: Step 1. Click on URL under the Content Blocking menu bar. Step 2. Click on New Entry. Definition: URL String: The domain name that is blocked to enter by Content Security Gateway. Configure: To change the settings of URL Blocking, click Modify to change the parameters; click Delete to delete the settings. Adding a
157. lic IP address of WAN port to make Internet connection. Please find the following two pictures for example.
2.2.1 Transparent Mode Connection Example
[Figure: ISP, ADSL modem, CS-500 with WAN 61.11.11.11, LAN 192.168.1.1, DMZ in Transparent mode; LAN PCs 192.168.1.2 and 192.168.1.3; DMZ PCs 61.11.11.12 and 61.11.11.13]
The WAN and DMZ side IP addresses are on the same subnet. This application is suitable if you have a subnet of IP addresses and you do not want to change any IP configuration on the subnet.
2.2.2 NAT Mode Connecting Example
[Figure: ISP, ADSL modem, CS-500 with WAN 61.11.11.11, LAN 192.168.1.1, DMZ in NAT mode 192.168.2.1; LAN PCs 192.168.1.2 and 192.168.1.3; DMZ PCs 192.168.2.2 and 192.168.2.3]
DMZ and WAN IP addresses are on different subnets. This provides a higher security level than transparent mode.
Chapter 3 Getting Started
3.1 Web Configuration
STEP 1. Connect both the Administrator's PC and the LAN port of the Content Security Gateway to a hub or switch. Make sure there is a link light on the hub/switch for both connections. The Content Security Gateway has an embedded web server used for management and configuration. Use a web browser to display the configurations of the Content Security Gateway, such as Internet Explorer 4 or above or
158. lick OK to save the policy or Cancel to cancel.
Modifying a Rule: Step 1. In the Rule window, find the policy to be modified and click the corresponding Modify option in the Configure field. Step 2. Make the necessary changes needed. Step 3. Click OK to save changes or click on Cancel to cancel modifications.
Removing a Rule: Step 1. In the Rule window, find the policy to be removed and click the corresponding Remove option in the Configure field. Step 2. A confirmation pop-up box will appear; click OK to remove the Host Table or click Cancel.
4.5.2.3 Whitelist
To determine the mail comes from specific mail address that can send to the recipient without being restricted. Below is the information needed for setting up the Whitelist. Whitelist: Specify the key word or with wildcard for the Whitelist field
159. ll be the name referencing the created group. Step 4. To add new services: Select the services desired to be added in the Available service list and then click the Add >> button to add them to the group. Step 5. To remove services: Select services desired to be removed in the Available service and then click the << Remove button to remove them from the group. Step 6. Click OK to add the new group.
Modifying Service Groups: Step 1. In the Modify group window, the following fields are displayed. Available service: lists all the available services. Selected service: lists services that have been assigned to the selected group. Step 2. Add new services: Select services in the Available service list and then click the Add >> button to add them to the group. Step 3. Remove services: Select services to be removed in the Selected service list and then click the << Remove button to remove these services from the group. Step 4. Click OK to save editing changes.
160. me statistic record that started from the first packet and ended at the last packet. Total Traffic: CS-500 will record the sum of upstream/downstream packets from WAN host to LAN host.
Inbound Destination IP Accounting Report: Pull down the menu and select Destination IP to show the inbound destination IP accounting report. When a WAN host connects to LAN through CS-500, all of the Downstream/Upstream/First Packet/Last Packet/Duration log of the Destination IP will be recorded. Definitions: Top: Select the data type you want to check. It presents 10 results in one page. Destination IP: The IP address used by LAN host. Downstream: The percentage of Downstream and the statistic value of the connection from WAN host to LAN host via CS-500. Upstream: The percentage of Upstream and the statistic value of the connection from LAN host to WAN host via CS-500. First Packet: The time record of the first packet that was sent from LAN host to WAN host. Last Packet: The time record of the last packet that was sent from LAN host to WAN host. Duration: The time statistic record that started from the first packet and ended at the last packet. Total
161. modify in Multiple Subnet menu, then click the Modify button on the right side of the service providers; click OK. Step 2. Enter the new IP address in the Modify Multiple Subnet window. Step 3. Click the OK button below to change the setting, or click Cancel to discard changes.
Removing a Multiple Subnet Routing Mode: Step 1. Find the IP address you want to delete in Multiple Subnet menu, then click the Delete button on the right side of the service providers; click OK. Step 2. A confirmation pop-up box will appear; click OK to delete the setting or click Cancel to discard changes.
4.1.7 Route Table
In this section, the Administrator can add static routes for the networks. Entering the Route Table screen: Step
162. move option in the Configure field. Step 2. The Remove confirmation pop-up box will appear. Click OK to remove that Sub Admin or click Cancel to cancel.
4.1.2 Permitted IPs
Only the authorized IP address is permitted to manage the Content Security Gateway.
Add Permitted IPs Address: Step 1. Click the New Entry button. Step 2. In the IP Address field, enter the LAN IP address or WAN IP address. Name: Enter the host name for the authorized IP address. IP Address: Enter the LAN IP address or WAN IP address. Netmask: Enter the netmask of LAN/WAN. Ping: Select this to allow the external network to ping the IP address of the Firewall. HTTP: Check this item; Web User can use HTTP to connect to the Setting window of Content Security Gateway. Step 3. Click OK to add Permitted IP or click Cancel to discard changes.
163. Removing Service Groups: In the Remove confirmation pop-up box, click OK to remove the selected service group or click Cancel to cancel removing.
4.3.3 Schedule
The Content Security Gateway allows the Administrator to configure a schedule for policies to take effect. By creating a schedule, the Administrator is allowing the Content Security Gateway policies to be used at those designated times only. Any activities outside of the scheduled time slot will not follow the Content Security Gateway policies and therefore will likely not be permitted to pass through the Content Security Gateway. The Administrator can configure the start time and stop time, as well as creating 2 different time periods in a day. For example, an organization may only want the Content Security Gateway to allow the LAN network users to access the Internet during work hours. Therefore, the Administrator may create a schedule to allow the Content Security Gateway to work Monday-Friday, 8AM-5PM only. During the non-work hours, the Content Security Gateway will not allow Internet access. Accessing the Schedule window: Step 1. Click on Setting on the Schedule menu bar and the schedule window will appear displaying t
164. nless you have already removed this configuration of Policy.
4.3.8 VPN
The CS-500 adopts VPN to set up safe and private network service, and combines the remote Authentication system in order to integrate the remote network and PC of the enterprise. It also provides the remote users a safe encryption way to have best efficiency and encryption when delivering data. CS-500 provides two kinds of VPN service and the PPTP client. IPSec Autokey: The system manager can create a VPN connection using Autokey IKE. Autokey IKE (Internet Key Exchange) provides a standard method to negotiate keys between two security gateways. It also can set up IPSec Lifetime and Preshared Key of the CS-500. PPTP Server: The System Manager can set up VPN-PPTP Server functions at CS-500 in this chapter. PPTP Client: The System Manager can set up VPN-PPTP Client functions at CS-500 in this chapter. Tunnel: To define local and remote VPN device with related information; then the Tunnel entry can be selected in Policy in order to submit the further function to the VPN traffic. What is New: CS-500 isolates the Tunnel setting in order to allow Policy rule controlling VPN traffic. So user can filter the VPN packets with QoS, IDP rule and record the connection in Traffic Log or Statistic. Hence, to set up a Virtual Private Network (VPN), you need to configure CS-500 with following setting: 1. Configure IPSec Autokey for the encry
165. Example 3: The Headquarters sets up CS-500 as Gateway, Mail Server in DMZ Transparent Mode, so that the Branch office's employees can send mail via the Headquarters Mail Server. Preparation: WAN Port IP of CS-500: 61.11.11.11. STEP 1. Add the first setting in the Mail Relay function of Configure. Select Domain Name of Internal Mail Server. Domain Name of Mail Server: Enter the Domain Name. IP Address of Mail Server: Enter the IP address that the Mail Server's domain name is mapped to. STEP 2. Add the second setting in the Mail Relay function of Configure. Select Allowed External IP of Mail Relay. IP Address: Enter the IP address of the external sender. Enter the Netmask. Complete Mail Relay setting.
166. o add them to the Selected address list. Step 4. Remove members: Select names to be removed in the Selected Address list and click the << Remove button to remove these members from the Selected Address list. Step 5. Click OK to add the new group or click Cancel to discard changes.
Modifying a LAN Group: Step 1. In the LAN Group window, locate the network group desired to be modified and click its corresponding Modify option in the Configure field. Step 2. A window displaying the information of the selected group appears. Available address: lists names of all members of the LAN network. Selected address: lists names of members which have been assigned to this group. Step 3. Add members: Select names in the Available address list and click the Add >> button to add them to the Selected address list. Step 4. Remove members: Select names in the Selected address list and click the << Remove button to remove these members from the Selected address list. Click OK to save changes or click Cancel to discard changes.
167. Definition: Enable Anti-Spam: Select to enable the Anti-Spam function. The Mail Server is placed in Internal (LAN or DMZ) or External (WAN): Select to choose the location of the mail server. The threshold score of spam mail is: CS-500 allows the Administrator to decide the threshold to be the standard of judging the spam mail. Add the message to the subject line: If the mail has been judged to be spam mail, CS-500 will add a message in the mail's subject. You can configure the message you want; by default, it will add SPAM in the subject. Check spam fingerprint: Select to allow CS-500 to check spam mail with the Fingerprint system. Enable Bayesian filtering: Except to sele
168. Authentication Port: The port number used for the user login page. Generally, when a user wants to access the WAN network and the authentication Policy > Outgoing is enabled, the user only needs to open a web page and the User Login page will pop up. But if the user does not need to open the web page and also wants to access Internet resources such as FTP, then the user has to send an HTTP request with this port number, and CS-500 will send a User Login page for the user to input user name and password. For example, if the gateway IP address is 192.168.1.1 and the authentication port is 82, the user has to open a web browser and input http://192.168.1.1:82 in the address field to have the user login page. Re-Login if Idle: When the LAN users access the WAN network and do not use it for a while, the connection will time out. The user has to re-login again. The default time is 30 minutes. Re-Login after user login successfully: You can limit the access time for the LAN user; when time is up, the LAN user will need to re-login again. If
169. on IP: Select to record the statistic based on Destination IP address. Service: Select to record the statistic based on Service. Inbound Accounting Report: The statistics of downstream and upstream for all kinds of communication services; the Inbound Accounting Report will be shown when a WAN host connects to a LAN host via CS-500. Source IP: Select to record the statistic based on Source IP address. Destination IP: Select to record the statistic based on Destination IP address. Service: Select to record the statistic based on Service. The Administrator can use this Accounting Report to inquire the LAN IP users and WAN IP users, and to gather the statistics of Downstream/Upstream, First Packet/Last Packet/Duration and the service for all of the users' IPs that pass through CS-500.
4.8.2.2 Outbound
Click the Accounting Report function and then select Outbound. There are three options for the outbound accounting report: Source IP, Destination IP and Services.
170. Custom: Custom signatures allow users to create signatures according to their requirements, to detect and prevent internal and external attack behavior not included in the Pre-defined signatures. Definition: Name: The System Manager can name the signature. Protocol: Select the protocol to be detected and prevented; it can be TCP, UDP, ICMP or IP. Source Port: Configure the port number that is used to attack the PC. The range can be from 0 to 65535. Destination Port: Configure the port number on the client PC that is attacked. Risk: Define the threat of the attack packets. Action: Select Pass to pass the packets or select Drop to discard the packets. Log: Check the Log function to record the log in IDP Report. Content: Define the attack packets' content.
Use Pre-defined and Custom signature settings to detect and prevent attack behaviors. STEP 1. Enter the following setting in Setting of the Configure function.
171. onding Remove option in the Configure field. Step 2. A confirmation pop-up box will appear; click OK to remove the Host Table or click Cancel.
4.5.2.4 Blacklist
To determine the mail comes from specific mail address that will be filtered or restricted. Below is the information needed for setting up the Blacklist. Blacklist: Specify the key word or with wildcard for the Blacklist field. Direction: From: To judge the sending address of the mail. To: To judge the receiving address of the mail. Auto-Training: Select enable to allow the Auto-Training system updating the CS-500's database.
Adding a new Blacklist: Step 1. Click on the New Entry button and the Blacklist window will appear. Step 2. Fill in the appropriate settings for the related information. Step 3. Click OK to save the policy or Cancel to cancel.
Modifying a Blacklist: Step 1. In the Blacklist
172. Removing a WAN To DMZ Policy: Step 1. In the WAN To DMZ window, locate the name of the policy desired to be removed and click its corresponding Remove option in the Configure field. Step 2. In the Remove confirmation pop-up box, click OK to remove the policy.
4.4.4 DMZ To WAN & DMZ To LAN
This section describes steps to create policies for packets and services from DMZ networks to WAN networks. Please follow the same procedures for DMZ networks to LAN networks. Entering the DMZ To WAN window: Click DMZ To WAN under the Policy menu and the DMZ To WAN table appears, displaying currently defined DMZ To WAN policies
173. DMZ Interface: Display DMZ NAT Mode / DMZ TRANSPARENT Mode functions of DMZ to show if they are enabled or disabled. IP Address: The private IP address of the Content Security Gateway's DMZ interface. This will be the IP address of the DMZ port. If it is in NAT mode, the IP address the Administrator chooses will be a private IP address and cannot use the same network as the WAN or LAN network. NetMask: This will be the subnet mask of the DMZ network. Ping: Select this to allow the DMZ network to ping the IP address of the Content Security Gateway. This will allow people from the Internet to be able to ping the Content Security Gateway. If set to enable, the device will respond to echo request packets from the DMZ network. HTTP: Select this to allow the device WebUI to be accessed from the DMZ network. This will allow the WebUI to be configured from a user on the Internet. Keep in mind that the device always requires a username and password to enter the WebUI.
4.3 Policy Object
The Policy Object is the pre-setting item for Policy editing. The administrator can configure all necessary items here before he wants to configure the Content Security Gateway Policy. The contents include Address, Service, Schedule, QoS, Authentication, Content Blocking, Virtual Server and VPN.
4.3.1 Address
The Content Security Gateway allows t
174. packets to traverse a public or private internetwork with the security level of a direct private connection between two computers. Specify the tunnel endpoint for the IP Security rule: "This rule does not specify a tunnel" or "The tunnel endpoint is specified by this IP address": 210.66.155.30. Step 40: Select All network connections and click Next. [Screenshot: Security Rule Wizard, Network Type: All network connections, Local area network (LAN), Remote access] Step 41: Choose "Use this string to protect the key exchange (preshared key)" and enter the key 123456789. [Screenshot: Security Rule Wizard, Authentication Method] Step 42: Click Add. [Screenshot: Security Rule Wizard, IP Filter List]
175. pam mails that do not judge correctly and press the right key of the mouse and move to the folder. In Move WebUI, select SpamMail Folder and click OK. [Screenshot: Outlook Express, Move dialog with Local Folders list] STEP 3: Compress the SpamMail Folder in Outlook Express to shorten the data and upload it to the CS-500 for training. Select SpamMail Folder. Select the Compact function in the selection of the folder. [Screenshot: Outlook Express, SpamMail Folder]
176. parameters are set up when setting up control policies. Traffic logs record the details of packets, such as the start and stop time of the connection, the duration of the connection, the source address, the destination address and the services requested, for each control policy. Event logs record the contents of System Configuration changes made by the Administrator, such as the time of change, the settings that change, the IP address used to log on, etc. How to use the Log: The Administrator can use the log data to monitor and manage the device and the networks. The Administrator can view the logged data to evaluate and troubleshoot the network, such as pinpointing the source of traffic congestion. 4.8.1.1 Traffic. The Administrator queries the Content Security Gateway for information such as source address, destination address, start time and protocol port of all connections. Entering the Traffic Log window: Step 1: Click the Traffic option under the Log menu to enter the Traffic Log window. [Screenshot: Monitor > Log > Traffic]
177. port: The range of Client port in the defined service. If the port numbers entered in the two fields of Client port are different, the port numbers between these two numbers are opened. If the port numbers entered in the two fields of Client port are identical, the entered port number is opened. Service port: The range of Service port in the defined service. If the port numbers entered in the two fields of Service port are different, the port numbers between these two numbers are opened. If the port numbers entered in the two fields of Service port are identical, the entered port number is opened. Configure: Configure the settings in the Service table. Click Modify to change the parameters in the Service table. Click Remove to delete the selected setting. NOTE: In the Custom window, if one of the services has been added to a Policy or Group, the "In Use" message will appear in the Configure column. In this case you are not allowed to modify or remove the settings. Go to the Policy or Group window to delete the setting, and then you can configure the settings. Adding a new Service: In the Custom window, click the New Entry button and a new service table appears. In the new service table: New Service Name: This will be the name referencing the new service. Protocol: Enter the network protocol type to be used, such as TCP, UDP or Other (please enter the number for the protocol type). Client Port
178. port to set multiple subnet works and connect with the Internet through WAN IP addresses. Route Table: Use this function to enable the Administrator to add static routes for the networks when the dynamic route is not efficient enough. DHCP: The Administrator can configure DHCP (Dynamic Host Configuration Protocol) settings for the LAN network. Dynamic DNS: The Dynamic DNS (requires a Dynamic DNS Service) allows you to alias a dynamic IP address to a static hostname, allowing your device to be more easily accessed by a specific name. When this function is enabled, the IP address in the Dynamic DNS Server will be automatically updated with the new IP address provided by the ISP. Host Table: The Content Security Gateway Administrator may use the Host Table function to make the Content Security Gateway act as a DNS server for the LAN and DMZ networks. All DNS requests to a specific domain name will be routed to the Content Security Gateway's IP address. For example, let's say an organization has its mail server (i.e. mail.planet.com.tw) in the DMZ network (i.e. 192.168.10.10). The outside Internet world may access the mail server of the organization easily by its domain name, provided that the Administrator has set up the Virtual Server or Mapped IP settings correctly. However, for the users in the LAN network, their WAN DNS server will assign them a public IP address for the mail server. So for the LAN network to
179. ption and authentication or PPTP Server / Client setting. 2. Configure Tunnel for the information of the local and remote VPN device. 3. Configure an Incoming Policy Rule to combine VPN traffic with QoS, IDP and the other functions. 4.3.8.1 IPSec Autokey. This chapter describes the steps to create a VPN connection using Autokey IKE. Autokey IKE (Internet Key Exchange) provides a standard method to negotiate keys between two security gateways. For example, with two Content Security Gateway devices, IKE allows new keys to be generated after a set amount of time has passed or a certain threshold of traffic has been exchanged. Accessing the Autokey IKE window: Click IPSec Autokey under the VPN menu to enter the IPSec Autokey window. The IPSec Autokey table displays the currently configured VPNs. [Screenshot: Policy Object > VPN > IPSec Autokey] The fields in the IPSec Autokey window are: Name: The VPN name to identify the VPN tunnel definition. The name must be different for the two sites creating the tunnel. Gateway IP: The WAN interface IP address of the VPN gateway on the other side. IPSec Algorithm: Displays the algorithm. Configure: Modify and Delete. Adding the Autokey IKE: Step 1: Click the New Entry button and the VPN Auto Keyed Tunnel window will appear. It divides into two parts of th
180. r IP address mapped by the virtual server. Four computer IP addresses can be set at most, and the load can be maintained in balance by a round-robin algorithm. Step 3: Enter the IP address of the LAN network server(s) to which the virtual server will be mapped. Up to four IP addresses can be assigned. Step 4: Click OK to save the settings of the Virtual Server. NOTE: The services in the drop-down list are all defined in the Pre-defined and Custom sections of the Service menu. [Screenshot: Policy Object > Virtual Server > Server 1, Virtual Server Configuration] Adding New Virtual Server Service Configuration: Step 1: Select Virtual Server in the menu bar on the left-hand side, and then select the Server 1/2/3/4 sub-selections. Step 2: In the Server 1/2/3/4 window, click the New Entry button. Step 3: Enter the parameters in the Virtual Server Configuration column. [Screenshot: Policy Object > Virtual Server > Server 1, Virtual Server Configuration]
181. ration window will appear. [Screenshot: Policy Object > Virtual Server > Mapped IP] Definition: WAN IP: WAN IP address. Map to Virtual IP: The IP address which the WAN maps to in the virtual network of the server. Configure: To change the setting, click Configure to modify the parameters; click Delete to delete the setting. Adding a new IP Mapping: Step 1: In the Mapped IP window, click the New Entry button. The Add New Mapped IP window will appear. WAN IP: select the WAN public IP address to be mapped. Internal IP: enter the LAN private IP address that will be mapped 1-to-1 to the WAN IP address. Step 2: Click OK to add the new IP Mapping or click Cancel to cancel adding. [Screenshot: Policy Object > Virtual Server > Mapped IP, Add New Mapped IP] Modifying a Mapped IP: Step 1: In the Mapped IP table, locate the Mapped IP you want to modify and click its corresponding Modify option in the Configure field. Step 2: Enter settings in the Modify Mapped IP window. Step 3: Click
182. ream bandwidth [Screenshot: Interface > WAN, WAN Interface settings] Step 2: Configure the LAN host or WAN host IP address that needs to be filtered with the QoS feature. Be aware that the Netmask must be set to 255.255.255.255 if you only want to configure a single IP address. [Screenshot: Policy Object > Address > LAN, Add New Address] Step 3: Set up the QoS rule. [Screenshot: Policy Object > QoS > Setting]
183. Modifying the Authentication User: Step 1: In the Authentication window, locate the Auth User name you want to edit and click Modify in the Configure field. Step 2: The Modify Auth User Password window will appear. Enter the required information. Auth User: shows the original authentication user. Password: shows the original password. New Password: enter the new password. Confirm Password: enter the new password again. Step 3: Click OK to confirm the authentication user change or click Cancel to cancel it. [Screenshot: Policy Object > Authentication > Auth User, Modify Authentication User Password] Removing an Authentication User: Step 1: In the Authentication table, locate the Auth User name you want to edit and click the Remove option in the Configure field. Step 2: The Remove confirmation pop-up box will appear. Step 3: Click OK to remove that Authentication User or click Cancel to cancel. [Screenshot: Policy Object > Authentication > Auth User, Remove confirmation dialog]
184. rotocol type. Step 23: Enable Edit properties and click Finish. [Screenshot: IP Filter Wizard, Completing the IP filter wizard] Step 24: Do not enable Mirrored, and click OK. [Screenshot: Filter Properties, Addressing: source address a specific IP subnet, IP address 192.168.10.0; destination address My IP Address] Step 25: Click OK. [Screenshot: IP Filter List, name "Traffic in"] Step 26: Select Traffic in and click Next. [Screenshot: Security Rule Wizard, IP Filter List]
185. Step 3: In the To Destination table, choose Remote Gateway (Fixed IP or Domain Name) and enter the IP address to be connected. [Screenshot: To Destination, Remote Gateway 61.11.11.11] Step 4: In the Authentication Method table, enter the Preshared Key. [Screenshot: Authentication Method, Preshared Key] Step 5: In the Encapsulation or Authentication table, choose ISAKMP Algorithm. For communication via VPN, we choose 3DES for ENC Algorithm and MD5 for AUTH Algorithm, and select Group 1 to connect. [Screenshot: Encapsulation, ISAKMP Algorithm] Step 6: In the IPSec Algorithm table, choose Data Encryption + Authentication. We choose 3DES for ENC Algorithm and MD5 for AUTH Algorithm. [Screenshot: IPSec Algorithm] Step 7: Choose GROUP 1 as the Perfect Forward Secrecy setting, and leave the default settings of 28800 seconds for IPSec Lifetime and 3600 seconds for ISAKMP Lifetime. [Screenshot: Optional Item] Step 8: Select main mode as the algorithm. Step 9: Click OK to finish the IPSec Autokey setting of Company B. [Screenshot: Policy Object > VPN > IPSec Autokey]
186. [Screenshot: Policy Object > Address > LAN Group, Modify Address Group] Removing a LAN Group: Step 1: In the LAN Group window, locate the group to be removed and click its corresponding Remove option in the Configure field. Step 2: In the Remove confirmation pop-up box, click OK to remove the group or click Cancel to discard changes. [Screenshot: Policy Object > Address > LAN Group, Remove confirmation dialog] Entering the WAN window: Step 1: Click WAN under the Address menu to enter the WAN window. The current setting information, such as the name of the WAN network and the IP and Netmask addresses, will show on the screen. [Screenshot: Policy Object > Address > WAN] Definitions: Name: Name of the WAN network address. IP / Netmask: IP address / Netmask of the WAN network. Configure: Configure the settings of the WAN network. Click Modify to change the settings of WAN n
187. s Step 1: In the LAN window, locate the name of the network to be modified. Click the Modify option in its corresponding Configure field. The Modify Address window appears on the screen immediately. Step 2: In the Modify Address window, fill in the new addresses. Step 3: Click OK to save changes or click Cancel to discard changes. [Screenshot: Policy Object > Address > LAN, Modify Address] Removing a LAN Address: Step 1: In the LAN window, locate the name of the network to be removed. Click the Remove option in its corresponding Configure field. Step 2: In the Remove confirmation pop-up box, click OK to remove the address or click Cancel to discard changes. [Screenshot: Policy Object > Address > LAN, Remove confirmation dialog] 4.3.1.2 LAN Group. Entering the LAN Group window: The LAN Addresses may be combined
188. security rule must be applied to a network type. Select the network type: All network connections, Local area network (LAN), Remote access. Step 16: Choose "Use this string to protect the key exchange (preshared key)" and enter the key 123456789. [Screenshot: Security Rule Wizard, Authentication Method] Step 17: Click Add. [Screenshot: Security Rule Wizard, IP Filter List] Step 18: Enter the name of the IP filter and click Add. [Screenshot: IP Filter List, name "Traffic in"]
189. server service configuration. Configuring a Real IP for a Virtual Server: Step 1: Click an available virtual server from Server 1/2/3/4 in the Virtual Server menu bar to enter the virtual server configuration window. Step 2: Click the "click here to configure" button; the Add new Virtual Server IP window appears and asks for an IP address from the WAN network. Step 3: Select an IP address from the drop-down list of available WAN network IP addresses. Step 4: Click OK to add the new Virtual Server or click Cancel to cancel adding. [Screenshot: Policy Object > Virtual Server > Server 1, Add New Virtual Server IP] Modifying a Virtual Server IP Address: Step 1: Click the Server 1/2/3/4 to modify the configuration under the Virtual Server menu bar. A new window appears, displaying the IP address and service of the specified virtual server. Step 2: Click the Virtual Server's IP Address button at the top of the screen. Step 3: Choose a new IP address from the drop-down list. Step 4: Click OK to save the new IP address or click Cancel to discard changes. [Screenshot: Policy Object > Virtual Server > Server 1]
190. services. To add or modify these services, go to the Service menu. Refer to the section entitled Services for details. Schedule: Select the item listed in the schedule to enable the policy to automatically execute the function in a certain time and range. Tunnel: Select the specific VPN tunnel to enable the VPN traffic in the Policy rule. Action: Select Permit or Deny ALL from the drop-down list to allow or reject the packets travelling from the specified WAN network to the DMZ network. Traffic Log: Select Enable to enable flow monitoring. Statistics: Select Enable to enable flow statistics. IDP: Check to enable the IDP feature. Max Concurrent Sessions: The maximum number of concurrent sessions allowed to pass through the CS-500; 0 means unlimited. QoS: Select the item listed in the QoS to enable the policy to automatically execute the function in a certain time and range. NAT: Select Enable to replace the Internet user's IP address with the DMZ interface IP, in order to allow the Internet user to access DMZ resources if the DMZ server only allows access from the same IP subnet. Step 3: Click OK. Modifying a WAN To DMZ policy: Step 1: In the WAN To DMZ window, locate the name of the policy to be modified and click its corresponding Modify option in the Configure field. Step 2: In the Modify Policy window, fill in the new settings. Step 3: Click OK to save modificati
191. [Screenshot: Date/Time settings] 4.1.6 Multiple Subnet. NAT mode: Multiple Subnet allows the local port to set multiple subnet works and connect with the Internet through WAN IP addresses. For instance, the leased line of a company applies for several real IP addresses (168.85.88.0/24), and the company is divided into the R&D department, service department, sales department, procurement department and accounting department; the company can distinguish each department by a different subnet work for the purpose of convenient management. The settings are as follows: 1. R&D department sub-network: 192.168.1.11/24 (LAN) <-> 168.85.88.253 (WAN). 2. Service department sub-network: 192.168.2.11/24 (LAN) <-> 168.85.88.252 (WAN). 3. Sales department sub-network: 192.168.3.11/24 (LAN) <-> 168.85.88.251 (WAN). 4. Procurement department sub-network: 192.168.4.11/24 (LAN) <-> 168.85.88.250 (WAN). 5. Accounting department sub-network: 192.168.5.11/24 (LAN) <-> 168.85.88.249 (WAN). The first department (R&D department) was set while setting the interface IP; the other four have to be added in Multiple Subnet. After completing the settings, each department
192. stination table, fill in Company A's subnet IP and mask, 192.168.10.0 and 255.255.255.0 respectively. Step 12: In IPSec / PPTP Setting, select the VPN_B tunnel as the available tunnel. Step 13: Click OK to finish the Tunnel setting of Company B. [Screenshot: Policy Object > VPN > Tunnel] Step 14: If you want to configure a bi-directional VPN connection, you should enable the Tunnel setting in the Outgoing and Incoming Policy. [Screenshot: Policy > Outgoing] [Screenshot: Policy > Incoming] Example 4: Create a VPN connection between the Content Security Gateway and the PLANET VRT-311 VPN Router. Preparation Task: Company A: External IP is 210.66.155.90, Internal IP is 192.168.10.X. Company B: External IP is 210.66.155.92, Internal IP is 192.168.20.X. To allow Company A (192.168.10.100) to create a VPN connection with Company B (192.168.20.100) for downloading the shared file. The Gateway of Company A is 192.168.10.1. The settings of Company A are as follows: Step 1: Enter the default IP of Company A's Content Security Gateway, 192.168.10.1. Click VPN in the menu bar on the left-hand side, and then select the sub-selection IPSec Autokey. Click Add. Step 2: Enter the VPN name VP
193. stream and the statistic value of the connection from the LAN user to the WAN server. First Packet: The time record of the first packet that was sent to the WAN service server from the LAN user. Last Packet: The time record of the last packet sent from the WAN server and received by the LAN user. Duration: The time statistic record that starts from the first packet and ends at the last packet. Total Traffic: The CS-500 will record the sum of upstream and downstream packets from the LAN user to the WAN service server. NOTE: To correctly display the pie chart, please install the latest Java VM from http://www.java.com. 4.8.2.3 Inbound. Click the Accounting Report function and then select Inbound. There are three options for the Inbound accounting report: Source IP, Destination IP and Service. [Screenshot: Monitor > Accounting Report > Inbound] Inbound Sourc
194. sure your network meets the following requirements. Mechanical Requirements: The Content Security Gateway is to be installed between your Internet connection and local area network. The Content Security Gateway can be placed on a table or rack. Locate the unit near the power outlet. Electrical Requirements: The Content Security Gateway is a powered device, which means it will not work until it is powered. If your networked PCs need to transmit data all the time, consider using a UPS (Uninterrupted Power Supply) for your Content Security Gateway. It will protect you from network data loss. In some areas, installing a surge suppression device may also help to protect your Content Security Gateway from being damaged by an unregulated surge or current. Network Requirements: In order for the Content Security Gateway to secure your network traffic, the traffic must pass through the Content Security Gateway at a useful point in the network. In most situations, the Content Security Gateway should be placed behind the Internet connection device. 2.2 Operation Mode. The CS-500 DMZ port supports three operation modes: Disable, NAT and Transparent. In Disable mode, the DMZ port is not active. In Transparent mode, the CS-500 works as a proxy, forwarding DMZ packets to the WAN and WAN packets to the DMZ; the DMZ and WAN side IP addresses are in the same subnet. In NAT mode DMZ side user will share one pub
195. t the Tunnel entry in Policy rule for combining the further function. Entering the Tunnel window: Step 1: Select VPN > Tunnel. [Screenshot: Policy Object > VPN > Tunnel] Step 2: Configure the parameters. Adding a Tunnel: Step 1: Select VPN > Tunnel. Name: Specify the Tunnel name. This should be unique and cannot be the same as the name of the IPSec Autokey rule. Source Subnet: Specify the source LAN network subnet. Destination Subnet: Specify the destination LAN network subnet. IPSec / PPTP: Indicate the Tunnel type, IPSec or PPTP. Configure: Click Modify to modify the PPTP Client settings, Pause to stop the VPN tunnel, or Remove to remove the item. [Screenshot: Policy Object > VPN > Tunnel, New Entry Tunnel] Step 2: Configure the parameters. Name: Specify the Tunnel name
196. [Screenshot: Policy Object > Address > LAN] Definition: Name: Name of the LAN network address. IP / Netmask: IP address and subnet mask of the LAN network. MAC Address: MAC address corresponding to the LAN IP address. Configure: You can configure the settings in the LAN network. Click Modify to change the parameters in the LAN network. Click Remove to delete the settings. In the LAN window, if one of the members has been added to a Policy or LAN Group, the Configure column will show the message "In Use". In this case you are not allowed to modify or remove the setting. Adding a new LAN Address: Step 1: In the LAN window, click the New Entry button. Step 2: In the Add New Address window, enter the settings of a new LAN network address. Step 3: Click OK to add the specified LAN network or click Cancel to cancel the changes. [Screenshot: Policy Object > Address > LAN, Add New Address] If you want to enable the Get Static IP address from DHCP Server function, enter the MAC Address, then check Get Static IP address from DHCP Server. Modifying an LAN Addres
197. t Utility. Configuration of QoS: Click QoS in the menu bar on the left-hand side. [Screenshot: Policy Object > QoS > Setting] Definitions: Name: The name of the QoS you want to configure. WAN: Displays the WAN interface. Downstream Bandwidth: To configure the Guaranteed Bandwidth and Maximum Bandwidth. Upstream Bandwidth: To configure the Guaranteed Bandwidth and Maximum Bandwidth. Priority: To configure the priority of distributing Upstream / Downstream and unused bandwidth. Add New QoS: Step 1: Click QoS in the menu bar on the left-hand side. Step 2: Click the New Entry button to add a new QoS. [Screenshot: Policy Object > QoS > Setting, Add New QoS] Definition: Name: The name of the QoS you want to configure. Downstream Bandwidth: To configure the Guaranteed Bandwidth and Maximum Bandwidth. Upstream Bandwidth: To configure the Guaranteed Bandwidth and Maximum Bandwidth. QoS Priority: To configure the priority of distributing Upstream / Downstream and unused bandwidth. Click the OK button to add new Qo
198. tain time and range. Tunnel: Select the specific VPN tunnel to enable the VPN traffic in the Policy rule. Action: Select Permit or Deny ALL from the drop-down list to allow or reject the packets travelling between the source network and the destination network. Traffic Log: Select Enable to enable flow monitoring. Statistics: Select Enable to enable flow statistics. IDP: Check to enable the IDP feature. Content Blocking: Select Enable to enable Content Blocking. Max Concurrent Sessions: The maximum number of concurrent sessions allowed to pass through the CS-500; 0 means unlimited. QoS: Select the item listed in the QoS to enable the policy to automatically execute the function in a certain time and range. Click OK to add a new outgoing policy or click Cancel to cancel adding a new outgoing policy. Modifying an Outgoing policy: Step 1: In the Outgoing policy section, locate the name of the policy to be modified and click its corresponding Modify option under the Configure field. Step 2: In the Modify Policy window, fill in the new settings. NOTE: To change or add selections in the drop-down list for source or destination address, go to the section where the selections are set up (Source Address > LAN of the Address menu; Destination Address > WAN of the Address menu; Service > Pre-defined, Custom or Group under Service). Step 3: Click OK to confirm the modification or click Cancel to cancel it.
199. tep 2 Goto LOG gt Log Backup Check to enable Log Mail Support Click OK System Settings Enable Syslog Message Step 1 Check to enable Syslog Message Enter the Host IP Address and Host Port number to receive the Syslog message Step 2 Click OK E System Log Mail Configuration O Enable Log Mail Support Policy Object When Log Full 300Kbytes Content Security Gateway Appliance sends Log You must enable the E mail Alarm E Mail Security E Anti Attack Syslog Setting Enable Syslog Messages Syslog Host IP Address 192168110 ex 192 168 1 61 Traffic Syslog Host Port 514 ex 514 Event Connection OK f Cancel Log Backup i o Disable Log Mail Support 8 Syslog Message Step 1 GotoLOG gt Log Backup Uncheck to disable Log Mail Support Click OK Step 2 GotoLOG gt Log Backup Uncheck to disable Settings Message Click OK 4 8 2 Accounting Report Accounting Report can be divided into three parts Setting Outbound and Inbound 198 Content Security Gateway User s Manual 4 8 2 1 Setting Select Setting to configure what type of Accounting Report will be logged at CS 500 There are three types of report can be select Source IP Destination IP and Service Outbound Accounting Report the statistics of the downstream and upstream for the LAN WAN and all kinds of communication services Source IP Select to record the statistic based on Source IP address Destinati
200. ter the hostname here. If not required by your ISP, you do not have to enter a hostname. Domain Name: You can specify your own domain name or leave it blank. User Name: The user name is provided by the ISP. Password: The password is provided by the ISP. Max Upstream/Downstream Bandwidth: The bandwidth provided by the ISP. Ping: Select this to allow the WAN network to ping the IP address of the Content Security Gateway. This will allow people from the Internet to ping the Content Security Gateway. If set to enable, the device will respond to echo request packets from the WAN network. HTTP: Select this to allow the device WebUI to be accessed from the WAN network. This will allow the WebUI to be configured by a user on the Internet. Keep in mind that the device always requires a username and password to enter the WebUI. [Screenshot: Interface > WAN settings page] For Static IP Address: This option is for users who are assigned a static IP address from their ISP. Your ISP w
201. ters IP Security rules IP Filter List Authentication Tu O lt 0 amic Default Response kerberos Remove IW Use Add Wizard 119 Content Security Gateway User s Manual Step 13 Click next Security Rule Wizard Welcome to the Create IP Security Rule Wizard A security le governs How and when security is invoked based upon entera such as the source destination and type of IP traffic in the security rule s IF filter ist A security rule contains a collection of security actions that are activated when a communication matches the criteria in the IF filter list Security actions IF tunneling attributes Authentication methods Filter actions To continue click Next oe Step 14 Enter the WAN IP of Remote user 210 66 155 91 security Rule Wizard Tunnel Endpoint The tunnel endpoint i the tunneling computer closest to the IF traffic destination as specified by the security rule s IP filter list An 1PSec tunnel allows packets to traverse a public or private internetiwwork with the security level of a direct private connection between two computers Specify the tunnel endpoint for the IF Security rule This rule does not specify a tunnel The tunnel endpoint is specified by this IP address 210 66 155 91 Comes 120 Content Security Gateway User s Manual Step 15 click all network connections security Rule Wizard Network Type The
202. the DNS name e g example microsoft com A C Another computer Step 6 Finish the setting of Add jm Console1 Console RootWP Security Policies on Local Computer Na File Action View Favorites Window Help l x e gt am 2 ae C Console Root Name eseription Policy Assigned 2 IP Security Policies on Local Compute 24 client Respond Only Communicate normally unsecured Use the default response rule to negotiat No BA secure Server Require Security For all IP traffic always require security using Kerberos trust Do NOT allow u No EA server Request Security For all IP traffic always request security using Kerberos trust Allow unsecur No lt tay Eng FW400 Manual im Console Console Qs O E 6 31PM 116 Content Security Gateway User s Manual Step 7 Click the right button of mouse in IP Security Policies on Local Machine and choose Create IP Security Policy C option it Console File Action View Favorites Window Help e 182 iti Console Root MEA console Rot 3 IP Security Po Manage IF Filter lists and filter actions All Tasks New Window From Here Refresh Help lt iit Create an IP Security policy Step 8 Click Next IP Security Policy Wizard Welcome to the IP Security policy wizard This wizard helps You create an IF Security policy You will specify the level of security to use when communicating with
203. the SMB or SOHO users. 1.1 Features. Anti-Spam Filtering: Multiple defense layers (Head Analysis, Text Analysis, Blacklist & Whitelist, Bayesian Filtering and Heuristics Analysis) to block over 95% spam mail. Customizable notification options and spam mail report are provided for the administrator. Varied actions toward spam mail include Delete, Deliver and Forward. Built-in auto-training system to raise the identification rate of spam mail substantially. Anti-Virus Protection: Built-in Clam virus scan engine can detect viruses, worms and other threats from email transfer. Scans mission-critical content protocols (SMTP, POP) in real time as traffic enters the network to provide maximum protection. Customizable notification options and virus mail report are provided for the administrator. Varied actions toward spam mail include Delete, Deliver and Forward. Policy-based Firewall: The built-in policy-based firewall prevents many known hacker attacks, including SYN attack, ICMP flood, UDP flood, Ping of Death, etc. The access control function allows only specified WAN or LAN users to use only allowed network services at specified times. VPN Connectivity: The security gateway supports PPTP server/client and IPSec VPN. With DES, 3DES and AES encryption and SHA-1/MD5 authentication, the network traffic over the public Internet is secured. Content Filtering: The security gateway can block network connection based on URLs, Scripts, The Pop-up, Java Applet, cooki
204. the time setting sets to 0 that means unlimited Select Disallow Re login if the auth user has login will disable this feature URL to redirect when authentication succeed You can set up the default webpage to force user to access it first when user passes the authentication Messages to display when user login You can specify a message to display at user s login page when user passes the authentication 4 3 5 2 Auth User Click Authentication in the menu bar on the left hand side and click Auth User 71 Content Security Gateway User s Manual PLANET Policy Object gt Authentication gt Auth User System Authentication User Name Interface f New User 7 Address Service Schedule 7 QoS Authentication Auth Setting Auth User Auth Group RADIUS POP3 Content Blocking Definitions Name The name of the Authentication you want to configure Configure modify settings or remove users Adding a new Auth User Step 1 In the Authentication window click the New User button to create a new Auth User Step 2 In the Auth User window m Auth User Name enter the username of new Authentication m Password enter a password for the new Authentication E Confirm Password enter the password again Step 3 Click OK to add the user or click Cancel to cancel the addition PLANET i Matweerlilng d emrys Policy Object gt Authentication gt Auth User E
205. thm IPSec Algorithm Data Enc ryption Authentication ENC Algorithm AUTH Algorithm Authentication nly Step 7 Choose GROUP 1 as the Perfect Forward Secrecy setting and leave the default setting with 28800 seconds in IPSec Lifetime and 3600 seconds for ISAKMP Lifetime Optional Item Perfect Forward Secrecy GROUP 4 ISAKMP Lifetime 3600 Seconds IPSec Lifetime 25500 Seconds Step 8 Select main mode as the algorithm Step 9 Click OK to finish the IPSec Aotukey setting of Company A 106 Content Security Gateway User s Manual Policy Object YPN IPSec Autokey pif Name Gateway IP IPSec Algorithm Configure eee SDES MD Step 10 Click Tunnel and press New Entry to configure the further setting Step 11 Enter Site Aas the new tunnel name and select LAN interface as the VPN source Fill LAN IP subnet 192 168 10 0 with subnet mask IP 255 255 255 0 Mew Entry Tunnel From Source Ocvan imz From Source Subnet Mask 192 165 10 0 7 255 255 255 0 Step 12 In To Destination table fill company B s subnet IP and mask 192 168 20 0 and 255 255 255 0 respectively To Destination Oo To Destination Subnet Maszk 192 165 20 0 I 255 255 255 0 Remote Client Step 13 In IPSec PPTP Setting select VPN_A as the available tunnel IPsec PPTP Setting VPA A Mw Step 14 Fill company B s gateway IP 192 168 20 1 in Keep alive IP to keep VPN tunnel connect
206. tication User Name E Interface EXE 200516129 8 24 12 F Policy Object E Mail Security E Anti Attack Statistics Status Interface Authentication ARP Table DHCP Clients IP Address The IP address of the host computer Auth User Name The Auth User Name of that host computer Login time The Auth User login in time 4 8 4 3 ARP Table Entering the ARP Table window Click on Status in the menu bar then click ARP Table below it A window will appear displaying a table with IP addresses and their corresponding MAC addresses For each computer on the LAN WAN and DMZ network that replies to an ARP packet the device will list them in this ARP table 209 Content Security Gateway User s Manual A O O IP Address MAC Address 210 66 155 94 00 A0 C5 11 89 C9 E System Policy Log Alarm 7 Statistics TN i ie HIJ PIS 2 2 3 dl ME A D un 2 F ow ola Qin m alz JZ cl E mi e a Interface Authentication ARP Table DHCP Clients IP Address The IP address of the host computer MAC Address The MAC address of that host computer Interface The port that the host computer is connected to LAN WAN DMZ 4 8 4 4 DHCP Clients Entering the DHCP Clients window Click on Status in the menu bar then click on DHCP Clients below it A window will appear displaying the table of DHCP clients that are connected to the device The tabl
207. together to become a group Step 1 Click LAN Group under the Address menu to enter the LAN Group window The current setting information for the LAN network group appears on the screen PLANET Wrong amp Corra Policy Object Address LAN Group F System Now Entry f s LAM e LAN Group E amp a WAN BAAM Group Definitions Name Name of the LAN group Member Members of the group Configure Configure the settings of LAN group Click Modify to change the settings of LAN group Click Remove to delete the group In the LAN Group window if one of the LAN Group has been added to Policy the Configure column will show the message In Use In this case you are not allowed to modify or remove the LAN group Configure You have to delete or pause the Group in Policy window and then you are allowed to configure the LAN 46 Content Security Gateway User s Manual Group Source Destination Action Configure Move Adding a LAN Group Step 1 In the LAN Group window click the New Entry button to enter the Add New Address Group window Step 2 Inthe Add New Address Group window Available address list the names of all the members of the LAN network Selected address list the names to be assigned to the new group Name enter the name of the new group in the open field Step 3 Add members Select names to be added in Available address list and click the Add gt gt button t
208. try Outgoing Incoming Step 2 The fields of the Incoming window are NH Source Source networks which are specified in the WAN section of the Address menu or all the WAN network addresses E Destination Destination networks which are IP Mapping addresses or Virtual server network addresses created in Virtual Server menu E Service Services supported by Virtual Servers or Mapped IP E Action Control actions to permit or deny packets from WAN networks to Virtual Server Mapped IP travelling through the device Option Specify the monitoring functions on packets from WAN networks to Virtual Server Mapped IP travelling through the Content Security Gateway E Configure Modify settings or remove incoming policy E Move This sets the sequence of the policies number 1 being the first policy to proceed Adding an Incoming Policy Step 1 Under Incoming of the Policy menu click the New Entry button PLANET Hanning amp Cora ation Policy Incoming E E Interface Comment E Max 32 characters Y Policy Object Add New Policy Ane Outside_Any MI Outgoing Destination Address Er LAN To OMZ OM To WAN None il a JE Statistics M Enable E honitor MAX Concurrent Sessions Range 1 99999 0 means unlimited 4 Step 2 Configure the parameters 157 Content Security Gateway User s Manual Source Address Select names of the WAN networks from the
209. tted IPs Add Mew Permitted IPs Administration s Admin Permitted IPs IP Address deis Configure 192 168 4110 255255255255 v Fing HTTP SErvice MEIEN Cancel F Policy Object Modify Permitted IPs Address ua E Step 1 In the table of Permitted IPs highlight the IP you want to modify and then click Modify Step 2 In Modify Permitted IPs enter new IP address Step 3 Click OK to modify or click Cancel to discard changes PLANET Hateceing amp Comercio System Administration Permitted IPs a Modity Permitted IPs Permitted IPs IP Address 182468110 Sofware Update an 255 255 255 255 Service Configure za Ul Ping EA HTTP nterface OK l Cancel F Policy Object Remove Permitted IPs Addresses Step 1 Inthe table of Permitted IPs highlight the IP you want to remove and then click Remove Step 2 Inthe confirm window click OK to remove or click Cancel to discard changes 15 Content Security Gateway User s Manual s Milly dido 3 System Administration Permitted IPs Mame IF Address Netmask Administration AA 192 768 1710 1255255 255 255 Permitted IPs Software Update E Interface Microsoft Internet Explorer 2 re you sure You want to remove 4 1 3 Software Update Under Software Update the admin may update the device s software with a newer software You may a
210. ual server has set the real IP address of the Content Security Gateway's WAN network interface to be the Virtual Server IP. Through the virtual server feature, the Content Security Gateway translates the virtual server's IP address into the private IP address of a physical server in the LAN network. When outside users on the Internet request connections to the virtual server, the request will be forwarded to the private LAN server. Virtual Server has another feature known as one-to-many mapping: one virtual server IP address on the WAN interface can be mapped to 4 LAN network server private IP addresses. This option is useful for load balancing, which causes the virtual server to distribute data packets to each of the private IP addresses, which are the real servers. By sending all data packets to all similar servers, this increases the server's efficiency, reduces risks of server crashes and enhances servers' stability. How to use Virtual Server and Mapped IP: Virtual Server and Mapped IP are part of the IP mapping scheme, also called DMZ (De-Militarization Zone). By applying the incoming policies, Virtual Server and IP mapping work similarly. They map real IP addresses to the physical servers' private IP addresses, which is the opposite of NAT, but there are still some differences: Virtual Server can map one real IP to several LAN physical servers, while Mapped IP can only map one real IP to one LAN physical server (1-to-1 mapping)
211. ut Administration: Admin has control of user access to the Content Security Gateway. He/she can add/remove users and change passwords. Permitted IPs: Enables the Administrator to authorize specific internal/external IP address(es) for managing the gateway. Software Update: The administrator can update the device's software with the latest version. Administrators may visit the distributor's web site to download the latest firmware. Administrators may update the device firmware to optimize its performance and keep up with the latest fixes for intruding attacks. Configure Setting: The Administrator may use this function to back up Content Security Gateway configurations and export (save) them to an Administrator computer or anywhere on the network, or restore a configuration file to the device, or restore the Content Security Gateway back to default factory settings. Under Setting, the Administrator may enable e-mail alert notification. This will alert the Administrator(s) automatically whenever the Content Security Gateway has experienced unauthorized access or a network hit (hacking or flooding). Once enabled, an IP address of an SMTP (Simple Mail Transfer Protocol) server is required. Up to two e-mail addresses can be entered for the alert notifications. Date/Time: This function enables the Content Security Gateway to be synchronized either with an Internet server time or with the client computer's clock. Multiple Subnet: This function allows local
212. ve iW Accept unsecured communication but always respond using IPSec Allow unsecured communication with non lPSec aware computer M Session key perfect forward secrecy PFS Step 54 Select Security and click next Security Rule Wizard Filter Action Select the filter action for this security rule F no filter actions in the following list matches Your needs click Add to create a new one Select Use Add Wizard to create a filter action using the wizard Filter Actions W Use Add Wizard Mame Description Ada O Permit Permit unsecured IP packets t Request Security Optional Accepts unsecured communi Edit O Require Security Accepts unsecured communi a Security 140 Content Security Gateway User s Manual Step 55 Please don t enable Edit properties and click finish security Rule Wizard Completing the New Rule Wizard fou have successfully completed specitying the properties for your new rule To edit pour security role now select the Edit properties check box and then click Finish To close this wizard click Finish Step 56 Click apply first and then click ok IPSec Properties Rules General Security rules for communicating with other computers IF Security rules Authentication Tu Traffic out Security Preshared Kep Trathic iri Security Preshared Kep O lt Dynamic Default Response kerberos gt Add Edit Remove W Use Add
213. ver E System PPTP Server Disable 1 Client IP Range 192 238 6 1 254 Modify al J a User Mame Client IP Configure al f New Entry ad ad ad Zj PSec Autokey FPTP Sever E PPTP Client Tunnel PPTP Server Click Modify to select Enable or Disable Client IP Range Display the IP addresses range for PPTP Client connection User Namel Displays the PPTP Client user s name for authentication Client IP Displays the PPTP Client s IP address for authentication Uptime Displays the connection time between PPTP Server and Client Configure Click Modify to modify the PPTP Client settings or click Remove to remove the item Modifying PPTP Server Design Step 1 Select VPN gt PPTP Server Step 2 Click Modify after the Client IP Range Step 3 Inthe Modify Server Design Window enter appropriate settings 97 PR PSec Autokey E Pele Seal Step 4 Content Security Gateway User s Manual Policy Object gt VPM PPTP Server hodity Server Design Disable PPTP Enable PPTF Encryption Client IP Range 19223861 254 Allow remote client ta connect to Internet Auto Disconnect if idle ios Range 0 999999 0 means always connected Echo Fequest Retry a A Timeout Second Retry Range O 9 0 means disable Timeout Range 1 60 1 Disable PPTP Check to disable PPTP Server Enable PPTP Check to enable PPTP Server Encryption the default is set to
214. ver 2 LAN interface Client IP Address Range 1 Enter the starting and the ending IP address dynamically assigning to DHCP clients Client IP Address Range 2 Enter the starting and the ending IP address dynamically assigning to DHCP clients Optional DMZ interface Client IP Address Range 1 Enter the starting and the ending IP address dynamically assigning to DHCP clients Client IP Address Range 2 Enter the starting and the ending IP address dynamically assigning to DHCP clients Optional Leased Time Enter the leased time for DHCP Step 2 Click OK to enable DHCP support 4 1 9 Dynamic DNS The Dynamic DNS require Dynamic DNS Service allows you to alias a dynamic IP address to a static hostname allowing your device to be more easily accessed by specific name When this function is enabled the IP address in Dynamic DNS Server will be automatically updated with the new IP address provided by ISP 31 Content Security Gateway User s Manual PLANET ati A ora piia system Configure Dynamic ONS Setting Date Time S Multiple Subnet Route Table DHCP Dynamic DNS E E Host Table Comain Marne Configure Click Dynamic DNS in the System menu to enter Dynamic DNS window The icons in Dynamic DNS window Update Status F Connecting Update succeed Update fail Unidentified error Domain name Enter the password provided by ISP WAN IP Address IP address of the WAN port Con
215. vices and applications are able to pass through the Content Security Gateway. What is Policy? The device uses policies to filter packets. The policy settings are: source address, destination address, services, permission, packet log, packet statistics, and flow alarm. Based on its source addresses, a packet can be categorized into: 1. Outgoing: a client is in the LAN networks while a server is in the WAN networks. 2. Incoming: a client is in the WAN networks while a server is in the LAN networks. 3. To DMZ: a client is either in the LAN networks or in the WAN networks while the server is in DMZ. 4. From DMZ: a client is in DMZ while the server is either in the LAN networks or in the WAN networks. How do I use Policy? The policy settings are source addresses, destination addresses, services, permission, log, statistics, and flow alarm. Among them, source addresses, destination addresses and IP mapping addresses have to be defined in the Address menu in advance. Services can be used directly in setting up policies if they are in the Pre-defined Service menu. Custom services need to be defined in the Custom menu before they can be used in the policy settings. If the destination address of an incoming policy is a Mapped IP address or a Virtual Server address, then the address has to be defined in the Virtual Server section instead of the Address section. Policy Directions. Step 1: In Address, set names and addresses of source networks
216. y E Mail Security Removing Auth Group Content Security Gateway User s Manual Policy Object gt Authentication gt Auth Group Modify Authentication User lt Available Authentication ser gt lt Selected Authentication User gt planet planet Radius User POP User Remove OK l f Cancel Step 1 In the Auth Group window locate the Auth Group to be removed and click its corresponding Remove option in the Configure field Step 2 In the Remove confirmation pop up box click OK to remove the selected service group or click Cancel to cancel removing PLANET i Hamoriing amp Comoras glipa F System Address Service Schedule QoS Authentication T E J m iii m Mm Auth Setting Auth User Auth Group RADIUS TIT Leg ES Policy Object gt Authentication gt Auth Group Pame Member Radius POP3 em e A fF New Entry Configre Microsoft Internet Explorer EJ 2 re you sure you Want to remove 4 3 5 4 Radius Serve Click Authentication on the left side menu bar then click Radius Server below it The following window is shown iff Content Security Gateway User s Manual Metodos amp Commence Policy Object gt Authentication gt RADIUS RADIUS Server Enable RADIUS Server Authentication RADIUS Server IP RADIUS Server Port 1612 Shared Secret id
217. y to enable the IDP function PLANET Ketecriing amp Compa plia Policy Outgoing F System Comment hModife Policy F Policy Object Inside_Any e saa Outside_Any Incoming AMY k amp WAN To DMZ oe mU LAM To OM ace F s OMZ To AN DMZ To LAN ore _ E Mail Security PERMIT ALL vi L F Anomaly Flow IF d o Mone Content Security Gateway User s Manual 4 6 3 IDP Report CS 500 can make intrusion detection and prevention record to a Log report and allow administrator to know the network security status for the overall network STEP 1 In Log of IDP Report function it will display the situation about intrusion detection and prevention of CS 500 PLANET Maori d Comercio IDF IDF Report Log E System E Interface signature Class terface Attack IP Victim IP Port Action E tail Security IDF Report L Log Icon Definition High Risk Medium Risk 4 7 Anomaly Flow IP The Administrator can enable the device s auto detect functions for Anomaly Flow IP attacking the local network When abnormal conditions occur CS 500 will send an e mail alert to notify the Administrator and also display warning messages in the Virus infected IP window PLANET Anomaly Flow IF Setting E System Birner Anomaly Flow IF Setting F Policy Object The threshold sessions of anomaly flows per source IP is 30 Sessions Sec Enable Anomaly
218. you can disable the DMZ port make DMZ port transparent to WAN or enable NAT function on it To configure the DMZ port select the Interface tab on the left menu then click on DMZ the following page is shown PLANET O Ating amp Cores lic Interface DMZ IF Address Metmask eli O Ping O arte Cancel E Anama y 3 4 Configure Policy STEP 1 Click on the Policy tab from the main function menu and then click on Outgoing LAN to WAN from the sub function list STEP 2 Click on New Entry button STEP 3 When the New Entry option appears enter the following configuration Source Address select Inside_Any Content Security Gateway User s Manual Destination Address select Outside_Any Service select ANY Action select Permit Click on OK to apply the changes PLANET Hatworting amp Comm aioe Policy Outgoing comment OO O Modity Policy Source Address Inside Any e Outgoing Destination Address Outside Any v e Schedule ALtnenticaton Uze ka DMF To WAN EMC AION F one DMZ To LAN Incoming Service E Wail Security PERMIT 8 HE Traffic Log M Enable d Enable E Anomaly Flow IF Statistics Content Blocking M Enable MAX Concurrent Sessions eee 0 means unlimited ES y FC OK if Cancel STEP 4 The configuration is successful when the screen below is displayed PLANET
