manualshive.com logo in svg

Planet Content Security Gateway CS-500, User Manual

Share
Download
Planet Content Security Gateway CS-500 User Manual Download Page 193

Content Security Gateway User’s Manual 

2. Click 

OK

3. 

High Risk

: Select drop and log function. 

4. 

Medium Risk

: Select drop and log function. 

5. 

Low Risk

: Select pass and log function. 

6. Click 

OK

7. Enable 

IDP

 function in policy. 

 

‹

  When the attack behavior matches the signature, CS-500 will produce log as follows in 

Log

 

function of 

IDP Report.

 

 

 

4.6.2 Signature 

Provide relative compare rule to different attack behavior, include three sections: 

Anomaly,

 

Pre-defined

 and 

Custom

 

Anomaly: 

Anomaly

 signature can allow user to define the signature, in order to detect and prevent the irregular attack 

behavior. Take 

Syn Flood

 as the example: 

Definition: 

Enable: 

Check to enable the protection for Syn Flood signature. 

 

 

 

 

- 188 -

Summary of Contents for Content Security Gateway CS-500

Page 1: ...Content Security Gateway User s Manual Content Security Gateway CS 500 User s Manual ...

Page 2: ...he part of PLANET PLANET assumes no responsibility for any inaccuracies that may be contained in this User s Manual PLANET makes no commitment to update or keep current the information in this User s Manual and reserves the right to make improvements to this User s Manual and or to the products described in this User s Manual at any time without notice If you find information in this manual that i...

Page 3: ...de Connection Example 5 2 2 2 NAT Mode Connecting Example 6 CHAPTER 3 GETTING STARTED 7 3 1 WEB CONFIGURATION 7 3 2 CONFIGURE WAN INTERFACE 8 3 3 CONFIGURE DMZ INTERFACE 9 3 4 CONFIGURE POLICY 9 CHAPTER 4 WEB CONFIGURATION 11 4 1 SYSTEM 11 4 1 1 Admin 12 4 1 2 Permitted IPs 14 4 1 3 Software Update 16 4 1 4 Setting 16 4 1 5 Date Time 22 4 1 6 Multiple Subnet 23 4 1 7 Route Table 28 4 1 8 DHCP 30 4...

Page 4: ...ion 70 4 3 5 1 Auth Setting 70 4 3 5 2 Auth User 71 4 3 5 3 Auth Group 75 4 3 5 4 Radius Serve 77 4 3 5 5 POP3 78 4 3 6 Content Blocking 79 4 3 6 1 URL Blocking 79 4 3 6 2 Scripts 81 4 3 6 3 P2P 82 4 3 6 4 IM 83 4 3 6 5 Download 83 4 3 6 6 Upload 84 4 3 7 Virtual Server 84 4 3 7 1 Mapped IP 85 4 3 7 2 Virtual Server 88 4 3 8 VPN 94 4 3 8 1 IPSec Autokey 94 4 3 8 2 PPTP Server 97 4 3 8 3 PPTP Clien...

Page 5: ...irus Mail 187 4 6 IDP 187 4 6 1 Setting 187 4 6 2 Signature 188 4 6 3 IDP Report 192 4 7 ANOMALY FLOW IP 192 4 8 MONITOR 193 4 8 1 Log 193 4 8 1 1 Traffic 193 4 8 1 2 Event 195 4 8 1 3 Connection 196 4 8 1 4 Log Backup 197 4 8 2 Accounting Report 198 4 8 2 1 Setting 199 4 8 2 2 Outbound 199 4 8 2 3 Inbound 202 4 8 3 Statistic 205 4 8 3 1 WAN Statistics 206 4 8 3 2 Policy Statistics 206 4 8 4 Statu...

Page 6: ...nd Forward Built in auto training system to rise identify rate of spam mail substantially Anti Virus Protection Built in Clam virus scan engine can detect viruses worms and other threats from email transfer Scan mission critical content protocols SMTP POP in real time as traffic enters the network to provide maximum protection Customizable notification options and virus mail report are provided fo...

Page 7: ...teway Front View CS 500 Front Panel LED Description PWR Power is supplied to this device STATUS Blinks to indicate this devise is being turned on and booting After one minute this LED indicator will stop blinking it means this device is now ready to use WAN LAN DMZ Steady on indicates the port is connected to other network device Blink to indicates there is traffic on the port 1 4 Content Security...

Page 8: ...3DES Throughput 15Mbps Firewall Policy based firewall rule with schedule NAT NAPT SPI firewall VPN Tunnels 200 VPN Function PPTP server and client IPSec DES 3DES and AES encryption SHA 1 and MD5 authentication algorithm Remote access VPN client to Site and Site to Site VPN Content Filtering URL P2P application Instant Message download upload blocking Popup Java Applet cookies and Active X blocking...

Page 9: ...ment Guaranteed and maximum bandwidth Scheduled in unit of 30 minutes 3 Priorities User Authentication Built in user database with up to 500 entries Support local database RADIUS and POP3 authentication Logs Log and alarm for event and traffic Log can be saved from web sent by e mail or send to syslog server Statistics Traffic statistics for WAN interface and policies Graphic display Others Dynami...

Page 10: ...t your Content Security Gateway from being damaged by unregulated surge or current to the Content Security Gateway Network Requirements In order for Content Security Gateway to secure your network traffic the traffic must pass through Content Security Gateway at a useful point in a network In most situations the Content Security Gateway should be placed behind the Internet connection device 2 2 Op...

Page 11: ... do not want to change any IP configuration on the subnet 2 2 2 NAT Mode Connecting Example Internet ADSL Modem CS 500 WAN 61 11 11 11 LAN PC 1 192 168 1 2 LAN PC 2 192 168 1 3 DMZ PC 3 192 168 2 2 DMZ PC 2 192 168 2 3 DMZ NAT 192 168 2 1 LAN 192 168 1 1 ISP DMZ and WAN IP addresses are on the different subnet This provides higher security level then transparent mode 6 ...

Page 12: ...en the Administrator must change his her PC IP address to be within the same range of the LAN subnet i e 172 16 0 2 Reboot the PC if necessary By default the Content Security Gateway is shipped with its DHCP Server function enabled This means the client computers on the LAN network including the Administrator PC can set their TCP IP settings to automatically obtain an IP address from the Content S...

Page 13: ...ss Cable Modem User This option is for users who are automatically assigned an IP address by their ISP such as cable modem users The following fields apply MAC Address This is the MAC Address of the device Some ISPs require specified MAC address If the required MAC address is your PC s click Clone MAC Address Hostname This will be the name assign to the device Some cable modem ISP assign a specifi...

Page 14: ...PPoE connection to disconnect at all Ping Select this to allow the WAN network to ping the IP Address of the Content Security Gateway This will allow people from the Internet to be able to ping the Content Security Gateway If set to enable the device will respond to echo request packets from the WAN network WebUI Select this to allow the device WEBUI to be accessed from the WAN network This will a...

Page 15: ...below is displayed Please make sure that all the computers that are connected to the LAN port have their Default Gateway IP Address set to the Content Security Gateway s LAN IP Address i e 192 168 1 1 At this point all the computers on the LAN network should gain access to the Internet immediately If a Content Security Gateway filter function is required please refer to the Policy section in chapt...

Page 16: ...re Update The administrator can update the device s software with the latest version Administrators may visit distributor s web site to download the latest firmware Administrators may update the device firmware to optimize its performance and keep up with the latest fixes for intruding attacks Configure Setting The Administrator may use this function to backup Content Security Gateway configuratio...

Page 17: ...me providing that the Administrator has set up Virtual Server or Mapped IP settings correctly However for the users in the LAN network their WAN DNS server will assign them a public IP address for the mail server So for the LAN network to access the mail server mail planet com tw they would have to go out to the Internet then come back through the Content Security Gateway to access the mail server...

Page 18: ... Sub Admin password and click Remove to delete a Sub Admin Changing the Main Sub Admin s Password Step 1 The Modify Admin Password window will appear Enter in the required information Password enter original password New Password enter new password Confirm Password enter the new password again Step 2 Click OK to confirm password change or click Cancel to cancel it Adding a new Sub Admin Step 1 In ...

Page 19: ...e Admin name you want to edit and click on the Remove option in the Configure field Step 2 The Remove confirmation pop up box will appear Click OK to remove that Sub Admin or click Cancel to cancel 4 1 2 Permitted IPs Only the authorized IP address is permitted to manage the Content Security Gateway ÍÍ 14 ...

Page 20: ...his item Web User can use HTTP to connect to the Setting window of Content Security Gateway Step 3 Click OK to add Permitted IP or click Cancel to discard changes Modify Permitted IPs Address Step 1 In the table of Permitted IPs highlight the IP you want to modify and then click Modify Step 2 In Modify Permitted IPs enter new IP address Step 3 Click OK to modify or click Cancel to discard changes ...

Page 21: ...re Step 2 Click OK to update software ÍÍ NOTE It takes three minutes to update the software The system will restart automatically after updating the software 4 1 4 Setting The Administrator may use this function to backup Content Security Gateway configurations and export save them to an Administrator computer or anywhere on the network or restore a configuration file to the device or restore the ...

Page 22: ...gs Step 1 Under Backup Restore Configuration click on the Download button next to Export System Settings to Client Step 2 When the File Download pop up window appears choose the destination place to save the exported file The Administrator may choose to rename the file if preferred 17 ...

Page 23: ...File pop up window appears select the file which contains the saved Content Security Gateway Settings then click OK Click OK to import the file into the Content Security Gateway or click Cancel to cancel importing Restoring Factory Default Settings Step 1 Select Reset Factory Settings under Backup Restore Configuration Step 2 Click OK at the bottom right of the screen to restore the factory settin...

Page 24: ...ateway to send e mail alerts to the System Administrator when the network is being attacked by hackers or when emergency conditions occur Step 2 SMTP Server IP Enter SMTP server s IP address Step 3 E Mail Address 1 Enter the first e mail address to receive the alarm notification Step 4 E Mail Address 2 Enter the second e mail address to receive the alarm notification Optional Click OK on the botto...

Page 25: ...Set Web Management WAN Interface The administrator can change the port number used by HTTP port anytime MTU set networking packet length The administrator can modify the networking packet length Step 1 MTU Setting Modify the networking packet length Link Speed Duplex Mode Setting This function allows administrator to set the transmission speed and mode of WAN Port 20 ...

Page 26: ...tocol again The default timer is 80 seconds Dynamic Routing RIPv2 Enable Dynamic Routing RIPv2 CS 500 will advertise an IP address pool to the specific network so that the address pool can be provided RIP protocol supporting Routing information update timer CS 500 will routing table the default timer is 30 seconds Routing information timeout If CS 500 does not receive the RIP protocol from the oth...

Page 27: ...ck Cancel to discard changes System Reboot Once this function is enabled the Reboot Appliance Click Reboot x will appear ock nfigure the Content Security Gateway s date and time by either syncing to an Internet s clock Step 3 Enter the Server IP Address or Server name with which you want to synchronize 4 1 5 Date Time Synchronizing the Content Security Gateway with the System Cl Administrator can ...

Page 28: ...ny applies several real IP Addresses 168 85 88 0 24 and the company is divided into R D department service sales department procurement department accounting department the company can distinguish each department convenient management The settings are as the following 1 R D department sub network 192 168 1 11 24 LAN ÅÆ 168 85 88 253 WAN 2 Service department sub network 192 168 2 11 24 LAN ÅÆ 168 8...

Page 29: ...scard changes Multiple Subnet functions WAN Interface IP Forwarding Mode Display WAN Port IP addres Interface Indicate the multiple subnet location in LAN or DMZ site Alias IP of Int Interface Netmask Local port IP address and subnet Mask Configure Modify the settings of M o Add a Multiple Subnet NAT Mode Step 1 Click the New Entry button below to add Multiple Subnet 2 Enter the IP address in the ...

Page 30: ...k OK to delete the setting or click Cancel to discard changes Routing Mode Multiple Subnet allows local port to set Multiple Subnet Routing Mode and connect with the internet through istinguish each department by different sub network for the purpose of convenient WAN IP address For example the leased line of a company applies several real IP Addresses 168 85 88 0 24 and the company is divided int...

Page 31: ...e Subnet Click Modify to modify the parameters of Multiple Subnet r click Delete to delete settings Step rt IP Address t Mask Step 3 Click OK to add Multiple Subnet or click Cancel to discard changes Mode or Routing Mode Interface Indicate the multiple subnet location in LAN or DMZ site Alias IP of Int Interface Netmask Local port IP address and subnet Mask Configure Modify the settings of M o Add...

Page 32: ...ck the OK button below to change the setting or click Cancel to discard changes side of the service providers click OK Step 2 Enter the new IP address in Modify Multiple Subnet window Removing a Multiple Subnet Routing Mode Step 1 Find the IP Address you want to delete in Multiple Subnet menu then click Delete button on the right confirmation pop up box will appear click OK to delete the setting o...

Page 33: ...s are shown ÍÍ Route Table functions Interface Destination network LAN or WAN networks Destination IP Netmask IP address and subnet mask of destination network Gateway Gateway IP address for connecting to destination network Configure Change settings in the route table Adding a new Static Route Step 1 In the Route Table window click the New Entry button Step 2 In the Add New Static Route window en...

Page 34: ...option in the Configure field Step 2 In the Modify Static Route window modify the necessary routing addresses Step 3 Click OK to apply changes or click Cancel to cancel it Removing a Static Route Step 1 In the Route Table window find the route to remove and click the corresponding Remove option in the Configure field Step 2 In the Remove confirmation pop up box click OK to confirm removing or clic...

Page 35: ... can configure DHCP Dynamic Host Configuration Protocol settings for the LAN LAN network Entering the DHCP window Click System on the left hand side menu bar then click DHCP below the Configure menu The DHCP window appears in which current DHCP settings are shown on the screen ÍÍ 30 ...

Page 36: ...S Server 2 LAN interface Client IP Address Range 1 Enter the starting and the ending IP address dynamically assigning to DHCP clients Client IP Address Range 2 Enter the starting and the ending IP address dynamically assigning to DHCP clients Optional DMZ interface Client IP Address Range 1 Enter the starting and the ending IP address dynamically assigning to DHCP clients Client IP Address Range 2...

Page 37: ... How to use dynamic DNS The Content Security Gateway provides many service providers users have to register prior to use this function For the usage regulations see the providers websites How to register Firstly Click Dynamic DNS in the System menu to enter Dynamic DNS window then click Add button on the right side of the service providers click Sign up the service providers website will appear pl...

Page 38: ...e Provider Domain name Your host domain name provided by ISP Click OK to add dynamic DNS or click Cancel to discard changes Modify dynamic DNS Step 1 Find the item you want to change and click Modify Step 2 Enter the new information in the Modify Dynamic DNS window Click OK to change the settings or click Cancel to discard changes Remove Dynamic DNS Step 1 Find the item you want to change and clic...

Page 39: ...em a public IP address for the mail server So for the LAN network to access the mail server mail planet com tw they would have to go out to the Internet then come back through the Content Security Gateway to access the mail server Essentially the LAN network is accessing the mail server by a real public IP address while the mail server serves their request by a NAT address and not a real one This ...

Page 40: ...ep 1 Click on the New Entry button and the Add New Host Table window will appear Step 2 Fill in the appropriate settings for the domain name and virtual IP address Step 3 Click OK to save the policy or Cancel to cancel Modifying a Host Table Step 1 In the Host Table window find the policy to be modified and click the corresponding Modify option in the Configure field Step 2 Make the necessary chan...

Page 41: ...Table or click Cancel 4 1 11 Language Administrator can configure the Content Security Gateway to select the Language version Step 1 Select the Language version English Version Traditional Chinese Version or Simplified Chinese Version Step 2 Click OK to set the Language version or click Cancel to discard changes 4 1 12 Logout Step 1 Select this option to the device s Logout the Content Security Ga...

Page 42: ...e LAN network the WAN network and the DMZ network The netmask and gateway IP addresses are also configured in this section 4 2 1 LAN Entering the Interface menu Click on Interface in the left menu bar Then click on LAN below it The current settings of the interface addresses will appear on the screen Configuring the Interface Settings Using the LAN Interface the Administrator sets up the LAN netwo...

Page 43: ...e device is 255 255 255 0 Ping Select this to allow the LAN network to ping the IP Address of the Content Security Gateway If set to enable the device will respond to ping packets from the LAN network HTTP Select this to allow the device WEBUI to be accessed from the LAN network 4 2 2 WAN Entering the Interface menu Click on Interface in the left menu bar Then click on WAN below it The current set...

Page 44: ...es before disconnection Enter 0 if you do not want the PPPoE connection to disconnect at all Ping Select this to allow the WAN network to ping the IP address of the Content Security Gateway This will allow people from the Internet to be able to ping the Content Security Gateway If it sets to enable the device will respond to echo request packets from the WAN network HTTP Select this to allow the d...

Page 45: ... able to ping the Content Security Gateway If set to enable the device will respond to echo request packets from the WAN network HTTP Select this to allow the device WEBUI to be accessed from the WAN network This will allow the WebUI to be configured from a user on the Internet Keep in mind that the device always requires an username and password to enter the WebUI For Static IP Address This optio...

Page 46: ...he password is provided by ISP IP Address Enter the static IP address assigned to you by your ISP or obtain an IP address automatically from ISP PPTP Gateway Enter the PPTP server IP address assigned to you by your ISP Connect ID This is the ID given by ISP This is optional Max Upstream Downstream Bandwidth The bandwidth provided by ISP BEZEQ ISRAEL Select this item if you are using the service pr...

Page 47: ... WebUI 4 2 3 DMZ The Administrator uses the DMZ Interface to set up the DMZ network The DMZ network consists of server computers such as FTP SMTP and HTTP web These server computers are put in the DMZ network so they can be isolated from the LAN LAN network traffic Broadcast messages from the LAN network will not cross over to the DMZ network to cause congestions and slow down these servers This a...

Page 48: ...lways requires a username and password to enter the WebUI 4 3 Policy Object The Policy Object is the pre setting item for Policy editing The administrator can configure all necessary items here before he wants to configure Content Security Gateway Policy The contents include Address Service Schedule QoS Authentication Content Blocking Virtual server and VPN 4 3 1 Address The Content Security Gatew...

Page 49: ... the LAN network IP and Netmask addresses will show on the screen ÍÍ Definition Name Name of LAN network address IP Netmask IP address and subnet mask of LAN network MAC Address MAC address corresponded with LAN IP address Configure You can configure the settings in LAN network Click Modify to change the parameters in LAN network Click Remove to delete the settings In the LAN window if one of the ...

Page 50: ...option in its corresponding Configure field The Modify Address window appears on the screen immediately Step 2 In the Modify Address window fill in the new addresses Step 3 Click OK to save changes or click Cancel to discard changes Removing a LAN Address Step 1 In the LAN window locate the name of the network to be removed Click the Remove option in its corresponding Configure field Step 2 In the...

Page 51: ...screen ÍÍ Definitions Name Name of the LAN group Member Members of the group Configure Configure the settings of LAN group Click Modify to change the settings of LAN group Click Remove to delete the group In the LAN Group window if one of the LAN Group has been added to Policy the Configure column will show the message In Use In this case you are not allowed to modify or remove the LAN group You h...

Page 52: ...a LAN Group In the LA window the Add New Address Group window Available address list the names of all the members of the LAN net Selected address list the names to be assigned to the ne Name enter the name of the new group in the open field Add members Select names to be adde Remove members Select names to be removed in the Selected Addre Remove button to remove these members from Selected Addres ...

Page 53: ...ers of the LAN network Selected address list names of members which have been assigned to this group Add members Select names in A them to the Selected address list Remove members Select names in the Selected address to remove these members from the Selected add Re Step 1 te the group to be removed and click its corresponding Remove Step 2 onfirmation pop up box click OK to remove the group or cli...

Page 54: ...work address IP Netmask IP address Netmask of WAN network Configure Configure the settings of WAN network Click Modify to change the settings of WAN network Click Remove to delete the setting of WAN network NOTE In the WAN Network window if one of the members has been added to Policy or LAN Group the Configure column will show the message In Use In this case you are not allowed to modify or remove...

Page 55: ...the Modify option in its corresponding Configure field Step 2 The Modify Address window will appear on the screen immediately In the Modify Address window fill in new addresses Step 3 Click OK to save changes or click Cancel to discard changes Removing an WAN Address Step 1 In the WAN table locate the name of the network to be removed and click the Remove option in its corresponding Configure fiel...

Page 56: ...up Configure Configure the settings of WAN group Click Modify to change the parameters of WAN group Click Remove to delete the selected group NOTE In the WAN Group window if one of the members has been added to the Policy In Use message will appear in the Configure column You are not allowed to modify or remove the settings Go to the Policy window to remove the setting and then you can configure A...

Page 57: ...dd the new group or click Cancel to discard changes Modifying a WAN Group Step 1 In the WAN Group window locate the network group to be modified and click its corresponding Modify button in the Configure field Step 2 A window displaying the information of the selected group appears Available address list the names of all the members of the WAN network Selected address list the names of the members...

Page 58: ...ify option in the Configure field Step 2 In the Remove confirmation pop up box click OK to remove the group or click Cancel to discard changes 4 3 1 5 DMZ Entering the DMZ window Click DMZ under the Address menu to enter the DMZ window The current setting information such as the name of the LAN network IP and Netmask addresses will show on the screen 53 ...

Page 59: ...w DMZ address Step 3 Click OK to add the specified DMZ or click Cancel to discard changes Modifying a DMZ Address Step 1 In the DMZ window locate the name of the network to be modified and click the Modify option in its corresponding Configure field Step 2 In the Modify Address window fill in new addresses Step 3 Click OK on save the changes or click Cancel to discard changes 54 ...

Page 60: ...Remove option in its corresponding Configure field Step 2 In the Remove confirmation pop up box click OK to remove the address or click Cancel to discard changes 4 3 1 6 DMZ Group Entering the DMZ Group window Click DMZ Group under the Address menu to enter the DMZ window The current settings information for the DMZ group appears on the screen 55 ...

Page 61: ... to assign to a new group Step 3 Name enter a name for the new group Step 4 Add members Select the names to be added from the Available address list and click the Add button to add them to the Selected address list Step 5 Remove members Select names to be removed from the Selected address list and click the Remove button to remove them from the Selected address list Step 6 Click OK to add the new ...

Page 62: ...t the names of all the members of the DMZ Selected address list the names of the members that have been assigned to this group Step 3 Add members Select names to be added from the available Address list and click the Add button to add them to the Selected address list Step 4 Remove members Select names to be removed from the Selected address list and click the Remove button to remove them from Sel...

Page 63: ... port numbers for network communication applications Users then can connect to servers and other computers through these available network services What is Service TCP and UDP protocols support varieties of services and each service consists of a TCP Port or UDP port number such as TELNET 23 SMTP 21 POP3 110 etc The Content Security Gateway defines two services pre defined service and custom servi...

Page 64: ...by applying all 5 services to a single group name in the service field it takes only one control policy to achieve the same effect as the 50 control policies 4 3 2 1 Pre defined Entering a Pre defined window Step 1 Click Pre defined under it A window will appear with a list of services and their associated IP addresses This list cannot be modified ÍÍ Icons and Descriptions Figur Description TCP se...

Page 65: ...it means that the entered port number is opened Configure Configure the settings in Service table Click Modify to change the parameters in Service table Click Remove to delete the selected setting NOTE In the Custom window if one of the services has been added to Policy or Group In Use message will appear in the Configure column In this case you are not allowed to modify or remove the settings Go ...

Page 66: ...ed service appears on the screen Step 2 Enter the new values Step 3 Click OK to accept editing or click Cancel Removing Custom Services Step 1 Click its corresponding Remove option in the Configure field Step 2 In the Remove confirmation pop up box click OK to remove the selected service or click Cancel to cancel action 61 ...

Page 67: ... the Group Click Remove to delete the Group NOTE In the Group window if one of the Service Groups has been added to Policy In Use message will appear in the Configure column You are not allowed to modify or remove the settings Go to the Policy window remove the Service group first and then you are allowed to configure the setting Adding Service Groups Step 1 In the Group window click the New Entry...

Page 68: ...on to remove them from the group Step 6 Click OK to add the new group Modifying Service Groups Step 1 In the Mod modify group window the following fields are displayed Available service lists all the available services Selected service list services that have been assigned to the selected group Step 2 Add new services Select services in the Available service list and then click the Add button to a...

Page 69: ...ity Gateway policies therefore will likely not be permitted to pass through the Content Security Gateway The Administrator can configure the start time and stop time as well as creating 2 different time periods in a day For example an organization may only want the Content Security Gateway to allow the LAN network users to access the Internet during work hours Therefore the Administrator may creat...

Page 70: ...w Schedule window will appear Schedule Name Fill in a name for the new schedule Period Configure the start and stop time for the days of the week that the schedule will be active Step 2 Click OK to save the new schedule or click Cancel to cancel adding the new schedule NOTE In setting a Schedule the value in Start time must be less than the value in Stop Time or you cannot add or configure the set...

Page 71: ...oS By configuring the QoS you can control the outbound Upstream downstream Bandwidth The administrator can configure the bandwidth according to the WAN bandwidth Downstream Bandwidth To configure the Guaranteed Bandwidth and Maximum Bandwidth Upstream Bandwidth To configure the Guaranteed Bandwidth and Maximum Bandwidth QoS Priority To configure the priority of distributing Upstream Downstream and...

Page 72: ...Priority To configure the priority of distributing Upstream Downstream and unused bandwidth Add New QoS Step 1 Click QoS in the menu bar on the left hand side Step 2 Click the New Entry button to add new QoS Definition Name The name of the QoS you want to configure Downstream Bandwidth To configure the Guarateed Bandwidth and Maximum Bandwidth Upstream Bandwidth To configure the Guarateed Bandwidt...

Page 73: ...Guarateed Bandwidth and Maximum Bandwidth QoS Priority To configure the priority of distrubuting Upstream Downstream and unused bandwidth Click the OK button to modify QoS Delete QoS Step 1 In the QoS window find the QoS you want to change and click Delete in the Configure column Step 2 In the Delete QoS window click OK to delete the QoS or click Cancel to discard the change Example about how to i...

Page 74: ...s Manual Step 2 Configure the LAN host or WAN host IP address that need to filter with QoS feature Be aware that the Netmask must set to 255 255 255 255 if you only want to configure a single IP address Step 3 Set up the QoS rule 69 ...

Page 75: ...hentication according to the authentication account and password CS 500 configures the authentication of LAN s user by setting account and password to identify the privilege 4 3 5 1 Auth Setting The administrator can specify the port number and authentication time of authentication management system for LAN user to access WAN network Configuration of Authentication Click Authentication in the menu...

Page 76: ...he address file to have the user login page Re Login if Idle When the LAN users access to WAN network and do not use for a while the connection will be time out User has to re login again The default time is 30 minutes Re Login after user login successfully You can limit the access time for the LAN user when time is up LAN user will need to re login again If the time setting sets to 0 that means u...

Page 77: ...a new Auth User Step 1 In the Authentication window click the New User button to create a new Auth User Step 2 In the Auth User window Auth User Name enter the username of new Authentication Password enter a password for the new Authentication Confirm Password enter the password again Step 3 Click OK to add the user or click Cancel to cancel the addition 72 ...

Page 78: ...re login again The default time is 30 minutes and you can configure this time by Authentication Auth Setting page In the form of controlling the Outgoing Policy enable the Authentication User Function User Login Page Definitions User Name The name of the Authentication you want to configure Password The input carries on the authentication the password 73 ...

Page 79: ... authentication user Password show original password New Password enter new password Confirm Password enter the new password again Step 3 Click OK to confirm authentication user change or click Cancel to cancel it Removing a Authentication User Step 1 In the Authentication table locate the Auth User name you want to edit and click on the Remove option in the Configure field Step 2 The Remove confi...

Page 80: ... Name Enter the new Auth Group name Available auth user List all the available Auth User Selected auth user List Auth User to be assigned to the new group Step 2 Enter the new group name in the group Name field This will be the name referencing the created group Step 3 To add new Auth User Select the Auth User desired to be added in the Available auth user list and then click the Add button to add...

Page 81: ...Group name Available auth user List all the available Auth User Selected auth user List Auth User to be assigned to the new group Step 3 To add new Auth User Select the Auth User desired to be added to the Available auth user list and then click the Add button to add them to the group Step 4 To remove Auth User Select Auth User desired to be removed from the Available auth user list and then click...

Page 82: ...d and click its corresponding Remove option in the Configure field Step 2 In the Remove confirmation pop up box click OK to remove the selected service group or click Cancel to cancel removing 4 3 5 4 Radius Serve Click Authentication on the left side menu bar then click Radius Server below it The following window is shown 77 ...

Page 83: ...t The Password for CS 500 to access RADIUS Server Enable 802 1x RADIUS Server Authentication Enable 802 1x RADIUS Server Authentication 4 3 5 5 POP3 Click Authentication on the left side menu bar then click POP3 below it The following window is shown Definition Enable POP3 Server Enable POP3 Server Authentication POP3 Server Enter POP3 Server IP address or domain name POP3 Server Port Enter POP3 S...

Page 84: ...You can select to block which type of extension name or all type of the file Upload Block upload connection audio and video transferring from web page You can select to block which type of extension name or all type of the file 4 3 6 1 URL Blocking The Administrator may setup URL Blocking to prevent LAN network users from accessing a specific website on the Internet Any web request coming from an ...

Page 85: ...ing window will appear Step 2 Enter the URL of the website to be blocked Step 3 Click OK to add the policy Click Cancel to discard changes Modifying a URL String Policy Step 1 In the URL window find the policy to be modified and click the corresponding Modify option in the Configure field Step 2 Make the necessary changes needed Step 3 Click on OK to save changes or click on Cancel to discard chan...

Page 86: ...cy or click on Cancel to discard changes 4 3 6 2 Scripts To let Popup ActiveX Java or Cookies in or keep them out Step 1 Click Scripts below Content Blocking menu Step 2 Select Scripts detective functions Popup Blocking Prevent pop up boxes from appearing ActiveX Blocking Prevent ActiveX packets Java Blocking Prevent Java packets Cookie Blocking Prevent Cookie packets Step 3 After selecting each f...

Page 87: ...t Blocking Prevent Bit Torrent connection built up WinMX Blocking Prevent WinMX connection built up Step 3 After selecting each function click the OK button below ÍÍ CS 500 provides a feature that will auto detect the P2P program version When it detects a new version P2P program in the LAN site CS 500 will connect to Internet and download the pattern to update the P2P Blocking function and to keep...

Page 88: ...g each function click the OK button below ÍÍ CS 500 provides a feature that will auto detect the IM program version When it detects a new version IM program in the LAN site CS 500 will connect to Internet and download the pattern to update the IM Blocking function and to keep the function working well to block new version IM program The current pattern version will display at the top side 4 3 6 5 ...

Page 89: ... Types block To block audio and video uploading from web page Extensions Block To block specific extensions name of the files from web page Step 3 After selecting each function click the OK button below 4 3 7 Virtual Server The Content Security Gateway separates an enterprise s Intranet and Internet into LAN networks and WAN networks respectively Generally in order to allocate enough IP addresses ...

Page 90: ...s risks of server crashes and enhances servers stability How to use Virtual Server and mapped IP Virtual Server and Mapped IP are part of the IP mapping also called DMZ De Militarization Zone scheme By applying the incoming policies Virtual Server and IP mapping work similarly They map real IP addresses to the physical servers private IP addresses which are opposite to NAT but there are still some...

Page 91: ...r menu bar and the Mapped IP configuration window will appear ÍÍ Definition WAN IP WAN IP Address Map to Virtual IP The IP address which WAN maps to the virtual network in the server Configure To change the setting click Configure to modify the parameters click delete to delete the setting Adding a new IP Mapping Step 1 In the Mapped IP window click the New Entry button The Add New Mapped IP windo...

Page 92: ...P window Step 3 Click OK to save change or click Cancel to cancel NOTE A Mapped IP cannot be modified if it has been assigned used as a destination address of any Incoming policies Removing a Mapped IP Step 1 In the Mapped IP table locate the Mapped IP desired to be removed and click its corresponding Remove option in the Configure field Step 2 In the Remove confirmation pop up window click OK to ...

Page 93: ...nto the LAN network Unlike a mapped IP which binds a WAN IP to a LAN IP virtual server binds WAN IP ports to LAN IP ports ÍÍ Definition Virtual Server Real IP The WAN IP address configured by the virtual server Click Click here to configure button to add a real IP address Service The service names that provided by the virtual server WAN Port The TCP UDP ports that present the service items provide...

Page 94: ...m Server 1 2 3 4 in the Virtual Server menu bar to enter the virtual server configuration window Step 2 Click the click here to configure button and the Add new Virtual Server IP window appears and asks for an IP address from the WAN network Step 3 Select an IP address from the drop down list of available WAN network IP addresses Step 4 Click OK to add new Virtual Server or click Cancel to cancel ...

Page 95: ...ver s IP Address button at the top of the screen Step 3 Delete the IP address Step 4 Click OK to remove the virtual server Setting the Virtual Server s services Step 1 For the Virtual Server which has already been set up with an IP address click the New Service button in the table Step 2 In the Virtual Server Configurations window Virtual Server Real IP displays the WAN IP address assigned to the ...

Page 96: ...Step 3 Enter the IP address of the LAN network server s to which the virtual server will be mapped Up to four IP addresses can be assigned at most Step 4 Click OK to save the settings of the Virtual Server NOTE The services in the drop down list are all defined in the Pre defined and Custom section of the Service menu Adding New Virtual Server Service Configuration Step 1 Select Virtual Server in ...

Page 97: ...addresses can be set at most and the load can be maintained in a balance by round robin algorithm Click OK to execute adding new virtual server service or click Cancel to discard adding Remember to configure the service items of virtual server before you configure Policy or the service names will not be shown in Policy Modifying the Virtual Server configurations Step 1 In the Virtual Server window...

Page 98: ...dification or configuration Removing the Virtual Server service Step 1 In the Virtual Server window s service table locate the name of the service desired to be removed and click its corresponding Remove option in the Configure field Step 2 In the Remove confirmation pop up box click OK to remove the service or click Cancel to cancel removing NOTE If the destination Network in Policy has set a vir...

Page 99: ...er to submit the further function to the VPN traffic What is New CS 500 isolates the Tunnel setting in order to allow Policy rule controlling VPN traffic So user can filter the VPN packets with QoS IDP rule and record the connection in Traffic Log or Statistic Hence to set up a Virtual Private Network VPN you need to configure CS 500 with following setting 1 Configure IPSec Autokey for the encrypt...

Page 100: ...ay IPSec Algorithm The display the Algorithm way Configure Modify and Delete Adding the Autokey IKE Step 1 Click the New Entry button and the VPN Auto Keyed Tunnel window will appear It divides into two parts of the setting Necessary Item and Optional Item Step 2 Configure Necessary Item paremeters Name Specify a name for the VPN rule To Destination Remote Gateway Fixed IP or Domain Name Specify t...

Page 101: ...tion or Authentication Only Data Encryption Authentication Encryption Algorithm Selects 56 bit DES CBC 168 bit 3DES CBC AES 128 bit AES 192 bit or AES 256 bit encryption algorithm The default algorithm is 56 bit DES CBC Authentication Algorithm Selects MD5 128 bit hash or SHA 1 160 bit hash authentication algorithm In general SHA 1 is more secured than MD5 The default algorithm is MD5 Authenticati...

Page 102: ...ation 4 3 8 2 PPTP Server This function allows the remote client dialup to your local network and access local resources by PPTP Point to Point Tunnel Protocol client software Entering the PPTP Server window Select VPN PPTP Server ÍÍ PPTP Server Click Modify to select Enable or Disable Client IP Range Display the IP addresses range for PPTP Client connection User Name Displays the PPTP Client user...

Page 103: ... is no activity for a predetermined period of time To keep the line always connected set the number to 0 Echo Request Configure the timing to detect the VPN status If failed CS 500 will disconnect the VPN tunnel Step 4 Click OK to save modifications or click Cancel to cancel modifications Adding PPTP Server Step 1 Select VPN PPTP Server Click New Entry Step 2 Enter appropriate settings in the foll...

Page 104: ...ver that you want to modify Click Configure and click Modify Step 3 Enter appropriate settings Step 4 Click OK to save modifications or click Cancel to cancel modifications Removing PPTP Server Step 1 Select VPN PPTP Server Step 2 In the PPTP Server window find the PPTP server that you WAN t to modify Click Configure and click Remove Step 3 Click OK to remove the PPTP server or click Cancel to exi...

Page 105: ...Client window Step 1 Select VPN PPTP Client ÍÍ User Name Displays the PPTP Client user s name for authentication Server IP or Domain Name Displays the PPTP Server s IP address or Domain name Encryption Displays the PPTP Client Encryption ON or OFF Uptime Displays the connection time between PPTP Server and Client Configure Click Modify to modify the PPTP Client settings or click Remove to remove t...

Page 106: ...erver IP or Domain Name Enter the PPTP Server s IP address Encryption Enable or Disabled the Encryption NAT Connect to Windows PPTP Server Select this function to setup the connection with PPTP VPN Client of CS 500 and Windows PPTP Server Modifying PPTP Client Step 1 Select VPN PPTP Client Step 2 In the PPTP Client window find the PPTP server that you want to modify and click Modify Step 3 Enter a...

Page 107: ...indow find the PPTP client that you want to modify and click Remove Step 3 Click OK to remove the PPTP client or click Cancel to exit without removal 4 3 8 4 Tunnel This function allows to be configured the related information for local and remote VPN device then to select the Tunnel entry in Policy rule for combining the further function Entering the Tunnel window Step 1 Select VPN Tunnel 102 ...

Page 108: ...s Name Specify the Tunnel name This should be unique and can not be the same as the name of IPSec Autokey rule From Source Specify the VPN source to LAN or DMZ site From Source Subnet Mask Specify the source LAN network subnet and Mask To Destination To Destination Subnet Mask Specify the destination LAN network subnet and Mask Remote Client Select Remote Client if there is only one user and dials...

Page 109: ...fy Step 3 Enter appropriate settings Removing Tunnel Step 1 Select VPN Tunnel Step 2 In the Tunnel window find the Tunnel that you want to modify and click Remove Click OK to remove the PPTP client or click Cancel to exit without removal Pausing a Tunnel Step 1 Select VPN Tunnel Step 2 In the Tunnel window find the Tunnel that you want to modify and click Pause 104 ...

Page 110: ...he VPN name VPN_A in IPSec Autokey window T Example 1 Create a VPN connection betw Example 2 Create a VPN connection between the Content Security Gateway an VPN Client Create a VPN Algorithm 3DES and MD5 and data encryption for IPSec Algorithm 3DES and MD5 Create a VPN connection between Content Security Gateway and PLANET VRT 3 Router E P Company A Externa Internal IP is 192 168 10 X Company B Ex...

Page 111: ...tion via VPN we hoose 3DES for ENC Algorithm and MD5 for AUTH Algorithm And select Group 1 to connect c Step 6 In IPSec Algorithm Table choose Data Encryption Authentication We choose 3DES for ENC lgorithm and MD5 for AUTH Algorithm A Step 7 Choose GROUP 1 as the Perfect Forward Secrecy setting and leave the default setting with 28800 econds in IPSec Lifetime and 3600 seconds for ISAKMP Lifetime s...

Page 112: ...5 255 255 0 Step 12 In To Destination table fill company B s subnet IP and mask 192 168 20 0 and 255 255 255 0 respectively Step 13 In IPSec PPTP Setting select VPN_A as the available tunnel Step 14 Fill company B s gateway IP 192 168 20 1 in Keep alive IP to keep VPN tunnel connecting Step 15 Click OK to finish the Tunnel setting of Company A Step 16 If you want to configure bi direction VPN conn...

Page 113: ...lowing Step 1 Enter the default IP of Company B s Content Security Gateway 192 168 20 1 Click VPN in the menu okey Click Add Step 2 Enter the VPN name VPN_B in IPSec Autokey window bar on the left hand side and then select the sub select IPSec Aut Step 3 In To Destination table choose Remote Gateway Fixed IP or Domain Name enter the IP address desired to be connected 108 ...

Page 114: ...UTH Algorithm And select Group 1 to connect Step 6 In IPSec Algorithm Table choose Data Encryption Authentication We choose 3DES for ENC Algorithm and MD5 for AUTH Algorithm Step 7 Choose GROUP 1 as the Perfect Forward Secrecy setting and leave the default setting with 28800 seconds in IPSec Lifetime and 3600 seconds for ISAKMP Lifetime Step 8 Select main mode as the algorithm Step 9 Click OK to f...

Page 115: ...5 255 255 0 Step 12 In To Destination table fill company B s subnet IP and mask 192 168 10 0 and 255 255 255 0 respectively Step 13 In IPSec PPTP Setting select VPN_B as the available tunnel Step 14 Fill company A s gateway IP 192 168 10 1 in Keep alive IP to keep VPN tunnel connecting Step 15 Click OK to finish the Tunnel setting of Company B Step 16 If you want to configure bi direction VPN conn...

Page 116: ... 1 The settings of company A are as the following Professional VPN C Preparation Task Company A External IP is 210 66 155 90 In R Remote user with an external IP wants to crea 1 T Configuration of CS 500 Step 1 Enter the default IP of Company A s Content Security Gateway 192 168 10 1 Click VPN in the menu ar on the left hand side and then select the sub select IPSec Autokey Click Add Step 2 Enter ...

Page 117: ...hoose 3DES for ENC Algorithm and MD5 for AUTH Algorithm Step 7 Choose GROUP 2 as the Perfect Forward Secrecy setting and leave the default setting with 28800 seconds in IPSec Lifetime and 3600 seconds for ISAKMP Lifetime Step 8 Select main mode as the algorithm Step 9 Click OK to finish the IPSec Aotukey setting of Company A Step 10 Click Tunnel and press New Entry to configure the further setting...

Page 118: ...0 Step 12 In To Destination table select Remote Client Step 13 In IPSec PPTP Setting select VPN_A as the available tunnel Step 14 Click OK to finish the Tunnel setting of Company A Step 15 Enable Tunnel setting in Incoming Policy Step 16 Click OK to finish the Policy setting of Company A 113 ...

Page 119: ...l Configuration of WinXP The IP of remote user is 210 66 155 91 The settings of remote user are as the following Step 1 Enter Windows XP click Start and click Execute function Step 2 In the Execute window enter the command mmc in Open 114 ...

Page 120: ...he Console window click Console C option and click Add Remove Embedded Management Option Step 4 Enter Add Remove Embedded Management Option window and click Add In Add Remove Embedded Management Option window click Add to add Create IP Security Policy 115 ...

Page 121: ...Content Security Gateway User s Manual Step 5 Choose Local Machine L for finishing the setting of Add Step 6 Finish the setting of Add 116 ...

Page 122: ...Content Security Gateway User s Manual Step 7 Click the right button of mouse in IP Security Policies on Local Machine and choose Create IP Security Policy C option Step 8 Click Next 117 ...

Page 123: ...Content Security Gateway User s Manual Step 9 Enter the Name of this VPN and optionally give it a brief description Step 10 Disable Activate the default response rule And click Next 118 ...

Page 124: ...Content Security Gateway User s Manual Step 11 Completing the IP Security Policy setting and click Finish Enable Edit properties Step 12 In window click Add and click Use Add Wizard 119 ...

Page 125: ...Content Security Gateway User s Manual Step 13 Click next Step 14 Enter the WAN IP of Remote user 210 66 155 91 120 ...

Page 126: ...Content Security Gateway User s Manual Step 15 click all network connections Step 16 Choose Use this string to protect the key exchange Preshared Key And enter the key 123456789 121 ...

Page 127: ...Content Security Gateway User s Manual Step 17 Click Add Step 18 Enter the name of IP filter and click Add 122 ...

Page 128: ... Security Gateway User s Manual Step 19 Click next Step 20 In Source address click down the arrow to select the specific IP Subnet and fill Company A s IP Address 192 168 10 0 and Subnet mask 255 255 255 0 123 ...

Page 129: ...Content Security Gateway User s Manual Step 21 In Destination address click down the arrow to select the My IP Address Step 22 Click next 124 ...

Page 130: ...Content Security Gateway User s Manual Step 23 Please enable edit properties and click finish Step 24 Please don t enable Mirrored and click OK 125 ...

Page 131: ...Content Security Gateway User s Manual Step 25 Click OK Step 26 Select Traffic in and click next 126 ...

Page 132: ...Content Security Gateway User s Manual Step 27 Enable User Add Wizard and click add Step 28 Click next 127 ...

Page 133: ...Content Security Gateway User s Manual Step 29 Enter the name of filter action and click next Step 30 Select Negotiate security and click next 128 ...

Page 134: ...Content Security Gateway User s Manual Step 31 Click next Step 32 Select Custom and click settings 129 ...

Page 135: ... Security Gateway User s Manual Step 33 Click Data Integrity and Encapsulation and choose MD5 and 3DES Click Generate a New key after every 28800 seconds And click 3 times OK to return Step 34 Click finish 130 ...

Page 136: ...Content Security Gateway User s Manual Step 35 Select security and click next Step 36 Click finish 131 ...

Page 137: ...Content Security Gateway User s Manual Step 37 Click Add Step 38 Click next 132 ...

Page 138: ...Content Security Gateway User s Manual Step 39 Enter the WAN IP of company A 210 66 155 90 Step 40 Select All network connections and click next 133 ...

Page 139: ...Content Security Gateway User s Manual Step 41 Choose Use this string to protect the key exchange Preshared Key And enter the key 123456789 Step 42 Click Add 134 ...

Page 140: ...Content Security Gateway User s Manual Step 43 Enter the name of IP filter and click Add Step 44 Click next 135 ...

Page 141: ... Step 45 In Source address click down the arrow to select the My IP Address Step 46 In Destination address click down the arrow to select the specific IP Subnet and fill Company A s IP Address 192 168 10 0 and Subnet mask 255 255 255 0 136 ...

Page 142: ...Content Security Gateway User s Manual Step 47 Click next Step 48 Please enable Edit properties and click finish 137 ...

Page 143: ...Content Security Gateway User s Manual Step 49 Please don t enable Mirrored and click ok Step 50 Click ok 138 ...

Page 144: ...Content Security Gateway User s Manual Step 51 Select Traffic out and click next Step 52 Select Security and click edit 139 ...

Page 145: ...Content Security Gateway User s Manual Step 53 Enable Session key perfect forward secrecy PFS and click ok Step 54 Select Security and click next 140 ...

Page 146: ...Content Security Gateway User s Manual Step 55 Please don t enable Edit properties and click finish Step 56 Click apply first and then click ok 141 ...

Page 147: ...e remote gateway of Company A the VPN tunnel is created successfully Example 3 Create a VPN connection between two Content Security Gateways using Aggressive mode Algorithm 3 DES and MD5 and data encryption for IPSec Algorithm 3DES and MD5 Preparation Task Company A External IP is 61 11 11 11 Internal IP is 192 168 10 X 142 ...

Page 148: ...k Add Step 2 Enter the VPN name VPN_A in IPSec Autokey window Step 3 In To Destination table choose Remote Gateway Fixed IP or Domain Name enter the IP address desired to be connected Step 4 In Authentication Method Table enters the Preshared Key Step 5 Enable Aggressive mode For communication via VPN the Content Security Gateway will force you to choose 3DES for ENC Algorithm SHA 1 for AUTH Algor...

Page 149: ... and 3600 seconds for ISAKMP Lifetime Step 8 Click OK to finish the setting of Company A Step 9 Click Tunnel and press New Entry to configure the further setting Step 10 Enter Site_A as the new tunnel name and select LAN interface as the VPN source Fill LAN IP subnet 192 168 10 0 with subnet mask IP 255 255 255 0 Step 11 In To Destination table fill company B s subnet IP and mask 192 168 20 0 and ...

Page 150: ...nel setting of Company A Step 14 If you want to configure bi direction VPN connection you should enable Tunnel setting in Outgoing and Incoming Policy Outgoing Policy Incoming Policy The Gateway of Company B is 192 168 20 1 The settings of company B are as the following 145 ...

Page 151: ...ation Method Table enters the Preshared Key Step 5 Enable Aggressive mode For communication via VPN the Content Security Gateway will force you to choose 3DES for ENC Algorithm SHA 1 for AUTH Algorithm and select Group 2 to connect Local ID and Remote ID are optional parameters If we choose to enter Local ID Remote ID they couldn t be the same For instance Local ID is 11 11 11 11 and Remote ID is ...

Page 152: ...ick Tunnel and press New Entry to configure the further setting Step 10 Enter Site_B as the new tunnel name and select LAN interface as the VPN source Fill LAN IP subnet 192 168 20 0 with subnet mask IP 255 255 255 0 Step 11 In To Destination table fill company A s subnet IP and mask 192 168 10 0 and 255 255 255 0 respectively Step 12 In IPSec PPTP Setting select VPN_B tunnel as the available tunn...

Page 153: ...0 Internal IP is 192 168 10 X Company B External IP is 210 66 155 92 Internal IP is 192 168 20 X To Allow Company A 192 168 10 100 create a VPN connection with company B 192 168 20 100 for downloading the sharing file The Gateway of Company A is 192 168 10 1 The settings of company A are as the following Step 1 Enter the default IP of Company A s Content Security Gateway 192 168 10 1 Click VPN in ...

Page 154: ...cation via VPN we choose 3DES for ENC Algorithm and MD5 for AUTH Algorithm And select Group 2 to connect Step 6 In IPSec Algorithm Table choose Data Encryption Authentication We choose 3DES for ENC Algorithm and MD5 for AUTH Algorithm Step 7 Choose GROUP 2 as the Perfect Forward Secrecy setting and leave the default setting with 28800 seconds in IPSec Lifetime and 3600 seconds for ISAKMP Lifetime ...

Page 155: ...12 In To Destination table fill company B s subnet IP and mask 192 168 20 0 and 255 255 255 0 respectively Step 13 In IPSec PPTP Setting select CS as the available tunnel Step 14 Fill company B s gateway IP 192 168 20 1 in Keep alive IP to keep VPN tunnel connecting Step 15 Click OK to finish the Tunnel setting of Company A Step 16 If you want to configure bi direction VPN connection you should en...

Page 156: ...Content Security Gateway User s Manual Incoming Policy 151 ...

Page 157: ...Content Security Gateway User s Manual Step 2 Configure VRT 311 VPN policy as the following 152 ...

Page 158: ...y settings are source addresses destination addresses services permission log statistics and flow alarm Among them source addresses destination addresses and IP mapping addresses have to be defined in the Address menu in advance Services can be used directly in setting up policies if they are in the Pre defined Service menu Custom services need to be defined in the Custom menu before they can be u...

Page 159: ...rvice Specify services provided by WAN network servers Action Control actions to permit or deny packets from LAN networks to WAN network travelling through the Content Security Gateway Option Specify the monitoring functions on packets from LAN networks to WAN networks travelling through the Content Security Gateway Configure Modify settings Move This sets the priority of the policies number 1 bei...

Page 160: ... tunnel to enable the VPN traffic in Policy rule Action Select Permit or Deny ALL from the drop down list to allow or reject the packets travelling between the source network and the destination network Traffic Log Select Enable to enable flow monitoring Statistics Select Enable to enable flow statistics IDP Check to enable IDP feature Content Blocking Select Enable to enable Content Blocking Max ...

Page 161: ...lick its corresponding Remove option in the Configure field Step 2 In the Remove confirmation dialogue box click OK to remove the policy or click Cancel to cancel removing 4 4 2 Incoming This section describes steps to create policies for packets and services from the WAN network to the LAN network including Mapped IP and Virtual Server Enter Incoming window 156 ...

Page 162: ...irtual server network addresses created in Virtual Server menu Service Services supported by Virtual Servers or Mapped IP Action Control actions to permit or deny packets from WAN networks to Virtual Server Mapped IP travelling through the device Option Specify the monitoring functions on packets from WAN networks to Virtual Server Mapped IP travelling through the Content Security Gateway Configur...

Page 163: ...VPN traffic in Policy rule Action Select Permit or Deny ALL from the drop down list to allow or reject the packets travelling between the specified WAN network and Virtual Server Mapped IP Traffic Log Select Enable to enable flow monitoring Statistics Select Enable to enable flow statistics IDP Check to enable IDP feature Max Concurrent Sessions The maximum concurrent sessions that allows to pass ...

Page 164: ...o cancel removing 4 4 3 WAN To DMZ LAN To DMZ This section describes steps to create policies for packets and services from the WAN networks to the DMZ networks Please follow the same procedures for LAN networks to DMZ networks Enter WAN To DMZ or LAN To DMZ window Click WAN To DMZ under Policy menu to enter the WAN To DMZ window The WAN To DMZ table will show up displaying currently defined polic...

Page 165: ...menu Service Services supported by servers in DMZ network Action Control actions to permit or deny packets from WAN networks to DMZ travelling through the Content Security Gateway Option Specify the monitoring functions of packets from WAN network to DMZ network travelling through Content Security Gateway Configure Modify settings or remove policies Move This sets the priority of the policies numb...

Page 166: ...fy these services please go to the Service menu Please refer to the section entitled Services for details Schedule Select the item listed in the schedule to enable the policy to automatically execute the function in a certain time and range Tunnel Select the specific VPN tunnel to enable the VPN traffic in Policy rule Action Select Permit or Deny ALL from the drop down list to allow or reject the ...

Page 167: ...ow locate the name of policy desired to be removed and click its corresponding Remove option in the Configure field Step 2 In the Remove confirmation pop up box click OK to remove the policy 4 4 4 DMZ To WAN DMZ To LAN This section describes steps to create policies for packets and services from DMZ networks to WAN networks Please follow the same procedures for DMZ networks to LAN networks 162 ...

Page 168: ...work address Service Services supported by Servers of WAN networks Action Control actions to permit or deny packets from the DMZ network to WAN networks travelling through the Content Security Gateway Option Specify the monitoring functions on packets from the DMZ network to WAN networks travelling through the Content Security Gateway Configure Modify settings or remove policies Move This sets the...

Page 169: ...roup section under the Service menu These are services application that are allowed to pass from the DMZ network to the WAN network Choose ANY for all services To add or modify these services please go to the Service menu Schedule Select the item listed in the schedule to enable the policy to automatically execute the function in a certain time and range Authentication User Select the item listed ...

Page 170: ... of policy desired to be modified and click its corresponding Modify option in the Configure field Step 2 In the Modify Policy window fill in new settings NOTE To change or add selections in the drop down list go to the section where the selections are setup Source Address DMZ of Address Destination Address WAN Service Pre defined Service Custom or Group under Service Step 3 Click OK to save modif...

Page 171: ...lated chapter 4 5 1 Configure About the Mail Security Configure function it means the dealing standard towards mail of CS 500 In this chapter it is defined as Setting and Mail Relay Setting Define the required fields of setting Scanned Mail Setting Setup to deal with the mail size in order to judge the mail should be scanned or not Unscanned Mail Setting If the mail does not be scanned via CS 500 ...

Page 172: ... 500 as Gateway Mail Server in DMZ Transparent Mode Preparation WAN Port IP 61 11 11 11 Mail Server IP 61 11 11 12 Map the DNS Domain Name that apply from ISP planet com tw to DNS Server IP setup MX record is Mail Server IP When external sender sends mail to the recipient account of the planet com tw domain add the following Mail Relay setting STEP 1 Add the following setting in Mail Relay functio...

Page 173: ... Port IP 172 16 1 12 Mail Server IP 172 16 1 13 Map the DNS Domain Name planet com tw to DNS Server IP setup MX record is Mail Server IP When LAN 172 16 1 0 16 users send mail from the sender account of planet com tw mail server to the recipient account in external mail server the configuration should need to add the following mail relay setting STEP 1 Add the first setting in Mail Relay function ...

Page 174: ... in DMZ Transparent Mode to make the Branch office s employees can send mails via Headquarters Mail Server Preparation WAN Port IP of CS 500 61 11 11 11 Mail Server IP 61 11 11 12 WAN Port IP of the Branch office s Firewall 211 22 22 22 Map the DNS Domain Name planet com tw to DNS Server IP setup MX record is Mail Server IP When the branch office s users send mail to the external mail server s rec...

Page 175: ...ternal IP of Mail Relay IP Address Enter the IP Address of external sender Enter the Netmask Complete Mail Relay setting 4 5 2 Anti Spam CS 500 can filter the e mails that are going to send to the mail server of enterprise in order to make sure the e mail account that communicates with outside won t receive a mass advertisement or Spam mail Meanwhile it can reduce the burden of mail server Also ca...

Page 176: ...ne if it is spam mail or not Definition Enable Anti Spam Select to enable Anti Spam function The Mail Server is placed in Internal LAN or DMZ or External WAN Select to choose the location of the mail server The threshold score of spam mail is CS 500 allows the Administrator to decide the threshold to be the standard of judging the spam mail Add the message to the subject line If the mail has been ...

Page 177: ...l to the recipient and add a SPAM in the mail subject This function is available for Internal and External Mail Server Forward to You can configure CS 500 to forward spam mail to a specific mail account it will be easily to manage the spam mail Configure an Anti Spam setting After setup the relevant settings in Mail Relay function of Configure add the following settings in this function 1 The Mail...

Page 178: ...nable this function the mails that correspond to this rule will be trained to identify as spam mail or if Classification is set as Ham Non Spam and enable this function the mails correspond to this rule will be trained to identify as ham non spam mail according to the setting in Training function Item The items use to judge the spam mail according to Header Body and Size of the mail The packet Hea...

Page 179: ...p 1 In the Rule window find the policy to be modified and click the corresponding Modify option in the Configure field Step 2 Make the necessary changes needed Step 3 Click OK to save changes or click on Cancel to cancel modifications Removing a Rule Step 1 In the Rule window find the policy to be removed and click the corresponding Remove option in the Configure field Step 2 A confirmation pop up...

Page 180: ...s of the mail Auto Training Select enable to allow Auto Training system updating the CS 500 s database Adding a new Whitelist Step 1 Click on the New Entry button and the Whitelist window will appear Step 2 Fill in the appropriate settings for the related information Step 3 Click OK to save the policy or Cancel to cancel Modifying a Whitelist Step 1 In the Whitelist window find the policy to be mo...

Page 181: ...able or click Cancel 4 5 2 4 Blacklist To determine the mail comes from specific mail address that will be filtered or restricted Below is the information needed for setting up the Blacklist Blacklist Specify the key word or with wildcard for the Blacklist field Direction From To judge the sending address of the mail To To judge the receiving address of the mail Auto Training Select enable to allo...

Page 182: ...cy or Cancel to cancel Modifying a Blacklist Step 1 In the Blacklist window find the policy to be modified and click the corresponding Modify option in the Configure field Step 2 Make the necessary changes needed Step 3 Click OK to save changes or click on Cancel to cancel modifications Removing a Blacklist Step 1 In the Blacklist window find the policy to be removed and click the corresponding Re...

Page 183: ...rt the file which is determined as spam mail here To raise the judgment rate of ham mail after the CS 500 learning the file Spam Account for Training You can specify a mail account in your mail server and redirect all the Spam mail to this account When the related configuration is set such as POP3 server User name and Password CS 500 will search the Spam mail in this account and update the Spam ty...

Page 184: ...al Example How to train mail into CS 500 STEP 1 Create a new folder SpamMail in Outlook Express Press the right key of the mouse and select New Folder In Create Folder WebUI and enter the Folder s Name as SpamMail and then click on OK 179 ...

Page 185: ...EP 2 In Inbox Outlook Express move spam mail to SpamMail Folder In Inbox select all of the spam mails that do not judge correctly and press the right key of the mouse and move to the folder In Move WebUI select SpamMail Folder and click OK 180 ...

Page 186: ...rity Gateway User s Manual STEP 3 Compress the SpamMail Folder in Outlook Express to shorten the data and upload to CS 500 for training Select SpamMail Folder Select Compact function in selection of the folder 181 ...

Page 187: ...TEP 4 To copy the route of SpamMail File in Outlook Express to convenient to upload the training to CS 500 Press the right key of the mouse in SpamMail file and select Properties function Copy the file address in SpamMail Properties WebUI 182 ...

Page 188: ...5 Paste the route of copied from SpamMail file to the Spam Mail for Training field in Training function of Anti Spam And press OK to deliver this file to CS 500 instantly and to learn the uploaded mail file as spam mail in the appointed time 183 ...

Page 189: ...Outlook exporting file pst it has to close Microsoft Office Outlook first to start Importing STEP 6 Remove all of the mails in SpamMail File in Outlook Express so that new mails can be compressed and upload to CS 500 to training directly next time Select all of the mails in SpamMail File and press the right key of the mouse to select Delete function Make sure that all of the mails in SpamMail file...

Page 190: ...nt In Top Total Spam report you can choose to display the scanned mails that sent to Internal Mail Server or received from External Mail Server It also can sort the mail according to Recipient Total Spam and Total Mail 4 5 3 Anti Virus CS 500 built in Clam virus scanning engine can protect your LAN network from being infected virus 4 5 3 1 Setting 185 ...

Page 191: ...0 filters the infected mail there are three kinds of actions for Internal Mail Server and one action for External Mail server to arrange the infected mail Delete the virus mail If select this option the virus mail will be deleted without any notification Deliver to the recipient This action is available for Internal Mail Server and External Mail Server setting Deliver a notification mail instead o...

Page 192: ... the protection to network and obstruct to the attack behavior let the network can still work normally and increase the information transmission security 4 6 1 Setting It can update signature definitions for every 120 minutes Or update signature definitions immediately It will show the update time and version at the same time It can detect virus to the file which have no encryption and compression...

Page 193: ...tches the signature CS 500 will produce log as follows in Log function of IDP Report 4 6 2 Signature Provide relative compare rule to different attack behavior include three sections Anomaly Pre defined and Custom Anomaly Anomaly signature can allow user to define the signature in order to detect and prevent the irregular attack behavior Take Syn Flood as the example Definition Enable Check to ena...

Page 194: ...ion to record the log in IDP Report Pre defined Pre defined signatures can detect and prevent to intrusive pattern which can be discovered at present These signatures can not be modified and deleted Definition Action Select Pass to pass the packets or select Drop to discard the packets Log Check Log function to record the log in IDP Report Custom Custom signatures can allow user to create the sign...

Page 195: ... used to be attacked Risk Define the threat about attack packets Action Select Pass to pass the packets or select Drop to discard the packets Log Check Log function to record the log in IDP Report Content Define the attack packets content EX Use Pre defined and Custom signature settings to detect and prevent attack behaviors STEP 1 Enter the following setting in Setting of Configure function STEP ...

Page 196: ...nual Destination Port Enter 80 80 Risk Select High Action Select Drop and enable Log function Content Enter cracks Click OK to finish the IDP setting STEP 3 Enter the following settings in Outgoing Policy to enable the IDP function 191 ...

Page 197: ...play the situation about intrusion detection and prevention of CS 500 Icon Definition 1 Action Pass Drpo 2 Risk High Risk Medium Risk Low Risk 4 7 Anomaly Flow IP The Administrator can enable the device s auto detect functions for Anomaly Flow IP attacking the local network When abnormal conditions occur CS 500 will send an e mail alert to notify the Administrator and also display warning messages...

Page 198: ...es the Log menu to monitor the traffic passing through the Content Security Gateway What is Log Log records all connections that pass through the Content Security Gateway s control policies Traffic log s parameters are setup when setting up control policies Traffic logs record the details of packets such as the start and stop time of connection the duration of connection the source address the des...

Page 199: ... or Deny Downloading the Traffic Logs The Administrator can backup the traffic logs regularly by downloading it to the computer Step 1 In the Traffic Log window click the Download Logs button at the bottom of the screen Step 2 Follow the File Download pop up window to save the traffic logs into a specified directory on the hard drive Clearing the Traffic Logs The Administrator may clear on line lo...

Page 200: ... Logs Entering the Event Log window Step 1 Click the Event Log option under the Log menu and the Event Log window will appear ÍÍ Step 2 The table in the Event Log window displays the time and description of the events Time time when the event occurred Event description of the event Downloading the Event Logs Step 1 In the Event Log window click the Download Logs button at the bottom of the screen ...

Page 201: ...e most updated logs on the screen Step 1 In the Event Log window click the Clear Logs button at the bottom of the screen Step 2 In the Clear Logs pop up box click OK to clear the logs or click Cancel to cancel it 4 8 1 3 Connection Click Log in the menu bar on the left hand side and then select the sub selection Connection Log ÍÍ Definition Time The start and end time of connection Connection Log ...

Page 202: ...load Logs button Step 3 In the Download Logs window save the logs to the specified location Clear Logs Step 1 Click Log in the menu bar on the left hand side and then select the sub selection Connection Logs Step 2 In Connection Log window click the Clear Logs button Step 3 In Clear Logs window click OK to clear the logs or click Cancel to discard changes 4 8 1 4 Log Backup Click Log ÆLog Backup Í...

Page 203: ...ort Syslog Message Log Mail Configuration Enable Log Mail Support Step 1 Firstly go to Admin Select Enable E mail Alert Notification under E Mail Settings Enter the e mail address to receive the alarm notification Click OK Step 2 Go to LOG ÆLog Backup Check to enable Log Mail Support Click OK System Settings Enable Syslog Message Step 1 Check to enable Syslog Message Enter the Host IP Address and ...

Page 204: ...atistics of downstream and upstream for all kinds of communication services the Inbound Accounting report will be shown when WAN host connects to LAN host via CS 500 Source IP Select to record the statistic based on Source IP address Destination IP Select to record the statistic based on Destination IP address Service Select to record the statistic based on Service Administrator can use this Accou...

Page 205: ...server Downstream The percentage of downstream and the statistic value of the connection from WAN server to LAN user Upstream The percentage of upstream and the statistic value of the connection from LAN user to WAN server First Packet The time record of the first packet that was sent to WAN service server from LAN user Last Packet The time record of the last packet sent from WAN server and receiv...

Page 206: ...ownstream and the statistic value of the connection from LAN user to WAN server Upstream The percentage of upstream and the statistic value of the connection from WAN server to LAN user First Packet The time record of the first packet that was sent to LAN user from WAN service server Last Packet The time record of the last packet sent from LAN user and received by the WAN server Duration The time ...

Page 207: ... The percentage of upstream and the statistic value of the connection from LAN user to WAN server First Packet The time record of the first packet that was sent to WAN service server from LAN user Last Packet The time record of the last packet sent from WAN server and received by the LAN user Duration The time statistic record that started from the first packet and end to the last packet Total Tra...

Page 208: ...WAN host Downstream The percentage of Downstream and the statistic value of the connection from LAN host to WAN host via CS 500 Upstream The percentage of Upstream and the statistic value of the connection from WAN host to LAN host via CS 500 First Packet The time record of the first packet that was sent from WAN host to LAN host Last Packet The time record of the last packet that sent from WAN ho...

Page 209: ... statistic value of the connection from WAN host to LAN host via CS 500 Upstream The percentage of Upstream and the statistic value of the connection from LAN host to WAN host via CS 500 First Packet The time record of the first packet that was sent from LAN host to WAN host Last Packet The time record of the last packet that sent from LAN host to WAN host Duration The time statistic record that s...

Page 210: ...First Packet The time record of the first packet that was sent to LAN host from WAN host Last Packet The time record of the last packet sent to LAN host from WAN host Duration The time statistic record that started from the first packet and end to the last packet Total Traffic CS 500 will record the sum of upstream downstream packets from WAN host to LAN host NOTE To correctly display the pizza ch...

Page 211: ...ork The administrator needs to go to the Policy to set the network IP of the statistics By the WAN statistics you can obtain the status of the network 4 8 3 1 WAN Statistics Step 1 Click Statistics in the menu bar on the left hand side and then select WAN Statistics Step 2 The WAN Statistics will be displayed It displays statistics of WAN network connections downstream and upstream as well in a to...

Page 212: ...go to Policy to enable Statistics function Entering the Policy Statistics Step 1 Click Statistics in the menu bar on the left hand side and then select Policy Statistics Step 2 In Statistics window find the policy you want to view Step 3 In the Statistics window click Minute on the right hand side and then you will be able to view the Statistics figure every minute click Hour to view the Statistic...

Page 213: ...strator may also use Status to check the DHCP lease time and MAC addresses for computers connected to the Content Security Gateway 4 8 4 1 Interface Status Entering the Interface Status window Click on Status in the menu bar then click Interface Status below it A window will appear providing information from the Configuration menu Interface Status will list the settings for LAN Interface WAN Inter...

Page 214: ...r login status IP Address The IP address of the host computer Auth User Name The Auth User Name of that host computer Login time The Auth User login in time 4 8 4 3 ARP Table Entering the ARP Table window Click on Status in the menu bar then click ARP Table below it A window will appear displaying a table with IP addresses and their corresponding MAC addresses For each computer on the LAN WAN and ...

Page 215: ...Status in the menu bar then click on DHCP Clients below it A window will appear displaying the table of DHCP clients that are connected to the device The table will list host computers on the LAN network that obtain its IP address from the Content Security Gateway s DHCP server function IP Address the IP address of the LAN host computer MAC Address MAC address of the LAN host computer Leased Time ...

Reviews:

No comments

Brands by name

Popular brands

Load more brands