Planet CS-2001 Uživatelský manuál Strana 1

CS-2001 UTM Content Security Gateway User’s Manual 0 User’s Manual CS-2001 UTM Content Security Gateway

9 Hardware Installation Front panel: Figure 1a. Front Panel of the CS-2001 Rear panel: Figure 1b. Rear Panel of the CS-2001  Power Indi

89 Figure 3-4 Configuring the Static IP Address Figure 3-5 Setting Completed

90 Figure 3-6 Configuring the Dynamic IP Address Figure 3-7 Setting Completed

91 Figure 3-8 Configuring the PPPoE Figure 3-9 Setting Completed

92 Note： 1. The DNS Settings may be configured under Network > Settings. 2. When Ping, HTTP and HTTPS are enabled, the users may access the CS

93 3.1.3 Using CS-2001 as a Gateway for Users on Two Subnets to Access the Internet (NAT/Routing) Prerequisite Setup (Note: IP Addresses used as ex

94 Figure 3-10 Configuring the LAN Interface

95 Step 2. Go to Network > Interface and then set as below:（Figure 3-11）  Click Port3’s Modify button.  Select LAN for Interface Type.  Sele

96 Step 3. LAN1 and LAN2 users will connect to WAN1(61.11.11.11) and use WAN1’s IP address to access the Internet. You may create the policy to estab

97 3.1.4 Using CS-2001 as a Gateway for the Internal Users to Access the Internet and Configure the DMZ for the External Users to Access the Network

98 Figure 3-13 Configuring the LAN Interface

CS-2001 UTM Content Security Gateway User’s Manual 0 LED / Port Description WAN LAN DMZ LED1(Left) Orange Steady on indicates the port is connec

99 Step 2. Go to Network > Interface and then set as below:（Figure 3-14）  Click Port3’s Modify button.  Select DMZ for Interface Type.  Sele

100 Step 3. The external users may connect to the web server (61.11.11.12) to access the network resource. The LAN users may connect to WAN1 (61.11.1

101 3.1.5 Deploying the CS-2001 between the Gateway and LAN (configuring two subnets, one using Transparent Routing, the other one using NAT/Routing

102 Step 1. Go to Network > Interface and then set as below:（Figure 3-16）  Click Port2’s Modify button.  Select LAN for Interface Type.  Sel

103 nterface Settings Step 3. LAN1 users (192.168.1.x/24) and LAN2 users (192.168.2.x/24) may use their original IP addresses to access the Internet

104 Figure 3-18 The deployment of LAN Using Transparent Routing and NAT/ Routing

105 3.1.6 Deploying the CS-2001 between the Gateway and the LAN (LAN1 and DMZ1), connecting LAN1 to the user’s PC (using NAT/Routing mode) and then

106 Step 1. Go to Network > Interface and then set as below:（Figure 3-19）  Click Port1’s Modify button.  Select LAN for Interface Type.  Sel

107 Figure 3-20 DMZ Interface Settings Step 3. Go to Network > Interface Group and then set as below:（Figure 3-21）  Configure Port2(WAN1) and Po

108 Step 4. PCs (IP range: 172.16.x.x/16) on DMZ may use the original address to access the Internet through CS-2001. PCs on LAN will connect to WAN1

1 Basic System Configuration Step 1. Connect both the IT administrator’s PC and the device’s LAN port to the same hub / switch, and launch a browser

109 Note： 1. PCs in DMZ will access the Internet via the original firewall. 2. If Port4 is configured as WAN2 (211.22.22.22) and connected to the

110 3. Configure a router to connect different subnets in LAN for the PCs to access the Internet through the original firewall. PCs in DMZ may using

111 4. Configure two Firewall to connect the Internet and the CS-2001 and then configure a router to connect the CS-2001 and DMZ (192.168.2.1/24 and

112 3.1.7 Deploying CS-2001 between the Gateway and LAN (LAN1 and DMZ1) for LAN Users and DMZ Users to Access the Internet Prerequisite Setup (Note

113 Step 1. Go to Network > Interface and then set as below:（Figure 3-26）  Click Port1’s Modify button.  Select WAN for Interface Type.  Sel

114 Step 2. Under Network > Interface, set as below:（Figure 3-27）  Click Port2’s Modify button.  Select LAN for Interface Type.  Select Tran

115 Step 3. Under Network > Interface and then set as below:（Figure 3-28）  Click Port3’s Modify button.  Select WAN for Interface Type.  Sel

116 Step 4. Under Network > Interface, set as below:（Figure 3-29）  Click Port4’s Modify button.  Select DMZ for Interface Type.  Select Tran

117 Step 6. Users connecting to Port2(LAN1) will use 192.168.1.x/24 to access the Internet. Users on Port4(DMZ1) will use the IP address that distrib

118 3.1.8 Using the CS-2001 Device as the Gateway and Connecting it to the LAN (There are Two LAN Interface, One Use NAT/Routing, the Other One Use

2 Step 3. The user interface consists of the following two panels:  Menu Panel: Presents all the available system configurations in a tree direct

119 Step 1. Go to Network > Interface and set as below:（Figure 3-32）  Click Port1’s Modify button.  Select WAN for Interface Type.  Select t

120 Step 2. Go to Network > Interface and then set as below:（Figure 3-33）  Click Port2’s Modify button.  Select LAN for Interface Type.  Sel

121 Step 4. Go to Network > Interface Group and then set as below:（Figure 3-35）  Configure Port1(WAN1), Port2(LAN1) and Port3(LAN2) as Group 1.

122 Step 5. PCs under sales department (LAN1) and PCs under support department (LAN2) are on 192.168.1.x/24. They will connect to WAN1 and use WAN1’s

123

124 Policy Object

125 Chapter 4 Address In Address, the IT administrator may configure network settings of LAN, WAN and DMZ, as well as designate specific addresses

126 Terms in Address Name  An easily identifiable name to represent the IP address or addresses. Address type  Used to designate the IP range a

CS-2001 UTM Content Security Gateway User’s Manual 127 FQDN（Fully Qualified Domain Name）  The FQDN consists of two parts: the hostname and the dom

128 4.1 Example No. Settings Scenario Page 4.1.1 LAN Using DHCP to Grant Only FTP Access to a LAN User with Specific IP Address 129 4.1.2

3 Step 4. If it’s the first time you’ve logged into the management interface, an install wizard will appear to guide you through setting some of the

129 4.1.1 Using DHCP to Assign an IP to a Specific User and only Permitting FTP Access Step 1. Under Policy Object > Address > LAN, set as bel

130 Note: 1. To save the configured data from Policy Object > Address > WAN / LAN / DMZ as a file for storage or modification, use Export da

131 Step 2. Go to Policy > Outgoing and configure as below:（Figure 4-3）  Source Address: Select the source address.  Service : Select FTP. 

132 4.1.2 Creating a Policy for Certain Users to Connect to a Specific IP Address Step 1. Create several addresses under Policy Object > Address

133 Step 2. Under Policy Object > Address > LAN Group, set as below:（Figure 4-6）  Click New Entry.  Name: Designate a name for the group. 

134 Step 3. Go to Policy Object > Address > WAN and configure as below:（Figure 4-8）  Click New Entry.  Name: Designate a name for the group

135 Step 4. Go to Policy > Outgoing and configure as below:（Figure 4-10）  Source Address: Select the LAN address group.  Destination Address:

136 Chapter 5 Service TCP and UDP protocols provide different services. These services have an associated port number, for example Telnet = 23, FTP

137 Terms of Service Pre-Defined Symbol Description Any service Services using the TCP protocol: AFPoverTCP, AOL, BGP, FINGER, FTP, GOPH

138 5.1 Example of Pre-defined 5.1.1 Creating a Policy to Permit WAN Users Using VoIP Technology to Communicate with LAN Users (Using VoIP Port Num

4 Important： 1. Any data saved on the interface will be saved as the selected default character encoding if the device is unable to recognize the

139 Step 2. Go to Policy Object > Service > Custom and then configure as below:（Figure 5-3）  Name: Type in a name for the service.  In row

140 Step 3. Go to Policy Object > Virtual Server > Port Mapping and use settings you created in Policy Object > Service > Custom. (Figure

141 Step 5. Go to Policy > Outgoing and configure as below:（Figure 5-8）  Source Address: Select the LAN group.  Service: Select the custom ser

142 5.2 Example of Service Group 5.2.1 Creating a Policy with a Service Group to Limit Specific LAN Users to Access Only Certain Internet Service

143 Figure 5-11 The Added Service Group

144 Step 2. Go to Policy Object > Address > LAN Group and create a LAN Group of specific LAN users that are only permitted to access certain se

145 Figure 5-14 The Completed Policy Settings

146 Chapter 6 Schedule Schedule is used for regulating the activation time of policies. With its help, the IT administrator may determine a specifi

147 Terms in Schedule Name  Designates the name of the schedule. Type  Two modes are provided:  Recurring: Based upon a weekly schedule,

148 6.1 Example 6.1.1 Assigning Daily Internet Access Time Slots for LAN Users Step 1. Under Policy Object > Schedule > Settings, set as belo

5 Step 7. Configure theWAN Interface (please refer to your ISP for the settings).  Setting: Select Port2(WAN1)  Interface: Select WAN  Connecti

149 Step 2. Under Policy > Outgoing, set as below:（Figure 6-3）  Select the pre-defined schedule for Schedule.  Click OK.（Figure 6-4） Figure 6

150 Chapter 7 QoS QoS provides bandwidth management for LAN users accessing the Internet via the CS-2001. When applied with a Policy, it ensures us

151 Terms in Settings Name  The name of the QoS setting. Port  The WAN port to apply QoS. Downstream Bandwidth  Determines the guaranteed ba

152 7.1 Example 7.1.1 Creating a Policy to Limit Upload and Download Bandwidth Step 1. Under Policy Object > QoS > Settings, set as below:（F

153 Figure 7-4 The Completed QoS Settings

154 Step 2. Under Policy > Outgoing, set as below:（Figure 7-5）  Select the pre-configured QoS setting.  Click OK.（Figure 7-6） Figure 7-5 Appl

155 Figure 7-6 The Completed Policy Setting Note： 1. Under Policy Object > QoS > Settings, the available bandwidth range, such as G. Bandw

156 Chapter 8 Authentication Authentication regulates users access to the Internet. CS-2001 offers five authentication modes, namely User, Group, R

157 Terms in Authentication Authentication Management  Provides basic settings for managing authentication:  Authentication Port Number: The por

158 Figure 8-1 Authentication Management Settings

6 Step 8. Tick the Synchronize to an NTP Server box to ensure the system is provided with the accurate time. Figure9. Time Settings Step 9. Enab

159  The authentication login screen appears after a user attempts to access a web site:（Figure 8-2） Figure 8-2 The Authentication Login Screen 

160 Note： 1. The Allow password modification mechanism is only applicable to authenticated users. 2. The authentication login screen appears afte

CS-2001 UTM Content Security Gateway User’s Manual 161 LDAP User Name Lists the LDAP User Name from LDAP server. The user name may be grouped for au

162 8.1 User / Group Authentication 8.1.1 Regulating Internet Access with a Policy Step 1. Go to Policy Object > Authentication > Account, a

163 Step 2. Under Policy Object > Authentication > Group, set as below:（Figure 8-5）  Click New Entry.  Group Name: Type a name for the gr

164 Step 3. Go to Policy > Outgoing and configure as below:（Figure 8-6）  Authentication: Select the group name that was configured in the previo

165 Step 4. The authentication login screen is displayed in the web browser when a LAN user tries to access the Internet. Internet access will be ava

166 8.2 RADIUS Authentication 8.2.1 Regulating Internet Access with a Policy – An Example using the RADIUS Server from Windows Server 2003 ※ Th

167 Step 3. The Internet Authentication Service.（Figure 8-11） Figure 8-11 Selecting the Internet Authentication Service Step 4. Go to Start >

168 Step 5. Right-click RADIUS Clients and then click New RADIUS Client.（Figure 8-13） Figure 8-13 Adding a RADIUS Client Step 6. Type a name and th

7 Note： 1. Go to Policy > Outgoing and configure as below:  Source Address: Select Inside_Any  Destination Address: Select Outside_Any  S

169 Figure 8-14 Typing a Friendly Name and the Management Address

170 Step 7. Select RADIUS Standard from the Client-Vendor dorp-down list, and then configure the Shared secret and Confirm shared secret as same as t

171 Figure 8-16 Adding a Remote Access Policy

172 Step 9. Select Use the wizard to set up a typical policy for a common scenario and then type a name in the Policy name field.（Figure 8-17） Figur

173 Step 10. Select Ethernet.（Figure 8-18） Figure 8-18 Selecting the Access Method

174 Step 11. Select User.（Figure 8-19） Figure 8-19 Selecting User or Group Access Step 12. Select MD5-Challenge from the drop-down list.（Figure 8-

175 Step 13. Right-click the newly added policy name and then click Properties.（Figure 8-21） Figure 8-21 Configuring the Properties of a Policy

176 Step 14. Select Grant remote access permission and then remove the existing settings. Next, click Add….（Figure 8-22） Figure 8-22 Configuring th

177 Step 15. Select Service-Type to add.（Figure 8-23） Figure 8-23 Select the Attribute Type Step 16. Select Authenticate Only and Framed from the

178 Step 17. Click on the Edit Profile…, then click the IP tab and then tick Server settings determine IP address assignment.（Figure 8-25） Figure 8

8 Step 11. Settings complete. Figure13. Installation Wizard Completed

179 Step 18. Click on the Edit Profile… button then click on the Authentication tab. Tick Microsoft Encrypted Authentication version 2 (MS-CHAP v2),

180 Step 19. Click on the Edit Profile…, click the Advanced tab and then click Add….（Figure 8-27） Figure 8-27 Configuring the Advanced Settings

181 Step 20. Select Framed-Protocol and click Add.（Figure 8-28） Figure 8-28 Adding the Attribute

182 Step 21. For Framed-Protocol, select PPP from the Attribute value drop-down list.（Figure 8-29） Figure 8-29 Attribute Setting 1 Step 22. For S

183 Step 23. Go to Start > Settings > Control Panel > Administrative Tools, then select Computer Management.（Figure 8-31） Figure 8-31 Sele

184 Figure 8-32 Adding a User

185 Step 25. Settings completed. Step 26. Under Policy Object > Authentication > RADIUS, configure each field to be the same as the settings

186 Step 28. Under Policy > Outgoing, set as below:（Figure 8-35）  Select the defined user group for Authentication User.  Click OK.（Figure 8-

187 8.3 POP3 Authentication 8.3.1 Regulating Internet Access with a Policy – An Example of POP3 Step 1. Under Policy Object > Authenticat

188 Figure 8-39 Adding POP3 User to an Authenticated Group

1 Copyright Copyright© 2012 by PLANET Technology Corp. All rights reserved. No part of this publication may be reproduced, transmitted, transcribed,

9 S.1 Overview of Functions Category Configurable Settings Description Index System Administration Admin Creates, modifies or removes adminis

189 Step 3. Under Policy > Outgoing, set as below:（Figure 8-40）  Authentication: Select the user group.  Click OK.（Figure 8-41） Figure 8-40 U

190 8.4 LDAP Authentication 8.4.1 Regulating Internet Access with a Policy － An Example of Windows Server 2003 Built-in LDAP Server ※ The Con

191 Step 3. In the Preliminary Steps window, click Next.（Figure 8-44） Figure 8-44 Preliminary Steps Step 4. In the Server Role window, select Dom

192 Step 5. In the Summary of Selections window, click Next.（Figure 8-46） Figure 8-46 Summary of Selections Step 6. In the Active Directory Insta

193 Step 7. In the Operating System Compatibility window, click Next.（Figure 8-48） Figure 8-48 Operating System Compatibility Step 8. In the Domain

194 Step 9. In the Create New Domain window, select Domain in a new forest and click Next.（Figure 8-50） Figure 8-50 Creating a New Domain Step 10.

195 Step 11. In the NetBIOS Domain Name window, type a Domain NetBIOS name and then click Next.（Figure 8-52） Figure 8-52 The NetBIOS Domain Name St

196 Step 13. In the Shared System Volume window, specify the Folder location and then click Next.（Figure 8-54） Figure 8-54 The Shared System Volume

197 Step 15. In the Permissions window, select Permissions compatible only with Windows 2000 or Windows Server 2003 operating systems and then click

198 Step 17. In the Summary window, click Next. (Figure 8-58) Figure 8-58 The Summary Step 18. Settings completed.（Figure 8-59） Figure 8-59 Sett

10 LAN and DMZ users. Installation Wizard For quick installation and configuration. Language Available languages include Traditional Chinese, Simp

199 Step 19. Go to Start > Programs > Administrative Tools > Active Directory Users and Computers.（Figure 8-60） Figure 8-60 Navigating to

200 Step 21. In the New Object–User window, apply your information to the fields, and then click Next.（Figure 8-62） Figure 8-62 New Object – User S

201 Step 23. User has been successfully created.（Figure 8-64） Figure 8-64 User Successfully Created Step 24. Go to Policy Object > Authenticat

202 Step 25. Go to Policy Object > Authentication > Group, then add LDAP User.（Figure 8-66） Figure 8-66 Adding the LDAP User

203 Step 26. Under Policy > Outgoing, set as below:（Figure 8-67）  Select the defined user group for Authentication User.  Click OK.（Figure 8-

204 Chapter 9 Application Blocking Application Blocking regulates the control of Instant Messenger Login, File Transfer over IM, Peer-to-Peer Shari

205 Terms in Application Blocking Application Signatures Settings  The application signatures are updated hourly. Alternatively, they can be manua

206 VPN Tunneling  Regulates the online usage of VNN Client, Ultra-Surf, Tor, Hamachi, HotSpot Shield and FreeGate. Remote Controlling  Regulate

207 9.1 Example No. Example Scenario Page 9.1.1 IM Regulating the Use of IM Software ─ Messaging and File Transferring 208 9.1.2 P2P

208 9.1.1 Regulating the Use of IM Software ─ Messaging and File Transferring Step 1. Go to Policy Object > Application Blocking > Settings

11 Web-based mail, online gaming, VPN Tunneling, and remote controlling. Virtual Server Mapped IPs Maps an internal host to an external IP address

209 Figure 9-2 Settings Completed

210 Step 1. Under Policy > Outgoing, set as below:（Figure 9-3）  Application Blocking: Select the name of the Application Blocking setting.  Cl

211 9.1.2 Regulating the Use of P2P Software － Downloading and Uploading Step 1. Under Policy Object > Application Blocking > Settings, set

212 Figure 9-6 Settings Completed

213 Step 2. Under Policy > Outgoing, set as below:（Figure 9-7）  Application Blocking: Select the name of the Application Blocking Setting.  Cl

214 Chapter 10 Virtual Server Virtual server provides services to external users by mapping a real IP address from a WAN port on the CS-2001 to a p

215 Terms in Virtual Server WAN IP  The real IP address of the WAN. Map to Virtual IP  The private network address of a server in the LAN.

216 10.1 Example No. Settings Scenario Page 10.1.1 Mapped IPs Using a Server to Provide FTP, Web and Mail Services through the Regulation of a

217 10.1.1 Using a Server to Provide FTP, Web and Mail Services through the Regulation of a Policy Step 1. Setup a server in the LAN which provides

218 Step 4. Go to Policy Object > Service > Group, and create a group called Main_Service containing all of the server’s services e.g. DNS, FTP

12 Personal Rule spam filtering is applied in the following order: Greylist Filtering > Personal Rule, Global Rule > Whitelist > Blacklist

219 Step 6. Under Policy > Outgoing, set as below: (Figure 10-6)  Source Address: Select the LAN address.  Service: Select Mail_Service.  Cl

220 Step 7. The completed settings.（Figure 10-8） Figure 10-8 The Server Providing Multiple Services Note: 1. It is strongly recommended not to s

221 10.1.2 Using Multiple Virtual Servers to Host a Web Site through the Regulation of a Policy Step 1. Set up multiple web servers in the LAN us

222 Figure 10-9 Setting Virtual IP Figure 10-10 The Completed Virtual IP Settings

223 Step 3. Under Policy > Incoming, set as below:（Figure 10-11）  Destination IP: Select the Virtual IP setting.  Service: Select HTTP(8080) 

224 Step 4. Settings completed.（Figure 10-13） Figure 10-13 Multiple Servers Hosting a Single Website

225 10.1.3 A VoIP Session Between an External and Internal User (VoIP Ports: TCP 1720, TCP 15321-15333 and UDP 15321-15333) Step 1. Configure inter

226 Step 4. Under Policy Object > Virtual Server > Port Mapping, set as below:（Figure 10-16）  Name : Enter the name for the Virtual IP settin

227 Step 5. Under Policy > Incoming, set as below:（Figure 10-18）  Destination IP: Select the vitual server setting.  Service: Select the custo

228 Step 6. Under Policy > Outgoing, set as below:（Figure 10-20）  Source IP: Select the address setting.  Service: Select the service setting.

13 IDP Reports Settings Provides statistics in the form of graphs and logs. Statistics can be sent to the specific recipient periodically and logs

229 Step 7. A VoIP session created between an internal and external user.（Figure 10-22） Figure 10-22 The Completed VoIP Setup

230 10.1.4 Using Multiple Virtual Servers to Provide HTTP, POP3, SMTP and DNS Services through the Regulation of a Policy Step 1. Set up multiple s

231 Figure 10-25 A Created Group Service

232 Step 4. Under Policy Object > Virtual Server > Port Mapping, set as below:（Figure 10-26）  Name: Enter the name for the setting.  Server

233 Step 5. Go to Policy > Incoming and then set as below:（Figure 10-28）  Select the virtual server setting for Destination IP.  Select Main_S

234 Step 6. Go to Policy > Outgoing and set as below:（Figure 10-30）  Select the defined rule from the Source Address drop-down list.  Select M

235 Step 7. Settings completed.（Figure 10-32） Figure 10-32 Settings Completed

236 Chapter 11 VPN To obtain a private and secure network link, the CS-2001 is capable of establishing VPN connections. When used in combination wi

237 Terms in VPN Diffie-Hellman  A cryptographic protocol that allows two parties that have no perior knowledge of each other to establish a share

238 AH ( Authentication Header )  The Authentication Header guarantees connectionless integrity and data origin authentication of IP datagrams.

14 Virus-infected IP Displays a list of IP addresses detected as having an anomaly flow. Advanced Inbound Balancing Settings For distributing inbo

239 Extended Authentication (XAuth)  XAuth provides an additional level of authentication. It uses a Request/ Reply mechanism to provide the extend

240 Terms in One-Step IPSec One-Step IPSec  One-Step IPSec merely takes one step to complete settings  Go to Policy Object > VPN > One-Ste

241 Figure 11-3 The Automatically Created IPSec Policy Figure 11-4 The Corresponding Outgoing Policy Figure 11-5 The Corresponding Incoming Poli

242 Terms in VPN Wizard： VPN Wizard  It simplifies the settings of a VPN connection.  Under Policy Object > VPN > VPN Wizard, set as below

243 Figure 11-9 Applying Available VPN Trunk to the Policy Figure 11-10 Setting Completed Figure 11-11 An Outgoing Policy Completed Figure 11

244 Terms in IPSec Autokey Status  The symbol and its description used in the VPN connection status. Symbol Description Disconnected Connect

245 Terms in PPTP Server PPTP Server  The status of PPTP server that shows enable or disable.  The range of IP address, DNS server, WINS serve

246 Terms in PPTP Client Status  The symbol and its description used in the VPN connection status. Symbol Description Disconnected Connecting

247 Terms in Trunk Status  The symbol and its description used in the VPN connection status. Symbol Description Disconnected Connecting Nam

248 Terms in Trunk Name  The description for VPN trunk. Note: the name has to be exclusive from any other. Group Member  The groups that are su

15 Historical Top Chart Traffic Grapher WAN Traffic Displays the usage statistics from the WAN interfaces. Chapter 31 Policy-Based Traffic Displa

249 11.1 Example No. Settings Scenario Page 11.1.1 IPSec Autokey Using Two CS-2001 Devices to Mutually Access the Resources of Two Subnets

250 11.1.1 Using Two CS-2001 Devices to Mutually Access the Resources of Two Subnets via an IPSec VPN Connection Prerequisite Setup (Note: IP addres

251 Step 3. Select Remote Gateway (Static IP or Hostname) for Remote Settings, and enter the management address of B Company.（Figure 11-20） Figure 1

252 Step 4. Select “Pre-Shared Key” for Authentication Method, and enter a Pre-Shared Key String. (The maximum length of Pre-Shared Key String is 103

253 Step 8. Settings completed.（Figure 11-25） Figure 11-25 IPSec Autokey Settings Completed Step 9. Under Policy Object > VPN > Trunk, set as

254 Figure 11-26 VPN Trunk Settings Figure 11-27 VPN Trunk Created Step 10. Under Policy > Outgoing, set as below:（Figure 11-28）  Select th

255 Step 11. Under Policy > Incoming, set as below:（Figure 11-30）  Select the defined trunk for VPN Trunk.  Click OK.（Figure 11-31） Figure 1

256 For B Company, set as below: Step 1. Under System > Configuration > Multiple Subnets, set as below:（Figure 11-32） Figure 11-32 Multiple S

257 Step 5. Select “Pre-Shared Key” for Authentication Method, and enter a Pre-Shared Key String. ( The maximum length of Pre-Shared Key String is 10

258 Step 9. Settings completed.（Figure 11-40） Figure 11-40 IPSec Autokey Settings Completed Step 10. Under Policy Object > VPN > Trunk, clic

16 System

259 Figure 11-41 VPN Trunk Settings Figure 11-42 VPN Trunk Created

260 Step 11. Under Policy > Outgoing, click New Entry and then set as below:（Figure 11-43）  Select the defined Trunk for VPN Trunk.  Click OK

261 Step 12. Under Policy > Incoming, click New Entry and then set as below:（Figure 11-45）  Select the defined trunk for VPN Trunk.  Click OK

262 Step 13. Settings completed.（Figure 11-47） Figure 11-47 Deployment of IPSec VPN

263 11.1.2 Creating an IPSec VPN Connection under Windows 2000 by a CS-2001 Device Prerequisite Setup (Note: IP addresses used as examples only) A

264 11-50） Figure 11-50 Remote Settings Step 4. Select “Pre-Shared Key” for Authentication Method, and enter a Pre-Shared Key String. (The maximum

265 Figure 11-54 Advanced Settings of IPSec Autokey Step 8. Settings completed.（Figure 11-55） Figure 11-55 IPSec Autokey Settings Completed Ste

266 Figure 11-56 VPN Trunk Settings Figure 11-57 VPN Trunk Created

267 Step 10. Under Policy > Outgoing, set as below:（Figure 11-58）  Select the defined trunk for VPN Trunk.  Click OK.（Figure 11-59） Figure 1

268 Step 11. Under Policy > Incoming, set as below:（Figure 11-60）  Select the defined trunk for VPN Trunk.  Click OK.（Figure 11-61） Figure 1

17 Chapter 1 Administration This chapter mainly explains the authorization settings for accessing the CS-2001. It covers the subjects of Admin,

269 For B Company, set as below: Step 1. Select Start > Run on the Start menu in Windows 2000.（Figure 11-62） Figure 11-62 Selecting “Run…” o

270 Step 3. In the Console 1 window, click Console on the menu bar, and then click Add/Remove Snap-in.（Figure 11-64） Figure 11-64 Selecting “Add / R

271 Step 5. Select Local Computer, and then click Finish.（Figure 11-66） Figure 11-66 Selecting Local Computer Step 6. Settings completed.（Figure 1

272 Step 7. Right-click the IP Security Policies on Local Machine, and then click Create IP Security Policy.（Figure 11-68） Figure 11-68 Creating an

273 Step 9. Type the Name and Description and then click Next.（Figure 11-70） Figure 11-70 Name and Description Settings Step 10. Disable Activate

274 Step 11. In the IP Security Policy Wizard window, tick Edit properties and click Finish.（Figure 11-72） Figure 11-72 Settings Completed Step 12

275 Figure 11-73 VPN_B Properties

276 Step 13. In the New Rule Properties window, click Add.（Figure 11-74） Figure 11-74 New Rule Properties Step 14. In the IP Filter List window,

277 Figure 11-75 Adding an IP Filter

278 Step 15. In the Filter Properties window, select “A specific IP Address” for Source address, and then apply B Company’s WAN IP address “211.22.2

18 Terms in Admin Admin Name  The authentication name to log in the system.  The IT administrator’s name and password are assigned as admin whic

279 Figure 11-77 IP Filter Added

280 Step 17. In the New Rule Properties window, click Filter Action tab and then tick Require Security. Next, click Edit.（Figure 11-78） Figure 11-7

281 Figure 11-79 Ticking the “Session Key Perfect Forward Secrecy”

282 Step 19. Select the security method (Custom / None / 3DES / MD5), and then click Edit.（Figure 11-80） Figure 11-80 Selecting a Security Method t

283 Figure 11-81 Modifying Security Method

284 Step 21. Tick Data integrity and encryption, and select “MD5” for Integrity algorithm and “3DES” for Encryption algorithm. Tick Generate a new k

285 Figure 11-83 Selecting the Connection Type

286 Step 23. In the New Rule Properties window, click Tunnel Setting tab. After that, tick The tunnel endpoint is specified by this IP Address, and

287 Figure 11-85 Authentication Methods Settings

288 Step 25. Select Use this string to protect the key exchange (preshared key), and then enter the preshared key “123456789” in the field.（Figure 1

2 interference in a residential installation. This equipment generates, uses, and can radiate radio frequency energy and, if not installed and used i

19 1.1 Admin 1.1.1 Adding a Sub-Administrator Step 1. Go to System > Administration > Admin, set as below:（Figure 1-1）  Click the New Sub-

289 Step 26. Click Apply, and then click Close to close the window.（Figure 11-87） Figure 11-87 Authentication Methods Settings

290 Step 27. Settings completed.（Figure 11-88） Figure 11-88 Settings Completed

291 Step 28. In the VPN_B Properties window, disable Use Add Wizard; click Add to create the second IP security rule.（Figure 11-89） Figure 11-89 VP

292 Step 29. In the New Rule Properties window, click Add.（Figure 11-90） Figure 11-90 Clicking “Add…” to Add an IP Filter

293 Step 30. In the IP Filter List window, disable Use Add Wizard. Change the Name into “VPN_B LAN TO WAN”, and then click Add.（Figure 11-91） Figur

294 Step 31. In the Filter Properties window, select “A specific IP Subnet” for Source address, and then type “192.168.10.0” as A Company‘s subnet a

295 Step 32. Settings completed.（Figure 11-93） Figure 11-93 IP Filter Added

296 Step 33. In the New Rule Properties window, click Filter Action tab; tick Required Security and then click Edit.（Figure 11-94） Figure 11-94 Fil

297 Figure 11-95 Ticking the “Session Key Perfect Forward Secrecy”

298 Step 35. Select the security method (Custom / None / 3DES / MD5), and then click Edit.（Figure 11-96） Figure 11-96 Security Methods Settings St

20 1.1.2 Modifying the Password Step 1. Go to System > Administration > Admin and then set as below:（Figure 1-2）  Click the Modify button o

299 Figure 11-97 Modifying Security Method

300 Step 37. Check Data integrity and encryption, and select “MD5” for Integrity algorithm and “3DES” for Encryption algorithm. Tick Generate a new

301 Step 38. In the New Rule Properties window, click Connection Type tab and tick All network connections.（Figure 11-99） Figure 11-99 Selecting th

302 Step 39. In the New Rule Properties window, click Tunnel Setting tab. After that, tick The tunnel endpoint is specified by this IP Address, and

303 Step 40. In the New Rule Properties window, click Authentication Methods tab. Next, select the method “Kerberos” and then click Edit on the righ

304 Step 41. Select Use this string to protect the key exchange (preshared key), and then enter the preshared key “123456789” in the field.（Figure 1

305 Step 42. Click Apply, and then click Close to close the window.（Figure 11-103） Figure 11-103 New Authentication Method Created

306 Step 43. Settings completed.（Figure 11-104） Figure 11-104 Settings Completed

307 Step 44. In the VPN_B Properties window, click General tab and then click Advanced.（Figure 11-105） Figure 11-105 General Settings of VPN_B Prop

308 Step 45. Tick Master Key Perfect Forward Secrecy and then click Methods.（Figure 11-106） Figure 11-106 Key Exchange Settings Step 46. Click Mo

21 1.2 Permitted IPs 1.2.1 Adding a Permitted IP Step 1. Under System > Administrator > Permitted IPs, click the New Entry button and then s

309 Step 47. Settings completed.（Figure 11-108） Figure 11-108 IPSec VPN Settings Completed Step 48. Right-click VPN_B and move to Assign, and the

310 Step 49. Select Start > Settings > Control Panel on the Start menu, and then click it. （Figure 11-110） Figure 11-110 Selecting “Control

311 Step 51. In the Administrative Tools window, double-click Services.（Figure 11-112） Figure 11-112 The Services Window Step 52. In the Services

312 Step 53. Settings completed.（Figure 11-114） Figure 11-114 Deployment of IPSec VPN Using CS-2001 and Windows 2000

313 11.1.3 Creating an IPSec VPN Connection between Two CS-2001 Devices (An Aggressive Mode Example) Prerequisite Setup (Note: IP addresses used as

314 and enter the management address of B Company.（Figure 11-117） Figure 11-117 Remote Settings

315 Step 4. Select “Pre-Shared Key” for Authentication Method, and enter a Pre-Shared Key String. (The maximum length of Pre-Shared Key String is 103

316 Step 8. Select “Aggressive mode” for Mode. Enter 11.11.11.11 in the My ID field and then enter @abc123 in the Peer ID field.（Figure 11-122） Figu

317 Step 10. Under Policy Object > VPN > Trunk, set as below:（Figure 11-124）  Name: Type a name.  Local Settings: Select “LAN”. Local IP /

318 Step 11. Under Policy > Outgoing, click New Entry and then set as below:（Figure 11-126）  Select the defined trunk from the VPN Trunk drop-

22 1.3 Logout 1.3.1 Logging out the System Step 1. Click Logout to protect the system from any unauthorized modification while being away.（Figure

319 Step 12. Under Policy > Incoming, click New Entry and then set as below:（Figure 11-128）  Select the defined trunk from the VPN Trunk drop-d

320 For B Company, set as below: Step 1. Under Policy Object > VPN > IPSec Autokey, click New Entry and then set as below:（Figure 11-130） Fig

321 Step 5. Below Encryption and Data Integrity Algorithms, select “3DES” for Encryption Algorithm; select “SHA1” for Authentication Algorithm; selec

322 Step 6. Configure the settings under IPSec Algorithm. Select “3DES” for Encryption Algorithm and “MD5” for Authentication Algorithm.（Figure 11-13

323 Step 10. Select Policy Object > VPN > Trunk, click New Entry and then set as below:（Figure 11-139）  Name: Type a name.  Local Settings

324 Figure 11-140 VPN Trunk Created

325 Step 11. Under Policy > Outgoing, click New Entry and then set as below:（Figure 11-141）  Select the defined trunk for VPN Trunk.  Click O

326 Step 12. Under Policy > Incoming, click New Entry and then set as below:（Figure 11-143）  Select the defined trunk for VPN Trunk.  Click O

327 Step 13. Settings completed.（Figure 11-145） Figure 11-145 Deployment of IPSec VPN Using Aggressive Mode

328 11.1.4 Using Two CS-2001 Devices to Connect Outbound Load Balance with IPSec VPN (Using GRE/IPSec Package Algorithm) Prerequisite Setup (Note:

23 Step 2. Click OK and then the logout message appears.（Figure 1-6） Figure 1-6 The Logout Message

329 For A Company, set as below: Step 1. Go to Policy Object > VPN > IPSec Autokey, and then click New Entry.（Figure 11-146） Figure 11-146 IPS

330 Step 6. Select Use both algorithms below the IPSec Algorithm, or tick Use authentication algorithm only. If ticked Use both algorithms, please se

331 Step 9. Setting completed.（Figure 11-154） Figure 11-154 IPSec Autokey Settings Completed Step 10. Select Policy Object > VPN > IPSec Aut

332 Step 14. Under the ISAKMP Algorithm section, select “3DES” for Encryption Algorithm; select “MD5” for Authentication Algorithm; select “DH 1” fo

333 Step 18. Settings completed.（Figure 11-163） Figure 11-163 IPSec Autokey Settings Completed Step 19. Under Policy Object > VPN > Trunk, s

334 Figure 11-164 VPN Trunk Settings Figure 11-165 VPN Trunk Created

335 Step 20. Under Policy > Outgoing, click New Entry and then set as below:（Figure 11-166）  Select the defined trunk for VPN Trunk.  Click O

336 Step 21. Under Policy > Incoming, click New Entry and then set as below:（Figure11-168）  Select the defined trunk for VPN Trunk.  Click OK

337 For B Company, set as below: Step 1. Go to Policy Object > VPN > IPSec Autokey, and then click New Entry.（Figure 11-170） Figure 11-170 IP

338 Figure 11-174 ISAKMP Algorithm Settings

24 1.4 Updating Software Step 1. To run a software update, go to System > Administration > Software Update and follow the steps below:  Cli

339 Step 6. Select Use both algorithms below the IPSec Algorithm, or tick Use authentication algorithm only. If ticked Use both algorithms, please se

340 Step 10. Under Policy Object > VPN > IPSec Autokey, click New Entry again. Step 11. Type VPN_02 in the Name field and then select Port3

341 Algorithm.（Figure 11-184） Figure 11-184 IPSec Algorithm Settings Step 16. Select “Group 1” for PFS Key Group. Enter “3600” in the ISAKMP SA Li

342 Step 19. Under Policy Object > VPN > Trunk, set as below: （Figure 11-188）  Name: Type a name.  Local Settings: Select “LAN”. Local IP

343 Step 20. Under Policy > Outgoing, click New Entry and then set as below:（Figure 11-190）  Select the defined trunk for VPN Trunk.  Click O

344 Step 21. Select Policy > Incoming, click New Entry and then set as below:（Figure 11-192）  Select the defined trunk for VPN Trunk.  Click

345 Step 22. Settings completed.（Figure 11-194） Figure 11-194 Deployment of IPSec VPN Using GRE/IPSec

346 11.1.5 Establishing an IPSec VPN Connection by Three CS-2001 Devices Prerequisite Setup (Note: IP addresses used as examples only) A Company: C

CS-2001 UTM Content Security Gateway User’s Manual 347 For A Company, set as below: Step1. Go to Policy Object > VPN > IPSec Autokey and the

348 Figure 11-199 Configuring the IPSec Algorithm Step6. Under the IPSec Algorithm section, select 3DES for Encryption Algorithm and then select

25 Chapter 2 Configuration Configuration includes the following system settings: System Settings, Date / Time, Multiple Subnets, Route Table, DHCP,

349 Step8. Policy Created.（Figure 11-202） Figure 11-202 Policy Created Step9. Go to Policy Object > VPN > Trunk, click New Entry and then s

350 Figure 11-204 First Trunk Completed Step10. Go to Policy Object > VPN > IPSec Autokey and then click the New Entry button again.（Figure

351 1 for Key Group.（Figure 11-209） Figure 11-209 Configuring ISAKMP Algorithm

352 Step15. Under the IPSec Algorithm section, select Use both algorithms. Select 3DES for Encryption Algorithm and MD5 for Authentication Algorithm

353 Step18. Go to Policy Object > VPN > Trunk, click New Entry and then set as below:（Figure 11-213）  Type the name in the Name field.  Lo

354 Step19. Go to Policy Object > VPN > Trunk Group, click New Entry and then set as below:（Figure 11-215）  Type the name in the Name field.

355 Step20. Under Policy > Outgoing, click New Entry and then set as below:（Figure 11-217）  Select the defined Trunk from the VPN Trunk drop-do

356 Step21. Go to Policy > Incoming, click New Entry and then set as below:（Figure 11-219）  Select the defined Trunk from the VPN Trunk drop-do

357 For B Company, set as below: Step 1. Go to Policy Object > VPN > IPSec Autokey and then click the New Entry button.（Figure 11-221） Figure

358 Step 6. Under the IPSec Algorithm section, select Use both algorithms. Select 3DES for Encryption Algorithm and then select MD5 for Authenticatio

26 Terms in Setting System Settings  Allows the IT administrator to import / export system settings, perform a factory reset and format the built-

359 Step 9. Under Policy Object > VPN > Trunk, click the New Entry button and then set as below:（Figure 11-229）  Type the name in the Name fi

360 Step 10. Go to Policy Outgoing, click the New Entry button and then set as below:（Figure 11-231）  Select the defined Trunk from the VPN Trunk

361 Step 11. Go to Policy > Incoming, click the New Entry button and then set as below:（Figure 11-233）  Select the defined Trunk from the VPN T

362 For C Company, set as below: Step 1. Under Policy Object > VPN > IPSec Autokey, click the New Entry button and then set as below:（Figure 1

363 Step 6. Under the IPSec Algorithm section, select Use both algorithms. Select 3DES for Encryption Algorithm and then select MD5 for Authenticatio

364 Step 9. Go to Policy Object > VPN > Trunk, click the New Entry button and then set as below:（Figure 11-243）  Type the name in the Name fi

365 Step 10. Go to Policy > Outgoing, click New Entry and then set as below:（Figure 11-245）  Select the defined Trunk from the VPN Trunk drop-d

366 Step 11. Go to Policy > Incoming, click New Entry and then set as below:（Figure 11-247）  Select the defined Trunk from the VPN Trunk drop-d

367 Step 12. Setting completed.（Figure 11-249） Figure 11-249 The Deployment of IPSec VPN

368 11.1.6 Using Two CS-2001 Devices to Establish PPTP VPN Connection (Outbound Load Balancing) Prerequisite Setup (Note: IP address used as exampl

27 device can block their IP address for the specified amount of time. This helps to prevent any unauthorized tampering of the device.

369 Step 1. Go to Policy Object > VPN > PPTP Server and then set as below:（Figure 11-250）  Click the Modify button.  Tick Enable PPTP.  T

370 3. Using RADIUS Server (refer to chapter 8 for RADIUS authentication) to establish PPTP VPN connection, go to Policy Object > VPN > PPTP S

371 Figure 11-253 Configuring the Second PPTP Server

372 Figure 11-254 Second PPTP Server Completed

373 Step 3. Go to Policy Object > VPN > Trunk, click New Entry and then set as below:（Figure 11-255）  Type the name in the Name field.  Loc

374 Note： 1. When Remote IP / Netmask is selected for Remote Settings, you may select only one tunnel to establish the PPTP VPN connection. Ste

375 Step 5. Go to Policy > Incoming, click New Entry and then set as below:（Figure 11-259）  Select the defined VPN from the VPN Trunk drop-down

376 For B Company, set as below: Step 1. Go to Policy Object > VPN > PPTP Client and then set as below:  Click New Entry.（Figure 11-261） 

377 Figure 11-263 Second PPTP Client Setting Completed Figure 11-264 Second PPTP Client Setting Completed Note： 1. When CS-2001 PPTP Client es

378 Step 2. Go to Policy Object > VPN > Trunk, click New Entry and then set as below:（Figure 11-265）  Enter the name in the Name field.  Lo

28 Important: 1. If the HTTP or HTTPS port number is modified then the number has to to be appended to the management IP address, such as http://6

379 Figure 11-266 Settings Completed Note: 1. When Remote IP / Netmask is selected for Remote Settings, the number of the PPTP_Client tunnel sho

380 Step 3. Go to Policy > Outgoing and then set as below:（Figure 11-267）  Select the defined Trunk from the VPN Trunk drop-down list.  Click

381 Step 4. Go to Policy > Incoming, click New Entry and then set as below:（Figure 11-269）  Select the defined Trunk from the VPN Trunk drop-dow

382 Step 5. Settings completed.（Figure 11-271） Figure 11-271 The Deployment of PPTP VPN

383 11.1.7 Using Two CS-2001 Devices to Establish PPTP VPN Connection Prerequisite Setup (Note: IP addresses used as examples only) A Company: Con

384 Step 1. Go to Policy Object >VPN > PPTP Server and then set as below:（Figure 11-272）  Click Modify.  Click Enable PPTP.  Click Encryp

385 Step 2. Go to Policy Object > VPN > PPTP Server, click New Entry and then set as below:（Figure 11-273）  Type PPTP_Connection in the Usern

386 For B Company, set as below; Step 1. Go to Policy Object > VPN > PPTP Client, click New Entry and then set as below:（Figure 11-275）  Typ

387 Step 2. Go to Policy Object > VPN > Trunk, click New Entry and then set as below:（Figure 11-277）  Enter the name in the Name field.  Lo

388 Step 3. Go to Policy > Outgoing, click New Entry and then set as below:（Figure 11-279）  Select the defined Trunk from the VPN Trunk drop-dow

3 Before contacting customer service, please take a moment to gather the following information: ♦ UTM Content Security Gateway serial number and

29  Specifies the subnets IP range. Interface  Denotes in which network, i.e. LAN or DMZ, the subnet resides. VLAN ID  Permits the interface

389 Step 4. Setting Completed.（Figure 11-281） Figure 11-281 Deployment of PPTP VPN Connection

390 11.1.8 Establishing PPTP VPN Connection by One CS-2001 Device and One PC Running Windows 2000 Prerequisite Setup (Note: IP addresses used as ex

391 Step 1. Go to Policy Object > VPN > PPTP Server and then set as below:（Figure 11-282）  Click Modify.  Click Enable PPTP.  Click Encry

392 3. If the external user wants to connect to IPSec VPN subnet via PPTP VPN connection, the Client IP Allocation/ IP Range must be on the LAN1 (19

393 Step 3. Go to Policy Object > VPN > Trunk, click New Entry and then set as below:（Figure 11-285）  Type the name in the Name field.  Loc

394 Note： 1. If the external users want to connect to the IPSec VPN subnet, the Local IP/ Netmask must be configured as the IPSec VPN subnet.

395 Step 4. Go to Policy > Outgoing, click New Entry and then set as below:（Figure 11-287）  Select the defined trunk from the VPN Trunk drop-dow

396 Step 5. Go to Policy > Incoming, click New Entry and then set as below:（Figure 11-289）  Select the defined Trunk from the VPN Trunk drop-dow

397 For B Company, set as below: Step 1. Right-click on My Network Places and then click Properties.（Figure 11-291） Figure 11-291 Selecting “Proper

398 Figure 11-292 Double-Clicking on “Make New Connection”

30 Note： 1. Dynamic Routing Protocols can be categoried into the following two categories:  Distance-Vector Routing Protocol: Uses the Bellman-F

399 Step 3. In the Location Information window, specify the country / region, area code and phone system accordingly, and then click OK.（Figure 11-29

400 Figure 11-294 Phone and Modem Options

401 Step 5. In the Network Connection Wizard window, click Next.（Figure 11-295） Figure 11-295 Network Connection Wizard Step 6. In the Network Conn

402 Step 7. In the Destination Address window, type the host name or IP address in the blank field and then click Next.（Figure 11-297） Figure 11-297

403 Step 9. In the Completing the New Connection Wizard window, type a Connection Name and then click Finish.（Figure 11-299） Figure 11-299 New Conne

404 Step 10. In the Connect Virtual Private Connection window, set as below:（Figure 11-300）  User Name: Type “PPTP_Connection”.  Password: Enter

405 Figure 11-302 PPTP VPN Connection Successfully Connected

406 Step 11. Settings completed.（Figure 11-303） Figure 11-303 Deployment of PPTP VPN

407 Mail Security

408 Chapter 12 Configuration Mail configuration refers to the processing basis of mail services. In this chapter, it will be covering the functiona

31 private purposes.  In 2007 30-bit AS numbers were introduced. These numbers are written either as simple integers, or in the form x.y, where x a

409 Terms in Settings Log Storage Time  Quarantined spam / virus emails can be designate a storage time and deleted when due.  You may also deci

410  Tag spam email’s subject with: --Spam--.  Tag virus-infected emails with: --Virus--.  Type the subject and the content of the mail notice.

411 Figure 12-1 Configuring the Settings of Mail Security

412  A notice with customized subject and message.（Figure 12-2） Figure 12-2 A Notice Shows Customized Subject and Message  An unscanned email is

413  The spam mail’s subject tagged with warning message.（Figure 12-4） Figure 12-4 The Spam Mail’s Subject Tagged with “Spam”  The virus mail’s

414 Terms in Account Manager Account Learning Settings  Disabled: Accounts added manually.  Accounts added automatically: the email account will

415 12.1 Mail Domains 12.1.1 Using Mail Domains to Filter Emails Step 1. Apply to a local ISP for several domain names, “planet.com.tw”, “suppor

416 Step 2. Under Mail Management > Configuration > Mail Domains, set as below:  Click the New Entry button to create the first entry.  Typ

417 Figure 12-8 Modifying the First Entry Figure 12-9 Typing the Domain Alias Figure 12-10 Settings Completed Figure 12-11 Creating the Second

418 Figure 12-12 The Second Entry Completed Figure 12-13 Modifying the Second Entry Figure 12-14 Typing the Domain Alias Figure 12-15 Se

32 Terms in DHCP Static IP Assignment  DHCP can allocate IP addresses based upon the MAC address of PCs in the LAN or DMZ. Terms in Dynamic DDN

419 Step 3. Emails sent to the internal account “alex”, depending on the domain name, will be handled as follows:  Emails that go to alex@planet.

420 12.2 Account Manager 12.2.1 Using CS-2001 to Filter Mail Accounts Step1. Go to Mail Security > Configuration > Account Manager and then

421 Step3. Go to Mail Security > Configuration > Account Manager, import the accounts into the system:  Click the Browse... button. In the C

422 Step4. Go to Mail Security > Configuration > Account Manager, add or remove the accounts.  Click the Add button.  Enter the account

423 Figure 12-20 Removing the Account Note： 1. Once Accounts added automatically is selected, the CS-2001 will varify the existence of the accou

424 Step5. Users may be given permission to access Personal Email Viewer under Mail Security > Configuration > Account Manager.  To permit

425 12.2.2 Accessing Personal Email Viewer Step 1. Type the management address together with the HTTP port (8080) or HTTPS port (1443) in the addre

426 Step 2. Users will be requested to configure user preferences during their first login.  Click Continue.（Figure 12-24）  Configure the User Pr

427 Figure 12-25 The User Preferences Settings Figure 12-26 User Preferences Settings Completed

428 Step 3. Below shows the CS-2001’s user-friendly, web-based mailbox.（Figure 12-27） Figure 12-27 The Web Mail User Interface

33 Terms in SNMP SNMPv3  SNMP is a protocol specially designed to monitor network-attached devices such as servers, switches, routers, workstati

429 12.2.3 Using Whitelist and Blacklist to Filter Emails Supposed the domain name “planet.com.tw” is registered to your organization, and you ar

430 Figure 12-29 Creating the Second Entry of Whitelist Figure 12-30 Settings Completed

431 Step 2. Click Preference in the Personal Email Viewer main screen and then a pop-up window appears. Click the Blacklist button under the User Pre

432 Figure 12-32 Creating the Second Entry of Blacklist Figure 12-33 Blacklist Created

433 Step 3. When [email protected] receives an email from a yahoo account:  If the mail is from [email protected], then [email protected] will

434 12.3 Mail Relay 12.3.1 Using CS-2001 as a Gateway (Set the Mail Server in DMZ under Transparent Mode) Prerequisite Setup Configure Port1

435 Step 2. Go to Mail Security > Configuration > Mail Relay and then set as below:（Figure 12-35）  Select Sender’s IP Address.  Type the IP

436 12.3.2 Deploying the CS-2001 Device between the Gateway and Mail Server (Mail Server is in DMZ under Transparent Mode) Prerequisite Setup LAN

437 Step 2. Go to Mail Security > Configuration > Mail Relay and then set as below:  Click New Entry.（Figure 12-37）  Select Sender’s IP

438 12.3.3 Using CS-2001 as Gateway to Enable Branch’s Employees to Send Emails via Headquarters’ Mail Server (Set the Mail Server under DMZ Transpa

34 Auth Password  The NMS uses this password to access information from the CS-2001. Privacy Protocol  Supports the cipher Data Encryption Stan

439 Step 2. Go to Mail Security > Configuration > Mail Relay and then set as below:（Figure 12-40）  Select Sender’s IP Address.  Enter the I

440 12.4 Mail Notice 12.4.1 Retrieving Spam or Virus Emails from the Mail Notice (An Outlook Exparess Example) Step 1. All the accounts are listed

441 Step 2. Go to Mail Security > Configuration > Mail Notice and then set as below:  Tick Notice for, then select “Both Spam and Viruses” fr

442 Note： 1. Accounts in the Selected Accounts column will receive a mail notice based upon schedules when emails sent from or to them are classif

443 12.5 Queued Mail 12.5.1 Monitoring Email Delivery Status Step 1. Go to Mail Security > Configuration > Settings and then set as below: 

444 Step 2. Go to Mail Security > Configuration > Queued Mail to obtain the delivery status.  A symbol, under the Reason column, indicates

445 12.6 Mail Signatures Step 1. Go to Mail Security > Configuration > Mail Signatures and then set as below:  Tick Add signatures to all o

446 Step 2. Any email sent from the CS-2001 will now have the signature message appended to the body of the email for the recipient to view.（Figure 1

447 Chapter 13 Anti-Spam Users will no longer be disturbed by large influxes of spam. The Anti-Spam mechanism prevents the users from wasting their

448 Terms in Settings Anti-Spam Filter Settings  Incoming and outgoing emails can be inspected.  Emails exceeding the threshold score can have

35 2.1 Settings 2.1.1 Exporting System Settings Step 1. Under System > Configuration > Settings, click next to Export System Settings und

449 Spam Actions (Sending)  The action of outbound spam mail can be set to delete, deliver as normal or store the quarantine. Spam Actions (Receiv

450  The figure below shows that an email’s subject is tagged with the score (optional).（Figure 13-3） Figure 13-3 An Email’s Subject Tagged with t

451 Comment  The description of the rule’s name. Classification  When Spam is selected, emails that meet the inspection criteria will be classif

452 “joe” typed as a pattern, it means emails from whosever email account contained the word “joe” will be considered as spam or ham.

453 Terms in Whitelist Email Address/ Domain Name  Used to designate specific email addresses as ham. Direction  From: Inspects emails sent fro

454 Training Schedule  CS-2001 can be scheduled a daily time for spam or ham training.  CS-2001 can be set to immediately train. An Overview on

455 The Three Key Elements of Email Transmission An email transmission is achieved by using an MUA, MTA and MDA.  MUA（Mail User Agent）：Whether

456 How an Email is Processed Composing and sending an email:  Email delivery from an MUA to an MTA: Run a MUA client (email program) and follow t

457  Email retrieval: signifies MUA is using POP (Post Office Protocol) to communicate with the MTA by which users may have the access to emails. C

458 13.1 Example No. Scenario Page 13.1.1 Detecting Whether Emails are Spam 459 13.1.2 Using CS-2001 in Accordance with Whitelist and Bla

36 2.1.2 Importing System Settings Step 1. Under System > Configuration > Settings, click Browse… next to Import System Settings under the Sy

459 13.1.1 Detecting Whether Emails are Spam Prerequisite Setup Configure Port1 as LAN1(192.168.1.1, NAT/ Routing mode) and connect it to the LAN w

460 Step 3. Under Policy Object > Address > DMZ, set as below:（Figure 13-4） Figure 13-4 Creating an Address Setting Corresponding to the Mail

461 Step 5. Go to Policy > Outgoing and then set as below: （Figure 13-6）  Select the defined group (Mail_Service_02) from the Service drop-down

462 Figure 13-6 Configuring an Outgoing Policy with Group Service and POP3 Anti-Spam

463 Figure 13-7 Policy Created

464 Step 6. Under Policy > WAN to DMZ, set as below:（Figure 13-8）  Select the defined rule from the Destination Address drop-down list.  Selec

465 Figure 13-9 Policy Created

466 Step 7. Go to Policy > DMZ to WAN and then set as below:（Figure 13-10）  Select the defined group from the Source Address drop-down list. 

467 Figure 13-10 Creating a DMZ to WAN Policy with Group Service and POP3 Anti-Spam

468 Figure 13-11 Policy Created

37 2.1.3 Resetting the System to Factory Default Settings and Formatting the Hard Drive Step 1. Under System > Configuration > Settings, tick

469 Step 8. Under Mail Security > Anti-Spam > Settings, set as below:（Figure 13-12） Figure 13-12 Anti-Spam Filter Settings and Action Settings

470 Note： 1. By default, Anti-Spam is enabled. Therefore, the IT administrator merely has to configure the settings under Mail Security > Confi

471 13.1.2 Using CS-2001 in Accordance with Whitelist and Blacklist to Filter Spam (Mail Server Is Deployed in DMZ under Transparent Mode) Prerequis

472 Step 3. Go to Policy Object > Service > Group and then set as below:（Figure 13-15） Figure 13-15 Creating Service Groups to Include POP3, S

473 Step 4. Go to Policy > WAN to DMZ and then set as below:（Figure 13-16）  Select the defined rule from the Destination Address drop-down list.

474 Figure 13-17 Policy Created

475 Step 5. Under Policy > DMZ To WAN, set as below:（Figure 13-18）  Select the defined rule for Source Address.  Select the defined service (M

476 Figure 13-18 Creating a DMZ to WAN Policy

477 Figure 13-19 Policy Created

478 Step 6. Go to Mail Security > Configuration > Mail Domains and then set as below:（Figure 13-20） Figure 13-20 Mail Domain Settings Step 7.

38 2.1.4 Enabling Email Alert Notification Step 1. Go to System > Configuration > Settings. Under the Name Settings section, configure the fo

479 Step 8. Go to Mail Security > Anti-Spam > Whitelist and then set as below:  Click New Entry.  Type [email protected] in the Mail

480 Figure 13-25 Creating the Fourth Entry on Whitelist Figure 13-26 Whitelist Setting Completed Note: 1. Whitelist can be exported as a fil

481 Step 9. Go to Mail Security > Anti-Spam > Blacklist and then set as below:  Click New Entry.  Type *yahoo* in the Mail Account fiel

482 3. Whitelist overrides Blacklist, thus, email inspection will firstly act on Whitelist and then Blacklist. Step 10. Provided that joe@supportp

483 13.1.3 Deploying CS-2001 in between Gateway and Mail Server and Filtering Spam with Global Rule (Mail Server Is Deployed in DMZ under Transparen

484 Figure 13-31 Creating Service Groups

485 Step 4. Under Policy > WAN To DMZ, set as below:（Figure 13-32）  Select the defined DMZ for Destination Address.  Select the defined servic

486 Figure 13-33 Policy Completed

487 Step 5. Under Policy > DMZ To WAN, set as below:（Figure 13-34）  Select the defined DMZ for Source Address.  Select the defined service (Ma

488 Figure 13-34 Creating a DMZ to WAN Policy with Service and SMTP Anti-Spam

4 Table of Contents Quick Installation Guide ... 8 Hardware Installation ...

39 2.1.5 Rebooting the CS-2001 Step 1. To reboot the CS-2001, go to System > Configuration > Settings. Under the Device Reboot section click

489 Figure 13-35 Policy Created

490 Step 6. Under Mail Security > Configuration > Mail Domains, set as below:（Figure 13-36） Figure 13-36 Mail Domain Settings Step 7. Under M

491 Step 8. Under Mail Security > Anti-Spam > Settings, set as below:（Figure 13-38） Figure 13-38 Anti-Spam Settings Note: 1. An email th

492 Step 9. Go to Mail Security > Anti-Spam > Global Rule and then set as below:  Click New Entry.  Type HamMail in the Rule Name field

493 Note: 1. The Action setting of a Global Rule will be unavailable if Classification selected as Ham (Non-Spam). It is because normal emails do

494 Step 10. Go to Mail Security > Anti-Spam > Global Rule and then set as below:  Click New Entry.  Type SpamMail in the Rule Name fi

495 Email header can be used as a reference when configuring Condition and Item of Global Rule. Figure 13-43 shows the header of an email. To view he

496 Step 11. Provided that [email protected] and [email protected] both receive an email from a Yahoo account:  If the sender’s ac

497 13.1.4 Improving Bayesian Filtering Accuracy by Training Spam Filtering / Ham-Filtering (An Outlook Express Example) To train spam filtering:

498 Figure 13-45 Naming the Folder as Spam Mail

40 2.2 Date / Time 2.2.1 CS-2001 Time Settings Step 1. Go to System > Configuration > Date/Time and configure the following settings:（Figu

499 Step 2. Click Inbox in Outlook Express, and then move the spam to the Spam Mail folder:  In Inbox, select all the spam, right-click them, and t

500 Figure 13-47 Selecting the “Spam Mail” Folder

501 Step 3. Compact the Spam Mail folder to make it easier importing spam messages onto CS-2001 for spam filtering training:  Click the Spam Mail f

502 Figure 13-49 Compacting the Spam Mail Folder

503 Step 4. Copy the pathname of the Spam Mail folder to CS-2001 device for training use:  Right-click Spam Mail folder, and then click Propertie

504 Figure 13-51 Copying the Pathname of the Spam Mail Folder

505 Step 5. Go to Mail Security > Anti-Spam > Training and then configure the settings under the Spam Training Using Importing section:  Pa

506 Step 6. Delete all spam emails in the Spam Mail folder; since they have been compressed and uploaded to CS-2001, they are of no use any longer: 

507 Figure 13-54 All Spam Emails Have Been Deleted To train ham filtering: Step 7. In Outlook Express, create a new folder called “Ham Mail”: 

508 Figure 13-55 Creating a New Folder Figure 13-56 Naming the Folder as Ham Mail

41 2.3 Multiple Subnet 2.3.1 Using NAT / Routing Mode For LAN Users to Access the Internet Prerequisite Setup (Note: IP addresses used as examples

509 Step 8. Click Inbox in Outlook Express, and then move normal emails to the Ham Mail folder:  In Inbox, select all the hams, right-click them, a

510 Figure 13-58 Selecting the Ham Mail Folder

511 Step 9. Compact the Ham Mail folder for the easy of importing normal email messages onto CS-2001 for ham filtering training:  Click the Ham Mai

512 Figure 13-60 Compacting the Ham Mail Folder

513 Step 10. Copy the pathname of the Ham Mail folder to CS-2001 device for training use:  Right-click the Ham Mail folder, and then click Prope

514 Figure 13-62 Copying the Pathname of the Ham Mail Folder

515 Step 11. Go to Mail Security> Anti-Spam > Training, configure the settings under the Ham Training Using Importing section.  Paste the pa

516 Step 12. Delete all emails in the Ham Mail folder; since they have been compressed and uploaded to CS-2001, they are of no use any longer:  In

517 Figure 13-65 All Normal Emails Have Been Deleted

518 13.1.5 Improving Bayesian Filtering Accuracy by Training Spam Filtering / Ham-Filtering Step 1. On you mail server, create an email account, su

42 Figure 2-8 Configuring Multiple Subnet Figure 2-9 Settings Completed Important: 1. When the PCs’ subnets or IP addresses are not on the same

519 Step 4. In Mail Security > Anti-Spam > Training, configure the Ham Training Using Forwarded Mail setting according to the relevant informat

520 To train spam filtering: Step 5. In Outlook Express, forward all spam emails in the Inbox as attachment to [email protected]:  In In

521 Figure 13-68 Forwarding the Selected Spam Emails as Attachment

522 To train ham filtering: Step 6. In Outlook Express, forward all normal emails in the Inbox as attachment to [email protected]:  In Inbo

523 Figure 13-70 Forwarding the Selected Normal Emails as Attachment

524 Step 7. CS-2001 will retrieve emails in [email protected] and [email protected] periodically and use them for training on schedule

525

526 Chapter 14 Anti-Virus Due to its inbound and outbound email anti-virus scanning capabilities, CS-2001 guards against the extensive damage that

527 Terms in Setting Anti-Virus Settings  Scans inbound and outbound emails for viruses.  Virus definitions can be updated periodically or can b

528 Figure 14-1 Anti-Virus Settings Note: 1. Three virus-scanning modes available for users are ClamAV, Sophos and ClamAV+Sophos.

43 Step 2. Under Network > Interface, set as below:（Figure 2-10）  Click on Port 2’s Modify button.  For Interface Type select WAN, and enter a

529 14.1 Example No. Scenario Page 14.1.1 Filtering Out the Virus Emails on Mail Server the Virus Emails on Mail Server 530 14.1.2 Using

530 14.1.1 Filtering Out the Virus Emails on Mail Server Prerequisite Setup Configure Port1 as LAN1 (192.168.1.1, NAT/ Transparent Routing mode)

531 Step 4. Go to Policy Object > Service > Group, set as below:（Figure 14-3） Figure 14-3 Creating Service Groups to Include the POP3, SMTP a

532 Step 5. Under Policy > Outgoing, set as below:（Figure 14-4）  Select the defined service (Mail_Service_02) for Service.  Select POP3 for An

533 Figure 14-4 Creating an Outgoing Policy with Service and POP3 Anti-Virus Figure 14-5 Policy Created

534 Step 6. Under Policy > WAN To DMZ, set as below:（Figure 14-6）  Select the defined DMZ for Destination Address.  Select the defined service

535 Figure 14-7 Policy Created

536 Step 7. Under Policy > DMZ To WAN, set as below:（Figure 14-8）  Select the defined DMZ for Source Address.  Select the defined service (Mai

537 Figure 14-8 Creating a DMZ to WAN Policy with Service and POP3 Anti-Virus

538 Figure 14-9 Policy Created

CS-2001 UTM Content Security Gateway User’s Manual 44 Step 3. Under Policy Object > Address > LAN, set as below:（Figure 2-11） Figure 2-11 A

539 Step 8. Go to Mail Security > Anti-Virus > Settings and then set as below:（Figure 14-10） Figure 14-10 Anti-Virus Settings

540 Note： 1. By default, Anti-Virus is enabled. Therefore, the IT administrator merely has to configure the Mail Domains to scan all the incoming

541 14.1.2 Using CS-2001 as a Gateway to Filter Out Virus Emails (Mail Server Is Deployed in LAN under NAT Mode) Prerequisite Setup Configure Port

542 Figure 14-13 Creating Service Groups to Include POP3, SMTP and DNS Service Step 4. Under Policy Object > Virtual Server > Port Mapping, s

543 Step 5. Under Policy > Incoming, set as below:（Figure 14-15）  Select the defined virtual server for Destination Address.  Select the defin

544 Figure 14-16 Policy Completed

545 Step 6. Under Policy > Outgoing, set as below:（Figure 14-17）  Select the defined LAN address for Source Address.  Select the defined servi

546 Figure 14-17 Creating an Outgoing Policy with Service and SMTP Anti-Virus

547 Figure 14-18 Settings Completed

548 Step 7. Go to Mail Security > Configuration > Mail Domains and then set as below:（Figure 14-19） Figure 14-19 Mail Domain Settings Step 8.

45 Step 4. Go to Policy > Outgoing and configure the following settings:  Click on New Entry.  Source Address: Select the name of the LAN addr

549 Step 9. When “Joe”, an internal user at supportplanet.com.tw, receives emails from external mail accounts at yahoo.com.tw:  The virus mail from

550 Chapter 15 Mail Reports CS-2001 provides you with email reports in the form of statistics and logs, presenting you with a thorough insight into

551 Terms in Setting Periodic Report Scheduling Settings  It can generate and send out the periodic report to the designated recipient(s) on sched

552 Figure 15-2 Periodical Report Sent as an Attachment

553 Terms in Logs Search  Available searching criteria are: date, sender, sender IP, recipient, attachment, subject, attribute and process. 

554 Figure 15-3 Searching for a Specific Log Note： 1. How to open an “.mbx” file (exported from quarantined or archived emails) on your local c

555  Run IMAPSize, go to Tools > mbox2eml on the menu bar, and then click it.（Figure 15-26）  In the mbox2eml window, click the Select mbox fil

556 Figure 15-26 Navigating to Tools > Mbox2eml on the Menu Bar Figure 15-27 Locating the “.mbx” File to be Converted

557 Figure 15-28 Converting the “.mbx” File into an “.eml” File Figure 15-29 File Conversion Completed

558 Figure 15-30 Clicking and Dragging the “.eml” File into Outlook Express to Open It

46 Figure 2-13 The Second Outgoing Policy Settings

559 15.1 Statistics Step 1. Mail Security > Mail Reports > Statistics shows a comprehensive statistical report. Step 2. In the upper left cor

560 15.2 Logs Step 1. Under Mail Security > Mail Reports > Logs, it shows how emails are processed.

561 The symbols used in Logs:  Attribute： Symbol Description Regular Spam Virus Unscanned  Process: Symbol Description Deleted Notif

562 Web Filter

563 Chapter 16 Configuration Regulating the websites that employees may access improves profuctivity, and protects the network from the damage caus

564 Terms in Setting URL Blocking License  To activate the Category feature for URL Blocking, the license key must be imported into the device her

565 Figure 16-1 Web Filter Settings Note： 1. Before enabling syslog, please configure the syslog setting under System > Configuration > Se

566  The alert message displays when an internal user tries to access the blocked web page.（Figure 16-2） Figure 16-2 The Alert Message Terms in W

567 URL  Specifies any URLs required to be blocked.  The asterisk character (“*”) blocks any websites. Terms in Category Name  The name for

568 Terms in MIME/Script Name  The name of MIME/Script. Script  Window Popup：Blocking the popup window.  Microsoft ActiveX：Disallowing the

47 Figure 2-14 Policy Settings Completed

569  video/mpeg  application/octet-stream  application/pdf  application/msword Important: 1. To apply the Whitelist, Blacklist, Category,

570 16.1 Example No. Settings Scenario Page 16.1.1 Whitelist Blacklist Group Regulating User’s Access to Specific Websites Using Blacklist an

571 16.1.1 Regulating User’s Access to Specific Websites Using Blacklist and Whitelist Step 1. Go to Web Filter > Configuration > Whitelist a

572 Note： 1. Whitelist can be exported as a file for storage, which can be used for restoring the list later on. Step 2. Go to Web Filter > C

573 Step 3. Go to Web Filter > Configuration > Group, click New Entry and then set as below:（Figure 16-8）  Type the name in the Name field. 

574 Figure 16-8 Group Settings for URL Blocking

575 Figure 16-9 The Completed Group Settings

576 Step 4. Go to Policy > Outgoing, click New Entry and then set as below:（Figure 16-10）  Select the defined group from the Web Filter drop-dow

577 16.1.2 Regulating User’s access to Specific Website, Downloading or Uploading Specific File Extension via HTTP or FTP or the Access to Specific

578 Step 2. Go to Web Filter > Configuration > File Extensions, click New Entry and then set as below:（Figure 16-14）  Type the name in the Na

48 Step 5. The configuration of LAN1 to the Internet is now complete.（Figure 2-15） Figure 2-15 The LAN Configured Using Multiple Subnet Note： 1

579 Figure 16-16 Adding a New Extension Figure 16-17 Typing a New Extension Figure 16-18 File Extension Added

580 Step 3. Go to Web Filter > Configuration > MIME/Script, click New Entry and then set as below:（Figure 16-19）  Type the name in the Name f

581  Click Modify and then click Add.（Figure 16-21）  Enter the MIME Types in the field.  Click OK.（Figure 16-22, 16-23） Figure 16-21 Configuri

582 Step 4. Go to Web Filter > Configuration > Group, click New Entry and then set as below:（Figure 16-24）  Type the name in the Name field.

583 Figure 16-24 Configuring the URL Group

584 Figure 16-25 Setting Completed

585 Step 5. Go to Policy > Outgoing, click New Entry and then set as below:（Figure 16-26）  Select the defined group from the Web Filter drop-dow

586 Chapter 17 Reports Reports delivers the IT administrator with detailed statistics and logs regarding the access of websites made by users.

587 Terms in Setting Periodic Report Scheduling Settings  Generates and sends out a periodic report to the designated recipient(s) based on a sc

588 Figure 17-2 A Daily Report Sent through an Email Message

5 8.2 RADIUS Authentication ... 166 8.3 POP3 Authentication ...

49 2.3.2 Using Multiple Subnets to Establish a VLAN Gateway to Regulate VLAN Users to Access the Internet Prerequisite Setup (Note: IP addresses

589 Terms in Logs Search  Category: Available searching criteria are time, souce IP address, website, classification and action.  Upload: Availa

590 Figure 17-13 Searching for the Specific Logs Note: 1. Under Web Filter > Reports > Logs, the Category reports can be sorted by the t

591 17.1 Statistics Step 1. Under Web Filter > Reports > Statistics, bar charts shows the report of URL blocking. Step 2. In the upper left c

592 Step 4. Below it shows the statistics report.（Figure 17-15）  Y-axis indicates the amount of scanned URL.  X-axis indicates the time.

593

594 Figure 17-15 Statistics Report

595 17.2 Logs Step 1. Under Web Filter > Reports > Logs, there it shows the URL blocking logs.（Figure 17-16） Figure 17-16 URL Blocking Logs

596 IDP

597 Chapter 18 Configuration In order to protect your network from various security threats, the device produces timely alerts and blocking mecha

598 Terms in Settings IDP Settings  IDP signature definitions update automatically everyday or updated by the IT administrator manually. After eac

50 Figure 2-16 First Multiple Subnet Setting

599  Type 60 in the Storage Lifetime field.  Click OK.（Figure 18-1） Figure 18-1 IDP Settings Note: 1. To enable Syslog, the IT administr

600  When detecting attacks, the IT administrator will receive both an email notification and a NetBIOS Notification, Also, a corresponding log wil

601 Note: 1. The IDP log is generated upon the “Log”setting under IDP > Signatures > Anomaly / Pre-defined / Custom.

602 Chapter 19 Signatures To protect your company's network from malicious intrusions and attacks, the CS-2001 provides alerts and blocking me

603 Terms in Signatures Anomaly  Available signatures are syn flood, udp flood, icmp flood, portscan and http insptct.（Figure 19-1）  You may s

604 Pre-defined  Available signatures are Attack Responses, Backdoor, Bad Traffic, Chat, DDoS, DNS, DoS, Exploit, Finger, FTP, ICMP, IMAP, Info, Mi

605 Figure 19-2 Pre-Defined Settings

606 Note: 1. All the signatures under the IDP > Signatures > Pre-defined are processed according to the Default Settings for Each Risk Lev

607 Name  The name of the signature. Protocol  Determine of which IP Version (IPv4, IPv6) and Communication Protocol to detect and protect. S

608 19.1 Example 19.1.1 Adopting Packets Inspection along with Custom and Pre-Defined Signatures to Detect and Prevent the Intrusion Step 1. Under

51 Figure 2-17 Second Multiple Subnet Setting Figure 2-18 Multiple Subnet Settings Completed Note： 1. The device’s interface settings permits

609 Step 2. Go to IDP > Signatures > Anomaly and then set as below:（Figure 19-4）  Enable the signatures and configure the settings.  Click

610 Step 3. Under IDP > Signatures > Pre-defined, set as below:（Figure 19-5）  Select the signatures.  Click OK. Figure 19-5 Pre-Defined Se

611 Step 4. Go to IDP > Signatures > Custom and set as below:（Figure 19-6）  Type the name in the Name field.  Select IPv4 for IP Version an

612 Note: 1. You may type a word string in the Content Pattern field; or convert it to hexadecimal ASCII code and then paste it into the field.

613 Figure 19-8 Applying the IDP to the Policy

614 Figure 19-9 Policy Created

615 Chapter 20 IDP Report CS-2001 provides you with a comprehensive IDP report in both statistics and logs. With the help of them, you could have a

616 Terms in Settings Periodic Report Scheduling Settings  It can generates and send out the periodic report to the designated recipient(s) on sch

617 Figure 20-2 Periodic Report Received

618 Terms in Logs Search  Available search criteria are date, event, signature category, attacker IP, victim IP, interface and risk level.  G

52 Step 2. Go to Policy Object > Address > LAN, and set as below:（Figure 2-19） Figure 2-19 Address Settings for the LAN

CS-2001 UTM Content Security Gateway User’s Manual 619 20.1 Statistics Step 1. Go to IDP > IDP Reports > Statistics, to view a full-scale ID

620 20.2 Logs Under IDP > IDP Reports > Logs, it shows the IDP status. Note: 1. The symbol used in Logs:  Process: Symbol Description

621 Web VPN / SSL VPN

622 Chapter 21 Web VPN / SSL VPN Since the Internet is in widespread use these days, the demand for secure remote connections is increasing. To mee

623 Terms in VPN DES  DES, an acronym for Data Encryption Standard, is a cipher that was selected by NIST (National Institute of Standard and Te

624 Hardware Auth.  The IT administrator may enable the PCs listed under Web VPN/ SSL VPN > Hardware Auth by adding them to the Selected Hardw

625 Terms in Hardware Auth Hardware Authentication Users  The list of the devices that have been established SSL VPN connection to the CS-2001 d

626 21.1 Example 21.1.1 Configuring Web / SSL VPN Connection settings for External Clients Step 1. Go to Interface > WAN, activate the HTTPS fu

627 Figure 21-4 User Group Entries

628 Step 3. Go to Web VPN / SSL VPN > Settings and then set as below:  Click Modify.（Figure 21-5）  Tick Enable Web VPN / SSL VPN.  Select th

53 Step 3. Go to Policy Object > Address > LAN Group and then set as below: (Figure 2-20) Figure 2-20 LAN Group Settings Step 4. Go to Poli

629 Figure 21-6 Web VPN / SSL VPN Setting Completed

630 Figure 21-7 Web VPN / SSL VPN Authentication Settings Figure 21-8 Web VPN / SSL VPN Authentication Completed

631 Step 4. Go to Policy > Incoming and then set as below:（Figure 21-9）  Select the defined Web VPN / SSL VPN from the VPN Trunk drop-down list.

632 Step 5. Configure the setting from a browser:  In the URL field, type the CS-2001 interface address plus sslvpn or webvpn. For example, https:/

633 Figure 21-12 Warning-Security Window

634 Figure 21-13 Warning-Security Window Figure 21-14 The Authentication Window Figure 21-15 Web VPN / SSL VPN Connection

635 Figure 21-16 Web VPN / SSL VPN Connection Established

636 Step 6. Under Web VPN/ SSL VPN > Status, it shows the connection status: (Figure 21-17) Figure 21-17 Web VPN / SSL VPN Connection Status S

637 Step 8. Go to Web VPN / SSL VPN > Settings and then set as below:（Figure 21-19）  Click Modify.  Move the hardware from the Available Hardw

638 Figure 21-20 Setting Completed Step 9. When a user establishes an SSL VPN connection through the CS-2001, their hardware can be directly authen

54 Step 5. The internal network’s VLAN. (Figure 2-23) Figure 2-23 The Completed Mulitple Subnet VLAN Settings

639 Note： 1. When hardware authentication and user/group authentication are both enabled, the device will first try to authenticate by hardware au

640 Figure 21-22 Installing Java Runtime Environment Plug-in

CS-2001 UTM Content Security Gateway User’s Manual 641 IM Recording

642 Chapter 22 Configuration IM Recording can help you record and monitor the use of MSN and QQ messenger. This can prevent productivity losses fro

643 Terms in QQ Account Manager IM Logging Setting  Configures the storage lifetime of IM logging. Enable Block QQ access with an invalid passwor

644 22.1 Example 22.1.1 Recording the Use of MSN / QQ Messenger Step 1. Users may log into the Web User Interface to add their own account. (Enter

645 Figure 22-2 Account Added Note: 1. IT administrator may add new users under IM Recording > Configuration > QQ Account Manager.

646 Step 2. The added user is listed under IM Recording > Configuration > QQ Account Manager:  Tick Block QQ access with an invalid password.

647 Note: 1. Users may go to the Web user interface to change their password on their own. (Enter the management IP address appended with qq. E.g.

648 Step 3. Go to Policy > Outgoing and set as below:（Figure 22-6）  Enable IM Recording.  Click OK.（Figure 22-7） Figure 22-6 Creating an Outg

55 2.4 Route Table 2.4.1 Enabling Two Networks Connected by a Router to Access the Internet via the CS-2001 Prerequisite Setup (Note: IP addresses

649 Figure 22-7 Policy Created

650 Chapter 23 Reports The records of MSN and QQ messengers are shown in the form of easy-to-read log and statistics. Terms in Settings Periodic Re

651 Figure 23-1 Periodic Report Settings Figure 23-2 Daily IM Statistics Report

652 Figure 23-3 Daily IM Statistics Report Figure 23-4 Historical Report Scheduling Settings

653 Figure 23-5 Historical Report Received

654 Figure 23-6 Weekly IM Statistics Report Terms in Message History Search  Available search criteria are date, time range, IM type, username,

655  Click Search.（Figure 23-7）  Click Send Report.  The report is sent to the designated recipient(s). （Figure 23-8, 23-9）  To store the se

CS-2001 UTM Content Security Gateway User’s Manual 656 Figure 23-8 Receiving the Search Results Figure 23-9 The Searching Results Note: You m

657 Figure 23-10 Downloading the Searching Results 23.1 Statistics Step 1. IM Recording > Reports > Statistics shows a comprehensive stat

658 Figure 23-11 IM Recording Statistical Report

56 Step 1. Go to System > Configuration > Route Table and set as below:  Click on New Entry.  IP Version : Select IPv4.  IP Address: Ty

659 23.2 Message History Step 1. IM Recording > Reports > Message History shows the logs of users’ conversation.（Figure 23-12） Figure 23-12

660 Chapter 24 Policy CS-2001 inspects each packet passing through the device to see if it meets the criteria of any policy. Every packet is proces

661  DMZ to LAN : The packet is from the DMZ and heading to the LAN. IT administrators can customize the policy for DMZ-to-LAN packets.  LAN to L

662 Terms in Policy Source Address & Destination Address  Source address and Destination address is based around using the device as a point o

663 Authentication  This requires users to be authenticated to create a connection. VPN Trunk  This is where you apply the policy to regulate th

CS-2001 UTM Content Security Gateway User’s Manual 664 Web App Firewall  It can regulate and filter all the web application. Anti-Virus  It

665 Note: 1. Max. Concurrent Sessions overrides Max. Concurrent Sessions per IP in a policy. When the setting value of Max. Concurrent Sessions ex

666 24.1 Example No. Settings Scenario Page 24.1.1 Outgoing Creating a Policy to Monitor the Internet Access of LAN User 667 24.1.2 Ou

667 24.1.1 Creating a Policy to Monitor the Internet Access of LAN Users Step 1. Go to Policy > Outgoing and then set as below:（Figure 22-1） 

668 Step 2. Click the Log icon of a policy to see the log.（Figure 22-3）  In the upper-left corner, click the Refresh button or select a refresh

57 Figure 2-26 Static Route Setttings Figure 2-27 The Completed Static Route Settings Important: 1. To enable the LAN to LAN connection, go to

669 Figure 22-4 Traffic Shown in Log Screen

670 Step 3. Under Monitoring > Traffic Grapher > Policy-Based Traffic, the traffic flow is displayed in graphics, giving you an instant insight

671

672 Figure 22-5 Statistics Screen

673 24.1.2 Creating a Policy to Restrict the Access to Specific Web Sites Step 1. Go to Web Filter > Configuration > Whitelist/ Blacklist/ Fi

674 Figure 22-9 MIME / Script Settings Figure 22-10 Group Settings

675 Step 2. Go to Policy Object > Application Blocking > Settings and then set as below:（Figure 22-11, 22-12） Figure 22-11 Application Blockin

676 2. Application Blocking is used for blocking Instant Messenger, Peer-to-Peer Application, Video/ Audio Application, Webmail, Game Application, T

677 Step 3. Go to Policy Object > Address > WAN / WAN Group and then set as below:（Figure 22-13, 22-14） Figure 22-13 WAN Interface Setting F

678 Step 4. Go to Policy > Outgoing and then set as below:（Figure 22-15）  Select the defined group from the Destination Address field.  Select

58 Step 2. The subnets 192.168.10.x/24,192.168.20.x/24 and 192.168.1.x/24 can now communicate with each other. In addition, these subnets may also ac

679 Step 5. Go to Policy > Outgoing and then set as below:（Figure 22-16）  Select the defined group from the Web Filter drop-down list.  Select

680 24.1.3 Creating a Policy to Grant Internet Access to Only Authenticated Users on Schedule Step 1. Go to Policy Object > Schedule > Settin

681 Figure 22-20 Applying the Schedule and Authentication to the Policy Figure 22-21 Policy Completed

682 24.1.4 Creating a Policy to Enable a Remote User to Control a LAN PC with Remote Control Software (pcAnywhere) Step 1. Set up a computer to be

683 Step 3. Under Policy > Incoming, set as below:（Figure 22-23）  Select the defined Virtual Server for Destination Address.  Select PC-Anywhe

684 24.1.5 Creating a Policy to Limit the Bandwidth, Daily Total Traffic Amount and Maximum Concurrent Sessions of an Incoming Session to a FTP Serv

685 Step 4. Go to Policy > WAN to DMZ and then set as below（Figure 22-27）  Select the defined rule from the Destination Address drop-down list.

686 Figure 22-28 A WAN-to-DMZ Policy Created

687 24.1.6 Creating a Policy to Enable LAN / WAN Users to Have Email Access (A Transparent Mode Example) Step 1. Set up a mail server in DMZ. Next,

688 Step 4. Under Policy > WAN To DMZ, set as below:（Figure 22-31）  Select the defined DMZ rule for Destination Address.  Select the defined s

6 Chapter 21 Web VPN / SSL VPN ... 622 21.1 Example ...

59 2.5 DHCP 2.5.1 Using an External DHCP Server to Allocate IP Addresses to Internal PCs Step 1. Go to System > Configuration > DHCP, and se

689 Step 5. Under Policy > LAN To DMZ, set as below:（Figure 22-33）  Select the defined DMZ entry for Destination Address.  Select the defined

690 Step 6. Under Policy > DMZ To WAN, set as below:（Figure 22-35）  Select the defined rule for Source Address.  Select the defined rule for S

691 Anomaly Flow IP

692 Chapter 25 Anomaly Flow IP Once an anomaly traffic flow is detected, CS-2001 will take action to block the flow of packets. This protection ens

693 25.1 Example 25.1.1 Configuration for Alerts and the Blocking of Internal DDoS Attacks Step 1. Go to System > Configuration > Settings

694 Step 3. Go to Anomaly Flow IP > Settings and then set as below:（Figure 23-2）  Enter the Traffic Threshold per IP. (The default value is 100)

695 Step 4. When a DDoS attack occurs, CS-2001 generates a corresponding log under Anomaly Flow IP > Virus-infected IP, and if NetBIOS Notificatio

696 Step 6. Internal users will see an alert message upon opening a web browser after being infected by a computer virus. CS-2001 limits virus-infect

697 Advance

698 Chapter 26 Inbound Balancing The CS-2001 provides enterprises with Inbound Load Balancing. It ensures uninterrupted access for external users t

60 Note: 1. When Enable DHCP Relay Support is enabled, internal PCs can obtain an IP address from the server through the specified interface (WAN1

699 Terms in Inbound Balancing Domain Name  Refers to an address that is registered at an ISP. An IP address like 198.68.20.78 is not easy to me

700 Domain Name Type IP Address host1.nu.net.tw A 61.11.11.12 host2.nu.net.tw A 61.11.11.13 host2.nu.net.tw A 211.22.22.23 Table 24-1 Domain Name

701  Supposing a user wants to send an email to [email protected]. The user is using test.com.tw as its SMTP server. The DNS records will be quer

702 pointer records of the reverse database, this IP address is stored as the domain name 12.11.11.61.in-addr.arpa pointing back to its designated ho

703  IPv6 uses PTR record as well. For example, host33.nu.net.tw points to FEC0::2AA:FF:FE3F:2A1C (FEC0:0000:0000:0000:02AA:00FF:FE3F:2A1C), in poi

704 Further Description DNS pointers are used to indicate which DNS server holds all the associated DNS records for a domain. Any specific informati

705 Note: 1. The DNS must point to the fixed IPs.

706 Under Advance > Inbound Balancing > Settings, configure DNS settings as listed below:（Table 24-6） Domain Name Type IP Address Reverse

707 Configure DNS settings as listed below:（Table 24-7） Domain Name Type IP Address Weighting Priority web.nu.net.tw A 61.11.11.11 1 1 web.nu

708 As seen from table 24-7, it can be inferred that when browsing www.nu.net.tw, visitors are directed to different servers according to their brows

61 2.5.2 Using the CS-2001 to Allocate IP Addresses to LAN PCs Step 1. Go to System > Configuration > DHCP and set as below:（Figure 2-30） 

709 26.1 Example No. Application Environment Page 26.1.1 Creating an A Record to Load Balance a Web Server Using the Backup Mode 710 26.1.2

710 26.1.1 Creating an A Record to Load Balance a Web Server Using the Backup Mode Step 1. Go to Advance > Inbound Balancing > Settings and p

711 Figure 24-3 The First Inbound Balance Configuration

712 Figure 24-4 The Second Inbound Balance Configuration Figure 24-5 The Completed Settings Note: 1. If @ is entered in the Hostname field, th

713 Step 2. Go to Policy Object > Virtual Server > Port Mapping and then set as below:（Figure 24-6, 24-7） Figure 24-6 Server 1 Settings Figu

714 Step 3. Go to Policy > Incoming and then set as below:  Click New Entry.（Figure 24-8）  For Destination Address select [Virtual Server IP]

715 Figure 24-9 Configuring the First Settings of an Incoming Policy Settings Figure 24-10 The Completed Policy Settings

716 Step 4. Settings complete. If WAN 1 goes down, WAN 2 ensures user’s access to the web server remains uninterrupted.（Figure 24-11） Figure 24-11 W

717 26.1.2 Creating an A Record to Load Balance a Web Server Using the Round-Robin Mode Step 1. Go to Advance > Inbound Balancing > Settings

718 Figure 24-13 The First Inbound Balance Settings Figure 24-14 The Second Inbound Balance Configuration Figure 24-15 Setting Completed

62 Figure 2-30 DHCP Settings

719 Step 2. Go to Policy Object > Virtual Server > Port Mapping and then set as below:（Figure 24-16, 24-17） Figure 24-16 Server 1 Settings Fi

720 Step 3. Go to Policy > Incoming and proceed with the following settings:  Click New Entry.（Figure 24-18）  Select the defined rule ([Virtua

721 Figure 24-19 Configuring the Second Policy Settings Figure 24-20 Policy Completed

722 Step 4. Setting completed.（Figure 24-21） Figure 24-21 The Round-Robin Deployment Note: 1. Inbound Balance Settings:（Table 24-9） Name Type

723 cycle restarted)  The 5th user accesses the server via 211.22.22.22.  The 6th user accesses the server via 211.22.22.22.

724 26.1.3 Creating a CNAME Record to Load Balance a Web Server Using the Round-Robin Mode Step 1. Go to Advance > Inbound Balancing > Settin

725 Figure 24-23 The First Inbound Balance Settings Figure 24-24 The Second Inbound Balance Settings Figure 24-25 CNAME(Alias) Settings

726 Figure 24-26 Completed CNAME(Alias) Settings

727 Step 2. Go to Policy Object > Virtual Server > Port Mapping and then set as below:（Figure 24-27, 24-28） Figure 24-27 Server 1 Settings F

728 Step 3. Go to Policy > Incoming and then set as below:  Click New Entry.（Figure 24-29）  Select the defined rule ([Virtual IP]Web_Server(61

63 Note: 1. Enabling Obtain DNS server address automatically is intended for LAN users whom access the Internet via the device’s authentication me

729 Figure 24-30 Configuring the Second Policy Settings Figure 24-31 Adding the Second Policy

730 Step 4. Setup completed.（Figure 24-32） Figure 24-32 Web Server Deployment Using CNAME Note: 1. The settings for Inbound Balancing:（Table 24-

731  The 4th user accesses the server via 61.11.11.11 (Round-Robin priority distribution cycle has restarted)  The 5th user accesses the server v

732 26.1.4 Creating a MX Record to Load Balance a Mail Server Using the Round-Robin Mode Step 1. Go to Advance > Inbound Balancing > Settings

733 Figure 24-34 The First Inbound Balance Settings Figure 24-35 The Second Inbound Balance Settings Figure 24-36 The MX(Mail eXchanger) Setting

734 Figure 24-37 MX(Mail eXchanger) Settings Completed

735 Step 2. Go to Policy Object > Virtual Server > Port Mapping and then set as below:（Figure 24-38, 24-39, 24-40, 24-41） Figure 24-38 The Fir

736 Figure 24-40 The Third Setting of Server Figure 24-41 The Fourth Setting of Server

737 Step 3. Go to Policy > Incoming and then set as below:  Click New Entry.（Figure 24-42）  Select the defined rule ([Virtual IP]Mail_Server_P

738 Figure 24-43 The Second Policy Settings Figure 24-44 The Third Policy Settings

64 2.6 DDNS Step 1. Go to System > Configuration > Dynamic DNS, and set as below:（Figure 2-31）  Click New Entry. Select a Service Provider

739 Figure 24-45 The Fourth Policy Settings Figure 24-46 Policy Completed

740 Step 4. Setup Completed.（Figure 24-47） Figure 24-47 The Mail Server Deployment Note: 1. Settings for Inbound Balancing: （Table 24-11） Name

741  The 2nd user accesses the server via 211.22.22.22.  The 3rd user accesses the server via 211.22.22.22 (Round-Robin priority distribution cyc

742 Chapter 27 High Availability When two CS-2001 devices are deployed in the network, the two devices can operate in active / standby mode. The ma

743 Terms in High Availability HA Mode  This mode is used to determine if the device will serve as the master or backup. Data Transmission P

744 27.1 Example 27.1.1 High Availability Deployment Preparation Configure Port1 as LAN1 (192.168.1.1, NAT/ Routing mode) and connect it to the L

745 Step 1. Assign one CS-2001 device as the master and connect it to the same switch that the LAN is connected to.（Figure 25-1） Figure 25-1 The Dep

746 Step 2. Using the master device, configure the following High Availability settings under Network > Interface.（Figure 25-2） Figure 25-2 The

747 Step 3. Using the master device, configure the following High Availability settings under Advance > High Availability > Settings:  Tick E

748 Step 4. To set up the backup device, be sure the backup device is turned off and then configure the interface. Backup device’s LAN port, WAN port

65 2.7 Host Table Step 1. Go to System > Configuration > Host Table and set as below:（Figure 2-33）  Configure the Host Name accordingly. 

749 Important: 1. After the high availability deployment, if the first time synchronization between the master device and backup device is interr

750 Figure 25-6 Backup Device Taking Over Operations When Master Device Fails 6. Note:  During backup, if the WAN port is using a dynamic IP a

751 Chapter 28 Co-Defense System The CS-2001 can work in cooperation with the network’s switch, to provide instant monitoring of the internal net

752 Terms in Core Switch Name  The name used to identify the switch. Switch Model  The switch model can be selected or it can be customized. I

753 Remove Blocking Command  This command instructs the core switch to discontinue blocking an IP/MAC address. Show Blocking Commands  This comm

754 28.1 Example 28.1.1 Quickly Isolating Any Anomaly Flow in the Internal Network by Utilizing the Core and Edge Switch Step 1. Go to Anomaly

755 Step 2. Under Advance > Co-Defense System > Core Switch, set as below:（Figure 26-3）  Enter the name to identify the switch.  Select the

756 Figure 26-4 Core Switch Settings Completed

757 Step 3. Under Advance > Co-Defense System > Edge Switch, click New Entry and then set as below:（Figure 26-9）  Type the name in the Name f

758 Step 4. Go to Advance > Co-Defense System > MAC ADDR Table. Using SNMP, the CS-2001 can obtain the MAC addresses of any packets that pass t

66 2.8 SNMP 2.8.1 SNMP Agent Settings Step 1. Go to System > Configuration > SNMP. Under the SNMP Agent Settings section configure the fol

759 Monitoring

760 Chapter 29 Logs Log comprises logs of Traffic, Events, Connections, Viruses, Application Blocking, Concurrent Sessions and Quota. The system ma

761 Terms in Settings Logging Settings  Logs are sent to the designated recipient once the file size reaches 300 KB.  Logs can be backed up onto

762 Figure 27-1 Searching for a Specific Log

763 Figure 27-2 Downloading the Search Results

764 Terms in Events Search  Available search criteria are date, admin name, IP address, event type and event log with detailed content.  Unde

765 Terms in Connection Search  PPPoE : Available search criteria are date and keyword.  Dynamic IP Address: Available search criteria are date

766 Figure 27-4 Searching for a Specific Log

767 Terms in Virus Search  Available search criteria are date, source IP, destination IP, application, infected file and virus name.  Under Mo

768 29.1 Traffic 29.1.1 Viewing the Protocols and Port Numbers Used during an Access to CS-2001 Step 1. Go to Policy> DMZ To WAN and set as bel

67 2.8.2 SNMP Trap Settings Step 1. Go to System > Configuration > SNMP. Under the SNMP Trap Settings section, configure the following settin

769 Step 2. Under Monitoring > Logs > Traffic, it shows the traffic status of a policy.（Figure 27-7） Figure 27-7 Traffic Log Step 3. Click an

770 Figure 27-8Monitoring the Traffic Flow of Each IP Address

771 Step 4. To clear the logs, click the Clear button and then click OK in the confirmation window.（Figure 27-9） Figure 27-9 Deleting all the Traffi

772 29.2 Event 29.2.1 Viewing System History Access and the Status of WAN Step 1. Under Monitoring > Logs > Events, there it shows the sys

773 Figure 27-11 Specific Details of a History Event

774 29.3 Connection 29.3.1 Viewing the Connection Logs of WAN Interface Step 1. Under Monitoring > Logs > Connections, it shows the logs o

775 Step 2. To delete the logs, click the Clear button and then click OK in the confirmation window.（Figure 27-13） Figure 27-13 Deleting all the Con

776 29.4 Viruses 29.4.1 Viewing the Detected Viruses from Internal Users Using HTTP / Web Mail / FTP Protocol to Transfer Files Step 1. Go to Po

777 Figure 27-14 A Policy with HTTP/ WebMail and FTP

778 Figure 27-15 Policy Completed

CS-2001 UTM Content Security Gateway User’s Manual 68 2.9 Bulletin Board 2.9.1 Using CS-2001 to Announce the Information to LAN Users and DMZ User

779 Step 2. Under Monitoring > Logs > Viruses, it shows the logs of detected virus from the Internal users using HTTP/ WebMail and FTP protocol

780 29.5 Application Blocking 29.5.1 Viewing the Logs Step 1. Under Policy > Outgoing, set as below: （Figure 27-16）  Select the defin

781 Step 2. Under Monitoring > Logs > Application Blocking, it shows the logs of applicatons that have been blocked.（Figure 27-18） Figure 27-1

782 29.6 Concurrent Sessions 29.6.1 Viewing the Logs of Concurrent Sessions that have been Exceeded the Configured Value Step 1. Go to Policy &g

783 Figure 27-20 A Policy with Limitation of Concurrent Sessions

784 Figure 27-21 Policy Completed Step 2. Under Monitoring > Logs > Concurrent Sessions, it shows the logs of the concurrent sessions that ha

785 29.7 Quota 29.7.1 Viewing the Logs of Quota that Has Been Reached Step 1. Go to Policy > Outgoing and then set as below:（Figure 27-22） 

786 Figure 27-22 A Policy with Limitation of Quota per Source IP

787 Figure 27-23 Policy Completed Step 2. Under Monitoring > Logs > Quota, it shows the logs of the quota that have reached the configured va

788 29.8 Log Backup 29.8.1 Archiving or Retrieving Logs Generated by CS-2001 Step 1. Go to System > Configuration > Settings and then set as

7 Chapter 32 Diagnostic Tools ... 816 32.1 Ping ...

69 Step 2. Under System > Configuration > Bulletin Board, configure the settings in the Bulletin Board Announcements section.  Click New Entr

789 Step 3. Go to Monitor > Log > Settings and then set as below:（Figure 27-27） Figure 27-27 Monitoring Settings

790 Note: 1. Once Email Notification is enabled, the logs will be sent to the IT administrator when the files size reaches 300KB. 2. When syslog

CS-2001 UTM Content Security Gateway User’s Manual 791 Chapter 30 Accounting Reports Accounting report gives the IT administrator an insight into

792 Terms in Setting Accounting Report Settings  The configuration to enable or disable the recording of inbound and outbound data access and co

793 Terms in Today Top-N Time Slider  Drag the two sliders to adjust the statistics’ time interval (represented by the red portion.) So

794 Figure 28-2 Searching for the Specific Log

795 Figure 28-3 Downloading the Accounting Reports

796 Figure 28-4 Deleting the Accounting Reprots

797 30.1 Flow Analysis Step 1. Under Monitoring > Accounting Reports > Flow Analysis, it shows the traffic of source IP and service through C

798 30.2 Today’s Top Chart Step 1. Under Monitoring > Accounting Reports > Today’s Top Chart, it shows the traffic from the source IP, destin

70 Step 3. The LAN users and DMZ users will see the announcement when they access the Internet.（Figure 2-39, 2-40） Figure 2-39 Clicking the Button

799 Figure 28-6 Today Top-N

800 Step 2. You may drag the two sliders to adjust the statistics’ time interval. The left one is the start time slider, the right one is the end tim

801 Figure 28-7 Today Top-N Report according to the Time Interval

802 Step 3. By clicking any source IP, a pop-up window will show its destination IP and service.（Figure 28-8） Figure 28-8 The Destination IP and Ser

803 Figure 28-9 The Source IP and Service

804 Step 5. By clicking any service, it will show its source IP and destination IP. （Figure 28-10） Figure 28-10 The Source IP and Destination IP

805 30.3 Historical Top Chart Step 1. Under Monitoring > Accounting Reports > Historical Top Chart, you may see the traffic of the source IP,

806 Chapter 31 Traffic Grapher Statistics delivers comprehensive information regarding network traffic, enabling the IT administrator to gain a tho

807 Traffic Grapher Charts  Vertical axis indicates the network traffic.  Horizontal axis indicates time. Type/ Source/ Destination/ Service/ A

808 31.1 WAN Traffic Step 1. In Monitoring > Traffic Grapher > WAN Traffic, it shows the statistics of upstream / downstream packets over the

71 172.19.1.254. You may enter http://172.19.1.254:84 in the web browser. (Figure 2-41, 2-42) Figure 2-41 Logging in the Bulletin Board Setting Pa

809 Step 2. Statistic charts（Figure 29-2）  Vertical axis indicates network stream.  Horizontal axis indicates time.

810

811 Figure 29-2 The Network Stream Chart Note: 1. You may configure the time duration to search for the statistics in a certain period of time.

812 31.2 Policy-Based Traffic Step 1. When creating a new policy, if the Statistics is enabled, the Policy statistics charts in the path of Monitor

813 Step 2. Statistics charts.（Figure 29-4）  Vertical axis indicates network traffic.  Horizontal axis indicates time.

814

815 Figure 29-4 Viewing the Policy Statistics Chart Note: 1. You may see the statistics of a certain time by using the time searching.

816 Chapter 32 Diagnostic Tools The device provides ping and traceroute utilities to help diagnose network issues with particular external nodes.

817 32.1 Ping Step 1. To test whether a host is reachable across an IP network, go to Monitoring > Diagnostic Tools > Ping and then configure

818 Figure 30-2 Ping Result Note: 1. If VPN is selected from the Interface drop-down list, the user must enter the local LAN IP address in the I

72 2.10 Language 2.10.1 Changing the Language Step 1. Under System > Configuration > Language, you may change the language of the user inter

819 Figure 30-3 Ping Results for a VPN Connection

820 32.2 Traceroute Step 1. Under Monitoring > Diagnostic Tools> Traceroute the Traceroute command can be used by the CS-2001 to send out pac

821 Figure 30-5 Traceroute Results

CS-2001 UTM Content Security Gateway User’s Manual 822 32.3 Packet Capture Capture packetfor debugging Step 1. Under Monitoring > Diagnostic T

823 Chapter 33 Wake-On-LAN Any wake-on-LAN supported PC can be remotely turned on by a “wake-up” packet sent from the CS-2001. By utilizing remote

824 33.1 Example 33.1.1 Remote Controlling a PC Step 1. Supposing the MAC address of the PC that is desired to be remotely controlled is 00:0C:76:

825 Chapter 34 Status Status provides current information about the device and the network including Interface, System Info, Authentication, ARP Ta

826 34.1 Interface Step 1. Under Monitoring > Status > Interface, it shows the status of all interface.（Figure 32-2） Figure 32-2 Status In

827 8. PPPoE / Dynamic IP Uptime: when the interface is connected using PPPoE, it displays the connection uptime. 9. MAC Address: displays the MAC

828 34.2 System Info Step 1. Under Monitoring > Status > System Info, it shows the current system information, such as CPU utilization, hard

73 Interface

829 Figure 32-3 System Information

830 34.3 Authentication Step 1. Under Monitoring > Status > Authentication, it shows the authentication status of the device.（Figure 32-4） F

831 34.4 ARP Table Step 1. Under Monitoring > Status > ARP Table, it shows NetBIOS Name, IP Address, MAC Address and Interface of any compute

832 Figure 32-6 Downloading the Anti-ARP Virus Software Figure 32-7 The Result of Executng the Anti-ARP Virus Software

833 Figure 32-8 The Anti-ARP Virus Software will Automatically Run when the System Startups

834 34.5 Sessions Info Step 1. Under Monitoring > Status > Sessions Info, it provides a list of all the sessions that have connected to the d

835 Step 2. By clicking on any source IP, it shows the port number and the traffic.（Figure 32-10） Figure 32-10 The System Info

836 34.6 DHCP Clients Step 1. Under Monitoring > Status > DHCP Clients, it shows the status of IP address distributed by the device’s DHCP se

CS-2001 UTM Content Security Gateway User’s Manual 837 34.7 Host Info Step1. Under Monitoring > Status > Host Info, the IT administrator ma

74 Chapter 3 Interface The Interface configuration allows you to configure the connection parameters separately for LAN, WAN and DMZ interfaces as

75 Terms in Settings DNS Settings  The DNS servers used for resolving domain names to IP addresses. MTU Setting  The Maximum Transmission Unit

76 Interface Designation  The system-assigned name based on the network interface type selected. Interface Type  The network interface is catego

77  IPv6 address represent itself as text string using the following three conventional forms:  Colon-hexadecimal form: This is the preferred for

78  The IPv6 prefix is the part of the address that indicates the bits that have fixed values. If it happens not to be a multiple of four such as 2

8 Quick Installation Guide

79  The result, 02-AA-00-FF-FE-3F-2A-1C, is converted to colon-hexadecimal notation, yielding the interface identifier 2AA:FF:FE3F:2A1C. Thus, in t

80 SSH  When ticked, the management interface is available for access via SSH protocol. Connection Type (As Interface Type set to WAN)  It has t

81 NAT Redirection  Translates private IP addresses into public addresses.  Auto-configuration: The public address is automatically designated b

82 Detection Mode  When Round-Robin or Active-Backup is selected for Bonding Mode, ARP detect can be selected to detect the connection. Saturate

83 Terms in Interface Group Interface Group  Allows you to group network interface while each group is isolated from one another. Note: This requ

84 3.1 Example No. Scenario Page 3.1.1 Modifying the LAN Interface (NAT / Routing) 85 3.1.2 Configuring the WAN Interface 87 3.1.3 Using

85 3.1.1 Modifying the LAN Interface (NAT / Routing) Prerequisite Setup (Note: IP addresses used as examples only) Port1 is configured as LAN1 by

86 2. Do not disable HTTP and HTTPS before configuring the settings under System > Administration > Permitted IPs, or the IT administrator may

87 3.1.2 Configuring the WAN Interface Step 1. Go to Network > Interface and then click Port2’s Modify button. Select WAN for Interface Type. St

88 Step 3. Select WAN for Interface Type:  Static IP Address:（Figure 3-4）  Enter the IP Address, Netmask and Default Gateway.  Enter the Max. D