Zyxel NXC5200 [249/720] Firewall

The nxc does not stop or start the system processes when you apply configuration files or run shell scripts although you may temporarily lose access to network resources 33

Features 35

Features and applications 35

Hapter 35

Anomaly detection and prevention adp 36

Anti virus scanner 36

Application patrol 36

Bandwidth management 36

Firewall 36

Intrusion detection and prevention idp 36

Ap management 37

Applications 37

Figure 7 ap management example 37

Wireless security 37

Captive portal 38

Dynamic channel selection 38

Figure 8 applications captive portal 38

Load balancing 38

Device ha 39

User aware access control 39

Access 41

Hapter 41

Overview 41

The web configurator 41

Figure 9 the web configurator s main screen 43

The main screen 43

Chapter 3 the web configurator 44

Figure 10 title bar 44

Figure 11 navigation panel 44

Label description 44

Navigation panel 44

Nxc5200 user s guide 44

Table 4 title bar web configurator icons 44

The icons provide the following functions 44

The title bar provides some useful links that always appear over the screens below regardless of how deep into the web configurator you navigate 44

Title bar 44

Use the menu items on the navigation panel to open screens to configure nxc features click the arrow in the middle of the right edge of the navigation panel to hide the navigation panel menus or drag it to resize them the following sections introduce the nxc s navigation panel menus and their screens 44

Chapter 3 the web configurator 45

Dashboard 45

Folder or link tab function 45

For details on the dashboard s features see chapter 6 on page 103 45

Monitor menu 45

Nxc5200 user s guide 45

Table 5 monitor menu screens summary 45

The dashboard displays general device information system status system resource usage licensed service status and interface status in widgets that you can re arrange to suit your needs 45

The monitor menu screens display status and statistics information 45

Chapter 3 the web configurator 46

Configuration menu 46

Folder or link tab function 46

Nxc5200 user s guide 46

Table 6 configuration menu screens summary 46

Use the configuration menu screens to configure the nxc s features 46

Chapter 3 the web configurator 47

Folder or link tab function 47

Nxc5200 user s guide 47

Table 6 configuration menu screens summary continued 47

Chapter 3 the web configurator 48

Folder or link tab function 48

Nxc5200 user s guide 48

Table 6 configuration menu screens summary continued 48

Chapter 3 the web configurator 49

Figure 12 warning message 49

Folder or link tab function 49

Maintenance menu 49

Nxc5200 user s guide 49

Table 7 maintenance menu screens summary 49

Use the maintenance menu screens to manage configuration and firmware files run diagnostics and reboot or shut down the nxc 49

Warning messages 49

Warning messages such as those resulting from misconfiguration display in a popup window 49

Figure 13 site map 50

Figure 14 object reference 50

Object reference 50

Site map 50

Chapter 3 the web configurator 51

Cli messages 51

Click clear to remove the currently displayed information 51

Click cli to look at the cli commands sent by the web configurator these commands appear in a popup window such as the following 51

Figure 15 cli messages 51

Label description 51

Note see the command reference guide for information about the commands 51

Nxc5200 user s guide 51

Table 8 object references 51

The fields vary with the type of object the following table describes labels that can appear in this screen 51

Console 52

Figure 16 console 52

Note to view the fuctions in the web configurator user interface that correspond directly to specific nxc cli commands use the cli messages window see section 3 on page 51 in tandem with this one 52

Table 9 console 52

Note you can log into the web configurator with a different account than used to log into the nxc through the console 53

Table 9 console continued 53

Manipulating table display 55

Tables and lists 55

Chapter 3 the web configurator 57

Here are descriptions for the most common table icons 57

Label description 57

Nxc5200 user s guide 57

Table 10 common table icons 57

Table 11 common table icons 57

The tables have icons for working with table entries a sample is shown next you can often use the shift or ctrl key to select multiple entries to remove activate or deactivate 57

Use the icons and fields at the bottom of the table to navigate to different pages of entries and control how many entries display at a time 57

Working with table entries 57

Chapter 3 the web configurator 58

Figure 17 working with lists 58

Label description 58

Nxc5200 user s guide 58

Table 11 common table icons continued 58

When a list of available entries displays next to a list of selected entries you can often just double click an entry to move it from one list to the other in some lists you can also use the shift or ctrl key to select multiple entries and then use the arrow button to move them to the other list 58

Working with lists 58

Configuration basics 59

Hapter 59

Object based configuration 59

Overview 59

Chapter 4 configuration basics 60

Ethernet interfaces are the foundation for defining other interfaces and network policies by 60

Interface types 60

Note by default all ethernet interfaces are placed into vlan0 allowing the nxc to function as a bridge device 60

Nxc5200 user s guide 60

Table 12 zones interfaces and physical ethernet ports 60

There are two types of interfaces in the nxc in addition to being used in various features interfaces also describe the network that is directly connected to it 60

Vlan interfaces recognize tagged frames the nxc automatically adds or removes the tags as needed each vlan can only be associated with one ethernet interface 60

Zones groups of interfaces simplify security settings here is an overview of zones interfaces and physical ports in the nxc 60

Zones interfaces and physical ports 60

Example interface and zone configuration 61

Figure 18 default network topology 61

Table 13 nxc sample topology 61

Chapter 4 configuration basics 62

Feature 62

Feature configuration overview 62

Licensing registration 62

Menu item s 62

Note prequisites or where used does not appear if there are no prerequisites or references in other features to this one for example no other features reference ap management entries so there is no where used entry 62

Nxc5200 user s guide 62

Prerequisites 62

This provides a brief description see the appropriate chapter s in this user s guide for more information about any feature 62

This section provides information about configuring the main features in the nxc the features are listed in the same sequence as the menu item s in the web configurator each feature description is organized as shown below 62

Use these screens to register your nxc and subscribe to services like anti virus idp and application patrol you must have internet access to myzyxel com 62

Where used 62

Interface 63

Licensing update 63

Note when you create an interface no security is applied to it until you assign it to a zone first 63

Policy routes 63

Wireless 63

Static routes 64

Anti virus 65

Application patrol 65

Captive portal 65

Firewall 65

Device ha 66

Objects 66

Table 14 objects overview 66

Ap profile 67

Chapter 4 configuration basics 67

Nxc5200 user s guide 67

Object where used 67

Table 14 objects overview 67

Table 15 user types 67

Table 16 ap profile types 67

Type abilities 67

Use these screens to configure preset profiles for the access points aps connected to your nxc s wireless network 67

Use these screens to configure the nxc s administrator and user accounts the nxc provides the following user types 67

User group 67

Dns www ssh telnet ftp and snmp 68

Logs and reports 68

Mon profile 68

System 68

Table 17 mon profile types 68

Diagnostics 69

File manager 69

Shutdown 69

Shutdown or the shutdown command before you turn off the nxc or remove the power not doing so can cause the firmware to become corrupt 69

Hapter 71

Overview 71

Tutorials 71

Figure 19 tutorial network topology 72

Note in this topology vlan 199 is managed by the router responsible for the upstream portion of the network such as a zywall 72

Sample network setup 72

Table 19 tutorial topology summary 72

Chapter 5 tutorials 73

Figure 20 tutorial guest vlan example 73

In this example the guest vlan 102 is highlighted with the connections that it may make over this particular network topology the staff vlan 101 is unhighlighted because it has access to all aspects of the network 73

In this tutorial you will 73

Nxc5200 user s guide 73

Table 20 tutorial tasks summary 73

Task see also 73

Tutorial tasks 73

Set the management vlan vlan99 74

Note you will use this procedure twice once for vlan 101 and the other time for vlan 102 vlan 101 is presented first while vlan 102 is presented second 75

Set the other vlans vlan101 vlan102 75

Configure the aaa object 77

Figure 21 tutorial vlans summary 77

Note unless your ad server is configured to explicitly handle these tutorial settings the test button may not work however it is handy know for future reference 78

Configure the auth method objects staff guest 79

Create the ap profiles staff guest 80

Create the guest user account 83

Configure the captive portal settings 84

Configure the guest firewall rules 85

Table 21 tutorial firewall rules 85

Blocking network protocols 87

Configuring the wlan zone 87

Note for the purposes of this tutorial the firewall rules can be created in any order just so long as they use the settings presented here 87

Configuring the firewall 88

Blocking sub protocols 90

Figure 22 rogue ap example a 92

Rogue ap detection 92

Figure 23 rogue ap example b 93

Figure 24 containing a rogue ap 96

Rogue ap containment 96

Load balancing 97

Dynamic channel selection 98

Technical reference 101

Dashboard 103

Hapter 103

Overview 103

What you can do in this chapter 103

Dashboard 104

Figure 25 dashboard 104

Table 22 dashboard 104

Chapter 6 dashboard 105

Label description 105

Nxc5200 user s guide 105

Table 22 dashboard continued 105

Chapter 6 dashboard 106

Label description 106

Nxc5200 user s guide 106

Table 22 dashboard continued 106

Chapter 6 dashboard 107

Label description 107

Nxc5200 user s guide 107

Table 22 dashboard continued 107

Chapter 6 dashboard 108

Label description 108

Nxc5200 user s guide 108

Table 22 dashboard continued 108

Cpu usage 109

Memory usage 110

Session usage 111

Chapter 6 dashboard 112

Dhcp table 112

Label description 112

Nxc5200 user s guide 112

The following table describes the labels in this screen 112

Use this screen to look at the ip addresses currently assigned to dhcp clients and the ip addresses reserved for specific mac addresses to access this screen click the icon beside dhcp table in the dashboard 112

Chapter 6 dashboard 113

Dhcp table continued 113

Label description 113

Number of login users 113

Nxc5200 user s guide 113

The following table describes the labels in this screen 113

Use this screen to look at a list of the users currently logged into the nxc to access this screen click the dashboard s number of login users icon 113

Hapter 115

Monitor 115

Overview 115

What you can do in this chapter 115

What you need to know 116

Chapter 7 monitor 117

Label description 117

Nxc5200 user s guide 117

Port statistics 117

The following table describes the labels in this screen 117

Chapter 7 monitor 118

Label description 118

Nxc5200 user s guide 118

Port statistics continued 118

Port statistics graph 118

Switch to graphic view 118

The following table describes the labels in this screen 118

Use the port statistics graph to look at a line graph of packet statistics for each physical port to view click port statistics in the status screen and then the switch to graphic view button 118

Chapter 7 monitor 119

Interface status 119

Interface status to access this screen 119

Label description 119

Nxc5200 user s guide 119

Switch to graphic view 119

Chapter 7 monitor 120

Each field is described in the following table 120

Interface status 120

Label description 120

Nxc5200 user s guide 120

Chapter 7 monitor 121

Interface status continued 121

Label description 121

Lan ip with heaviest traffic and how much traffic has been sent to and from each one 121

Most used protocols or service ports and the amount of traffic on each one 121

Most visited web sites and the number of times each one was visited this count may not be accurate in some cases because the nxc counts http get packets 121

Nxc5200 user s guide 121

Traffic statistics 121

Traffic statistics to display this screen this screen provides basic information about the different kinds of data traffic moving through the nxc for example 121

Chapter 7 monitor 122

Label description 122

Nxc5200 user s guide 122

There is a limit on the number of records shown in the report see table 32 on page 124 for more information the following table describes the labels in this screen 122

Traffic statistics 122

You use the traffic statistics screen to tell the nxc when to start and when to stop collecting information for these reports you cannot schedule data collection you have to start and stop it manually in the traffic statistics screen 122

Chapter 7 monitor 123

Label description 123

Nxc5200 user s guide 123

Traffic statistics continued 123

Chapter 7 monitor 124

Destination address 124

Duration so far 124

Label description 124

Number of bytes received so far 124

Number of bytes transmitted so far 124

Nxc5200 user s guide 124

Protocol or service port used 124

Session monitor 124

Source address 124

Table 32 maximum values for reports 124

The following table displays the maximum number of records shown in the report the byte count limit and the hit count limit 124

This screen displays information about active sessions for debugging or statistical analysis it is not possible to manage sessions in this screen the following information is displayed 124

Traffic statistics continued 124

User who started the session 124

You can look at all the active sessions by user service source ip address or destination ip address you can also filter the information by user protocol service or service group source address and or destination address and view it by user 124

Chapter 7 monitor 125

Label description 125

Nxc5200 user s guide 125

Session monitor 125

Session monitor to display the following screen 125

The following table describes the labels in this screen 125

Chapter 7 monitor 126

Label description 126

Nxc5200 user s guide 126

Session monitor continued 126

Chapter 7 monitor 127

Ip mac binding 127

Ip mac binding monitor 127

Ip mac binding to open the ip mac binding monitor screen this screen lists the devices that have received an ip address from nxc interfaces with ip mac binding enabled and have ever established a session with the nxc devices that have never established a session with the nxc do not display in the list 127

Label description 127

Nxc5200 user s guide 127

System status 127

The following table describes the labels in this screen 127

Chapter 7 monitor 128

Label description 128

Login users 128

Nxc5200 user s guide 128

The following table describes the labels in this screen 128

Ap list 129

Ap list icons 129

Chapter 7 monitor 129

Label description 129

Nxc5200 user s guide 129

The following table describes the icons in this screen 129

The following table describes the labels in this screen 129

Ap list icons continued 130

Station count of ap 130

Chapter 7 monitor 131

Label description 131

Nxc5200 user s guide 131

Radio list 131

Station count of ap 131

The following table describes the labels in this screen 131

Ap mode radio information 132

Radio list continued 132

Ap mode radio information 133

Chapter 7 monitor 133

Label description 133

Nxc5200 user s guide 133

Station info to access this screen 133

Station list 133

The following table describes the labels in this screen 133

Chapter 7 monitor 134

Detected device 134

Detected device to access this screen 134

Label description 134

Note at least one of the aps connected to the nxc must be set to monitor mode in order to detect other wireless devices in its vicinity 134

Nxc5200 user s guide 134

Station list 134

The following table describes the labels in this screen 134

Application patrol 135

Application patrol general settings 135

Apppatrol statistics general settings 135

Apppatrol statistics screen to configure what to display 135

Apppatrol statistics to open the following screens 135

Chapter 7 monitor 135

Detected device continued 135

Label description 135

Nxc5200 user s guide 135

The application patrol screens display bandwidth usage graphs and statistics for selected protocols 135

A solid line represents a protocol s incoming bandwidth usage this is the protocol s traffic that the nxc sends to the initiator of the connection 136

Application patrol bandwidth statistics 136

Apppatrol statistic 136

Apppatrol statistics bandwidth statistics 136

Apppatrol statistics general settings 136

Chapter 7 monitor 136

Label description 136

Nxc5200 user s guide 136

Screen displays a bandwidth usage line graph for the selected protocols 136

The following table describes the labels in this screen 136

The middle of the 136

The x axis shows the time period over which the bandwidth usage occurred 136

The y axis represents the amount of bandwidth used 136

A dotted line represents a protocol s outgoing bandwidth usage this is the protocol s traffic that the nxc sends out from the initiator of the connection 137

Application patrol protocol statistics 137

Apppatrol statistics protocol statistics 137

Apppatrol statistics screen displays statistics for each of the selected protocols 137

Chapter 7 monitor 137

Different colors represent different protocols 137

Label description 137

Nxc5200 user s guide 137

The following table describes the labels in this screen 137

Application patrol protocol statistics by rule 138

Apppatrol statistics protocol statistics continued 138

Apppatrol statistics screen displays statistics for each of the selected protocols click a service s name to display this screen with statistics for each of the service s application patrol rules 138

Chapter 7 monitor 138

Label description 138

Nxc5200 user s guide 138

Service 138

The following table describes the labels in this screen 138

Anti virus 139

Anti virus to display the following screen this screen displays anti virus statistics 139

Chapter 7 monitor 139

Label description 139

Nxc5200 user s guide 139

Service continued 139

The following table describes the labels in this screen 139

Anti virus continued 140

Anti virus destination ip 140

Anti virus source ip 140

Chapter 7 monitor 140

Label description 140

Nxc5200 user s guide 140

The statistics display as follows when you display the top entries by destination 140

The statistics display as follows when you display the top entries by source 140

Chapter 7 monitor 141

Idp to display the following screen this screen displays idp intrusion detection and prevention statistics 141

Label description 141

Nxc5200 user s guide 141

The following table describes the labels in this screen 141

Chapter 7 monitor 142

Idp continued 142

Idp destination 142

Idp source 142

Label description 142

Nxc5200 user s guide 142

The statistics display as follows when you display the top entries by destination 142

The statistics display as follows when you display the top entries by source 142

Note when a log reaches the maximum number of log messages new log messages automatically overwrite existing log messages starting with the oldest existing log message first 143

View log 143

Chapter 7 monitor 144

Label description 144

Nxc5200 user s guide 144

The following table describes the labels in this screen 144

View log 144

Chapter 7 monitor 145

Label description 145

Nxc5200 user s guide 145

The web configurator saves the filter settings if you leave the view log screen and return to it later 145

View log continued 145

Chapter 7 monitor 146

Label description 146

Nxc5200 user s guide 146

The following table describes the labels in this screen 146

View ap log 146

View ap log to access this screen 146

Chapter 7 monitor 147

Label description 147

Note this criterion only appears when you show filter 147

Nxc5200 user s guide 147

View ap log 147

Chapter 7 monitor 148

Label description 148

Nxc5200 user s guide 148

View ap log 148

Hapter 151

Overview 151

Registration 151

What you can do in this chapter 151

What you need to know 151

Anti virus engines 152

Intrusion detection and prevention application patrol 152

Subscription services available on the nxc 152

Managed aps 153

Registration 153

Chapter 8 registration 154

Label description 154

Nxc5200 user s guide 154

Registration continued 154

Note if the nxc is registered already this screen is read only and indicates whether trial services are activated if any you can still select the unchecked trial service s to activate it after registration use the service screen to update your service subscription status 155

Registration registered device 155

Service 155

Chapter 8 registration 156

Label description 156

Nxc5200 user s guide 156

Service 156

The following table describes the labels in this screen 156

Hapter 157

Overview 157

Signature update 157

What you can do in this chapter 157

What you need to know 157

Anti virus 158

Anti virus to display the following screen 158

Chapter 9 signature update 158

Label description 158

Nxc5200 user s guide 158

The following table describes the labels in this screen 158

Anti virus continued 159

Chapter 9 signature update 159

Idp apppatrol 159

Idp apppatrol to display the following screen 159

Label description 159

Nxc5200 user s guide 159

The nxc comes with signatures for the idp and application patrol features these signatures are continually updated as new attack types evolve new signatures can be downloaded to the nxc periodically if you have subscribed for the idp apppatrol signatures service 159

You need to create an account at myzyxel com register your nxc and then subscribe for idp service in order to be able to download new packet inspection 159

Chapter 9 signature update 160

Idp apppatrol 160

Label description 160

Nxc5200 user s guide 160

Signatures from myzyxel com see the registration screens use the update idp apppatrol screen to schedule or immediately download idp signatures 160

The following table describes the fields in this screen 160

Idp apppatrol continued 161

System protect 161

Chapter 9 signature update 162

Label description 162

Nxc5200 user s guide 162

System protect 162

The following table describes the fields in this screen 162

Hapter 163

Overview 163

What you can do in this chapter 163

What you need to know 163

Wireless 163

Controller 164

Load balancing wireless 164

Note select the manual option for managing a specific set of aps this is recommended as the registration mechanism cannot automatically differentiate between friendly and rogue aps for details on how to handle rogue aps see section 7 2 on page 134 164

Ap management 165

Ap management to access this screen 165

Chapter 10 wireless 165

Controller screen you set the registration type to always accept then as soon as you remove an ap from this list it reconnects 165

Each field is described in the following table 165

Label description 165

Nxc5200 user s guide 165

Ap management table to display this screen 166

Chapter 10 wireless 166

Each field is described in the following table 166

Edit ap list 166

Label description 166

Nxc5200 user s guide 166

Chapter 10 wireless 167

Edit ap list continued 167

Label description 167

Mon mode 167

Mon mode to access this screen 167

Nxc5200 user s guide 167

Use this screen to assign aps either to the rogue ap list or the friendly ap list a rogue ap is a wireless access point operating in a network s coverage area that is not under the control of the network administrator and which can potentially open up holes in a network s security 167

Chapter 10 wireless 168

Each field is described in the following table 168

Label description 168

Mon mode 168

Nxc5200 user s guide 168

Add edit rogue friendly 169

Add edit rogue friendly list 169

Chapter 10 wireless 169

Each field is described in the following table 169

Label description 169

Mon mode table to display this screen 169

Nxc5200 user s guide 169

Chapter 10 wireless 170

Each field is described in the following table 170

Label description 170

Load balancing 170

Load balancing to access this screen 170

Nxc5200 user s guide 170

Chapter 10 wireless 171

Disassociating and delaying connections 171

For example here the ap has a balanced bandwidth allotment of 6 mbps if laptop r connects and it pushes the ap over its allotment say to 7 mbps then the ap 171

Label description 171

Load balancing continued 171

Note if you enable this function you should ensure that there are multiple aps within the broadcast radius that can accept any rejected or kicked wireless clients otherwise a wireless client attempting to connect to an overloaded ap will be kicked continuously and never be allowed to connect 171

Nxc5200 user s guide 171

When your ap becomes overloaded there are two basic responses it can take the first one is to delay a client connection this means that the ap withholds the connection until the data transfer throughput is lowered or the client connection is picked up by another ap if the client is picked up by another ap then the original ap cannot resume the connection 171

Figure 68 delaying a connection 172

Figure 69 kicking a connection 172

Chapter 10 wireless 173

Dcs to access this screen 173

Each field is described in the following table 173

Label description 173

Note generally speaking the higher the sensitivity level the more frequently the ap switches channels as a consequence anyone connected to the ap will experience more frequent disconnects and reconnects unless you select enable dcs client aware 173

Nxc5200 user s guide 173

Chapter 10 wireless 174

Dcs continued 174

Dynamic channel selection 174

Label description 174

Nxc5200 user s guide 174

Technical reference 174

The following section contains additional technical information about the features described in this chapter 174

When numerous aps broadcast within a given area they introduce the possibility of heightened radio interference especially if some or all of them are broadcasting on the same radio channel if the interference becomes too great then the network administrator must open his ap configuration options and manually change the channel to one that no other ap is using or at least a channel that has a lower level of interferrence in order to give the connected stations a minimum degree of interference dynamic channel selection frees the network administrator from this task by letting the ap do it automatically the ap can scan the area around it looking for the channel with the least amount of interference 174

Figure 71 an example three channel deployment 175

Figure 72 an example four channel deployment 175

Figure 73 an alternative four channel deployment 175

Load balancing 176

Hapter 177

Interface overview 177

Interfaces 177

What you can do in this chapter 177

What you need to know 177

Ethernet summary 178

Types of interfaces 178

Chapter 11 interfaces 179

Each field is described in the following table 179

Ethernet 179

Label description 179

Nxc5200 user s guide 179

Edit ethernet 180

Note if you create ip address objects based on an interface s ip address subnet or gateway the nxc automatically updates every rule or setting that uses the object whenever the interface s ip address settings change for example if you change lan s ip address the nxc automatically updates the corresponding interface based lan subnet address object 180

Chapter 11 interfaces 181

Edit continued 181

Label description 181

Nxc5200 user s guide 181

Chapter 11 interfaces 182

Edit continued 182

Label description 182

Nxc5200 user s guide 182

Chapter 11 interfaces 183

Edit continued 183

Label description 183

Nxc5200 user s guide 183

Chapter 11 interfaces 184

Edit continued 184

Label description 184

Nxc5200 user s guide 184

Chapter 11 interfaces 185

Edit continued 185

Figure 76 object references 185

Label description 185

Nxc5200 user s guide 185

Object references 185

When a configuration screen includes an object references icon select a configuration object and click object references to open the object references screen this screen displays which configuration settings reference the selected object the fields shown vary with the type of object 185

Figure 77 example before vlan 186

Note by default the nxc acts a bridge device this means all interfaces ge1 g8 are grouped together into a single vid vlan0 see section 4 on page 61 for more information on this configuration also note that vlan0 cannot be removed and the vid cannot be changed 186

Table 64 object references 186

Vlan interfaces 186

Figure 78 example after vlan 187

Between the router and vlan 3 188

Chapter 11 interfaces 188

Each field is explained in the following table 188

Label description 188

Nxc5200 user s guide 188

Vlan summary 188

Add edit 189

Add edit vlan 189

Vlan continued 189

Add edit continued 190

Chapter 11 interfaces 190

Label description 190

Nxc5200 user s guide 190

Add edit continued 191

Chapter 11 interfaces 191

Label description 191

Nxc5200 user s guide 191

Add edit continued 192

Chapter 11 interfaces 192

Label description 192

Nxc5200 user s guide 192

Add edit continued 193

Chapter 11 interfaces 193

Label description 193

Nxc5200 user s guide 193

Technical reference 193

The following section contains additional technical information about the features described in this chapter 193

Interface parameters 194

Ip address assignment 194

Table 67 example routing table entry for a gateway 194

Dhcp settings 195

Table 68 example assigning ip addresses from a pool 196

Hapter 197

Overview 197

Policy and static routes 197

What you can do in this chapter 197

What you need to know 197

Diffserv 198

Policy routes versus static routes 198

Static routes 198

Dscp marking and per hop behavior 199

Policy route 199

Chapter 12 policy and static routes 200

Ippr follows the existing packet filtering facility of ras in style and in implementation 200

Label description 200

Nxc5200 user s guide 200

Policy route 200

The following table describes the labels in this screen 200

Chapter 12 policy and static routes 201

Label description 201

Nxc5200 user s guide 201

Policy route continued 201

Add edit 202

Add edit policy route 202

Add edit continued 203

Chapter 12 policy and static routes 203

Label description 203

Nxc5200 user s guide 203

Add edit continued 204

Chapter 12 policy and static routes 204

Label description 204

Note you need to create a firewall rule to allow an incoming service before using a port triggering rule 204

Nxc5200 user s guide 204

Add edit continued 205

Chapter 12 policy and static routes 205

Label description 205

Nxc5200 user s guide 205

Chapter 12 policy and static routes 206

Label description 206

Nxc5200 user s guide 206

Static route 206

Static route to open the static route screen this screen displays the configured static routes 206

The following table describes the labels in this screen 206

Add edit 207

Chapter 12 policy and static routes 207

Label description 207

Nxc5200 user s guide 207

Select a static route index number and click add or edit the screen shown next appears use this screen to configure the required information for a static route 207

Static route setting 207

The following table describes the labels in this screen 207

Assured forwarding af phb for diffserv 208

Nat and snat 208

Table 73 assured forwarding af behavior group 208

Technical reference 208

Port triggering 209

Table 74 wmm to diffserv conversion on the nxc 209

Figure 85 trigger port forwarding example 210

Maximize bandwidth usage 211

Hapter 213

Overview 213

Effects of zones on different types of traffic 214

Extra zone traffic 214

Inter zone traffic 214

Intra zone traffic 214

What you can do in this chapter 214

What you need to know 214

Chapter 13 zones 215

Label description 215

Nxc5200 user s guide 215

The following table describes the labels in this screen 215

Add edit 216

Add edit zone 216

Chapter 13 zones 216

Label description 216

Nxc5200 user s guide 216

The following table describes the labels in this screen 216

This screen allows you to add or edit a zone to access this screen go to the zone screen and click the add icon or an edit icon 216

Hapter 217

Overview 217

What you can do in this chapter 217

Chapter 14 nat 218

Label description 218

Nat summary 218

Nat the following screen appears providing a summary of the existing nat rules 218

Nxc5200 user s guide 218

The following table describes the labels in this screen 218

Add edit 219

Add edit nat 219

Chapter 14 nat 219

Label description 219

Nat continued 219

Nxc5200 user s guide 219

The following table describes the labels in this screen 219

This screen lets you create new nat rules and edit existing ones to open this window open the nat summary screen then click on an add icon or edit icon to open the following screen 219

Add edit continued 220

Chapter 14 nat 220

Label description 220

Nxc5200 user s guide 220

Add edit continued 221

Chapter 14 nat 221

Label description 221

Nxc5200 user s guide 221

Add edit continued 222

Chapter 14 nat 222

Label description 222

Nat loopback 222

Nxc5200 user s guide 222

Suppose a nat 1 1 rule maps a public ip address to the private ip address of a lan smtp e mail server to give wan users access nat loopback allows other users to also use the rule s original ip to access the mail server 222

Technical reference 222

The following section contains additional technical information about the features described in this chapter 222

Hapter 225

Overview 225

What you can do in this chapter 225

Application layer gateway alg nat and firewall 226

Figure 96 h 23 alg example 226

Ftp alg 226

H 23 alg 226

What you need to know 226

Before you begin 227

Peer to peer calls and the nxc 227

Sip alg 227

Voip calls from the wan with multiple outgoing calls 227

Note if the nxc provides an alg for a service you must enable the alg in order to use the application patrol on that service s traffic 228

Chapter 15 alg 229

Label description 229

Nxc5200 user s guide 229

The following table describes the labels in this screen 229

Alg continued 230

Technical reference 230

Hapter 233

Ip mac binding 233

Overview 233

What you can do in this chapter 233

Interfaces used with ip mac binding 234

Ip mac binding summary 234

Summary 234

What you need to know 234

Chapter 16 ip mac binding 235

Edit ip mac binding 235

Edit to open this screen use this screen to configure an interface s ip to mac address binding settings 235

Label description 235

Nxc5200 user s guide 235

Summary 235

The following table describes the labels in this screen 235

Chapter 16 ip mac binding 236

Label description 236

Nxc5200 user s guide 236

The following table describes the labels in this screen 236

Add edit 237

Add edit static dhcp rule 237

Chapter 16 ip mac binding 237

Edit to open this screen click the add or edit icon to open the following screen use this screen to configure an interface s ip to mac address binding settings 237

Label description 237

Nxc5200 user s guide 237

The following table describes the labels in this screen 237

Chapter 16 ip mac binding 238

Exempt list 238

Exempt list to open the ip mac binding exempt list screen use this screen to configure ranges of ip addresses to which the nxc does not apply ip mac binding 238

Ip mac binding exempt list 238

Label description 238

Nxc5200 user s guide 238

The following table describes the labels in this screen 238

Captive portal 239

Hapter 239

Overview 239

Captive portal 240

Note you can configure the look and feel of the captive portal web page on the login page screen see section 17 on page 245 for details 240

What you can do in this chapter 240

Captive portal 241

Chapter 17 captive portal 241

Label description 241

Nxc5200 user s guide 241

The following table describes the labels in this screen 241

Add exceptional services 242

Captive portal continued 242

Chapter 17 captive portal 242

Label description 242

Note if you want 802 x to work properly you must set bootp_client and dns as exceptional services 242

Nxc5200 user s guide 242

The following table describes the labels in this screen 242

This screen allows you to manage exceptions to captive portal interception click the add button in the exceptional services table on the captive portal screen to access this screen 242

Add exceptional services continued 243

Auth policy add edit 243

Chapter 17 captive portal 243

Label description 243

Nxc5200 user s guide 243

The following table describes the labels in this screen 243

This screen allows you to add authentication policies to captive portal interception click the add or edit button for an existing policy in the authentication policy summary table on the captive portal screen to access this screen 243

Auth policy add edit 244

Chapter 17 captive portal 244

Label description 244

Nxc5200 user s guide 244

Login page 245

Chapter 17 captive portal 246

Label description 246

Login page 246

Nxc5200 user s guide 246

Firewall 249

Hapter 249

Overview 249

What you can do in this chapter 249

A zone is a group of interfaces group the nxc s interfaces into different zones based on your needs you can configure firewall rules for data passing between zones or even between interfaces in a zone 250

Chapter 18 firewall 250

Default firewall behavior 250

Firewall rules are grouped based on the direction of travel of packets to which they apply here is the default firewall behavior for traffic going through the nxc in various directions 250

From zone to zone behavior 250

Nxc5200 user s guide 250

Rules with nxc as the to zone apply to traffic going to the nxc itself by default 250

Stateful inspection 250

Table 88 default firewall behavior 250

The firewall allows only lan wan computers to access or manage the nxc 250

The following terms and concepts may help as you read this chapter 250

The nxc drops most packets from the wan zone to the nxc itself except for vrrp traffic for device ha and generates a log 250

The nxc has a stateful inspection firewall the nxc restricts access by screening data packets against defined access rules it also inspects sessions for example traffic from one zone is not allowed unless it is initiated by a computer in another zone first 250

To nxc rules 250

What you need to know 250

Firewall and application patrol 251

Firewall rule criteria 251

Global firewall rules 251

User specific firewall rules 251

Figure 111 blocking all lan to wan irc traffic example 252

Firewall rule example applications 252

Session limits 252

Table 89 blocking all lan to wan irc traffic example 252

Figure 112 limited lan to wan irc traffic example 253

Table 90 limited lan to wan irc traffic example 1 253

Table 91 limited lan to wan irc traffic example 2 254

Firewall rule configuration example 255

Asymmetrical routes 256

Firewall 257

Chapter 18 firewall 258

Firewall 258

Label description 258

Note allowing asymmetrical routes may let traffic from the wan go directly to the lan without passing through the nxc a better solution is to use virtual interfaces to put the nxc and the backup gateway on separate subnets 258

Nxc5200 user s guide 258

The following table describes the labels in this screen 258

The nxc applies nat destination nat settings before applying the firewall rules so for example if you configure a nat entry that sends wan traffic to a lan ip address when you configure a corresponding firewall rule to allow the traffic you need to set the lan ip address as the destination 258

The ordering of your rules is very important as rules are applied in sequence 258

Chapter 18 firewall 259

Firewall continued 259

Label description 259

Nxc5200 user s guide 259

Add edit 260

Add edit firewall screen 260

Chapter 18 firewall 260

Firewall continued 260

In the firewall screen click the edit or add icon to display this screen 260

Label description 260

Nxc5200 user s guide 260

The following table describes the labels in this screen 260

Add edit continued 261

Chapter 18 firewall 261

Label description 261

Note if you specified a source ip address group instead of any in the field below the user s ip address should be within the ip address range 261

Nxc5200 user s guide 261

Chapter 18 firewall 262

Label description 262

Nxc5200 user s guide 262

Session limit 262

Session limit to display the firewall session limit screen use this screen to limit the number of concurrent nat firewall sessions a client can use you can apply a default limit for all users and individual limits for specific users addresses or both the individual limit takes priority if you apply both 262

The following table describes the labels in this screen 262

Add edit 263

Add edit session limit 263

Chapter 18 firewall 263

Label description 263

Nxc5200 user s guide 263

Session limit and the add or edit icon to display the firewall session limit edit screen use this screen to configure rules that define a session limit for specific users or addresses 263

Session limit continued 263

The following table describes the labels in this screen 263

Add edit continued 264

Chapter 18 firewall 264

Label description 264

Note if you specified an ip address or address group instead of any in the field below the user s ip address should be within the ip address range 264

Nxc5200 user s guide 264

Application patrol 265

Hapter 265

Overview 265

What you can do in this chapter 265

Classification of applications 266

Configurable application policies 266

Note the nxc allows the first eight packets to go through the firewall regardless of the application patrol policy for the application the nxc examines these first eight packets to identify the application 266

Note the nxc checks firewall rules before it checks application patrol rules for traffic going through the nxc 266

What you need to know 266

Bandwidth management 267

Custom ports for sip and the sip alg 267

Diffserv and dscp marking 267

Note bandwidth management in policy routes has priority over application patrol bandwidth management it is recommended to use application patrol instead of policy routes to manage the bandwidth of tcp and udp traffic 267

Bandwidth management priority 268

Connection and packet directions 268

Figure 117 lan to wlan outbound 200 kbps inbound 500 kbps 268

Outbound and inbound bandwidth limits 268

Bandwidth management behavior 269

Bwm 1000 kbps 269

Configured rate effect 269

Figure 118 bandwidth management behavior 269

Maximize bandwidth usage 269

Note this section uses examples that assume the device is operating in routing mode not bridge mode 269

Table 96 configured rate effect 269

Maximize bandwidth usage effect 270

Priority and over allotment of bandwidth effect 270

Priority effect 270

Table 97 priority effect 270

Table 98 maximize bandwidth usage effect 270

Table 99 priority and over allotment of bandwidth effect 270

Application patrol bandwidth management examples 271

Bandwidth management is very useful when applications are competing for limited bandwidth for example say you have a wan zone interface connected to an adsl device with a 8 mbps downstream and 1 mbps upstream adsl connection the following sections give some simplified examples of using application patrol policies to manage applications competing for that 1 mbps of upstream bandwidth 271

Chapter 19 application patrol 271

Figure 119 application patrol bandwidth management example 271

Ftp traffic from the lan1 to the dmz can use more bandwidth since the interfaces support up to 1 gbps connections but it must be the lowest priority and limited so it does not interfere with sip and http traffic 271

Ftp traffic from the wan to the dmz must be limited so it does not interfere with sip and http traffic 271

Here is an overview of what the rules need to accomplish see the following sections for more details 271

Http traffic needs to be given priority over ftp traffic 271

Note the following examples assume the nxc is operating in routing mode not in bridge mode in bridge mode there are only two zones lan and wlan in routing mode you can configure any of the zones described here 271

Nxc5200 user s guide 271

Sip traffic from vip users must get through with the least possible delay regardless of if it is an outgoing call or an incoming call the vip users must be able to make and receive sip calls no matter which interface they are connected to 271

Chapter 19 application patrol 272

Highest priority 1 set policies for other applications to lower priorities so the sip traffic always gets the best treatment 272

Inbound traffic to the lan and dmz from the wan is also limited to 200 kbps the nxc applies this limit before sending the traffic to lan or dmz 272

Manage sip traffic going to the wan zone from a vip user on the lan or dmz 272

Nxc5200 user s guide 272

Outbound traffic to the wan from the lan and dmz is limited to 200 kbps the nxc applies this limit before sending the traffic to the wan 272

Setting the interface s bandwidth 272

Sip any to wan bandwidth management example 272

Use the interface screens to set the wan zone interface s upstream bandwidth to be equal to or slightly less than what the connected device can support this example uses 1000 kbps 272

Figure 120 sip any to wan bandwidth management example 273

Figure 121 http any to wan bandwidth management example 273

Http any to wan bandwidth management example 273

Inbound 200 kbps 273

Inbound 500 kbps 273

Outbound 200 kbps 273

Sip wan to any bandwidth management example 273

Bwm outbound 50 mbps 274

Figure 122 ftp wan to dmz bandwidth management example 274

Figure 123 ftp lan to dmz bandwidth management example 274

Ftp lan to dmz bandwidth management example 274

Ftp wan to dmz bandwidth management example 274

Inbound 100 kbps 274

Inbound 50 mbps 274

Outbound 300 kbps 274

Application patrol common applications 275

Chapter 19 application patrol 275

Common applications 275

Common to open the following screen 275

Label description 275

Nxc5200 user s guide 275

The following table describes the labels in this screen 275

Use the application patrol common instant messenger peer to peer voip or streaming screen to manage traffic of individual applications 275

Use the common screen shown here as an example to manage traffic of the most commonly used web file transfer and e mail protocols 275

Chapter 19 application patrol 276

Edit application 276

Figure 125 edit application 276

Label description 276

Nxc5200 user s guide 276

Table 101 edit application 276

The following table describes the labels in this screen 276

Use this screen to edit the settings for an application to access this screen go to the application patrol common instant messenger peer to peer voip or streaming screen and click an application s edit icon the screen displayed here is for the msn instant messenger service 276

Chapter 19 application patrol 277

Label description 277

Note the nxc checks conditions in the order they appear in the list while this sequence does not affect the functionality you might improve the performance of the nxc by putting more common conditions at the top of the list 277

Note the nxc checks ports in the order they appear in the list while this sequence does not affect the functionality you might improve the performance of the nxc by putting more commonly used ports at the top of the list 277

Nxc5200 user s guide 277

Table 101 edit application continued 277

Chapter 19 application patrol 278

Label description 278

Nxc5200 user s guide 278

Table 101 edit application continued 278

Add edit policy 279

Figure 126 add edit policy 279

Table 101 edit application continued 279

Table 102 add edit policy 279

Chapter 19 application patrol 280

Label description 280

Nxc5200 user s guide 280

Table 102 add edit policy continued 280

Chapter 19 application patrol 281

Label description 281

Nxc5200 user s guide 281

Other applications 281

Sometimes the nxc cannot identify the application for example the application might be a new application or the packets might arrive out of sequence the nxc does not reorder packets when identifying the application 281

Table 102 add edit policy continued 281

The other applications screen controls the default policy for tcp and udp traffic that the nxc cannot identify you can use source zone destination zone destination port schedule user source and destination information as criteria to create a sequence of specific conditions similar to the sequence of rules used by firewalls to specify what the nxc should do more precisely you can also control 281

Chapter 19 application patrol 282

Label description 282

Note the nxc checks conditions in the order they appear in the list while this sequence does not affect the functionality you might improve the performance of the nxc by putting more common conditions at the top of the list 282

Nxc5200 user s guide 282

Other to open the other screen 282

The bandwidth used by these other applications this screen also allows you to add edit and remove conditions to this default policy 282

The following table describes the labels in this screen 282

Chapter 19 application patrol 283

Label description 283

Nxc5200 user s guide 283

Other continued 283

Add edit 284

Add edit policy 284

Chapter 19 application patrol 284

Label description 284

Nxc5200 user s guide 284

Other continued 284

The following table describes the labels in this screen 284

This screen allows you to create a new condition or edit an existing one to access this screen go to the other protocol screen and click either the add icon or an edit icon 284

Add edit continued 285

Chapter 19 application patrol 285

Label description 285

Nxc5200 user s guide 285

Add edit continued 286

Chapter 19 application patrol 286

Label description 286

Nxc5200 user s guide 286

Anti virus 287

Hapter 287

Overview 287

What you can do in this chapter 287

Anti virus engines 288

How the nxc anti virus scanner works 288

Nxc anti virus scanner 288

Virus and worm 288

What you need to know 288

Before you begin 289

Note since the nxc erases the infected portion of the file before sending it you may not be able to open the file 289

Notes about the nxc anti virus 289

Anti virus summary 290

General 290

Chapter 20 anti virus 291

General continued 291

Label description 291

Nxc5200 user s guide 291

Chapter 20 anti virus 292

General continued 292

Label description 292

Nxc5200 user s guide 292

Add edit 293

Add edit rule 293

Chapter 20 anti virus 293

General screen to display this configuration screen 293

Label description 293

Nxc5200 user s guide 293

The following table describes the labels in this screen 293

Add edit continued 294

Chapter 20 anti virus 294

Label description 294

Note the nxc decompresses a zip file once the nxc does not decompress any zip file s within a zip file 294

Note the nxc s firmware package cannot go through the nxc with this option enabled the nxc classifies the firmware package as not being able to be decompressed and deletes it 294

Note when you select this option the nxc deletes zip files that use password encryption 294

Nxc5200 user s guide 294

Add edit continued 295

Black list 295

Black white list to display this screen use the black list screen to set up the anti virus black blocked list of virus file patterns click a column s heading cell to sort the table entries by that column s criteria click the heading cell again to reverse the sort order 295

Chapter 20 anti virus 295

Label description 295

Nxc5200 user s guide 295

The following table describes the labels in this screen 295

Add edit pattern 296

Black list 296

Add edit pattern 297

Chapter 20 anti virus 297

Label description 297

Nxc5200 user s guide 297

The following table describes the labels in this screen 297

Chapter 20 anti virus 298

Label description 298

Nxc5200 user s guide 298

The following table describes the labels in this screen 298

White list 298

White list to display the screen shown next use the black white list screen to set up anti virus black blocked and white allowed lists of virus file patterns click a column s heading cell to sort the table entries by that column s criteria click the heading cell again to reverse the sort order 298

Signature 299

Chapter 20 anti virus 300

Label description 300

Nxc5200 user s guide 300

Signature 300

The following table describes the labels in this screen 300

Computer virus infection and prevention 301

Table 111 common computer virus types 301

Technical reference 301

Types of computer viruses 301

Types of anti virus scanner 302

Hapter 303

Overview 303

What you can do in this chapter 303

What you need to know 303

Applying your idp configuration 304

Base idp profiles 304

Before you begin 304

Idp policies 304

Idp profiles 304

Idp summary 304

Note you can only apply one idp profile to one traffic flow 304

Note you must register in order to use packet inspection signatures see the registration screens 304

Chapter 21 idp 305

General 305

If you try to enable idp when the idp service has not yet been registered a warning screen displays and idp is not enabled 305

Label description 305

Nxc5200 user s guide 305

The following table describes the screens in this screen 305

Chapter 21 idp 306

General continued 306

Label description 306

Note depending on your network topology and traffic load binding every packet direction to an idp profile may affect the nxc s performance 306

Nxc5200 user s guide 306

General continued 307

Profile 307

Profile summary 307

Base profile description 308

Base profiles 308

Chapter 21 idp 308

Figure 138 base profiles 308

Label description 308

Nxc5200 user s guide 308

Profile 308

Profile screen click add to display the following screen 308

Table 114 base profiles 308

The following table describes the fields in this screen 308

The following table describes this screen 308

Base profile description 309

Chapter 21 idp 309

Creating new profiles 309

Nxc5200 user s guide 309

Profile screen to display a pop up screen allowing you to choose a base profile 309

Table 114 base profiles continued 309

To create a new profile 309

You could create a new monitor profile that creates logs but all actions are disabled observe the logs over time and try to eliminate the causes of the false alarms when you re satisfied that they have been reduced to an acceptable level you could then create an inline profile whereby you configure appropriate actions to be taken when a packet matches a signature 309

You may also find that certain signatures are triggering too many false positives or false negatives a false positive is when valid traffic is flagged as an attack a false negative is when invalid traffic is wrongly allowed to pass through the nxc as each network is different false positives and false negatives are common on initial idp deployment 309

You may want to create a new profile if not all signatures in a base profile are applicable to your network in this case you should disable non applicable signatures so as to improve nxc idp processing efficiency 309

Note if internet explorer opens a warning screen about a script making internet explorer run slowly and the computer maybe becoming unresponsive just click no to continue 310

Add edit profile 311

Add edit profile 312

Chapter 21 idp 312

Label description 312

Nxc5200 user s guide 312

The following table describes the fields in this screen 312

Add edit profile continued 313

Chapter 21 idp 313

Label description 313

Nxc5200 user s guide 313

Add edit profile continued 314

Chapter 21 idp 314

Label description 314

Nxc5200 user s guide 314

Policy type description 314

Policy types 314

Table 116 policy types 314

This section describes idp policy types also known as attack types as categorized in the nxc you may refer to these types when categorizing your own custom rules 314

Chapter 21 idp 315

Nxc5200 user s guide 315

Policy type description 315

Table 116 policy types continued 315

An idp service group is a set of related packet inspection signatures 316

Chapter 21 idp 316

Edit profile 316

Idp service groups 316

Logs and actions applied to a service group apply to all signatures within that group if you select original setting for service group logs and or actions all signatures within that group are returned to their last saved settings 316

Nxc5200 user s guide 316

Table 117 idp service groups 316

The following figure shows the web_php service group that contains signatures related to attacks on web servers using php exploits php php hypertext preprocessor is a server side html embedded scripting language that allows web developers to build dynamic websites 316

Chapter 21 idp 317

Click switch to query view in the edit profile screen to display the signature query screen in the query view screen you can search for signatures by criteria such as name id severity attack type vulnerable attack platforms service category log options or actions 317

Edit profile 317

Label description 317

Nxc5200 user s guide 317

Query view screen 317

The following table describes the fields specific to this screen s query view 317

Chapter 21 idp 318

Edit profile continued 318

Label description 318

Nxc5200 user s guide 318

Figure 142 query example search results 319

Query example 319

Chapter 21 idp 320

Create custom signatures for new attacks or attacks peculiar to your network custom signatures can also be saved to from your computer so as to share with others you need some knowledge of packet headers and attack types to create your own custom signatures 320

Custom idp signatures 320

Figure 143 ip v4 packet headers 320

Header description 320

Ip packet header 320

Nxc5200 user s guide 320

Table 119 ip v4 packet headers 320

The header fields are discussed below 320

These are the fields in an internet protocol ip version 4 packet header 320

Chapter 21 idp 321

Custom signature s the first screen shows a summary of all custom signatures created click the sid or name heading to sort click the add icon to create a new signature or click the edit icon to edit an existing signature you can also delete custom signatures here or save them to your computer 321

Custom signatures 321

Header description 321

Nxc5200 user s guide 321

Table 119 ip v4 packet headers continued 321

Chapter 21 idp 322

Custom signatures 322

Label description 322

Nxc5200 user s guide 322

The following table describes the fields in this screen 322

The nxc checks all signatures and continues searching even after a match is found if two or more rules have conflicting actions for the same packet then the nxc applies the more restrictive action reject both reject receiver or reject sender drop none in this order if a packet matches a rule for reject receiver and it also matches a rule for reject sender then the nxc will reject both 322

A packet must match all items you configure in this screen before it matches the signature the more specific your signature including packet contents then the fewer false positives the signature will trigger 323

Add edit custom signature 323

Chapter 21 idp 323

Custom signatures continued 323

In the custom signatures screen click the add icon to create a new signature or click the edit icon to edit an existing signature 323

Label description 323

Note the name of the complete custom signature file on the nxc is custom rules if you import a file named custom rules then all custom signatures on the nxc are overwritten with the new file if this is not your intention make sure that the files you import are not named custom rules 323

Nxc5200 user s guide 323

Add edit 324

Add edit 325

Chapter 21 idp 325

Label description 325

Nxc5200 user s guide 325

Add edit continued 326

Chapter 21 idp 326

Label description 326

Nxc5200 user s guide 326

Add edit continued 327

Chapter 21 idp 327

Label description 327

Nxc5200 user s guide 327

Add edit continued 328

Chapter 21 idp 328

Label description 328

Nxc5200 user s guide 328

Add edit continued 329

Custom signature example 329

Understand the vulnerability 329

Analyze packets 330

Figure 146 dns query packet details 330

Applying custom signatures 331

Figure 147 example custom signature 331

Figure 148 example custom signature in idp profile 332

Verifying custom signatures 332

Figure 149 custom signature log 333

Host intrusions 333

Technical reference 333

Network intrusions 334

Snort signatures 334

Table 122 nxc snort equivalent terms 334

Chapter 21 idp 335

Note not all snort functionality is supported in the nxc 335

Nxc term snort equivalent term 335

Nxc5200 user s guide 335

Table 122 nxc snort equivalent terms continued 335

Hapter 337

Overview 337

What you can do in this chapter 337

What you need to know 337

Adp policy 338

Adp profile 338

Base adp profiles 338

Before you begin 338

Protocol anomalies 338

Adp summary 339

Chapter 22 adp 339

General 339

General use this screen to turn anomaly detection on or off and apply anomaly profiles to traffic directions 339

Label description 339

Nxc5200 user s guide 339

The following table describes the screens in this screen 339

Chapter 22 adp 340

Create a new profile using an existing base profile 340

Delete an existing profile 340

Edit an existing profile 340

General continued 340

Label description 340

Note depending on your network topology and traffic load applying every packet direction to an anomaly profile may affect the nxc s performance 340

Nxc5200 user s guide 340

Profile summary 340

Use this screen to 340

Base profiles 341

Figure 152 base profiles 341

Profile 341

Creating new adp profiles 342

Table 125 base profiles 342

Traffic anomaly profiles 342

Traffic anomaly 343

Chapter 22 adp 344

Label description 344

Nxc5200 user s guide 344

The following table describes the fields in this screen 344

Traffic anomaly 344

Chapter 22 adp 345

Label description 345

Nxc5200 user s guide 345

Profile screen click the edit icon or click the add icon and choose a base profile then select the protocol anomaly tab if you made changes to other screens belonging to this profile make sure you have clicked ok or save to save the changes before selecting the protocol anomaly tab 345

Protocol anomaly configuration 345

Protocol anomaly detection includes http inspection tcp decoder udp decoder and icmp decoder where each category reflects the packet type inspected 345

Protocol anomaly is the third screen in an adp profile protocol anomaly pa rules check for protocol compliance against the relevant rfc request for comments 345

Protocol anomaly profiles 345

Protocol anomaly rules may be updated when you upload new firmware 345

Traffic anomaly continued 345

Protocol anomaly 346

Chapter 22 adp 347

Label description 347

Nxc5200 user s guide 347

Protocol anomaly 347

The following table describes the fields in this screen 347

Chapter 22 adp 348

Label description 348

Nxc5200 user s guide 348

Protocol anomaly continued 348

Decoy port scans 349

Port scanning 349

Protocol anomaly continued 349

Technical reference 349

Distributed port scans 350

Filtered port scans 350

Port sweeps 350

Figure 155 smurf attack 351

Flood detection 351

Icmp flood attack 351

Figure 156 tcp three way handshake 352

Figure 157 syn flood 352

Tcp syn flood attack 352

Chapter 22 adp 353

Http inspection and tcp udp icmp decoders 353

In a land attack hackers flood syn packets into a network with a spoofed source ip address of the network itself this makes it appear as if the computers in the network sent the packets to themselves so the network is unavailable while they try to respond to themselves 353

Label description 353

Land attack 353

Nxc5200 user s guide 353

Table 128 http inspection and tcp udp icmp decoders 353

The following table gives some information on the http inspection tcp decoder udp decoder and icmp decoder nxc protocol anomaly rules 353

Udp flood attack 353

Udp is a connection less protocol and it does not require any connection setup procedure to transfer data a udp flood attack is possible when an attacker sends a udp packet to a random port on the victim system when the victim system receives a udp packet it will determine what application is waiting on the destination port when it realizes that there is no application that is waiting on the port it will generate an icmp packet of destination unreachable to the forged source address if enough udp packets are delivered to ports on victim the system will go down 353

Chapter 22 adp 354

Label description 354

Nxc5200 user s guide 354

Table 128 http inspection and tcp udp icmp decoders continued 354

Chapter 22 adp 355

Label description 355

Nxc5200 user s guide 355

Table 128 http inspection and tcp udp icmp decoders continued 355

Chapter 22 adp 356

Label description 356

Nxc5200 user s guide 356

Table 128 http inspection and tcp udp icmp decoders continued 356

Device ha 357

Hapter 357

Overview 357

What you can do in this chapter 357

Before you begin 358

Management access 358

Note only nxcs of the same model and firmware version can synchronize 358

Note subscribe to services on the backup nxc before synchronizing it with the master nxc 358

Synchronization 358

What you need to know 358

Chapter 23 device ha 359

Device ha general 359

Device ha general to display 359

General 359

Label description 359

Note it is not recommended to use stp spanning tree protocol with device ha 359

Nxc5200 user s guide 359

The following table describes the labels in this screen 359

Chapter 23 device ha 360

General continued 360

Label description 360

Nxc5200 user s guide 360

Active passive mode 361

Active passive mode 362

Chapter 23 device ha 362

Label description 362

Note do not set this field to master for two or more nxcs in the same virtual router same cluster id 362

Nxc5200 user s guide 362

The following table describes the labels in this screen 362

Active passive mode continued 363

Chapter 23 device ha 363

Label description 363

Nxc5200 user s guide 363

Active passive mode continued 364

Edit monitored interface 364

Chapter 23 device ha 365

Edit monitored interface 365

Label description 365

Note do not connect the bridge interfaces on two nxcs without device ha activated on both doing so could cause a broadcast storm 365

Nxc5200 user s guide 365

The following table describes the labels in this screen 365

Cluster id 366

Figure 162 virtual router 366

Technical reference 366

Virtual router 366

Figure 163 cluster ids for multiple virtual routers 367

Monitored interfaces in active passive mode device ha 367

Virtual router and management ip addresses 367

Active passive mode device ha with bridge interfaces 368

Figure 164 management ip addresses 368

First option for connecting the bridge interfaces on two nxcs 368

Br0 ge4 ge5 370

Br0 ge4 ge5 disabled 370

Disabled 370

Second option for connecting the bridge interfaces on two nxcs 370

Br0 ge4 ge5 371

Synchronization 371

Hapter 373

Overview 373

User group 373

What you can do in this chapter 373

What you need to know 373

Ext group user accounts 374

Ext user accounts 374

Note if the nxc tries to authenticate an 374

Note the default admin account is always authenticated locally regardless of the authentication method setting 374

Table 132 types of user accounts 374

User types 374

Using the local database the attempt always fails 374

Ext server accounts 375

Note you cannot put access users and admin users in the same user group 375

Note you cannot put the default admin account into any user group 375

User awareness 375

User groups 375

User role priority 375

Add edit user 376

Rules for user names 376

User summary 376

Add edit a user 377

Alphanumeric a z 0 9 there is no unicode support 377

Chapter 24 user group 377

Dashes 377

Here are the reserved user names 377

Nxc5200 user s guide 377

The first character must be alphabetical a z a z an underscore _ or a dash other limitations on user names are 377

To access this screen go to the user screen and click add or edit 377

User names are case sensitive if you enter a user bob but use bob when connecting via cifs or ftp it will use the account settings used for bob not bob 377

User names have to be different than user group names 377

_ underscores 377

Add edit a user 378

Chapter 24 user group 378

Label description 378

Nxc5200 user s guide 378

The following table describes the labels in this screen 378

Add edit a user continued 379

Chapter 24 user group 379

Group summary 379

Label description 379

Nxc5200 user s guide 379

The following table describes the labels in this screen 379

Add edit group 380

Group continued 380

Add edit group continued 381

Chapter 24 user group 381

Label description 381

Nxc5200 user s guide 381

Setting 381

This screen controls default settings login settings lockout settings and other user settings for the nxc you can also use this screen to specify when users must log in to the nxc before it routes traffic for them 381

Chapter 24 user group 382

Label description 382

Nxc5200 user s guide 382

Setting 382

The following table describes the labels in this screen 382

Chapter 24 user group 383

Label description 383

Nxc5200 user s guide 383

Setting continued 383

Chapter 24 user group 384

Edit user authentication timeout settings 384

Label description 384

Nxc5200 user s guide 384

Setting continued 384

This screen allows you to set the default authentication timeout settings for the selected type of user account these default authentication timeout settings also control the settings for any existing user accounts that are set to use the default settings you can still manually configure any user account s authentication timeout settings 384

Chapter 24 user group 385

Edit user authentication timeout settings 385

Label description 385

Nxc5200 user s guide 385

Setting screen and click one of the default authentication timeout settings section s edit icons 385

The following table describes the labels in this screen 385

Access users cannot use the web configurator to browse the configuration of the nxc instead after access users log into the nxc the following screen appears 386

Chapter 24 user group 386

Figure 171 user aware login 386

Label description 386

Nxc5200 user s guide 386

Table 139 user aware login 386

The following table describes the labels in this screen 386

User aware login example 386

Ap profile 387

Hapter 387

Overview 387

What you can do in this chapter 387

What you need to know 387

Ieee 802 x 388

Note you can have a maximum of 64 radio profiles on the nxc 388

Radiot 388

Wpa and wpa2 388

Add edit profile 389

Add edit radio profile 389

Chapter 25 ap profile 389

Label description 389

Nxc5200 user s guide 389

The following table describes the labels in this screen 389

This screen allows you to create a new radio profile or edit an existing one to access this screen click the add button or select a radio profile from the list and click the edit button 389

Add edit profile 390

Chapter 25 ap profile 390

Label description 390

Nxc5200 user s guide 390

The following table describes the labels in this screen 390

Add edit profile continued 391

Chapter 25 ap profile 391

Label description 391

Note reducing the output power also reduces the nxc s effective broadcast radius 391

Nxc5200 user s guide 391

Add edit profile continued 392

Note you can have a maximum of 64 ssid profiles on the nxc 392

Ssid list 392

Add edit ssid profile 393

Chapter 25 ap profile 393

Label description 393

Nxc5200 user s guide 393

Ssid list 393

The following table describes the labels in this screen 393

This screen allows you to create a new ssid profile or edit an existing one to access this screen click the add button or select an ssid profile from the list and click the edit button 393

Add edit ssid profile 394

Chapter 25 ap profile 394

Label description 394

Note it is highly recommended that you create security profiles for all of your ssids to enhance your network security 394

Nxc5200 user s guide 394

The following table describes the labels in this screen 394

Add edit ssid profile continued 395

Chapter 25 ap profile 395

Label description 395

Nxc5200 user s guide 395

Chapter 25 ap profile 396

Label description 396

Note you can have a maximum of 64 security profiles on the nxc 396

Nxc5200 user s guide 396

Security list 396

The following table describes the labels in this screen 396

This screen allows you to manage wireless security configurations that can be used by your ssids wireless security is implemented strictly between the ap broadcasting the ssid and the stations that are connected to it 396

Add edit security profile 397

Chapter 25 ap profile 397

Label description 397

Note this screen s options change based on the security mode selected only the default screen is displayed here 397

Nxc5200 user s guide 397

Security profileadd edit security profile 397

The following table describes the labels in this screen 397

This screen allows you to create a new security profile or edit an existing one to access this screen click the add button or select a security profile from the list and click the edit button 397

Add edit security profile continued 398

Chapter 25 ap profile 398

Label description 398

Nxc5200 user s guide 398

Add edit security profile continued 399

Chapter 25 ap profile 399

Label description 399

Mac filter list 399

Note you can have a maximum of 64 mac filtering profiles on the nxc 399

Nxc5200 user s guide 399

The following table describes the labels in this screen 399

Add edit mac filter profile 400

Chapter 25 ap profile 400

Label description 400

Nxc5200 user s guide 400

The following table describes the labels in this screen 400

This screen allows you to create a new mac filtering profile or edit an existing one to access this screen click the add button or select a mac filter profile from the list and click the edit button 400

Hapter 401

Mon profile 401

Overview 401

What you can do in this chapter 401

What you need to know 401

Chapter 26 mon profile 402

Label description 402

Mon profile 402

Nxc5200 user s guide 402

The following table describes the labels in this screen 402

Add edit mon profile 403

Chapter 26 mon profile 403

Label description 403

Nxc5200 user s guide 403

The following table describes the labels in this screen 403

This screen allows you to create a new monitor mode profile or edit an existing one to access this screen click the add button or select and existing monitor mode profile and click the edit button 403

Add edit mon profile continued 404

Chapter 26 mon profile 404

Figure 182 rogue ap example 404

Label description 404

Nxc5200 user s guide 404

Rogue aps 404

Rogue aps are wireless access points operating in a network s coverage area that are not under the control of the network s administrators and can open up holes in a network s security attackers can take advantage of a rogue ap s weaker or non existent security to gain access to the network or set up their own rogue aps in order to capture information from wireless clients if a scan reveals a rogue ap you can use commercially available software to physically locate it 404

Technical reference 404

The following section contains additional technical information about the features described in this chapter 404

Friendly aps 405

Address summary 407

Addresses 407

Hapter 407

Overview 407

What you can do in this chapter 407

What you need to know 407

Address click a column s heading cell to sort the table entries by that column s criteria click the heading cell again to reverse the sort order 408

Address summary 408

Chapter 27 addresses 408

Label description 408

Nxc5200 user s guide 408

Range a range address is defined by a starting ip address and an ending ip address 408

Subnet a network address is defined by a network ip address and netmask subnet mask 408

The following table describes the labels in this screen 408

Add edit 409

Add edit address 409

Chapter 27 addresses 409

Label description 409

Note the nxc automatically updates address objects that are based on an interface s ip address subnet or gateway if the interface s ip address settings change for example if you change ge1 s ip address the nxc automatically updates the corresponding interface based lan subnet address object 409

Nxc5200 user s guide 409

The add edit address screen allows you to create a new address or edit an existing one to access this screen go to the address screen and click either the add icon or an edit icon 409

The following table describes the labels in this screen 409

Add edit continued 410

Address group 410

Address group click a column s heading cell to sort the table entries by that column s criteria click the heading cell again to reverse the sort order 410

Address group summary 410

Chapter 27 addresses 410

Label description 410

Nxc5200 user s guide 410

The following table describes the labels in this screen 410

Add edit 411

Add edit address group rule 411

Chapter 27 addresses 411

Label description 411

Nxc5200 user s guide 411

The add edit address group rule screen allows you to create a new address group or edit an existing one to access this screen go to the address group screen and click either the add icon or an edit icon 411

The following table describes the labels in this screen 411

Hapter 413

Overview 413

Services 413

What you can do in this chapter 413

What you need to know 413

Service objects and service groups 414

Chapter 28 services 415

Label description 415

Nxc5200 user s guide 415

Service 415

Service click a column s heading cell to sort the table entries by that column s criteria click the heading cell again to reverse the sort order 415

Service summary 415

The following table describes the labels in this screen 415

The service summary screen provides a summary of all services and their definitions in addition this screen allows you to add edit and remove services 415

Add edit 416

Add edit service rule 416

Chapter 28 services 416

Label description 416

Nxc5200 user s guide 416

Service continued 416

The add edit service rule screen allows you to create a new service or edit an existing one to access this screen go to the service screen and click either the add icon or an edit icon 416

The following table describes the labels in this screen 416

Chapter 28 services 417

Label description 417

Nxc5200 user s guide 417

Service group 417

Service group summary 417

The following table describes the labels in this screen 417

The service group summary screen provides a summary of all service groups in addition this screen allows you to add edit and remove service groups 417

Add edit 418

Add edit service group rule 418

Chapter 28 services 418

Label description 418

Nxc5200 user s guide 418

The add edit service group rule screen allows you to create a new service group or edit an existing one to access this screen go to the service group screen and click either the add icon or an edit icon 418

The following table describes the labels in this screen 418

Hapter 419

Overview 419

Schedules 419

What you can do in this chapter 419

What you need to know 419

Chapter 29 schedules 420

Label description 420

Nxc5200 user s guide 420

Schedule 420

Schedule summary 420

The following table describes the labels in this screen 420

Add edit one time 421

Add edit schedule one time rule 421

Chapter 29 schedules 421

Label description 421

Nxc5200 user s guide 421

Schedule continued 421

The add edit schedule one time rule screen allows you to define a one time schedule or edit an existing one to access this screen go to the schedule screen and click either the add icon or an edit icon in the one time section 421

The following table describes the labels in this screen 421

Add edit one time continued 422

Add edit recurring 422

Add edit schedule recurring rule 422

Chapter 29 schedules 422

Label description 422

Nxc5200 user s guide 422

The add edit schedule recurring rule screen allows you to define a recurring schedule or edit an existing one to access this screen go to the schedule screen and click either the add icon or an edit icon in the recurring section 422

Add edit recurring 423

Chapter 29 schedules 423

Label description 423

Nxc5200 user s guide 423

The year month and day columns are not used in recurring schedules and are disabled in this screen the following table describes the remaining labels in this screen 423

Aaa server 425

Hapter 425

Overview 425

What you can do in this chapter 425

What you need to know 425

Figure 195 radius server network example 426

Radius server 426

Aaa servers supported by the nxc 427

Authentication capability list 427

Chapter 30 aaa server 427

Directory service ldap ad 427

Internal authentcation method external radius 427

Ldap lightweight directory access protocol ad active directory is a directory service that is both a directory and a protocol for controlling access to a network the directory consists of a database specialized for fast information retrieval and filtering activities you create and store user profile and login information on the external server 427

Local user database 427

Note because the nxc has an internal authentication database you can create local login accounts on it without needing to rely on an external authentication server the built in authentication server supports peap eap tls eap ttls 427

Nxc5200 user s guide 427

Radius 427

Radius remote authentication dial in user service authentication is a popular protocol used to authenticate users by means of an external or built in radius server radius authentication allows you to validate a large number of users from a central location 427

Table 161 authentication capability list 427

The following lists the types of authentication server the nxc supports 427

The nxc uses the built in local user database to authenticate administrative users logging into the nxc s web configurator or network access users logging into the network through the nxc 427

This list displays the nxc s authentication capabilities 427

Base dn 428

Directory structure 428

Distinguished name dn 428

Figure 196 basic directory structure 428

Active directory ldap 429

Bind dn 429

Note both the active directory and ldap screens while on separate tabs are identical in configuration this section applies to both equally 429

Add edit 430

Add edit active directory ldap server 430

Note the active directory and ldap server setup screens are almost identical so the features for both screens are described in this section 430

Add edit 431

Chapter 30 aaa server 431

Label description 431

Nxc5200 user s guide 431

O zyxel c u 431

Table 163 add edit 431

The following table describes the labels in these screens 431

Chapter 30 aaa server 432

Cn zyadmi 432

Label description 432

Note this is only for ldap 432

Nxc5200 user s guide 432

O zyxel c u 432

Table 163 add edit continued 432

Zyadmi 432

Chapter 30 aaa server 433

Label description 433

Nxc5200 user s guide 433

Radius 433

Radius to display the radius screen 433

Table 163 add edit continued 433

The following table describes the labels in this screen 433

Add edit 434

Add edit radius 434

Chapter 30 aaa server 434

Label description 434

Nxc5200 user s guide 434

Radius to display the radius screen click the add icon or an edit icon to display the following screen use this screen to create a new ad or ldap entry or edit an existing one 434

The following table describes the labels in this screen 434

Add edit continued 435

Chapter 30 aaa server 435

Label description 435

Nxc5200 user s guide 435

Authentication method 437

Before you begin 437

Hapter 437

Overview 437

What you can do in this chapter 437

Add authentication method 438

Auth method 438

Chapter 31 authentication method 439

Click ok to save the settings or click cancel to discard all changes and return to the previous screen 439

Label description 439

Nxc5200 user s guide 439

The following table describes the labels in this screen 439

Certificates 441

Hapter 441

Overview 441

What you can do in this chapter 441

What you need to know 441

Advantages of certificates 442

Certificate file formats 443

Factory default certificate 443

Note be careful not to convert a binary file to text during the transfer process it is easy for this to occur since many programs use text files by default 443

Self signed certificates 443

Verifying a certificate 443

Chapter 32 certificates 445

Label description 445

My certificates 445

My certificates to open this screen this is the nxc s summary list of certificates and certification requests 445

Nxc5200 user s guide 445

The following table describes the labels in this screen 445

Chapter 32 certificates 446

Label description 446

My certificates continued 446

Nxc5200 user s guide 446

Add my certificates 447

Chapter 32 certificates 448

Label description 448

Nxc5200 user s guide 448

The following table describes the labels in this screen 448

Add continued 449

Chapter 32 certificates 449

Label description 449

Nxc5200 user s guide 449

Add continued 450

Chapter 32 certificates 450

If you configured the my certificate create screen to have the nxc enroll a certificate and the certificate enrollment is not successful you see a screen with a return button that takes you back to the my certificate create screen click return and check your information in the my certificate create screen make sure that the certification authority information is correct and that your internet connection is working properly if you want the nxc to enroll a certificate online 450

Label description 450

Nxc5200 user s guide 450

Edit my certificates 451

Chapter 32 certificates 452

Label description 452

Nxc5200 user s guide 452

The following table describes the labels in this screen 452

Chapter 32 certificates 453

Label description 453

Nxc5200 user s guide 453

Chapter 32 certificates 454

Import 454

Import certificates 454

Import to open the my certificate import screen follow the instructions in this screen to save an existing certificate to the nxc 454

Label description 454

Note you can import a certificate that matches a corresponding certification request that was generated by the nxc you can also import a certificate in pkcs 12 format including the certificate s public and private keys 454

Nxc5200 user s guide 454

The certificate you import replaces the corresponding request in the my certificates screen 454

The following table describes the labels in this screen 454

You must remove any spaces in the certificate s filename before you can import it 454

Chapter 32 certificates 455

Import continued 455

Label description 455

Nxc5200 user s guide 455

The following table describes the labels in this screen 455

Trusted certificates 455

Trusted certificates to open the trusted certificates screen this screen displays a summary list of certificates that you have set the nxc to accept as trusted the nxc also accepts any valid certificate signed by a certificate on this list as being trustworthy thus you do not need to import any certificate that is signed by one of these certificates 455

Chapter 32 certificates 456

Label description 456

Nxc5200 user s guide 456

Trusted certificates continued 456

Edit trusted certificates 457

Chapter 32 certificates 458

Label description 458

Nxc5200 user s guide 458

The following table describes the labels in this screen 458

Chapter 32 certificates 459

Label description 459

Nxc5200 user s guide 459

Chapter 32 certificates 460

Import 460

Import to open the trusted certificates import screen follow the instructions in this screen to save a trusted certificate to the nxc 460

Import trusted certificates 460

Label description 460

Note you must remove any spaces from the certificate s filename before you can import the certificate 460

Nxc5200 user s guide 460

Chapter 32 certificates 461

Import 461

Label description 461

Nxc5200 user s guide 461

Ocsp online certificate status protocol allows an application or device to check whether a certificate is valid with ocsp the nxc checks the status of individual certificates instead of downloading a certificate revocation list crl ocsp has two main advantages over a crl the first is real time status information the second is a reduction in network traffic since the nxc only gets information on the certificates that it needs to verify not a huge list when the nxc requests certificate status information the ocsp server returns a expired current or unknown response 461

Technical reference 461

The following section contains additional technical information about the features described in this chapter 461

The following table describes the labels in this screen 461

Hapter 463

Overview 463

System 463

What you can do in this chapter 463

Chapter 33 system 464

Date and time 464

For effective scheduling and logging the nxc system time must be accurate the nxc s real time chip rtc keeps track of the time and date there is also a software mechanism to set the time manually or get the current time and date from an external server 464

Host name 464

Host name to open this screen 464

Label description 464

Nxc5200 user s guide 464

The following table describes the labels in this screen 464

Chapter 33 system 465

Date time 465

Date time the screen displays as shown you can manually set the nxc s time and date or have the nxc get the date and time from a time server 465

Label description 465

Nxc5200 user s guide 465

The following table describes the labels in this screen 465

Chapter 33 system 466

Date time continued 466

Label description 466

Nxc5200 user s guide 466

Chapter 33 system 467

Date time continued 467

Label description 467

Nxc5200 user s guide 467

Pre defined ntp time servers list 467

Table 177 default time servers 467

The nxc continues to use the following pre defined list of ntp time servers if you do not specify a time server or it cannot synchronize with the time server you specified 467

When the nxc uses the pre defined list of ntp time servers it randomly selects one server and tries to synchronize with it if the synchronization fails then the nxc goes through the rest of the list in order from the first one tried until either it is successful or all the pre defined ntp time servers have been tried 467

When you turn on the nxc for the first time the date and time start at 2003 01 01 00 00 00 the nxc then attempts to synchronize with one of the following pre defined list of network time protocol ntp time servers 467

Figure 212 loading 468

Time server synchronization 468

Console speed 469

Dns overview 469

Dns server address assignment 469

Configuring the dns screen 470

Chapter 33 system 471

Dns continued 471

Label description 471

Nxc5200 user s guide 471

Address record 472

An address record contains the mapping of a fully qualified domain name fqdn to an ip address an fqdn consists of a host and domain name for example www zyxel com is a fully qualified domain name where www is the host zyxel is the second level domain and com is the top level domain mail myzyxel com tw is also a fqdn where mail is the host myzyxel is the third level domain com is the second level domain and tw is the top level domain 472

Chapter 33 system 472

Dns continued 472

Label description 472

Nxc5200 user s guide 472

A ptr pointer record is also called a reverse record or a reverse lookup record it is a mapping of an ip address to a domain name 473

Add address ptr record 473

Add address ptr recordt 473

Adding an address ptr record 473

Chapter 33 system 473

Click the add icon in the address ptr record table to add an address ptr record 473

Label description 473

Nxc5200 user s guide 473

Ptr record 473

The following table describes the labels in this screen 473

The nxc allows you to configure address records about the nxc itself or another device this way you can keep a record of dns names and addresses that people on your network may use frequently if the nxc receives a dns query for an fqdn for which the nxc has an address record the nxc can send the ip address in a dns response without having to query a dns name server 473

Add domain zone forwarder 474

Domain zone forwarder 474

A mx mail exchange record indicates which host is responsible for the mail for a particular domain that is controls where mail is sent for that domain if you do not configure proper mx records for your domain or other domain external e mail from other mail servers will not be able to be delivered to your mail server and vice versa each host or domain can have only one mx record that is one domain is mapping to one host 475

Add domain zone forwarder 475

Chapter 33 system 475

Label description 475

Mx record 475

Note if all interfaces are static then this field is hidden 475

Nxc5200 user s guide 475

The following table describes the labels in this screen 475

0 add service control 476

Add mx record 476

Add service control rule 476

Chapter 33 system 476

Click the add icon in the mx record table to add a mx record 476

Click the add icon in the service control table to add a service control rule 476

Label description 476

Nxc5200 user s guide 476

The following table describes the labels in this screen 476

Add service control rule continued 477

Figure 219 secure and insecure service access from the wan 477

Service access limitations 477

Www overview 477

System timeout 478

Configuring www service control 479

Chapter 33 system 480

Label description 480

Nxc5200 user s guide 480

Service control 480

The following table describes the labels in this screen 480

Chapter 33 system 481

Label description 481

Nxc5200 user s guide 481

Service control continued 481

Chapter 33 system 482

Label description 482

Nxc5200 user s guide 482

Service control continued 482

Add edit 483

Chapter 33 system 483

Click add or edit in the service control table in a www ssh telnet ftp or snmp screen to add a service control rule 483

Https example 483

If you haven t changed the default https port on the nxc then in your browser enter https nxc ip address as the web site address where nxc ip address is the ip address or domain name of the nxc you wish to access 483

Label description 483

Nxc5200 user s guide 483

Service control rules 483

The following table describes the labels in this screen 483

Avoiding browser warning messages 484

Figure 223 security alert dialog box internet explorer 484

Internet explorer warning messages 484

Enrolling and importing ssl client certificates 485

Figure 224 login screen internet explorer 485

Figure 225 trusted certificates 485

Login screen 485

Installing the ca s certificate 486

Installing a personal certificate 487

Using a certificate when accessing the nxc 489

Figure 226 ssh communication over the wan example 491

Figure 227 how ssh v1 works example 491

How ssh works 491

Requirements for using ssh 492

Ssh implementation on the nxc 492

Chapter 33 system 493

Configuring ssh 493

Label description 493

Note it is recommended that you disable telnet and ftp when you configure ssh for secure connections 493

Nxc5200 user s guide 493

Ssh to change your nxc s secure shell settings use this screen to specify from which zones ssh can be used to manage the nxc you can also specify from which ip addresses the access can come 493

The following table describes the labels in this screen 493

Chapter 33 system 494

Configure the ssh client to accept connection using ssh version 1 494

Example 1 microsoft windows 494

Examples of secure telnet using ssh 494

Label description 494

Launch the ssh client and specify the connection information ip address port number for the nxc 494

Nxc5200 user s guide 494

Ssh continued 494

This section describes how to access the nxc using the secure shell client program 494

This section shows two examples using a command interface and a graphical interface ssh client program to remotely access the nxc the configuration and connection steps are similar for most ssh client programs refer to your ssh client program user s guide 494

Example 2 linux 495

Figure 229 ssh example 1 store host key 495

Figure 230 ssh example 2 test 495

Figure 231 ssh example 2 log in 496

Telnet 496

Chapter 33 system 497

Label description 497

Nxc5200 user s guide 497

Telnet 497

The following table describes the labels in this screen 497

You can upload and download the nxc s firmware and configuration files using ftp to use this feature your computer must have an ftp client see chapter 35 on page 519 for more information about firmware and configuration files 497

Chapter 33 system 498

Ftp tab the screen appears as shown use this screen to specify from which zones ftp can be used to access the nxc you can also specify from which ip addresses the access can come 498

Label description 498

Nxc5200 user s guide 498

The following table describes the labels in this screen 498

Chapter 33 system 499

Ftp continued 499

Label description 499

Nxc5200 user s guide 499

Figure 234 snmp management model 500

Snmp traps 501

Supported mibs 501

Table 189 snmp traps 501

Chapter 33 system 502

Configuring snmp 502

Label description 502

Nxc5200 user s guide 502

Snmp tab the screen appears as shown use this screen to configure your snmp settings including from which zones snmp can be used to access the nxc you can also specify from which ip addresses the access can come 502

The following table describes the labels in this screen 502

Chapter 33 system 503

Label description 503

Language 503

Language to open this screen use this screen to select a display language for the nxc s web configurator screens 503

Nxc5200 user s guide 503

Snmp continued 503

Chapter 33 system 504

Label description 504

Language 504

Nxc5200 user s guide 504

The following table describes the labels in this screen 504

Email daily report 505

Hapter 505

Log and report 505

Overview 505

What you can do in this chapter 505

Email daily report 506

Chapter 34 log and report 507

Email daily report 507

Label description 507

Log setting 507

Nxc5200 user s guide 507

The following table describes the labels in this screen 507

The nxc provides a system log and supports e mail profiles and remote syslog servers the system log is available on the view log tab the e mail profiles are used to mail log messages to the specified destinations and the other four logs are stored on specified syslog servers 507

These screens control log messages and alerts a log message stores the information for viewing for example in the view log tab or regular e mailing later and an alert is e mailed immediately usually alerts are used for events that require more serious attention such as system errors and attacks 507

Log setting 508

Log setting summary 508

Chapter 34 log and report 509

Label description 509

Log setting continued 509

Nxc5200 user s guide 509

Edit log settings 510

Chapter 34 log and report 511

Label description 511

Nxc5200 user s guide 511

The following table describes the labels in this screen 511

Chapter 34 log and report 512

Edit continued 512

Label description 512

Nxc5200 user s guide 512

Chapter 34 log and report 513

Edit continued 513

Label description 513

Nxc5200 user s guide 513

Edit remote server 514

Chapter 34 log and report 515

Edit remote server 515

Label description 515

Nxc5200 user s guide 515

The following table describes the labels in this screen 515

Active log summary 516

Figure 241 active log summary 516

Active log summary 517

Chapter 34 log and report 517

Label description 517

Nxc5200 user s guide 517

The following table describes the fields in this screen 517

Active log summary 518

Chapter 34 log and report 518

Label description 518

Nxc5200 user s guide 518

File manager 519

Hapter 519

Overview 519

What you can do in this chapter 519

What you need to know 519

Chapter 35 file manager 520

Comments in configuration files or shell scripts 520

Figure 242 configuration file shell script example 520

In a configuration file or shell script use or as the first character of a command line to have the nxc treat the line as a comment 520

Nxc5200 user s guide 520

Table 197 configuration files and shell scripts in the nxc 520

These files have the same syntax which is also identical to the way you run cli commands manually an example is shown below 520

While configuration files and shell scripts have the same syntax the nxc applies configuration files differently than it runs shell scripts this is explained below 520

You have to run the aforementioned example as a shell script because the first command is run in privilege mode if you remove the first command you have to run the example as a configuration file because the rest of the commands are executed in configuration mode 520

Your configuration files or shell scripts can use exit or a command line consisting of a single to have the nxc exit sub command mode 520

Errors in configuration files or shell scripts 521

Note exit or must follow sub commands if it is to make the nxc exit sub command mode 521

Configuration file 522

Configuration file flow at restart 522

Do not turn off the nxc while configuration file upload is in progress 522

Chapter 35 file manager 523

Configuration file 523

Label description 523

Nxc5200 user s guide 523

The following table describes the labels in this screen 523

Chapter 35 file manager 524

Configuration file continued 524

Label description 524

Nxc5200 user s guide 524

Chapter 35 file manager 525

Configuration file continued 525

Firmware package 525

Firmware package to open this screen use the firmware package screen to check your current firmware version and upload firmware to the nxc 525

Label description 525

Nxc5200 user s guide 525

Chapter 35 file manager 526

Find the firmware package at www zyxel com in a file that usually uses the system model name with a bin extension for example nxc bin 526

Firmware package 526

Label description 526

Note the web configurator is the recommended method for uploading firmware you only need to use the command line interface if you need to recover the firmware see the cli reference guide for how to determine if you need to recover the firmware and how to recover it 526

Nxc5200 user s guide 526

The firmware update can take up to five minutes do not turn off or reset the nxc while the firmware update is in progress 526

The following table describes the labels in this screen 526

The nxc s firmware package cannot go through the nxc when you enable the anti virus destroy compressed files that could not be decompressed option the nxc classifies the firmware package as not being able to be decompressed and deletes it you can upload the firmware package to the nxc with the option enabled so you only need to clear the destroy compressed files that could not be decompressed option while you download the firmware package 526

Figure 245 firmware upload in process 527

Figure 246 network temporarily disconnected 527

Figure 247 firmware upload error 527

Note the nxc automatically reboots after a successful upload 527

Shell script 527

Chapter 35 file manager 528

Command the changes will be lost when the nxc restarts you could use multiple 528

Commands in a long script 528

Commands in your scripts if you do not use the 528

Each field is described in the following table 528

Label description 528

Note you should include 528

Nxc5200 user s guide 528

Shell script 528

Chapter 35 file manager 529

Label description 529

Nxc5200 user s guide 529

Shell script continued 529

Diagnostics 531

Hapter 531

Overview 531

What you can do in this chapter 531

Capture 532

Diagnostics 532

Note new capture files overwrite existing files of the same name change the file suffix field s setting to avoid this 532

Packet capture 532

Chapter 36 diagnostics 533

Label description 533

Note if you have existing capture files you may need to set this size larger or delete existing capture files 533

Nxc5200 user s guide 533

Packet capture 533

The following table describes the labels in this screen 533

Chapter 36 diagnostics 534

Files to open the packet capture files screen this screen lists the files of packet captures the nxc has performed you can download the files to your computer where you can study them using a packet analyzer also known as a network or protocol analyzer such as wireshark 534

Label description 534

Nxc5200 user s guide 534

Packet capture continued 534

Packet capture files 534

The following table describes the labels in this screen 534

Example of viewing a packet capture file 535

Figure 252 packet capture file example 535

Files continued 535

Capture 536

Chapter 36 diagnostics 536

Label description 536

Note new capture files overwrite existing files of the same name change the file suffix field s setting to avoid this 536

Nxc5200 user s guide 536

The following table describes the labels in this screen 536

Use this screen to capture wireless network traffic going through the ap interfaces connected to your nxc studying these frame captures may help you identify network problems 536

Wireless frame capture 536

Wireless frame capture to display this screen 536

Capture 537

Chapter 36 diagnostics 537

Label description 537

Note if you have existing capture files you may need to set this size larger or delete existing capture files 537

Nxc5200 user s guide 537

Chapter 36 diagnostics 538

Files to open this screen this screen lists the files of wireless frame captures the nxc has performed you can download the files to your computer where you can study them using a packet analyzer also known as a network or protocol analyzer such as wireshark 538

Label description 538

Nxc5200 user s guide 538

The following table describes the labels in this screen 538

Wireless frame capture files 538

Hapter 539

Overview 539

Reboot 539

What you need to know 539

Hapter 541

Overview 541

Shutdown 541

What you need to know 541

General 543

Hapter 543

Overview 543

Troubleshooting 543

Cannot access the nxc from the lan 544

I cannot access the internet 544

I cannot update the anti virus signatures 544

I cannot update the idp application patrol signatures 545

I configured security settings but the nxc is not applying them for certain interfaces 545

I downloaded updated anti virus or idp application patrol signatures why has the nxc not re booted yet 545

The nxc is not applying the custom firewall rule i configured 545

The nxc is not applying the custom policy route i configured 545

Hackers have accessed my wep encrypted wireless lan 546

I can t enter the interface name i want 546

My rules and settings that apply to a particular interface no longer work 546

The nxc is not applying an interface s configured ingress bandwidth limit 546

The wireless security is not following the re authentication timer setting i specified 546

The nxc is deleting some zipped files 547

The nxc is not applying my application patrol bandwidth management settings 547

The nxc is not scanning some zipped files 547

The nxc s anti virus scanner cleaned an infected file but now i cannot use the file 547

The nxc s performance slowed down after i configured many new application patrol entries 547

Depending on your network topology and traffic load applying an anomaly profile to each and every packet direction may affect the nxc s performance 548

I cannot configure some items in idp that i can configure in snort 548

I uploaded a custom signature file and now all of my earlier custom signatures are gone 548

Idp is dropping traffic that matches a rule that says no action should be taken 548

The nxc s performance seems slower after configuring adp 548

The nxc s performance seems slower after configuring idp 548

I cannot get the application patrol to manage ftp traffic 549

I cannot get the application patrol to manage h 23 traffic 549

I cannot get the application patrol to manage sip traffic 549

The nxc is not applying a policy route s port triggering settings 549

The nxc keeps resetting the connection 549

The nxc routes and applies snat for traffic from some interfaces but not from others 549

You also need to create a firewall rule to allow an incoming service 549

I changed the lan ip address and can no longer access the internet 550

I configured application patrol to allow and manage access to a specific service but access is blocked 550

I configured application patrol to block use of a specific service but a few packet s still get through 550

I configured policy routes to manage the bandwidth of tcp and udp traffic but the bandwidth management is not being applied properly 550

A broadcast storm results when i turn on device ha 551

Device ha is not working 551

I cannot get the radius server to authenticate the nxc s default admin account 551

The nxc fails to authentication the ext user user accounts i configured 551

Device ha synchronization is not working for subscription services 552

I cannot add the admin users to a user group with access users 552

I cannot add the default admin account to a user group 552

I cannot get a certificate to import into the nxc 552

I cannot get the device ha synchronization to work 552

Subscribe to services on the backup nxc before synchronizing it with the master nxc 552

The schedule i configured is not being applied at the configured times 552

I cannot access the nxc from a computer connected to the internet 553

I uploaded a logo to display on the upper left corner of the web configurator login screen and access page but it does not display properly 553

My file sharing ssl application object does not work 553

Note be careful not to convert a binary file to text during the transfer process it is easy for this to occur since many programs use text files by default 553

I can only see newer logs older logs are missing 554

I cannot get the firmware uploaded using the commands 554

I uploaded a logo to use as the screen or window background but it does not display properly 554

Note exit or must follow sub commands if it is to make the nxc exit sub command mode 554

The commands in my configuration file or shell script are not working properly 554

The nxc s traffic throughput rate decreased after i started collecting traffic statistics 554

My earlier packet capture files are missing 555

My packet capture captured less than i wanted or failed 555

Wireless 555

Wireless clients cannot connect to an ap 555

A wireless client cannot be authenticated through the captive portal 556

The ap status is registered as offline even though it is on 556

Wireless clients are not being load balanced among my aps 556

Ap list page there is no load balancing indicator associated with any aps assigned to the load balancing task 557

Getting more troubleshooting help 557

Note this procedure removes the current configuration 557

Resetting the nxc 557

Hapter 559

Product specifications 559

Chapter 40 product specifications 560

Features additional information 560

Nxc5200 user s guide 560

Table 207 product specifications continued 560

Chapter 40 product specifications 561

Features additional information 561

Nxc5200 user s guide 561

Plug regulatory and safety compliance 561

Table 207 product specifications continued 561

Table 208 system environmental specifications 561

Chapter 40 product specifications 562

Feature standards referenced 562

Nxc5200 user s guide 562

Table 209 standards referenced by features 562

The following table lists many of the standards referenced by nxc features 562

Chapter 40 product specifications 563

Feature standards referenced 563

Nxc5200 user s guide 563

Table 209 standards referenced by features continued 563

Log descriptions 565

Ppendix 565

Appendix a log descriptions 566

Log message description 566

Nxc5200 user s guide 566

Table 212 blocked web site logs 566

Appendix a log descriptions 567

Log message description 567

Nxc5200 user s guide 567

Table 212 blocked web site logs continued 567

Table 213 zysh logs 567

The zysh logs deal with internal system errors 567

Appendix a log descriptions 568

Log message description 568

Nxc5200 user s guide 568

Table 213 zysh logs continued 568

Appendix a log descriptions 569

Log message description 569

Nxc5200 user s guide 569

Table 213 zysh logs continued 569

Table 214 adp logs 569

Appendix a log descriptions 570

Log message description 570

Nxc5200 user s guide 570

Table 215 anti virus logs 570

Appendix a log descriptions 571

Log message description 571

Nxc5200 user s guide 571

Table 215 anti virus logs continued 571

Appendix a log descriptions 572

Log message description 572

Nxc5200 user s guide 572

Table 215 anti virus logs continued 572

Appendix a log descriptions 573

Log message description 573

Nxc5200 user s guide 573

Table 216 user logs 573

Appendix a log descriptions 574

Log message description 574

Nxc5200 user s guide 574

Table 216 user logs continued 574

Table 217 myzyxel com logs 574

Appendix a log descriptions 575

Log message description 575

Nxc5200 user s guide 575

Table 217 myzyxel com logs continued 575

Appendix a log descriptions 576

Log message description 576

Nxc5200 user s guide 576

Table 217 myzyxel com logs continued 576

Appendix a log descriptions 577

Log message description 577

Nxc5200 user s guide 577

Table 217 myzyxel com logs continued 577

Appendix a log descriptions 578

Log message description 578

Nxc5200 user s guide 578

Table 217 myzyxel com logs continued 578

Appendix a log descriptions 579

Log message description 579

Nxc5200 user s guide 579

Table 217 myzyxel com logs continued 579

Table 218 idp logs 579

Appendix a log descriptions 580

Log message description 580

Nxc5200 user s guide 580

Table 218 idp logs continued 580

Appendix a log descriptions 581

Log message description 581

Nxc5200 user s guide 581

Table 218 idp logs continued 581

Appendix a log descriptions 582

Log message description 582

Nxc5200 user s guide 582

Table 218 idp logs continued 582

Appendix a log descriptions 583

Log message description 583

Message explanation 583

Nxc5200 user s guide 583

Table 218 idp logs continued 583

Table 219 application patrol 583

Appendix a log descriptions 584

Message explanation 584

Nxc5200 user s guide 584

Table 219 application patrol continued 584

Appendix a log descriptions 585

Log message description 585

Nxc5200 user s guide 585

Table 220 firewall logs 585

Table 221 sessions limit logs 585

Appendix a log descriptions 586

Log message description 586

Nxc5200 user s guide 586

Table 222 policy route logs 586

Appendix a log descriptions 587

Log message description 587

Nxc5200 user s guide 587

Table 222 policy route logs continued 587

Table 223 built in services logs 587

Appendix a log descriptions 588

Log message description 588

Nxc5200 user s guide 588

Table 223 built in services logs continued 588

Appendix a log descriptions 589

Log message description 589

Nxc5200 user s guide 589

Table 223 built in services logs continued 589

Appendix a log descriptions 590

Log message description 590

Nxc5200 user s guide 590

Table 223 built in services logs continued 590

Table 224 system logs 590

Appendix a log descriptions 591

Log message description 591

Nxc5200 user s guide 591

Table 224 system logs continued 591

Appendix a log descriptions 592

Log message description 592

Nxc5200 user s guide 592

Table 224 system logs continued 592

Table 225 connectivity check logs 592

Appendix a log descriptions 593

Log message description 593

Nxc5200 user s guide 593

Table 225 connectivity check logs continued 593

Appendix a log descriptions 594

Log message description 594

Nxc5200 user s guide 594

Table 225 connectivity check logs continued 594

Table 226 device ha logs 594

Appendix a log descriptions 595

Log message description 595

Nxc5200 user s guide 595

Table 226 device ha logs continued 595

Appendix a log descriptions 596

Log message description 596

Nxc5200 user s guide 596

Table 226 device ha logs continued 596

Appendix a log descriptions 597

Log message description 597

Nxc5200 user s guide 597

Table 227 nat logs 597

Appendix a log descriptions 598

Code description 598

Log message description 598

Nxc5200 user s guide 598

Table 228 certificate path verification failure reason codes 598

Table 229 interface logs 598

Appendix a log descriptions 599

Log message description 599

Nxc5200 user s guide 599

Table 229 interface logs continued 599

Appendix a log descriptions 600

Log message description 600

Nxc5200 user s guide 600

Table 229 interface logs continued 600

Appendix a log descriptions 601

Log message description 601

Nxc5200 user s guide 601

Table 229 interface logs continued 601

Appendix a log descriptions 602

Log message description 602

Nxc5200 user s guide 602

Table 229 interface logs continued 602

Appendix a log descriptions 603

Log message description 603

Nxc5200 user s guide 603

Table 230 wlan logs 603

Appendix a log descriptions 604

Log message description 604

Nxc5200 user s guide 604

Table 230 wlan logs continued 604

Table 231 account logs 604

Table 232 force authentication logs 604

Appendix a log descriptions 605

Log message description 605

Nxc5200 user s guide 605

Table 233 file manager logs 605

Table 234 dhcp logs 605

Appendix a log descriptions 606

Log message description 606

Nxc5200 user s guide 606

Table 234 dhcp logs 606

Table 235 e mail daily report logs 606

Table 236 ip mac binding logs 606

Appendix a log descriptions 607

Log message description 607

Nxc5200 user s guide 607

Table 236 ip mac binding logs 607

Table 237 capwap logs 607

Appendix a log descriptions 608

Log message description 608

Nxc5200 user s guide 608

Table 237 capwap logs 608

Appendix a log descriptions 609

Log message description 609

Nxc5200 user s guide 609

Table 237 capwap logs 609

Table 238 capwap client logs 609

Appendix a log descriptions 610

Log message description 610

Nxc5200 user s guide 610

Table 238 capwap client logs 610

Table 239 capwap data forward logs 610

Appendix a log descriptions 611

Log message description 611

Nxc5200 user s guide 611

Table 239 capwap data forward logs 611

Table 240 ap load balancing logs 611

Appendix a log descriptions 612

Log message description 612

Nxc5200 user s guide 612

Table 241 rogue ap logs 612

Table 242 wireless frame capture logs 612

Table 243 dcs logs 612

Common services 613

Ppendix 613

Appendix b common services 614

Name protocol port s description 614

Nxc5200 user s guide 614

Table 244 commonly used services continued 614

Appendix b common services 615

Name protocol port s description 615

Nxc5200 user s guide 615

Table 244 commonly used services continued 615

Appendix b common services 616

Name protocol port s description 616

Nxc5200 user s guide 616

Table 244 commonly used services continued 616

Displaying anti virus alert messages in windows 617

Ppendix 617

Windows xp 617

Windows 2000 618

Importing certificates 619

Ppendix 619

Internet explorer 620

Installing a stand alone certificate file in internet explorer 624

Removing a certificate in internet explorer 625

Firefox 627

Installing a stand alone certificate file in firefox 628

Removing a certificate in firefox 630

Ppendix 633

Wireless lan topologies 633

Wireless lans 633

Figure 258 basic service set 634

Channel 635

Figure 259 infrastructure wlan 635

Figure 260 rts cts 636

Rts cts 636

Fragmentation threshold 637

Note enabling the rts threshold causes redundant network overhead that could negatively affect the throughput performance instead of providing a remedy 637

Preamble type 637

Ieee 802 1g wireless lan 638

Note the wireless devices must use the same preamble mode in order to communicate 638

Table 245 ieee 802 1g 638

Table 246 wireless security levels 638

Wireless security overview 638

Ieee 802 x 639

Note you must enable the same wireless security settings on the nxc and on all wireless clients that you want to associate with it 639

Radius 639

Types of radius messages 639

Types of eap authentication 640

Eap md5 message digest algorithm 5 641

Eap tls transport layer security 641

Eap ttls tunneled transport layer service 641

Peap protected eap 641

Appendix e wireless lans 642

Dynamic wep key exchange 642

Eap md5 eap tls eap ttls peap leap 642

For added security certificate based authentications eap tls eap ttls and peap use dynamic keys for data encryption they are often deployed in corporate environments but for public deployment a simple user name and password pair is more practical the following table is a comparison of the features of authentication types 642

If this feature is enabled it is not necessary to configure a default encryption key in the wireless security configuration screen you may still configure and store keys but they will not be used while dynamic wep is enabled 642

Key differences between wpa or wpa2 and wep are improved data encryption and user authentication 642

Leap lightweight extensible authentication protocol is a cisco implementation of ieee 802 x 642

Note eap md5 cannot be used with dynamic wep key exchange 642

Nxc5200 user s guide 642

Table 247 comparison of eap authentication types 642

The ap maps a unique key that is generated with the radius server this key expires when the wireless connection times out disconnects or reauthentication times out a new wep key is generated each time reauthentication is performed 642

Wi fi protected access wpa is a subset of the ieee 802 1i standard wpa2 ieee 802 1i is a wireless security standard that defines stronger encryption authentication and key management than wpa 642

Wpa and wpa2 642

Encryption 643

User authentication 644

Wireless client wpa supplicants 644

Wpa 2 with radius application example 644

Figure 261 wpa 2 with radius application example 645

Wpa 2 psk application example 645

Appendix e wireless lans 646

Authentication method key management protocol 646

Encryptio n method 646

Enter manual key ieee 802 x 646

Figure 262 wpa 2 psk authentication 646

Nxc5200 user s guide 646

Refer to this table to see what other security parameters you should configure for each authentication method or key management protocol type mac address filters are not dependent on how you configure these security features 646

Security parameters summary 646

Table 248 wireless security relational matrix 646

The ap and wireless clients use the tkip or aes encryption process the pmk and information exchanged in a handshake to create temporal encryption keys they use these keys to encrypt data exchanged between them 646

Open software announcements 647

Ppendix 647

Appendix f open software announcements 648

Nxc5200 user s guide 648

Appendix f open software announcements 649

Nxc5200 user s guide 649

Appendix f open software announcements 650

Nxc5200 user s guide 650

Appendix f open software announcements 651

Nxc5200 user s guide 651

Appendix f open software announcements 652

Nxc5200 user s guide 652

Appendix f open software announcements 653

Nxc5200 user s guide 653

Appendix f open software announcements 654

Nxc5200 user s guide 654

Appendix f open software announcements 655

Nxc5200 user s guide 655

Appendix f open software announcements 656

Nxc5200 user s guide 656

Appendix f open software announcements 657

Nxc5200 user s guide 657

Appendix f open software announcements 658

Nxc5200 user s guide 658

Appendix f open software announcements 659

Nxc5200 user s guide 659

Appendix f open software announcements 660

Nxc5200 user s guide 660

Appendix f open software announcements 661

Nxc5200 user s guide 661

Appendix f open software announcements 662

Nxc5200 user s guide 662

Appendix f open software announcements 663

Nxc5200 user s guide 663

Appendix f open software announcements 664

Nxc5200 user s guide 664

Appendix f open software announcements 665

Nxc5200 user s guide 665

Appendix f open software announcements 666

Nxc5200 user s guide 666

Appendix f open software announcements 667

Nxc5200 user s guide 667

Appendix f open software announcements 668

Nxc5200 user s guide 668

Appendix f open software announcements 669

Nxc5200 user s guide 669

Appendix f open software announcements 670

Nxc5200 user s guide 670

Appendix f open software announcements 671

Nxc5200 user s guide 671

Appendix f open software announcements 672

Nxc5200 user s guide 672

Appendix f open software announcements 673

Nxc5200 user s guide 673

Appendix f open software announcements 674

Nxc5200 user s guide 674

Appendix f open software announcements 675

Nxc5200 user s guide 675

Appendix f open software announcements 676

Nxc5200 user s guide 676

Appendix f open software announcements 677

Nxc5200 user s guide 677

Appendix f open software announcements 678

Nxc5200 user s guide 678

Appendix f open software announcements 679

Nxc5200 user s guide 679

Appendix f open software announcements 680

Nxc5200 user s guide 680

Appendix f open software announcements 681

Nxc5200 user s guide 681

Appendix f open software announcements 682

Nxc5200 user s guide 682

Appendix f open software announcements 683

Nxc5200 user s guide 683

Appendix f open software announcements 684

Nxc5200 user s guide 684

Appendix f open software announcements 685

Nxc5200 user s guide 685

Appendix f open software announcements 686

Nxc5200 user s guide 686

Appendix f open software announcements 687

Nxc5200 user s guide 687

Appendix f open software announcements 688

Nxc5200 user s guide 688

Appendix f open software announcements 689

Nxc5200 user s guide 689

Appendix f open software announcements 690

Nxc5200 user s guide 690

Appendix f open software announcements 691

Nxc5200 user s guide 691

Appendix f open software announcements 692

Nxc5200 user s guide 692

Appendix f open software announcements 693

Nxc5200 user s guide 693

Appendix f open software announcements 694

Nxc5200 user s guide 694

Appendix f open software announcements 695

Nxc5200 user s guide 695

Appendix f open software announcements 696

Nxc5200 user s guide 696

Appendix f open software announcements 697

Nxc5200 user s guide 697

Appendix f open software announcements 698

Nxc5200 user s guide 698

Certifications 699

Copyright 699

Legal information 699

Ppendix 699

Ce mark warning 700

Notices 700

Taiwanese bsmi bureau of standards metrology and inspection a warning 700

Viewing certifications 700

Registration 701

Zyxel limited warranty 701

Nxc5200 user s guide 703

Symbols 703

Nxc5200 user s guide 704

Nxc5200 user s guide 705

Nxc5200 user s guide 706

Nxc5200 user s guide 707

Nxc5200 user s guide 708

Nxc5200 user s guide 709

Nxc5200 user s guide 710

Nxc5200 user s guide 711

Nxc5200 user s guide 712

Nxc5200 user s guide 713

Nxc5200 user s guide 714

Nxc5200 user s guide 715

Nxc5200 user s guide 716

Nxc5200 user s guide 717

Nxc5200 user s guide 718

Zyxel NXC5200 [249/720] Firewall

Содержание

Похожие устройства