![Zyxel NXC5200 [705/720] Nxc5200 user s guide](/img/pdf.png)
Zyxel NXC5200 [705/720] Nxc5200 user s guide
![Zyxel NXC5200 [705/720] Nxc5200 user s guide](/views2/1169024/page705/bg2c1.png)
Index
NXC5200 User’s Guide
705
directory traversal 353
DoS/DDoS 314
double-encoding 354
false negatives 309
false positives 309
IIS-backslash-evasion 354
IIS-unicode-codepoint-encoding 354
IM 314
known 307
multi-slash-encoding 354
network-based 36
non-RFC-defined-char 354
non-RFC-HTTP-delimiter 354
obsolete-options 355
oversize-chunk-encoding 354
oversize-len 355
oversize-offset 355
oversize-request-uri-directory 354
P2P 314
pattern-based 36
scan 315
self-directory-traversal attack 354
severity of 313
spam 314
trapdoor 315
trojan 315
truncated-address-header 355
truncated-header 355, 356
truncated-options 355
truncated-timestamp-header 356
TTCP-detected 355
types of 314
u-encoding 354
undersize-len 355
undersize-offset 355
UTF-8-encoding 354
virus 288, 315
worm 315
Authenex Strong Authentication System
(ASAS) 426
authentication
LDAP/AD 427
server 425
authentication method objects 437
and users 374
and WWW 482
create 438
where used 67
Authentication, Authorization, Accounting
servers, see AAA server
authorization server 425
B
backdoor attacks 315
backing up configuration files 522
backslashes 354
bad-length-options attack 355
bandwidth
usage statistics 136
bandwidth management 152, 265
and policy routes 205
behavior 269
configured rate effect 269
examples 271
in application patrol 267
interface’s bandwidth 272
maximize bandwidth usage 205, 211, 269, 270,
281, 286
over allotment of bandwidth 270
priority 270
priority effect 270
see also application patrol 152, 265
bare byte encoding 353
bare byte encoding attack 353
Base DN 428
base profiles
in ADP 338, 341
in IDP 304, 308
base36-encoding 353
base36-encoding attack 353
Basic Service Set, See BSS 633
Bind DN 429, 432
BitTorrent 314
Blaster 334
boot module 526
boot sector virus 301
BSS 633
buffer overflow 315
buffer overflow attacks 315
Содержание
- Default login details 1
- Nxc5200 1
- Version 2 0 edition 1 05 2010 1
- Wireless lan controller 1
- Www zyxel com 1
- About this user s guide 3
- Intended audience 3
- Note it is recommended you use the web configurator to configure the nxc 3
- Related documentation 3
- User guide feedback 3
- Customer support 4
- Need more help 4
- Disclaimer 5
- Document conventions 6
- Note notes tell you other important information for example other things you may need to configure or helpful tips or recommendations 6
- Syntax conventions 6
- Warnings and notes 6
- Warnings tell you about things that could harm you or your device 6
- Document conventions 7
- Figures in this user s guide may use the following generic icons the nxc icon is not an exact representation of your device 7
- Icons used in figures 7
- Nxc5200 user s guide 7
- Nxc5200 user s guide 8
- Safety warnings 8
- About this user s guide 9
- Chapter 1 introduction 5 9
- Chapter 2 features and applications 5 9
- Chapter 3 the web configurator 1 9
- Document conventions 9
- Part i user s guide 23 9
- Safety warnings 9
- Table of contents 9
- Chapter 4 configuration basics 9 10
- Chapter 5 tutorials 1 11
- Chapter 6 dashboard 03 11
- Chapter 7 monitor 115 11
- Part ii technical reference 101 11
- Chapter 10 wireless 63 12
- Chapter 8 registration 51 12
- Chapter 9 signature update 57 12
- Chapter 11 interfaces 77 13
- Chapter 12 policy and static routes 97 13
- Chapter 13 zones 13 13
- Chapter 14 nat 17 14
- Chapter 15 alg 25 14
- Chapter 16 ip mac binding 33 14
- Chapter 17 captive portal 39 14
- Chapter 18 firewall 49 14
- Chapter 19 application patrol 65 15
- Chapter 20 anti virus 87 15
- Chapter 21 idp 03 15
- Chapter 22 adp 37 16
- Chapter 23 device ha 57 16
- Chapter 24 user group 73 17
- Chapter 25 ap profile 87 17
- Chapter 26 mon profile 01 17
- Chapter 27 addresses 07 17
- Chapter 28 services 13 18
- Chapter 29 schedules 19 18
- Chapter 30 aaa server 25 18
- Chapter 31 authentication method 37 18
- Chapter 32 certificates 41 18
- Chapter 33 system 63 19
- Chapter 34 log and report 05 20
- Chapter 35 file manager 19 20
- Chapter 36 diagnostics 31 20
- Chapter 37 reboot 39 20
- User s guide 23
- Hapter 25
- Introduction 25
- Overview 25
- Rack mounted installation 25
- Note failure to use the proper screws may damage the unit 26
- Rack mounted installation procedure 26
- Lan module installation procedure 27
- Base t ports 29
- Figure 1 nxc front panel configuration 1 29
- Figure 2 nxc front panel configuration 2 29
- Figure 3 nxc front panel configuration 3 29
- Figure 4 nxc back panel all configurations 29
- Front and back panels 29
- Default ethernet settings 30
- Figure 5 fiber connection example 30
- Optional fiber ports 30
- Ethernet status 31
- Fiber 5 6 link link 31
- Fiber 7 8 link 31
- Figure 6 nxc front panel configuration 3 31
- Front panel leds 31
- Management overview 31
- Table 1 front panel leds 31
- Web configurator 31
- Command line interface cli 32
- Console port 32
- Shutdown or the shutdown command before you turn off the nxc or remove the power not doing so can cause the firmware to become corrupt 32
- Starting and stopping the nxc 32
- Table 2 console port default settings 32
- Table 3 starting and stopping the nxc 32
- Chapter 1 introduction 33
- Method description 33
- Nxc5200 user s guide 33
- Table 3 starting and stopping the nxc 33
- The nxc does not stop or start the system processes when you apply configuration files or run shell scripts although you may temporarily lose access to network resources 33
- Features 35
- Features and applications 35
- Hapter 35
- Anomaly detection and prevention adp 36
- Anti virus scanner 36
- Application patrol 36
- Bandwidth management 36
- Firewall 36
- Intrusion detection and prevention idp 36
- Ap management 37
- Applications 37
- Figure 7 ap management example 37
- Wireless security 37
- Captive portal 38
- Dynamic channel selection 38
- Figure 8 applications captive portal 38
- Load balancing 38
- Device ha 39
- User aware access control 39
- Access 41
- Hapter 41
- Overview 41
- The web configurator 41
- Figure 9 the web configurator s main screen 43
- The main screen 43
- Chapter 3 the web configurator 44
- Figure 10 title bar 44
- Figure 11 navigation panel 44
- Label description 44
- Navigation panel 44
- Nxc5200 user s guide 44
- Table 4 title bar web configurator icons 44
- The icons provide the following functions 44
- The title bar provides some useful links that always appear over the screens below regardless of how deep into the web configurator you navigate 44
- Title bar 44
- Use the menu items on the navigation panel to open screens to configure nxc features click the arrow in the middle of the right edge of the navigation panel to hide the navigation panel menus or drag it to resize them the following sections introduce the nxc s navigation panel menus and their screens 44
- Chapter 3 the web configurator 45
- Dashboard 45
- Folder or link tab function 45
- For details on the dashboard s features see chapter 6 on page 103 45
- Monitor menu 45
- Nxc5200 user s guide 45
- Table 5 monitor menu screens summary 45
- The dashboard displays general device information system status system resource usage licensed service status and interface status in widgets that you can re arrange to suit your needs 45
- The monitor menu screens display status and statistics information 45
- Chapter 3 the web configurator 46
- Configuration menu 46
- Folder or link tab function 46
- Nxc5200 user s guide 46
- Table 6 configuration menu screens summary 46
- Use the configuration menu screens to configure the nxc s features 46
- Chapter 3 the web configurator 47
- Folder or link tab function 47
- Nxc5200 user s guide 47
- Table 6 configuration menu screens summary continued 47
- Chapter 3 the web configurator 48
- Folder or link tab function 48
- Nxc5200 user s guide 48
- Table 6 configuration menu screens summary continued 48
- Chapter 3 the web configurator 49
- Figure 12 warning message 49
- Folder or link tab function 49
- Maintenance menu 49
- Nxc5200 user s guide 49
- Table 7 maintenance menu screens summary 49
- Use the maintenance menu screens to manage configuration and firmware files run diagnostics and reboot or shut down the nxc 49
- Warning messages 49
- Warning messages such as those resulting from misconfiguration display in a popup window 49
- Figure 13 site map 50
- Figure 14 object reference 50
- Object reference 50
- Site map 50
- Chapter 3 the web configurator 51
- Cli messages 51
- Click clear to remove the currently displayed information 51
- Click cli to look at the cli commands sent by the web configurator these commands appear in a popup window such as the following 51
- Figure 15 cli messages 51
- Label description 51
- Note see the command reference guide for information about the commands 51
- Nxc5200 user s guide 51
- Table 8 object references 51
- The fields vary with the type of object the following table describes labels that can appear in this screen 51
- Console 52
- Figure 16 console 52
- Note to view the fuctions in the web configurator user interface that correspond directly to specific nxc cli commands use the cli messages window see section 3 on page 51 in tandem with this one 52
- Table 9 console 52
- Note you can log into the web configurator with a different account than used to log into the nxc through the console 53
- Table 9 console continued 53
- Manipulating table display 55
- Tables and lists 55
- Chapter 3 the web configurator 57
- Here are descriptions for the most common table icons 57
- Label description 57
- Nxc5200 user s guide 57
- Table 10 common table icons 57
- Table 11 common table icons 57
- The tables have icons for working with table entries a sample is shown next you can often use the shift or ctrl key to select multiple entries to remove activate or deactivate 57
- Use the icons and fields at the bottom of the table to navigate to different pages of entries and control how many entries display at a time 57
- Working with table entries 57
- Chapter 3 the web configurator 58
- Figure 17 working with lists 58
- Label description 58
- Nxc5200 user s guide 58
- Table 11 common table icons continued 58
- When a list of available entries displays next to a list of selected entries you can often just double click an entry to move it from one list to the other in some lists you can also use the shift or ctrl key to select multiple entries and then use the arrow button to move them to the other list 58
- Working with lists 58
- Configuration basics 59
- Hapter 59
- Object based configuration 59
- Overview 59
- Chapter 4 configuration basics 60
- Ethernet interfaces are the foundation for defining other interfaces and network policies by 60
- Interface types 60
- Note by default all ethernet interfaces are placed into vlan0 allowing the nxc to function as a bridge device 60
- Nxc5200 user s guide 60
- Table 12 zones interfaces and physical ethernet ports 60
- There are two types of interfaces in the nxc in addition to being used in various features interfaces also describe the network that is directly connected to it 60
- Vlan interfaces recognize tagged frames the nxc automatically adds or removes the tags as needed each vlan can only be associated with one ethernet interface 60
- Zones groups of interfaces simplify security settings here is an overview of zones interfaces and physical ports in the nxc 60
- Zones interfaces and physical ports 60
- Example interface and zone configuration 61
- Figure 18 default network topology 61
- Table 13 nxc sample topology 61
- Chapter 4 configuration basics 62
- Feature 62
- Feature configuration overview 62
- Licensing registration 62
- Menu item s 62
- Note prequisites or where used does not appear if there are no prerequisites or references in other features to this one for example no other features reference ap management entries so there is no where used entry 62
- Nxc5200 user s guide 62
- Prerequisites 62
- This provides a brief description see the appropriate chapter s in this user s guide for more information about any feature 62
- This section provides information about configuring the main features in the nxc the features are listed in the same sequence as the menu item s in the web configurator each feature description is organized as shown below 62
- Use these screens to register your nxc and subscribe to services like anti virus idp and application patrol you must have internet access to myzyxel com 62
- Where used 62
- Interface 63
- Licensing update 63
- Note when you create an interface no security is applied to it until you assign it to a zone first 63
- Policy routes 63
- Wireless 63
- Static routes 64
- Anti virus 65
- Application patrol 65
- Captive portal 65
- Firewall 65
- Device ha 66
- Objects 66
- Table 14 objects overview 66
- Ap profile 67
- Chapter 4 configuration basics 67
- Nxc5200 user s guide 67
- Object where used 67
- Table 14 objects overview 67
- Table 15 user types 67
- Table 16 ap profile types 67
- Type abilities 67
- Use these screens to configure preset profiles for the access points aps connected to your nxc s wireless network 67
- Use these screens to configure the nxc s administrator and user accounts the nxc provides the following user types 67
- User group 67
- Dns www ssh telnet ftp and snmp 68
- Logs and reports 68
- Mon profile 68
- System 68
- Table 17 mon profile types 68
- Diagnostics 69
- File manager 69
- Shutdown 69
- Shutdown or the shutdown command before you turn off the nxc or remove the power not doing so can cause the firmware to become corrupt 69
- Hapter 71
- Overview 71
- Tutorials 71
- Figure 19 tutorial network topology 72
- Note in this topology vlan 199 is managed by the router responsible for the upstream portion of the network such as a zywall 72
- Sample network setup 72
- Table 19 tutorial topology summary 72
- Chapter 5 tutorials 73
- Figure 20 tutorial guest vlan example 73
- In this example the guest vlan 102 is highlighted with the connections that it may make over this particular network topology the staff vlan 101 is unhighlighted because it has access to all aspects of the network 73
- In this tutorial you will 73
- Nxc5200 user s guide 73
- Table 20 tutorial tasks summary 73
- Task see also 73
- Tutorial tasks 73
- Set the management vlan vlan99 74
- Note you will use this procedure twice once for vlan 101 and the other time for vlan 102 vlan 101 is presented first while vlan 102 is presented second 75
- Set the other vlans vlan101 vlan102 75
- Configure the aaa object 77
- Figure 21 tutorial vlans summary 77
- Note unless your ad server is configured to explicitly handle these tutorial settings the test button may not work however it is handy know for future reference 78
- Configure the auth method objects staff guest 79
- Create the ap profiles staff guest 80
- Create the guest user account 83
- Configure the captive portal settings 84
- Configure the guest firewall rules 85
- Table 21 tutorial firewall rules 85
- Blocking network protocols 87
- Configuring the wlan zone 87
- Note for the purposes of this tutorial the firewall rules can be created in any order just so long as they use the settings presented here 87
- Configuring the firewall 88
- Blocking sub protocols 90
- Figure 22 rogue ap example a 92
- Rogue ap detection 92
- Figure 23 rogue ap example b 93
- Figure 24 containing a rogue ap 96
- Rogue ap containment 96
- Load balancing 97
- Dynamic channel selection 98
- Technical reference 101
- Dashboard 103
- Hapter 103
- Overview 103
- What you can do in this chapter 103
- Dashboard 104
- Figure 25 dashboard 104
- Table 22 dashboard 104
- Chapter 6 dashboard 105
- Label description 105
- Nxc5200 user s guide 105
- Table 22 dashboard continued 105
- Chapter 6 dashboard 106
- Label description 106
- Nxc5200 user s guide 106
- Table 22 dashboard continued 106
- Chapter 6 dashboard 107
- Label description 107
- Nxc5200 user s guide 107
- Table 22 dashboard continued 107
- Chapter 6 dashboard 108
- Label description 108
- Nxc5200 user s guide 108
- Table 22 dashboard continued 108
- Cpu usage 109
- Memory usage 110
- Session usage 111
- Chapter 6 dashboard 112
- Dhcp table 112
- Label description 112
- Nxc5200 user s guide 112
- The following table describes the labels in this screen 112
- Use this screen to look at the ip addresses currently assigned to dhcp clients and the ip addresses reserved for specific mac addresses to access this screen click the icon beside dhcp table in the dashboard 112
- Chapter 6 dashboard 113
- Dhcp table continued 113
- Label description 113
- Number of login users 113
- Nxc5200 user s guide 113
- The following table describes the labels in this screen 113
- Use this screen to look at a list of the users currently logged into the nxc to access this screen click the dashboard s number of login users icon 113
- Hapter 115
- Monitor 115
- Overview 115
- What you can do in this chapter 115
- What you need to know 116
- Chapter 7 monitor 117
- Label description 117
- Nxc5200 user s guide 117
- Port statistics 117
- The following table describes the labels in this screen 117
- Chapter 7 monitor 118
- Label description 118
- Nxc5200 user s guide 118
- Port statistics continued 118
- Port statistics graph 118
- Switch to graphic view 118
- The following table describes the labels in this screen 118
- Use the port statistics graph to look at a line graph of packet statistics for each physical port to view click port statistics in the status screen and then the switch to graphic view button 118
- Chapter 7 monitor 119
- Interface status 119
- Interface status to access this screen 119
- Label description 119
- Nxc5200 user s guide 119
- Switch to graphic view 119
- Chapter 7 monitor 120
- Each field is described in the following table 120
- Interface status 120
- Label description 120
- Nxc5200 user s guide 120
- Chapter 7 monitor 121
- Interface status continued 121
- Label description 121
- Lan ip with heaviest traffic and how much traffic has been sent to and from each one 121
- Most used protocols or service ports and the amount of traffic on each one 121
- Most visited web sites and the number of times each one was visited this count may not be accurate in some cases because the nxc counts http get packets 121
- Nxc5200 user s guide 121
- Traffic statistics 121
- Traffic statistics to display this screen this screen provides basic information about the different kinds of data traffic moving through the nxc for example 121
- Chapter 7 monitor 122
- Label description 122
- Nxc5200 user s guide 122
- There is a limit on the number of records shown in the report see table 32 on page 124 for more information the following table describes the labels in this screen 122
- Traffic statistics 122
- You use the traffic statistics screen to tell the nxc when to start and when to stop collecting information for these reports you cannot schedule data collection you have to start and stop it manually in the traffic statistics screen 122
- Chapter 7 monitor 123
- Label description 123
- Nxc5200 user s guide 123
- Traffic statistics continued 123
- Chapter 7 monitor 124
- Destination address 124
- Duration so far 124
- Label description 124
- Number of bytes received so far 124
- Number of bytes transmitted so far 124
- Nxc5200 user s guide 124
- Protocol or service port used 124
- Session monitor 124
- Source address 124
- Table 32 maximum values for reports 124
- The following table displays the maximum number of records shown in the report the byte count limit and the hit count limit 124
- This screen displays information about active sessions for debugging or statistical analysis it is not possible to manage sessions in this screen the following information is displayed 124
- Traffic statistics continued 124
- User who started the session 124
- You can look at all the active sessions by user service source ip address or destination ip address you can also filter the information by user protocol service or service group source address and or destination address and view it by user 124
- Chapter 7 monitor 125
- Label description 125
- Nxc5200 user s guide 125
- Session monitor 125
- Session monitor to display the following screen 125
- The following table describes the labels in this screen 125
- Chapter 7 monitor 126
- Label description 126
- Nxc5200 user s guide 126
- Session monitor continued 126
- Chapter 7 monitor 127
- Ip mac binding 127
- Ip mac binding monitor 127
- Ip mac binding to open the ip mac binding monitor screen this screen lists the devices that have received an ip address from nxc interfaces with ip mac binding enabled and have ever established a session with the nxc devices that have never established a session with the nxc do not display in the list 127
- Label description 127
- Nxc5200 user s guide 127
- System status 127
- The following table describes the labels in this screen 127
- Chapter 7 monitor 128
- Label description 128
- Login users 128
- Nxc5200 user s guide 128
- The following table describes the labels in this screen 128
- Ap list 129
- Ap list icons 129
- Chapter 7 monitor 129
- Label description 129
- Nxc5200 user s guide 129
- The following table describes the icons in this screen 129
- The following table describes the labels in this screen 129
- Ap list icons continued 130
- Station count of ap 130
- Chapter 7 monitor 131
- Label description 131
- Nxc5200 user s guide 131
- Radio list 131
- Station count of ap 131
- The following table describes the labels in this screen 131
- Ap mode radio information 132
- Radio list continued 132
- Ap mode radio information 133
- Chapter 7 monitor 133
- Label description 133
- Nxc5200 user s guide 133
- Station info to access this screen 133
- Station list 133
- The following table describes the labels in this screen 133
- Chapter 7 monitor 134
- Detected device 134
- Detected device to access this screen 134
- Label description 134
- Note at least one of the aps connected to the nxc must be set to monitor mode in order to detect other wireless devices in its vicinity 134
- Nxc5200 user s guide 134
- Station list 134
- The following table describes the labels in this screen 134
- Application patrol 135
- Application patrol general settings 135
- Apppatrol statistics general settings 135
- Apppatrol statistics screen to configure what to display 135
- Apppatrol statistics to open the following screens 135
- Chapter 7 monitor 135
- Detected device continued 135
- Label description 135
- Nxc5200 user s guide 135
- The application patrol screens display bandwidth usage graphs and statistics for selected protocols 135
- A solid line represents a protocol s incoming bandwidth usage this is the protocol s traffic that the nxc sends to the initiator of the connection 136
- Application patrol bandwidth statistics 136
- Apppatrol statistic 136
- Apppatrol statistics bandwidth statistics 136
- Apppatrol statistics general settings 136
- Chapter 7 monitor 136
- Label description 136
- Nxc5200 user s guide 136
- Screen displays a bandwidth usage line graph for the selected protocols 136
- The following table describes the labels in this screen 136
- The middle of the 136
- The x axis shows the time period over which the bandwidth usage occurred 136
- The y axis represents the amount of bandwidth used 136
- A dotted line represents a protocol s outgoing bandwidth usage this is the protocol s traffic that the nxc sends out from the initiator of the connection 137
- Application patrol protocol statistics 137
- Apppatrol statistics protocol statistics 137
- Apppatrol statistics screen displays statistics for each of the selected protocols 137
- Chapter 7 monitor 137
- Different colors represent different protocols 137
- Label description 137
- Nxc5200 user s guide 137
- The following table describes the labels in this screen 137
- Application patrol protocol statistics by rule 138
- Apppatrol statistics protocol statistics continued 138
- Apppatrol statistics screen displays statistics for each of the selected protocols click a service s name to display this screen with statistics for each of the service s application patrol rules 138
- Chapter 7 monitor 138
- Label description 138
- Nxc5200 user s guide 138
- Service 138
- The following table describes the labels in this screen 138
- Anti virus 139
- Anti virus to display the following screen this screen displays anti virus statistics 139
- Chapter 7 monitor 139
- Label description 139
- Nxc5200 user s guide 139
- Service continued 139
- The following table describes the labels in this screen 139
- Anti virus continued 140
- Anti virus destination ip 140
- Anti virus source ip 140
- Chapter 7 monitor 140
- Label description 140
- Nxc5200 user s guide 140
- The statistics display as follows when you display the top entries by destination 140
- The statistics display as follows when you display the top entries by source 140
- Chapter 7 monitor 141
- Idp to display the following screen this screen displays idp intrusion detection and prevention statistics 141
- Label description 141
- Nxc5200 user s guide 141
- The following table describes the labels in this screen 141
- Chapter 7 monitor 142
- Idp continued 142
- Idp destination 142
- Idp source 142
- Label description 142
- Nxc5200 user s guide 142
- The statistics display as follows when you display the top entries by destination 142
- The statistics display as follows when you display the top entries by source 142
- Note when a log reaches the maximum number of log messages new log messages automatically overwrite existing log messages starting with the oldest existing log message first 143
- View log 143
- Chapter 7 monitor 144
- Label description 144
- Nxc5200 user s guide 144
- The following table describes the labels in this screen 144
- View log 144
- Chapter 7 monitor 145
- Label description 145
- Nxc5200 user s guide 145
- The web configurator saves the filter settings if you leave the view log screen and return to it later 145
- View log continued 145
- Chapter 7 monitor 146
- Label description 146
- Nxc5200 user s guide 146
- The following table describes the labels in this screen 146
- View ap log 146
- View ap log to access this screen 146
- Chapter 7 monitor 147
- Label description 147
- Note this criterion only appears when you show filter 147
- Nxc5200 user s guide 147
- View ap log 147
- Chapter 7 monitor 148
- Label description 148
- Nxc5200 user s guide 148
- View ap log 148
- Hapter 151
- Overview 151
- Registration 151
- What you can do in this chapter 151
- What you need to know 151
- Anti virus engines 152
- Intrusion detection and prevention application patrol 152
- Subscription services available on the nxc 152
- Managed aps 153
- Registration 153
- Chapter 8 registration 154
- Label description 154
- Nxc5200 user s guide 154
- Registration continued 154
- Note if the nxc is registered already this screen is read only and indicates whether trial services are activated if any you can still select the unchecked trial service s to activate it after registration use the service screen to update your service subscription status 155
- Registration registered device 155
- Service 155
- Chapter 8 registration 156
- Label description 156
- Nxc5200 user s guide 156
- Service 156
- The following table describes the labels in this screen 156
- Hapter 157
- Overview 157
- Signature update 157
- What you can do in this chapter 157
- What you need to know 157
- Anti virus 158
- Anti virus to display the following screen 158
- Chapter 9 signature update 158
- Label description 158
- Nxc5200 user s guide 158
- The following table describes the labels in this screen 158
- Anti virus continued 159
- Chapter 9 signature update 159
- Idp apppatrol 159
- Idp apppatrol to display the following screen 159
- Label description 159
- Nxc5200 user s guide 159
- The nxc comes with signatures for the idp and application patrol features these signatures are continually updated as new attack types evolve new signatures can be downloaded to the nxc periodically if you have subscribed for the idp apppatrol signatures service 159
- You need to create an account at myzyxel com register your nxc and then subscribe for idp service in order to be able to download new packet inspection 159
- Chapter 9 signature update 160
- Idp apppatrol 160
- Label description 160
- Nxc5200 user s guide 160
- Signatures from myzyxel com see the registration screens use the update idp apppatrol screen to schedule or immediately download idp signatures 160
- The following table describes the fields in this screen 160
- Idp apppatrol continued 161
- System protect 161
- Chapter 9 signature update 162
- Label description 162
- Nxc5200 user s guide 162
- System protect 162
- The following table describes the fields in this screen 162
- Hapter 163
- Overview 163
- What you can do in this chapter 163
- What you need to know 163
- Wireless 163
- Controller 164
- Load balancing wireless 164
- Note select the manual option for managing a specific set of aps this is recommended as the registration mechanism cannot automatically differentiate between friendly and rogue aps for details on how to handle rogue aps see section 7 2 on page 134 164
- Ap management 165
- Ap management to access this screen 165
- Chapter 10 wireless 165
- Controller screen you set the registration type to always accept then as soon as you remove an ap from this list it reconnects 165
- Each field is described in the following table 165
- Label description 165
- Nxc5200 user s guide 165
- Ap management table to display this screen 166
- Chapter 10 wireless 166
- Each field is described in the following table 166
- Edit ap list 166
- Label description 166
- Nxc5200 user s guide 166
- Chapter 10 wireless 167
- Edit ap list continued 167
- Label description 167
- Mon mode 167
- Mon mode to access this screen 167
- Nxc5200 user s guide 167
- Use this screen to assign aps either to the rogue ap list or the friendly ap list a rogue ap is a wireless access point operating in a network s coverage area that is not under the control of the network administrator and which can potentially open up holes in a network s security 167
- Chapter 10 wireless 168
- Each field is described in the following table 168
- Label description 168
- Mon mode 168
- Nxc5200 user s guide 168
- Add edit rogue friendly 169
- Add edit rogue friendly list 169
- Chapter 10 wireless 169
- Each field is described in the following table 169
- Label description 169
- Mon mode table to display this screen 169
- Nxc5200 user s guide 169
- Chapter 10 wireless 170
- Each field is described in the following table 170
- Label description 170
- Load balancing 170
- Load balancing to access this screen 170
- Nxc5200 user s guide 170
- Chapter 10 wireless 171
- Disassociating and delaying connections 171
- For example here the ap has a balanced bandwidth allotment of 6 mbps if laptop r connects and it pushes the ap over its allotment say to 7 mbps then the ap 171
- Label description 171
- Load balancing continued 171
- Note if you enable this function you should ensure that there are multiple aps within the broadcast radius that can accept any rejected or kicked wireless clients otherwise a wireless client attempting to connect to an overloaded ap will be kicked continuously and never be allowed to connect 171
- Nxc5200 user s guide 171
- When your ap becomes overloaded there are two basic responses it can take the first one is to delay a client connection this means that the ap withholds the connection until the data transfer throughput is lowered or the client connection is picked up by another ap if the client is picked up by another ap then the original ap cannot resume the connection 171
- Figure 68 delaying a connection 172
- Figure 69 kicking a connection 172
- Chapter 10 wireless 173
- Dcs to access this screen 173
- Each field is described in the following table 173
- Label description 173
- Note generally speaking the higher the sensitivity level the more frequently the ap switches channels as a consequence anyone connected to the ap will experience more frequent disconnects and reconnects unless you select enable dcs client aware 173
- Nxc5200 user s guide 173
- Chapter 10 wireless 174
- Dcs continued 174
- Dynamic channel selection 174
- Label description 174
- Nxc5200 user s guide 174
- Technical reference 174
- The following section contains additional technical information about the features described in this chapter 174
- When numerous aps broadcast within a given area they introduce the possibility of heightened radio interference especially if some or all of them are broadcasting on the same radio channel if the interference becomes too great then the network administrator must open his ap configuration options and manually change the channel to one that no other ap is using or at least a channel that has a lower level of interferrence in order to give the connected stations a minimum degree of interference dynamic channel selection frees the network administrator from this task by letting the ap do it automatically the ap can scan the area around it looking for the channel with the least amount of interference 174
- Figure 71 an example three channel deployment 175
- Figure 72 an example four channel deployment 175
- Figure 73 an alternative four channel deployment 175
- Load balancing 176
- Hapter 177
- Interface overview 177
- Interfaces 177
- What you can do in this chapter 177
- What you need to know 177
- Ethernet summary 178
- Types of interfaces 178
- Chapter 11 interfaces 179
- Each field is described in the following table 179
- Ethernet 179
- Label description 179
- Nxc5200 user s guide 179
- Edit ethernet 180
- Note if you create ip address objects based on an interface s ip address subnet or gateway the nxc automatically updates every rule or setting that uses the object whenever the interface s ip address settings change for example if you change lan s ip address the nxc automatically updates the corresponding interface based lan subnet address object 180
- Chapter 11 interfaces 181
- Edit continued 181
- Label description 181
- Nxc5200 user s guide 181
- Chapter 11 interfaces 182
- Edit continued 182
- Label description 182
- Nxc5200 user s guide 182
- Chapter 11 interfaces 183
- Edit continued 183
- Label description 183
- Nxc5200 user s guide 183
- Chapter 11 interfaces 184
- Edit continued 184
- Label description 184
- Nxc5200 user s guide 184
- Chapter 11 interfaces 185
- Edit continued 185
- Figure 76 object references 185
- Label description 185
- Nxc5200 user s guide 185
- Object references 185
- When a configuration screen includes an object references icon select a configuration object and click object references to open the object references screen this screen displays which configuration settings reference the selected object the fields shown vary with the type of object 185
- Figure 77 example before vlan 186
- Note by default the nxc acts a bridge device this means all interfaces ge1 g8 are grouped together into a single vid vlan0 see section 4 on page 61 for more information on this configuration also note that vlan0 cannot be removed and the vid cannot be changed 186
- Table 64 object references 186
- Vlan interfaces 186
- Figure 78 example after vlan 187
- Between the router and vlan 3 188
- Chapter 11 interfaces 188
- Each field is explained in the following table 188
- Label description 188
- Nxc5200 user s guide 188
- Vlan summary 188
- Add edit 189
- Add edit vlan 189
- Vlan continued 189
- Add edit continued 190
- Chapter 11 interfaces 190
- Label description 190
- Nxc5200 user s guide 190
- Add edit continued 191
- Chapter 11 interfaces 191
- Label description 191
- Nxc5200 user s guide 191
- Add edit continued 192
- Chapter 11 interfaces 192
- Label description 192
- Nxc5200 user s guide 192
- Add edit continued 193
- Chapter 11 interfaces 193
- Label description 193
- Nxc5200 user s guide 193
- Technical reference 193
- The following section contains additional technical information about the features described in this chapter 193
- Interface parameters 194
- Ip address assignment 194
- Table 67 example routing table entry for a gateway 194
- Dhcp settings 195
- Table 68 example assigning ip addresses from a pool 196
- Hapter 197
- Overview 197
- Policy and static routes 197
- What you can do in this chapter 197
- What you need to know 197
- Diffserv 198
- Policy routes versus static routes 198
- Static routes 198
- Dscp marking and per hop behavior 199
- Policy route 199
- Chapter 12 policy and static routes 200
- Ippr follows the existing packet filtering facility of ras in style and in implementation 200
- Label description 200
- Nxc5200 user s guide 200
- Policy route 200
- The following table describes the labels in this screen 200
- Chapter 12 policy and static routes 201
- Label description 201
- Nxc5200 user s guide 201
- Policy route continued 201
- Add edit 202
- Add edit policy route 202
- Add edit continued 203
- Chapter 12 policy and static routes 203
- Label description 203
- Nxc5200 user s guide 203
- Add edit continued 204
- Chapter 12 policy and static routes 204
- Label description 204
- Note you need to create a firewall rule to allow an incoming service before using a port triggering rule 204
- Nxc5200 user s guide 204
- Add edit continued 205
- Chapter 12 policy and static routes 205
- Label description 205
- Nxc5200 user s guide 205
- Chapter 12 policy and static routes 206
- Label description 206
- Nxc5200 user s guide 206
- Static route 206
- Static route to open the static route screen this screen displays the configured static routes 206
- The following table describes the labels in this screen 206
- Add edit 207
- Chapter 12 policy and static routes 207
- Label description 207
- Nxc5200 user s guide 207
- Select a static route index number and click add or edit the screen shown next appears use this screen to configure the required information for a static route 207
- Static route setting 207
- The following table describes the labels in this screen 207
- Assured forwarding af phb for diffserv 208
- Nat and snat 208
- Table 73 assured forwarding af behavior group 208
- Technical reference 208
- Port triggering 209
- Table 74 wmm to diffserv conversion on the nxc 209
- Figure 85 trigger port forwarding example 210
- Maximize bandwidth usage 211
- Hapter 213
- Overview 213
- Effects of zones on different types of traffic 214
- Extra zone traffic 214
- Inter zone traffic 214
- Intra zone traffic 214
- What you can do in this chapter 214
- What you need to know 214
- Chapter 13 zones 215
- Label description 215
- Nxc5200 user s guide 215
- The following table describes the labels in this screen 215
- Add edit 216
- Add edit zone 216
- Chapter 13 zones 216
- Label description 216
- Nxc5200 user s guide 216
- The following table describes the labels in this screen 216
- This screen allows you to add or edit a zone to access this screen go to the zone screen and click the add icon or an edit icon 216
- Hapter 217
- Overview 217
- What you can do in this chapter 217
- Chapter 14 nat 218
- Label description 218
- Nat summary 218
- Nat the following screen appears providing a summary of the existing nat rules 218
- Nxc5200 user s guide 218
- The following table describes the labels in this screen 218
- Add edit 219
- Add edit nat 219
- Chapter 14 nat 219
- Label description 219
- Nat continued 219
- Nxc5200 user s guide 219
- The following table describes the labels in this screen 219
- This screen lets you create new nat rules and edit existing ones to open this window open the nat summary screen then click on an add icon or edit icon to open the following screen 219
- Add edit continued 220
- Chapter 14 nat 220
- Label description 220
- Nxc5200 user s guide 220
- Add edit continued 221
- Chapter 14 nat 221
- Label description 221
- Nxc5200 user s guide 221
- Add edit continued 222
- Chapter 14 nat 222
- Label description 222
- Nat loopback 222
- Nxc5200 user s guide 222
- Suppose a nat 1 1 rule maps a public ip address to the private ip address of a lan smtp e mail server to give wan users access nat loopback allows other users to also use the rule s original ip to access the mail server 222
- Technical reference 222
- The following section contains additional technical information about the features described in this chapter 222
- Hapter 225
- Overview 225
- What you can do in this chapter 225
- Application layer gateway alg nat and firewall 226
- Figure 96 h 23 alg example 226
- Ftp alg 226
- H 23 alg 226
- What you need to know 226
- Before you begin 227
- Peer to peer calls and the nxc 227
- Sip alg 227
- Voip calls from the wan with multiple outgoing calls 227
- Note if the nxc provides an alg for a service you must enable the alg in order to use the application patrol on that service s traffic 228
- Chapter 15 alg 229
- Label description 229
- Nxc5200 user s guide 229
- The following table describes the labels in this screen 229
- Alg continued 230
- Technical reference 230
- Hapter 233
- Ip mac binding 233
- Overview 233
- What you can do in this chapter 233
- Interfaces used with ip mac binding 234
- Ip mac binding summary 234
- Summary 234
- What you need to know 234
- Chapter 16 ip mac binding 235
- Edit ip mac binding 235
- Edit to open this screen use this screen to configure an interface s ip to mac address binding settings 235
- Label description 235
- Nxc5200 user s guide 235
- Summary 235
- The following table describes the labels in this screen 235
- Chapter 16 ip mac binding 236
- Label description 236
- Nxc5200 user s guide 236
- The following table describes the labels in this screen 236
- Add edit 237
- Add edit static dhcp rule 237
- Chapter 16 ip mac binding 237
- Edit to open this screen click the add or edit icon to open the following screen use this screen to configure an interface s ip to mac address binding settings 237
- Label description 237
- Nxc5200 user s guide 237
- The following table describes the labels in this screen 237
- Chapter 16 ip mac binding 238
- Exempt list 238
- Exempt list to open the ip mac binding exempt list screen use this screen to configure ranges of ip addresses to which the nxc does not apply ip mac binding 238
- Ip mac binding exempt list 238
- Label description 238
- Nxc5200 user s guide 238
- The following table describes the labels in this screen 238
- Captive portal 239
- Hapter 239
- Overview 239
- Captive portal 240
- Note you can configure the look and feel of the captive portal web page on the login page screen see section 17 on page 245 for details 240
- What you can do in this chapter 240
- Captive portal 241
- Chapter 17 captive portal 241
- Label description 241
- Nxc5200 user s guide 241
- The following table describes the labels in this screen 241
- Add exceptional services 242
- Captive portal continued 242
- Chapter 17 captive portal 242
- Label description 242
- Note if you want 802 x to work properly you must set bootp_client and dns as exceptional services 242
- Nxc5200 user s guide 242
- The following table describes the labels in this screen 242
- This screen allows you to manage exceptions to captive portal interception click the add button in the exceptional services table on the captive portal screen to access this screen 242
- Add exceptional services continued 243
- Auth policy add edit 243
- Chapter 17 captive portal 243
- Label description 243
- Nxc5200 user s guide 243
- The following table describes the labels in this screen 243
- This screen allows you to add authentication policies to captive portal interception click the add or edit button for an existing policy in the authentication policy summary table on the captive portal screen to access this screen 243
- Auth policy add edit 244
- Chapter 17 captive portal 244
- Label description 244
- Nxc5200 user s guide 244
- Login page 245
- Chapter 17 captive portal 246
- Label description 246
- Login page 246
- Nxc5200 user s guide 246
- Firewall 249
- Hapter 249
- Overview 249
- What you can do in this chapter 249
- A zone is a group of interfaces group the nxc s interfaces into different zones based on your needs you can configure firewall rules for data passing between zones or even between interfaces in a zone 250
- Chapter 18 firewall 250
- Default firewall behavior 250
- Firewall rules are grouped based on the direction of travel of packets to which they apply here is the default firewall behavior for traffic going through the nxc in various directions 250
- From zone to zone behavior 250
- Nxc5200 user s guide 250
- Rules with nxc as the to zone apply to traffic going to the nxc itself by default 250
- Stateful inspection 250
- Table 88 default firewall behavior 250
- The firewall allows only lan wan computers to access or manage the nxc 250
- The following terms and concepts may help as you read this chapter 250
- The nxc drops most packets from the wan zone to the nxc itself except for vrrp traffic for device ha and generates a log 250
- The nxc has a stateful inspection firewall the nxc restricts access by screening data packets against defined access rules it also inspects sessions for example traffic from one zone is not allowed unless it is initiated by a computer in another zone first 250
- To nxc rules 250
- What you need to know 250
- Firewall and application patrol 251
- Firewall rule criteria 251
- Global firewall rules 251
- User specific firewall rules 251
- Figure 111 blocking all lan to wan irc traffic example 252
- Firewall rule example applications 252
- Session limits 252
- Table 89 blocking all lan to wan irc traffic example 252
- Figure 112 limited lan to wan irc traffic example 253
- Table 90 limited lan to wan irc traffic example 1 253
- Table 91 limited lan to wan irc traffic example 2 254
- Firewall rule configuration example 255
- Asymmetrical routes 256
- Firewall 257
- Chapter 18 firewall 258
- Firewall 258
- Label description 258
- Note allowing asymmetrical routes may let traffic from the wan go directly to the lan without passing through the nxc a better solution is to use virtual interfaces to put the nxc and the backup gateway on separate subnets 258
- Nxc5200 user s guide 258
- The following table describes the labels in this screen 258
- The nxc applies nat destination nat settings before applying the firewall rules so for example if you configure a nat entry that sends wan traffic to a lan ip address when you configure a corresponding firewall rule to allow the traffic you need to set the lan ip address as the destination 258
- The ordering of your rules is very important as rules are applied in sequence 258
- Chapter 18 firewall 259
- Firewall continued 259
- Label description 259
- Nxc5200 user s guide 259
- Add edit 260
- Add edit firewall screen 260
- Chapter 18 firewall 260
- Firewall continued 260
- In the firewall screen click the edit or add icon to display this screen 260
- Label description 260
- Nxc5200 user s guide 260
- The following table describes the labels in this screen 260
- Add edit continued 261
- Chapter 18 firewall 261
- Label description 261
- Note if you specified a source ip address group instead of any in the field below the user s ip address should be within the ip address range 261
- Nxc5200 user s guide 261
- Chapter 18 firewall 262
- Label description 262
- Nxc5200 user s guide 262
- Session limit 262
- Session limit to display the firewall session limit screen use this screen to limit the number of concurrent nat firewall sessions a client can use you can apply a default limit for all users and individual limits for specific users addresses or both the individual limit takes priority if you apply both 262
- The following table describes the labels in this screen 262
- Add edit 263
- Add edit session limit 263
- Chapter 18 firewall 263
- Label description 263
- Nxc5200 user s guide 263
- Session limit and the add or edit icon to display the firewall session limit edit screen use this screen to configure rules that define a session limit for specific users or addresses 263
- Session limit continued 263
- The following table describes the labels in this screen 263
- Add edit continued 264
- Chapter 18 firewall 264
- Label description 264
- Note if you specified an ip address or address group instead of any in the field below the user s ip address should be within the ip address range 264
- Nxc5200 user s guide 264
- Application patrol 265
- Hapter 265
- Overview 265
- What you can do in this chapter 265
- Classification of applications 266
- Configurable application policies 266
- Note the nxc allows the first eight packets to go through the firewall regardless of the application patrol policy for the application the nxc examines these first eight packets to identify the application 266
- Note the nxc checks firewall rules before it checks application patrol rules for traffic going through the nxc 266
- What you need to know 266
- Bandwidth management 267
- Custom ports for sip and the sip alg 267
- Diffserv and dscp marking 267
- Note bandwidth management in policy routes has priority over application patrol bandwidth management it is recommended to use application patrol instead of policy routes to manage the bandwidth of tcp and udp traffic 267
- Bandwidth management priority 268
- Connection and packet directions 268
- Figure 117 lan to wlan outbound 200 kbps inbound 500 kbps 268
- Outbound and inbound bandwidth limits 268
- Bandwidth management behavior 269
- Bwm 1000 kbps 269
- Configured rate effect 269
- Figure 118 bandwidth management behavior 269
- Maximize bandwidth usage 269
- Note this section uses examples that assume the device is operating in routing mode not bridge mode 269
- Table 96 configured rate effect 269
- Maximize bandwidth usage effect 270
- Priority and over allotment of bandwidth effect 270
- Priority effect 270
- Table 97 priority effect 270
- Table 98 maximize bandwidth usage effect 270
- Table 99 priority and over allotment of bandwidth effect 270
- Application patrol bandwidth management examples 271
- Bandwidth management is very useful when applications are competing for limited bandwidth for example say you have a wan zone interface connected to an adsl device with a 8 mbps downstream and 1 mbps upstream adsl connection the following sections give some simplified examples of using application patrol policies to manage applications competing for that 1 mbps of upstream bandwidth 271
- Chapter 19 application patrol 271
- Figure 119 application patrol bandwidth management example 271
- Ftp traffic from the lan1 to the dmz can use more bandwidth since the interfaces support up to 1 gbps connections but it must be the lowest priority and limited so it does not interfere with sip and http traffic 271
- Ftp traffic from the wan to the dmz must be limited so it does not interfere with sip and http traffic 271
- Here is an overview of what the rules need to accomplish see the following sections for more details 271
- Http traffic needs to be given priority over ftp traffic 271
- Note the following examples assume the nxc is operating in routing mode not in bridge mode in bridge mode there are only two zones lan and wlan in routing mode you can configure any of the zones described here 271
- Nxc5200 user s guide 271
- Sip traffic from vip users must get through with the least possible delay regardless of if it is an outgoing call or an incoming call the vip users must be able to make and receive sip calls no matter which interface they are connected to 271
- Chapter 19 application patrol 272
- Highest priority 1 set policies for other applications to lower priorities so the sip traffic always gets the best treatment 272
- Inbound traffic to the lan and dmz from the wan is also limited to 200 kbps the nxc applies this limit before sending the traffic to lan or dmz 272
- Manage sip traffic going to the wan zone from a vip user on the lan or dmz 272
- Nxc5200 user s guide 272
- Outbound traffic to the wan from the lan and dmz is limited to 200 kbps the nxc applies this limit before sending the traffic to the wan 272
- Setting the interface s bandwidth 272
- Sip any to wan bandwidth management example 272
- Use the interface screens to set the wan zone interface s upstream bandwidth to be equal to or slightly less than what the connected device can support this example uses 1000 kbps 272
- Figure 120 sip any to wan bandwidth management example 273
- Figure 121 http any to wan bandwidth management example 273
- Http any to wan bandwidth management example 273
- Inbound 200 kbps 273
- Inbound 500 kbps 273
- Outbound 200 kbps 273
- Sip wan to any bandwidth management example 273
- Bwm outbound 50 mbps 274
- Figure 122 ftp wan to dmz bandwidth management example 274
- Figure 123 ftp lan to dmz bandwidth management example 274
- Ftp lan to dmz bandwidth management example 274
- Ftp wan to dmz bandwidth management example 274
- Inbound 100 kbps 274
- Inbound 50 mbps 274
- Outbound 300 kbps 274
- Application patrol common applications 275
- Chapter 19 application patrol 275
- Common applications 275
- Common to open the following screen 275
- Label description 275
- Nxc5200 user s guide 275
- The following table describes the labels in this screen 275
- Use the application patrol common instant messenger peer to peer voip or streaming screen to manage traffic of individual applications 275
- Use the common screen shown here as an example to manage traffic of the most commonly used web file transfer and e mail protocols 275
- Chapter 19 application patrol 276
- Edit application 276
- Figure 125 edit application 276
- Label description 276
- Nxc5200 user s guide 276
- Table 101 edit application 276
- The following table describes the labels in this screen 276
- Use this screen to edit the settings for an application to access this screen go to the application patrol common instant messenger peer to peer voip or streaming screen and click an application s edit icon the screen displayed here is for the msn instant messenger service 276
- Chapter 19 application patrol 277
- Label description 277
- Note the nxc checks conditions in the order they appear in the list while this sequence does not affect the functionality you might improve the performance of the nxc by putting more common conditions at the top of the list 277
- Note the nxc checks ports in the order they appear in the list while this sequence does not affect the functionality you might improve the performance of the nxc by putting more commonly used ports at the top of the list 277
- Nxc5200 user s guide 277
- Table 101 edit application continued 277
- Chapter 19 application patrol 278
- Label description 278
- Nxc5200 user s guide 278
- Table 101 edit application continued 278
- Add edit policy 279
- Figure 126 add edit policy 279
- Table 101 edit application continued 279
- Table 102 add edit policy 279
- Chapter 19 application patrol 280
- Label description 280
- Nxc5200 user s guide 280
- Table 102 add edit policy continued 280
- Chapter 19 application patrol 281
- Label description 281
- Nxc5200 user s guide 281
- Other applications 281
- Sometimes the nxc cannot identify the application for example the application might be a new application or the packets might arrive out of sequence the nxc does not reorder packets when identifying the application 281
- Table 102 add edit policy continued 281
- The other applications screen controls the default policy for tcp and udp traffic that the nxc cannot identify you can use source zone destination zone destination port schedule user source and destination information as criteria to create a sequence of specific conditions similar to the sequence of rules used by firewalls to specify what the nxc should do more precisely you can also control 281
- Chapter 19 application patrol 282
- Label description 282
- Note the nxc checks conditions in the order they appear in the list while this sequence does not affect the functionality you might improve the performance of the nxc by putting more common conditions at the top of the list 282
- Nxc5200 user s guide 282
- Other to open the other screen 282
- The bandwidth used by these other applications this screen also allows you to add edit and remove conditions to this default policy 282
- The following table describes the labels in this screen 282
- Chapter 19 application patrol 283
- Label description 283
- Nxc5200 user s guide 283
- Other continued 283
- Add edit 284
- Add edit policy 284
- Chapter 19 application patrol 284
- Label description 284
- Nxc5200 user s guide 284
- Other continued 284
- The following table describes the labels in this screen 284
- This screen allows you to create a new condition or edit an existing one to access this screen go to the other protocol screen and click either the add icon or an edit icon 284
- Add edit continued 285
- Chapter 19 application patrol 285
- Label description 285
- Nxc5200 user s guide 285
- Add edit continued 286
- Chapter 19 application patrol 286
- Label description 286
- Nxc5200 user s guide 286
- Anti virus 287
- Hapter 287
- Overview 287
- What you can do in this chapter 287
- Anti virus engines 288
- How the nxc anti virus scanner works 288
- Nxc anti virus scanner 288
- Virus and worm 288
- What you need to know 288
- Before you begin 289
- Note since the nxc erases the infected portion of the file before sending it you may not be able to open the file 289
- Notes about the nxc anti virus 289
- Anti virus summary 290
- General 290
- Chapter 20 anti virus 291
- General continued 291
- Label description 291
- Nxc5200 user s guide 291
- Chapter 20 anti virus 292
- General continued 292
- Label description 292
- Nxc5200 user s guide 292
- Add edit 293
- Add edit rule 293
- Chapter 20 anti virus 293
- General screen to display this configuration screen 293
- Label description 293
- Nxc5200 user s guide 293
- The following table describes the labels in this screen 293
- Add edit continued 294
- Chapter 20 anti virus 294
- Label description 294
- Note the nxc decompresses a zip file once the nxc does not decompress any zip file s within a zip file 294
- Note the nxc s firmware package cannot go through the nxc with this option enabled the nxc classifies the firmware package as not being able to be decompressed and deletes it 294
- Note when you select this option the nxc deletes zip files that use password encryption 294
- Nxc5200 user s guide 294
- Add edit continued 295
- Black list 295
- Black white list to display this screen use the black list screen to set up the anti virus black blocked list of virus file patterns click a column s heading cell to sort the table entries by that column s criteria click the heading cell again to reverse the sort order 295
- Chapter 20 anti virus 295
- Label description 295
- Nxc5200 user s guide 295
- The following table describes the labels in this screen 295
- Add edit pattern 296
- Black list 296
- Add edit pattern 297
- Chapter 20 anti virus 297
- Label description 297
- Nxc5200 user s guide 297
- The following table describes the labels in this screen 297
- Chapter 20 anti virus 298
- Label description 298
- Nxc5200 user s guide 298
- The following table describes the labels in this screen 298
- White list 298
- White list to display the screen shown next use the black white list screen to set up anti virus black blocked and white allowed lists of virus file patterns click a column s heading cell to sort the table entries by that column s criteria click the heading cell again to reverse the sort order 298
- Signature 299
- Chapter 20 anti virus 300
- Label description 300
- Nxc5200 user s guide 300
- Signature 300
- The following table describes the labels in this screen 300
- Computer virus infection and prevention 301
- Table 111 common computer virus types 301
- Technical reference 301
- Types of computer viruses 301
- Types of anti virus scanner 302
- Hapter 303
- Overview 303
- What you can do in this chapter 303
- What you need to know 303
- Applying your idp configuration 304
- Base idp profiles 304
- Before you begin 304
- Idp policies 304
- Idp profiles 304
- Idp summary 304
- Note you can only apply one idp profile to one traffic flow 304
- Note you must register in order to use packet inspection signatures see the registration screens 304
- Chapter 21 idp 305
- General 305
- If you try to enable idp when the idp service has not yet been registered a warning screen displays and idp is not enabled 305
- Label description 305
- Nxc5200 user s guide 305
- The following table describes the screens in this screen 305
- Chapter 21 idp 306
- General continued 306
- Label description 306
- Note depending on your network topology and traffic load binding every packet direction to an idp profile may affect the nxc s performance 306
- Nxc5200 user s guide 306
- General continued 307
- Profile 307
- Profile summary 307
- Base profile description 308
- Base profiles 308
- Chapter 21 idp 308
- Figure 138 base profiles 308
- Label description 308
- Nxc5200 user s guide 308
- Profile 308
- Profile screen click add to display the following screen 308
- Table 114 base profiles 308
- The following table describes the fields in this screen 308
- The following table describes this screen 308
- Base profile description 309
- Chapter 21 idp 309
- Creating new profiles 309
- Nxc5200 user s guide 309
- Profile screen to display a pop up screen allowing you to choose a base profile 309
- Table 114 base profiles continued 309
- To create a new profile 309
- You could create a new monitor profile that creates logs but all actions are disabled observe the logs over time and try to eliminate the causes of the false alarms when you re satisfied that they have been reduced to an acceptable level you could then create an inline profile whereby you configure appropriate actions to be taken when a packet matches a signature 309
- You may also find that certain signatures are triggering too many false positives or false negatives a false positive is when valid traffic is flagged as an attack a false negative is when invalid traffic is wrongly allowed to pass through the nxc as each network is different false positives and false negatives are common on initial idp deployment 309
- You may want to create a new profile if not all signatures in a base profile are applicable to your network in this case you should disable non applicable signatures so as to improve nxc idp processing efficiency 309
- Note if internet explorer opens a warning screen about a script making internet explorer run slowly and the computer maybe becoming unresponsive just click no to continue 310
- Add edit profile 311
- Add edit profile 312
- Chapter 21 idp 312
- Label description 312
- Nxc5200 user s guide 312
- The following table describes the fields in this screen 312
- Add edit profile continued 313
- Chapter 21 idp 313
- Label description 313
- Nxc5200 user s guide 313
- Add edit profile continued 314
- Chapter 21 idp 314
- Label description 314
- Nxc5200 user s guide 314
- Policy type description 314
- Policy types 314
- Table 116 policy types 314
- This section describes idp policy types also known as attack types as categorized in the nxc you may refer to these types when categorizing your own custom rules 314
- Chapter 21 idp 315
- Nxc5200 user s guide 315
- Policy type description 315
- Table 116 policy types continued 315
- An idp service group is a set of related packet inspection signatures 316
- Chapter 21 idp 316
- Edit profile 316
- Idp service groups 316
- Logs and actions applied to a service group apply to all signatures within that group if you select original setting for service group logs and or actions all signatures within that group are returned to their last saved settings 316
- Nxc5200 user s guide 316
- Table 117 idp service groups 316
- The following figure shows the web_php service group that contains signatures related to attacks on web servers using php exploits php php hypertext preprocessor is a server side html embedded scripting language that allows web developers to build dynamic websites 316
- Chapter 21 idp 317
- Click switch to query view in the edit profile screen to display the signature query screen in the query view screen you can search for signatures by criteria such as name id severity attack type vulnerable attack platforms service category log options or actions 317
- Edit profile 317
- Label description 317
- Nxc5200 user s guide 317
- Query view screen 317
- The following table describes the fields specific to this screen s query view 317
- Chapter 21 idp 318
- Edit profile continued 318
- Label description 318
- Nxc5200 user s guide 318
- Figure 142 query example search results 319
- Query example 319
- Chapter 21 idp 320
- Create custom signatures for new attacks or attacks peculiar to your network custom signatures can also be saved to from your computer so as to share with others you need some knowledge of packet headers and attack types to create your own custom signatures 320
- Custom idp signatures 320
- Figure 143 ip v4 packet headers 320
- Header description 320
- Ip packet header 320
- Nxc5200 user s guide 320
- Table 119 ip v4 packet headers 320
- The header fields are discussed below 320
- These are the fields in an internet protocol ip version 4 packet header 320
- Chapter 21 idp 321
- Custom signature s the first screen shows a summary of all custom signatures created click the sid or name heading to sort click the add icon to create a new signature or click the edit icon to edit an existing signature you can also delete custom signatures here or save them to your computer 321
- Custom signatures 321
- Header description 321
- Nxc5200 user s guide 321
- Table 119 ip v4 packet headers continued 321
- Chapter 21 idp 322
- Custom signatures 322
- Label description 322
- Nxc5200 user s guide 322
- The following table describes the fields in this screen 322
- The nxc checks all signatures and continues searching even after a match is found if two or more rules have conflicting actions for the same packet then the nxc applies the more restrictive action reject both reject receiver or reject sender drop none in this order if a packet matches a rule for reject receiver and it also matches a rule for reject sender then the nxc will reject both 322
- A packet must match all items you configure in this screen before it matches the signature the more specific your signature including packet contents then the fewer false positives the signature will trigger 323
- Add edit custom signature 323
- Chapter 21 idp 323
- Custom signatures continued 323
- In the custom signatures screen click the add icon to create a new signature or click the edit icon to edit an existing signature 323
- Label description 323
- Note the name of the complete custom signature file on the nxc is custom rules if you import a file named custom rules then all custom signatures on the nxc are overwritten with the new file if this is not your intention make sure that the files you import are not named custom rules 323
- Nxc5200 user s guide 323
- Add edit 324
- Add edit 325
- Chapter 21 idp 325
- Label description 325
- Nxc5200 user s guide 325
- Add edit continued 326
- Chapter 21 idp 326
- Label description 326
- Nxc5200 user s guide 326
- Add edit continued 327
- Chapter 21 idp 327
- Label description 327
- Nxc5200 user s guide 327
- Add edit continued 328
- Chapter 21 idp 328
- Label description 328
- Nxc5200 user s guide 328
- Add edit continued 329
- Custom signature example 329
- Understand the vulnerability 329
- Analyze packets 330
- Figure 146 dns query packet details 330
- Applying custom signatures 331
- Figure 147 example custom signature 331
- Figure 148 example custom signature in idp profile 332
- Verifying custom signatures 332
- Figure 149 custom signature log 333
- Host intrusions 333
- Technical reference 333
- Network intrusions 334
- Snort signatures 334
- Table 122 nxc snort equivalent terms 334
- Chapter 21 idp 335
- Note not all snort functionality is supported in the nxc 335
- Nxc term snort equivalent term 335
- Nxc5200 user s guide 335
- Table 122 nxc snort equivalent terms continued 335
- Hapter 337
- Overview 337
- What you can do in this chapter 337
- What you need to know 337
- Adp policy 338
- Adp profile 338
- Base adp profiles 338
- Before you begin 338
- Protocol anomalies 338
- Adp summary 339
- Chapter 22 adp 339
- General 339
- General use this screen to turn anomaly detection on or off and apply anomaly profiles to traffic directions 339
- Label description 339
- Nxc5200 user s guide 339
- The following table describes the screens in this screen 339
- Chapter 22 adp 340
- Create a new profile using an existing base profile 340
- Delete an existing profile 340
- Edit an existing profile 340
- General continued 340
- Label description 340
- Note depending on your network topology and traffic load applying every packet direction to an anomaly profile may affect the nxc s performance 340
- Nxc5200 user s guide 340
- Profile summary 340
- Use this screen to 340
- Base profiles 341
- Figure 152 base profiles 341
- Profile 341
- Creating new adp profiles 342
- Table 125 base profiles 342
- Traffic anomaly profiles 342
- Traffic anomaly 343
- Chapter 22 adp 344
- Label description 344
- Nxc5200 user s guide 344
- The following table describes the fields in this screen 344
- Traffic anomaly 344
- Chapter 22 adp 345
- Label description 345
- Nxc5200 user s guide 345
- Profile screen click the edit icon or click the add icon and choose a base profile then select the protocol anomaly tab if you made changes to other screens belonging to this profile make sure you have clicked ok or save to save the changes before selecting the protocol anomaly tab 345
- Protocol anomaly configuration 345
- Protocol anomaly detection includes http inspection tcp decoder udp decoder and icmp decoder where each category reflects the packet type inspected 345
- Protocol anomaly is the third screen in an adp profile protocol anomaly pa rules check for protocol compliance against the relevant rfc request for comments 345
- Protocol anomaly profiles 345
- Protocol anomaly rules may be updated when you upload new firmware 345
- Traffic anomaly continued 345
- Protocol anomaly 346
- Chapter 22 adp 347
- Label description 347
- Nxc5200 user s guide 347
- Protocol anomaly 347
- The following table describes the fields in this screen 347
- Chapter 22 adp 348
- Label description 348
- Nxc5200 user s guide 348
- Protocol anomaly continued 348
- Decoy port scans 349
- Port scanning 349
- Protocol anomaly continued 349
- Technical reference 349
- Distributed port scans 350
- Filtered port scans 350
- Port sweeps 350
- Figure 155 smurf attack 351
- Flood detection 351
- Icmp flood attack 351
- Figure 156 tcp three way handshake 352
- Figure 157 syn flood 352
- Tcp syn flood attack 352
- Chapter 22 adp 353
- Http inspection and tcp udp icmp decoders 353
- In a land attack hackers flood syn packets into a network with a spoofed source ip address of the network itself this makes it appear as if the computers in the network sent the packets to themselves so the network is unavailable while they try to respond to themselves 353
- Label description 353
- Land attack 353
- Nxc5200 user s guide 353
- Table 128 http inspection and tcp udp icmp decoders 353
- The following table gives some information on the http inspection tcp decoder udp decoder and icmp decoder nxc protocol anomaly rules 353
- Udp flood attack 353
- Udp is a connection less protocol and it does not require any connection setup procedure to transfer data a udp flood attack is possible when an attacker sends a udp packet to a random port on the victim system when the victim system receives a udp packet it will determine what application is waiting on the destination port when it realizes that there is no application that is waiting on the port it will generate an icmp packet of destination unreachable to the forged source address if enough udp packets are delivered to ports on victim the system will go down 353
- Chapter 22 adp 354
- Label description 354
- Nxc5200 user s guide 354
- Table 128 http inspection and tcp udp icmp decoders continued 354
- Chapter 22 adp 355
- Label description 355
- Nxc5200 user s guide 355
- Table 128 http inspection and tcp udp icmp decoders continued 355
- Chapter 22 adp 356
- Label description 356
- Nxc5200 user s guide 356
- Table 128 http inspection and tcp udp icmp decoders continued 356
- Device ha 357
- Hapter 357
- Overview 357
- What you can do in this chapter 357
- Before you begin 358
- Management access 358
- Note only nxcs of the same model and firmware version can synchronize 358
- Note subscribe to services on the backup nxc before synchronizing it with the master nxc 358
- Synchronization 358
- What you need to know 358
- Chapter 23 device ha 359
- Device ha general 359
- Device ha general to display 359
- General 359
- Label description 359
- Note it is not recommended to use stp spanning tree protocol with device ha 359
- Nxc5200 user s guide 359
- The following table describes the labels in this screen 359
- Chapter 23 device ha 360
- General continued 360
- Label description 360
- Nxc5200 user s guide 360
- Active passive mode 361
- Active passive mode 362
- Chapter 23 device ha 362
- Label description 362
- Note do not set this field to master for two or more nxcs in the same virtual router same cluster id 362
- Nxc5200 user s guide 362
- The following table describes the labels in this screen 362
- Active passive mode continued 363
- Chapter 23 device ha 363
- Label description 363
- Nxc5200 user s guide 363
- Active passive mode continued 364
- Edit monitored interface 364
- Chapter 23 device ha 365
- Edit monitored interface 365
- Label description 365
- Note do not connect the bridge interfaces on two nxcs without device ha activated on both doing so could cause a broadcast storm 365
- Nxc5200 user s guide 365
- The following table describes the labels in this screen 365
- Cluster id 366
- Figure 162 virtual router 366
- Technical reference 366
- Virtual router 366
- Figure 163 cluster ids for multiple virtual routers 367
- Monitored interfaces in active passive mode device ha 367
- Virtual router and management ip addresses 367
- Active passive mode device ha with bridge interfaces 368
- Figure 164 management ip addresses 368
- First option for connecting the bridge interfaces on two nxcs 368
- Br0 ge4 ge5 370
- Br0 ge4 ge5 disabled 370
- Disabled 370
- Second option for connecting the bridge interfaces on two nxcs 370
- Br0 ge4 ge5 371
- Synchronization 371
- Hapter 373
- Overview 373
- User group 373
- What you can do in this chapter 373
- What you need to know 373
- Ext group user accounts 374
- Ext user accounts 374
- Note if the nxc tries to authenticate an 374
- Note the default admin account is always authenticated locally regardless of the authentication method setting 374
- Table 132 types of user accounts 374
- User types 374
- Using the local database the attempt always fails 374
- Ext server accounts 375
- Note you cannot put access users and admin users in the same user group 375
- Note you cannot put the default admin account into any user group 375
- User awareness 375
- User groups 375
- User role priority 375
- Add edit user 376
- Rules for user names 376
- User summary 376
- Add edit a user 377
- Alphanumeric a z 0 9 there is no unicode support 377
- Chapter 24 user group 377
- Dashes 377
- Here are the reserved user names 377
- Nxc5200 user s guide 377
- The first character must be alphabetical a z a z an underscore _ or a dash other limitations on user names are 377
- To access this screen go to the user screen and click add or edit 377
- User names are case sensitive if you enter a user bob but use bob when connecting via cifs or ftp it will use the account settings used for bob not bob 377
- User names have to be different than user group names 377
- _ underscores 377
- Add edit a user 378
- Chapter 24 user group 378
- Label description 378
- Nxc5200 user s guide 378
- The following table describes the labels in this screen 378
- Add edit a user continued 379
- Chapter 24 user group 379
- Group summary 379
- Label description 379
- Nxc5200 user s guide 379
- The following table describes the labels in this screen 379
- Add edit group 380
- Group continued 380
- Add edit group continued 381
- Chapter 24 user group 381
- Label description 381
- Nxc5200 user s guide 381
- Setting 381
- This screen controls default settings login settings lockout settings and other user settings for the nxc you can also use this screen to specify when users must log in to the nxc before it routes traffic for them 381
- Chapter 24 user group 382
- Label description 382
- Nxc5200 user s guide 382
- Setting 382
- The following table describes the labels in this screen 382
- Chapter 24 user group 383
- Label description 383
- Nxc5200 user s guide 383
- Setting continued 383
- Chapter 24 user group 384
- Edit user authentication timeout settings 384
- Label description 384
- Nxc5200 user s guide 384
- Setting continued 384
- This screen allows you to set the default authentication timeout settings for the selected type of user account these default authentication timeout settings also control the settings for any existing user accounts that are set to use the default settings you can still manually configure any user account s authentication timeout settings 384
- Chapter 24 user group 385
- Edit user authentication timeout settings 385
- Label description 385
- Nxc5200 user s guide 385
- Setting screen and click one of the default authentication timeout settings section s edit icons 385
- The following table describes the labels in this screen 385
- Access users cannot use the web configurator to browse the configuration of the nxc instead after access users log into the nxc the following screen appears 386
- Chapter 24 user group 386
- Figure 171 user aware login 386
- Label description 386
- Nxc5200 user s guide 386
- Table 139 user aware login 386
- The following table describes the labels in this screen 386
- User aware login example 386
- Ap profile 387
- Hapter 387
- Overview 387
- What you can do in this chapter 387
- What you need to know 387
- Ieee 802 x 388
- Note you can have a maximum of 64 radio profiles on the nxc 388
- Radiot 388
- Wpa and wpa2 388
- Add edit profile 389
- Add edit radio profile 389
- Chapter 25 ap profile 389
- Label description 389
- Nxc5200 user s guide 389
- The following table describes the labels in this screen 389
- This screen allows you to create a new radio profile or edit an existing one to access this screen click the add button or select a radio profile from the list and click the edit button 389
- Add edit profile 390
- Chapter 25 ap profile 390
- Label description 390
- Nxc5200 user s guide 390
- The following table describes the labels in this screen 390
- Add edit profile continued 391
- Chapter 25 ap profile 391
- Label description 391
- Note reducing the output power also reduces the nxc s effective broadcast radius 391
- Nxc5200 user s guide 391
- Add edit profile continued 392
- Note you can have a maximum of 64 ssid profiles on the nxc 392
- Ssid list 392
- Add edit ssid profile 393
- Chapter 25 ap profile 393
- Label description 393
- Nxc5200 user s guide 393
- Ssid list 393
- The following table describes the labels in this screen 393
- This screen allows you to create a new ssid profile or edit an existing one to access this screen click the add button or select an ssid profile from the list and click the edit button 393
- Add edit ssid profile 394
- Chapter 25 ap profile 394
- Label description 394
- Note it is highly recommended that you create security profiles for all of your ssids to enhance your network security 394
- Nxc5200 user s guide 394
- The following table describes the labels in this screen 394
- Add edit ssid profile continued 395
- Chapter 25 ap profile 395
- Label description 395
- Nxc5200 user s guide 395
- Chapter 25 ap profile 396
- Label description 396
- Note you can have a maximum of 64 security profiles on the nxc 396
- Nxc5200 user s guide 396
- Security list 396
- The following table describes the labels in this screen 396
- This screen allows you to manage wireless security configurations that can be used by your ssids wireless security is implemented strictly between the ap broadcasting the ssid and the stations that are connected to it 396
- Add edit security profile 397
- Chapter 25 ap profile 397
- Label description 397
- Note this screen s options change based on the security mode selected only the default screen is displayed here 397
- Nxc5200 user s guide 397
- Security profileadd edit security profile 397
- The following table describes the labels in this screen 397
- This screen allows you to create a new security profile or edit an existing one to access this screen click the add button or select a security profile from the list and click the edit button 397
- Add edit security profile continued 398
- Chapter 25 ap profile 398
- Label description 398
- Nxc5200 user s guide 398
- Add edit security profile continued 399
- Chapter 25 ap profile 399
- Label description 399
- Mac filter list 399
- Note you can have a maximum of 64 mac filtering profiles on the nxc 399
- Nxc5200 user s guide 399
- The following table describes the labels in this screen 399
- Add edit mac filter profile 400
- Chapter 25 ap profile 400
- Label description 400
- Nxc5200 user s guide 400
- The following table describes the labels in this screen 400
- This screen allows you to create a new mac filtering profile or edit an existing one to access this screen click the add button or select a mac filter profile from the list and click the edit button 400
- Hapter 401
- Mon profile 401
- Overview 401
- What you can do in this chapter 401
- What you need to know 401
- Chapter 26 mon profile 402
- Label description 402
- Mon profile 402
- Nxc5200 user s guide 402
- The following table describes the labels in this screen 402
- Add edit mon profile 403
- Chapter 26 mon profile 403
- Label description 403
- Nxc5200 user s guide 403
- The following table describes the labels in this screen 403
- This screen allows you to create a new monitor mode profile or edit an existing one to access this screen click the add button or select and existing monitor mode profile and click the edit button 403
- Add edit mon profile continued 404
- Chapter 26 mon profile 404
- Figure 182 rogue ap example 404
- Label description 404
- Nxc5200 user s guide 404
- Rogue aps 404
- Rogue aps are wireless access points operating in a network s coverage area that are not under the control of the network s administrators and can open up holes in a network s security attackers can take advantage of a rogue ap s weaker or non existent security to gain access to the network or set up their own rogue aps in order to capture information from wireless clients if a scan reveals a rogue ap you can use commercially available software to physically locate it 404
- Technical reference 404
- The following section contains additional technical information about the features described in this chapter 404
- Friendly aps 405
- Address summary 407
- Addresses 407
- Hapter 407
- Overview 407
- What you can do in this chapter 407
- What you need to know 407
- Address click a column s heading cell to sort the table entries by that column s criteria click the heading cell again to reverse the sort order 408
- Address summary 408
- Chapter 27 addresses 408
- Label description 408
- Nxc5200 user s guide 408
- Range a range address is defined by a starting ip address and an ending ip address 408
- Subnet a network address is defined by a network ip address and netmask subnet mask 408
- The following table describes the labels in this screen 408
- Add edit 409
- Add edit address 409
- Chapter 27 addresses 409
- Label description 409
- Note the nxc automatically updates address objects that are based on an interface s ip address subnet or gateway if the interface s ip address settings change for example if you change ge1 s ip address the nxc automatically updates the corresponding interface based lan subnet address object 409
- Nxc5200 user s guide 409
- The add edit address screen allows you to create a new address or edit an existing one to access this screen go to the address screen and click either the add icon or an edit icon 409
- The following table describes the labels in this screen 409
- Add edit continued 410
- Address group 410
- Address group click a column s heading cell to sort the table entries by that column s criteria click the heading cell again to reverse the sort order 410
- Address group summary 410
- Chapter 27 addresses 410
- Label description 410
- Nxc5200 user s guide 410
- The following table describes the labels in this screen 410
- Add edit 411
- Add edit address group rule 411
- Chapter 27 addresses 411
- Label description 411
- Nxc5200 user s guide 411
- The add edit address group rule screen allows you to create a new address group or edit an existing one to access this screen go to the address group screen and click either the add icon or an edit icon 411
- The following table describes the labels in this screen 411
- Hapter 413
- Overview 413
- Services 413
- What you can do in this chapter 413
- What you need to know 413
- Service objects and service groups 414
- Chapter 28 services 415
- Label description 415
- Nxc5200 user s guide 415
- Service 415
- Service click a column s heading cell to sort the table entries by that column s criteria click the heading cell again to reverse the sort order 415
- Service summary 415
- The following table describes the labels in this screen 415
- The service summary screen provides a summary of all services and their definitions in addition this screen allows you to add edit and remove services 415
- Add edit 416
- Add edit service rule 416
- Chapter 28 services 416
- Label description 416
- Nxc5200 user s guide 416
- Service continued 416
- The add edit service rule screen allows you to create a new service or edit an existing one to access this screen go to the service screen and click either the add icon or an edit icon 416
- The following table describes the labels in this screen 416
- Chapter 28 services 417
- Label description 417
- Nxc5200 user s guide 417
- Service group 417
- Service group summary 417
- The following table describes the labels in this screen 417
- The service group summary screen provides a summary of all service groups in addition this screen allows you to add edit and remove service groups 417
- Add edit 418
- Add edit service group rule 418
- Chapter 28 services 418
- Label description 418
- Nxc5200 user s guide 418
- The add edit service group rule screen allows you to create a new service group or edit an existing one to access this screen go to the service group screen and click either the add icon or an edit icon 418
- The following table describes the labels in this screen 418
- Hapter 419
- Overview 419
- Schedules 419
- What you can do in this chapter 419
- What you need to know 419
- Chapter 29 schedules 420
- Label description 420
- Nxc5200 user s guide 420
- Schedule 420
- Schedule summary 420
- The following table describes the labels in this screen 420
- Add edit one time 421
- Add edit schedule one time rule 421
- Chapter 29 schedules 421
- Label description 421
- Nxc5200 user s guide 421
- Schedule continued 421
- The add edit schedule one time rule screen allows you to define a one time schedule or edit an existing one to access this screen go to the schedule screen and click either the add icon or an edit icon in the one time section 421
- The following table describes the labels in this screen 421
- Add edit one time continued 422
- Add edit recurring 422
- Add edit schedule recurring rule 422
- Chapter 29 schedules 422
- Label description 422
- Nxc5200 user s guide 422
- The add edit schedule recurring rule screen allows you to define a recurring schedule or edit an existing one to access this screen go to the schedule screen and click either the add icon or an edit icon in the recurring section 422
- Add edit recurring 423
- Chapter 29 schedules 423
- Label description 423
- Nxc5200 user s guide 423
- The year month and day columns are not used in recurring schedules and are disabled in this screen the following table describes the remaining labels in this screen 423
- Aaa server 425
- Hapter 425
- Overview 425
- What you can do in this chapter 425
- What you need to know 425
- Figure 195 radius server network example 426
- Radius server 426
- Aaa servers supported by the nxc 427
- Authentication capability list 427
- Chapter 30 aaa server 427
- Directory service ldap ad 427
- Internal authentcation method external radius 427
- Ldap lightweight directory access protocol ad active directory is a directory service that is both a directory and a protocol for controlling access to a network the directory consists of a database specialized for fast information retrieval and filtering activities you create and store user profile and login information on the external server 427
- Local user database 427
- Note because the nxc has an internal authentication database you can create local login accounts on it without needing to rely on an external authentication server the built in authentication server supports peap eap tls eap ttls 427
- Nxc5200 user s guide 427
- Radius 427
- Radius remote authentication dial in user service authentication is a popular protocol used to authenticate users by means of an external or built in radius server radius authentication allows you to validate a large number of users from a central location 427
- Table 161 authentication capability list 427
- The following lists the types of authentication server the nxc supports 427
- The nxc uses the built in local user database to authenticate administrative users logging into the nxc s web configurator or network access users logging into the network through the nxc 427
- This list displays the nxc s authentication capabilities 427
- Base dn 428
- Directory structure 428
- Distinguished name dn 428
- Figure 196 basic directory structure 428
- Active directory ldap 429
- Bind dn 429
- Note both the active directory and ldap screens while on separate tabs are identical in configuration this section applies to both equally 429
- Add edit 430
- Add edit active directory ldap server 430
- Note the active directory and ldap server setup screens are almost identical so the features for both screens are described in this section 430
- Add edit 431
- Chapter 30 aaa server 431
- Label description 431
- Nxc5200 user s guide 431
- O zyxel c u 431
- Table 163 add edit 431
- The following table describes the labels in these screens 431
- Chapter 30 aaa server 432
- Cn zyadmi 432
- Label description 432
- Note this is only for ldap 432
- Nxc5200 user s guide 432
- O zyxel c u 432
- Table 163 add edit continued 432
- Zyadmi 432
- Chapter 30 aaa server 433
- Label description 433
- Nxc5200 user s guide 433
- Radius 433
- Radius to display the radius screen 433
- Table 163 add edit continued 433
- The following table describes the labels in this screen 433
- Add edit 434
- Add edit radius 434
- Chapter 30 aaa server 434
- Label description 434
- Nxc5200 user s guide 434
- Radius to display the radius screen click the add icon or an edit icon to display the following screen use this screen to create a new ad or ldap entry or edit an existing one 434
- The following table describes the labels in this screen 434
- Add edit continued 435
- Chapter 30 aaa server 435
- Label description 435
- Nxc5200 user s guide 435
- Authentication method 437
- Before you begin 437
- Hapter 437
- Overview 437
- What you can do in this chapter 437
- Add authentication method 438
- Auth method 438
- Chapter 31 authentication method 439
- Click ok to save the settings or click cancel to discard all changes and return to the previous screen 439
- Label description 439
- Nxc5200 user s guide 439
- The following table describes the labels in this screen 439
- Certificates 441
- Hapter 441
- Overview 441
- What you can do in this chapter 441
- What you need to know 441
- Advantages of certificates 442
- Certificate file formats 443
- Factory default certificate 443
- Note be careful not to convert a binary file to text during the transfer process it is easy for this to occur since many programs use text files by default 443
- Self signed certificates 443
- Verifying a certificate 443
- Chapter 32 certificates 445
- Label description 445
- My certificates 445
- My certificates to open this screen this is the nxc s summary list of certificates and certification requests 445
- Nxc5200 user s guide 445
- The following table describes the labels in this screen 445
- Chapter 32 certificates 446
- Label description 446
- My certificates continued 446
- Nxc5200 user s guide 446
- Add my certificates 447
- Chapter 32 certificates 448
- Label description 448
- Nxc5200 user s guide 448
- The following table describes the labels in this screen 448
- Add continued 449
- Chapter 32 certificates 449
- Label description 449
- Nxc5200 user s guide 449
- Add continued 450
- Chapter 32 certificates 450
- If you configured the my certificate create screen to have the nxc enroll a certificate and the certificate enrollment is not successful you see a screen with a return button that takes you back to the my certificate create screen click return and check your information in the my certificate create screen make sure that the certification authority information is correct and that your internet connection is working properly if you want the nxc to enroll a certificate online 450
- Label description 450
- Nxc5200 user s guide 450
- Edit my certificates 451
- Chapter 32 certificates 452
- Label description 452
- Nxc5200 user s guide 452
- The following table describes the labels in this screen 452
- Chapter 32 certificates 453
- Label description 453
- Nxc5200 user s guide 453
- Chapter 32 certificates 454
- Import 454
- Import certificates 454
- Import to open the my certificate import screen follow the instructions in this screen to save an existing certificate to the nxc 454
- Label description 454
- Note you can import a certificate that matches a corresponding certification request that was generated by the nxc you can also import a certificate in pkcs 12 format including the certificate s public and private keys 454
- Nxc5200 user s guide 454
- The certificate you import replaces the corresponding request in the my certificates screen 454
- The following table describes the labels in this screen 454
- You must remove any spaces in the certificate s filename before you can import it 454
- Chapter 32 certificates 455
- Import continued 455
- Label description 455
- Nxc5200 user s guide 455
- The following table describes the labels in this screen 455
- Trusted certificates 455
- Trusted certificates to open the trusted certificates screen this screen displays a summary list of certificates that you have set the nxc to accept as trusted the nxc also accepts any valid certificate signed by a certificate on this list as being trustworthy thus you do not need to import any certificate that is signed by one of these certificates 455
- Chapter 32 certificates 456
- Label description 456
- Nxc5200 user s guide 456
- Trusted certificates continued 456
- Edit trusted certificates 457
- Chapter 32 certificates 458
- Label description 458
- Nxc5200 user s guide 458
- The following table describes the labels in this screen 458
- Chapter 32 certificates 459
- Label description 459
- Nxc5200 user s guide 459
- Chapter 32 certificates 460
- Import 460
- Import to open the trusted certificates import screen follow the instructions in this screen to save a trusted certificate to the nxc 460
- Import trusted certificates 460
- Label description 460
- Note you must remove any spaces from the certificate s filename before you can import the certificate 460
- Nxc5200 user s guide 460
- Chapter 32 certificates 461
- Import 461
- Label description 461
- Nxc5200 user s guide 461
- Ocsp online certificate status protocol allows an application or device to check whether a certificate is valid with ocsp the nxc checks the status of individual certificates instead of downloading a certificate revocation list crl ocsp has two main advantages over a crl the first is real time status information the second is a reduction in network traffic since the nxc only gets information on the certificates that it needs to verify not a huge list when the nxc requests certificate status information the ocsp server returns a expired current or unknown response 461
- Technical reference 461
- The following section contains additional technical information about the features described in this chapter 461
- The following table describes the labels in this screen 461
- Hapter 463
- Overview 463
- System 463
- What you can do in this chapter 463
- Chapter 33 system 464
- Date and time 464
- For effective scheduling and logging the nxc system time must be accurate the nxc s real time chip rtc keeps track of the time and date there is also a software mechanism to set the time manually or get the current time and date from an external server 464
- Host name 464
- Host name to open this screen 464
- Label description 464
- Nxc5200 user s guide 464
- The following table describes the labels in this screen 464
- Chapter 33 system 465
- Date time 465
- Date time the screen displays as shown you can manually set the nxc s time and date or have the nxc get the date and time from a time server 465
- Label description 465
- Nxc5200 user s guide 465
- The following table describes the labels in this screen 465
- Chapter 33 system 466
- Date time continued 466
- Label description 466
- Nxc5200 user s guide 466
- Chapter 33 system 467
- Date time continued 467
- Label description 467
- Nxc5200 user s guide 467
- Pre defined ntp time servers list 467
- Table 177 default time servers 467
- The nxc continues to use the following pre defined list of ntp time servers if you do not specify a time server or it cannot synchronize with the time server you specified 467
- When the nxc uses the pre defined list of ntp time servers it randomly selects one server and tries to synchronize with it if the synchronization fails then the nxc goes through the rest of the list in order from the first one tried until either it is successful or all the pre defined ntp time servers have been tried 467
- When you turn on the nxc for the first time the date and time start at 2003 01 01 00 00 00 the nxc then attempts to synchronize with one of the following pre defined list of network time protocol ntp time servers 467
- Figure 212 loading 468
- Time server synchronization 468
- Console speed 469
- Dns overview 469
- Dns server address assignment 469
- Configuring the dns screen 470
- Chapter 33 system 471
- Dns continued 471
- Label description 471
- Nxc5200 user s guide 471
- Address record 472
- An address record contains the mapping of a fully qualified domain name fqdn to an ip address an fqdn consists of a host and domain name for example www zyxel com is a fully qualified domain name where www is the host zyxel is the second level domain and com is the top level domain mail myzyxel com tw is also a fqdn where mail is the host myzyxel is the third level domain com is the second level domain and tw is the top level domain 472
- Chapter 33 system 472
- Dns continued 472
- Label description 472
- Nxc5200 user s guide 472
- A ptr pointer record is also called a reverse record or a reverse lookup record it is a mapping of an ip address to a domain name 473
- Add address ptr record 473
- Add address ptr recordt 473
- Adding an address ptr record 473
- Chapter 33 system 473
- Click the add icon in the address ptr record table to add an address ptr record 473
- Label description 473
- Nxc5200 user s guide 473
- Ptr record 473
- The following table describes the labels in this screen 473
- The nxc allows you to configure address records about the nxc itself or another device this way you can keep a record of dns names and addresses that people on your network may use frequently if the nxc receives a dns query for an fqdn for which the nxc has an address record the nxc can send the ip address in a dns response without having to query a dns name server 473
- Add domain zone forwarder 474
- Domain zone forwarder 474
- A mx mail exchange record indicates which host is responsible for the mail for a particular domain that is controls where mail is sent for that domain if you do not configure proper mx records for your domain or other domain external e mail from other mail servers will not be able to be delivered to your mail server and vice versa each host or domain can have only one mx record that is one domain is mapping to one host 475
- Add domain zone forwarder 475
- Chapter 33 system 475
- Label description 475
- Mx record 475
- Note if all interfaces are static then this field is hidden 475
- Nxc5200 user s guide 475
- The following table describes the labels in this screen 475
- 0 add service control 476
- Add mx record 476
- Add service control rule 476
- Chapter 33 system 476
- Click the add icon in the mx record table to add a mx record 476
- Click the add icon in the service control table to add a service control rule 476
- Label description 476
- Nxc5200 user s guide 476
- The following table describes the labels in this screen 476
- Add service control rule continued 477
- Figure 219 secure and insecure service access from the wan 477
- Service access limitations 477
- Www overview 477
- System timeout 478
- Configuring www service control 479
- Chapter 33 system 480
- Label description 480
- Nxc5200 user s guide 480
- Service control 480
- The following table describes the labels in this screen 480
- Chapter 33 system 481
- Label description 481
- Nxc5200 user s guide 481
- Service control continued 481
- Chapter 33 system 482
- Label description 482
- Nxc5200 user s guide 482
- Service control continued 482
- Add edit 483
- Chapter 33 system 483
- Click add or edit in the service control table in a www ssh telnet ftp or snmp screen to add a service control rule 483
- Https example 483
- If you haven t changed the default https port on the nxc then in your browser enter https nxc ip address as the web site address where nxc ip address is the ip address or domain name of the nxc you wish to access 483
- Label description 483
- Nxc5200 user s guide 483
- Service control rules 483
- The following table describes the labels in this screen 483
- Avoiding browser warning messages 484
- Figure 223 security alert dialog box internet explorer 484
- Internet explorer warning messages 484
- Enrolling and importing ssl client certificates 485
- Figure 224 login screen internet explorer 485
- Figure 225 trusted certificates 485
- Login screen 485
- Installing the ca s certificate 486
- Installing a personal certificate 487
- Using a certificate when accessing the nxc 489
- Figure 226 ssh communication over the wan example 491
- Figure 227 how ssh v1 works example 491
- How ssh works 491
- Requirements for using ssh 492
- Ssh implementation on the nxc 492
- Chapter 33 system 493
- Configuring ssh 493
- Label description 493
- Note it is recommended that you disable telnet and ftp when you configure ssh for secure connections 493
- Nxc5200 user s guide 493
- Ssh to change your nxc s secure shell settings use this screen to specify from which zones ssh can be used to manage the nxc you can also specify from which ip addresses the access can come 493
- The following table describes the labels in this screen 493
- Chapter 33 system 494
- Configure the ssh client to accept connection using ssh version 1 494
- Example 1 microsoft windows 494
- Examples of secure telnet using ssh 494
- Label description 494
- Launch the ssh client and specify the connection information ip address port number for the nxc 494
- Nxc5200 user s guide 494
- Ssh continued 494
- This section describes how to access the nxc using the secure shell client program 494
- This section shows two examples using a command interface and a graphical interface ssh client program to remotely access the nxc the configuration and connection steps are similar for most ssh client programs refer to your ssh client program user s guide 494
- Example 2 linux 495
- Figure 229 ssh example 1 store host key 495
- Figure 230 ssh example 2 test 495
- Figure 231 ssh example 2 log in 496
- Telnet 496
- Chapter 33 system 497
- Label description 497
- Nxc5200 user s guide 497
- Telnet 497
- The following table describes the labels in this screen 497
- You can upload and download the nxc s firmware and configuration files using ftp to use this feature your computer must have an ftp client see chapter 35 on page 519 for more information about firmware and configuration files 497
- Chapter 33 system 498
- Ftp tab the screen appears as shown use this screen to specify from which zones ftp can be used to access the nxc you can also specify from which ip addresses the access can come 498
- Label description 498
- Nxc5200 user s guide 498
- The following table describes the labels in this screen 498
- Chapter 33 system 499
- Ftp continued 499
- Label description 499
- Nxc5200 user s guide 499
- Figure 234 snmp management model 500
- Snmp traps 501
- Supported mibs 501
- Table 189 snmp traps 501
- Chapter 33 system 502
- Configuring snmp 502
- Label description 502
- Nxc5200 user s guide 502
- Snmp tab the screen appears as shown use this screen to configure your snmp settings including from which zones snmp can be used to access the nxc you can also specify from which ip addresses the access can come 502
- The following table describes the labels in this screen 502
- Chapter 33 system 503
- Label description 503
- Language 503
- Language to open this screen use this screen to select a display language for the nxc s web configurator screens 503
- Nxc5200 user s guide 503
- Snmp continued 503
- Chapter 33 system 504
- Label description 504
- Language 504
- Nxc5200 user s guide 504
- The following table describes the labels in this screen 504
- Email daily report 505
- Hapter 505
- Log and report 505
- Overview 505
- What you can do in this chapter 505
- Email daily report 506
- Chapter 34 log and report 507
- Email daily report 507
- Label description 507
- Log setting 507
- Nxc5200 user s guide 507
- The following table describes the labels in this screen 507
- The nxc provides a system log and supports e mail profiles and remote syslog servers the system log is available on the view log tab the e mail profiles are used to mail log messages to the specified destinations and the other four logs are stored on specified syslog servers 507
- These screens control log messages and alerts a log message stores the information for viewing for example in the view log tab or regular e mailing later and an alert is e mailed immediately usually alerts are used for events that require more serious attention such as system errors and attacks 507
- Log setting 508
- Log setting summary 508
- Chapter 34 log and report 509
- Label description 509
- Log setting continued 509
- Nxc5200 user s guide 509
- Edit log settings 510
- Chapter 34 log and report 511
- Label description 511
- Nxc5200 user s guide 511
- The following table describes the labels in this screen 511
- Chapter 34 log and report 512
- Edit continued 512
- Label description 512
- Nxc5200 user s guide 512
- Chapter 34 log and report 513
- Edit continued 513
- Label description 513
- Nxc5200 user s guide 513
- Edit remote server 514
- Chapter 34 log and report 515
- Edit remote server 515
- Label description 515
- Nxc5200 user s guide 515
- The following table describes the labels in this screen 515
- Active log summary 516
- Figure 241 active log summary 516
- Active log summary 517
- Chapter 34 log and report 517
- Label description 517
- Nxc5200 user s guide 517
- The following table describes the fields in this screen 517
- Active log summary 518
- Chapter 34 log and report 518
- Label description 518
- Nxc5200 user s guide 518
- File manager 519
- Hapter 519
- Overview 519
- What you can do in this chapter 519
- What you need to know 519
- Chapter 35 file manager 520
- Comments in configuration files or shell scripts 520
- Figure 242 configuration file shell script example 520
- In a configuration file or shell script use or as the first character of a command line to have the nxc treat the line as a comment 520
- Nxc5200 user s guide 520
- Table 197 configuration files and shell scripts in the nxc 520
- These files have the same syntax which is also identical to the way you run cli commands manually an example is shown below 520
- While configuration files and shell scripts have the same syntax the nxc applies configuration files differently than it runs shell scripts this is explained below 520
- You have to run the aforementioned example as a shell script because the first command is run in privilege mode if you remove the first command you have to run the example as a configuration file because the rest of the commands are executed in configuration mode 520
- Your configuration files or shell scripts can use exit or a command line consisting of a single to have the nxc exit sub command mode 520
- Errors in configuration files or shell scripts 521
- Note exit or must follow sub commands if it is to make the nxc exit sub command mode 521
- Configuration file 522
- Configuration file flow at restart 522
- Do not turn off the nxc while configuration file upload is in progress 522
- Chapter 35 file manager 523
- Configuration file 523
- Label description 523
- Nxc5200 user s guide 523
- The following table describes the labels in this screen 523
- Chapter 35 file manager 524
- Configuration file continued 524
- Label description 524
- Nxc5200 user s guide 524
- Chapter 35 file manager 525
- Configuration file continued 525
- Firmware package 525
- Firmware package to open this screen use the firmware package screen to check your current firmware version and upload firmware to the nxc 525
- Label description 525
- Nxc5200 user s guide 525
- Chapter 35 file manager 526
- Find the firmware package at www zyxel com in a file that usually uses the system model name with a bin extension for example nxc bin 526
- Firmware package 526
- Label description 526
- Note the web configurator is the recommended method for uploading firmware you only need to use the command line interface if you need to recover the firmware see the cli reference guide for how to determine if you need to recover the firmware and how to recover it 526
- Nxc5200 user s guide 526
- The firmware update can take up to five minutes do not turn off or reset the nxc while the firmware update is in progress 526
- The following table describes the labels in this screen 526
- The nxc s firmware package cannot go through the nxc when you enable the anti virus destroy compressed files that could not be decompressed option the nxc classifies the firmware package as not being able to be decompressed and deletes it you can upload the firmware package to the nxc with the option enabled so you only need to clear the destroy compressed files that could not be decompressed option while you download the firmware package 526
- Figure 245 firmware upload in process 527
- Figure 246 network temporarily disconnected 527
- Figure 247 firmware upload error 527
- Note the nxc automatically reboots after a successful upload 527
- Shell script 527
- Chapter 35 file manager 528
- Command the changes will be lost when the nxc restarts you could use multiple 528
- Commands in a long script 528
- Commands in your scripts if you do not use the 528
- Each field is described in the following table 528
- Label description 528
- Note you should include 528
- Nxc5200 user s guide 528
- Shell script 528
- Chapter 35 file manager 529
- Label description 529
- Nxc5200 user s guide 529
- Shell script continued 529
- Diagnostics 531
- Hapter 531
- Overview 531
- What you can do in this chapter 531
- Capture 532
- Diagnostics 532
- Note new capture files overwrite existing files of the same name change the file suffix field s setting to avoid this 532
- Packet capture 532
- Chapter 36 diagnostics 533
- Label description 533
- Note if you have existing capture files you may need to set this size larger or delete existing capture files 533
- Nxc5200 user s guide 533
- Packet capture 533
- The following table describes the labels in this screen 533
- Chapter 36 diagnostics 534
- Files to open the packet capture files screen this screen lists the files of packet captures the nxc has performed you can download the files to your computer where you can study them using a packet analyzer also known as a network or protocol analyzer such as wireshark 534
- Label description 534
- Nxc5200 user s guide 534
- Packet capture continued 534
- Packet capture files 534
- The following table describes the labels in this screen 534
- Example of viewing a packet capture file 535
- Figure 252 packet capture file example 535
- Files continued 535
- Capture 536
- Chapter 36 diagnostics 536
- Label description 536
- Note new capture files overwrite existing files of the same name change the file suffix field s setting to avoid this 536
- Nxc5200 user s guide 536
- The following table describes the labels in this screen 536
- Use this screen to capture wireless network traffic going through the ap interfaces connected to your nxc studying these frame captures may help you identify network problems 536
- Wireless frame capture 536
- Wireless frame capture to display this screen 536
- Capture 537
- Chapter 36 diagnostics 537
- Label description 537
- Note if you have existing capture files you may need to set this size larger or delete existing capture files 537
- Nxc5200 user s guide 537
- Chapter 36 diagnostics 538
- Files to open this screen this screen lists the files of wireless frame captures the nxc has performed you can download the files to your computer where you can study them using a packet analyzer also known as a network or protocol analyzer such as wireshark 538
- Label description 538
- Nxc5200 user s guide 538
- The following table describes the labels in this screen 538
- Wireless frame capture files 538
- Hapter 539
- Overview 539
- Reboot 539
- What you need to know 539
- Hapter 541
- Overview 541
- Shutdown 541
- What you need to know 541
- General 543
- Hapter 543
- Overview 543
- Troubleshooting 543
- Cannot access the nxc from the lan 544
- I cannot access the internet 544
- I cannot update the anti virus signatures 544
- I cannot update the idp application patrol signatures 545
- I configured security settings but the nxc is not applying them for certain interfaces 545
- I downloaded updated anti virus or idp application patrol signatures why has the nxc not re booted yet 545
- The nxc is not applying the custom firewall rule i configured 545
- The nxc is not applying the custom policy route i configured 545
- Hackers have accessed my wep encrypted wireless lan 546
- I can t enter the interface name i want 546
- My rules and settings that apply to a particular interface no longer work 546
- The nxc is not applying an interface s configured ingress bandwidth limit 546
- The wireless security is not following the re authentication timer setting i specified 546
- The nxc is deleting some zipped files 547
- The nxc is not applying my application patrol bandwidth management settings 547
- The nxc is not scanning some zipped files 547
- The nxc s anti virus scanner cleaned an infected file but now i cannot use the file 547
- The nxc s performance slowed down after i configured many new application patrol entries 547
- Depending on your network topology and traffic load applying an anomaly profile to each and every packet direction may affect the nxc s performance 548
- I cannot configure some items in idp that i can configure in snort 548
- I uploaded a custom signature file and now all of my earlier custom signatures are gone 548
- Idp is dropping traffic that matches a rule that says no action should be taken 548
- The nxc s performance seems slower after configuring adp 548
- The nxc s performance seems slower after configuring idp 548
- I cannot get the application patrol to manage ftp traffic 549
- I cannot get the application patrol to manage h 23 traffic 549
- I cannot get the application patrol to manage sip traffic 549
- The nxc is not applying a policy route s port triggering settings 549
- The nxc keeps resetting the connection 549
- The nxc routes and applies snat for traffic from some interfaces but not from others 549
- You also need to create a firewall rule to allow an incoming service 549
- I changed the lan ip address and can no longer access the internet 550
- I configured application patrol to allow and manage access to a specific service but access is blocked 550
- I configured application patrol to block use of a specific service but a few packet s still get through 550
- I configured policy routes to manage the bandwidth of tcp and udp traffic but the bandwidth management is not being applied properly 550
- A broadcast storm results when i turn on device ha 551
- Device ha is not working 551
- I cannot get the radius server to authenticate the nxc s default admin account 551
- The nxc fails to authentication the ext user user accounts i configured 551
- Device ha synchronization is not working for subscription services 552
- I cannot add the admin users to a user group with access users 552
- I cannot add the default admin account to a user group 552
- I cannot get a certificate to import into the nxc 552
- I cannot get the device ha synchronization to work 552
- Subscribe to services on the backup nxc before synchronizing it with the master nxc 552
- The schedule i configured is not being applied at the configured times 552
- I cannot access the nxc from a computer connected to the internet 553
- I uploaded a logo to display on the upper left corner of the web configurator login screen and access page but it does not display properly 553
- My file sharing ssl application object does not work 553
- Note be careful not to convert a binary file to text during the transfer process it is easy for this to occur since many programs use text files by default 553
- I can only see newer logs older logs are missing 554
- I cannot get the firmware uploaded using the commands 554
- I uploaded a logo to use as the screen or window background but it does not display properly 554
- Note exit or must follow sub commands if it is to make the nxc exit sub command mode 554
- The commands in my configuration file or shell script are not working properly 554
- The nxc s traffic throughput rate decreased after i started collecting traffic statistics 554
- My earlier packet capture files are missing 555
- My packet capture captured less than i wanted or failed 555
- Wireless 555
- Wireless clients cannot connect to an ap 555
- A wireless client cannot be authenticated through the captive portal 556
- The ap status is registered as offline even though it is on 556
- Wireless clients are not being load balanced among my aps 556
- Ap list page there is no load balancing indicator associated with any aps assigned to the load balancing task 557
- Getting more troubleshooting help 557
- Note this procedure removes the current configuration 557
- Resetting the nxc 557
- Hapter 559
- Product specifications 559
- Chapter 40 product specifications 560
- Features additional information 560
- Nxc5200 user s guide 560
- Table 207 product specifications continued 560
- Chapter 40 product specifications 561
- Features additional information 561
- Nxc5200 user s guide 561
- Plug regulatory and safety compliance 561
- Table 207 product specifications continued 561
- Table 208 system environmental specifications 561
- Chapter 40 product specifications 562
- Feature standards referenced 562
- Nxc5200 user s guide 562
- Table 209 standards referenced by features 562
- The following table lists many of the standards referenced by nxc features 562
- Chapter 40 product specifications 563
- Feature standards referenced 563
- Nxc5200 user s guide 563
- Table 209 standards referenced by features continued 563
- Log descriptions 565
- Ppendix 565
- Appendix a log descriptions 566
- Log message description 566
- Nxc5200 user s guide 566
- Table 212 blocked web site logs 566
- Appendix a log descriptions 567
- Log message description 567
- Nxc5200 user s guide 567
- Table 212 blocked web site logs continued 567
- Table 213 zysh logs 567
- The zysh logs deal with internal system errors 567
- Appendix a log descriptions 568
- Log message description 568
- Nxc5200 user s guide 568
- Table 213 zysh logs continued 568
- Appendix a log descriptions 569
- Log message description 569
- Nxc5200 user s guide 569
- Table 213 zysh logs continued 569
- Table 214 adp logs 569
- Appendix a log descriptions 570
- Log message description 570
- Nxc5200 user s guide 570
- Table 215 anti virus logs 570
- Appendix a log descriptions 571
- Log message description 571
- Nxc5200 user s guide 571
- Table 215 anti virus logs continued 571
- Appendix a log descriptions 572
- Log message description 572
- Nxc5200 user s guide 572
- Table 215 anti virus logs continued 572
- Appendix a log descriptions 573
- Log message description 573
- Nxc5200 user s guide 573
- Table 216 user logs 573
- Appendix a log descriptions 574
- Log message description 574
- Nxc5200 user s guide 574
- Table 216 user logs continued 574
- Table 217 myzyxel com logs 574
- Appendix a log descriptions 575
- Log message description 575
- Nxc5200 user s guide 575
- Table 217 myzyxel com logs continued 575
- Appendix a log descriptions 576
- Log message description 576
- Nxc5200 user s guide 576
- Table 217 myzyxel com logs continued 576
- Appendix a log descriptions 577
- Log message description 577
- Nxc5200 user s guide 577
- Table 217 myzyxel com logs continued 577
- Appendix a log descriptions 578
- Log message description 578
- Nxc5200 user s guide 578
- Table 217 myzyxel com logs continued 578
- Appendix a log descriptions 579
- Log message description 579
- Nxc5200 user s guide 579
- Table 217 myzyxel com logs continued 579
- Table 218 idp logs 579
- Appendix a log descriptions 580
- Log message description 580
- Nxc5200 user s guide 580
- Table 218 idp logs continued 580
- Appendix a log descriptions 581
- Log message description 581
- Nxc5200 user s guide 581
- Table 218 idp logs continued 581
- Appendix a log descriptions 582
- Log message description 582
- Nxc5200 user s guide 582
- Table 218 idp logs continued 582
- Appendix a log descriptions 583
- Log message description 583
- Message explanation 583
- Nxc5200 user s guide 583
- Table 218 idp logs continued 583
- Table 219 application patrol 583
- Appendix a log descriptions 584
- Message explanation 584
- Nxc5200 user s guide 584
- Table 219 application patrol continued 584
- Appendix a log descriptions 585
- Log message description 585
- Nxc5200 user s guide 585
- Table 220 firewall logs 585
- Table 221 sessions limit logs 585
- Appendix a log descriptions 586
- Log message description 586
- Nxc5200 user s guide 586
- Table 222 policy route logs 586
- Appendix a log descriptions 587
- Log message description 587
- Nxc5200 user s guide 587
- Table 222 policy route logs continued 587
- Table 223 built in services logs 587
- Appendix a log descriptions 588
- Log message description 588
- Nxc5200 user s guide 588
- Table 223 built in services logs continued 588
- Appendix a log descriptions 589
- Log message description 589
- Nxc5200 user s guide 589
- Table 223 built in services logs continued 589
- Appendix a log descriptions 590
- Log message description 590
- Nxc5200 user s guide 590
- Table 223 built in services logs continued 590
- Table 224 system logs 590
- Appendix a log descriptions 591
- Log message description 591
- Nxc5200 user s guide 591
- Table 224 system logs continued 591
- Appendix a log descriptions 592
- Log message description 592
- Nxc5200 user s guide 592
- Table 224 system logs continued 592
- Table 225 connectivity check logs 592
- Appendix a log descriptions 593
- Log message description 593
- Nxc5200 user s guide 593
- Table 225 connectivity check logs continued 593
- Appendix a log descriptions 594
- Log message description 594
- Nxc5200 user s guide 594
- Table 225 connectivity check logs continued 594
- Table 226 device ha logs 594
- Appendix a log descriptions 595
- Log message description 595
- Nxc5200 user s guide 595
- Table 226 device ha logs continued 595
- Appendix a log descriptions 596
- Log message description 596
- Nxc5200 user s guide 596
- Table 226 device ha logs continued 596
- Appendix a log descriptions 597
- Log message description 597
- Nxc5200 user s guide 597
- Table 227 nat logs 597
- Appendix a log descriptions 598
- Code description 598
- Log message description 598
- Nxc5200 user s guide 598
- Table 228 certificate path verification failure reason codes 598
- Table 229 interface logs 598
- Appendix a log descriptions 599
- Log message description 599
- Nxc5200 user s guide 599
- Table 229 interface logs continued 599
- Appendix a log descriptions 600
- Log message description 600
- Nxc5200 user s guide 600
- Table 229 interface logs continued 600
- Appendix a log descriptions 601
- Log message description 601
- Nxc5200 user s guide 601
- Table 229 interface logs continued 601
- Appendix a log descriptions 602
- Log message description 602
- Nxc5200 user s guide 602
- Table 229 interface logs continued 602
- Appendix a log descriptions 603
- Log message description 603
- Nxc5200 user s guide 603
- Table 230 wlan logs 603
- Appendix a log descriptions 604
- Log message description 604
- Nxc5200 user s guide 604
- Table 230 wlan logs continued 604
- Table 231 account logs 604
- Table 232 force authentication logs 604
- Appendix a log descriptions 605
- Log message description 605
- Nxc5200 user s guide 605
- Table 233 file manager logs 605
- Table 234 dhcp logs 605
- Appendix a log descriptions 606
- Log message description 606
- Nxc5200 user s guide 606
- Table 234 dhcp logs 606
- Table 235 e mail daily report logs 606
- Table 236 ip mac binding logs 606
- Appendix a log descriptions 607
- Log message description 607
- Nxc5200 user s guide 607
- Table 236 ip mac binding logs 607
- Table 237 capwap logs 607
- Appendix a log descriptions 608
- Log message description 608
- Nxc5200 user s guide 608
- Table 237 capwap logs 608
- Appendix a log descriptions 609
- Log message description 609
- Nxc5200 user s guide 609
- Table 237 capwap logs 609
- Table 238 capwap client logs 609
- Appendix a log descriptions 610
- Log message description 610
- Nxc5200 user s guide 610
- Table 238 capwap client logs 610
- Table 239 capwap data forward logs 610
- Appendix a log descriptions 611
- Log message description 611
- Nxc5200 user s guide 611
- Table 239 capwap data forward logs 611
- Table 240 ap load balancing logs 611
- Appendix a log descriptions 612
- Log message description 612
- Nxc5200 user s guide 612
- Table 241 rogue ap logs 612
- Table 242 wireless frame capture logs 612
- Table 243 dcs logs 612
- Common services 613
- Ppendix 613
- Appendix b common services 614
- Name protocol port s description 614
- Nxc5200 user s guide 614
- Table 244 commonly used services continued 614
- Appendix b common services 615
- Name protocol port s description 615
- Nxc5200 user s guide 615
- Table 244 commonly used services continued 615
- Appendix b common services 616
- Name protocol port s description 616
- Nxc5200 user s guide 616
- Table 244 commonly used services continued 616
- Displaying anti virus alert messages in windows 617
- Ppendix 617
- Windows xp 617
- Windows 2000 618
- Importing certificates 619
- Ppendix 619
- Internet explorer 620
- Installing a stand alone certificate file in internet explorer 624
- Removing a certificate in internet explorer 625
- Firefox 627
- Installing a stand alone certificate file in firefox 628
- Removing a certificate in firefox 630
- Ppendix 633
- Wireless lan topologies 633
- Wireless lans 633
- Figure 258 basic service set 634
- Channel 635
- Figure 259 infrastructure wlan 635
- Figure 260 rts cts 636
- Rts cts 636
- Fragmentation threshold 637
- Note enabling the rts threshold causes redundant network overhead that could negatively affect the throughput performance instead of providing a remedy 637
- Preamble type 637
- Ieee 802 1g wireless lan 638
- Note the wireless devices must use the same preamble mode in order to communicate 638
- Table 245 ieee 802 1g 638
- Table 246 wireless security levels 638
- Wireless security overview 638
- Ieee 802 x 639
- Note you must enable the same wireless security settings on the nxc and on all wireless clients that you want to associate with it 639
- Radius 639
- Types of radius messages 639
- Types of eap authentication 640
- Eap md5 message digest algorithm 5 641
- Eap tls transport layer security 641
- Eap ttls tunneled transport layer service 641
- Peap protected eap 641
- Appendix e wireless lans 642
- Dynamic wep key exchange 642
- Eap md5 eap tls eap ttls peap leap 642
- For added security certificate based authentications eap tls eap ttls and peap use dynamic keys for data encryption they are often deployed in corporate environments but for public deployment a simple user name and password pair is more practical the following table is a comparison of the features of authentication types 642
- If this feature is enabled it is not necessary to configure a default encryption key in the wireless security configuration screen you may still configure and store keys but they will not be used while dynamic wep is enabled 642
- Key differences between wpa or wpa2 and wep are improved data encryption and user authentication 642
- Leap lightweight extensible authentication protocol is a cisco implementation of ieee 802 x 642
- Note eap md5 cannot be used with dynamic wep key exchange 642
- Nxc5200 user s guide 642
- Table 247 comparison of eap authentication types 642
- The ap maps a unique key that is generated with the radius server this key expires when the wireless connection times out disconnects or reauthentication times out a new wep key is generated each time reauthentication is performed 642
- Wi fi protected access wpa is a subset of the ieee 802 1i standard wpa2 ieee 802 1i is a wireless security standard that defines stronger encryption authentication and key management than wpa 642
- Wpa and wpa2 642
- Encryption 643
- User authentication 644
- Wireless client wpa supplicants 644
- Wpa 2 with radius application example 644
- Figure 261 wpa 2 with radius application example 645
- Wpa 2 psk application example 645
- Appendix e wireless lans 646
- Authentication method key management protocol 646
- Encryptio n method 646
- Enter manual key ieee 802 x 646
- Figure 262 wpa 2 psk authentication 646
- Nxc5200 user s guide 646
- Refer to this table to see what other security parameters you should configure for each authentication method or key management protocol type mac address filters are not dependent on how you configure these security features 646
- Security parameters summary 646
- Table 248 wireless security relational matrix 646
- The ap and wireless clients use the tkip or aes encryption process the pmk and information exchanged in a handshake to create temporal encryption keys they use these keys to encrypt data exchanged between them 646
- Open software announcements 647
- Ppendix 647
- Appendix f open software announcements 648
- Nxc5200 user s guide 648
- Appendix f open software announcements 649
- Nxc5200 user s guide 649
- Appendix f open software announcements 650
- Nxc5200 user s guide 650
- Appendix f open software announcements 651
- Nxc5200 user s guide 651
- Appendix f open software announcements 652
- Nxc5200 user s guide 652
- Appendix f open software announcements 653
- Nxc5200 user s guide 653
- Appendix f open software announcements 654
- Nxc5200 user s guide 654
- Appendix f open software announcements 655
- Nxc5200 user s guide 655
- Appendix f open software announcements 656
- Nxc5200 user s guide 656
- Appendix f open software announcements 657
- Nxc5200 user s guide 657
- Appendix f open software announcements 658
- Nxc5200 user s guide 658
- Appendix f open software announcements 659
- Nxc5200 user s guide 659
- Appendix f open software announcements 660
- Nxc5200 user s guide 660
- Appendix f open software announcements 661
- Nxc5200 user s guide 661
- Appendix f open software announcements 662
- Nxc5200 user s guide 662
- Appendix f open software announcements 663
- Nxc5200 user s guide 663
- Appendix f open software announcements 664
- Nxc5200 user s guide 664
- Appendix f open software announcements 665
- Nxc5200 user s guide 665
- Appendix f open software announcements 666
- Nxc5200 user s guide 666
- Appendix f open software announcements 667
- Nxc5200 user s guide 667
- Appendix f open software announcements 668
- Nxc5200 user s guide 668
- Appendix f open software announcements 669
- Nxc5200 user s guide 669
- Appendix f open software announcements 670
- Nxc5200 user s guide 670
- Appendix f open software announcements 671
- Nxc5200 user s guide 671
- Appendix f open software announcements 672
- Nxc5200 user s guide 672
- Appendix f open software announcements 673
- Nxc5200 user s guide 673
- Appendix f open software announcements 674
- Nxc5200 user s guide 674
- Appendix f open software announcements 675
- Nxc5200 user s guide 675
- Appendix f open software announcements 676
- Nxc5200 user s guide 676
- Appendix f open software announcements 677
- Nxc5200 user s guide 677
- Appendix f open software announcements 678
- Nxc5200 user s guide 678
- Appendix f open software announcements 679
- Nxc5200 user s guide 679
- Appendix f open software announcements 680
- Nxc5200 user s guide 680
- Appendix f open software announcements 681
- Nxc5200 user s guide 681
- Appendix f open software announcements 682
- Nxc5200 user s guide 682
- Appendix f open software announcements 683
- Nxc5200 user s guide 683
- Appendix f open software announcements 684
- Nxc5200 user s guide 684
- Appendix f open software announcements 685
- Nxc5200 user s guide 685
- Appendix f open software announcements 686
- Nxc5200 user s guide 686
- Appendix f open software announcements 687
- Nxc5200 user s guide 687
- Appendix f open software announcements 688
- Nxc5200 user s guide 688
- Appendix f open software announcements 689
- Nxc5200 user s guide 689
- Appendix f open software announcements 690
- Nxc5200 user s guide 690
- Appendix f open software announcements 691
- Nxc5200 user s guide 691
- Appendix f open software announcements 692
- Nxc5200 user s guide 692
- Appendix f open software announcements 693
- Nxc5200 user s guide 693
- Appendix f open software announcements 694
- Nxc5200 user s guide 694
- Appendix f open software announcements 695
- Nxc5200 user s guide 695
- Appendix f open software announcements 696
- Nxc5200 user s guide 696
- Appendix f open software announcements 697
- Nxc5200 user s guide 697
- Appendix f open software announcements 698
- Nxc5200 user s guide 698
- Certifications 699
- Copyright 699
- Legal information 699
- Ppendix 699
- Ce mark warning 700
- Notices 700
- Taiwanese bsmi bureau of standards metrology and inspection a warning 700
- Viewing certifications 700
- Registration 701
- Zyxel limited warranty 701
- Nxc5200 user s guide 703
- Symbols 703
- Nxc5200 user s guide 704
- Nxc5200 user s guide 705
- Nxc5200 user s guide 706
- Nxc5200 user s guide 707
- Nxc5200 user s guide 708
- Nxc5200 user s guide 709
- Nxc5200 user s guide 710
- Nxc5200 user s guide 711
- Nxc5200 user s guide 712
- Nxc5200 user s guide 713
- Nxc5200 user s guide 714
- Nxc5200 user s guide 715
- Nxc5200 user s guide 716
- Nxc5200 user s guide 717
- Nxc5200 user s guide 718
Похожие устройства
- HP 1405-5g v2 switch, j9792a Инструкция по эксплуатации
- Zyxel NXC5200 Инструкция по установке
- Zyxel NXC5200 Рекомендации по настройке
- Zyxel NXC5200 Технические характеристики
- Zyxel NXC5200 Справочник командного интерфейса
- HP 1405-5 v2 switch, j9791a Инструкция по эксплуатации
- Zyxel NWA3000-N series Инструкция по эксплуатации
- Zyxel NWA3000-N series Технические характеристики
- HP probook 4540s, h5j04ea Инструкция по эксплуатации
- HP envy dv6-7263er, c5u12ea Инструкция по эксплуатации
- Zyxel NWA5123-NI Инструкция по эксплуатации
- Zyxel NWA5123-NI Инструкция по установке
- Zyxel NWA5123-NI Технические характеристики
- HP in-ear headphone h1000 Инструкция по эксплуатации
- HP probook 4540s, h4r27es Инструкция по эксплуатации
- Zyxel NWA5121-NI Инструкция по эксплуатации
- Zyxel NWA5121-NI Инструкция по установке
- Zyxel NWA5121-NI Технические характеристики
- HP webcam hd 2300 Инструкция по эксплуатации
- Zyxel NWA5121-N Инструкция по эксплуатации