Home » ZyXEL Manuals » Wireless » ZyXEL NXC2500 » Manual Viewer

ZyXEL NXC2500 User Guide - Page 230

Stateful Inspection, Zones, Default Firewall Behavior, To-NXC Rules

Add to My Manuals
Save this manual to your list of manuals

Page 230 highlights

CHAPTER 17 Firewall 17.1 Overview Use the firewall to block or allow services that use static port numbers. The firewall can also limit the number of user sessions. 17.1.1 What You Can Do in this Chapter • The Firewall screens (Section 17.2 on page 232) enable or disable the firewall and asymmetrical routes, and manage and configure firewall rules. • The Session Control screens (Section 17.3 on page 235) limit the number of concurrent NAT/firewall sessions a client can use. 17.1.2 What You Need to Know The following terms and concepts may help as you read this chapter. Stateful Inspection The NXC has a stateful inspection firewall. The NXC restricts access by screening data packets against defined access rules. It also inspects sessions. For example, traffic from one zone is not allowed unless it is initiated by a computer in another zone first. Zones A zone is a group of interfaces. Group the NXC's interfaces into different zones based on your needs. You can configure firewall rules for data passing between zones or even between interfaces in a zone. Default Firewall Behavior Firewall rules are grouped based on the direction of travel of packets to which they apply. Here is the default firewall behavior for traffic going through the NXC in various directions. Table 104 Default Firewall Behavior FROM ZONE TO ZONE BEHAVIOR From ANY to ANY Traffic that does not match any firewall rule is allowed. So for example, LAN to WAN, LAN to DMZ, and LAN to WLAN traffic is allowed. This also includes traffic to or from interfaces that are not assigned to a zone (extra-zone traffic). To-NXC Rules Rules with EnterpriseWLAN as the To Zone apply to traffic going to the NXC itself. By default: NXC Series User's Guide 230

Section	Page
NXC Series	1
Document Conventions	3
Contents Overview	4
Table of Contents	6
User’s Guide	18
Introduction	19
1.1 Overview	19
1.2 Zones, Interfaces, and Physical Ports	19
1.2.1 Interface Types	20
1.2.2 Interface and Zone Configuration	20
1.3 Applications	21
1.3.1 AP Management	21
1.3.2 Wireless Security	21
1.3.3 Captive Portal	21
1.3.4 Load Balancing	22
1.3.5 Dynamic Channel Selection	22
1.3.6 User-Aware Access Control	22
1.4 Management Overview	23
1.5 Object-based Configuration	23
1.6 Starting and Stopping the NXC	24
Hardware Installation and Connection	25
2.1 Overview	25
2.2 Desktop Installation Procedure	25
2.3 Rack-mounted Installation	26
2.3.1 Rack-Mounted Installation Procedure	26
2.4 Wall-mounting	27
2.5 Front Panel	28
2.5.1 NXC2500	28
2.5.2 NXC5500	28
2.5.3 Front Panel LEDs	30
2.6 Rear Panel	31
The Web Configurator	33
3.1 Overview	33
3.2 Access	33
3.3 The Main Screen	34
3.3.1 Title Bar	35
3.3.2 Navigation Panel	38
3.3.3 Warning Messages	43
3.3.4 Tables and Lists	43
Setup Wizard	47
4.1 Accessing the Wizard	47
4.2 Using the Wizard	47
4.2.1 Step 1 Password and Time Settings	47
4.2.2 Step 2 Uplink Connection and Management VLAN	48
4.2.3 Step 3 VLAN Settings	49
4.2.4 Step 4 SSID	52
4.2.5 Step 5 Radio	54
4.2.6 Summary	55
Technical Reference	57
Dashboard	58
5.1 Overview	58
5.1.1 What You Can Do in this Chapter	58
5.2 Dashboard	59
5.2.1 CPU Usage	63
5.2.2 Memory Usage	63
5.2.3 Session Usage	64
5.2.4 DHCP Table	64
5.2.5 Number of Login Users	66
5.2.6 AP Status	66
5.2.7 Station Traffic	68
Monitor	69
6.1 Overview	69
6.1.1 What You Can Do in this Chapter	69
6.2 What You Need to Know	70
6.3 Port Statistics	71
6.3.1 Port Statistics Graph	72
6.4 Interface Status	73
6.5 Traffic Statistics	75
6.6 Session Monitor	78
6.7 IP/MAC Binding Monitor	80
6.8 Login Users	81
6.8.1 Dynamic Guest	82
6.8.2 Trusted MAC Address List	83
6.9 USB Storage	84
6.10 Ethernet Neighbor	85
6.11 AP List	86
6.11.1 Station Count of AP	90
6.11.2 Edit AP List	92
6.12 Radio List	102
6.12.1 AP Mode Radio Information	103
6.13 ZyMesh Link Info	105
6.14 SSID Info	106
6.15 Station List	107
6.16 Detected Device	109
6.17 View Log	111
6.18 View AP Log	113
Registration	116
7.1 Overview	116
7.1.1 What You Can Do in this Chapter	116
7.1.2 What you Need to Know	116
7.2 Registration	117
7.3 Service	117
Wireless	119
8.1 Overview	119
8.1.1 What You Can Do in this Chapter	119
8.1.2 What You Need to Know	119
8.2 Controller	120
8.3 AP Management	120
8.3.1 Mgmt. AP List	121
8.3.2 AP Policy	130
8.3.3 AP Group	131
8.3.4 Firmware	138
8.4 Rogue AP	140
8.4.1 Add/Edit Rogue/Friendly List	142
8.5 Auto Healing	142
8.6 Technical Reference	143
8.6.1 Dynamic Channel Selection	143
8.6.2 Load Balancing	144
8.6.3 Disassociating and Delaying Connections	145
Interfaces	147
9.1 Interface Overview	147
9.1.1 What You Can Do in this Chapter	147
9.1.2 What You Need to Know	147
9.2 Ethernet Summary	148
9.2.1 Edit Ethernet	149
9.2.2 Object References	156
9.2.3 Add DHCPv6 Request Options	156
9.2.4 Add/Edit DHCP Extended Options	157
9.3 VLAN Interfaces	159
9.3.1 VLAN Summary	160
9.3.2 Add/Edit VLAN	161
9.4 LAG	167
9.4.1 LAG Summary Screen	167
9.4.2 LAG Add/Edit	168
9.5 Technical Reference	174
Policy and Static Routes	177
10.1 Overview	177
10.1.1 What You Can Do in this Chapter	177
10.1.2 What You Need to Know	177
10.2 Policy Route	178
10.2.1 Add/Edit Policy Route	180
10.3 Static Route	183
10.3.1 Static Route Setting	184
10.4 Technical Reference	184
Zones	186
11.1 Overview	186
11.1.1 What You Can Do in this Chapter	186
11.1.2 What You Need to Know	186
11.2 Zone	187
11.2.1 Add/Edit Zone	187
NAT	189
12.1 Overview	189
12.1.1 What You Can Do in this Chapter	189
12.2 NAT Summary	189
12.2.1 Add/Edit NAT	190
12.3 Technical Reference	193
ALG	196
13.1 Overview	196
13.1.1 What You Can Do in this Chapter	196
13.1.2 What You Need to Know	196
13.1.3 Before You Begin	196
13.2 ALG	196
13.3 Technical Reference	197
IP/MAC Binding	198
14.1 Overview	198
14.1.1 What You Can Do in this Chapter	198
14.1.2 What You Need to Know	198
14.2 IP/MAC Binding Summary	199
14.2.1 Edit IP/MAC Binding	200
14.2.2 Add/Edit Static DHCP Rule	201
14.3 IP/MAC Binding Exempt List	201
Captive Portal	203
15.1 Overview	203
15.1.1 Captive Portal Type	203
15.1.2 What You Can Do in this Chapter	204
15.2 Captive Portal	204
15.2.1 Add Exceptional Services	206
15.3 Custom Captive Portal	207
15.3.1 Add Customized Page	208
15.3.2 Custom Login and Access Pages	211
15.3.3 External or Uploaded Web Portal Details	213
15.4 Redirect on Controller	216
15.4.1 Auth. Policy Add/Edit	217
15.5 Redirect on AP	221
15.5.1 Auth. Policy Group Add/Edit	223
15.5.2 Auth. Policy Add/Edit	224
RTLS	227
16.1 Overview	227
16.1.1 What You Can Do in this Chapter	227
16.2 Before You Begin	228
16.3 Configuring RTLS	228
Firewall	230
17.1 Overview	230
17.1.1 What You Can Do in this Chapter	230
17.1.2 What You Need to Know	230
17.2 Firewall	232
17.2.1 Add/Edit Firewall Screen	234
17.3 Session Control	235
17.3.1 Add/Edit Session Limit	236
User/Group	238
18.1 Overview	238
18.1.1 What You Can Do in this Chapter	238
18.1.2 What You Need To Know	238
18.2 User Summary	240
18.2.1 Add/Edit User	241
18.3 Group Summary	244
18.3.1 Add/Edit Group	245
18.4 Setting	246
18.4.1 Edit User Authentication Timeout Settings	250
18.4.2 Add/Edit Dynamic Guest Group	251
18.4.3 User Aware Login Example	251
18.4.4 Guest Manager Login Example	252
18.5 MAC Address	255
18.5.1 Add/Edit MAC Address	256
AP Profile	257
19.1 Overview	257
19.1.1 What You Can Do in this Chapter	257
19.1.2 What You Need To Know	257
19.2 Radio	258
19.2.1 Add/Edit Radio Profile	259
19.3 SSID	265
19.3.1 SSID List	265
19.3.2 Security List	270
19.3.3 MAC Filter List	275
19.3.4 Layer-2 Isolation List	277
MON Profile	279
20.1 Overview	279
20.1.1 What You Can Do in this Chapter	279
20.1.2 What You Need To Know	279
20.2 MON Profile	279
20.2.1 Add/Edit MON Profile	280
20.3 Technical Reference	282
ZyMesh Profile	284
21.1 Overview	284
21.1.1 What You Can Do in this Chapter	285
21.2 ZyMesh Profile	285
21.2.1 Add/Edit ZyMesh Profile	287
Addresses	288
22.1 Overview	288
22.1.1 What You Can Do in this Chapter	288
22.1.2 What You Need To Know	288
22.2 Address Summary	288
22.2.1 Add/Edit Address	289
22.3 Address Group Summary	290
22.3.1 Add/Edit Address Group Rule	291
Services	293
23.1 Overview	293
23.1.1 What You Can Do in this Chapter	293
23.1.2 What You Need to Know	293
23.2 Service Summary	294
23.2.1 Add/Edit Service Rule	295
23.3 Service Group Summary	296
23.3.1 Add/Edit Service Group Rule	296
Schedules	298
24.1 Overview	298
24.1.1 What You Can Do in this Chapter	298
24.1.2 What You Need to Know	298
24.2 Schedule Summary	298
24.2.1 Add/Edit Schedule One-Time Rule	300
24.2.2 Add/Edit Schedule Recurring Rule	301
AAA Server	302
25.1 Overview	302
25.1.1 What You Can Do in this Chapter	302
25.1.2 What You Need To Know	302
25.2 Active Directory / LDAP	305
25.2.1 Add/Edit Active Directory / LDAP Server	306
25.3 RADIUS	309
25.3.1 Add/Edit RADIUS	309
Authentication Method	313
26.1 Overview	313
26.1.1 What You Can Do in this Chapter	313
26.1.2 Before You Begin	313
26.2 Authentication Method	313
26.2.1 Add Authentication Method	314
Certificates	316
27.1 Overview	316
27.1.1 What You Can Do in this Chapter	316
27.1.2 What You Need to Know	316
27.1.3 Verifying a Certificate	318
27.2 My Certificates	319
27.2.1 Adding My Certificates	320
27.2.2 Editing My Certificates	322
27.2.3 Importing Certificates	324
27.3 Trusted Certificates	325
27.3.1 Editing Trusted Certificates	327
27.3.2 Importing Trusted Certificates	329
27.4 Technical Reference	330
DHCPv6	331
28.1 Overview	331
28.1.1 What You Can Do in this Chapter	331
28.2 DHCPv6 Request	331
28.2.1 Add/Edit DHCPv6 Request Object	332
System	333
29.1 Overview	333
29.1.1 What You Can Do in this Chapter	333
29.2 Host Name	333
29.3 USB Storage	334
29.4 Date and Time	335
29.4.1 Pre-defined NTP Time Servers List	338
29.4.2 Time Server Synchronization	338
29.5 Console Speed	339
29.6 DNS Overview	340
29.6.1 DNS Server Address Assignment	340
29.6.2 Configuring the DNS Screen	340
29.6.3 Address Record	342
29.6.4 PTR Record	342
29.6.5 Adding an Address/PTR Record	342
29.6.6 Domain Zone Forwarder	343
29.6.7 Add Domain Zone Forwarder	343
29.6.8 MX Record	344
29.6.9 Add MX Record	344
29.6.10 Add Service Control	345
29.7 WWW Overview	345
29.7.1 Service Access Limitations	346
29.7.2 System Timeout	346
29.7.3 HTTPS	346
29.7.4 Configuring WWW Service Control	347
29.7.5 Service Control Rules	350
29.7.6 HTTPS Example	351
29.7.7 Mozilla Firefox Warning Messages	352
29.7.8 Google Chrome Warning Messages	353
29.8 SSH	360
29.8.1 How SSH Works	361
29.8.2 SSH Implementation on the NXC	362
29.8.3 Requirements for Using SSH	362
29.8.4 Configuring SSH	362
29.8.5 Examples of Secure Telnet Using SSH	363
29.9 Telnet	364
29.10 FTP	366
29.11 SNMP	367
29.11.1 Supported MIBs	368
29.11.2 SNMP Traps	368
29.11.3 Configuring SNMP	369
29.11.4 Adding or Editing an SNMPv3 User Profile	370
29.12 Authentication Server	371
29.12.1 Add/Edit Trusted Client	372
29.13 Language	373
29.14 IPv6	374
Log and Report	375
30.1 Overview	375
30.1.1 What You Can Do In this Chapter	375
30.2 Email Daily Report	375
30.3 Log Settings	377
30.3.1 Log Settings Summary	378
30.3.2 Editing System Log Settings	380
30.3.3 Editing USB Storage Log Settings	383
30.3.4 Editing Remote Server Log Settings	384
30.3.5 Log Category Settings	386
File Manager	390
31.1 Overview	390
31.1.1 What You Can Do in this Chapter	390
31.1.2 What you Need to Know	390
31.2 Configuration File	392
31.3 Firmware Package	396
31.4 Shell Script	398
Diagnostics	401
32.1 Overview	401
32.1.1 What You Can Do in this Chapter	401
32.2 Diagnostics	401
32.2.1 Diagnostics - AP Configuration	402
32.2.2 Diagnostics Files	404
32.3 Packet Capture	405
32.3.1 Packet Capture on AP	408
32.3.2 Packet Capture Files	411
32.3.3 Example of Viewing a Packet Capture File	412
32.4 Core Dump	413
32.4.1 Core Dump Files	413
32.5 System Log	414
32.6 Wireless Frame Capture	415
32.6.1 Wireless Frame Capture Files	417
Packet Flow Explore	418
33.1 Overview	418
33.1.1 What You Can Do in this Chapter	418
33.2 The Routing Status Screen	418
33.3 The SNAT Status Screen	421
Reboot	424
34.1 Overview	424
34.1.1 What You Need To Know	424
34.2 Reboot	424
Shutdown	425
35.1 Overview	425
35.1.1 What You Need To Know	425
35.2 Shutdown	425
Appendices and Troubleshooting	426
Troubleshooting	427
36.1 Overview	427
36.1.1 General	427
36.1.2 Wireless	432
36.2 Resetting the NXC	434
36.3 Getting More Troubleshooting Help	435
Log Descriptions	436
Common Services	463
Importing Certificates	466
Wireless LANs	490
IPv6	502
Customer Support	510
Legal Information	516