Home » ZyXEL Manuals » Networking » ZyXEL Vantage CNM » Manual Viewer

ZyXEL Vantage CNM User Guide - Page 161

Device Operation > Device Configuration > Security > VPN > Global

Get ZyXEL Vantage CNM PDF manuals and user guides

Add to My Manuals
Save this manual to your list of manuals

Page 161 highlights

Chapter 6 Device Security Settings Table 55 Device Operation > Device Configuration > Security > VPN > Global Setting (continued) LABEL DESCRIPTION Gateway Domain This field is applicable when you enter a domain name to identify Name Update Timer the device and/or the remote secure gateway. Enter the time period (between 2 and 60 minutes) to wait before the device updates the domain name and IP address mapping through a DNS server. The device rebuilds the VPN tunnel if it finds that the domain name is now using a different IP address (any users of the VPN tunnel will be temporarily disconnected). VPN rules skip applying to the overlap range of local and remote IP addresses Enter 0 to disable this feature. When you configure a VPN rule, the device checks to make sure that the IP addresses in the local and remote networks do not overlap. Select Turn Off box to disable the check if you need to configure a VPN policy with overlapping local and remote IP addresses. Adjust TCP Maximum Segment Size IPSec MSS Apply Reset Note: If a VPN policy's local and remote IP addresses overlap, you may not be able to access the device on your LAN because the device automatically triggers a VPN tunnel to the remote device with the same IP address. The TCP packets are larger after the device encrypts them for VPN. The device fragments packets that are larger than a connection's MTU (Maximum Transmit Unit). In most cases you should leave this set to Auto. The device automatically sets the Maximum Segment Size (MSS) of the TCP packets that are to be encrypted by VPN based on the encapsulation type. Select Off to not adjust the MSS for the encrypted TCP packets. If your network environment causes fragmentation issues that are affecting your throughput performance, you can manually set a smaller MSS for the TCP packets that are to be encrypted by VPN. Select User Define, and specify a size in the IPSec MSS field. This field is enabled if Adjust TCP Maximum Segment Size is User Define. Specify the Maximum Segment Size (MSS) for the TCP packets that are to be encrypted by VPN. Specify a size from 0~1460 bytes. 0 has the device use the auto setting. Click this to save your changes back to the device. Click this to begin configuring this screen afresh. Vantage CNM User's Guide 161

Section	Page
Vantage CNM	1
About This User's Guide	3
Document Conventions	5
Contents Overview	7
Introducing Vantage CNM	21
1.1 Overview	21
1.2 Ways to Manage Vantage CNM	22
1.3 Suggestions for Using Vantage CNM	22
Introduction	23
GUI Introduction	25
2.1 Menu Bar	26
2.2 Title Bar	27
2.3 Device Window	27
2.3.1 Topology	27
2.3.2 Device Search	36
2.4 Navigation Panel and Configuration Window	37
2.5 Security Risk Pop-up Messages in Internet Explorer 7.0	41
Device Configuration (ZyNOS and Prestige)	45
Load or Save Building Blocks (BB)	47
3.1 Load or Save BB	47
Device General Settings	51
4.1 System	51
4.2 Time Setting	52
Device Network Settings	55
5.1 LAN (ZyNOS ZyWALL)	55
5.2 LAN (Prestige)	59
5.2.1 Static DHCP	62
5.2.2 IP Alias	63
5.3 WAN General (ZyNOS ZyWALL)	65
5.3.1 WAN1 (ZyNOS ZyWALL with one WAN port)	69
5.3.2 WAN1 and WAN2 (ZyNOS ZyWALL with two WAN ports)	78
5.3.3 WAN2 (ZyNOS ZyWALL with 3G WAN)	87
5.3.4 Dial Backup (ZyNOS ZyWALL)	96
5.3.5 Advanced Modem Setup (ZyNOS ZyWALL)	98
5.3.6 Edit Dial Backup (ZyNOS ZyWALL)	100
5.3.7 WAN Setup (Prestige)	102
5.3.8 WAN Backup (Prestige)	106
5.3.9 Advanced WAN Backup (Prestige)	109
5.3.10 Advanced Modem Setup (Prestige)	111
5.4 Wireless Card	112
5.4.1 Wireless and Wireless Security Settings	112
5.4.2 Advanced Wireless Security Settings	115
5.4.3 MAC Filter	121
Device Security Settings	123
6.1 Firewall	123
6.1.1 Default Rule	123
6.1.2 Rule Summary	126
6.1.3 Add/Edit a Rule	128
6.1.4 Anti-Probing	131
6.1.5 Threshold	132
6.1.6 Service	135
6.1.7 Add/Edit Service	135
6.2 VPN	137
6.3 IPSec High Availability	137
6.3.1 VPN Rules (IKE)	138
6.3.2 Add/Edit an IKE Gateway Policy	139
6.3.3 Add/Edit an IKE Network Policy	148
6.3.4 Move an IKE Network Policy	154
6.3.5 VPN Rules (Manual)	154
6.3.6 Add/Edit an Manual VPN Rule	157
6.3.7 VPN Global Setting	160
6.4 Anti-Virus	162
6.4.1 General Anti-Virus Setup	162
6.5 Anti-Spam	164
6.5.1 Anti-Spam General Screen	164
6.5.2 Anti-Spam External DB Screen	167
6.6 Anti-Spam Lists Screen	170
6.6.1 Anti-Spam Lists Edit Screen	171
6.7 IDP	174
6.8 General Setup	174
6.9 IDP Signatures	176
6.9.1 Attack Types	176
6.9.2 Intrusion Severity	178
6.9.3 Signature Actions	178
6.9.4 Configuring IDP Signatures	179
6.9.5 Query View	181
6.9.6 Protocol Anomaly	184
6.10 Signature Update	186
6.11 Content Filter	189
6.12 Content Filter General Screen	189
6.13 Content Filter Policy	193
6.13.1 Content Filter Policy: General	194
6.13.2 Content Filter Policy: External Database	197
6.13.3 Content Filter Policy: Customization	204
6.13.4 Content Filter Policy: Schedule	207
6.14 Content Filter Objects	208
6.15 Content Filtering Cache	210
6.16 X Auth	211
6.16.1 Local User Database	211
6.16.2 RADIUS	212
Device Advanced Settings	215
7.0.1 NAT	215
7.1 NAT	215
7.2 Port Forwarding	218
7.3 Address Mapping	219
7.3.1 Edit an Address Mapping Rule	221
7.4 Trigger Port	222
7.4.1 Edit a Trigger Port Rule	223
7.5 Static Route	224
7.6 Static Route	224
7.6.1 Edit a Static Route	226
7.7 DNS	227
7.8 Address Record	227
7.8.1 Add/Edit an Address Record	228
7.9 Name Server Record	229
7.9.1 Add/Edit a Name Server Record	230
7.10 Cache	232
7.11 DDNS	233
7.12 DHCP	235
7.13 Remote MGMT	236
7.14 Remote MGMT	236
Device Log	241
8.1 Device Log	241
Device Configuration (ZLD)	245
Device Network Settings	247
9.1 Ethernet (ZLD ZyWALL)	247
9.1.1 Ethernet Edit	248
9.1.2 Adding Virtual Interfaces	255
9.2 WLAN General	256
9.2.1 WLAN Add/Edit Screen	259
9.2.2 WLAN Add/Edit: WEP Security	265
9.2.3 WLAN Add/Edit: WPA-PSK/WPA2-PSK Security	266
9.2.4 WLAN Add/Edit: WPA/WPA2 Security	267
9.2.5 WLAN Interface MAC Filter	269
9.2.6 MAC Filter Add/Edit Screen	271
9.3 VLAN Summary Screen	272
9.3.1 VLAN Add/Edit	272
9.4 Bridge Summary	277
9.4.1 Bridge Add/Edit	278
9.5 PPPoE/PPTP Interface Summary	283
9.5.1 PPPoE/PPTP Interface Edit	284
9.6 Auxiliary Interface	290
9.7 The Trunk Summary Screen	292
9.8 Configuring a Trunk	294
9.8.1 The Trunk Member List Screen	297
9.9 Interface Summary Screen	298
9.10 Policy Route Screen	300
9.10.1 Policy Route Edit Screen	303
9.11 IP Static Route Screen	306
9.11.1 Static Route Add/Edit Screen	307
9.12 The RIP Screen	308
9.13 The OSPF Screen	310
9.13.1 The OSPF Area Add/Edit Screen	312
Firewall	315
10.1 The Firewall Screen	315
10.1.1 The Firewall Edit Screen	318
10.2 The Session Limit Screen	319
10.2.1 The Session Limit Add/Edit Screen	321
IPSec VPN	323
11.1 The IPSec VPN Connection Screen	323
11.1.1 The IPSec VPN Connection Add/Edit Screen	325
11.1.2 IPSec VPN Connection Add/Edit (Manual Key)	331
11.2 The VPN Gateway Screen	335
11.2.1 The VPN Gateway Add/Edit Screen	336
11.3 The VPN Concentrator Screen	343
11.3.1 The VPN Concentrator Add/Edit Screen	345
SSL VPN	347
12.1 Overview	347
12.2 The SSL Access Privilege Screen	347
12.2.1 The SSL Access Policy Add/Edit Screen	349
12.3 The SSL Global Setting Screen	351
L2TP VPN	353
13.1 Overview	353
13.2 L2TP VPN Screen	353
Object	357
14.1 User Summary Screen	357
14.1.1 User Add/Edit Screen	358
14.2 User Group Summary Screen	360
14.2.1 Group Add/Edit Screen	361
14.3 Setting Screen	362
14.3.1 Default User Authentication Timeout Settings Edit Screens	366
14.3.2 Force User Authentication Policy Add/Edit Screen	368
14.4 Address Summary Screen	369
14.4.1 Address Add/Edit Screen	370
14.4.2 Address Group Summary Screen	371
14.4.3 Address Group Add/Edit Screen	373
14.5 The Service Summary Screen	374
14.5.1 The Service Add/Edit Screen	375
14.6 The Service Group Summary Screen	376
14.6.1 The Service Group Add/Edit Screen	378
14.7 The Schedule Summary Screen	379
14.7.1 The One-Time Schedule Add/Edit Screen	380
14.7.2 The Recurring Schedule Add/Edit Screen	381
AAA	385
15.1 Configuring Active Directory or LDAP Default Server Settings	385
15.2 Active Directory or LDAP Group Summary Screen	386
15.2.1 Creating an Active Directory or LDAP Group	388
15.3 Configuring a Default RADIUS Server	390
15.3.1 Configuring a Group of RADIUS Servers	391
15.3.2 Adding a RADIUS Server Member	392
15.4 Viewing Authentication Method Objects	393
15.5 Creating an Authentication Method Object	394
15.6 The My Certificates Screen	396
15.7 ISP Account Summary	397
15.7.1 ISP Account Edit	398
15.8 The SSL Application Screen	400
15.8.1 Creating/Editing a Web-based SSL Application Object	401
15.8.2 Creating/Editing a File Sharing SSL Application Object	403
Maintenance	405
16.1 Edit Remote Server Log Settings	405
Configuration, Firmware and Licence Management	407
Configuration Management	409
17.1 Synchronization (Device)	409
17.2 Synchronization (Folder)	411
17.3 Configuration File Management	412
17.3.1 Backup & Restore (Device)	413
17.3.2 Backup a Device	414
17.3.3 Backup & Restore (Folder)	415
17.3.4 Group Backup (Folder)	416
17.3.5 Group Restore (Folder)	418
17.4 Schedule List (Device)	419
17.5 Schedule List (Folder)	420
17.5.1 Add/Edit Schedule List (Folder)	421
17.6 Signature Profile Management	423
17.6.1 Signature Profile Backup & Restore (Device)	423
17.6.2 Signature Profile Backup & Restore (Folder)	425
17.6.3 Signature Profile Restore (Folder)	427
17.6.4 Restore to Device	429
17.6.5 Signature Profile Backup (Device)	430
17.6.6 Reset to Factory	431
17.7 Configuration Building Block	431
17.8 Add/Edit a Configuration BB	433
17.8.1 Create a Schedule Configuration BB (ZLD)	436
17.8.2 Create a User Configuration BB (ZLD)	437
17.8.3 Create an Address Configuration BB (ZLD)	439
17.8.4 Create a Service Configuration BB (ZLD)	440
17.9 Component BB	441
17.10 Add/Edit/Save as a Component BB	443
17.11 ZLD Firewall Rule Group Configuration	443
17.12 Add/Edit a Firewall Rule Group	444
Firmware Management	449
18.1 Firmware List	449
18.1.1 Add Firmware	450
18.2 Scheduler List	451
18.3 Firmware Upgrade	451
18.3.1 Firmware Upgrade (Folder)	452
18.3.2 Firmware Upgrade (Device)	453
18.3.3 Firmware Upgrade (Device) > Upgrade	453
License Management	457
19.1 Service Activation	457
19.1.1 Registration	457
19.1.2 Service	460
19.2 License Status	462
19.2.1 Activate/Upgrade License	465
19.3 License Status (Folder)	466
19.4 Signature Status (Device)	469
19.5 Signature Status (Folder)	471
VPN Management	473
VPN Community	475
20.1 VPN Community	475
20.1.1 Add/Edit a VPN Community	476
Installation Report	483
21.1 Installation Report	483
21.1.1 Show Detailed Installation Reportl	484
VPN Monitor	485
22.1 Monitor VPN by Community	485
22.1.1 Show Detailed VPN Community	486
22.1.2 VPN Tunnel Diagnostics	487
22.2 Monitor VPN by Device	489
22.2.1 VPN Tunnel Status	489
22.2.2 Search VPN Tunnels	490
22.2.3 SA Monitor	491
Monitor	493
Device Status Monitor	495
23.1 Device Status	495
3G Monitor	497
24.1 Summary	498
24.1.1 Show Detail	500
24.2 Availability Report	509
24.3 Radio Report	513
24.4 Traffic Report	518
24.5 Alert Report	519
24.6 Monitor Setting	523
24.6.1 Notification Setting	523
24.6.2 Notification	524
24.6.3 Monitor Interval	526
Device HA Status Monitor	527
25.1 Device HA Status	527
Device Alarm	529
26.1 Device Alarm Introduction	529
26.1.1 Alarm Severity	529
26.1.2 Unresolved Alarms	529
26.1.3 Responded Alarm	532
Log & Report	535
Device Operation Report	537
27.1 Firmware Upgrade Report	537
27.1.1 Firmware Report Details	538
27.2 Configuration Report	540
27.2.1 Configuration Report Details	542
27.3 Configuration File Backup Report	543
27.3.1 Configuration File Backup Report Details	545
27.4 Configuration File Restore Report	546
27.5 Signature Profile Backup Report	548
27.6 Signature Profile Restore Report	549
CNM Logs	553
28.1 Vantage CNM Logs	553
28.1.1 CNM Logs	553
VRPT	555
29.1 Vantage Report Overview	555
29.2 Vantage Report in Vantage CNM	556
29.3 Setting Up Vantage Report in Vantage CNM	556
29.4 Opening Vantage Report in Vantage CNM	557
CNM System Setting	559
CNM System Setting	561
30.1 Servers Configuration	561
30.1.1 Vantage CNM Server Public IP Address	563
30.2 Servers Status	564
30.3 User Access	565
30.4 Notifications	566
30.4.1 Notifications Settings	567
30.5 Log Setting	569
30.6 VRPT Management	571
30.6.1 Add/Edit VRPT Management	573
30.7 Certificate Management Overview	574
30.7.1 Advantages of Certificates	575
30.7.2 Current Certificate Information	576
30.7.3 Create CSR	577
30.7.4 Import Certificate	578
Maintenance	581
31.1 System Maintenance	581
31.1.1 Backup	582
31.2 Device Maintenance	583
Device Owner	585
32.1 Device Owner	585
32.1.1 Add/Edit a Device Owner	586
Vantage CNM Software Upgrade	587
33.1 CNM Software Upgrade	587
License	589
34.1 CNM Licence	589
34.1.1 License Upgrade	590
About CNM	591
35.1 About CNM	591
Account Management	593
User Group	595
36.1 Group	595
36.1.1 Add User Group	596
Account	599
37.1 “Root” Administrator	599
37.2 “Super” Administrators	599
37.3 Account	600
37.3.1 Add/Edit an Administrator Account	601
Troubleshooting	603
Troubleshooting	605
38.1 Vantage CNM Access and Login	605
38.2 Device Management	606
38.3 Device Firmware Management	606
38.4 Vantage Report	607
Appendices and Index	609
Product Specifications	611
Setting up Your Computer’s IP Address	617
Pop-up Windows, Java Scripts and Java Permissions	635
IP Addresses and Subnetting	643
IP Address Assignment Conflicts	653
Common Services	657
Importing Certificates	661
Open Software Announcements	667
Legal Information	695

Match case Limit results 1 per page

Chapter 6 Device Security Settings

Vantage CNM User’s Guide

161

Gateway Domain

Name Update Timer

This field is applicable when you enter a domain name to identify

the device and/or the remote secure gateway.

Enter the time period (between 2 and 60 minutes) to wait before

the device updates the domain name and IP address mapping

through a DNS server. The device rebuilds the VPN tunnel if it finds

that the domain name is now using a different IP address (any

users of the VPN tunnel will be temporarily disconnected).

Enter

to disable this feature.

VPN rules skip

applying to the

overlap range of

local and remote IP

addresses

When you configure a VPN rule, the device checks to make sure

that the IP addresses in the local and remote networks do not

overlap. Select

Turn Off

box to disable the check if you need to

configure a VPN policy with overlapping local and remote IP

addresses.

Note: If a VPN policy’s local and remote IP addresses overlap,

you may not be able to access the device on your LAN

because the device automatically triggers a VPN tunnel

to the remote device with the same IP address.

Adjust TCP

Maximum Segment

Size

The TCP packets are larger after the device encrypts them for VPN.

The device fragments packets that are larger than a connection’s

MTU (Maximum Transmit Unit).

In most cases you should leave this set to

Auto

. The device

automatically sets the Maximum Segment Size (MSS) of the TCP

packets that are to be encrypted by VPN based on the

encapsulation type.

Select

Off

to not adjust the MSS for the encrypted TCP packets.

If your network environment causes fragmentation issues that are

affecting your throughput performance, you can manually set a

smaller MSS for the TCP packets that are to be encrypted by VPN.

Select

User Define

, and specify a size in the

IPSec MSS

field.

IPSec MSS

This field is enabled if

Adjust TCP Maximum Segment Size

User Define

Specify the Maximum Segment Size (MSS) for the TCP packets that

are to be encrypted by VPN. Specify a size from 0~1460 bytes. 0

has the device use the auto setting.

Apply

Click this to save your changes back to the device.

Reset

Click this to begin configuring this screen afresh.

Table 55

Device Operation > Device Configuration > Security > VPN > Global

Setting (continued)

LABEL

DESCRIPTION