ADMINISTRATION GUIDE Cisco Small Business ISA500 Series Integrated Security Appliance
Cisco and the Cisco Logo are trademarks of Cisco Systems, Inc. and/or its affiliates in the U.S. and other countries. A listing of Cisco's trademarks can be found at www.cisco.com/go/trademarks. Third party trademarks mentioned are the property of their respective owners. The use of the word partner does not imply a partnership relationship between Cisco and any other company. (1005R) © 2011 Cisco Systems, Inc. All rights reserved.
Federal Communication Commission Interference Statement (For ISA570 and ISA570W) This equipment has been tested and found to comply with the limits for a Class A digital device, pursuant to Part 15 of the FCC Rules. These limits are designed to provide reasonable protection against harmful interference when the equipment is operated in a commercial environment.
This device complies with Industry Canada RSS-210 for licence-exempt radio apparatus. Operation is subject to the following two conditions: (1) this device may not cause harmful interference, and (2) this device must accept any interference received, including interference that may cause undesired operation.
D) Circuit Overloading - Consideration should be given to the connection of the equipment to the supply circuit and the effect that overloading of the circuits might have on overcurrent protection and supply wiring. Appropriate consideration of equipment nameplate ratings should be used when addressing this concern.
OL-23370-01
Contents Chapter 1: Getting Started 12 Introduction 12 Feature Overview 13 Device Overview 14 Front Panel 14 Back Panel 17 Installation 18 Before You Begin 19 Installation Options 19 Placement Tips 19 Wall Mounting 20 Rack Mounting 21 Hardware Installation 22 Getting Started with the Configuration Utility 23 Launching the Configuration Utility 23 Navigating Through the Configuration Utility 24 Using the Help System 25 Using the Management Buttons 25 About the Default Set
Contents Using the DMZ Wizard to Configure the DMZ Settings 46 Using the DMZ Wizard to Configure the DMZ Settings 47 Configuring the DMZ 48 Configuring the DMZ Services 49 Using the Dual WAN Wizard to Configure the WAN Redundancy Settings 51 Using the Site-to-Site Wizard to Establish the Site-to-Site VPN Tunnels 53 Using the Site-to-Site Wizard to Establish the Site-to-Site VPN tunnel 53 Configuring the IKE Policies 55 Configuring the Transform Policies 57 Using the Remote Access Wizard t
Contents Web Security Blocked Report 88 Anti-Virus Report 88 Email Security Report 89 Network Reputation Report 90 IPS Policy Protocol Inspection Report 90 IM and P2P Blocking Report 91 Process Status 92 Resource Utilization 92 Chapter 4: Networking 94 Configuring IP Routing Mode 95 Port Management 95 Viewing the Status of Physical Interfaces 95 Configuring the Physical Interfaces 96 Configuring 802.
Contents Configuring the Zones Configuring the Routing 129 130 Configuring the Routing Mode 131 Viewing the Routing Table 131 Configuring the Static Routing 132 Configuring the Dynamic Routing 133 Configuring Policy-based Routing Settings 134 Priority of Routing Rules 136 Dynamic DNS 136 IGMP 138 VRRP 139 Configuring the Quality of Service 140 General QoS Settings 141 Configuring the WAN QoS 141 Managing the WAN Bandwidth for Upstream Traffic 142 Configuring the WAN Queue Settin
Contents Configuring the Group Services Chapter 5: Wireless Configuration for ISA550W and ISA570W 155 157 Configuring the Radio Settings 157 Basic Radio Settings 158 Advanced Radio Settings 160 Configuring the Access Points 162 Configuring the Security Mode 162 Controlling the Wireless Access Based on MAC Addresses 169 Mapping the SSID to VLAN 170 Configuring the SSID Schedule 171 Configuring Wi-Fi Protected Setup 172 Configuring Wireless Rogue AP Detection 173 Configuring Wireless
Contents Priorities of NAT Rules 200 Configuring the Session Settings 200 Configuring the Content Filtering to Control Access to Internet 201 Configuring the Content Filtering Policy Profiles 201 Configuring the Website Access Control List 203 Mapping the Content Filtering Policy Profiles to Zones 204 Configuring Advanced Settings 204 Configuring the MAC Filtering to Permit or Block Traffic 205 Configuring the IP/MAC Binding to Prevent Spoofing 206 Configuring the Attack Protection 207
Contents Configuring Advanced Web URL Filter Settings 229 Web Reputation Filter 230 Network Reputation 231 Chapter 8: VPN 232 About VPN 232 Configuring the Cisco IPSec VPN Server 233 Cisco VPN Client Compatibility 234 Configuring the Group Policies for Cisco IPSec VPN Server 235 Configuring the Cisco IPSec VPN Client 238 Restrictions for Cisco IPSec VPN Client 239 Benefits of the Cisco IPSec VPN Client Feature 239 Modes of Operation 240 Client Mode 240 Network Extension Mode 241
Contents Configuring the VPN Passthrough 268 Viewing the VPN Status 268 Monitoring the IPSec VPN Status 269 Monitoring the SSL VPN Status 270 Chapter 9: User Management About the Users and Groups 273 273 Available Services for User Groups 273 Default User and Group 274 Preempt the Administrators 274 Configuring the Users and Groups 275 Configuring Local Users 275 Configuring Local User Groups 276 Configuring the User Authentication Settings 277 Authentication Methods for User Login
Contents Reverting to the Factory Default Settings Firmware Management 296 297 Viewing the Firmware Information 297 Checking for New Firmwares 298 Upgrading the Firmware 299 Using the Secondary Firmware 300 Firmware Auto Fall Back Mechanism 301 Using the Rescue Mode to Recover the System 302 Rebooting the Security Appliance 302 Log Management 302 Configuring the Log Settings 303 Configuring the Log Facilities 305 Viewing the Logs 306 Managing the Security License 307 Checking the
Contents Diagnosing the Device 324 Ping 325 Tracert 325 DNS Lookup 326 Packet Capture 326 System Diagnostics 327 Measuring and Limiting Traffic with the Traffic Meter 328 Configuring the ViewMaster 330 Configuring the CCO Account 331 Configuring the Device Properties 332 Configuring the Debug Settings 332 Appendix A: Troubleshooting 333 Internet Connection 333 Date and Time 336 Pinging to Test LAN Connectivity 337 Testing the LAN Path from Your PC to Your Security Appliance 3
Contents Appendix D: Where to Go From Here Cisco ISA500 Series Integrated Security Appliance Administration Guide 365 11
1 Getting Started

This chapter provides a product overview and installation instructions to help you install the security appliance, describes the default settings, and covers some basic configuration tasks to help you begin configuring your security appliance.
Feature Overview

Model     Description                                            Configuration
ISA550    Cisco ISA550 Integrated Security Appliance             1 WAN port, 2 LAN ports, 4 configurable ports, and 1 USB 2.0 port
ISA550W   Cisco ISA550 Integrated Security Appliance with WiFi   1 WAN port, 2 LAN ports, 4 configurable ports, 1 USB 2.0 port, and 802.11b/g/n
ISA570    Cisco ISA570 Integrated Security Appliance             1 WAN port, 4 LAN ports, 5 configurable ports, and 1 USB 2.
Feature                        ISA550    ISA550W   ISA570    ISA570W
Maximum Concurrent Sessions    15,000    15,000    40,000    40,000
Sessions per second (cps)      2,500     2,500     3,000     3,000
Wireless (802.11b/g/n)         No        Yes       No        Yes
IPSec Tunnels                  50        50        100       100
SSL VPN Tunnels                25        25        50        50

Device Overview

Before you begin to use the security appliance, become familiar with the lights on the front panel and the ports on the rear panel.
ISA570 Front Panel
[Figure: ISA570 front panel. Labels: POWER/SYS, VPN, USB, SPEED, LINK/ACT; port groups WAN, LAN, and CONFIGURABLE, numbered 1 through 10.]

ISA570W Front Panel
[Figure: ISA570W front panel. Labels: POWER/SYS, VPN, USB, WLAN, SPEED, LINK/ACT; port groups WAN, LAN, and CONFIGURABLE, numbered 1 through 10.]

Front Panel Lights

The following table describes the lights on the front panel of the security appliance. These lights are used for monitoring system activity.
Light                               Description
USB                                 Indicates the USB device status. Green lights when a USB device is detected and operates normally. Green flashes when the USB device is transmitting and receiving data.
WLAN (ISA550W and ISA570W only)     Indicates the WLAN status. Green lights when the WLAN is enabled and associated. Green flashes when the WLAN is transmitting and receiving data.
SPEED, LINK/ACT                     Indicates the traffic rate of the associated port.
1 Getting Started Device Overview Back Panel The back panel is where you connect the network devices. The ports on the panel vary depending on the model.
Back Panel Descriptions

ANT01/ANT02: Threaded connectors for the antennas (ISA550W and ISA570W only).
USB Port: Connects the unit to a USB device. You can use a USB device to back up and restore the configuration, or to upgrade the firmware image.
Configurable Ports: Can be set to operate as WAN, LAN, or DMZ ports. The ISA550 and ISA550W have 4 configurable ports. The ISA570 and ISA570W have 5 configurable ports.
Installation

• Installation Options, page 19
• Hardware Installation, page 22

Before You Begin

Before you begin the installation, make sure that you have the following equipment and services:
• An active Internet account.
• Mounting kits and tools for installing the hardware. The kits packed with the security appliance are used for desktop placement and rack mounting. The kits include 4 rubber feet, 2 brackets, 2 silicon rubber spacers, 8 M3 screws, 4 M5 screws, and 4 washers.
1 Getting Started Installation • Mechanical Loading: Be sure that the security appliance is level and stable to avoid any hazardous conditions. To place the security appliance on a desktop, install the supplied four rubber feet on the bottom of the security appliance. Place the security appliance on a flat surface. Wall Mounting There is no wall-mounting kit included with your security appliance.
Rack Mounting

You can mount the security appliance in any standard size, 19-inch (about 48 cm) wide rack. The security appliance requires 1 rack unit (RU) of space, which is 1.75 inches (44.45 mm) high.

CAUTION: Do not overload the power outlet or circuit when installing multiple devices in a rack.

STEP 1 Place one of the supplied silicon rubber spacers on the side of the security appliance so that the four holes align to the screw holes.
Hardware Installation

Follow these steps to connect the security appliance:
STEP 1 Connect the security appliance to power using the supplied power cord and adapter. Make sure that the power switch is turned off.
STEP 2 If you are installing the ISA550W or ISA570W, screw each antenna onto a threaded connector on the back panel. Orient each antenna to point upward.
Getting Started with the Configuration Utility

The Configuration Utility is a web-based device manager that is used to provision the security appliance. To use this utility, you must be able to connect to the security appliance from your administration PC or laptop. You can access the security appliance using a web browser such as Microsoft Internet Explorer 8.0 or Mozilla Firefox 3.6.x (or later).
1 Getting Started Getting Started with the Configuration Utility After you change them, the Startup Wizard launches. For more information about how to use the Startup Wizard to configure your security appliance, see Using the Startup Wizard, page 32. Navigating Through the Configuration Utility Use the left hand navigation pane and content pane to perform the tasks in the Configuration Utility.
Using the Help System

The Configuration Utility includes a detailed Help file for all configuration tasks. To view the Help page, click the Help link in the top right corner of the screen.

Using the Management Buttons

Device Management buttons and icons provide an easy way to configure device information. In this guide, the buttons and icons are referred to by their text labels, which indicate what they are used for.
• IP Routing Mode: By default, only the IPv4 mode is enabled. To support both IPv4 and IPv6 addressing, you need to enable the IPv4/IPv6 mode. To change the IP routing mode, see Configuring IP Routing Mode, page 95.
• WAN Configuration: By default, the security appliance is configured to obtain an IP address from your ISP by using Dynamic Host Configuration Protocol (DHCP).
• Security Services: By default, the UTM security services such as Intrusion Prevention Service (IPS), Web URL Filter, Web Reputation Filter, Anti-Virus, and Email Reputation Filter are disabled. For more information about how to configure the security services, see Security Services, page 210.
• Firewall: By default, the firewall blocks inbound connections from the WAN and allows all outbound traffic. Any inbound access you need, for example to services hosted in the DMZ, must be opened explicitly with firewall access rules.
STEP 1 After the first login, a prompt window opens.
STEP 2 Enter the following information:
• User Name: Enter a new user name for the default administrator account. The name may contain letters, numbers, or underscores.
• New Password: Enter a new password for the default administrator account. Passwords are case-sensitive. Choose a long, unique password: this account controls the firewall, and the factory default credentials are publicly documented.
c. Locate where to save the configuration file, and then click Save.
STEP 3 To save the current settings on a USB device, perform the following steps:
a. Insert a USB device into the USB interface on the back panel of your security appliance. The USB device is automatically mounted once you insert it.
b. In the USB -> Mount/Unmount area, check the mounting status of the USB device.
STEP 2 To manually upgrade the firmware from your local PC, perform the following steps:
a. In the Network -> Firmware Upgrade area, click Browse to locate and select the firmware image on your local PC.
b. To upgrade the firmware and keep using the current settings, click Upgrade.
c. To upgrade the firmware and revert to the factory default settings, click Upgrade & Factory Reset.
STEP 1 Click Device Management -> Firmware and Configuration -> Configuration. The Configuration window opens.
STEP 2 In the Backup/Restore Settings -> Revert To Factory Default Settings area, click Default. The security appliance will reboot with the factory default settings.
2 Wizards This chapter describes how to use the wizards to configure your security appliance.
Using the Startup Wizard

CAUTION: When the Startup Wizard is complete, the previous settings for the changed WAN, DDNS, LAN, DMZ, and WLAN configuration are cleared and the relevant services are reinitialized. For the first login, you can ignore this warning message and follow the on-screen prompts to complete the initial configuration.
- Restrict access to a range of IP addresses: Only the hosts in the specified remote network can access the Configuration Utility. Enter the starting IP address in the From field and the ending IP address in the To field.
• Remote SNMP: Click On to enable SNMP for remote connections, or click Off to disable it. Enabling Remote SNMP allows hosts on the WAN side to query and manage the security appliance over SNMP. Enable it only if you need it, and restrict remote management to the addresses that actually require it.
STEP 3 After you are finished, click Next.
• 1 WAN, 1 WAN Backup, and 5 LAN Switch: The security appliance is set to two WAN ports (WAN1 is the primary WAN and WAN2 is the secondary WAN) and five LAN ports. The configurable port GE7 is set to a secondary WAN port.
• 1 WAN, 1 WAN Backup, 1 DMZ, and 4 LAN Switch: The security appliance is set to two WAN ports (WAN1 is the primary WAN and WAN2 is the secondary WAN), one DMZ port, and four LAN ports.
2 Wizards Using the Startup Wizard Choose the network addressing mode from the IP Address Assignment dropdown list and complete the corresponding fields for the secondary WAN port depending on the requirements of your ISP. For complete details, see Configuring the Network Addressing Mode, page 106. STEP 6 After you are finished, click Next. The WAN Redundancy window opens. From this page you can determine how the two ISP links are used.
• IP: Enter the IP address of the default LAN.
• Netmask: Enter the subnet mask of the default LAN.
• DHCP Server: Choose one of the following DHCP modes:
- Disable: Choose this option if the computers on the VLAN are configured with static IP addresses or are configured to use another DHCP server.
- DHCP Server: Allows the security appliance to act as a DHCP server and assign IP addresses to all devices that are connected to the DEFAULT VLAN.
If you have a DMZ port, the DMZ Configuration window opens. To host public services, configure a DMZ network on this page and specify the relevant DMZ services on the next DMZ Service page.
• IP: Enter the subnet IP address of the DMZ.
• Netmask: Enter the subnet mask of the DMZ.
STEP 9 After you are finished, click Next. The DMZ Service window opens. From this page you can configure the DMZ services. For complete details, see Configuring the DMZ Services, page 49.

NOTE After you configure the DMZ services, the security appliance automatically generates firewall access rules that allow access to the services on your DMZ. Review these rules after the wizard completes: they open inbound access from the WAN to the DMZ hosts.

STEP 10 After you are finished, click Next. The Wireless Radio Setting window opens.
• Wireless Channel: Choose a channel, or choose Auto to let the system determine the best channel to use based on the environmental noise levels for the available channels.
STEP 11 After you are finished, click Next. The Wireless Connectivity Type - Intranet WLAN Access window opens. From this page you can configure the wireless connectivity settings for SSID1.
• Configuring the SSID for Intranet WLAN Access, page 43
• Configuring the SSID for Guest WLAN Access, page 44
• Configuring the SSID for Guest WLAN Access (Captive Portal), page 45

Using the Wireless Wizard to Configure the Wireless Settings

STEP 1 Click Wizards -> Wireless Wizard. The Getting Started window opens.
STEP 2 Click Begin. The Wireless Radio Setting window opens.
• Enable: Check this box to enable the SSID.
• Mode: Choose the wireless connectivity type for each enabled SSID.
- Intranet WLAN Access: Allows wireless users to access the corporate network via the wireless network. The WLAN is mapped to the DEFAULT VLAN.
- Guest WLAN Access: Allows guest users to reach the Internet via the wireless network, but not the corporate network. The WLAN is mapped to the GUEST VLAN.
Configuring the SSID for Intranet WLAN Access

This section describes how to configure the connectivity settings for Intranet WLAN access.
STEP 1 After you enable the SSIDs and specify the wireless connectivity type for each SSID, click Next. If SSID1 is enabled and is set to Intranet WLAN Access, the SSID1 window opens.
STEP 2 Enter the following information:
• SSID: Enter the SSID name.
• VLAN Mapping: Choose the VLAN to which the SSID is mapped. All traffic from the wireless clients that are connected to this SSID will be directed to the selected VLAN. For Intranet WLAN access, choose a VLAN that is mapped to a trusted zone.
• User Limit: Specify the maximum number of users that can simultaneously connect to this SSID.
• User Limit: Specify the maximum number of users that can simultaneously connect to this SSID.

Configuring the SSID for Guest WLAN Access (Captive Portal)

This section describes how to configure the connectivity settings for Captive Portal WLAN access.
STEP 1 After you finish the SSID2 configuration, click Next.
- Internal: Uses the default web authentication login page to authenticate the wireless users. If you choose this option, enter the URL that users are sent to after they log in in the Redirect URL After Login field, and specify the list of monitored HTTP ports. If you do not specify a redirect URL, the wireless user is sent to the web site that was originally requested.
Using the DMZ Wizard to Configure the DMZ Settings

STEP 1 Click Wizards -> DMZ Wizard. The Getting Started window opens.
STEP 2 Click Begin. The DDNS Setup window opens. From this page you can optionally configure DDNS for remote management of the DMZ network.
STEP 3 Enter the following information:
• Service: Choose either the DynDNS or the No-IP service.
STEP 6 Click Submit to save your settings and exit the DMZ Wizard.

Configuring the DMZ

In the DMZ Configure window, follow these procedures to create a DMZ network.
STEP 1 Click Add to create a DMZ network. Other options: To edit an entry, click Edit. To delete an entry, click Delete. The DMZ - Add/Edit window opens.
• End IP: Enter the ending IP address of the DHCP pool.
NOTE The starting and ending IP addresses must fall within the DMZ's subnet.
• Lease Time: Enter the maximum time that a dynamic IP address is "leased" to a network client. A client normally renews its lease before it expires and keeps the same address; if it does not renew, the address returns to the pool when the lease expires.
• DNS 1: Enter the IP address of the primary DNS server.
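The wizard only warns that the pool must sit inside the DMZ subnet; the checks a practitioner would want before submitting the form are shown below. This is an added example, not code from the ISA500 guide: the inputs mirror the wizard fields (IP, Netmask, Start IP, End IP, Lease Time), and treating the subnet IP as the appliance's own DMZ address (the gateway) is this example's assumption. The rules themselves are standard DHCP practice.

```python
"""Validate a DHCP pool against the DMZ subnet it serves.

Added example, not code from the ISA500 guide. The inputs mirror the
wizard fields (IP, Netmask, Start IP, End IP, Lease Time); treating the
subnet IP as the appliance's own DMZ address (the gateway) is this
example's assumption, and the rules are standard DHCP practice.
"""
import ipaddress
from typing import List


def validate_dhcp_pool(subnet_ip: str, netmask: str, start_ip: str,
                       end_ip: str, lease_seconds: int) -> List[str]:
    """Return the problems found; an empty list means the pool is usable."""
    problems: List[str] = []
    network = ipaddress.IPv4Network(f"{subnet_ip}/{netmask}", strict=False)
    gateway = ipaddress.IPv4Address(subnet_ip)   # assumed: the appliance's DMZ address
    start = ipaddress.IPv4Address(start_ip)
    end = ipaddress.IPv4Address(end_ip)

    # Both ends of the pool must lie inside the DMZ subnet.
    for label, addr in (("start", start), ("end", end)):
        if addr not in network:
            problems.append(f"{label} address {addr} is outside {network}")

    if start > end:
        problems.append("start address is above end address")

    # The network and broadcast addresses are never valid host leases.
    if start == network.network_address:
        problems.append("pool begins at the network address")
    if end == network.broadcast_address:
        problems.append("pool ends at the broadcast address")

    # Leasing the gateway's own address to a client would break the DMZ.
    if start <= gateway <= end:
        problems.append(f"pool includes the gateway address {gateway}")

    if lease_seconds <= 0:
        problems.append("lease time must be positive")
    return problems


def pool_size(start_ip: str, end_ip: str) -> int:
    """Number of addresses the pool can lease at once."""
    return (int(ipaddress.IPv4Address(end_ip))
            - int(ipaddress.IPv4Address(start_ip)) + 1)


if __name__ == "__main__":
    # Constructed sample values for a /24 DMZ with a 101-address pool.
    for problem in validate_dhcp_pool("192.168.75.1", "255.255.255.0",
                                      "192.168.75.100", "192.168.75.200", 86400):
        print("problem:", problem)
    print("pool size:", pool_size("192.168.75.100", "192.168.75.200"))
```

Size the pool for the number of DMZ hosts you actually expect; a pool that spans the whole subnet makes it easy to overlook a stray device that obtained an address in the DMZ.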
The DMZ Service - Add/Edit window opens.
STEP 2 Enter the following information:
• Original Service: Choose a service as the incoming service.
• Translated Service: Choose a service as the translated service that you will host. If the service you want is not in the list, choose Create a Service to create a new service object. To maintain the service objects, go to the Networking -> Service Management page.
Using the Dual WAN Wizard to Configure the WAN Redundancy Settings

If you have two ISP links, configure the second one as the backup WAN so that the security appliance can provide failover connectivity or load balancing. Use the Dual WAN Wizard to configure the WAN redundancy settings.
Choose the WAN redundancy mode and configure the relevant settings:
• Weighted Load Balancing: Distributes the bandwidth across the two WAN ports by weighted percentage or by weighted link bandwidth.
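To make the weighted modes concrete, the following added example (not code from the ISA500 guide, which does not state which scheduler the appliance uses) distributes new sessions over two links with smooth weighted round-robin, derives weights from link bandwidth for the "weighted link bandwidth" mode, and drops a failed link out of the rotation. The link names and weights are made up for the example.

```python
"""Weighted distribution of new sessions across two WAN links.

Added example, not code from the ISA500 guide, which does not state the
scheduling algorithm the appliance uses. This is smooth weighted round-robin
applied per session, since a stateful firewall must keep every packet of a
session on the link where it started. Link names and weights are made up.
"""
from collections import Counter
from typing import Dict


def weights_from_bandwidth(link_kbps: Dict[str, int]) -> Dict[str, int]:
    """'Weighted link bandwidth' mode: turn link capacities into percentages."""
    total = sum(link_kbps.values())
    if total <= 0:
        raise ValueError("total bandwidth must be positive")
    return {name: round(100 * kbps / total) for name, kbps in link_kbps.items()}


class WeightedBalancer:
    """Smooth weighted round-robin over the configured WAN links."""

    def __init__(self, weights: Dict[str, int]):
        if any(w < 0 for w in weights.values()) or sum(weights.values()) == 0:
            raise ValueError("weights must be non-negative and not all zero")
        self.configured = dict(weights)   # weights as configured
        self.active = dict(weights)       # weights after failover
        self.current = {name: 0 for name in weights}

    def set_link_up(self, name: str, up: bool) -> None:
        """Failover: a link that is down gets weight 0 until it comes back."""
        self.active[name] = self.configured[name] if up else 0
        if sum(self.active.values()) == 0:
            raise RuntimeError("no WAN link available")
        self.current = {n: 0 for n in self.current}   # restart the cycle

    def next_link(self) -> str:
        """Pick the link for the next new session."""
        total = sum(self.active.values())
        for name, weight in self.active.items():
            self.current[name] += weight
        chosen = max(self.current, key=self.current.get)  # first max wins ties
        self.current[chosen] -= total
        return chosen


def assign_sessions(balancer: WeightedBalancer, count: int) -> Dict[str, int]:
    """Distribute `count` new sessions and report how many each link got."""
    return dict(Counter(balancer.next_link() for _ in range(count)))


if __name__ == "__main__":
    lb = WeightedBalancer({"WAN1": 70, "WAN2": 30})
    print("70/30 split over 10 sessions:", assign_sessions(lb, 10))
    lb.set_link_up("WAN2", False)
    print("after WAN2 fails:", assign_sessions(lb, 5))
    print("from bandwidth:", weights_from_bandwidth({"WAN1": 20000, "WAN2": 5000}))
```

The smooth variant matters in practice: a naive scheduler that sends the first seven sessions to WAN1 and the next three to WAN2 honours the same percentages but bursts one link, whereas this one interleaves the links within each cycle.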
The Summary window opens. The Summary window displays the summary information for all configurations you made.
STEP 8 Click Submit to save your settings and exit the Dual WAN Wizard.

Using the Site-to-Site Wizard to Establish the Site-to-Site VPN Tunnels

Use the Site-to-Site Wizard to configure a site-to-site VPN that provides a secure connection between two physically separated routers over an IPSec VPN tunnel.
• IP Address/FQDN of Remote Peer Site: Choose one of the following options:
- Static IP: If the remote peer uses a static IP address, choose this option. Enter the IP address of the remote device in the Address field.
- Dynamic IP: If the remote peer uses a dynamic IP address, choose this option.
- FQDN (Fully Qualified Domain Name): To use the domain name of the remote network, such as vpn.company.
Wizards Using the Site-to-Site Wizard to Establish the Site-to-Site VPN Tunnels 2 • Local Network: Choose the IP address of the local network. If you want to enable zone access control settings for the IPSec VPN tunnels, choose Any for the local network. • Remote Network: Choose the IP address of the remote network. You must know the IP address of the remote network before connecting the IPSec VPN tunnel.
• HASH: Specify the integrity (authentication) algorithm for the VPN header. The security appliance supports two HASH algorithms: SHA1 and MD5. MD5 is cryptographically weak; choose SHA1 unless the remote peer supports only MD5.
NOTE Ensure that the authentication algorithm is configured identically on both sides.
• Authentication: Specify the authentication method that the security appliance uses to establish the identity of each IPSec peer.
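The note that both sides must be configured identically is the usual cause of a tunnel that never comes up. The following added example (not code from the ISA500 guide) models an IKE policy with the fields the Site-to-Site wizard exposes, reports exactly which attribute differs between the two peers, and warns when a matching pair relies on weak algorithms. The attribute labels ("AES-128", "PSK") and the weak-algorithm lists are this example's assumptions, not Cisco's settings.

```python
"""Check whether two IKE (phase 1) policies can agree, and flag weak choices.

Added example, not code from the ISA500 guide. A policy is modelled with the
fields the Site-to-Site wizard exposes (encryption, HASH, authentication,
DH group, lifetime); the attribute labels ("AES-128", "PSK") and the
weak-algorithm lists are this example's assumptions, not Cisco's settings.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple

WEAK_HASHES = {"MD5"}
WEAK_CIPHERS = {"DES"}
WEAK_DH_GROUPS = {1}

# Attributes that must be identical on both peers for a proposal to match.
# Lifetime is excluded on purpose: IKEv1 peers settle on the shorter value.
MATCH_FIELDS = ("encryption", "hash", "authentication", "dh_group")


@dataclass(frozen=True)
class IkePolicy:
    name: str
    encryption: str       # e.g. "AES-128", "3DES", "DES" (assumed labels)
    hash: str             # "SHA1" or "MD5" on the ISA500
    authentication: str   # e.g. "PSK" or "RSA-SIG" (assumed labels)
    dh_group: int
    lifetime: int         # seconds


def mismatches(local: IkePolicy, remote: IkePolicy) -> List[str]:
    """List every attribute on which the two policies disagree."""
    return [f"{f}: {getattr(local, f)} != {getattr(remote, f)}"
            for f in MATCH_FIELDS if getattr(local, f) != getattr(remote, f)]


def weak_settings(policy: IkePolicy) -> List[str]:
    """Warn about algorithms that still negotiate but should not be relied on."""
    notes = []
    if policy.hash in WEAK_HASHES:
        notes.append(f"{policy.name}: HASH {policy.hash} is weak, prefer SHA1")
    if policy.encryption in WEAK_CIPHERS:
        notes.append(f"{policy.name}: {policy.encryption} is weak, prefer AES")
    if policy.dh_group in WEAK_DH_GROUPS:
        notes.append(f"{policy.name}: DH group {policy.dh_group} is too small")
    return notes


def negotiate(local: List[IkePolicy], remote: List[IkePolicy]
              ) -> Tuple[Optional[Tuple[IkePolicy, IkePolicy]], List[str]]:
    """Try local policies in priority order against every remote policy.

    Returns the first agreeing pair plus weakness warnings, or (None, reasons)
    explaining why each candidate pair was rejected.
    """
    reasons: List[str] = []
    for lp in local:
        for rp in remote:
            diff = mismatches(lp, rp)
            if not diff:
                return (lp, rp), weak_settings(lp)
            reasons.append(f"{lp.name} vs {rp.name}: " + "; ".join(diff))
    return None, reasons


if __name__ == "__main__":
    hq = IkePolicy("hq", "AES-128", "SHA1", "PSK", 2, 28800)
    branch = IkePolicy("branch", "AES-128", "MD5", "PSK", 2, 86400)
    print(negotiate([hq], [branch]))   # no match: hash differs
```

Run the check against both sides' configured policies before opening a ticket with the remote site; a lifetime difference alone is not a reason for failure, but a hash or DH group difference is.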
Configuring the Transform Policies

In the Transform Policy window, follow these procedures to create a new transform policy.
STEP 1 To add an entry, click Add. Other options: To edit an entry, click Edit. To delete an entry, click Delete. After you click Add, the Transform Policy - Add/Edit window opens.
STEP 2 Enter the following information:
• Name: Enter a unique name for the transform policy.
Using the Remote Access Wizard to Establish the IPSec VPN Tunnels or SSL VPN Tunnels for Remote Access

The Remote Access Wizard helps you configure your security appliance as a Cisco IPSec VPN server or as an SSL VPN gateway so that remote users can securely access the corporate network resources over the VPN tunnels.
Figure 1 IPSec Remote Access with Cisco VPN Client Software or a Cisco Device as a Cisco VPN Hardware Client
[Figure: a personal computer running Cisco VPN Client software connects from the outside network to the ISA500 acting as a Cisco IPSec VPN server. The internal (inside) network 10.10.10.0 contains a DNS server at 10.10.10.163 and a WINS server.]
STEP 4 After you are finished, click Next. The WAN Setting window opens. From this page you can choose the WAN interface that the traffic passes through over the IPSec VPN tunnel. If you have two links, you can enable WAN Failover to redirect the traffic to the secondary link when the primary link is down.
• WAN Failover: Click On to enable WAN Failover, or click Off to disable it.
• NEM: Choose this mode for a group policy that is used only by a Cisco device that supports the Cisco VPN hardware client. The Cisco VPN hardware client will obtain a private IP address from a DHCP server over the IPSec VPN tunnel.
STEP 6 After you are finished, click Next. The Access Control Setting window opens.
NOTE The backup servers specified on the Cisco IPSec VPN server are sent to the remote clients when they initiate the VPN connection. The remote clients cache them.
• Peer Timeout: Enter the time in minutes for which the client retries connecting to the backup server.
STEP 9 After you are finished, click Next. The Split Tunnel Setting window opens.
Wizards Using the Remote Access Wizard to Establish the IPSec VPN Tunnels or SSL VPN Tunnels for Remote Access 2 Configuring the Cisco IPSec VPN User Groups In the Cisco IPSec VPN - User Group Setting window, follow these procedures to create a Cisco IPSec VPN user group. STEP 1 Click Add to add a Cisco IPSec VPN user group. Other options: To edit an entry, click Edit. To delete an entry, click Delete. To delete multiple entries, check the boxes of multiple entries and click Delete Selection.
Wizards Using the Remote Access Wizard to Establish the IPSec VPN Tunnels or SSL VPN Tunnels for Remote Access 2 STEP 2 To establish the SSL VPN tunnels for remote access, choose SSL VPN as the VPN tunnel type. STEP 3 Click Begin. The SSL VPN Configuration window opens. STEP 4 In the Gateway (Basic) area, enter the following information: • Gateway Interface: Choose the WAN interface that the traffic over the SSL VPN tunnel passes through.
STEP 5 In the Gateway (Advanced) area, enter the following information:
• Idle Timeout: Enter the timeout value in seconds that the SSL VPN session can remain idle.
• Session Timeout: Enter the timeout value in seconds that the SSL VPN session can remain connected.
• Client DPD Timeout: Dead Peer Detection (DPD) allows detection of dead peers.
The SSL VPN Summary window opens. The Summary page displays the summary information for all SSL VPN group policies and user groups you made.
STEP 9 Click Submit to save your settings and exit the Remote Access Wizard.

Configuring the SSL VPN Group Policies

In the SSL VPN Group Policy window, follow these procedures to create an SSL VPN group policy.
• Address: If you choose Bypass-Local, enter the IP address or domain name of the MSIE proxy server. It is configured as an IPv4 address or fully qualified domain name, followed by a colon and port number, for example xxx.xxx.xxx.xxx:80.
• Port: Enter the port number of the MSIE proxy server.
• Exclude LAN: If you choose Exclude Traffic, click True to prevent the SSL VPN clients from reaching the local LANs over the VPN tunnel, or click False to allow the SSL VPN clients to reach the local LANs over the VPN tunnel.
Configuring the SSL VPN User Groups

In the SSL VPN - User Group Setting window, follow these procedures to create an SSL VPN user group.
STEP 1 Click Add to add an SSL VPN user group. Other options: To edit an entry, click Edit. To delete an entry, click Delete. To delete multiple entries, check the boxes of multiple entries and click Delete Selection.
3 Status This chapter describes how to monitor the system status and performance for your security appliance. • System Status, page 70 • Interface Status, page 74 • Wireless Status for ISA550W and ISA570W, page 79 • Active Users, page 81 • VPN Status, page 81 • Reports, page 85 • Process Status, page 92 • Resource Utilization, page 92 To access the Status pages, click Status in the left hand navigation pane. System Status The Dashboard page displays the current system status.
3 Status System Status Firmware (Primary/ Secondary) The firmware version that the security appliance is currently using (primary) and the firmware version that was previously running (secondary). By default, the security appliance boots up with the primary firmware. To switch to the secondary firmware, see Using the Secondary Firmware, page 300. Bootloader Version The bootloader version. Serial Number The security appliance serial number.
Critical: Total number of Critical logs. Click the number link for details.
Error: Total number of Error logs. Click the number link for details.
Warning: Total number of Warning logs. Click the number link for details.
Notification: Total number of Notification logs. Click the number link for details.
Information: Total number of Information logs.
Site-to-Site VPN: Displays the total number of Site-to-Site VPN sessions. To see complete details, click details.
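The Dashboard counters above are the same tally you would keep on a central syslog collector. The following added example (not code from the ISA500 guide) reproduces it for standard syslog lines: it decodes the RFC 3164 PRI prefix (PRI = facility * 8 + severity), counts lines per severity using the Dashboard's labels, and keeps a filter for "Error or worse". It assumes the appliance forwards standard syslog with a PRI field; the sample lines are constructed for the example and are not real ISA500 output.

```python
"""Tally syslog messages by severity, as the Dashboard log counters do.

Added example, not code from the ISA500 guide. It assumes the appliance
emits standard syslog lines with an RFC 3164 <PRI> prefix
(PRI = facility * 8 + severity); the sample lines are constructed here and
are not real ISA500 output. Severity labels follow the Dashboard's wording.
"""
import re
from collections import Counter
from typing import Dict, List, Optional, Tuple

SEVERITIES = ["Emergency", "Alert", "Critical", "Error",
              "Warning", "Notification", "Information", "Debug"]
FACILITIES = ["kern", "user", "mail", "daemon", "auth", "syslog", "lpr",
              "news", "uucp", "cron", "authpriv", "ftp", "ntp", "audit",
              "alert", "clock"] + [f"local{i}" for i in range(8)]
PRI_RE = re.compile(r"^<(\d{1,3})>")

# Constructed sample lines (not captured from a real appliance).
SAMPLE_LOGS = [
    "<134>Jan 10 08:00:01 isa500 firewall: allowed 192.168.75.10 -> 203.0.113.5:443",
    "<131>Jan 10 08:00:02 isa500 vpn: IKE negotiation with 198.51.100.7 failed",
    "<132>Jan 10 08:00:03 isa500 ips: signature match from 198.51.100.9 blocked",
    "<130>Jan 10 08:00:04 isa500 system: secondary firmware fallback triggered",
    "<134>Jan 10 08:00:05 isa500 dhcp: leased 192.168.75.101 to 00:11:22:33:44:55",
    "Jan 10 08:00:06 isa500 line without a PRI field",
]


def decode_pri(pri: int) -> Tuple[str, str]:
    """Split a syslog PRI value into (facility, severity) names."""
    if not 0 <= pri <= 191:
        raise ValueError(f"PRI {pri} is out of range")
    return FACILITIES[pri // 8], SEVERITIES[pri % 8]


def severity_of(line: str) -> Optional[str]:
    """Return the severity name of a line, or None if it has no valid PRI."""
    match = PRI_RE.match(line)
    if not match:
        return None
    try:
        return decode_pri(int(match.group(1)))[1]
    except ValueError:
        return None


def tally_by_severity(lines: List[str]) -> Dict[str, int]:
    """Count lines per severity; lines with no usable PRI land in 'Unparsed'."""
    counts: Counter = Counter()
    for line in lines:
        counts[severity_of(line) or "Unparsed"] += 1
    return dict(counts)


def at_or_above(lines: List[str], threshold: str = "Error") -> List[str]:
    """Keep lines at the given severity or worse (lower syslog number)."""
    limit = SEVERITIES.index(threshold)
    kept = []
    for line in lines:
        severity = severity_of(line)
        if severity is not None and SEVERITIES.index(severity) <= limit:
            kept.append(line)
    return kept


if __name__ == "__main__":
    print(tally_by_severity(SAMPLE_LOGS))
    for line in at_or_above(SAMPLE_LOGS, "Error"):
        print("attention:", line)
```

Keeping an "Unparsed" bucket is deliberate: a collector that silently drops lines it cannot decode hides exactly the malformed or truncated messages worth looking at.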
3 Status System Status Mode The link status of the physical interface. WAN Mode Display the WAN configuration mode of the security appliance (Single WAN port, Failover, or Load Balancing). To see complete details for WAN redundancy, click details. WAN Interfaces To see complete details for all WAN interfaces, click details. WAN1 to WANx The name of the WAN interface. IP Address The IP addresses assigned to the WAN interface. LAN Interface To see complete details for all VLANs, click details.
3 Status Interface Status SSID Number The SSID ID. SSID Name The SSID name. VLAN The VLANs to which the SSID is mapped. Client List The number of client stations that are connected to the SSID. Interface Status The Interface Status pages display the ARP entries, IP address assignment of DHCP pool, and the status and statistic information for all Ethernet ports, WANs, VLANs, and DMZs.
• Device: Indicates the interface for which the ARP parameters are defined.
DHCP Pool Assignment
The DHCP Pool Assignment page displays the IP address assignment by the DHCP server on your security appliance. Click Refresh to refresh the data. To open this page, click Status -> Interface Status -> DHCP Pool Assignment.
• IP Address: The IP address assigned to the host or the remote device.
• MAC Address: The MAC address of the host or the remote device.

• PVID: The Port VLAN ID (PVID) used to forward or filter the untagged packets coming into the port. The PVID of a Trunk port is fixed to the DEFAULT VLAN (1).
• Speed/Duplex: The duplex mode (speed and duplex setting) of the physical port.
• Link Status: Shows if the physical port is connected or not.
WAN Table
The WAN table displays the following information for all WAN interfaces:
• Name: The name of the WAN interface.

• Name: The VLAN name.
• VID: The VLAN ID.
• Address: The subnet IP address and netmask of the VLAN.
• Physical Port: The physical ports that are assigned to the VLAN.
• Zone: The zone to which the VLAN is mapped.
DMZ Table
The DMZ table displays the following DMZ information:
• Name: The DMZ name.
• VID: The VLAN ID.
• Address: The subnet IP address and netmask of the DMZ.
• Physical Port: The physical port that is assigned to the DMZ.
• Zone: The zone to which the DMZ is mapped.

• Collisions: The number of signal collisions that have occurred on this port. A collision occurs when the port tries to send data at the same time as a port on the other router or computer that is connected to this port.
• Tx B/s: The number of bytes going out of the port per second.
• Rx B/s: The number of bytes received by the port per second.
• Up Time: How long the port has been active. The uptime is reset to zero when the security appliance or the port is restarted.

• Collisions: The number of signal collisions that have occurred on this VLAN.
• Tx B/s: The number of bytes going out of the VLAN per second.
• Rx B/s: The number of bytes received by the VLAN per second.
• Up Time: How long the LAN port has been active.
DMZ Table
The DMZ table displays the flow statistic information for all DMZs:
• Name: The name of the DMZ.
• Tx Pkts: The number of IP packets going out of the DMZ.

Wireless Status for ISA550W and ISA570W
Wireless Status
The Wireless Status page displays the cumulative total of relevant wireless statistics for all active SSIDs. The counters are reset when the security appliance reboots. To open this page, click Status -> Wireless -> Wireless Status.
Wireless Table
The security appliance may have multiple SSIDs enabled and configured concurrently. This table displays the following information for all active SSIDs.
• SSID Number: The SSID ID.

Client Status
The Client Status page displays the MAC address and IP address of all client stations that are connected to each SSID. Click Refresh to refresh the data. To open this page, click Status -> Wireless -> Client Status.
Active Users
The Active Users page displays all active users who are currently logged into the security appliance. Click the Logout button to terminate an active user session. To open this page, click Status -> Active Users.
VPN Status
IPSec VPN Status
The VPN Table page displays the status and statistic information for IPsec VPN sessions. To open this page, click Status -> VPN Status -> VPN Table.
Status for all IPSec VPN Sessions
The Active Sessions tab displays the following IPsec VPN session information:
• Name: The name of the IPSec VPN policy that is used for the VPN session.
• VPN Type: The connection type of the IPSec VPN session, such as Site-to-Site, Cisco IPSec VPN Server, or Cisco IPSec VPN Client.

• Remote Gateway: The IP address of the remote gateway for a Site-to-Site VPN session or the IP address of the remote VPN client for a Cisco IPSec VPN session.
• Tx Bytes: The volume of traffic in Kilobytes transmitted from the VPN tunnel.
• Rx Bytes: The volume of traffic in Kilobytes received from the VPN tunnel.
• Tx Pkts: The number of IP packets transmitted from the VPN tunnel.
• Rx Pkts: The number of IP packets received from the VPN tunnel.

Statistics for all SSL VPN Sessions or for a single SSL VPN session
The Statistic tab displays the global statistic information for all active SSL VPN sessions or for each SSL VPN session. In the Global Status area, the global statistic information is displayed. To clear the global statistic information, click Clear Global.
• Active Users: The number of all connected SSL VPN users.
• In CSTP frames: The number of CSTP frames received from all clients.

• Out CSTP frames: The number of CSTP frames sent to the client.
• Out CSTP bytes: The total number of bytes in the CSTP frames sent to the client.
• Out CSTP data: The number of CSTP data frames sent to the client.
• Out CSTP control: The number of CSTP control frames sent to the client.
NOTE CSTP is a Cisco proprietary protocol for SSL VPN tunneling. “In” means “from the client” and “Out” means “to the client”.

Reports
Reports of Event Logs
The security appliance can perform a rolling analysis of the event logs. The Report page displays the top 25 most frequently accessed websites, the top 25 users of bandwidth usage, and the top 25 services that consume the most bandwidth.
CAUTION Enabling the IP Bandwidth, Service Bandwidth, and TopN Web reports consumes additional system resources and may impact the system performance. Go to the Status -> Dashboard page to view the CPU and memory utilization.
STEP 5 Click Refresh Data to update the data on the screen or click Reset Data to reset the values to zero.
Reports of WAN Bandwidth
The WAN Bandwidth report displays the run-time WAN network bandwidth usage by hour for the past 24 hours.
STEP 1 Click Status -> Report -> WAN Bandwidth.
STEP 2 Check the Enable WAN Bandwidth box to enable this report.
STEP 3 Click Save to save your settings.

NOTE The reports for the security services are provided only if the corresponding security services are enabled.
Web Security Blocked Report
This report displays the number of web access requests logged and the number of websites blocked by the Web URL Filter service, the Web Reputation Filter service, or both. In the Web Security Blocked Report tab, check the Enable Web Security Blocked Report box to enable this report, and then click Save to save your settings.

• Device System Date: The current date for counting the data.
• Total since the service was activated: The total number of files checked and the total number of viruses detected since the Anti-Virus service was enabled.
• Total for last 7 days: The total number of files checked and the total number of viruses detected in the last seven days.
• Total for today: The total number of files checked and the total number of viruses detected in one day.

Network Reputation Report
This report displays the total number of packets checked and the number of packets blocked by the Network Reputation service. In the Network Reputation Report tab, check the Enable Network Reputation Report box to enable this report, and then click Save to save your settings. After you enable this report, the corresponding statistic information is displayed.
• Device System Date: The current date for counting the data.

• Total since the service was activated: The total number of packets with suspicious behaviors and attacks detected and the total number of packets dropped since both the IPS service and the IPS Policy and Protocol Inspection were enabled.
• Total for last 7 days: The total number of packets with suspicious behaviors and attacks detected and the total number of packets dropped in the last seven days.

• Graph: Shows the total number of packets for the predefined IM and P2P applications detected and the total number of packets blocked by day for the last seven days.
Process Status
The Process Status page displays the status for all sockets and the processes to which each socket belongs. To open this page, click Status -> Process Status.
• Name: The name of the process that is running on your security appliance.
• Description: A brief description of the running process.

Resource Utilization
• CPU Waiting for I/O: The percentage of CPU time spent waiting for I/O since the security appliance booted up.
Memory Utilization
• Total Memory: The total amount of memory space available on the security appliance.
• Used Memory: The amount of memory space used by the processes at the current time.
• Free Memory: The amount of memory space not used by the processes at the current time.
• Cached Memory: The amount of memory space used as cache at the current time.
4 Networking
This chapter describes how to configure your Internet connection, VLAN, DMZ, zones, routing, Quality of Service, and related features.

Configuring IP Routing Mode
Internet Protocol Version 6 (IPv6) is a new IP protocol designed to replace IPv4, the Internet protocol that is predominantly deployed and extensively used throughout the world. IPv6 quadruples the number of network address bits from 32 bits (in IPv4) to 128 bits, resulting in an exponentially larger address space. You can configure the security appliance to support IPv6 addressing on the WAN, LAN, and DMZ.

Port Management
In the Physical Interfaces area, all physical ports available on your security appliance are listed in the table. The following information is displayed:
• Name: The name of the physical port.
• Enable: Shows if the physical port is enabled or disabled.
• Port Type: The physical port type, such as WAN, LAN, or DMZ. The type of the dedicated WAN and LAN ports cannot be changed, but the type of the configurable ports can be set to LAN, WAN, or DMZ.

STEP 2 To edit the settings of a physical port, click Edit. After you click Edit, the Ethernet Configuration - Add/Edit window opens.
STEP 3 Enter the following information:
• Name: The name of the physical port.
• Port Type: The physical port type, such as WAN, LAN, or DMZ.
• Mode: Choose either Access or Trunk mode for a LAN port, and choose Access mode for a WAN or DMZ port. By default, all ports are set to Access mode.

• Speed: Choose one of these options: AUTO, 10 Mbps, 100 Mbps, and 1000 Mbps. The default is AUTO for all ports. The AUTO option lets the system and network determine the optimal port speed.
• Duplex: Choose either Half Duplex or Full Duplex based on the port support. The default is Full Duplex for all ports.
  - Full: Indicates that the port supports transmissions between the device and the client in both directions simultaneously.
STEP 1 Click Networking -> Port -> Port-Based Access Control. The Port-Based Access Control window opens.
STEP 2 Specify the RADIUS servers for authentication. The security appliance predefines three RADIUS groups. You can choose a predefined RADIUS group from the RADIUS Index drop-down list to authenticate the users on 802.1X-capable clients. The RADIUS server settings of the selected group are displayed.

STEP 6
• Forced Authentication: Disables 802.1X access control and causes the port to transition to the authorized state without any authentication exchange required. The port transmits and receives normal traffic without 802.1X-based authentication of the client.
• Forced Unauthentication: Causes the port to remain in the unauthorized state, ignoring all attempts by the client to authenticate.

STEP 4
• TX Monitored Ports: Check the boxes of the ports that are monitored. The port that you set as the TX Destination port cannot be selected as a monitored port.
• RX Destination: Choose the port that monitors the received traffic for other ports.
• RX Monitored Ports: Check the boxes of the ports that are monitored. The port that you set as the RX Destination port cannot be selected as a monitored port.
Click Save to apply your settings.

Configuring the WAN
• WAN Name: The name of the primary WAN (WAN1).
• IP Address Assignment: Choose the network addressing mode for the primary WAN depending on the requirements of your ISP. The security appliance supports DHCPC, Static IP, PPPoE, PPTP, and L2TP. For complete details on configuring the network addressing mode, see Configuring the Network Addressing Mode, page 106.
• DNS Server Source: DNS servers map Internet domain names (example: www.cisco.com) to IP addresses.

  - SLAAC: SLAAC provides a convenient method to assign IP addresses to IPv6 nodes. This method does not require any human intervention from an IPv6 user. If you choose SLAAC, the security appliance can generate its own addresses using a combination of locally available information and information advertised by routers.

Configuring the Secondary WAN
A secondary WAN is required to set up two ISP links for your network. You can use one link as the primary link and the other link for backup purposes, or you can configure load balancing to use both links simultaneously.
STEP 1 Click Networking -> WAN. The WAN window opens.
STEP 2 To add the secondary WAN, click Add. After you click Add, the WAN - Add/Edit window opens.

STEP 4
• MAC Address: Enter the MAC address in the format xx:xx:xx:xx:xx:xx, where x is a number from 0 to 9 (inclusive) or a letter between A and F (inclusive), for example, 01:23:45:67:89:ab.
• Zone: Maps the secondary WAN to an untrusted zone. The WAN zone is the default untrusted zone. Click Create Zone to create other untrusted zones. See Configuring the Zones, page 127.
Configuring the Network Addressing Mode
The security appliance supports five types of network addressing modes. Specify the network addressing mode for the primary WAN and the secondary WAN depending on your ISP requirements.
Network Addressing Mode: Configurations
• DHCPC: DHCP is the default setting. If you use DHCP, the WAN port will be the DHCP client and get the IP address from your ISP or the peer router.

• Static IP: Choose this option if your ISP assigns you a specific IP address or a group of addresses. Use the corresponding information from your ISP to complete the following fields:
  - IP Address: Enter the IP address of the WAN port that can be accessed from the Internet.
  - Netmask: Enter the IP address of the subnet mask.
  - Gateway: Enter the IP address of the default gateway.

• PPPoE: PPPoE uses Point to Point Protocol over Ethernet (PPPoE) to connect to the Internet. The PPPoE protocol is typically found when using a DSL modem. Choose this option if your ISP provides you with client software, a user name, and a password. Use the necessary PPPoE information from your ISP to complete the PPPoE configurations. You can predefine multiple PPPoE profiles before you set the network addressing mode to PPPoE.

• PPTP: The PPTP protocol is typically used for VPN connections. Use the necessary information from your ISP to complete the PPTP configurations:
  - IP Address: Enter the IP address of the WAN port that can be accessed from the Internet.
  - Netmask: Enter the IP address of the subnet mask.
  - Gateway: Enter the IP address of the default gateway.

• L2TP: Choose this option if you want to use IPSec to connect to a L2TP (Layer 2 Tunneling Protocol) server and encrypt all data transmitted from the client to the server. However, it does not encrypt network traffic to other destinations. Use the necessary information from your ISP to complete the L2TP configurations:
  - IP Address: Enter the IP address of the WAN port that can be accessed from the Internet.

NOTE Confirm that you have the proper network information from your ISP or a peer router to configure the security appliance to access the Internet.
Configuring the PPPoE Profiles
If you have multiple PPPoE accounts, use the PPPoE Profile page to configure multiple PPPoE profiles for later use.
STEP 1 Click Networking -> PPPoE Profile. The PPPoE Profile window opens. All existing PPPoE profiles are listed in the table.
STEP 2 To add a new PPPoE profile, click Add.
  - MS-CHAPv2: MS-CHAPv2 provides mutual authentication between peers by piggybacking a peer challenge on the Response packet and an authenticator response on the Success packet.
• Keep Live: Keeps the connection always on, regardless of the level of activity. This option is recommended if you pay a flat fee for your Internet service.
• Max Idle Time: Lets the security appliance disconnect from the Internet after a specified period of inactivity (Idle Time).

Configuring the WAN Redundancy
NOTE When the security appliance is working in Dual WAN mode, if one WAN link is down, the WAN redundancy and Policy-based Routing settings are ignored and all traffic is handled by the active WAN port.
This section describes how to configure the WAN redundancy and the link failover detection settings.

NOTE To configure Load Balancing, make sure that you configure both WAN ports to Keep Live. If a WAN port is configured to time out after a specified period of inactivity, then Load Balancing is not applicable.
STEP 1 Click Networking -> WAN Redundancy -> WAN Redundancy Operation Configuration. The WAN Redundancy Operation Configuration window opens.
STEP 2
STEP 3 Use the Load Balancing mode if you want to use both ISP links simultaneously.

STEP 4 Click Save to apply your settings.
STEP 5 To check the connection of both links at regular intervals after you enable the Load Balancing mode, you first need to enable the Link Failover Detection feature. To configure the Link Failover Detection settings, go to the Networking -> Link Failover Detection Settings page. See Configuring the Link Failover Detection, page 117.

Failover for WAN Redundancy
Use the Failover mode when you want to use one ISP link as a backup. If a failure is detected on the primary link, the security appliance directs all Internet traffic to the backup link. When the primary link regains connectivity, all Internet traffic is directed to the primary link and the backup link becomes idle. By default, the primary WAN is set as the primary link and the secondary WAN is set as the backup link.

STEP 4 To check the connection of both links at regular intervals after you enable the Failover mode, you first need to enable the Link Failover Detection feature. To configure the Link Failover Detection settings, go to the Networking -> Link Failover Detection Settings page. See Configuring the Link Failover Detection, page 117.

• Retry Count: Enter the number of retries. The security appliance repeatedly tries to connect to the ISP after the link failure is detected. The default is 5.
• Retry Timeout: If the connection to the ISP is down, the security appliance tries to connect to the ISP again after a specified timeout. Enter the timeout in seconds to reconnect to the ISP. The default is 5 seconds.
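Added example, not part of this guide or the ISA500 firmware: a small Python model of the Failover behaviour described above, using the Retry Count and Retry Timeout defaults. It assumes the primary link is declared failed after the initial failure plus Retry Count unsuccessful retries spaced Retry Timeout seconds apart, and that traffic returns to the primary as soon as a reachability check succeeds; the probe timeline is constructed.

```python
"""Failover with link failure detection as the guide describes it: when the
primary link fails, all Internet traffic moves to the backup link; when the
primary regains connectivity, traffic returns and the backup goes idle.
Added example, not ISA500 code. Assumed: the primary is declared failed once
the initial failure plus Retry Count retries (default 5), spaced Retry Timeout
seconds apart (default 5), have all failed. Probe results are constructed."""
from dataclasses import dataclass, field
from typing import List, Tuple


@dataclass
class FailoverState:
    retry_count: int = 5       # Retry Count default from the guide
    retry_timeout: int = 5     # Retry Timeout default, in seconds
    active: str = "primary"    # the primary WAN carries traffic by default
    failures: int = 0          # consecutive failed attempts on the primary link
    retry_due: int = 0         # earliest time the next attempt is allowed
    transitions: List[Tuple[int, str]] = field(default_factory=list)


def check(state: FailoverState, now: int, primary_reachable: bool) -> str:
    """Process one reachability result for the primary link at time `now`
    (seconds) and return the link that currently carries traffic."""
    if now < state.retry_due:
        return state.active            # Retry Timeout not elapsed: attempt skipped
    if primary_reachable:
        state.failures = 0
        if state.active != "primary":  # primary regained connectivity: fail back
            state.active = "primary"
            state.transitions.append((now, "primary"))
        return state.active
    state.failures += 1
    state.retry_due = now + state.retry_timeout
    # Initial failure plus retry_count unsuccessful retries: the link is down,
    # so all Internet traffic is directed to the backup link.
    if state.active == "primary" and state.failures > state.retry_count:
        state.active = "backup"
        state.transitions.append((now, "backup"))
    return state.active


def simulate(probes, retry_count=5, retry_timeout=5):
    """Run a constructed probe timeline [(time_s, reachable), ...] and return
    the list of (time_s, link) transitions in the order they happened."""
    state = FailoverState(retry_count=retry_count, retry_timeout=retry_timeout)
    for t, reachable in probes:
        check(state, t, reachable)
    return state.transitions


# Constructed timeline: the primary is unreachable for 25 s, the probe at
# t=7 arrives before the Retry Timeout has elapsed and is ignored, and the
# primary comes back at t=30.
PROBES = [(0, False), (5, False), (7, False), (10, False), (15, False),
          (20, False), (25, False), (30, True), (35, True)]

if __name__ == "__main__":
    for t, link in simulate(PROBES):
        print(f"t={t:>3}s  traffic -> {link}")
```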
Configuring the VLAN
This section describes how to configure the VLANs. It includes the following topics:
• Configuring the VLANs, page 119
• Configuring DHCP Reserved IPs, page 122
Configuring the VLANs
The security appliance predefines a native VLAN (DEFAULT) and a guest VLAN (GUEST). You can change the settings for the predefined VLANs, or add new VLANs, for up to a total of 16 VLANs.

Choose the ports from the Port list and click ->Access to add them to the Member list and set the selected ports to Access mode. All packets going into and out of the Access ports are untagged. Access mode is recommended if the port is connected to a single end-user device which is VLAN unaware. Alternatively, you can choose the ports from the Port list and click ->Trunk to add them to the Member list and set the selected ports to Trunk mode.

NOTE The Start and End IP addresses must be in the same subnet as the VLAN IP address.
• Lease Time: Enter the maximum connection time that a dynamic IP address is “leased” to a network user. When the time elapses, the user's dynamic IP address is automatically renewed.
• DNS 1: Enter the IP address of the primary DNS server.
• DNS 2: Optionally, enter the IP address of the secondary DNS server.
• WINS 1: Enter the IP address for the primary WINS server.

• IPv6 Prefix Length: Enter the length of the IPv6 prefix in bits. The IPv6 network (subnet) is identified by the prefix, which consists of the initial bits of the address. The default prefix length is 64 bits. All hosts in the network have the identical initial bits for the IPv6 address. The number of common initial bits in the addresses is set by the prefix length field.
STEP 7 Click OK to save your settings.
STEP 8 Click Save to apply your settings.

Configuring the DMZ
A DMZ (Demarcation Zone or Demilitarized Zone) is a subnetwork that is behind the firewall but that is open to the public. By placing your public services on a DMZ, you can add an additional layer of security to the LAN. The public can connect to the services on the DMZ but cannot penetrate the LAN. You should configure your DMZ to include any hosts that must be exposed to the WAN (such as web or email servers).

In this scenario, the business has one public IP address, 209.165.200.225, which is used for both the security appliance’s public IP address and the web server’s public IP address. The administrator configures the configurable port to be used as a DMZ port. A firewall access rule allows inbound HTTP traffic to the web server at 172.16.2.30. Internet users enter the domain name that is associated with the IP address 209.165.200.225 and can then connect to the web server.
HTTP traffic to the web server at 172.16.2.30. The firewall rule specifies an external IP address of 209.165.200.226. Internet users enter the domain name that is associated with the IP address 209.165.200.226 and can then connect to the web server.
STEP 1 Click Networking -> DMZ. The DMZ window opens.
STEP 2 To add a DMZ, click Add. Other options: To edit an entry, click Edit. To delete an entry, click Delete.

STEP 4
STEP 5 In the DHCP Pool Settings tab, choose the DHCP mode from the DHCP Server drop-down list.
• Disable: Choose this option if the computers on the DMZ are configured with static IP addresses or are configured to use another DHCP server.
• DHCP Server: Allows the security appliance to act as a DHCP server and assign IP addresses to all devices that are connected to the DMZ. Any new DHCP client joining the DMZ is assigned an IP address from the DHCP pool.

The IPv6 network (subnet) is identified by the prefix, which consists of the initial bits of the address. The default prefix length is 64 bits. All hosts in the network have the identical initial bits for the IPv6 address. The number of common initial bits in the addresses is set by the prefix length field.
STEP 7 Click OK to save your settings.
STEP 8 Click Save to apply your settings.

Configuring the Zones
NOTE We recommend that you configure the zones before configuring the WAN, VLAN, DMZ, and the security features such as the zone-based firewall and UTM security services.
Security Levels for Zones
The security appliance supports five security levels for zones as described below. The greater the value, the higher the permission level. The VPN and SSLVPN zones have the same security level.
• Trusted (100): Offers the highest level of trust. The LAN zone is always trusted.

• SSLVPN: The SSLVPN zone is a virtual zone used for simplifying secure and remote SSL VPN connections. This zone does not have an assigned physical interface.
• VPN: The VPN zone is a virtual zone used for simplifying secure IPSec VPN connections. This zone does not have an assigned physical interface.
• GUEST: The GUEST zone can only be used for guest access. By default, the GUEST VLAN is mapped to this zone.

  - For VLANs, all security levels are selectable.
  - For DMZs, choose Public (50).
  - For WAN interfaces, choose Untrusted (0).
• Map VLANs to This Zone: Choose the existing VLANs or WAN interfaces from the Available VLANs list, and click the right arrow -> to add them to the Mapped to Zone list. You can create new VLANs by clicking Create VLAN.
STEP 5 Click OK to save your settings.
STEP 6 Click Save to apply your settings.
Configuring the Routing
• Viewing the Routing Table, page 131
• Configuring the Static Routing, page 132
• Configuring the Dynamic Routing, page 133
• Configuring Policy-based Routing Settings, page 134
• Priority of Routing Rules, page 136
Configuring the Routing Mode
Depending on the requirements of your ISP, you can configure your security appliance to operate in NAT mode or Routing mode. By default, NAT mode is enabled.
STEP 1 Click Networking -> Routing -> Routing.

STEP 2
• Symbol: The routing status flags.
• Metric: The cost of a route. Routing metrics are assigned to routes by routing protocols to provide measurable values that can be used to judge how useful (or how low cost) a route will be.
• Interface: The physical network interface through which this route is accessible.
Click Refresh to refresh the routing table.

• IP Address: Choose an IP address of the gateway through which the destination host or network can be reached.
• Metric: If needed, enter a number to manage the route priority. If multiple routes to the same destination exist, the route with the lowest metric is selected.
STEP 4 Click OK to save your settings.
STEP 5 Click Save to apply your settings.

STEP 4
• Port Passive: Determines how the security appliance receives RIP packets. Check this box to enable this feature on the interface or VLAN.
• Authentication: If you are using RIPv2, click Edit to specify the authentication method for the interface or VLAN.
  - None: Choose this option to disable authentication.
  - Simple Password Authentication: Choose this option to use simple password authentication. Enter the password in the field.

STEP 1 Click Networking -> Routing -> Policy Based Routing. The Policy-based Routing window opens.
STEP 2 Click On to enable PBR, or click Off to disable it.
STEP 3 To add a new PBR rule, click Add. Other options: To edit an entry, click Edit. To delete an entry, click Delete. The Policy-based Routing - Add/Edit window opens.
STEP 4 Enter the following information:
• From VLAN: Choose the VLAN for the outbound traffic.

STEP 6 Click Save to apply your settings.
Priority of Routing Rules
If multiple routing features operate simultaneously, the security appliance first matches the Policy-based Routing rules, and then matches the Static Routing and default Routing rules. For example, if WAN redundancy is set to the Weighted Load Balancing mode, and the PBR and Static Routing rules are configured, the routing priority works as follows:
1.
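Added example, not code from this guide or the appliance: a Python function that applies the lookup order just described (Policy-based Routing rules first, then Static Routing, then the default route), using the lowest-metric rule from the Static Routing page. The PBR destination and outgoing-WAN fields, longest-prefix precedence among static routes, and all addresses are assumptions.

```python
"""Route selection in the order the guide gives: Policy-based Routing (PBR)
rules first, then Static Routing, then the default route.
Added example for this guide; it is not ISA500 code. The PBR fields beyond
"From VLAN" and the sample networks are constructed for illustration."""
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network, ip_address, ip_network
from typing import List


@dataclass(frozen=True)
class PbrRule:
    from_vlan: str            # the "From VLAN" field on the PBR page
    destination: IPv4Network  # assumed additional match field
    out_wan: str              # assumed: WAN interface the rule steers traffic to


@dataclass(frozen=True)
class StaticRoute:
    destination: IPv4Network
    gateway: IPv4Address      # gateway "IP Address" on the Static Routing page
    metric: int               # lowest metric wins among routes to one destination
    interface: str


@dataclass(frozen=True)
class Decision:
    stage: str        # "pbr", "static" or "default": which rule set decided
    interface: str
    reason: str


def select_route(src_vlan: str, dst: str, pbr_rules: List[PbrRule],
                 static_routes: List[StaticRoute], default_wan: str) -> Decision:
    """Return the forwarding decision for one packet from src_vlan to dst."""
    dst_ip = ip_address(dst)

    # Stage 1: Policy-based Routing. The first rule matching the source VLAN
    # and destination wins; later rules and all static routes are skipped.
    for rule in pbr_rules:
        if rule.from_vlan == src_vlan and dst_ip in rule.destination:
            return Decision("pbr", rule.out_wan,
                            f"PBR {rule.from_vlan} -> {rule.destination}")

    # Stage 2: Static Routing. Among routes covering the destination the most
    # specific prefix is preferred (conventional longest-prefix behaviour,
    # assumed here); among equal prefixes the lowest metric is selected.
    matching = [r for r in static_routes if dst_ip in r.destination]
    if matching:
        best = min(matching, key=lambda r: (-r.destination.prefixlen, r.metric))
        return Decision("static", best.interface,
                        f"{best.destination} via {best.gateway} metric {best.metric}")

    # Stage 3: default route (the WAN chosen by the WAN redundancy settings).
    return Decision("default", default_wan, "default route")


# Constructed sample configuration (RFC 5737 documentation addresses).
PBR_RULES = [
    PbrRule("GUEST", ip_network("0.0.0.0/0"), "WAN2"),   # guest traffic always uses WAN2
]
STATIC_ROUTES = [
    StaticRoute(ip_network("10.20.0.0/16"), ip_address("192.0.2.1"), 10, "WAN1"),
    StaticRoute(ip_network("10.20.0.0/16"), ip_address("198.51.100.1"), 5, "WAN2"),
    StaticRoute(ip_network("10.20.7.0/24"), ip_address("192.0.2.1"), 20, "WAN1"),
]


def route_many(flows):
    """Decide a list of (src_vlan, dst) flows against the sample configuration."""
    return [(vlan, dst, select_route(vlan, dst, PBR_RULES, STATIC_ROUTES, "WAN1"))
            for vlan, dst in flows]


if __name__ == "__main__":
    for vlan, dst, d in route_many([("GUEST", "10.20.0.5"), ("DEFAULT", "10.20.0.5"),
                                    ("DEFAULT", "10.20.7.9"), ("DEFAULT", "203.0.113.7")]):
        print(f"{vlan:8} -> {dst:15} {d.stage:8} {d.interface}  ({d.reason})")
```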
Dynamic DNS
  - DynDNS.org: Dynamic Network Services provides world-class DNS hosting and management services, domain registration, email services, network monitoring by hostname or IP address, and web redirection.
  - No-IP.com: No-IP is a dynamic DNS provider (DDNS), both free and paid, backed by our industry proven network of highly available name servers.
• Active on Startup: Check this box to activate the DDNS service when the security appliance starts up.

STEP 5 Click Save to apply your settings.
IGMP
The Internet Group Management Protocol (IGMP) is a communication protocol used by hosts and adjacent routers on IP networks to establish multicast group memberships. IGMP can be used for online streaming video and gaming, and allows more efficient use of resources when supporting these types of applications.

STEP 3
  - IGMPv2: Leave messages are added to the protocol. This allows group membership termination to be quickly reported to the routing protocol, which is important for high-bandwidth multicast groups and/or subnets with highly volatile group membership.
  - IGMPv3: Major revision of the protocol. It allows hosts to specify the lists of hosts from which they want to receive traffic. Traffic from other hosts is blocked inside the network.

VRRP
• VRID: The master virtual router ID. A virtual router has a unique ID that is represented as the unique virtual MAC address. Enter a value from 1 to 255.
• Priority: The priority of the master virtual router. Priority determines the role that each VRRP router plays and what happens if the master virtual router fails. Enter a value from 1 to 254.

Configuring the Quality of Service
QoS guarantees are important if the network capacity is insufficient, especially for real-time streaming multimedia applications such as voice over IP, online games, and IPTV, since these applications are delay sensitive and often require a fixed bit rate. This section describes how to configure the WAN, LAN, and WLAN QoS.

• Configuring the WAN Queue Settings, page 142
• Configuring the Traffic Selectors for WAN Interfaces, page 144
• Configuring the WAN QoS Policy Profiles, page 145
• Mapping the WAN QoS Policy Profiles to WAN Interfaces, page 146
Managing the WAN Bandwidth for Upstream Traffic
Use the Bandwidth Settings page to determine how much traffic the WAN interfaces can send and receive.
STEP 1 Click Networking -> QoS -> WAN QoS -> Bandwidth Settings.
SP: Strict Priority. Egress traffic from the highest-priority queue (Q1) is transmitted first. Traffic from the lower queues is processed only after the higher queue has been emptied, so the lowest-numbered queue always takes precedence; under sustained load in Q1 the lower queues can be starved entirely.
WRR: Distributes the bandwidth between the classes using the weighted round robin scheme. The weights decide how many packets each queue may send per round, so every queue receives a share proportional to its weight even under load.
STEP 3 If needed, enter a brief description for each queue in the Queue Description field.
STEP 4 Click Save to apply your settings.
Configuring the Traffic Selectors for WAN Interfaces
A Traffic Selector (or Traffic Classification) classifies the traffic through the WAN interfaces into a traffic class so that traffic in need of management can be identified.
NOTE The security appliance allows you to create up to 256 traffic selectors.
• Destination Service: Choose Any or choose an existing service from the drop-down list. If the service object you want is not in the list, choose Create a Single Service to create a new service object. To maintain the service objects, go to the Networking -> Service Management page. See Service Management, page 154.
• DSCP: The Differentiated Services Code Point is the 6-bit field in the IP header (the upper six bits of the ToS/Traffic Class byte) that lets different levels of service be assigned to network traffic. DSCP values are set by the sending host, so trust them only on interfaces you control.
• Policy Name: Enter the name for the WAN QoS policy profile.
• Policy In/Out: Click Inbound to apply this policy profile to inbound traffic, or click Outbound to apply it to outbound traffic.
STEP 4 Specify the QoS settings for the traffic classes that you want to associate with the policy profile. Up to 64 traffic classes can be associated with one WAN QoS policy profile. Click Add to add a rule.
STEP 3 Enter the following information:
• Interface: The name of the WAN interface with which the policy profiles are associated.
• Inbound Policy Name: Choose an inbound policy profile for managing the inbound traffic through the selected WAN interface.
• Outbound Policy Name: Choose an outbound policy profile for managing the outbound traffic through the selected WAN interface.
STEP 4 Click OK to save your settings.
STEP 4
• SP: Traffic scheduling for the selected queue is based strictly on queue priority.
• WRR: Traffic scheduling for the selected queue is based on the WRR weights. If WRR is selected, the predefined weights 8, 4, 2 and 1 are assigned to queues 1, 2, 3 and 4 respectively.
• SP+WRR: Combines the SP and WRR schemes. It applies SP to two groups.
STEP 2 Depending on your network design, choose either DSCP or CoS as the remarking method for traffic through each LAN interface.
STEP 3 Click Save to apply your settings.
Mapping CoS to LAN Queue
STEP 1 Click Networking -> QoS -> LAN QoS -> Mapping CoS to Queue. The Mapping CoS to Queue window opens.
STEP 2 Choose the traffic forwarding queue to which each CoS priority tag value is mapped.
STEP 3
• Default CoS: Choose the default CoS priority tag value for the LAN interfaces, where 0 is the lowest and 7 is the highest.
• Trust: Choose Yes to keep the CoS tag value of packets through the LAN interfaces, or choose No to rewrite the CoS tag value of packets through the LAN interfaces.
Click Save to apply your settings.
802.1p  DSCP    Wireless Queue       WMM value
4       100xxx  Q2 (Video Priority)  4
5       101xxx  Q2 (Video Priority)  5
6       110xxx  Q1 (Voice Priority)  6
7       111xxx  Q1 (Voice Priority)  7
Configuring the Wireless QoS Classification Methods
Traffic Classification classifies the traffic through the SSIDs into a traffic class so that traffic in need of management can be identified.
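The classification table above and the SP/WRR queue schemes from the WAN Queue Settings page, worked through as an added Python example (editor-written code, not the appliance's or Cisco's): it pulls the DSCP out of an IPv4 header and the 802.1p priority out of an 802.1Q tag, maps both to the four queues using only the top three bits, exactly as the 100xxx/101xxx rows imply, and then drains a constructed backlog with SP, WRR (weights 8/4/2/1) and SP+WRR. The mapping of priority values 0 to 3 (not shown in the table) to Q3/Q4, and serving only Q1 strictly in SP+WRR, are assumptions made for the example.

```python
"""Added example, not code from the Cisco guide: classify packets into the four
forwarding queues from the DSCP or 802.1p value, then drain the queues with the
SP, WRR and SP+WRR schemes described on the WAN Queue Settings page.
Rows 4..7 of the class map follow the guide's table; mapping class selectors
0..3 to Q3/Q4 and serving only Q1 strictly in SP+WRR are assumptions."""
from collections import deque

Q1, Q2, Q3, Q4 = "Q1", "Q2", "Q3", "Q4"

# Guide's table: 802.1p / DSCP class selector 4,5 -> Q2 (video), 6,7 -> Q1 (voice).
# 0..3 are not on the page; Q4 for 0..2 and Q3 for 3 is an assumption.
CLASS_TO_QUEUE = {0: Q4, 1: Q4, 2: Q4, 3: Q3, 4: Q2, 5: Q2, 6: Q1, 7: Q1}

# Predefined WRR weights from the guide: Q1..Q4 = 8, 4, 2, 1.
WRR_WEIGHTS = {Q1: 8, Q2: 4, Q3: 2, Q4: 1}


def dscp_from_ipv4_header(hdr: bytes) -> int:
    """DSCP is the upper 6 bits of the second header byte (ToS); the low 2 bits are ECN."""
    if len(hdr) < 20 or hdr[0] >> 4 != 4:
        raise ValueError("not an IPv4 header")
    return hdr[1] >> 2


def pcp_from_vlan_tag(frame: bytes) -> int:
    """802.1p priority is the top 3 bits of the TCI in an 802.1Q tag (TPID 0x8100)."""
    if len(frame) < 16 or frame[12:14] != b"\x81\x00":
        raise ValueError("frame is not 802.1Q tagged")
    return frame[14] >> 5


def queue_for_dscp(dscp: int) -> str:
    """'100xxx' in the guide's table means only the top three DSCP bits matter."""
    return CLASS_TO_QUEUE[dscp >> 3]


def queue_for_pcp(pcp: int) -> str:
    return CLASS_TO_QUEUE[pcp]


def schedule(queues: dict, mode: str) -> list:
    """Return the order in which packets leave the interface.

    queues maps queue name -> iterable of packet ids; mode is "SP", "WRR" or
    "SP+WRR".  No packets arrive during the run, which is enough to show how
    each scheme orders a backlog."""
    order = [Q1, Q2, Q3, Q4]
    q = {name: deque(queues.get(name, ())) for name in order}
    out = []

    def strict(names):
        # Send one packet from the highest-priority non-empty queue.
        for name in names:
            if q[name]:
                out.append(q[name].popleft())
                return True
        return False

    def wrr_round(names):
        # Each queue may send up to its weight, then the turn passes on.
        for name in names:
            for _ in range(WRR_WEIGHTS[name]):
                if not q[name]:
                    break
                out.append(q[name].popleft())

    while any(q.values()):
        if mode == "SP":
            strict(order)
        elif mode == "WRR":
            wrr_round(order)
        elif mode == "SP+WRR":
            # Assumed split: Q1 is served strictly, Q2..Q4 share by weight.
            if not strict([Q1]):
                wrr_round([Q2, Q3, Q4])
        else:
            raise ValueError(f"unknown mode {mode!r}")
    return out


def demo_backlog() -> dict:
    """Constructed backlog (not captured traffic): 10 voice, 5 video, 3 Q3, 2 Q4 packets."""
    return {Q1: [f"v{i}" for i in range(1, 11)],
            Q2: ["a1", "a2", "a3", "a4", "a5"],
            Q3: ["b1", "b2", "b3"],
            Q4: ["c1", "c2"]}


if __name__ == "__main__":
    # Constructed sample packets: an IPv4 header carrying DSCP 46 (EF) and a
    # VLAN-tagged frame with PCP 6.
    ef_header = bytes([0x45, 46 << 2]) + bytes(18)
    tagged = bytes(12) + b"\x81\x00" + bytes([0xC0, 0x64])
    print(queue_for_dscp(dscp_from_ipv4_header(ef_header)))   # Q2 per the guide's table
    print(queue_for_pcp(pcp_from_vlan_tag(tagged)))           # Q1
    for mode in ("SP", "WRR", "SP+WRR"):
        print(mode, schedule(demo_backlog(), mode))
```

Running it shows the trade-off behind the choice of scheme: SP sends all ten voice packets before anything else, WRR lets Q2 through after Q1's eighth packet, and the assumed SP+WRR split keeps Q1 strict while sharing the remainder 4:2:1.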
STEP 2 Choose the traffic forwarding queue to which each DSCP priority tag value is mapped.
STEP 3 Click Save to apply your settings.
Address Management
Use the Address Object Management page to manage the address and address group objects. The security appliance is preconfigured with a long list of common address objects that you can use when configuring firewall access rules, port forwarding rules, or other features.
- Host: Defines a single host by its IP address. The netmask for a Host address object is automatically set to 32 bits (255.255.255.255) to identify it as a single host. If you choose Host, enter the IP address of the host in the IP Address field.
- Range: Defines a range of contiguous IP addresses. No netmask is associated with a Range address object, but internally each member of the range is treated as a 32-bit masked host object.
Other options: To edit an entry, check its box and click Edit. To delete an entry, check its box and click Delete. To delete multiple entries, check their boxes and click Delete Group. After you click Add or Edit, the Address Table - Add/Edit window opens.
STEP 3 Enter the name for the address group in the Group Name field.
STEP 4 To add address objects to the group, select them in the left list and click the right arrow ->.
Other options: To edit an entry, click Edit. To delete an entry, click Delete. To delete multiple entries, check the boxes of the entries and click Delete Service. After you click Add or Edit, the Service Table - Add/Edit window opens.
STEP 3 Enter the following information:
• Name: Enter the name for the service.
• Protocol: Specify the protocol and port range for the service:
- IP: Uses only the predefined IP protocol types.
STEP 1 Click Network -> Services. The Services window opens. All existing service group objects are listed in the Group Service table.
STEP 2 In the Group Service Table area, click Add Group to add a new service group. Other options: To edit an entry, click Edit. To delete an entry, click Delete. To delete multiple entries, check the boxes of the entries and click Delete Group. After you click Add or Edit, the Service Table - Add/Edit window opens.
5 Wireless Configuration for ISA550W and ISA570W
This chapter describes how to configure the radio settings and SSIDs for the ISA550W and ISA570W. It includes the following sections:
• Configuring the Radio Settings, page 157
• Configuring the Access Points, page 162
• Configuring Wi-Fi Protected Setup, page 172
• Configuring Wireless Rogue AP Detection, page 173
• Configuring Wireless Captive Portal, page 174
To access the Wireless pages, click Wireless in the left-hand navigation pane.
Basic Radio Settings
You can change the wireless network mode to suit the devices in your network, specify the wireless channel and bandwidth to work around interference from other access points in the area, or enable U-APSD and SSID Isolation if needed.
STEP 1 Click Wireless -> Basic Settings. The Basic Settings window opens.
STEP 3
• Bandwidth Channel: Choose 20 MHz, or choose Auto to let the system decide whether to bond a second 20 MHz channel (40 MHz operation). This setting applies to 802.11n traffic only.
• Extension Channel: If you choose Auto as the bandwidth channel, choose whether the second channel is the Lower or Upper adjacent channel.
• U-APSD: Click Enable to enable Unscheduled Automatic Power Save Delivery (U-APSD), which lets client stations conserve power, or click Disable to disable it.
If you enable WMM, the wireless QoS settings control the downstream traffic from the SSID to the client station and the upstream traffic from the client station to the SSID. For more information about wireless QoS, see Configuring the Wireless QoS, page 150.
• Station Isolation: Check this box so that wireless clients on the same SSID cannot see each other; it stops clients sharing an SSID from reaching one another at layer 2.
STEP 4 Click Save to apply your settings.
STEP 3
• Beacon Interval: Beacon frames are transmitted by the access point at regular intervals to announce the existence of the wireless network. Enter the interval in milliseconds, from 20 to 999. The default is 100, which means that a beacon frame is sent every 100 milliseconds.
Configuring the Access Points
The ISA550W and ISA570W support four SSIDs. By default, each SSID uses Open security and announces itself to every wireless device in range. For security purposes, we strongly recommend that you configure each SSID with the strongest security mode supported by the wireless devices that you want to allow into your network.
STEP 3 In the Edit Security Mode tab, choose the security mode and configure the corresponding settings:
• SSID Name: The name of the SSID to which the security mode settings apply.
• Security Mode: Choose the authentication and data encryption method for the SSID.
Security Mode  Description
Open  Any wireless device in range can connect to the SSID, and traffic is sent unencrypted.
Security Mode  Description
WPA  Wi-Fi Protected Access (WPA) provides better security than WEP because it derives fresh, rotating per-session keys (TKIP) instead of using one static key. It was an interim replacement for WEP, pending completion of the 802.11i standard that became WPA2. The following WPA security modes are supported on your security appliance. Choose one of them only if you must allow devices that do not support WPA2; TKIP has known weaknesses of its own, and WEP is considered broken regardless of key length.
WPA + WPA2  This mode allows both WPA and WPA2 clients to connect simultaneously. The SSID negotiates the encryption algorithm with each client device. This option raises security for newer clients while still admitting devices that do not support WPA2, but in mixed mode the group (broadcast and multicast) key must remain TKIP so that every client can use it, so it is weaker than a WPA2-only SSID.
• Encryption: Choose the WEP key type: 64 bits (10 hex digits), 64 bits (5 ASCII characters), 128 bits (26 hex digits), or 128 bits (13 ASCII characters). The default is 64 bits (10 hex digits). Larger keys are harder to guess, but WEP's keystream-reuse flaws let an attacker recover even a 128-bit key from captured traffic, so use WEP only where no WPA2-capable alternative exists.
STEP 9
• Shared Secret: The Pre-shared Key (PSK) is the shared secret for WPA. Enter a string of at least 8 and at most 63 characters. Anyone who captures a client's four-way handshake can test passphrase guesses offline, so a short or dictionary passphrase is easily recovered; use a long, random passphrase.
• Key Renewal Timeout: Enter the interval at which the key is refreshed for clients associated with this SSID. The valid range is 0 to 86400 seconds; a value of 0 means the key is never refreshed. The default is 3600 seconds.
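How the appliance and its clients turn the Shared Secret into key material, together with the offline attack that makes short passphrases weak, as an added example (editor-written Python, not Cisco code). derive_pmk implements the 802.11i PBKDF2 step with the standard library and is checked against the published "password"/"IEEE" test vector; the wordlist is constructed, and crack() compares against a known PMK rather than a captured handshake MIC, which keeps the example offline without changing the cost per guess.

```python
"""Added example, not from the Cisco guide: what the appliance (and every
802.11i client) does with the 8..63 character Shared Secret, plus the offline
guessing attack that makes short passphrases weak.  Standard library only."""
import hashlib
import math
from typing import Iterable, Optional


def check_passphrase(passphrase: str) -> None:
    """Enforce the guide's length rule and the 802.11i printable-ASCII charset."""
    if not 8 <= len(passphrase) <= 63:
        raise ValueError("WPA passphrase must be 8 to 63 characters")
    if any(not 0x20 <= ord(c) <= 0x7E for c in passphrase):
        raise ValueError("WPA passphrase must be printable ASCII")


def derive_pmk(passphrase: str, ssid: str) -> bytes:
    """IEEE 802.11i PSK: PBKDF2-HMAC-SHA1(passphrase, SSID, 4096 rounds, 32 bytes).

    The SSID is the salt, so the same passphrase yields a different PMK on a
    differently named network; it is not a secret, so it adds no strength."""
    check_passphrase(passphrase)
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode("ascii"),
                               ssid.encode("utf-8"), 4096, 32)


def crack(target_pmk: bytes, ssid: str, wordlist: Iterable[str]) -> Optional[str]:
    """Offline dictionary attack.  A real attack verifies each candidate against
    the MIC of a captured 4-way handshake instead of a known PMK, but the work
    per guess (one PBKDF2 derivation) is identical."""
    for candidate in wordlist:
        if not 8 <= len(candidate) <= 63:
            continue                      # cannot be a valid WPA passphrase
        if derive_pmk(candidate, ssid) == target_pmk:
            return candidate
    return None


def guess_space_bits(length: int, alphabet: int) -> float:
    """Entropy in bits of a uniformly random passphrase of `length` symbols."""
    return length * math.log2(alphabet)


if __name__ == "__main__":
    # 802.11i Annex test vector: passphrase "password", SSID "IEEE".
    print(derive_pmk("password", "IEEE").hex())
    # Constructed wordlist (not real data): the attack recovers the weak passphrase.
    print(crack(derive_pmk("password", "IEEE"), "IEEE", ["letmein1", "password", "Summer2011"]))
    # 8 lowercase letters is about 37.6 bits; 20 printable ASCII chars is about 131 bits.
    print(round(guess_space_bits(8, 26), 1), round(guess_space_bits(20, 95), 1))
```

The 4096 PBKDF2 rounds slow each guess down, but not enough to save an 8-character dictionary word against a GPU; the entropy figures are the practical argument for a long random passphrase on an SSID that many people know.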
NOTE You can also change the settings in the above fields. The RADIUS server settings you specify replace the default settings of the selected group. Go to the Device Management -> RADIUS Settings page to maintain the RADIUS server settings. See Configuring the RADIUS Servers, page 319.
STEP 12 If you choose RADIUS as the security mode, choose an existing RADIUS group for client authentication from the RADIUS Server-ID drop-down list. The RADIUS server settings of the selected group are displayed. You can also change the RADIUS server settings; the settings you specify replace the default settings of the selected group.
- Allow Only the Following MAC Addresses to Connect to the Wireless Network: Only the devices in the MAC Address table are allowed to connect to this SSID; all other devices are denied access.
- Prevent the Following MAC Addresses from Connecting to the Wireless Network: The devices in the MAC Address table are prevented from connecting to this SSID; all other devices are allowed access.
Because a client can set its MAC address to any value it observes on the air, MAC filtering is a convenience control, not a substitute for WPA2 authentication.
Configuring the SSID Schedule
You can specify a schedule that keeps the SSID active only during a certain period each day.
STEP 1 Click Wireless -> Basic Settings. The Wireless Basic Settings window opens.
STEP 2 In the SSID table area, click Edit to edit the settings of the SSID. After you click Edit, the Edit window opens.
STEP 3 In the Scheduling tab, specify the time per day to keep the SSID active.
Configuring Wi-Fi Protected Setup
The Wi-Fi Protected Setup (WPS) protocol simplifies the process of configuring security on wireless networks. It lets home users who know little about wireless security, and may be intimidated by the available security options, set up Wi-Fi Protected Access, which is supported by all Wi-Fi certified devices. The WPS PIN method is known to be vulnerable to brute forcing of the PIN, so leave WPS disabled except while you are actively enrolling a device.
STEP 1 Click Wireless -> Wi-Fi Protected Setup.
STEP 7
• Security: The security mode used for the selected SSID.
• Encryption: The encryption method used for the selected SSID.
Click Save to apply your settings.
Configuring Wireless Rogue AP Detection
A rogue access point (rogue AP) is any Wi-Fi access point connected to your network without authorization.
STEP 6
• To add an authorized AP to the known AP list, click Add.
• To delete an authorized AP from the known AP list, click Delete.
• To change the MAC address of an authorized AP, click Edit.
• To export the known AP list to a file, click Export List.
• To import the known AP list from a file, click Import List.
- If you want to replace the current known AP list, choose Replace.
• Web Authentication Type: Choose one of the following methods for web authentication. The security appliance can authenticate wireless users against the local database or an external AAA server (such as RADIUS, AD, or LDAP). The authentication method is derived from the user login settings that you specified on the Users -> Settings page.
For example, suppose you select Internal for authentication and set the web portal to www.ABcompanyC.com. When a wireless user tries to access www.google.com, the default web authentication login page opens. The user enters a user name and password and clicks Submit. After the user passes authentication, the user is first directed to the web portal (www.ABcompanyC.
6 Firewall This chapter describes how to control network access through the security appliance by using the zone-based firewall access rules or other methods such as MAC Filtering and Content Filtering.
Configuring the Firewall Access Rules to Control Inbound and Outbound Traffic
Zone-based firewall access rules permit or deny inbound or outbound traffic based on the zone, service, and source and destination address.
From\To      Trusted(100)  VPN(75)  Public(50)  GUEST(25)  Untrust(0)
Public(50)   Deny          Deny     Deny        Permit     Permit
GUEST(25)    Deny          Deny     Deny        Deny       Permit
Untrust(0)   Deny          Deny     Deny        Deny       Deny
The default access behaviors for all predefined zones and new zones follow the above pattern according to their security levels: by default, traffic is permitted only from a zone with a higher security level to a zone with a lower one, and denied otherwise.
NOTE Firewall access rules apply only to traffic between zones; traffic within a single zone is not evaluated by them.
Priorities of Firewall Access Rules
The security appliance includes three types of firewall access rules:
• Default access rules: The firewall access rules that are predefined on your security appliance for all predefined zones and new zones. The default access rules cannot be deleted or edited.
• To create a firewall access rule that applies only on a specific day and time, first create the firewall schedule. See Configuring the Firewall Schedule, page 186.
General Settings for Configuring the Firewall Access Rules
STEP 1 Click Firewall -> ACL Rules -> Rule. The ACL Rules window opens.
• Add: To add a new entry, click Add.
• Edit: To edit an entry, click Edit.
• Delete: To delete an entry, click Delete.
• Delete Selection: To delete multiple entries, check their boxes in the first column of the table and click Delete Selection.
• Log: Check this box to log an event each time the firewall access rule is hit.
Configuring a Firewall Access Rule
STEP 1 Click Firewall -> ACL Rules -> Rule. The ACL Rules window opens.
STEP 2 To add a new access rule, click Add. After you click Add, the Rule - Add/Edit window opens.
STEP 3 Enter the following information:
• Enable: Click On to enable the access rule, or click Off to create the rule without activating it.
• Schedule: By default, the access rule is always on. To keep the access rule active only at specified dates and times, choose a schedule for it. If the schedule you want is not in the list, choose Create New Schedule to create a new firewall schedule. To maintain the firewall schedules, go to the Firewall -> Schedule page. See Configuring the Firewall Schedule, page 186.
Configuring a Firewall Access Rule to Allow Multicast Traffic
By default, multicast traffic from any zone to any zone is blocked by the default firewall access rules. To allow multicast, first uncheck the Block Multicast Packets box on the Firewall -> Attack Protection page, and then create firewall access rules that permit multicast forwarding from a specific zone to the other zones.
• Match Action: Choose Permit to allow the traffic, or choose Deny to block it.
STEP 4 Click OK to save your settings.
STEP 5 Click Save to apply your settings.
Configuring the Firewall Schedule
The schedule specifies when an access rule is active. For example, if you want a firewall access rule to apply only on the weekend, create a schedule called “Weekend” that is active only on Saturday and Sunday.
STEP 1 Click Firewall -> Schedules.
- Specific Times: Choose this option to keep the access rule active only at specific times. Specify the Start Time and End Time by entering the hour and minute.
STEP 4 Click OK to save your settings.
STEP 5 Click Save to apply your settings.
Firewall Access Rule Configuration Examples
This section provides configuration examples for adding firewall access and NAT rules.
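A worked model of the evaluation order described above, as an added example (editor-written Python, not the appliance's code): ordered custom rules built from address objects, services and a schedule, falling back to the default action derived from the zone security levels when nothing matches. The zone names and levels are the guide's; the rule itself (block weekend Internet use from the range 10.1.1.1-10.1.1.100, Trusted to Untrust), the 2024 dates, and the assumption that the Trusted and VPN rows of the default table follow the same higher-to-lower comparison as the rows shown are illustrative.

```python
"""Added example, not the appliance's code: a small model of how the guide's
zone-based access rules are evaluated.  Custom rules are tried in order and the
first match wins; if none matches, the default action from the zone security
levels applies (permit only from a higher level to a lower one, as in the
guide's table; the Trusted and VPN rows are assumed to follow the same rule).
Address objects use the Host/Range/Network semantics of the Address Management
page, and the schedule follows the "Weekend" example."""
from dataclasses import dataclass
from datetime import datetime
from typing import Optional, Tuple
import ipaddress

ZONE_LEVEL = {"Trusted": 100, "VPN": 75, "Public": 50, "GUEST": 25, "Untrust": 0}


@dataclass(frozen=True)
class AddressObject:
    kind: str         # "Any", "Host", "Range" or "Network"
    value: str = ""   # "10.1.1.5", "10.1.1.1-10.1.1.100", "192.168.75.0/24"

    def contains(self, ip: str) -> bool:
        addr = ipaddress.ip_address(ip)
        if self.kind == "Any":
            return True
        if self.kind == "Host":       # implicit 255.255.255.255 mask
            return addr == ipaddress.ip_address(self.value)
        if self.kind == "Range":      # each member treated as a /32 host
            lo, hi = (ipaddress.ip_address(p.strip()) for p in self.value.split("-"))
            return lo <= addr <= hi
        if self.kind == "Network":
            return addr in ipaddress.ip_network(self.value, strict=False)
        raise ValueError(f"unknown address object kind {self.kind!r}")


@dataclass(frozen=True)
class Service:
    proto: str                          # "tcp", "udp" or "any"
    ports: Tuple[int, int] = (0, 65535)

    def matches(self, proto: str, port: int) -> bool:
        return self.proto in ("any", proto) and self.ports[0] <= port <= self.ports[1]


@dataclass(frozen=True)
class Schedule:
    days: frozenset                     # weekday numbers, Monday == 0
    start: str = "00:00"                # "Specific Times" window, inclusive
    end: str = "23:59"

    def active(self, when: datetime) -> bool:
        return when.weekday() in self.days and self.start <= when.strftime("%H:%M") <= self.end


@dataclass(frozen=True)
class Rule:
    from_zone: str
    to_zone: str
    service: Service
    src: AddressObject
    dst: AddressObject
    action: str                         # "Permit" or "Deny"
    enabled: bool = True
    schedule: Optional[Schedule] = None
    log: bool = False


def default_action(from_zone: str, to_zone: str) -> str:
    """Guide's table: Public->GUEST/Untrust and GUEST->Untrust permit, all else deny."""
    return "Permit" if ZONE_LEVEL[from_zone] > ZONE_LEVEL[to_zone] else "Deny"


def evaluate(rules, from_zone, to_zone, proto, port, src_ip, dst_ip, when):
    """Return (action, reason); reason is the index of the matching rule or 'default'."""
    if from_zone == to_zone:
        raise ValueError("access rules are inter-zone only")
    for i, r in enumerate(rules):
        if not r.enabled or (r.from_zone, r.to_zone) != (from_zone, to_zone):
            continue
        if r.schedule is not None and not r.schedule.active(when):
            continue                    # rule exists but is outside its schedule
        if r.service.matches(proto, port) and r.src.contains(src_ip) and r.dst.contains(dst_ip):
            return r.action, i
    return default_action(from_zone, to_zone), "default"


def at(text: str) -> datetime:
    """Parse 'YYYY-MM-DD HH:MM' for schedule checks."""
    return datetime.strptime(text, "%Y-%m-%d %H:%M")


def weekend_block_rules():
    """The guide's 'block weekend Internet use from an address range' example;
    the exact range and zones are assumed for illustration."""
    weekend = Schedule(days=frozenset({5, 6}))
    return [Rule("Trusted", "Untrust", Service("any"),
                 AddressObject("Range", "10.1.1.1-10.1.1.100"), AddressObject("Any"),
                 "Deny", schedule=weekend, log=True)]


if __name__ == "__main__":
    rules = weekend_block_rules()
    for stamp in ("2024-06-08 10:00", "2024-06-10 10:00"):   # a Saturday, then a Monday
        print(stamp, evaluate(rules, "Trusted", "Untrust", "tcp", 80,
                              "10.1.1.50", "203.0.113.9", at(stamp)))
    print(evaluate([], "GUEST", "Trusted", "tcp", 445, "192.168.25.5", "192.168.75.5",
                   at("2024-06-10 10:00")))
```

The Monday result is the point to notice when reviewing a rule set: once the schedule is inactive the rule simply disappears, and the decision falls through to the zone default, so a schedule-bound Deny is not a safe floor.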
Alternatively, go to the Firewall -> NAT -> Advanced NAT page and create an Advanced NAT rule as follows.
Allowing Inbound Traffic to the RDP Server Using a Specified Public IP Address
Use Case: You host an RDP server on the DMZ. Your ISP has provided a static IP address that you want to expose to the public as your RDP server address, and you want Internet users to reach the internal RDP server through that public address. Exposing RDP to the whole Internet invites password guessing; where possible, narrow the Source Address of the permit rule to the networks that need access, or require a VPN instead.
STEP 6
Parameter  Value
Original services  RDP
Translated source address  ANY
Translated destination address  RDPServer
Translated services  RDP
Then go to the Firewall -> ACL Rules -> Rule page and create a firewall access rule as follows to allow the access:
Parameter  Value
From Zone  WAN
To Zone  DMZ
Services  RDP
Source Address  ANY
Destination Address  RDPServer
Match Action  Permit
Allowing Inbound Traffic from a Specified Range of Outside Hosts
Use Case: You want to
Parameter  Value
Source Address  OutsideNetwork
Destination Address  InternalIP
Match Action  Permit
Blocking Outbound Traffic by Schedule and IP Address Range
Use Case: Block all weekend Internet usage if the request originates from a specified range of IP addresses.
Solution: Create a range address object with the range 10.1.1.1 to 10.1.1.
Parameter  Value
Services  SMTP
Source Address  Any
Destination Address  OffsiteMail
Match Action  Deny
Configuring the NAT Rules to Securely Access a Remote Network
Network address translation (NAT) lets hosts on private IP networks connect to the Internet.
• Priorities of NAT Rules, page 200
Configuring Dynamic PAT Rules
Dynamic PAT can only be used to establish connections from the private network to the public network. It translates multiple private addresses to one or more public IP addresses, telling the flows apart by port number.
NOTE For the duration of a translation, a remote host can initiate a connection to the translated host if a firewall access rule allows it.
Configuring Static NAT Rules
Static NAT creates a fixed translation of a real address to a mapped address. Because the mapped address is the same for every connection, static NAT allows bidirectional connection initiation, both to and from the host (if a firewall access rule allows it).
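The two NAT behaviours just described, as an added example (editor-written Python, not the appliance's implementation): a toy translator that does dynamic PAT by allocating one public source port per private flow, and static NAT as a fixed 1:1 mapping. It shows that an outside host can reach a PAT-translated host only while the entry exists, while the static mapping accepts inbound connections at any time; in both cases a firewall access rule would still have to permit the traffic. The addresses are documentation ranges chosen for the example, PAT is keyed on the private source only (simpler than a real 5-tuple table), and consulting static entries before PAT is an ordering assumed for illustration.

```python
"""Added example, not the appliance's code: a toy translator contrasting dynamic
PAT (many private hosts share one public address, one public port per flow)
with static NAT (fixed 1:1 mapping, reachable from outside at any time).
Addresses are documentation ranges chosen for illustration."""
from dataclasses import dataclass
from typing import Optional
import itertools


@dataclass(frozen=True)
class Flow:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


class Nat:
    def __init__(self, public_ip: str, static=None, first_port: int = 1024):
        self.public_ip = public_ip
        self.static = dict(static or {})                 # private ip -> mapped public ip
        self.reverse_static = {v: k for k, v in self.static.items()}
        self.pat = {}                                    # public port -> (private ip, port)
        self.pat_by_src = {}                             # (private ip, port) -> public port
        self._ports = itertools.count(first_port)        # next free public port

    def outbound(self, f: Flow) -> Flow:
        """Private-side packet leaving.  Static entries are consulted first
        (an ordering assumed here); anything else gets a dynamic PAT entry."""
        if f.src_ip in self.static:
            return Flow(self.static[f.src_ip], f.src_port, f.dst_ip, f.dst_port)
        key = (f.src_ip, f.src_port)
        if key not in self.pat_by_src:                   # first packet: create the entry
            port = next(self._ports)
            self.pat_by_src[key] = port
            self.pat[port] = key
        return Flow(self.public_ip, self.pat_by_src[key], f.dst_ip, f.dst_port)

    def inbound(self, f: Flow) -> Optional[Flow]:
        """Outside packet arriving.  Returns the translated flow, or None when no
        translation exists (the packet cannot reach a private host).  An access
        rule would still have to permit it."""
        if f.dst_ip in self.reverse_static:              # static: always reachable
            return Flow(f.src_ip, f.src_port, self.reverse_static[f.dst_ip], f.dst_port)
        if f.dst_ip == self.public_ip and f.dst_port in self.pat:   # PAT: only while mapped
            ip, port = self.pat[f.dst_port]
            return Flow(f.src_ip, f.src_port, ip, port)
        return None

    def expire(self, private_ip: str, private_port: int) -> None:
        """Translation timed out: the private host is no longer reachable via PAT."""
        port = self.pat_by_src.pop((private_ip, private_port), None)
        if port is not None:
            del self.pat[port]


def demo() -> dict:
    """Constructed scenario: two LAN hosts behind PAT and one DMZ host with static NAT."""
    nat = Nat("203.0.113.1", static={"192.168.75.10": "203.0.113.2"})
    a = nat.outbound(Flow("192.168.75.20", 50000, "198.51.100.5", 80))
    b = nat.outbound(Flow("192.168.75.21", 50000, "198.51.100.5", 80))
    reply = nat.inbound(Flow("198.51.100.5", 80, "203.0.113.1", a.src_port))
    nat.expire("192.168.75.20", 50000)
    after_expiry = nat.inbound(Flow("198.51.100.5", 80, "203.0.113.1", a.src_port))
    unsolicited = nat.inbound(Flow("198.51.100.7", 4444, "203.0.113.2", 3389))
    return {"a": a, "b": b, "reply": reply,
            "after_expiry": after_expiry, "unsolicited": unsolicited}


if __name__ == "__main__":
    for name, value in demo().items():
        print(name, value)
```

The "unsolicited" case is why the guide pairs every static NAT and port forwarding rule with an explicit access rule: the translation makes the DMZ host addressable from anywhere, so the ACL is the only thing deciding who may actually connect.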
STEP 5 Click Save to apply your settings.
Configuring Port Forwarding Rules
Port forwarding takes a TCP/IP packet that arrives at the NAT gateway from an outside host and forwards it to a predetermined port on a host inside the NAT-masqueraded (typically private) network, based on the destination port on which the gateway received it.
If the service you want is not in the list, choose Create a Service to create a new service object. To maintain the service objects, go to the Networking > Service Management page. See Service Management, page 154.
• Translated IP: Choose the IP address of the local server to which the traffic is translated. If the IP address you want is not in the list, choose Create an IP Address to create a new IP address object.
NOTE Port triggering is not appropriate for servers on the LAN, because the LAN device must make an outgoing connection before the incoming port is opened. For servers, create port forwarding rules instead.
STEP 1 Click Firewall -> NAT -> Port Trigger. The Port Trigger window opens. All existing port triggering rules are listed in the table.
NOTE You must create firewall access rules to allow the traffic so that the advanced NAT rule can function; a NAT rule by itself does not grant access.
STEP 1 Click Firewall -> NAT -> Advanced NAT. The Advanced NAT window opens. All existing advanced NAT rules are listed in the table.
STEP 2 To add a new advanced NAT rule, click Add. Other options: To edit an entry, click Edit. To delete an entry, click Delete.
If the IP address you want is not in the list, choose Create a New Address to create a new IP address object. To maintain the IP address objects, go to the Networking -> Address Object Management page. See Address Management, page 152. If the service you want is not in the list, choose Create a New Service to create a new service object. To maintain the service objects, go to the Networking -> Service Management page.
• RxPkt: The number of received packets.
• Tx Traffic (bytes): The volume in bytes of transmitted traffic.
• Rx Traffic (bytes): The volume in bytes of received traffic.
Priorities of NAT Rules
If multiple NAT features operate simultaneously on the security appliance:
• For pre-routing, the security appliance matches traffic first against the advanced NAT rules, and then against the static NAT, port forwarding, and port triggering rules.
STEP 3 Click Save to apply your settings.
Configuring the Content Filtering to Control Access to Internet
The Content Filtering feature controls which websites users can reach. It blocks or allows web access based on the content of the request (the URL or keywords in it) rather than on its source or other criteria. For encrypted (HTTPS) connections only the host name is visible to the appliance, so keyword rules on the URL path cannot match there.
STEP 2 To add a content filtering policy profile, click Add. Other options: To edit an entry, click Edit. To delete an entry, click Delete. After you click Add or Edit, the Add/Edit window opens.
STEP 3 Enter the following information:
• Policy Profile: Enter a descriptive name for the content filtering policy profile.
• Description: Enter a brief message describing the content filtering policy profile.
Configuring the Website Access Control List
The whitelist and blacklist define the websites that you want to permit or block. Up to 32 websites can be defined for each content filtering policy profile.
STEP 1 To add a website access rule to the list, click Add. Other options: To edit an entry, click Edit. To delete an entry, click Delete. To delete all entries, click Delete All.
Mapping the Content Filtering Policy Profiles to Zones
Use the Policy Profile & Zone Mapping page to map a content filtering policy profile to each zone.
STEP 1 Click Firewall -> Content Filtering -> Policy Profile & Zone Mapping. The Policy Profile & Zone Mapping window opens.
STEP 2 Click On to enable the content filtering feature, or click Off to disable it.
STEP 3
• Cookies: Check the box to block cookies, which typically carry session identifiers.
• When a web page is blocked: Choose one of the following actions for a blocked page:
- Use the default blocked page: Show the default blocked page. It displays a message such as “Access of this website is blocked due to security policy configurations on the security appliance”.
For example, if you click Add, the MAC Filtering - Add/Edit window opens. Select the MAC address object from the MAC Address drop-down list, and then click OK. If the MAC address object you want is not in the list, choose Create New Address to create a new MAC Address object. To maintain the MAC Address objects, go to the Networking -> Address Object Management page. See Address Management, page 152.
STEP 5 Click Save to apply your settings.
• IP Address: Choose an existing IP address object that you want to bind to the selected MAC address. If the IP address object you want is not in the list, choose Create an IP Address to add a new IP address object. To maintain the IP address objects, go to the Networking -> Address Object Management page. See Address Management, page 152.
• Log Dropped Packets: Choose Enable to log every packet dropped because it violates a binding. Otherwise, choose Disable.
• Block UDP Flood: Check the box to stop the security appliance from accepting more than 200 simultaneous, active UDP connections per second from a single computer on the LAN.
In the Firewall Settings area, enter the following information:
• Block ICMP Notification: Check the box to drop packets silently, without sending an ICMP notification to the sender. Some mechanisms, such as Path MTU Discovery, depend on ICMP notifications, so blocking them can break large transfers across paths with a smaller MTU.
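The per-host check behind Block UDP Flood, run over a constructed packet trace as an added example (editor-written Python, not Cisco code). It reads the guide's threshold as "at most 200 new UDP flows from one LAN host within any one-second window"; the trace, the addresses, and the choice to count each 5-tuple only once are constructed for illustration, and the detection is what a practitioner would reproduce on exported flow logs to check whether the threshold fits their LAN.

```python
"""Added example, not from the Cisco guide: the per-LAN-host rate check behind
'Block UDP Flood', applied to a constructed trace.  A 'connection' is a new UDP
5-tuple; once a source has opened `limit` new flows within the sliding window,
further new flows from it are dropped until the window moves on."""
from collections import defaultdict, deque


def detect_udp_flood(events, limit=200, window_ms=1000):
    """events: iterable of (timestamp_ms, src_ip, src_port, dst_ip, dst_port),
    sorted by time.  Returns (dropped_count, {src_ip: first_ms_flagged})."""
    seen = set()                       # 5-tuples already counted as flows
    recent = defaultdict(deque)        # src_ip -> start times of flows in window
    flagged = {}
    dropped = 0
    for ts, sip, sport, dip, dport in events:
        key = (sip, sport, dip, dport)
        if key in seen:
            continue                   # packet of an existing flow: not a new connection
        seen.add(key)
        q = recent[sip]
        while q and ts - q[0] >= window_ms:
            q.popleft()                # forget flows older than the window
        if len(q) >= limit:
            dropped += 1               # over the per-second budget: drop, do not count
            flagged.setdefault(sip, ts)
            continue
        q.append(ts)
    return dropped, flagged


def make_trace():
    """Constructed sample (not captured data): one host doing 50 DNS lookups in a
    second and one host opening 400 UDP flows to a SIP port within 0.4 s."""
    events = []
    for i in range(50):
        events.append((i * 20, "192.168.75.20", 40000 + i, "192.168.75.1", 53))
    for i in range(400):
        events.append((i, "192.168.75.99", 1024 + i, "198.51.100.5", 5060))
    events.sort()
    return events


if __name__ == "__main__":
    dropped, flagged = detect_udp_flood(make_trace())
    print(dropped, flagged)   # 200 {'192.168.75.99': 200}
```

The DNS-heavy host stays well under the budget while the flooding host loses everything after its 200th flow; a busy VoIP gateway or a host running a peer-to-peer client can legitimately approach the limit, which is the case to check before enabling the option on a LAN with such devices.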
Configuring the Application Level Gateway
The security appliance can function as an Application Level Gateway (ALG) so that NAT-unfriendly applications (such as SIP or H.323) work properly through it. If Voice over IP (VoIP) is used in your organization, enable the H.323 ALG or SIP ALG to open the ports that the VoIP sessions need. An ALG rewrites addresses inside the application payload, so if your PBX or phones already handle NAT traversal themselves, a SIP ALG can interfere with registration or media; in that case leave it disabled.
7 Security Services
This chapter describes how to configure the UTM security services that provide Internet threat protection.
• Managing the Security Services, page 210
• Intrusion Prevention Service, page 214
• Anti-Virus, page 220
• Email Reputation Filter, page 224
• Web URL Filter, page 226
• Web Reputation Filter, page 230
• Network Reputation, page 231
To access the Security Services pages, click Security Services in the left-hand navigation pane.
About the Security Services
The security services activated by the security license are listed in the following table.
Security Services  Description
Intrusion Prevention System  The Intrusion Prevention System (IPS) service protects the selected zones for a given set of signature categories. IPS monitors network traffic for malicious or unwanted behavior and can react in real time to block or prevent that activity.
Security License
The security services are licensable. The security license is valid for one year or three years depending on the bundle type. By default, the security appliance ships with a one-year bundle license for all security services. To renew the security license before it expires, go to the Device Management -> License Management page. See Managing the Security License, page 307.
• To enable a security service, check the box in the Enable column. By default, only the Network Reputation service is enabled.
NOTE If you enable the IM & P2P Blocking service, both the IPS service and the IM & P2P Blocking settings are enabled. If you enable the IPS (Signature) service, both the IPS service and the IPS Policy and Protocol Inspection settings are enabled.
• Redirected HTTP Port List: Specify the port numbers on which HTTP traffic is redirected for inspection. To add an entry, click Add. To edit an entry, click Edit. To delete an entry, click Delete.
STEP 5 Click Save to apply your settings.
Viewing the Security Service Reports
After you enable and configure the security services, you can enable the corresponding reports for these services to analyze their performance.
7 Security Services Intrusion Prevention Service This section includes the following topics: • General IPS Settings, page 215 • Configuring the IPS Policy and Protocol Inspection, page 216 • Blocking the Instant Messaging and Peer-to-Peer Applications, page 218 General IPS Settings Use the IPS Setup page to enable or disable the IPS service, choose the security zones you want to protect, update the IPS signatures, and view the IPS signature status and logs.
7 Security Services Intrusion Prevention Service To send alert emails for IPS Alert events, you first need to enable the IPS Alert feature and configure the email account settings, see Configuring the Email Alert Settings, page 316. And then configure the IPS Policy and Protocol Inspection settings and/or the IM and P2P Blocking settings, see Configuring the IPS Policy and Protocol Inspection, page 216 and Blocking the Instant Messaging and Peer-to-Peer Applications, page 218.
7 Security Services Intrusion Prevention Service • IPS (Signature) Enable: If you enable IPS, click On to enable the IPS Policy and Protocol Inspection settings. • View IPS Category Items: Allows you to view the signatures under a specific IPS category or protocol. For example, if you choose DoS, only the signatures under the DoS category are displayed. To display all signatures, choose All. • Search by IPS Signature ID: Allows you to view a specific signature by searching the signature ID.
7 Security Services Intrusion Prevention Service - To save the IPS logs to the remote syslog server if you have a remote syslog server support, you need to enable the Log feature, specify the Remote Log settings, and check the Remote Log boxes for the IPS (signature based) and IPS (reputation based) log facilities. For more information about how to configure the log settings and log facilities, and how to view the logs, see Log Management, page 302.
7 Security Services Intrusion Prevention Service For example, if you choose BitTorrent, only the signatures under the BitTorrent application are displayed. To display all signatures, choose All. STEP 3 • Search by Signature ID: Allows you to view a specific signature by searching the signature ID. Enter the signature ID in this field, and then click Search. To display all categories, click Reset. • Expand/Collapse: To expand the signatures under an IM or P2P application, click the + button.
STEP 4 Click Save to apply your settings.

Anti-Virus

The security appliance can scan for viruses over a multitude of protocols, including HTTP, FTP, POP3, SMTP, CIFS, NETBIOS, and IMAP. Because files containing malicious code and viruses can also be compressed, and therefore inaccessible to conventional anti-virus solutions, the security appliance integrates advanced decompression technology that automatically decompresses and scans the files on a per-packet basis.

• Select which zone to scan for viruses: Specify the zones whose incoming traffic is scanned for viruses:
- WAN zone: Choose this option to scan for viruses only in the traffic from the WAN zone to all other zones.
- WAN + VPN zone: Choose this option to scan for viruses in the traffic from both the WAN and VPN zones to all other zones.
- All zones: Choose this option to scan for viruses in the incoming traffic from all zones.

The available preventive actions for each protocol are listed in the following table.

Protocol   Preventive Actions
HTTP       None, Alert, Alert+Drop Connection
SMTP       None, Alert, Alert+Destruct File
FTP        None, Drop Connection
POP3       None, Alert, Alert+Destruct File
IMAP       None, Drop Connection
NETBIOS    None, Drop Connection
CIFS       None, Drop Connection

STEP 4 Because the compressed files in .bz2 and .

Configuring the Email Notification

Use the Email Notification page to configure the tag and content message that are displayed in the alert email. The subject of the alert email is tagged, for example [Virus] Email Subject. If you select Alert for the SMTP or POP3 protocol, when viruses are detected in an email, the original email and an alert email are sent to the email recipient.

Configuring the HTTP Notification

Use the HTTP Notification page to configure the alert message shown when viruses are detected in files downloaded over HTTP. If you select Alert, an alert message is sent to the user when viruses are detected. If you select Alert+Drop Connection, the connection is dropped and an alert message is sent to the user when viruses are detected.

Email Reputation Filter

• Enable Anti-Spam Filter: Click On to enable the Email Reputation Filter, or click Off to disable it.
• SMTP Server Address: Enter the address of the SMTP server.
• Choose Reputation Threshold: Specify the block sensitivity as Conservative, Moderate, or Aggressive, or as a numerical threshold (Custom). When the Custom radio button is selected, the drop-down lists next to it are enabled, allowing the threshold values to be entered.
Web URL Filter

The Web URL Filter feature provides protection against URL categories. The Web URL Filter policy profile assigned to each zone determines whether to block or forward the HTTP requests from the hosts in the zone. Blocked requests are logged.

CAUTION Enabling the Web URL Filter consumes additional system resources and may impact system performance. Go to the Status -> Dashboard page to view the CPU and memory utilization.

• Select URL Categories to Block: Specify the URL categories to be blocked. To block a URL category, check its box. Click Select All to block all categories, or click Clear All to permit all categories. If needed, specify the whitelist and blacklist of websites to permit or block specific websites. For complete details, see Configuring the Whitelist and Blacklist of Websites, page 227.

Other Options: To edit an entry, click Edit. To delete an entry, click Delete. To delete all entries, click Delete All. After you click Add or Edit, the Add/Edit window opens.

STEP 3 Enter the following information:
• Enable Content Filter URL: Click On to enable the access control rule, or click Off to create the access control rule without enabling it.
• URL: Enter the domain name or URL keyword of a website that you want to permit or block.

NOTE Enabling the Web URL Filter service disables the firewall content filtering settings.

STEP 3 In the Specify the policy used for each zone area, choose the Web URL Filter policy profile used for each zone.

STEP 4 Click Save to apply your settings.

Configuring Advanced Web URL Filter Settings

STEP 1 Click Security Services -> Web URL Filter -> Advanced Settings. The Advanced Settings window opens.

- Block all web traffic until web URL filter services are restored: If you choose this option, all web traffic is blocked until the Web URL Filter services are restored, and the default blocked page is displayed. The default blocked page displays a message to remind the user. You can edit the message in the Block Message field.

Web Reputation Filter

Enter the following information:
• Enable Web Threat Filter: Click On to enable the Web Reputation Filter feature, or click Off to disable it.
• Choose Reputation Threshold: If you enable the Web Reputation Filter feature, specify the block sensitivity as Conservative, Moderate, or Aggressive, or as a numerical threshold (Custom). The threshold values for the Conservative, Moderate, and Aggressive options are predefined and cannot be edited.
8 VPN

This chapter describes how to configure Virtual Private Networks (VPNs) that allow other sites and remote workers to access your network resources.
• Cisco IPSec VPN Client: The Cisco IPSec VPN Client feature minimizes the configuration requirements at remote locations by allowing the security appliance to work as a Cisco VPN hardware client and receive the security policies over the VPN tunnel from a remote Cisco IPSec VPN Server. See Configuring the Cisco IPSec VPN Client, page 238.

Configuring the Cisco IPSec VPN Server

Cisco VPN Client Compatibility

The remote client can be a Cisco device that supports the Cisco IPSec VPN Client feature (a Cisco VPN hardware client) or a PC running the Cisco VPN Client software (v4.x or 5.x, a Cisco VPN software client).

Figure 6 IPSec Remote Access with a Cisco VPN Client Software or a Cisco Device as a Cisco VPN Hardware Client (figure label: DNS Server 10.10.10.)

Configuring the Group Policies for Cisco IPSec VPN Server

This section describes how to enable the Cisco IPSec VPN Server feature and specify the group policies that the remote clients can use to establish the IPSec VPN tunnels.

NOTE The security appliance supports up to 16 group policies for the Cisco IPSec VPN Server.

STEP 1 Click VPN -> Remote User Access -> Cisco IPSec VPN Server. The Cisco IPSec VPN Server window opens.

• Mode: The operation mode determines whether the inside hosts behind the Cisco VPN hardware client are accessible from the corporate network over the IPSec VPN tunnel. Specifying an operation mode is mandatory before making a connection because the Cisco VPN hardware client does not have a default mode. For more information, see Modes of Operation, page 240.

NOTE The VPN access rules that are automatically generated by the Zone Access Control settings are added to the firewall access rule table with a priority higher than the default access rules but lower than the custom access rules.

STEP 6 In the Mode Config Settings tab, enter the following information:
• Primary DNS Server: Enter the IP address of the primary DNS server.
• Secondary DNS Server: Enter the IP address of the secondary DNS server.

NOTE To use Split DNS, you must also enable the split tunneling feature and specify the domains. The Split DNS feature supports up to 10 domains.

STEP 7 Click OK to save your settings.

STEP 8 Click Save to apply your settings.

STEP 9 To check the status and statistics for IPSec VPN tunnels, go to the Session Status -> VPN Table page. See Monitoring the IPSec VPN Status, page 269.
Configuring the Cisco IPSec VPN Client

This section describes how to configure the Cisco IPSec VPN Client feature.

• Eliminates the need for end users to purchase and configure external VPN devices.
• Eliminates the need for end users to install and configure Cisco VPN Client software on their PCs.
• Offloads the creation and maintenance of the VPN connections from the PC to the router.
• Reduces interoperability problems between the different PC-based software VPN clients, external hardware-based VPN solutions, and other VPN applications.

Figure 7 illustrates the client mode of operation. In this example, the security appliance provides access to two PCs, which have IP addresses in the 10.0.0.0 private network space. These PCs connect to the Ethernet interface on the security appliance, and the server assigns the IP address 192.168.101.2 to the security appliance. The security appliance performs NAT or PAT translation over the VPN tunnel so that the PCs can access the destination network.

NAT or PAT translation over the VPN tunnel. When accessing the remote network 192.168.100.x, the hosts 10.0.0.3 and 10.0.0.4 are not translated, and hosts in the remote network 192.168.100.x can access the hosts 10.0.0.3 and 10.0.0.4 directly. The client hosts are given IP addresses that are fully routable by the destination network over the tunnel.

• Auto Initiation Retry: Click On to enable the Auto Initiation Retry feature, or click Off to disable it. This feature re-initiates the VPN connection to the primary server if it does not respond within the timeout. When the primary server cannot be connected within the timeout, the client tries to initiate the VPN connection to the backup servers.

• Server (Remote Address): Enter the IP address of the remote Cisco IPSec VPN server.
• Connection on Startup: Click On to establish the connection with the remote server when your security appliance starts up, or click Off to disable it. Only one connection can be active on startup.
• Authentication Method: The client must be properly authenticated before it can access the remote network.

permit the access, or click Deny to deny the access. By default, access from all zones to the remote network is permitted.

NOTE The VPN access control rules that are automatically generated by the Zone Access Control settings are added to the firewall access rule table with a priority higher than the default firewall access rules but lower than the custom firewall access rules.
Configuring the Site-to-Site VPN

The Site-to-Site VPN tunnel connects two routers to secure traffic between two sites that are physically separated.

Figure 10 Site-to-Site VPN (figure labels: Site A with an ISA500, Inside 10.10.10.0; Site B with an ISA500, Inside 10.20.20.0; Outside addresses 209.165.200.226 and 209.165.200.236 toward the Internet; printers and personal computers at each site)

This section describes how to configure a Site-to-Site VPN tunnel.

• (Optional) Import the certificate for authentication between the two peers. Skip this step if you want to use a pre-shared key for authentication. See Managing the Certificates for Authentication, page 310.
• Enable the Site-to-Site VPN feature on your security appliance. See General Site-to-Site VPN Settings, page 247.
• Configure the IPSec IKE policies. See Configuring the IPSec IKE Policies, page 254.
• Configure the IPSec Transform policies.

• Transform: The transform policy used for the IPSec VPN policy.

STEP 2 Click On to enable the Site-to-Site VPN feature, or click Off to disable it.

STEP 3 Check the box of an IPSec VPN policy in the Enable column to enable the IPSec VPN policy, or uncheck the box to disable the policy.

STEP 4 After you enable the Site-to-Site VPN feature, check the box of an enabled IPSec VPN policy and click Connect to establish the IPSec VPN tunnel.

• IPSec Policy Enable: Click On to enable the IPSec VPN policy, or click Off to create the IPSec VPN policy without enabling it. For an enabled IPSec VPN policy, the VPN tunnel can be connected by manually clicking Connect or can be triggered by traffic.
• Remote Type: Choose one of the following types for the remote peer:
- Static IP: Choose this option if the remote peer uses a static IP address. Enter the IP address of the remote peer in the Address field.

For the example illustrated in Figure 10, Site A has a LAN IP address of 10.10.10.0 and Site B has a LAN IP address of 10.20.20.0. When you configure the Site-to-Site VPN on Site A, the local network is 10.10.10.0 and the remote network is 10.20.20.0. If the IP address object is not in the list, choose Create an IP Address to add a new address object. To maintain the address objects, go to the Networking -> Address Object Management page.

Clean: Terminates the IPSec tunnel after the timeout. You must manually re-initiate the IPSec VPN tunnel. We recommend that you use Clean when the remote peer uses a dynamic IP address.
Restart: Re-initiates the IPSec VPN tunnel up to three times after the timeout.
• Windows Network (NetBIOS) Broadcasting: Click On to allow access to remote network resources by NetBIOS name, for example, when browsing Windows Network Neighborhood.

one site to access the hosts at the other site, Network Address Translation (NAT) is used on the routers to change both the source and destination addresses to different subnets.

Figure 11 Networking example that simulates two merging companies with the same IP addressing scheme

In this example, when the host 172.16.1.2 at Site A accesses the same-IP-addressed host at Site B, it connects to a 172.19.1.2 address rather than to the actual 172.16.1.2 address.
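The Figure 11 scenario above describes the result (a Site A host reaches its Site B twin by addressing 172.19.1.2) but not the two rewrites that produce it. The following Python script is an added example, not part of the guide or of the appliance, that models what each site's router must do: rewrite the source into the site's alias subnet on the way out, and rewrite the destination from the alias back to the real subnet on the way in. Site B's alias subnet 172.19.1.0/24 follows the guide's text; Site A's alias 172.18.1.0/24 and the host addresses are constructed for the example.

```python
"""Added example (not from the ISA500 guide or Cisco): address translation
that lets two sites with the same LAN subnet talk over a site-to-site
tunnel, as in the guide's Figure 11. Each site keeps its real subnet and is
addressed by the other site through a distinct alias subnet; the router at
each site rewrites the source on the way out and the destination on the way
in. Site B's alias 172.19.1.0/24 follows the guide; Site A's alias
172.18.1.0/24 is constructed here."""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Site:
    real: str   # LAN subnet actually configured at the site
    alias: str  # subnet by which the other site addresses this site


def translate(addr, from_net, to_net):
    """Move addr from from_net to the same host number in to_net."""
    addr = ipaddress.IPv4Address(addr)
    src = ipaddress.IPv4Network(from_net)
    dst = ipaddress.IPv4Network(to_net)
    if src.prefixlen != dst.prefixlen:
        raise ValueError("real and alias subnets must be the same size")
    if addr not in src:
        raise ValueError(f"{addr} is not in {src}")
    host_bits = int(addr) & int(src.hostmask)
    return str(ipaddress.IPv4Address(int(dst.network_address) | host_bits))


def egress(site, packet):
    """Router at `site`, packet leaving the LAN: rewrite the source."""
    src, dst = packet
    return translate(src, site.real, site.alias), dst


def ingress(site, packet):
    """Router at `site`, packet arriving from the tunnel: rewrite the destination."""
    src, dst = packet
    return src, translate(dst, site.alias, site.real)


def send_over_tunnel(packet, sender, receiver):
    """Return the (source, destination) pair the receiving host actually sees."""
    return ingress(receiver, egress(sender, packet))


# Both sites really use 172.16.1.0/24, the Figure 11 scenario.
SITE_A = Site(real="172.16.1.0/24", alias="172.18.1.0/24")
SITE_B = Site(real="172.16.1.0/24", alias="172.19.1.0/24")

if __name__ == "__main__":
    # Host 172.16.1.2 at Site A reaches the Site B host with the same address
    # by sending to Site B's alias 172.19.1.2 (constructed sample flow).
    request = ("172.16.1.2", "172.19.1.2")
    print("Site B host receives:", send_over_tunnel(request, SITE_A, SITE_B))
    reply = ("172.16.1.2", "172.18.1.2")
    print("Site A host receives:", send_over_tunnel(reply, SITE_B, SITE_A))
```

Because the host part of the address is preserved, the reply from Site B is addressed to 172.18.1.2 and arrives at Site A's router, which maps it back to the real 172.16.1.2; neither host ever sees the other's real address, which is what makes the duplicate subnets usable.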
• IKE Policy: Choose the IKE policy used for the IPSec VPN tunnel. If the IKE policy is not in the list, go to the IKE Policies page to create new IKE policies. See Configuring the IPSec IKE Policies, page 254.
• Transform: Choose the transform policy used for the IPSec VPN tunnel. If the transform policy is not in the list, go to the Transform Policies page to create new transform policies. See Configuring the IPSec Transform Policies, page 256.

NOTE DPD should be enabled if you want to use the Redundant Gateway feature for the IPSec VPN connection.

STEP 6 Click OK to save your settings.

STEP 7 Click Save to apply your settings.

NOTE Next Steps:
• To maintain the IKE policies, click Site-to-Site -> IKE Policies. See Configuring the IPSec IKE Policies, page 254.
• To maintain the Transform policies, click Site-to-Site -> Transform Policies. See Configuring the IPSec Transform Policies, page 256.

After you click Add or Edit, the IKE Policy - Add/Edit window opens.

STEP 3 Enter the following information:
• Name: Enter a unique name for the IKE policy.
• Encryption: Choose the algorithm used to negotiate the security association. The security appliance supports four algorithms: ESP_3DES, ESP_AES-128, ESP_AES-192, and ESP_AES-256.
• HASH: Specify the authentication algorithm for the VPN header.

STEP 4 Click OK to save your settings.

STEP 5 Click Save to apply your settings.

Configuring the IPSec Transform Policies

A transform policy specifies the integrity and encryption algorithms the peers use to protect data communications. Both peers must use the same algorithms to communicate.

NOTE The security appliance supports up to 16 transform policies.

STEP 1 Click VPN -> Site-to-Site -> Transform Policies. The Transform Policies window opens.

• Encryption: Choose the symmetric encryption algorithm that protects data transmitted between the two IPsec peers. The default is 168-bit Triple DES (ESP_3DES). The Advanced Encryption Standard supports key lengths of 128, 192, and 256 bits.
- ESP_3DES: Encryption with 3DES (168-bit).
- ESP_AES_128: Encryption with AES (128-bit).
- ESP_AES_192: Encryption with AES (192-bit).
- ESP_AES_256: Encryption with AES (256-bit).

STEP 4 Click OK to save your settings.
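The transform policy section above states that both peers must use the same algorithms, and lists the ESP_* encryption choices. The following Python script is an added example, not part of the guide or of the appliance, for checking two sites' transform policies against each other before a tunnel is brought up: it finds the proposals both sides share, ranks them by encryption strength, and flags proposals below a chosen strength floor. Proposals are modelled as (encryption, integrity) pairs; the integrity names, the strength ordering, the 128-bit floor and the sample policies are this example's assumptions, not values from the guide.

```python
"""Added example (not from the ISA500 guide or Cisco): check that two
site-to-site peers share a transform proposal before bringing a tunnel up.
A proposal is an (encryption, integrity) pair. Encryption names are the
ESP_* values listed in the guide; the integrity names, the strength ranking
and the sample policies are this example's own assumptions."""

# Effective key strength in bits, used only to rank common proposals.
# 3DES has a 168-bit key but about 112 bits of effective strength.
ENCRYPTION_STRENGTH = {
    "ESP_3DES": 112,
    "ESP_AES_128": 128,
    "ESP_AES_192": 192,
    "ESP_AES_256": 256,
}


def validate_policy(policy):
    """Reject encryption names the appliance does not offer."""
    for encryption, _integrity in policy:
        if encryption not in ENCRYPTION_STRENGTH:
            raise ValueError(f"unsupported encryption algorithm: {encryption}")


def common_proposals(local, remote):
    """Proposals configured on both peers, strongest encryption first."""
    validate_policy(local)
    validate_policy(remote)
    remote_set = set(remote)
    common = [p for p in local if p in remote_set]
    # sorted() is stable, so equal-strength proposals keep the local order.
    return sorted(common, key=lambda p: ENCRYPTION_STRENGTH[p[0]], reverse=True)


def select_proposal(local, remote):
    """The proposal the tunnel can use, or None when the peers cannot agree."""
    common = common_proposals(local, remote)
    return common[0] if common else None


def weak_proposals(policy, minimum_bits=128):
    """Proposals whose effective encryption strength is below the floor."""
    validate_policy(policy)
    return [p for p in policy if ENCRYPTION_STRENGTH[p[0]] < minimum_bits]


# Constructed sample policies for two sites (integrity names assumed).
SAMPLE_LOCAL = [("ESP_3DES", "SHA1"), ("ESP_AES_256", "SHA1")]
SAMPLE_REMOTE = [("ESP_AES_128", "SHA1"), ("ESP_AES_256", "SHA1"), ("ESP_3DES", "SHA1")]

if __name__ == "__main__":
    chosen = select_proposal(SAMPLE_LOCAL, SAMPLE_REMOTE)
    print("tunnel would use:", chosen if chosen else "nothing; peers do not agree")
    for proposal in weak_proposals(SAMPLE_LOCAL):
        print("below the strength floor, consider removing:", proposal)
```

Run against the two sites' policy lists, the script answers the question the guide's note raises (do the peers have a matching transform at all?) before the first connection attempt fails, and the strength check gives a reason to move off the 3DES default where the remote peer also supports AES.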
Configuring the SSL VPN

Figure 12 SSL VPN for Remote Access (figure labels: Cisco AnyConnect VPN Clients on the Internet; ISA500 with Outside interface; Internal network, Inside 10.10.10.0; DNS Server 10.10.10.163; WINS Server 10.10.10.133)

Use the SSL Remote Access pages to configure the SSL VPN gateway, SSL VPN group policies, and SSL VPN portal. The security appliance supports multiple concurrent SSL VPN sessions to allow remote users to access the LAN.

• SSL VPN Group Policies: The default SSL VPN policy ("SSLVPNDefaultPolicy") is sufficient for most purposes. As needed, you can create custom policies to meet specific business needs. See Configuring the SSL VPN Group Policies, page 263.
• Cisco AnyConnect VPN Client: The Cisco AnyConnect VPN Client is the next-generation VPN client, providing remote users with secure VPN connections to the security appliance.

Installing the Cisco AnyConnect VPN Client on a User's PC

You can set up a user's PC to run the Cisco AnyConnect VPN Client in standalone mode by installing the client software for the appropriate operating system directly on the user's PC. In standalone mode, the user starts the Cisco AnyConnect VPN Client and provides the authentication credentials. The security appliance supports the Cisco AnyConnect VPN Client v2.x and v3.0 (SSL VPN function only).

VPN group policies for them. Specifying an SSL VPN group policy for a user group enables the SSL VPN service for all SSL VPN users in that group. For complete details about the users and user groups, see Configuring the Users and Groups, page 275. Depending on the user login settings specified on your security appliance, the SSL VPN users can be authenticated by the local database or by an external AAA server (such as Active Directory, LDAP, or RADIUS).

NOTE Configure an IP address range that does not directly overlap with any of the addresses on your local network.
• Client Netmask: Enter the netmask used for SSL VPN clients. The Client Address Pool is used together with the Client Netmask. If they are set as follows, the SSL VPN client gets a VPN address in the range 10.0.0.1 to 10.0.0.254:
- Client Address Pool = 10.0.0.0
- Client Netmask = 255.255.255.

• SSL VPN Portal Message: Enter the message that you want to display on the SSL VPN portal. The SSL VPN portal provides a link to download the Cisco AnyConnect VPN Client software installer from the Cisco.com website. A CCO account is required to log into the website for downloading. For more information about the SSL VPN portal, see Configuring the SSL VPN Portal, page 266.

STEP 5 Click Save to apply your settings.
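The Client Address Pool and Client Netmask settings above give one worked pair (10.0.0.0 with a /24 netmask yields 10.0.0.1 to 10.0.0.254) and a NOTE that the range must not overlap the local network. The following Python script is an added example, not part of the guide or of the appliance, that computes the client range for any pool and netmask the same way and reports which local networks it would overlap. The LAN subnets it is run against are constructed sample values, not values from the guide.

```python
"""Added example (not from the ISA500 guide or Cisco): derive the SSL VPN
client address range from the Client Address Pool and Client Netmask, and
report overlaps with local networks, as the guide's NOTE requires.
The LAN subnets used in the demonstration are constructed sample values."""
import ipaddress


def client_address_range(pool, netmask):
    """Return (first, last) client addresses for the pool/netmask pair.

    The pool is the network address and the netmask its mask. The network
    and broadcast addresses are excluded, so 10.0.0.0 / 255.255.255.0 gives
    10.0.0.1 .. 10.0.0.254, matching the guide's example. A pool with host
    bits set (for example 10.0.0.5 / 255.255.255.0) raises ValueError,
    because such a pool is not a network address.
    """
    net = ipaddress.IPv4Network((pool, netmask))  # strict: rejects host bits
    hosts = list(net.hosts())
    if not hosts:
        raise ValueError(f"{net} leaves no usable client addresses")
    return str(hosts[0]), str(hosts[-1])


def overlapping_local_networks(pool, netmask, local_networks):
    """Return the local networks (CIDR strings) that overlap the client pool.

    An empty list means the pool satisfies the guide's NOTE: no address in
    the pool is also an address on the local network.
    """
    pool_net = ipaddress.IPv4Network((pool, netmask))
    return [cidr for cidr in local_networks
            if pool_net.overlaps(ipaddress.IPv4Network(cidr))]


if __name__ == "__main__":
    # Constructed sample LANs: one that is fine, one that collides with the pool.
    lans = ["192.168.75.0/24", "10.0.0.128/25"]
    first, last = client_address_range("10.0.0.0", "255.255.255.0")
    print(f"SSL VPN clients get {first} .. {last}")
    for cidr in overlapping_local_networks("10.0.0.0", "255.255.255.0", lans):
        print(f"pool overlaps local network {cidr}; choose a different pool")
```

An overlap is worth catching before users connect: a client whose VPN address collides with a LAN host makes return traffic ambiguous for the appliance, and the symptom is an intermittent loss of reachability that is hard to diagnose from the client side.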
• Secondary WINS: Enter the IP address of the secondary WINS server.

STEP 5 In the IE Proxy Settings tab, enter the following information. The SSL VPN gateway can specify several Microsoft Internet Explorer (MSIE) proxies for client PCs. If these settings are enabled, IE on the client PC is automatically configured with these settings:
• IE Proxy Policy: Choose one of the following IE proxy policies:
- None: Allows the browser to use no proxy settings.

a route is added on the SSL VPN client in the Address field and the subnet mask for the destination network in the Netmask field, and then click Add.
- Exclude Traffic: Allows you to exclude the destination networks on the SSL VPN client. The traffic to the destination networks is routed through the SSL VPN client's native network interface (resolved through the Internet Service Provider or WAN connection).

STEP 8 Click Save to apply your settings.

Configuring the SSL VPN Portal

Users can access the SSL VPN portal via a web browser from the WAN or LAN side to download the Cisco AnyConnect VPN Client software installer from the Cisco.com website. A CCO account is required to log into the website for downloading the software installer. For example, if the IP address of the SSL VPN gateway is 173.39.202.103, enter https://173.39.202.

Configuring the L2TP Server

STEP 2 Click On to enable the L2TP server, or click Off to disable it.

STEP 3 If you enable L2TP, enter the following information:
• Listen WAN Interface: Choose the WAN interface on which the L2TP server listens to accept incoming L2TP VPN connections.
• User Name: Enter the user name that all L2TP clients use to access the L2TP server.
• Password: Enter the password that all L2TP clients use to access the L2TP server.

Configuring the VPN Passthrough

You need to configure VPN passthrough if there are devices behind the security appliance that need to set up VPN tunnels independently, for example, to connect to another router on the WAN.

STEP 1 Click VPN -> Passthrough. The Passthrough window opens.

Enter the following information:
• L2TP: Click On to allow L2TP clients on the LAN side to connect to an L2TP server on the Internet, or click Off to disable it.

Viewing the VPN Status

Monitoring the IPSec VPN Status

The VPN Table page displays the status and statistics for all IPSec VPN sessions.

STEP 1 Click VPN -> Session Status -> VPN Table. The VPN Table window opens.

STEP 2 In the Active Sessions tab, all IPSec VPN sessions are listed in the table.
• Name: The name of the VPN policy that is used for the IPSec VPN session.

• Remote Gateway: The IP address of the remote gateway for a Site-to-Site VPN session, or the IP address of the remote client for a Cisco IPSec VPN session.
• Tx Bytes: The total volume of traffic, in kilobytes, transmitted through the VPN tunnel.
• Rx Bytes: The total volume of traffic, in kilobytes, received through the VPN tunnel.
• Tx Pkts: The number of IP packets transmitted through the VPN tunnel.
• Rx Pkts: The number of IP packets received through the VPN tunnel.

CSTP is a Cisco proprietary protocol for SSL VPN tunneling. "In" means "from the client" and "Out" means "to the client". The client is the PC running the Cisco AnyConnect VPN Client software that connects to the security appliance running the SSL VPN server. A CSTP frame is a packet carrying CSTP protocol information. There are two major frame types, control frames and data frames. Control frames implement control functions within the protocol.

In CSTP bytes      The total number of bytes in the CSTP frames received from the client.
In CSTP data       The number of CSTP data frames received from the client.
In CSTP control    The number of CSTP control frames received from the client.
Out CSTP frames    The number of CSTP frames sent to the client.
Out CSTP bytes     The total number of bytes in the CSTP frames sent to the client.
Out CSTP data      The number of CSTP data frames sent to the client.
9 User Management

This chapter describes how to manage the users and user groups, and how to configure the user login settings that apply when users try to access your network resources.
• About the Users and Groups, page 273
• Configuring the Users and Groups, page 275
• Configuring the User Authentication Settings, page 277
• Viewing Active User Sessions, page 287

To access the Users pages, click Users in the left-hand navigation pane.

About the Users and Groups

NOTE You cannot disable the web login service or change its web login service level for the default user group (admin).
• SSL VPN: Allows the members of the group at the remote site to establish SSL VPN tunnels, based on the selected SSL VPN group policy, to access your network resources. The Cisco AnyConnect VPN Client must be installed on the user's PC.

Configuring the Users and Groups

This section describes how to maintain the users and user groups in the local database. It includes the following topics:
• Configuring Local Users, page 275
• Configuring Local User Groups, page 276

Configuring Local Users

The local database supports up to 100 users. You can add new accounts for specific services, such as the SSL VPN and Cisco IPSec VPN services.

STEP 1 Click Users -> Users & Groups.

• New Password Confirm: Enter the password again for confirmation.
• Group: Choose the user group to which the user belongs.

NOTE For SSL VPN or Cisco IPSec VPN users, you need to enable the corresponding services for the user groups to which they belong.

STEP 4 Click OK to save your settings.

Configuring Local User Groups

Groups are used to create a logical grouping of users that share the same service policies.

Administrator: All members of the group have full privileges to set the configuration and read the system status.
- SSLVPN: Choose an SSL VPN group policy so that all members of the group at the remote site can establish SSL VPN tunnels, based on the selected SSL VPN group policy, to access your network resources, or choose Disable to disable it.
Configuring the User Authentication Settings

The local database on the security appliance can support up to 100 users and 16 groups. If you have more than 100 users, you need to use an AAA server for authentication.

Using the Local Database for Authentication

Use the local database to authenticate users when fewer than 100 users access the network. When you use the local database for authentication, the local database verifies the user name and password of the users who try to access the network. Only valid local users are allowed to access the network.

STEP 1 Click Users -> Settings.

STEP 2 In the User Login Settings area, choose RADIUS as the authentication method from the Authentication Method drop-down list.

STEP 3 Click Configure to configure the RADIUS settings. The RADIUS Settings window opens.

STEP 4 In the Settings tab, choose the RADIUS group for authentication and configure the global timeout and retry settings.

Local Database Settings    RADIUS Server Settings
                           User1 in Group1    User1 in Group2    User1 in Group3
User1 in Group1            Group1             Group2             Default Group
User1 in Group2            Group1             Group2             Default Group
User1 does not exist       Group1             Group2             Default Group

In the above table, if User1 in the RADIUS server belongs to Group1 and User1 in the local database belongs to Group2, then User1 belongs to Group1 after passing the RADIUS aut

• Default User Group to Which All RADIUS Users Belong: If the group of a RADIUS user does not exist in the local database, you can assign the RADIUS user to a specific local user group. Choose a local user group as the default local group to which such RADIUS users belong.

STEP 6 In the Test tab, enter the user and password credentials in the User and Password fields to test the configured RADIUS settings.

Using LDAP for Authentication

The security appliance can use an LDAP directory for user authentication, with support for three schemas: Microsoft Active Directory, RFC2798 inetOrgPerson, and RFC2307 Network Information Service.

STEP 1 Click Users -> Settings. The User Settings window opens.

STEP 2 In the User Login Settings area, choose LDAP as the authentication method from the Authentication Method drop-down list.

• Login Password: If you choose Give Login Name or Location in Tree or Give Bind Distinguished Name as the login method, enter the password of the account that can log into the LDAP server.
• Protocol Version: Choose either LDAP Version 2 or LDAP Version 3. Most LDAP directories, including Active Directory, use LDAP Version 3.

• User Tree for Login to Server: If you choose Give Login Name or Location in Tree as the login method in the Settings tab, specify the user tree that is used to log into the LDAP server.
• Trees Containing Users: Specify the trees in the LDAP directory in which the users commonly reside. To add an entry, click Add. To edit an entry, click Edit. To delete an entry, click Remove.

Using the Local Database and LDAP for Authentication

You can use both the local database and LDAP to authenticate the users who try to access the network.

STEP 1 Click Users -> Settings. The User Settings window opens.

STEP 2 In the User Login Settings area, choose LDAP + Local Database as the authentication method from the Authentication Method drop-down list.

STEP 3 Click Configure to configure the LDAP settings for user authentication.

Viewing Active User Sessions

Use the Active Sessions page to view the status of all active user sessions and to manually terminate active user sessions.

STEP 1 Click Users -> Active Sessions. The Active Sessions window opens.

STEP 2 All active user sessions are listed in the table. You can view the following user session information:
• User Name: The name of the logged-in user.
10 Device Management
This chapter describes how to maintain the configuration and firmware, manage the security license and digital certificates, and configure other features that help maintain the security appliance.
Remote Management
To access the Device Management pages, click Device Management in the left-hand navigation pane.
You can access the Configuration Utility from the LAN side by using the security appliance's LAN IP address and HTTP, or from the WAN side by using the security appliance's WAN IP address and HTTPS (HTTP over SSL) or HTTP. Remote management over plain HTTP sends the administrator password across the Internet in cleartext, so use HTTPS for WAN-side access and restrict the addresses that are allowed to connect.
STEP 3
- All IP Addresses: Any IP address from a remote WAN network can access the Configuration Utility. This exposes the login page to the whole Internet; prefer one of the two options below.
- Single Address: Only the specified remote host can access the Configuration Utility. Enter the IP address of the remote host in the IP Address field.
- Network Range: Only the hosts in the specified remote network can access the Configuration Utility. Enter the starting IP address in the From field and the ending IP address in the To field.
Administration
• User Name: Enter a new user name for the default administrator account. The name can contain letters, numbers, and underscores.
• Current Password: Enter the current password for the default administrator account. The default password is cisco. Change it the first time you log in; the default user name and password are published in this guide and are the first thing an attacker tries.
• New Password: Enter a new password for the default administrator account. Passwords are case-sensitive.
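Before exposing the WAN side it helps to check the three access modes above against the addresses you expect to manage from, and to catch the factory defaults that Appendix C lists (HTTP management enabled, HTTPS on port 8080, administrator account cisco/cisco). The following is an added example, not Cisco code and not a feature of the appliance: a policy object modelled on the fields in this section, a function that answers whether a given source address would reach the Configuration Utility, and an audit that lists the findings a reviewer would raise. The field names and sample addresses are assumptions.

```python
"""Evaluate the ISA500 remote-management access choices (All IP Addresses /
Single Address / Network Range) against a connecting source address, and
audit the settings this guide lists as factory defaults: HTTP management
enabled and the administrator account cisco/cisco.

Added example, not Cisco code. The field names on the policy object are
assumptions; the appliance does not expose its configuration in this form."""

import ipaddress
from dataclasses import dataclass
from typing import List


@dataclass
class RemoteMgmtPolicy:
    enabled: bool
    protocol: str        # "HTTPS" or "HTTP"
    port: int            # factory default for HTTPS is 8080 (Appendix C)
    allowed: str         # "all", "single" or "range"
    ip_from: str = ""    # Single Address, or start of the Network Range
    ip_to: str = ""      # end of the Network Range


def source_allowed(policy: RemoteMgmtPolicy, source_ip: str) -> bool:
    """Would a connection from source_ip reach the Configuration Utility?"""
    if not policy.enabled:
        return False
    src = ipaddress.ip_address(source_ip)
    if policy.allowed == "all":
        return True
    if policy.allowed == "single":
        return src == ipaddress.ip_address(policy.ip_from)
    if policy.allowed == "range":
        return ipaddress.ip_address(policy.ip_from) <= src <= ipaddress.ip_address(policy.ip_to)
    raise ValueError(f"unknown access mode {policy.allowed!r}")


def range_as_networks(policy: RemoteMgmtPolicy) -> List[str]:
    """Express a From/To range as CIDR blocks, which is easier to review than
    two endpoints (a typo in the To field can silently open a /8)."""
    if policy.allowed != "range":
        return []
    return [str(n) for n in ipaddress.summarize_address_range(
        ipaddress.ip_address(policy.ip_from), ipaddress.ip_address(policy.ip_to))]


def audit(policy: RemoteMgmtPolicy, admin_user: str, admin_password: str) -> List[str]:
    """Return the findings a reviewer would raise before exposing the WAN side."""
    findings = []
    if policy.enabled and policy.protocol.upper() == "HTTP":
        findings.append("remote management over HTTP sends the administrator password in cleartext; use HTTPS")
    if policy.enabled and policy.allowed == "all":
        findings.append("Configuration Utility reachable from any WAN address; use Single Address or Network Range")
    if policy.enabled and policy.allowed == "range":
        hosts = sum(ipaddress.ip_network(n).num_addresses for n in range_as_networks(policy))
        if hosts > 256:
            findings.append(f"Network Range admits {hosts} source addresses; narrow it")
    if (admin_user, admin_password) == ("cisco", "cisco"):
        findings.append("default administrator credentials (cisco/cisco) still in use")
    return findings


if __name__ == "__main__":
    # Constructed sample: factory defaults left in place.
    weak = RemoteMgmtPolicy(True, "HTTP", 80, "all")
    for finding in audit(weak, "cisco", "cisco"):
        print("FINDING:", finding)
    # Constructed sample: one management host over HTTPS.
    hardened = RemoteMgmtPolicy(True, "HTTPS", 8080, "single", "203.0.113.10")
    print(source_allowed(hardened, "203.0.113.10"), source_allowed(hardened, "203.0.113.11"))
```

The range check converts the From/To pair into CIDR blocks before counting hosts, because a range that looks narrow as two endpoints can cover thousands of addresses once a digit is wrong.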
• Web Server SSL Certificate: Choose the certificate that the web server presents to users who access the Configuration Utility over HTTPS. By default, the web server uses the default certificate. If you choose an imported certificate, the web server restarts to load the selected certificate. Click Save to apply your settings. Browsers do not trust the default certificate, so administrators get used to clicking through the warning; import a certificate issued for the appliance's host name by a CA that their browsers trust.
SNMP
• Authentication: Verifies that the message is from a valid source.
After you enable SNMP and select the SNMP version, enter the following information:
• System Contact: Enter the name of the contact person for your security appliance.
• Device: Enter the device name for easy identification of your security appliance.
• System Location: Enter the physical location of your security appliance.
Configuration Management
You can perform the following tasks to maintain the configuration:
• Save the current settings used on your security appliance. See Saving your Current Configurations, page 294.
• Restore your settings from a saved configuration file. See Restoring your Settings from a Saved Configuration File, page 295.
• Revert to the factory default settings. See Reverting to the Factory Default Settings, page 296.
A saved configuration file contains the secrets the appliance needs to operate (VPN pre-shared keys, the RADIUS pre-shared key, the LDAP login password), so protect the file and any USB device that holds it as carefully as the appliance itself.
STEP 3 To back up the current settings to a USB device, perform the following steps:
a. Insert the USB device into the USB interface on the back panel of your security appliance. The USB device is mounted automatically.
b. In the USB -> Mount/Unmount area, make sure that the USB Driver Status shows UP before you use the USB device to manage the configuration.
c.
STEP 3 To restore the settings from a saved configuration file on a USB device, perform the following steps:
a. Insert the USB device into the USB interface on the back panel of your security appliance. The USB device is mounted automatically.
b. In the USB -> Mount/Unmount area, make sure that the USB Driver Status shows UP before you use the USB device to manage the configuration.
c.
Firmware Management
You can perform the following tasks to maintain the firmware:
• View the firmware status. See Viewing the Firmware Information, page 297.
• Check periodically for new firmware. See Checking for New Firmwares, page 298.
• Upgrade the firmware. See Upgrading the Firmware, page 299.
• Switch to the secondary firmware through the Configuration Utility. See Using the Secondary Firmware, page 300.
• Fall back automatically to the secondary firmware.
STEP 3
• Secondary Firmware Version: The version of the secondary firmware image, which is the image you ran before the last upgrade.
• Link to Release Note: Click the link to find the release notes for all available firmware versions.
• Time At Which Last Query Was Made: The time of the last query for new firmware.
• Latest Image Available: The latest firmware version available on the IDA server at the time of your last query.
STEP 3 Click Save to save your settings.
STEP 4 Click Check Now to immediately check whether new firmware is available on the IDA server. If new firmware is available, its version is displayed in the Latest Image Available area.
Upgrading the Firmware
You can manually upgrade the firmware from your local PC or a USB device.
STEP 1 Click Device Management -> Firmware and Configuration -> Firmware. The Firmware window opens.
• To upgrade the firmware and keep using the current settings, select a firmware image from the list and then click Upgrade. When the operation is complete, the security appliance automatically reboots with the settings you used before.
• To upgrade the firmware and revert to the factory default settings, select a firmware image from the list and then click Upgrade & Factory Reset.
After you switch to the secondary firmware, the security appliance automatically reboots with the saved settings.
Firmware Auto Fall Back Mechanism
The security appliance keeps two firmware images in the same NAND flash. This Auto Fall Back mechanism lets the appliance switch to the secondary firmware automatically when the primary firmware fails a CRC (Cyclic Redundancy Check) or fails to boot five times in a row. A CRC detects corruption, not tampering: it does not verify that an image came from Cisco, so download firmware only from Cisco.com and compare the file's checksum with the one shown on the download page before you upload it.
Using the Rescue Mode to Recover the System
When a boot problem or device error occurs, the POWER/SYS LED lights amber. Follow these steps to start Rescue mode directly and recover the system.
STEP 1 Press and hold the RESET button on the back panel of your security appliance for at least three seconds while you turn on the power switch. Rescue mode starts.
Log Management
• Viewing the Logs, page 306
Configuring the Log Settings
STEP 1 Click Device Management -> Loggings -> Log Settings. The Log Settings window opens.
STEP 2 In the Log Settings area, enter the following information:
• Log: Click On to enable the Log feature, or click Off to disable it.
• Log Buffer Size: If you enable the Log feature, specify the size of the local log buffer. The default value is 409600 bytes. The local buffer holds a bounded amount of history, so send logs to a remote syslog server if you need to keep them.
• Mail Subtitle: Enter the subtitle that is displayed in the email. For example, if you set the device name as the subtitle, the recipient of the alert email can quickly recognize which device the logs or alerts are coming from.
• Severity: Choose the severity level of the syslogs that you want to send.
Severity Levels  Description
Emergency (level 0, highest severity)  System unusable. Syslog definition is LOG_EMERG.
Alert (level 1)  Immediate action needed.
STEP 5 In the Remote Logs area, specify the logs to be saved to a remote syslog server.
• Remote Logs: Click On to save the syslogs to the specified remote syslog server, or click Off to disable it.
• Syslog Server: Enter the IP address of the remote syslog server that runs a syslog daemon. Plain syslog is neither authenticated nor encrypted, so place the syslog server on a trusted network segment rather than sending logs across the WAN unprotected.
• Severity: Choose the severity level of the logs that you want to save to the remote syslog server.
If you enable this feature, logs that belong to the selected facilities and meet the severity level specified for Email Alert are sent to the specified email address.
• Remote Log: Check the box at the left of the Remote Log heading to enable remote logging for all log facilities, or check the box of a single log facility to enable it for that facility only.
• Log Severity: Choose the log severity level to filter the logs. The level is a threshold: if you select Critical, all logs at Critical, Alert, and Emergency are shown.
• Log Facility: Choose the log facility to filter the logs. All logs that belong to the selected facility and meet the specified severity setting are shown.
• Source IP: Enter the source IP address to filter the logs.
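The severity and facility filters above are the same two fields that every syslog line carries in its <PRI> prefix, where PRI = facility * 8 + severity (RFC 3164). The following is an added example, not Cisco code: it decodes that prefix on a few constructed lines and applies a threshold the way the Log Severity filter does, so that "Critical" also admits Alert and Emergency. The mapping of the appliance's facility labels (Kernel, System) to the standard syslog codes kern and daemon is an assumption, and the sample lines are constructed, not captured from an appliance.

```python
"""Apply the ISA500 log filters (a severity threshold, a set of facilities) to
raw syslog lines by decoding the <PRI> field, where
PRI = facility * 8 + severity (RFC 3164 section 4.1.1). "Critical" admits
Critical, Alert and Emergency, exactly as the Log Severity filter does.

Added example, not Cisco code. The sample lines are constructed; the
appliance's own facility names ("Kernel", "System") are mapped to the
standard syslog facilities kern (0) and daemon (3) as an assumption."""

import re
from typing import Iterable, List, Optional, Set, Tuple

SEVERITIES = ["Emergency", "Alert", "Critical", "Error",
              "Warning", "Notice", "Informational", "Debug"]

FACILITIES = ["kern", "user", "mail", "daemon", "auth", "syslog", "lpr", "news",
              "uucp", "cron", "authpriv", "ftp", "ntp", "audit", "alert", "clock",
              "local0", "local1", "local2", "local3", "local4", "local5", "local6", "local7"]

# Assumed mapping from the appliance's facility labels to syslog facility names.
APPLIANCE_FACILITY = {"Kernel": "kern", "System": "daemon"}

_PRI_RE = re.compile(r"^<(\d{1,3})>(.*)$", re.S)


def parse_pri(line: str) -> Tuple[str, str, str]:
    """Split a syslog line into (facility name, severity name, rest of line)."""
    m = _PRI_RE.match(line)
    if not m:
        raise ValueError(f"no <PRI> prefix: {line[:40]!r}")
    pri = int(m.group(1))
    if pri > 191:                       # 23 * 8 + 7 is the largest valid PRI
        raise ValueError(f"PRI {pri} out of range")
    return FACILITIES[pri // 8], SEVERITIES[pri % 8], m.group(2)


def select_logs(lines: Iterable[str], max_severity: str = "Critical",
                facilities: Optional[Set[str]] = None) -> List[Tuple[str, str, str]]:
    """Keep lines at max_severity or more severe, optionally only from the given
    appliance facilities (e.g. {"Kernel", "System"}, the factory default set)."""
    threshold = SEVERITIES.index(max_severity)
    wanted = None if facilities is None else {APPLIANCE_FACILITY[f] for f in facilities}
    kept = []
    for line in lines:
        fac, sev, msg = parse_pri(line)
        if SEVERITIES.index(sev) <= threshold and (wanted is None or fac in wanted):
            kept.append((fac, sev, msg))
    return kept


# Constructed sample lines (not captured from a real appliance).
SAMPLE_LINES = [
    "<2>Jan  1 00:00:01 isa500 kernel: watchdog: primary firmware CRC check failed",   # kern/Critical
    "<30>Jan  1 00:00:02 isa500 dhcpd: lease 192.168.1.100 granted",                  # daemon/Informational
    "<34>Jan  1 00:00:03 isa500 login: 5 failed admin logins from 203.0.113.7",        # auth/Critical
    "<0>Jan  1 00:00:04 isa500 kernel: out of memory, rebooting",                      # kern/Emergency
    "<11>Jan  1 00:00:05 isa500 user: web login error for user cisco",                 # user/Error
]

if __name__ == "__main__":
    for fac, sev, msg in select_logs(SAMPLE_LINES, "Critical"):
        print(f"{sev:<9} {fac:<6} {msg}")
```

Note what the factory default facility set hides: with only Kernel and System selected, the constructed failed-login line (facility auth) never reaches the remote server even at Critical, so check which facility the appliance uses for authentication events before relying on the default.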
Managing the Security License
Checking the License Status
STEP 1 Click Device Management -> License Management. The License Management window opens. The following information about the security license is displayed.
• Feature: The security license name.
• Status: The security license status. The security license cannot be transferred or revoked once it is licensed.
• Seats Available: The number of SSL VPN users supported by the security license.
NOTE To send the alert email for license expiration events, you first need to enable the License Expiration Alert feature and configure the email account settings in the Email Alert Settings page. Click the link or go to the Device Management -> Email Alert Settings page to do this. See Configuring the Email Alert Settings, page 316.
Renewing the Security License
Perform the following steps to renew the security license before it expires.
NOTE Make sure that the security appliance is set to the current time, or the license will not install properly. An NTP-synchronized clock (see Configuring the Time Zone) avoids this problem and also keeps the timestamps in your logs accurate.
STEP 5 After you finish entering the information in the required fields, click Validate License. After the license is renewed, the expiration date of the security license is updated immediately.
Managing the Certificates for Authentication
Use the Certificate Management page to manage the certificates for authentication.
STEP 2
- Local Certificate: A local certificate is issued to the appliance by a trusted CA and is used by applications such as remote management and SSL VPN. To use a local certificate, you must first request a certificate from the CA and then import the certificate on your security appliance.
- CA Certificate: A CA certificate is the certificate of an issuing (typically intermediate) CA, such as GoDaddy or VeriSign.
• To export a local certificate or a CSR to a mounted USB device, check the box and click Export to USB. See Exporting the Certificates to a USB Device, page 313.
• To import a CA certificate or a local certificate from your PC, click Import. See Importing the Certificates from Your Local PC, page 313.
• To import a CA certificate or a local certificate from a mounted USB device, click Import from USB.
Exporting the Certificates to a USB Device
To export a local certificate or a CSR to a USB device, first insert the USB device into the USB interface on the back panel of your security appliance. The USB device is mounted automatically. CA certificates cannot be exported.
STEP 1 Click Device Management -> Certificate Management. The Certificate window opens.
• Import a CA certificate from a PEM (.pem or .crt) encoded file: If you choose this option, click Browse to locate and select a CA certificate file on your local PC, and then click Import.
Importing the Certificates from a Mounted USB Device
To import local or CA certificates from a USB device, first insert the USB device into the USB interface on the back panel of your security appliance.
Generating New Certificate Signing Requests
STEP 1 Click Device Management -> Certificate Management. The Certificate Management window opens.
STEP 2 Click New Signing Request to generate a new certificate signing request. The Generate Certificate Signing Request window opens.
STEP 3 Enter the following information:
• Certificate Alias: Enter an alias name for the certificate.
Configuring the Email Alert Settings
Use the Email Alert Settings page to centrally configure how alert messages are sent to the operator or administrator for specific events or behaviors that may affect the performance, operation, or security of your security appliance, or for debugging purposes.
STEP 1 Click Device Management -> Email Alert Settings. The Email Alert Settings window opens.
Alert Category / Description / Configurations
• WAN UP/DOWN Alert: Sends an alert email if the WAN interface link goes UP or DOWN. To Email Address: Enter the email address that receives the alert messages. Alert Interval: Specify how often, in minutes, the security appliance sends alert messages for WAN down or up events.
• IPSec Alert: Sends an alert email if the IPSec VPN tunnel negotiation fails.
• License Expiration Alert: Sends an alert email x days before the security license expires. x is configurable. To Email Address: Enter the email address that receives the alert messages.
• Sends an alert email if the CPU utilization is higher than the threshold. To Email Address: Enter the email address that receives the alert messages.
• Syslog Email: Sends the syslog messages on schedule to the specified email recipient. To Email Address: Enter the email address that receives the alert messages. To specify the syslogs to be sent, see Configuring the Log Settings, page 303.
STEP 3 Click Save to apply your settings.
Configuring the RADIUS Servers
• Secondary RADIUS Server IP: Enter the IP address of the secondary RADIUS server.
• Secondary RADIUS Server Port: Enter the port number on the secondary RADIUS server that is used for RADIUS traffic. The default is 1812.
• Secondary RADIUS Server Pre-shared Key: Enter the pre-shared key that is configured on the secondary RADIUS server. This key is the only thing that hides user passwords in RADIUS requests and lets the appliance check that replies are genuine, so use a long random value that is unique to this appliance, and keep RADIUS traffic on a trusted network.
STEP 4 Click OK to save your settings.
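To see what the pre-shared key protects, it helps to build both sides of the RADIUS exchange by hand. The following is an added example, not Cisco code and not a usable RADIUS client: it hides a PAP User-Password the way RFC 2865 section 5.2 specifies (MD5 keystream seeded from the secret and the Request Authenticator), builds the Access-Request, and then verifies a server reply through the Response Authenticator of section 3. The secret, user name, password and authenticator are constructed sample values.

```python
"""Show what the RADIUS pre-shared key actually does: it hides the User-Password
attribute in an Access-Request (RFC 2865 section 5.2) and authenticates the
server's reply through the Response Authenticator (section 3). Both sides of
the exchange are built here so the roles are visible.

Added example, not Cisco code and not a RADIUS client; the constructed
secret, user and authenticator are sample values."""

import hashlib
import hmac
import os
import struct
from typing import Tuple

ACCESS_REQUEST, ACCESS_ACCEPT = 1, 2
USER_NAME, USER_PASSWORD = 1, 2


def hide_password(password: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """RFC 2865 5.2: pad to 16-byte blocks, XOR each block with
    MD5(secret + previous ciphertext block), seeded by the Request Authenticator."""
    if not 1 <= len(password) <= 128:
        raise ValueError("PAP password must be 1..128 octets")
    padded = password.ljust((len(password) + 15) // 16 * 16, b"\x00")
    out, prev = b"", request_auth
    for i in range(0, len(padded), 16):
        keystream = hashlib.md5(secret + prev).digest()
        block = bytes(p ^ k for p, k in zip(padded[i:i + 16], keystream))
        out, prev = out + block, block
    return out


def reveal_password(hidden: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """Inverse of hide_password, as the server performs it."""
    out, prev = b"", request_auth
    for i in range(0, len(hidden), 16):
        keystream = hashlib.md5(secret + prev).digest()
        out += bytes(c ^ k for c, k in zip(hidden[i:i + 16], keystream))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")


def _attr(kind: int, value: bytes) -> bytes:
    return struct.pack("!BB", kind, len(value) + 2) + value


def build_access_request(ident: int, user: str, password: str, secret: bytes,
                         request_auth: bytes = None) -> Tuple[bytes, bytes]:
    """Client side: returns (packet, request_authenticator)."""
    request_auth = request_auth or os.urandom(16)
    attrs = _attr(USER_NAME, user.encode()) + \
            _attr(USER_PASSWORD, hide_password(password.encode(), secret, request_auth))
    header = struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs))
    return header + request_auth + attrs, request_auth


def build_response(code: int, ident: int, attrs: bytes, request_auth: bytes, secret: bytes) -> bytes:
    """Server side: Response Authenticator = MD5(Code+ID+Length+RequestAuth+Attributes+Secret)."""
    header = struct.pack("!BBH", code, ident, 20 + len(attrs))
    resp_auth = hashlib.md5(header + request_auth + attrs + secret).digest()
    return header + resp_auth + attrs


def verify_response(packet: bytes, request_auth: bytes, secret: bytes) -> bool:
    """Client side: a reply forged without the secret fails this check."""
    if len(packet) < 20:
        return False
    code, ident, length = struct.unpack("!BBH", packet[:4])
    if length != len(packet):
        return False
    expected = build_response(code, ident, packet[20:], request_auth, secret)[4:20]
    return hmac.compare_digest(expected, packet[4:20])


if __name__ == "__main__":
    secret = b"constructed-sample-secret"           # the "pre-shared key" from the page
    pkt, auth = build_access_request(7, "alice", "p@ssw0rd", secret)
    print("Access-Request:", pkt.hex())
    accept = build_response(ACCESS_ACCEPT, 7, b"", auth, secret)
    print("reply genuine:", verify_response(accept, auth, secret))
    print("reply forged :", verify_response(accept, auth, b"wrong-secret"))
```

Two properties follow directly from the code: the password hiding is an MD5 stream keyed by the secret, so a short or guessable key lets anyone who captures the request recover the password offline, and nothing in an Access-Request authenticates the client, so the secret and the network path are the only things that stop a forged server from accepting every login.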
Configuring the Time Zone
STEP 4
• Use Custom NTP Servers: Click this option to use custom NTP servers. Enter the IP addresses or domain names of up to two NTP servers in the Server 1 Name/IP Address and Server 2 Name/IP Address fields. Server 1 is the primary NTP server and Server 2 is the secondary NTP server.
• Current Time: The current date and time, synchronized with the configured NTP server. Click Save to apply your settings.
Device Discovery
• Advertisement Period: Enter, in seconds, how often the security appliance broadcasts its UPnP information to all devices within range. The default value is 1800 seconds.
• Advertisement Time to Live: Enter the time to live, in hops, for each UPnP packet. This is the number of hops a packet may propagate before it is discarded. Small values limit the UPnP broadcast range; keep the value small so that advertisements do not leave your local network. The default value is 4.
CDP
Cisco Discovery Protocol (CDP) is a device discovery protocol that runs on Cisco equipment. Each CDP-enabled device sends periodic messages to a multicast address and also listens for the periodic messages sent by others, in order to learn about neighboring devices and determine their status. Use the CDP page to configure the settings that control CDP. CDP advertisements describe the device to everyone on the segment, so leave CDP disabled (the factory default) where the segment is not trusted.
LLDP
The Link Layer Discovery Protocol (LLDP) lets network managers troubleshoot and improve network management by discovering and maintaining network topologies in multi-vendor environments. LLDP discovers network neighbors by standardizing how network devices advertise themselves to other systems and store the discovered information.
Diagnosing the Device
NOTE These features require an active WAN connection.
Ping
Use the Ping page to test the connectivity between the security appliance and a connected device on the network.
STEP 1 Click Device Management -> Diagnostics -> Ping. The Ping window opens.
STEP 2 Enter the following information:
• IP or URL Address: Enter the IP address or URL to ping.
• Packet Size: Enter the packet size to ping, in the range of 32 to 65500 bytes.
STEP 3 Click Start Traceroute to trace the route to the IP address or URL, or click Stop Traceroute to stop tracing.
DNS Lookup
Use the DNS Lookup page to retrieve the IP address of any server on the Internet.
STEP 1 Click Device Management -> Diagnostics -> DNS Lookup. The DNS Lookup window opens.
STEP 2 Enter the IP address or domain name that you want to look up in the IP Address or Domain Name field.
System Diagnostics
Use the Collect Diagnostics page to compress configuration files, syslog files, and system status data into one zip file and send it to the specified email account for system diagnosis. You can set a password to protect the compressed file. Because the bundle includes the configuration, which holds the appliance's credentials and keys, always set the password and send the bundle only to a mailbox you control.
STEP 1 Click Device Management -> Diagnostics -> Collect Diagnostics. The Collect Diagnostics window opens.
NOTE To send the compressed file for system diagnosis, you first need to enable the Debug Support Alert feature and configure the email account settings in the Email Alert Settings page. Click the link or go to the Device Management -> Email Alert Settings page to do this. See Configuring the Email Alert Settings, page 316.
STEP 5 Click Save to apply your settings.
Measuring and Limiting Traffic with the Traffic Meter
STEP 3
- Download Only: Limits the amount of download traffic. Enter the maximum amount of data, in megabytes, that can be downloaded in a given month in the Monthly Limit field. Once the limit is reached, no traffic is allowed from the WAN side.
- Both Directions: Counts traffic in both the upload and download directions. The limit entered in the Monthly Limit field is shared by upload and download traffic.
• Block All Traffic Except Email: Blocks all traffic except email through the WAN interface when the traffic limit is reached.
• Send email alert: Click On to send an alert email to the specified email account when the traffic limit is reached, or click Off to disable it. This feature requires that you enable the Email Alert feature in the Log Settings page. See Log Management, page 302.
Configuring the ViewMaster
STEP 2 Click On to enable ViewMaster, or click Off to disable it. By default, ViewMaster is enabled.
STEP 3 Click Save to apply your settings.
Configuring the CCO Account
Use the CCO Account page to configure your registered CCO account. The CCO account is used to log into Cisco.com for specific services.
Configuring the Device Properties
Use the Device Properties page to configure the host name and domain name that identify your security appliance on the network.
STEP 1 Click Device Management -> Device Properties. The Device Properties window opens.
STEP 2 Enter the following information:
• Host Name: Enter the host name of your security appliance, which is displayed on the network to identify your device.
A Troubleshooting
This chapter describes how to fix some common issues when you are using the security appliance. It includes the following sections:
• Internet Connection, page 333
• Date and Time, page 336
• Pinging to Test LAN Connectivity, page 337
• Restoring Factory Default Settings, page 339
Internet Connection
Symptom: You cannot access the Configuration Utility from a PC on your LAN.
Recommended Actions:
STEP 1 Check the Ethernet connection between the PC and the security appliance.
If you do not want to reset to factory default settings and lose your configuration, reboot the security appliance and use a packet sniffer (such as Ethereal, now Wireshark) to capture packets sent during the reboot. Look at the ARP packets to locate the LAN interface address.
STEP 5 Launch your web browser and ensure that Java, JavaScript, or ActiveX is enabled. If you are using Internet Explorer, click Refresh to ensure that the Java applet is loaded.
Symptom: The security appliance cannot obtain an IP address from the ISP.
Recommended Actions:
STEP 1 Turn off power to the cable or DSL modem.
STEP 2 Turn off the security appliance.
STEP 3 Wait 5 minutes, and then reapply power to the cable or DSL modem.
STEP 4 When the modem LEDs indicate that it has resynchronized with the ISP, reapply power to the security appliance. If the security appliance still cannot obtain an ISP address, see the next symptom.
STEP 1 Ask your ISP for the addresses of its designated DNS servers. Configure your PC to use those addresses. For details, see your operating system documentation.
STEP 2 On your PC, configure the security appliance as the TCP/IP default gateway.
Date and Time
Symptom: The date shown is January 1, 2000.
Possible Cause: The security appliance has not yet successfully reached a network time (NTP) server.
Pinging to Test LAN Connectivity
Most TCP/IP devices, including security appliances, contain a ping utility that sends an ICMP echo-request packet to the designated device, which responds with an echo reply. The ping utility on your PC or workstation makes troubleshooting a TCP/IP network much easier.
• Verify that the Ethernet card driver software and TCP/IP software are installed and configured on the PC.
• Verify that the IP addresses of the security appliance and the PC are correct and on the same subnet.
Testing the LAN Path from Your PC to a Remote Device
STEP 1 On your PC, click the Windows Start button, and then click Run.
Restoring Factory Default Settings
To restore the factory default settings, take one of the following actions:
• Launch the Configuration Utility and log in. Click Device Management -> Firmware and Configuration -> Configuration in the left-hand navigation pane. In the Backup/Restore Settings area, click Default.
• Or press and hold the RESET button on the back panel of your security appliance for about 3 seconds, until the LED lights and then blinks.
A factory reset restores every default listed in Appendix C, including the default administrator credentials (cisco/cisco), so change the password and review remote management before you reconnect the WAN interface.
B Technical Specifications and Environmental Requirements
Feature: ISA550, ISA550W, ISA570, ISA570W (the values below are identical for all four models)
Standards-Safety: UL 60950-1; CAN/CSA-C22.2 No. 60950-1
Standards-Radio: 47 CFR Part 15C; Industry Canada RSS-210; EN 300.328
Storage Humidity: 5 to 95 percent relative humidity, non-condensing
Nominal Voltage: 100 to 240 VAC
Voltage Variation Range: 90 to 264 VAC
C Factory Default Settings
This appendix provides the factory default settings for the primary features available on your security appliance and the predefined service and address objects.
Device Management
Feature: Setting
Listening port number for HTTPS: 8080
Remote Management by using HTTP: enable
Listening port number for HTTP: 80
Remote SNMP: enable
Firmware Check Periodically: disable
Ping Time: 5
Maximum Hops for Tracert: 5
System Diagnostics: disable
Password Protection: disable
Syslog Settings: disable
Log Facilities (Email Alert, Remote Log, Local Log): Kernel, System
Time Zone and Clock Settings: Dynamic Date/Tim
Bonjour: disable
CDP: disable
CDP Timer: 60 (5 to 900)
CDP Hold Timer: 180 (10 to 255)
LLDP: disable
Traffic Meter-Primary WAN Settings: disable
Traffic Meter-Secondary WAN Settings: disable
ViewMaster: enable
RADIUS Groups: 3
RADIUS Server Port: 1812
SMTP Authentication: disable
Email Alert Settings: disable
WAN UP/DOWN Alert: disable
IPSec Alert: disable
Firmware Upgrade Alert: disable
License Expiration Alert: disable
CPU O
Note that remote management over HTTP and remote SNMP are enabled by default; see Remote Management and SNMP in Chapter 10 before you connect the WAN interface.
User Management
Default User Group: admin
Services for Default Group: Web Login: Administrator; SSLVPN: SSLVPNDefaultPolicy; EzVPN: enable; Captive Portal: enable
Default Administrator Account: User Name: cisco; Password: cisco
Available User Login Authentication Methods: Local Database; RADIUS; RADIUS+Local Database; LDAP; LDAP+Local Database
Default User Login Authentication Method: Local Database
RADIUS Settings for Authentication: RADIUS Serve
Default User Group to which all RADIUS Users Belong: None
LDAP Settings for Authentication:
  Port number: 389 (the plain LDAP port; a simple bind over it sends the login password in cleartext unless TLS is negotiated on the connection)
  Login Method: Anonymous login
  Protocol Version: LDAP version 3
  LDAP Schemas: Microsoft Active Directory; RFC 2798 inetOrgPerson; RFC 2307 Network Information Service
  LDAP Users, Allow Only Users Listed Locally: disable
  LDAP Users, Default LDAP User Group: None
User Session Settings:
  Inactivity timeout: 5 minutes
  Login Session Limit for Web Log
Networking
Configurable Ports: 4
Physical Interface Number for ISA570 and ISA570W: 10
Dedicated WAN Port: 1
Dedicated LAN Ports: 4
Configurable Ports: 5
WAN Interfaces:
  WAN1-IP Address Assignment: DHCPC
  WAN1-MTU: Auto
  WAN1-MTU Value: 1500
  WAN1-Zone Mapping: WAN
  Port-Based Access Control: disable
  Default Setting for WAN Redundancy: Equal load balancing (Round robin)
  Default Settings for Weighted Load Balancing: Weighted By Percentage, WAN1 50% Weigh
VLANs:
  Maximum number of VLANs: 32
  DEFAULT VLAN: VID=1; IP Address=192.168.1.1; Subnet=255.255.255.0; Mapped Zone=LAN; Spanning Tree=disable; DHCP Pool Settings=DHCP Server; DHCP Pool-Start IP=192.168.1.100; DHCP Pool-End IP=192.168.1.200; Lease Time=1 day; Default Gateway=192.168.1.1
  GUEST VLAN: VID=2; IP Address=192.168.2.1; Subnet=255.255.255.0; Mapped Zone=GUEST; Spanning Tree=disable; DHCP Pool Settings=DHCP Server; DHCP Pool-Start IP=192.168.2.
Routing:
  Routing Mode: disable
  Static Routing: disable
  Dynamic Routing (RIP): disable
  RIP Version: Default
  Policy-based Routing: disable
WAN QoS: disable
WAN Bandwidth Upstream Settings: WAN1 Upstream limit=0 (0 to 1000000); WAN2 Upstream limit=0 (0 to 1000000)
WAN QoS Queue Settings: WAN1 Queueing Method=SP; WAN2 Queueing Method=SP
Maximum number of Traffic Selectors: 256
Maximum number of Traffic Selectors associated with one WAN QoS Policy
Mapping CoS to Queue Settings: CoS 0=Queue3; CoS 1=Queue4; CoS 2=Queue4; CoS 3=Queue3; CoS 4=Queue2; CoS 5=Queue2; CoS 6=Queue1; CoS 7=Queue1
Mapping DSCP to Queue: DSCP 000xxx=Queue3; DSCP 001xxx=Queue4; DSCP 010xxx=Queue4; DSCP 011xxx=Queue3; DSCP 100xxx=Queue2; DSCP 101xxx=Queue2; DSCP 110xxx=Queue1; DSCP 111xxx=Queue1
Service Management:
  Maximum number of Group Service Objects: 64
  Maximum number of Service Objects: 256
Address Management:
  Maximum number of Group Addre
Wireless
IGMP Proxy: disable
IGMP Snooping: enable
IGMP Version (Default): IGMP V3
Wireless Basic:
  Radio: enable
  Wireless Network Mode: 802.
  Guard Interval: Long (800ns)
  CTS Protection Mode: disabled
  Beacon Interval: 100 ms
  DTIM Interval: 2
  RTS Threshold: 2347
  Fragmentation Threshold: 2346
  Power Output: 100%
  Wi-Fi Protected Setup (WPS): disable (leave it disabled; the WPS PIN method can be brute-forced)
  Rogue AP Detection: disable
  Captive Portal: disable
VPN
Site-to-Site VPN: disable
Site-to-Site VPN policies: Maximum number of Site-to-Site VPN policies: 100 for ISA570 and ISA570W, and 50 for ISA550 and ISA550W
PFS: enab
NetBIOS Broadcast: disable
WAN Failover: disable
Redundant Gateway: disable
Security time: 1 hour
IKE policies:
  Maximum number of IKE policies: 16
  Hash: SHA1
  Authentication: Pre-shared Key
  D-H Group: group_5
  Encryption: AES256
  Lifetime: 24 hours
Transform policies:
  Maximum number of Transform policies: 16
  Integrity: ESP_MD5_HMAC
  Encryption: ESP_3DES
The default transform set (3DES with MD5-HMAC) is weaker than the default IKE policy (AES-256 with SHA1), and 3DES and MD5 are no longer recommended; when you create a site-to-site policy, choose AES and SHA1 for the transform set as well.
Cisco IPSec VPN Server: disable
Maximum number of group policies: 16
WAN Failover: disable
Aut
Maximum number of group policies: 16
Auto Initiation Retry: disable
Retry Interval: 120 (120 to 1800)
Retry Limit: 0 (0 to 16)
Connection on Startup: disable
Authentication Method: Pre-shared Key
Network Mode: Client mode
Zone-based Access Control: Permit
SSL VPN: disable
Gateway Interface: WAN1
Gateway Port: 443
Certificate File: default
Idle Timeout: 2100
Session Timeout: 43200
Client DPD Timeout: 300
Gateway DPD Timeout: 300
Keep Alive
Security Services
User Name: cisco
Password: cisco
MTU: 1400 (128 to 1400)
CHAP: enable
PAP: enable
Enable over IPSec: disable
IPSec Passthrough: enable
PPTP Passthrough: enable
L2TP Passthrough: enable
Intrusion Prevention Service: disable
Automatically Update Signatures: disable (if you enable IPS, enable signature updates as well; a static signature set stops detecting new attacks)
Select which zone to block intrusion: WAN zone
Anti-Virus: disable
Select which zone to scan for viruses: WAN zone
Maximum Scan Co
Firewall
Block or permit web components (Proxy, Java, ActiveX, and Cookies): permit
HTTP Port for Filtering: 80
Web Reputation Filter: disable
  Reputation Threshold: Conservative
  Custom Threshold: -5
  Action when Web Reputation Filter services are unavailable: Allow all web traffic until Web Reputation Filter services are restored (this is fail-open: nothing is blocked while the reputation service is unreachable)
Email Reputation Filter: disable
  Reputation Threshold: Conservative
  Custom Spam Threshold: -5
  Custom Suspect Spam Threshold: -3
Maximum number of custom firewall rules: 100
NAT:
  Dynamic PAT: enable
  Maximum number of Static NAT rules: 128
  Maximum number of Port Forwarding rules: 15
  Maximum number of Port Triggering rules: 15
  Maximum number of Advanced NAT rules: 16
Session Settings:
  Maximum number of Connections: 60000 (1000 to 60000)
  TCP Timeout: 1200 (5 to 3600)
  UDP Timeout: 180 (5 to 3600)
Attack Protection:
  Block Ping WAN interface: enable
  Enable Stealth Mode: disable
  Echo Storm [ping pkts./sec]: 0 (0 to 65535)
  ICMP Flood [ICMP pkts./sec]: 0 (0 to 65535)
Application Level Gateway: enable
  SIP ALG: enable
  H.
C Factory Default Settings Default Service Objects Feature Settings IM and P2P Blocking Report disable IPS Policy Protocol and Inspection Report disable Web Security Blocked Report disable Email Security Blocked Report disable Anti-Virus Report disable Default Service Objects Service Name Protocol Port Start Port End Remarks AIM-CONNECT TCP 4443 4443 Direct connect AIM-CHAT TCP 5190 5190 File transfer and chat BGP TCP 179 179 BOOTP_client UDP 68 68 BOOTP_server UDP 67
Service Name   Protocol   Port Start   Port End   Remarks
FTP-DATA       TCP        20           20         Data transfer
FTP-CONTROL    TCP        21           21         Control command. Keep using port 21 for the FTP server when you publish it on the Internet or when you use active mode (not passive).
HTTP           TCP        80           80
HTTPS          TCP        443          443
ICMP-TYPE-0    ICMP
ICMP-TYPE-3    ICMP
ICMP-TYPE-4    ICMP
ICMP-TYPE-5    ICMP
ICMP-TYPE-6    ICMP
ICMP-TYPE-7    ICMP
ICMP-T
Service Name   Protocol   Port Start   Port End   Remarks
IMAP3          TCP        220          220
IRC            TCP        6660         6660
NEWS           TCP        144          144
NFS            UDP        2049         2049
NNTP           TCP        119          119
POP3           TCP        110          110
PPTP           TCP        1723         1723
L2TP           UDP        1701         1701
RCMD           TCP        512          512
REAL-AUDIO     TCP        7070         7070
REXEC          TCP        512          512
RLOGIN         TCP        513          513
RTELNET        TCP        107          107
RTSP           TCP/UDP    554          554
SFTP           TCP        115          115
SMTP           TCP        25           25
SNMP           TCP/UDP    161          161
SNMP-TRAPS     TCP/UDP    162          162

Note: the SFTP object is TCP port 115, which is the Simple File Transfer Protocol registered with IANA under that name. File transfer over SSH runs on the SSH port (22), so a rule written against the SFTP object does not permit SSH-based file transfer.
Service Name       Protocol           Port Start   Port End   Remarks
TELNET Secondary   TCP                8023         8023
TELNET SSL         TCP                992          992
TFTP               UDP                69           69
RIP                UDP                520          520
IKE                UDP                500          500
ISAKMP             UDP                500          500
SHTTPD             TCP                8080         8080
SHTTPDS            TCP                443          443
IDENT              TCP                113          113
VDOLIVE            TCP                7000         7000
SSH                TCP/UDP            22           22
SIP                TCP/UDP            5060         5060
DHCP               UDP                67           67
ESP                IP (Protocol 50)
IPSEC-UDPENCAP     UDP                4500         4500
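Several of the default service objects above describe the same selector under two names (IKE and ISAKMP are both UDP 500, DHCP and BOOTP_server are both UDP 67, HTTPS and SHTTPDS are both TCP 443, RCMD and REXEC are both TCP 512). To the packet filter the name is only a label: a firewall rule written against one of the pair matches exactly the traffic the other name describes, so a "deny ISAKMP" rule and an "allow IKE" rule contradict each other. The following Python script is an added example and is not part of the Cisco guide or the appliance's software. It embeds a constructed subset of the Default Service Objects table as its input, parses it, and reports every pair of objects whose protocol and port ranges intersect; the function and class names are the example's own.

```python
"""Audit ISA500 factory-default service objects for overlapping definitions."""
import re
from dataclasses import dataclass
from itertools import combinations
from typing import FrozenSet, List, Optional, Tuple

# Constructed input: rows transcribed from the Default Service Objects table
# (a subset). Columns are separated by two or more spaces so that names that
# contain a single space ("TELNET SSL") survive parsing.
DEFAULT_SERVICE_OBJECTS = """\
AIM-CONNECT       TCP      4443  4443
BGP               TCP      179   179
BOOTP_server      UDP      67    67
DHCP              UDP      67    67
FTP-CONTROL       TCP      21    21
HTTPS             TCP      443   443
SHTTPDS           TCP      443   443
SHTTPD            TCP      8080  8080
RCMD              TCP      512   512
REXEC             TCP      512   512
RLOGIN            TCP      513   513
IKE               UDP      500   500
ISAKMP            UDP      500   500
IPSEC-UDPENCAP    UDP      4500  4500
SSH               TCP/UDP  22    22
SNMP              TCP/UDP  161   161
SFTP              TCP      115   115
TELNET SSL        TCP      992   992
TELNET Secondary  TCP      8023  8023
ICMP-TYPE-0       ICMP
ESP               IP (Protocol 50)
"""


@dataclass(frozen=True)
class ServiceObject:
    name: str
    protocols: FrozenSet[str]   # {"TCP"}, {"UDP"}, {"TCP", "UDP"}, {"ICMP"}, ...
    port_start: Optional[int]   # None for objects that carry no port (ICMP, ESP)
    port_end: Optional[int]


def _protocols(field: str) -> FrozenSet[str]:
    # "TCP/UDP" in the table is one object that matches both transports.
    return frozenset(p.strip().upper() for p in field.split("/"))


def parse_service_objects(text: str) -> List[ServiceObject]:
    """Parse the two-or-more-space separated table into ServiceObject rows."""
    objs = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        cols = re.split(r"\s{2,}", line)
        name, proto = cols[0], cols[1]
        if len(cols) >= 4:
            start, end = int(cols[2]), int(cols[3])
            if start > end:
                raise ValueError(f"{name}: port start {start} > port end {end}")
        else:
            start = end = None
        objs.append(ServiceObject(name, _protocols(proto), start, end))
    return objs


def matching_objects(objs: List[ServiceObject], protocol: str, port: int) -> List[str]:
    """Names of every object whose selector covers (protocol, port)."""
    proto = protocol.upper()
    return sorted(
        o.name for o in objs
        if proto in o.protocols
        and o.port_start is not None
        and o.port_start <= port <= o.port_end
    )


def find_overlaps(objs: List[ServiceObject]) -> List[Tuple[str, str, str, int, int]]:
    """Pairs of port-based objects whose (protocol, port range) selectors intersect.

    ICMP-type and ESP objects are skipped: the table distinguishes them by
    fields other than a port, which this parser does not model.
    """
    ported = [o for o in objs if o.port_start is not None]
    found = []
    for a, b in combinations(ported, 2):
        for proto in sorted(a.protocols & b.protocols):
            lo = max(a.port_start, b.port_start)
            hi = min(a.port_end, b.port_end)
            if lo <= hi:
                found.append((a.name, b.name, proto, lo, hi))
    return found


if __name__ == "__main__":
    objects = parse_service_objects(DEFAULT_SERVICE_OBJECTS)
    for a, b, proto, lo, hi in find_overlaps(objects):
        span = str(lo) if lo == hi else f"{lo}-{hi}"
        print(f"{a} and {b} both select {proto}/{span}: "
              f"a rule written against either name matches the same traffic")
```

Run the script as-is to list the overlapping pairs in the embedded subset; to audit a real rule set, replace the embedded rows with the object list exported from the appliance and call matching_objects for each (protocol, port) a rule is meant to cover, which shows every object name that rule competes with.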
Default Address Objects

Address Name    Type   Start IP        End IP
WAN1_DNS1       Host   192.168.100.1   192.168.100.1
WAN1_DNS2       Host   0.0.0.0         0.0.0.0
WAN1_NETWORK    Host   0.0.0.0         0.0.0.0
DEFAULT_IP      Host   192.168.1.1     192.168.1.1
DEFAULT_GW      Host   192.168.1.1     192.168.1.1
DEFAULT_DNS1    Host   192.168.1.1     192.168.1.1
DEFAULT_DNS2    Host   192.168.1.1     192.168.1.1
DEFAULT_WINS1   Host   192.168.1.1     192.168.1.1
DEFAULT_WINS2   Host   192.168.1.1     192.168.1.
Appendix D: Where to Go From Here

Cisco provides a wide range of resources to help you and your customers obtain the full benefits of the Cisco ISA500 Series Integrated Security Appliance.

Support
Cisco Small Business Support Community       www.cisco.com/go/smallbizsupport
Cisco Small Business Support and Resources   www.cisco.com/go/smallbizhelp
Phone Support Contacts                       www.cisco.com/go/sbsc
Firmware Download                            www.cisco.
