PART III Security
Firewall
Content Filtering
IPSec VPN
CHAPTER 13 Firewall
This chapter gives some background information on firewalls and explains how to get started with the NBG-460N’s firewall.
13.1 Introduction to ZyXEL’s Firewall
13.1.1 What is a Firewall?
Originally, the term “firewall” referred to a construction technique designed to prevent the spread of fire from one room to another. The networking term “firewall” means a system or group of systems that enforces an access-control policy between two networks.
The NBG-460N is installed between the LAN and a broadband modem connecting to the Internet. This allows it to act as a secure gateway for all data passing between the Internet and the LAN. The NBG-460N has one Ethernet WAN port and four Ethernet LAN ports, which are used to physically separate the network into two areas. The WAN (Wide Area Network) port attaches to the broadband (cable or DSL) modem that connects to the Internet.
1 A computer on the LAN initiates a connection by sending a SYN packet to a receiving server on the WAN.
2 The NBG-460N reroutes the packet to Gateway A, which is in Subnet 2.
3 The reply from the WAN goes to the NBG-460N.
4 The NBG-460N then sends it to the computer on the LAN in Subnet 1.
Figure 96 Using IP Alias to Solve the Triangle Route Problem
13.3 General Firewall Screen
Click Security > Firewall to open the General screen.
Table 57 Security > Firewall > General
Log: Select whether to create a log for packets that are traveling in the selected direction when the packets are blocked (Log All) or forwarded (Log Forward), or select Not Log to keep no records. To log packets related to firewall rules, make sure that Access Control under Log is selected in the Logs > Log Settings screen.
Apply: Click Apply to save the settings.
Reset: Click Reset to start configuring this screen again.
Table 58 Security > Firewall > Services
Do not respond to requests for unauthorized services: Select this option to make it harder for an attacker to find the NBG-460N by probing for unused ports. With this option selected, the NBG-460N does not answer requests to ports on which no service is listening (a closed port would normally answer with a TCP reset or an ICMP port-unreachable message), so a port scan from the WAN gets no reply for those ports and the device is not easily seen. This only hides unused ports: services you have enabled still answer, so it is not a substitute for restricting which services are enabled and from where.
Figure 99 Security > Firewall > Services > Adding a Rule
The following table describes the labels in this screen.
Table 59 Security > Firewall > Services > Adding a Rule
Active: Select this check box to turn the rule on.
Address Type: Do you want your rule to apply to packets with a particular (single) IP, a range of IP addresses (for example 192.168.1.10 to 192.169.1.
Table 59 Security > Firewall > Services > Adding a Rule (continued)
Available Services: This is a list of pre-defined services (ports) you may prohibit your LAN computers from using. Select the port you want to block using the drop-down list and click Add to add the port to the Blocked Services field.
Blocked Services: This is a list of services (ports) that will be inaccessible to computers on your LAN once you enable service blocking.
CHAPTER 14 Content Filtering
This chapter provides a brief overview of content filtering using the embedded web GUI.
14.1 Introduction to Content Filtering
Internet content filtering allows you to create and enforce Internet access policies tailored to your needs. Content filtering is the ability to block certain web features or specific URL keywords.
14.2 Restrict Web Features
The NBG-460N can block web features such as ActiveX controls, Java applets and cookies, and can disable web proxies.
14.
Figure 100 Security > Content Filter > Filter
The following table describes the labels in this screen.
Table 60 Security > Content Filter > Filter
Trusted Computer IP Address: To enable this feature, type the IP address of one computer in your network that you want to treat as a trusted computer. The trusted computer gets full access to every feature that content filtering is configured to block. The exemption is keyed only to the source IP address, so any host that uses that address on the LAN receives it; give the trusted computer a fixed address outside the DHCP pool rather than one that DHCP may later hand to another machine.
Table 60 Security > Content Filter > Filter (continued)
Keyword: Type a keyword in this field. You may use any character (up to 64 characters). Wildcards are not allowed. You can also enter a numerical IP address.
Keyword List: This list displays the keywords already added.
Add: Click Add after you have typed a keyword. Repeat this procedure to add other keywords. Up to 64 keywords are allowed.
Table 61 Security > Content Filter > Schedule
Apply: Click Apply to save your customized settings and exit this screen.
Reset: Click Reset to begin configuring this screen afresh.
14.6 Customizing Keyword Blocking URL Checking
You can use commands to set how much of a website’s URL the content filter is to check for keyword blocking. See the appendices for information on how to access and use the command interpreter.
14.6.
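The keyword filter described in Tables 60 and 61 and in Section 14.6 can be modelled to see how the three settings interact: the keyword list (plain substrings, no wildcards, 64 entries of 64 characters), the trusted computer that bypasses the filter, and the choice of how much of the URL is checked. The following is an added example, not ZyXEL code and not the NBG-460N firmware; the class and method names, the `scope` values `"host"` and `"full_url"`, the percent-decoding before matching (a hardening step the manual does not mention) and the sample requests are assumptions for illustration.

```python
"""Keyword URL blocking with a trusted-computer bypass (added example, assumed semantics)."""
from urllib.parse import unquote, urlsplit

MAX_KEYWORDS = 64       # limit stated on the Filter screen
MAX_KEYWORD_LEN = 64


class KeywordFilter:
    """Substring keyword blocking as on Security > Content Filter > Filter."""

    def __init__(self, keywords, trusted_ip=None, scope="full_url"):
        if len(keywords) > MAX_KEYWORDS:
            raise ValueError("at most %d keywords" % MAX_KEYWORDS)
        for kw in keywords:
            if not kw or len(kw) > MAX_KEYWORD_LEN:
                raise ValueError("keyword must be 1-%d characters" % MAX_KEYWORD_LEN)
            if "*" in kw or "?" in kw:
                raise ValueError("wildcards are not allowed: %r" % kw)
        if scope not in ("host", "full_url"):
            raise ValueError("scope must be 'host' or 'full_url'")
        self.keywords = [kw.lower() for kw in keywords]   # keywords may also be numeric IPs
        self.trusted_ip = trusted_ip
        self.scope = scope   # "host": check the hostname only; "full_url": host, path and query

    def _subject(self, url):
        """The part of the URL that is searched for keywords."""
        parts = urlsplit(url if "://" in url else "http://" + url)
        host = (parts.hostname or "").lower()
        if self.scope == "host":
            return host
        full = parts.netloc + parts.path
        if parts.query:
            full += "?" + parts.query
        # Percent-decode so that "c%61sino" cannot slip past the keyword "casino"
        # (hardening assumption; the manual does not say whether the device decodes).
        return unquote(full).lower()

    def decide(self, client_ip, url):
        """Return ("allow" | "block", reason) for one request."""
        if self.trusted_ip is not None and client_ip == self.trusted_ip:
            return "allow", "trusted computer bypasses content filtering"
        subject = self._subject(url)
        for kw in self.keywords:
            if kw in subject:
                return "block", "matched keyword %r" % kw
        return "allow", "no keyword matched"


if __name__ == "__main__":
    # Constructed sample: two keywords (one of them an IP address) and one trusted host.
    f = KeywordFilter(["casino", "10.0.0.5"], trusted_ip="192.168.1.33")
    for ip, url in [("192.168.1.10", "http://www.example.com/games/casino.html"),
                    ("192.168.1.33", "http://www.example.com/games/casino.html"),
                    ("192.168.1.10", "http://10.0.0.5/admin")]:
        print(ip, url, f.decide(ip, url))
```

With `scope="host"` the same keyword `casino` no longer blocks `http://www.example.com/games/casino.html`, because only the hostname is inspected; that is the difference the commands in Section 14.6 control.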
CHAPTER 15 IPSec VPN
15.1 IPSec VPN Overview
A virtual private network (VPN) provides secure communications between sites without the expense of leased site-to-site lines. A secure VPN is a combination of tunneling, encryption, authentication, access control and auditing. It is used to transport traffic over the Internet or any insecure network that uses TCP/IP for communication.
15.1.2 What You Need To Know About IPSec VPN
A VPN tunnel is usually established in two phases. Each phase establishes a security association (SA), a contract indicating what security parameters the NBG-460N and the remote IPSec router will use. The first phase establishes an Internet Key Exchange (IKE) SA between the NBG-460N and the remote IPSec router.
You can usually provide a static IP address or a domain name for the remote IPSec router as well. Sometimes, you might not know the IP address of the remote IPSec router (for example, telecommuters). In this case, you can still set up the IKE SA, but only the remote IPSec router can initiate an IKE SA.
15.1.
The following table describes the fields in this screen.
Table 62 Security > VPN > General
#: This is the VPN policy index number.
Active: This field displays whether the VPN policy is active or not. This icon is turned on when the rule is enabled.
Local Addr.: This displays the beginning and ending (static) IP addresses or a (static) IP address and a subnet mask of computer(s) on your local network behind your NBG-460N.
Remote Addr.
Figure 105 IPSec Fields Summary
Use this screen to configure a VPN rule.
The following table describes the labels in this screen.
Table 63 SECURITY > VPN > Rule Setup: IKE (Basic)
Property
Active: Select this check box to activate this VPN policy.
Keep Alive: Select this check box to have the NBG-460N automatically reinitiate the SA after the SA lifetime times out, even if there is no traffic. The remote IPSec router must also have keep alive enabled in order for this feature to work.
Table 63 SECURITY > VPN > Rule Setup: IKE (Basic) (continued)
Remote Policy: Remote IP addresses must be static and correspond to the remote IPSec router’s configured local IP addresses. The remote fields do not apply when the Secure Gateway IP Address field is configured to 0.0.0.0. In this case only the remote IPSec router can initiate the VPN. Two active SAs cannot have the local and remote IP address(es) both the same.
Table 63 SECURITY > VPN > Rule Setup: IKE (Basic) (continued)
Secure Gateway Address: Type the WAN IP address or the domain name (up to 31 characters) of the IPSec router with which you’re making the VPN connection. Set this field to 0.0.0.0 if the remote IPSec router has a dynamic WAN IP address (the IPSec Keying Mode field must be set to IKE). In order to have more than one active rule with the Secure Gateway Address field set to 0.0.0.
Table 63 SECURITY > VPN > Rule Setup: IKE (Basic) (continued)
Pre-Shared Key: Type your pre-shared key in this field. A pre-shared key identifies a communicating party during a phase 1 IKE negotiation. It is called “pre-shared” because you have to share it with the other party, over some channel other than the tunnel itself, before you can communicate with them over a secure connection. Type from 8 to 31 case-sensitive ASCII characters or from 16 to 62 hexadecimal (“0-9”, “A-F”) characters. The pre-shared key is the only secret that authenticates phase 1, so use a long random value rather than a word or phrase: 31 random printable ASCII characters or 62 random hexadecimal digits both give well over 128 bits of entropy, whereas a short or dictionary value is open to guessing attacks.
Figure 107 Security > VPN > General > Rule Setup: IKE (Advanced)
The following table describes the labels in this screen.
Table 64 Security > VPN > Rule Setup: IKE (Advanced)
Property
Active: Select this check box to activate this VPN policy.
Keep Alive: Select this check box to have the NBG-460N automatically reinitiate the SA after the SA lifetime times out, even if there is no traffic. The remote IPSec router must also have keep alive enabled in order for this feature to work.
Table 64 Security > VPN > Rule Setup: IKE (Advanced) (continued)
Local Address End / Mask: When the local IP address is a single address, type it a second time here. When the local IP address is a range, enter the end (static) IP address of the range of computers on the LAN behind your NBG-460N. When the local IP address is a subnet address, enter a subnet mask for the LAN behind your NBG-460N.
Local Port Start: 0 is the default and signifies any port.
Table 64 Security > VPN > Rule Setup: IKE (Advanced) (continued)
Local Content: When you select IP in the Local ID Type field, type the IP address of your computer in the Local Content field. The NBG-460N automatically uses the IP address in the My IP Address field (refer to the My IP Address field description) if you configure the Local Content field to 0.0.0.0 or leave it blank. It is recommended that you type an IP address other than 0.0.0.
Table 64 Security > VPN > Rule Setup: IKE (Advanced) (continued)
Peer Content: The configuration of the peer content depends on the peer ID type. For IP, type the IP address of the computer with which you will make the VPN connection. If you configure this field to 0.0.0.0 or leave it blank, the NBG-460N will use the address in the Secure Gateway Address field (refer to the Secure Gateway Address field description).
Table 64 Security > VPN > Rule Setup: IKE (Advanced) (continued)
IPSec Protocol: Select the security protocols used for an SA. AH provides integrity and origin authentication but no encryption; ESP provides encryption and, when an authentication algorithm is also selected, integrity. Both AH and ESP increase processing requirements and communications latency (delay). If you select ESP here, you must select options from the Encryption Algorithm and Authentication Algorithm fields (described below).
Encryption Algorithm: Select which key size and encryption algorithm to use in the IPSec SA.
In IPSec SAs using manual keys, the NBG-460N and remote IPSec router do not establish an IKE SA. They only establish an IPSec SA. As a result, an IPSec SA using manual keys has some characteristics of an IKE SA and some characteristics of an IPSec SA. There are also some differences between an IPSec SA using manual keys and other types of SA. Because there is no IKE SA, nothing rekeys the tunnel: the keys you type stay in use until you change them on both routers by hand, and they must be carried between the two sites by some other secure means.
15.2.3.
Figure 108 Security > VPN > General > Rule Setup: Manual
The following table describes the labels in this screen.
Table 65 Security > VPN > Rule Setup: Manual
Property
Active: Select this check box to activate this VPN policy.
IPSec Keying Mode: Select IKE or Manual from the drop-down list box. IKE provides more protection (an authenticated key exchange and automatic rekeying), so it is generally recommended. Manual is a useful option for troubleshooting if you have problems using IKE key management.
Table 65 Security > VPN > Rule Setup: Manual (continued)
DNS Server (for IPSec VPN): If there is a private DNS server that services the VPN, type its IP address here. The NBG-460N assigns this additional DNS server to the NBG-460N’s DHCP clients that have IP addresses in this IPSec rule’s range of local addresses. A DNS server allows clients on the VPN to find other computers and servers on the VPN by their (private) domain names.
Table 65 Security > VPN > Rule Setup: Manual (continued)
Remote Address End / Mask: When the remote IP address is a single address, type it a second time here. When the remote IP address is a range, enter the end (static) IP address of the range of computers on the network behind the remote IPSec router. When the remote IP address is a subnet address, enter a subnet mask for the network behind the remote IPSec router.
Table 65 Security > VPN > Rule Setup: Manual (continued)
IPSec Protocol: Select the security protocols used for an SA. AH provides integrity and origin authentication but no encryption; ESP provides encryption and, when an authentication algorithm is also selected, integrity. Both AH and ESP increase processing requirements and communications latency (delay). If you select ESP here, you must select options from the Encryption Algorithm and Authentication Algorithm fields (described below).
Encryption Algorithm: Select which key size and encryption algorithm to use in the IPSec SA (with manual keys there is no IKE SA).
The following table describes the labels in this screen.
Table 66 Security > VPN > SA Monitor
#: This is the security association index number.
Name: This field displays the identification name for this VPN policy.
Encapsulation: This field displays Tunnel or Transport mode.
IPSec Algorithm: This field displays the security protocols used for an SA. Both AH and ESP increase NBG-460N processing requirements and communications latency (delay).
15.5 IPSec VPN Technical Reference
IKE SA Proposal
The IKE SA proposal is used to identify the encryption algorithm, authentication algorithm, and Diffie-Hellman (DH) key group that the NBG-460N and remote IPSec router use in the IKE SA. In main mode, this is done in steps 1 and 2, as illustrated below.
Figure 111 IKE SA: Main Negotiation Mode, Steps 1 - 2: IKE SA Proposal
The NBG-460N sends a proposal to the remote IPSec router.
Authentication
Before the NBG-460N and remote IPSec router establish an IKE SA, they have to verify each other’s identity. This process is based on pre-shared keys and router identities. In main mode, the NBG-460N and remote IPSec router authenticate each other in steps 5 and 6, as illustrated below. Their identities are encrypted using the encryption algorithm and encryption key the NBG-460N and remote IPSec router selected in previous steps.
In the following example, the ID type and content do not match, so the authentication fails and the NBG-460N and the remote IPSec router cannot establish an IKE SA.
Table 68 VPN Example: Mismatching ID Type and Content
NBG-460N: Local ID type: E-mail; Local ID content: tom@yourcompany.com; Peer ID type: IP; Peer ID content: 1.1.1.15
REMOTE IPSEC ROUTER: Local ID type: IP; Local ID content: 1.1.1.2; Peer ID type: E-mail; Peer ID content: tom@yourcompany.
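The two phase 1 checks in this reference section, the proposal exchange in steps 1 and 2 and the identity check in steps 5 and 6, can be written out as a small model. The following is an added example, not ZyXEL code and not the NBG-460N firmware: it picks the first offered proposal the responder also allows, applies the documented fall-back (an IP-type ID left as 0.0.0.0 or blank means My IP Address on the local side and the Secure Gateway Address on the peer side), and then requires each router’s Peer ID to equal the other router’s Local ID in both type and content. The class and function names, the representation of proposals, and the two constructed remote-router configurations (one reproducing the mismatch of Table 68, one corrected) are assumptions for illustration.

```python
"""Model of IKE phase 1: proposal selection and ID check (added example, assumed API)."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Proposal:
    encryption: str       # e.g. "3DES", "AES-128"
    authentication: str   # e.g. "MD5", "SHA1"
    dh_group: int         # Diffie-Hellman key group number


def select_proposal(initiator_offers, responder_allows):
    """Steps 1-2: the responder accepts the first initiator proposal it also allows."""
    allowed = set(responder_allows)
    for proposal in initiator_offers:
        if proposal in allowed:
            return proposal
    return None


@dataclass(frozen=True)
class Identity:
    id_type: str    # "IP", "DNS" or "E-mail"
    content: str


@dataclass(frozen=True)
class RouterConfig:
    name: str
    wan_ip: str          # My IP Address here; the peer enters it as Secure Gateway Address
    local_id: Identity
    peer_id: Identity


def effective_local_id(cfg):
    """Local Content 0.0.0.0 or blank with type IP means 'use My IP Address'."""
    if cfg.local_id.id_type == "IP" and cfg.local_id.content in ("", "0.0.0.0"):
        return Identity("IP", cfg.wan_ip)
    return cfg.local_id


def effective_peer_id(cfg, remote_wan_ip):
    """Peer Content 0.0.0.0 or blank with type IP means 'use the Secure Gateway Address'."""
    if cfg.peer_id.id_type == "IP" and cfg.peer_id.content in ("", "0.0.0.0"):
        return Identity("IP", remote_wan_ip)
    return cfg.peer_id


def identities_match(a, b):
    """Steps 5-6: A's Peer ID must equal B's Local ID, and B's Peer ID must equal A's Local ID.

    Type and content are compared exactly: a type mismatch fails even when the
    contents happen to look related."""
    return (effective_peer_id(a, b.wan_ip) == effective_local_id(b)
            and effective_peer_id(b, a.wan_ip) == effective_local_id(a))


def negotiate_phase1(a, b, a_offers, b_allows):
    """Outcome of phase 1 between initiator a and responder b."""
    chosen = select_proposal(a_offers, b_allows)
    if chosen is None:
        return {"ike_sa": False, "reason": "no proposal accepted", "proposal": None}
    if not identities_match(a, b):
        return {"ike_sa": False, "reason": "ID type or content mismatch", "proposal": chosen}
    return {"ike_sa": True, "reason": "ok", "proposal": chosen}


# Constructed configurations: the Table 68 mismatch, and a corrected remote router whose
# Local Content is left at 0.0.0.0 so it falls back to its own WAN address 1.1.1.15.
NBG = RouterConfig("NBG-460N", "1.1.1.2",
                   Identity("E-mail", "tom@yourcompany.com"), Identity("IP", "1.1.1.15"))
REMOTE_MISMATCH = RouterConfig("remote", "1.1.1.15",
                               Identity("IP", "1.1.1.2"), Identity("E-mail", "tom@yourcompany.com"))
REMOTE_FIXED = RouterConfig("remote", "1.1.1.15",
                            Identity("IP", "0.0.0.0"), Identity("E-mail", "tom@yourcompany.com"))
OFFERS = [Proposal("3DES", "SHA1", 2), Proposal("AES-128", "SHA1", 5)]
ALLOWS = [Proposal("AES-128", "SHA1", 5)]

if __name__ == "__main__":
    print(negotiate_phase1(NBG, REMOTE_MISMATCH, OFFERS, ALLOWS))
    print(negotiate_phase1(NBG, REMOTE_FIXED, OFFERS, ALLOWS))
```

Note that the proposal is agreed before the identities are checked, so a phase 1 failure logged after a successful proposal match points at the ID type/content fields rather than at the algorithm settings.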
Figure 114 VPN/NAT Example
If router A does NAT, it might change the IP addresses, port numbers, or both. If router X and router Y try to establish a VPN tunnel, the authentication fails because it depends on this information, and the routers cannot establish a VPN tunnel. AH in particular authenticates the IP header itself, so an AH packet cannot pass through address translation at all. Most routers like router A now have an IPSec pass-through feature. This feature helps router A recognize VPN packets and route them appropriately.
These modes are illustrated below.
Figure 115 VPN: Transport and Tunnel Mode Encapsulation
Original Packet: IP Header | TCP Header | Data
Transport Mode Packet: IP Header | AH/ESP Header | TCP Header | Data
Tunnel Mode Packet: IP Header | AH/ESP Header | IP Header | TCP Header | Data
In tunnel mode, the NBG-460N uses the IPSec protocol to encapsulate the entire IP packet.
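The two layouts of Figure 115, and the NAT problem of Figure 114, can be made concrete by building the packets. The following is an added example, not ZyXEL code and not the NBG-460N firmware. It constructs transport-mode and tunnel-mode packets protected by AH in the RFC 4302 style (the integrity check value covers the IP header with its mutable fields zeroed, the AH header, and the payload) and shows that a plain router hop that only decrements the TTL leaves the check valid, while a NAT router that rewrites the source address, as router A does, invalidates it. Simplifications, all assumptions for illustration: the check value is a full HMAC-SHA256 rather than one of the truncated AH-HMAC variants, the TCP segment and addresses are constructed, IP options are not handled, and all function names are the author’s.

```python
"""AH transport vs. tunnel mode, and why NAT breaks it (added example, simplified AH)."""
import hashlib
import hmac
import ipaddress
import struct

AH_PROTO, TCP_PROTO, IPIP_PROTO = 51, 6, 4   # IPv4 protocol / AH next-header numbers
ICV_LEN = 32                                 # full HMAC-SHA256 (assumption; real AH truncates)

def ipv4_checksum(hdr):
    total = sum(struct.unpack("!%dH" % (len(hdr) // 2), hdr))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF

def ipv4_header(src, dst, proto, payload_len, ttl=64):
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0x4000, ttl, proto, 0,
                      ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)
    return hdr[:10] + struct.pack("!H", ipv4_checksum(hdr)) + hdr[12:]

def _fix_checksum(hdr):
    hdr = bytearray(hdr)
    hdr[10:12] = b"\x00\x00"
    hdr[10:12] = struct.pack("!H", ipv4_checksum(bytes(hdr)))
    return bytes(hdr)

def ah_header(next_header, spi, seq, icv=b"\x00" * ICV_LEN):
    payload_len = (12 + ICV_LEN) // 4 - 2      # AH length in 32-bit words, minus 2
    return struct.pack("!BBHII", next_header, payload_len, 0, spi, seq) + icv

def _authenticated_view(ip_hdr, ah_without_icv, payload):
    """Zero the header fields a router may legitimately change, then concatenate."""
    h = bytearray(ip_hdr)
    h[1] = 0                  # DSCP/ECN
    h[6:8] = b"\x00\x00"      # flags + fragment offset
    h[8] = 0                  # TTL
    h[10:12] = b"\x00\x00"    # header checksum
    return bytes(h) + ah_without_icv + payload

def ah_protect(src, dst, next_header, payload, key, spi=0x1000, seq=1):
    ip_hdr = ipv4_header(src, dst, AH_PROTO, 12 + ICV_LEN + len(payload))
    view = _authenticated_view(ip_hdr, ah_header(next_header, spi, seq), payload)
    icv = hmac.new(key, view, hashlib.sha256).digest()
    return ip_hdr + ah_header(next_header, spi, seq, icv) + payload

def transport_mode(src, dst, tcp_segment, key):
    """IP | AH | TCP | Data: the original IP header stays, AH is inserted after it."""
    return ah_protect(src, dst, TCP_PROTO, tcp_segment, key)

def tunnel_mode(gateway_src, gateway_dst, original_packet, key):
    """IP | AH | IP | TCP | Data: the whole original packet becomes the payload."""
    return ah_protect(gateway_src, gateway_dst, IPIP_PROTO, original_packet, key)

def ah_verify(packet, key):
    ip_hdr, rest = packet[:20], packet[20:]
    if ip_hdr[9] != AH_PROTO:
        return False
    ah_len = (rest[1] + 2) * 4
    view = _authenticated_view(ip_hdr, rest[:12] + b"\x00" * ICV_LEN, rest[ah_len:])
    expected = hmac.new(key, view, hashlib.sha256).digest()
    return hmac.compare_digest(expected, rest[12:ah_len])

def layout(packet):
    """Header sequence as drawn in Figure 115."""
    names, proto, data = ["IP Header"], packet[9], packet[20:]
    while True:
        if proto == AH_PROTO:
            names.append("AH Header")
            proto, data = data[0], data[(data[1] + 2) * 4:]
        elif proto == IPIP_PROTO:
            names.append("IP Header")
            proto, data = data[9], data[20:]
        elif proto == TCP_PROTO:
            return names + ["TCP Header", "Data"]
        else:
            return names + ["Unknown"]

def forward_hop(packet):
    """A plain router: decrement TTL and recompute the checksum (mutable fields only)."""
    hdr = bytearray(packet[:20])
    hdr[8] -= 1
    return _fix_checksum(bytes(hdr)) + packet[20:]

def nat_rewrite_source(packet, new_src):
    """Router A doing NAT: rewrite the outer source address, which AH authenticates."""
    hdr = bytearray(packet[:20])
    hdr[12:16] = ipaddress.IPv4Address(new_src).packed
    return _fix_checksum(bytes(hdr)) + packet[20:]

# Constructed sample traffic: a fake 20-byte TCP header plus data, not a real connection.
KEY = b"constructed-demo-key"
TCP_SEGMENT = struct.pack("!HHIIBBHHH", 1234, 80, 1, 0, 0x50, 0x02, 8192, 0, 0) + b"hello"
INNER = ipv4_header("192.168.1.10", "10.1.1.5", TCP_PROTO, len(TCP_SEGMENT)) + TCP_SEGMENT
TRANSPORT = transport_mode("192.168.1.10", "10.1.1.5", TCP_SEGMENT, KEY)
TUNNEL = tunnel_mode("1.1.1.2", "1.1.1.15", INNER, KEY)

if __name__ == "__main__":
    print(layout(TRANSPORT), layout(TUNNEL))
    print("after a router hop:", ah_verify(forward_hop(TUNNEL), KEY))
    print("after NAT:", ah_verify(nat_rewrite_source(TUNNEL, "203.0.113.7"), KEY))
```

In tunnel mode the inner header (192.168.1.10 to 10.1.1.5) travels untouched inside the payload, which is why the NBG-460N can carry private LAN addresses between the two gateways’ WAN addresses; ESP would additionally encrypt that payload but would not cover the outer header, which is why ESP (with IPSec pass-through or NAT traversal) can cross a NAT router while AH cannot.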
Additional IPSec VPN Topics
This section discusses other IPSec VPN topics that apply to either IKE SAs or IPSec SAs or both. Relationships between the topics are also highlighted.
SA Life Time
SAs have a lifetime that specifies how long the SA lasts until it times out.
The following figure depicts an example where one VPN tunnel is created from an NBG-460N at branch office (B) to headquarters (HQ). In order to access computers that use private domain names on the HQ network, the NBG-460N at B uses the Intranet DNS server in headquarters.
Figure 116 Private DNS Server Example (figure: branch office B with its LAN and the ISP DNS servers, and the HQ LAN with its Intranet DNS server)
PART IV Management
Static Route Screens
Bandwidth Management
Remote Management
Universal Plug-and-Play (UPnP)
CHAPTER 16 Static Route Screens
This chapter shows you how to configure static routes for your NBG-460N.
16.1 Static Route Overview
The NBG-460N usually uses the default gateway to route outbound traffic from computers on the LAN to the Internet. To have the NBG-460N send data to devices not reachable through the default gateway, use static routes. For example, the next figure shows a computer (A) connected to the NBG-460N’s LAN interface.
Figure 118 Management > Static Route > IP Static Route
The following table describes the labels in this screen.
Table 69 Management > Static Route > IP Static Route
#: This is the index number of an individual static route. The first entry is for the default route and is not editable.
Name: This is the name that describes or identifies this route.
Active: This icon is turned on when this static route is active.
Figure 119 Management > Static Route > IP Static Route: Static Route Setup
The following table describes the labels in this screen.
Table 70 Management > Static Route > IP Static Route: Static Route Setup
Route Name: Enter the name of the IP static route. Leave this field blank to delete this static route.
Active: This field allows you to activate/deactivate this static route.
CHAPTER 17 Bandwidth Management
This chapter contains information about configuring bandwidth management, editing rules and viewing the NBG-460N’s bandwidth management logs.
17.1 Bandwidth Management Overview
ZyXEL’s Bandwidth Management allows you to specify bandwidth management rules based on an application and/or subnet. You can allocate specific amounts of bandwidth capacity (bandwidth budgets) to different bandwidth rules.
The following figure shows LAN subnets. You could configure one bandwidth class for subnet A and another for subnet B.
Figure 120 Subnet-based Bandwidth Management Example
17.4 Application and Subnet-based Bandwidth Management
You could also create bandwidth classes based on a combination of a subnet and an application. The following example table shows bandwidth allocations for application-specific traffic from separate LAN subnets.
Table 72 Bandwidth Management Priorities
Priority levels: traffic with a higher priority gets through faster, while traffic with a lower priority is dropped if the network is congested.
Mid: Typically used for “excellent effort” or better-than-best-effort traffic, which would include important business traffic that can tolerate some delay.
17.7 Default Bandwidth Management Classes and Priorities
If you enable bandwidth management but do not configure a rule for critical traffic like VoIP, the voice traffic may then get delayed due to insufficient bandwidth. With the automatic traffic classifier feature activated, the NBG-460N automatically assigns a default bandwidth management class and priority to traffic that does not match any of the user-defined rules. The traffic is classified based on the traffic type.
The following table describes the labels in this screen.
Table 75 Management > Bandwidth MGMT > General
Enable Bandwidth Management: Select this check box to have the NBG-460N apply bandwidth management. Enable bandwidth management to give traffic that matches a bandwidth rule priority over traffic that does not match a bandwidth rule.
The following table describes the labels in this screen.
Table 76 Management > Bandwidth MGMT > Advanced
Check my upstream bandwidth: Click the Detection button to check the size of your upstream bandwidth.
Upstream Bandwidth (kbps): Enter the amount of bandwidth in kbps (2 to 100,000) that you want to allocate for traffic. 20 kbps to 20,000 kbps is recommended.
17.9.1 Rule Configuration with the Pre-defined Service
To edit a bandwidth management rule for a pre-defined service in the NBG-460N, click the Edit icon in the Application List table of the Advanced screen. The following screen displays.
Figure 123 Bandwidth Management Rule Configuration: Pre-defined Service
The following table describes the labels in this screen.
Figure 124 Management > Bandwidth MGMT > Advanced: User-defined Service Rule Configuration
The following table describes the labels in this screen.
Table 78 Management > Bandwidth MGMT > Advanced: User-defined Service Rule Configuration
BW Budget: Select Maximum Bandwidth or Minimum Bandwidth and specify the maximum or minimum bandwidth allowed for the rule in kilobits per second.
Figure 125 Management > Bandwidth MGMT > Monitor
CHAPTER 18 Remote Management
This chapter provides information on the Remote Management screens.
18.1 Remote Management Overview
Remote management allows you to determine which services/protocols can access which NBG-460N interface (if any) from which computers.
Note: When you configure remote management to allow management from the WAN, you still need to configure a firewall rule to allow access. See the firewall chapters for details on configuring firewall rules.
1 You have disabled that service in one of the remote management screens.
2 The IP address in the Secured Client IP Address field does not match the client IP address. If it does not match, the NBG-460N will disconnect the session immediately.
3 There is already another remote management session with an equal or higher priority running. You may only have one remote management session running at one time.
4 There is a firewall rule that blocks it.
18.1.
Secured Client IP Address: A secured client is a “trusted” computer that is allowed to communicate with the NBG-460N using this service. Select All to allow any computer to access the NBG-460N using this service. Choose Selected to allow only the computer with the IP address that you specify to access the NBG-460N using this service. Because this check is based on the source IP address alone, choose Selected with a single address whenever a service is reachable from the WAN; All exposes the service to the whole Internet.
Apply: Click Apply to save your customized settings and exit this screen.
18.5 FTP Screen
You can use FTP (File Transfer Protocol) to upload and download the NBG-460N’s firmware and configuration files. To use this feature, your computer must have an FTP client. To change your NBG-460N’s FTP settings, click Management > Remote MGMT > FTP. The screen appears as shown. Use this screen to specify which interfaces allow FTP access and from which IP address the access can come. FTP sends the password and the transferred files (including the configuration file) in clear text, so restrict it to the LAN or to a single Secured Client IP Address and avoid enabling it on the WAN.
Figure 129 Management > Remote MGMT > DNS
The following table describes the labels in this screen.
Table 82 Management > Remote MGMT > DNS
Server Port: The DNS service port number is 53 and cannot be changed here.
Server Access: Select the interface(s) through which a computer may send DNS queries to the NBG-460N.
Secured Client IP Address: A secured client is a “trusted” computer that is allowed to send DNS queries to the NBG-460N.
CHAPTER 19 Universal Plug-and-Play (UPnP)
This chapter introduces the UPnP feature in the web configurator.
19.1 Introducing Universal Plug and Play
Universal Plug and Play (UPnP) is a distributed, open networking standard that uses TCP/IP for simple peer-to-peer network connectivity between devices. A UPnP device can dynamically join a network, obtain an IP address, convey its capabilities and learn about other devices on the network.
When a UPnP device joins a network, it announces its presence with a multicast message. For security reasons, the NBG-460N allows multicast messages on the LAN only. All UPnP-enabled devices may communicate freely with each other without additional configuration. Note that UPnP does not authenticate requests: any program running on any computer on the LAN can ask the NBG-460N to create a port mapping that exposes that computer to the WAN, which is how the port mappings shown later in this chapter come to exist. Disable UPnP if this is not your intention.
19.2 UPnP and ZyXEL
ZyXEL has achieved UPnP certification from the Universal Plug and Play Forum UPnP™ Implementers Corp. (UIC).
Table 83 Management > UPnP > General
Apply: Click Apply to save the setting to the NBG-460N.
Reset: Click Reset to begin configuring this screen afresh.
19.4 Installing UPnP in Windows Example
This section shows how to install UPnP in Windows Me and Windows XP.
19.4.0.1 Installing UPnP in Windows Me
Follow the steps below to install UPnP in Windows Me.
1 Click Start and Control Panel. Double-click Add/Remove Programs.
Figure 132 Add/Remove Programs: Windows Setup: Communication: Components
4 Click OK to go back to the Add/Remove Programs Properties window and click Next.
5 Restart the computer when prompted.
Installing UPnP in Windows XP
Follow the steps below to install UPnP in Windows XP.
1 Click Start and Control Panel.
2 Double-click Network Connections.
3 In the Network Connections window, click Advanced in the main menu and select Optional Networking Components ….
Figure 134 Windows Optional Networking Components Wizard
5 In the Networking Services window, select the Universal Plug and Play check box.
Figure 135 Networking Services
6 Click OK to go back to the Windows Optional Networking Component Wizard window and click Next.
19.4.0.2 Using UPnP in Windows XP Example
This section shows you how to use the UPnP feature in Windows XP. You must already have UPnP installed in Windows XP and UPnP activated on the NBG-460N. Make sure the computer is connected to a LAN port of the NBG-460N. Turn on your computer and the NBG-460N.
Auto-discover Your UPnP-enabled Network Device
1 Click Start and Control Panel. Double-click Network Connections. An icon displays under Internet Gateway.
Figure 137 Internet Connection Properties
4 You may edit or delete the port mappings or click Add to manually add port mappings.
Figure 138 Internet Connection Properties: Advanced Settings
Figure 139 Internet Connection Properties: Advanced Settings: Add
5 When the UPnP-enabled device is disconnected from your computer, all port mappings will be deleted automatically.
6 Select the Show icon in notification area when connected option and click OK. An icon displays in the system tray.
Figure 140 System Tray Icon
7 Double-click on the icon to display your current Internet connection status.
Figure 141 Internet Connection Status
Web Configurator Easy Access
With UPnP, you can access the web-based configurator on the NBG-460N without finding out the IP address of the NBG-460N first. This is helpful if you do not know the IP address of the NBG-460N. Follow the steps below to access the web configurator.
1 Click Start and then Control Panel.
Figure 142 Network Connections
4 An icon with the description for each UPnP-enabled device displays under Local Network.
5 Right-click on the icon for your NBG-460N and select Invoke. The web configurator login screen displays.
Figure 143 Network Connections: My Network Places
6 Right-click on the icon for your NBG-460N and select Properties. A properties window displays with basic information about the NBG-460N.
PART V Maintenance and Troubleshooting
System
Logs
Tools
Configuration Mode
Sys Op Mode
Language
Troubleshooting
CHAPTER 20 System
This chapter provides information on the System screens.
20.1 System Overview
See the chapter about wizard setup for more information on the next few screens.
20.2 System General Screen
Click Maintenance > System. The following screen displays.
Figure 145 Maintenance > System > General
The following table describes the labels in this screen.
Table 84 Maintenance > System > General
Administrator Inactivity Timer: Type how many minutes a management session can be left idle before the session times out. The default is 5 minutes. After it times out you have to log in with your password again. A long idle timeout leaves an authenticated session open on an unattended browser, so keep it short. A value of “0” means a management session never times out, no matter how long it has been left idle (not recommended).
The following table describes the labels in this screen.
Table 85 Maintenance > System > Time Setting
Current Time and Date
Current Time: This field displays the time of your NBG-460N. Each time you reload this page, the NBG-460N synchronizes the time with the time server.
Current Date: This field displays the date of your NBG-460N. Each time you reload this page, the NBG-460N synchronizes the date with the time server.
Table 85 Maintenance > System > Time Setting (continued)
End Date: Configure the day and time when Daylight Saving Time ends if you selected Daylight Savings. The o'clock field uses the 24-hour format. Here are a couple of examples: Daylight Saving Time ends in the United States on the first Sunday of November (before 2007 it ended on the last Sunday of October). Each time zone in the United States stops using Daylight Saving Time at 2 A.M. local time.
CHAPTER 21 Logs
This chapter contains information about configuring general log settings and viewing the NBG-460N’s logs. Refer to the appendices for example log message explanations.
21.1 View Log
The web configurator allows you to look at all of the NBG-460N’s logs in one location. Click Maintenance > Logs to open the View Log screen. Use the View Log screen to see the logs for the categories that you selected in the Log Settings screen (see Section 21.2).
The following table describes the labels in this screen.
Table 86 Maintenance > Logs > View Log
Display: The categories that you select in the Log Settings page (see Section 21.2) display in the drop-down list box. Select a category of logs to view; select All Logs to view logs from all of the log categories that you selected in the Log Settings page.
Figure 148 Maintenance > Logs > Log Settings
The following table describes the labels in this screen.
Table 87 Maintenance > Logs > Log Settings
E-mail Log Settings
Mail Server: Enter the server name or the IP address of the mail server for the e-mail addresses specified below. If this field is left blank, logs and alert messages will not be sent via e-mail.
Table 87 Maintenance > Logs > Log Settings (continued)
Send Alerts To: Alerts are real-time notifications that are sent as soon as an event, such as a DoS attack, system error, or forbidden web access attempt, occurs. Enter the e-mail address where the alert messages will be sent. Alerts include system errors, attacks and attempted access to blocked web sites. If this field is left blank, alert messages will not be sent via e-mail.
21.3 Log Descriptions
This section provides descriptions of example log messages.
Table 88 System Maintenance Logs
LOG MESSAGE | DESCRIPTION
Time calibration is successful | The router has adjusted its time based on information from the time server.
Time calibration failed | The router failed to get information from the time server.
WAN interface gets IP:%s | A WAN interface got a new IP address from the DHCP, PPPoE, PPTP or dial-up server.
Table 89 System Error Logs
LOG MESSAGE | DESCRIPTION
%s exceeds the max. number of session per host! | This attempt to create a NAT session exceeds the maximum number of NAT session table entries allowed to be created per host.
setNetBIOSFilter: calloc error | The router failed to allocate memory for the NetBIOS filter settings.
readNetBIOSFilter: calloc error | The router failed to allocate memory for the NetBIOS filter settings.
WAN connection is down. | A WAN connection is down.
Table 91 TCP Reset Logs (continued)
LOG MESSAGE | DESCRIPTION
Firewall session time out, sent TCP RST | The router sent a TCP reset packet when a dynamic firewall session timed out. The default timeout values are as follows:
  ICMP idle timeout: 3 minutes
  UDP idle timeout: 3 minutes
  TCP connection (three way handshaking) timeout: 270 seconds
  TCP FIN-wait timeout: 2 MSL (Maximum Segment Lifetime set in the TCP header).
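The two messages above (the per-host session limit from Table 89 and the session timeout from Table 91) both come from the router's stateful session table. The toy session table below is an added illustration written for this guide, not ZyXEL's code: it admits sessions per host, expires them with the default idle timeouts listed for the TCP reset log, and emits the guide's log messages. The per-host limit, the MSL value, the idle timeout for an established TCP session and the session-key layout are constructed assumptions for the demo.

```python
"""Toy stateful session table modelled on the NBG-460N log descriptions.

Added illustration, not ZyXEL's code. It emits the two messages the guide
documents ("%s exceeds the max. number of session per host!" from Table 89
and "Firewall session time out, sent TCP RST" from Table 91) and applies the
default idle timeouts listed for the TCP reset log. The per-host limit, the
MSL value, the established-TCP idle timeout and the session-key layout are
constructed assumptions for this demo.
"""
from dataclasses import dataclass, field

# Timeouts from Table 91, in seconds.
ICMP_IDLE = 3 * 60
UDP_IDLE = 3 * 60
TCP_HANDSHAKE = 270
MSL = 60                      # assumed value; the guide only says "2 MSL"
TCP_FIN_WAIT = 2 * MSL
TCP_ESTABLISHED_IDLE = 3600   # assumed; not listed in this excerpt
MAX_SESSIONS_PER_HOST = 4     # assumed small limit so the cap is easy to hit


@dataclass
class Session:
    proto: str        # "tcp", "udp" or "icmp"
    state: str        # for TCP: "handshake", "established" or "fin_wait"
    last_seen: float  # seconds; the caller supplies the clock

    def timeout(self) -> int:
        """Idle timeout that applies to this session in its current state."""
        if self.proto == "icmp":
            return ICMP_IDLE
        if self.proto == "udp":
            return UDP_IDLE
        return {"handshake": TCP_HANDSHAKE,
                "fin_wait": TCP_FIN_WAIT}.get(self.state, TCP_ESTABLISHED_IDLE)


@dataclass
class SessionTable:
    sessions: dict = field(default_factory=dict)  # (host, dst, proto) -> Session
    log: list = field(default_factory=list)       # messages in the guide's wording

    def _count_for_host(self, host: str) -> int:
        return sum(1 for key in self.sessions if key[0] == host)

    def open(self, host: str, dst: str, proto: str, now: float,
             state: str = "established") -> bool:
        """Admit a new session, or refresh an existing one. Returns False and
        logs the Table 89 message when the host is already at its limit."""
        key = (host, dst, proto)
        if key in self.sessions:
            self.sessions[key].last_seen = now
            return True
        if self._count_for_host(host) >= MAX_SESSIONS_PER_HOST:
            self.log.append(f"{host} exceeds the max. number of session per host!")
            return False
        self.sessions[key] = Session(proto, state, now)
        return True

    def transition(self, host: str, dst: str, state: str, now: float) -> None:
        """Move a TCP session to a new state (e.g. handshake -> established)."""
        s = self.sessions[(host, dst, "tcp")]
        s.state, s.last_seen = state, now

    def expire(self, now: float) -> list:
        """Drop sessions idle past their timeout. For TCP the router sends a
        reset and logs the Table 91 message. Returns the dropped keys."""
        dropped = []
        for key, s in list(self.sessions.items()):
            if now - s.last_seen >= s.timeout():
                if s.proto == "tcp":
                    self.log.append("Firewall session time out, sent TCP RST")
                dropped.append(key)
                del self.sessions[key]
        return dropped


if __name__ == "__main__":
    t = SessionTable()
    t.open("192.168.1.10", "203.0.113.5:80", "tcp", now=0, state="handshake")
    print(t.expire(now=270), t.log)
```

A half-open TCP session (SYN seen, handshake never completed) is dropped after 270 seconds, a session in FIN-wait after 2 MSL, and UDP or ICMP entries after three idle minutes with no reset sent, since there is no connection to reset.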
Table 94 CDR Logs
LOG MESSAGE | DESCRIPTION
board%d line%d channel%d, call%d,%s C01 Outgoing Call dev=%x ch=%x%s | The router received the setup requirements for a call. “call” is the reference (count) number of the call. “dev” is the device type (3 is for dial-up, 6 is for PPPoE, 10 is for PPTP). “channel” or “ch” is the call channel ID. For example, “board 0 line 0 channel 0, call 3, C01 Outgoing Call dev=6 ch=0” means the router has dialed to the PPPoE server 3 times.
Table 97 Content Filtering Logs (continued)
LOG MESSAGE | DESCRIPTION
%s: Proxy mode detected | The router detected proxy mode in the packet.
%s | The content filter server responded that the web site is in the blocked category list, but it did not return the category type.
%s:%s | The content filter server responded that the web site is in the blocked category list, and returned the category type.
Table 98 Attack Logs (continued)
LOG MESSAGE | DESCRIPTION
teardrop UDP | The firewall detected a UDP teardrop attack.
teardrop ICMP (type:%d, code:%d) | The firewall detected an ICMP teardrop attack. For type and code details, see Table 104 on page 247.
illegal command TCP | The firewall detected a TCP illegal command attack.
NetBIOS TCP | The firewall detected a TCP NetBIOS attack.
Table 100 IKE Logs (continued)
LOG MESSAGE | DESCRIPTION
Verifying Local ID failed: | The connection failed during IKE phase 2 because the router and the peer’s Local/Remote Addresses don’t match.
IKE Packet Retransmit | The router retransmitted the last packet sent because there was no response from the peer.
Failed to send IKE Packet | An Ethernet error stopped the router from sending IKE packets.
Too many errors! Deleting SA | An SA was deleted because there were too many errors.
Table 100 IKE Logs (continued)
LOG MESSAGE | DESCRIPTION
No known phase 1 ID type found | The router could not find a known phase 1 ID in the connection attempt.
ID type mismatch. Local / Peer: | The phase 1 ID types do not match.
ID content mismatch | The phase 1 ID contents do not match.
Configured Peer ID Content: | The phase 1 ID contents do not match and the configured “Peer ID Content” is displayed.
Table 100 IKE Logs (continued)
LOG MESSAGE | DESCRIPTION
Rule [%d] Phase 1 ID mismatch | The listed rule’s IKE phase 1 ID did not match between the router and the peer.
Rule [%d] Phase 1 hash mismatch | The listed rule’s IKE phase 1 hash did not match between the router and the peer.
Rule [%d] Phase 1 preshared key mismatch | The listed rule’s IKE phase 1 pre-shared key did not match between the router and the peer.
Table 101 PKI Logs (continued)
LOG MESSAGE | DESCRIPTION
Rcvd user cert: | The router received a user certificate, with subject name as recorded, from the LDAP server whose IP address and port are recorded in the Source field.
Rcvd CRL : | The router received a CRL (Certificate Revocation List), with size and issuer name as recorded, from the LDAP server whose IP address and port are recorded in the Source field.
Table 102 802.1X Logs (continued)
LOG MESSAGE | DESCRIPTION
User logout because of user deassociation. | The router logged out a user who ended the session.
User logout because of no authentication response from user. | The router logged out a user from which there was no authentication response.
User logout because of idle timeout expired. | The router logged out a user whose idle timeout period expired.
User logout because of user request. | A user logged out.
Table 104 ICMP Notes (continued)
TYPE | CODE | DESCRIPTION
 | 5 | Source route failed
Source Quench 4 | 0 | A gateway may discard internet datagrams if it does not have the buffer space needed to queue the datagrams for output to the next network on the route to the destination network.
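The message formats in Tables 88, 89, 91, 98 and 100 are stable strings with a few printf-style fields, which makes them easy to parse once the logs are exported (for example through the e-mail log settings above) rather than read one screen at a time. The parser below is an added example for this guide, not ZyXEL's code: it matches the message patterns the tables document, extracts the variable fields (host, ICMP type and code, rule number, WAN address), resolves an ICMP type/code pair against the one Table 104 entry visible in this excerpt, and sorts the results into attack alerts versus informational entries. The sample log lines and the "timestamp | message" line layout are constructed for the demo; the real View Log screen shows additional columns that this excerpt does not list.

```python
"""Parse and triage NBG-460N style log messages.

Added example, not ZyXEL's code. Message patterns come from the guide's log
tables (88, 89, 91, 98, 100); the "timestamp | message" line layout, the
severity labels and the sample lines below are constructed assumptions.
"""
import re
from collections import Counter

# (category, severity, pattern) in the order they are tried.
PATTERNS = [
    ("system_error", "alert",
     re.compile(r"^(?P<host>\S+) exceeds the max\. number of session per host!$")),
    ("tcp_reset", "info",
     re.compile(r"^Firewall session time out, sent TCP RST$")),
    ("attack", "alert",
     re.compile(r"^teardrop ICMP \(type:(?P<type>\d+), code:(?P<code>\d+)\)$")),
    ("attack", "alert",
     re.compile(r"^(?P<kind>teardrop UDP|illegal command TCP|NetBIOS TCP)$")),
    ("ike", "warning",
     re.compile(r"^Rule \[(?P<rule>\d+)\] Phase 1 (?P<what>ID|hash|preshared key) mismatch$")),
    ("ike", "warning", re.compile(r"^IKE Packet Retransmit$")),
    ("system_maint", "info",
     re.compile(r"^WAN interface gets IP:(?P<ip>\S+)$")),
    ("system_maint", "info",
     re.compile(r"^Time calibration (?P<result>is successful|failed)$")),
]

# Only the ICMP type/code entry shown in this excerpt of Table 104.
ICMP_NOTES = {(4, 0): "Source Quench"}


def parse_line(line: str) -> dict:
    """Split a constructed 'timestamp | message' line and classify the message.
    Unknown messages are kept (category 'unknown') rather than dropped."""
    ts, _, msg = line.partition(" | ")
    for category, severity, rx in PATTERNS:
        m = rx.match(msg)
        if not m:
            continue
        fields = {k: v for k, v in m.groupdict().items() if v is not None}
        if "type" in fields:  # decode the teardrop ICMP type/code per Table 104
            key = (int(fields["type"]), int(fields["code"]))
            fields["icmp"] = ICMP_NOTES.get(key, "unknown")
        return {"time": ts, "category": category, "severity": severity,
                "message": msg, **fields}
    return {"time": ts, "category": "unknown", "severity": "info", "message": msg}


def triage(lines):
    """Parse every line; return (entries, per-category counts, alert entries)."""
    entries = [parse_line(line) for line in lines]
    counts = Counter(e["category"] for e in entries)
    alerts = [e for e in entries if e["severity"] == "alert"]
    return entries, counts, alerts


# Constructed sample log; timestamps and addresses are made up for the demo.
SAMPLE_LOG = [
    "2008-01-01 10:00:01 | 192.168.1.33 exceeds the max. number of session per host!",
    "2008-01-01 10:00:05 | teardrop ICMP (type:4, code:0)",
    "2008-01-01 10:00:09 | Rule [2] Phase 1 preshared key mismatch",
    "2008-01-01 10:00:12 | Firewall session time out, sent TCP RST",
    "2008-01-01 10:00:20 | WAN interface gets IP:203.0.113.7",
    "2008-01-01 10:00:25 | Time calibration is successful",
    "2008-01-01 10:00:30 | teardrop UDP",
]

if __name__ == "__main__":
    _, counts, alerts = triage(SAMPLE_LOG)
    print(dict(counts))
    for a in alerts:
        print(a["time"], a["category"], a["message"])
```

Anchoring every pattern with `^` and `$` matters: several messages in these tables are prefixes of one another (the bare `%s` content-filter entry would otherwise match anything), so a loose match would misclassify entries. Keeping unmatched lines under an "unknown" category instead of discarding them makes it obvious when the router produces a message the parser does not yet cover.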
The following table shows RFC-2408 ISAKMP payload types that the log displays. Please refer to the RFC for detailed information on each type.
NBG-460N User’s Guide