Gateway
Overview
This section describes the menus you use to monitor the Nebula managed security gateways in your network and to configure gateway settings, even before a gateway is deployed and added to the site.
Monitor
Use the Monitor menus to check the security gateway information, client information, event log messages and summary report for the gateway in the selected site.
Security Gateway
This screen allows you to view the detailed information about a security gateway in the selected site.
The following table describes the labels in this screen.
Gateway > Monitor > Security Gateway
Label
Description
Configuration
Click the edit icon to change the device name, description, tags and address. You can also move the device to another site.
Name
This shows the descriptive name of the gateway.
MAC address
This shows the MAC address of the gateway.
Serial number
This shows the serial number of the gateway.
Description
This shows the user-specified description for the gateway.
Address
This shows the user-specified address for the gateway.
Tags
This shows the user-specified tag for the gateway.
Port
This shows the ports on the gateway.
The port is highlighted in green color when it is connected and the link is up.
Map
This shows the location of the gateway on the Google map.
Photo
This shows the photo of the gateway. Click Add to upload one or more photos. Click x to remove a photo.
Status
WAN1/WAN2
This shows the IP address, gateway and DNS information for the active WAN connection.
Public IP
This shows the global (WAN) IP address of the gateway.
CPU usage
This shows what percentage of the gateway’s processing capability is currently being used.
Memory usage
This shows what percentage of the gateway’s RAM is currently being used.
Security Service
This shows whether security services are enabled on the gateway. Click What is this? to view the type of enabled security services.
Usage
This shows the amount of data that has been transmitted or received by the gateway’s clients.
Topology
Click Show to go to the Site-Wide > Monitor > Topology screen. See Topology.
History
Click Event log to go to the Gateway > Monitor > Event log screen.
Configuration status
This shows whether the configuration on the gateway is up-to-date.
Firmware status
This shows whether the firmware installed on the gateway is up-to-date.
Live tools
Internet traffic
This shows the WAN port statistics.
The y-axis represents the transmission rate in Kbps (kilobits per second).
The x-axis shows the time period over which the traffic flow occurred.
DHCP leases
This shows the IP addresses currently assigned to DHCP clients.
Ping
Enter the host name or IP address of the computer you want to ping to test connectivity, then click Ping. You can select the interface through which the gateway sends the ping requests.
Trace route
Enter the host name or IP address of the computer to which you want to run a traceroute. This shows the path a packet takes to reach the specified computer.
DNS
Enter a host name and click Run to resolve the IP address for the specified domain name.
Reboot gateway
Click the Reboot button to restart the gateway.
Network usage and connectivity
Move the cursor over the chart to see the transmission rate at a specific time.
Zoom
Select to view the statistics in the past twelve hours, day, week, month, three months or six months.
Pan
Click to move backward or forward by one day or week.
Client
This screen allows you to view the connection status and detailed information about clients connected to a security gateway in the selected site.
The following table describes the labels in this screen.
Gateway > Monitor > Client
Label
Description
Security Gateway - Client
Select to view the device information and connection status in the past two hours, day, week or month.
Click this button to reload the data-related frames on this page.
Usage
y-axis
The y-axis shows the transmission speed of data sent or received by the client in kilobits per second (Kbps).
x-axis
The x-axis shows the time period over which the traffic flow occurred.
Top 10 Ports
This shows top ten applications/services and the ports that identify a service.
Click More to display port details. Click Less to hide them.
Port Details
Name
This shows the service name and the associated port number(s).
Usage
This shows the amount of data consumed by the service.
% Usage
This shows the percentage of usage for the service.
Policy
Select the client(s) from the table below, and then choose the security policy that you want to apply to the selected client(s). To allow the selected clients to bypass captive portal authentication, choose Whitelisted. Otherwise, choose Normal and click Apply policy.
Search
Specify your desired filter criteria to filter the list of clients.
client
This shows the number of clients connected to the gateway in the site network.
Add client
Click this button to open a window where you can specify a client’s name and IP address to apply a policy before it is connected to the gateway’s network.
Export
Click this button to save the client list as a CSV or XML file to your computer.
Status
This shows whether the client is online (green) or offline (red).
Description
This shows the descriptive name of the client.
Click the name to display the individual client statistics. See Client Details.
First seen
This shows the first date and time the client was discovered over the specified period of time.
Last seen
This shows the last date and time the client was discovered over the specified period of time.
Connected to
This shows the name of the Nebula device to which the client is connected in this site.
Click the device name to display the screen where you can view detailed information about the Nebula device.
IPv4 address
This shows the IP address of the client.
MAC address
This shows the MAC address of the client.
Click the MAC address to display the individual client statistics. See Client Details.
OS
This shows the operating system running on the client device.
Manufacturer
This shows the manufacturer of the client device.
Note
This shows additional information for the client.
Usage
This shows the amount of data transmitted by the client.
User
This shows the number of users currently connected to the network through the client device.
Interface
This shows the interface on the security gateway to which the client belongs.
Policy
This shows the security policy applied to the client.
Click this icon to display a greater or lesser number of configuration fields.
Client Details
Click a client’s descriptive name in the Gateway > Monitor > Client screen to display individual client statistics.
The following table describes the labels in this screen.
Gateway > Monitor > Client: Client Details
Label
Description
Client
Click the edit icon to change the client name.
Status
This shows whether the client is online (green) or offline (red). It also shows the last date and time the client was discovered.
Device type
This shows the manufacturer of the client device.
History
Click Event log to go to the Gateway > Monitor > Event log screen.
Note
This shows additional information for the client. Click the edit icon to modify it.
Period
Select to view the client connection status in the past two hours, day, week or month.
Pan
Click to move backward or forward by two hours or one day.
y-axis
The y-axis shows the transmission speed of data sent or received by the client in kilobits per second (Kbps).
x-axis
The x-axis shows the time period over which the traffic flow occurred.
Network
IPv4 address
This shows the IP address of the client.
MAC address
This shows the MAC address of the client.
Interface
This shows the interface on the security gateway to which the client belongs.
Port forwarding
This shows the public IP address or DDNS host name and port mapping information if there is a virtual server rule configured for this client.
1:1 NAT IPs
This shows the public IP address information if there is a 1:1 NAT rule configured for this client.
Event Log
Use this screen to view gateway log messages. You can enter a keyword, select one or more event types, or specify a date/time or a time range to display only the log messages that match.
VPN Connection
Use this screen to view the status of the site-to-site IPSec VPN connections and L2TP VPN sessions.
Note: If the peer gateway is not a Nebula device, go to the Gateway > Configure > Site-to-Site VPN screen to view and configure a VPN rule. See Site-to-Site VPN for more information.
The following table describes the labels in this screen.
Gateway > Monitor > VPN Connection
Label
Description
Click this button to reload the data-related frames on this page.
Connection Status
Configuration
This shows the number and address of the local network(s) behind the security gateway, on which the computers are allowed to use the VPN tunnel.
NAT Type
This shows the public IP address or the domain name that is configured and mapped to the security gateway on the NAT router.
Site Connectivity
Location
This shows the name of the site to which the peer gateway is assigned.
Click the name to go to the Gateway > Configure > Site-to-Site VPN screen, where you can modify the VPN settings.
Subnet(s)
This shows the address of the local network(s) behind the gateway.
Status
This shows whether the VPN tunnel is connected or disconnected.
Inbound (Bytes)
This shows the amount of traffic that has gone through the VPN tunnel from the remote IPSec router to the Nebula security gateway since the VPN tunnel was established.
Outbound (Bytes)
This shows the amount of traffic that has gone through the VPN tunnel from the Nebula security gateway to the remote IPSec router since the VPN tunnel was established.
Tunnel up time
This shows how many seconds the VPN tunnel has been active.
Last heartbeat
This shows the last date and time a heartbeat packet was sent to determine whether the VPN tunnel is up or down.
L2TP Login Account
User Name
This shows the remote user’s login account name.
Hostname
This shows the name of the computer that has this L2TP VPN connection with the gateway.
Assigned IP
This shows the IP address that the gateway assigned for the remote user’s computer to use within the L2TP VPN tunnel.
Public IP
This shows the public IP address that the remote user is using to connect to the Internet.
NSS Analysis Report
Use this screen to view the statistics report for NSS (Nebula Security Service). The screen varies depending on the service type (Application, Content Filtering, or Anti-Virus) you select.
The following table describes the labels in this screen.
Gateway > Monitor > NSS Analysis Report
Label
Description
Security Gateway - NSS Analysis
Select to view the report for the past day, week or month. Alternatively, select Select range... to specify a time period the report will span. You can also select the number of results you want to view in a table.
 
Select the type of service for which you want to view the statistics report.
Email report
Click this button to send summary reports by email, change the logo and set email schedules.
Application
The following fields display when you select to view the application statistics. Click a specific segment of the donut chart or the application name to view the IPv4 addresses of the clients that use that application. Click the number in the center of the donut chart or Top Application under the chart to switch back to the previous screen.
y-axis
The y-axis shows the amount of the application’s traffic which has been transmitted or received.
x-axis
The x-axis shows the time period over which the traffic flow occurred.
Application
This shows the name of the application. Click an application name to view the IPv4 addresses of the clients who used the application.
IPv4 Address
This shows the IPv4 address of the client who used the application.
This field is available when you click a specific segment of the donut chart or the application name.
Category
This shows the name of the category to which the application belongs.
Usage
This shows the total amount of data consumed by the application used by all or a specific IPv4 address.
% Usage
This shows the percentage of usage for the application used by all or a specific IPv4 address.
Content Filtering
The following fields display when you select to view the content filtering statistics. Click a specific segment of the donut chart or the website URL to view the IPv4 addresses of the clients that tried to access that web page. Click the number in the center of the donut chart or Content Filtering under the chart to switch back to the previous screen.
y-axis
The y-axis shows the number of hits on web pages that the gateway’s content filter service has blocked.
x-axis
The x-axis shows the time period over which the web page is checked.
Website
This shows the URL of the web page to which the gateway blocked access. Click a website URL to view the IPv4 addresses of the clients who tried to access the web page.
IPv4 Address
This shows the IPv4 address of the client who tried to access the web page.
This field is available when you click a specific segment of the donut chart or the website URL.
Category
This shows the name of the category to which the web page belongs.
Hits
This shows the number of hits on the web page visited by all or a specific IPv4 address.
% Hits
This shows the percentage of the hit counts for the web page visited by all or a specific IPv4 address.
Anti-Virus
The following fields display when you select to view the anti-virus statistics. Click a specific segment of the donut chart or the virus name to view the IPv4 addresses of the clients that sent the virus. Click the number in the center of the donut chart or Anti-Virus under the chart to switch back to the previous screen.
y-axis
The y-axis shows the total number of viruses that the gateway has detected.
x-axis
The x-axis shows the time period over which the virus is detected.
Virus Name
This shows the name of the virus that the gateway has detected and blocked. Click a virus name to view the IPv4 addresses of the clients who sent the virus.
IPv4 Address
This shows the IPv4 address of the virus sender.
This field is available when you click a specific segment of the donut chart or the virus name.
Hits
This shows how many times the gateway has detected the virus sent by all or a specific IPv4 address.
% Hits
This shows the percentage of the hit counts for the virus sent by all or a specific IPv4 address.
Summary Report
This screen displays network statistics for the gateway of the selected site, such as WAN usage, top applications and/or top clients.
The following table describes the labels in this screen.
Gateway > Monitor > Summary Report
Label
Description
Security gateway - Summary report
Select to view the report for the past day, week or month. Alternatively, select Select range... to specify a time period the report will span. You can also select the number of results you want to view in a table.
Email report
Click this button to send summary reports by email, change the logo and set email schedules.
WAN1/WAN2 usage
y-axis
The y-axis shows the transmission speed of data sent or received through the WAN connection in kilobits per second (Kbps).
x-axis
The x-axis shows the time period over which the traffic flow occurred.
VPN usage
y-axis
The y-axis shows the transmission speed of data sent or received through the VPN tunnel in kilobits per second (Kbps).
x-axis
The x-axis shows the time period over which the traffic flow occurred.
Security gateway by usage
 
This shows the index number of the Nebula gateway.
Name
This shows the descriptive name of the Nebula gateway.
Model
This shows the model number of the Nebula gateway.
Usage
This shows the amount of data that has been transmitted through the gateway’s WAN port.
Client
This shows the number of clients currently connected to the gateway.
Location
This shows the location of the Nebula gateways on the map.
Top applications by usage
 
This shows the index number of the application.
Application
This shows the application name.
Usage
This shows the amount of data consumed by the application.
% Usage
This shows the percentage of usage for the application.
Clients
Total
This shows the total number of clients connected to the Nebula device within the specified time period.
Daily Average
This shows the average daily number of clients within the specified time period.
Clients per day
y-axis
The y-axis represents the number of clients.
x-axis
The x-axis represents the date.
Top operating systems by usage
 
This shows the index number of the operating system.
OS
This shows the operating system of the client device.
# Client
This shows how many client devices use this operating system.
% Client
This shows the percentage of top client devices which use this operating system.
# Usage
This shows the amount of data consumed by the client device on which this operating system is running.
% Usage
This shows the percentage of usage for top client devices which use this operating system.
Top clients by usage
 
This shows the index number of the client.
Description
This shows the descriptive name or MAC address of the client.
Usage
This shows the total amount of data transmitted and received by the client.
% Usage
This shows the percentage of usage for the client.
Top client device manufacturers by usage
 
This shows the index number of the client device.
Manufacturer
This shows the manufacturer name of the client device.
Client
This shows how many client devices are made by the manufacturer.
% Client
This shows the percentage of top client devices which are made by the manufacturer.
Usage
This shows the total amount of data transmitted and received by the client device.
% Usage
This shows the percentage of usage for the client device.
Configure
Use the Configure menus to configure interface addressing, firewall, site-to-site VPN, captive portal, traffic shaping, authentication server and other settings for the gateway of the selected site.
Interfaces Addressing
Use this screen to configure network mode, port grouping, interface address, static route and DDNS settings on the gateway.
The following table describes the labels in this screen.
Gateway > Configure > Interfaces addressing
Label
Description
Network wide
Mode
Select Network address translation (NAT) to have the gateway automatically use SNAT for traffic it routes from internal interfaces to external interfaces.
Select Router to have the gateway forward packets according to the routing policies. The gateway doesn’t automatically convert a packet’s source IP address.
Port Group Setting
Port groups create a hardware connection between physical ports at the layer-2 (data link, MAC address) level.
The physical Ethernet ports are shown at the top and the port groups are shown at the bottom of the screen. Use the radio buttons to select for which port group (network) you want to use each physical port.
For example, select a port’s Port Group 1 radio button to use the port as part of the first port group. The port will use the first group’s IP address.
Interface
By default, LAN1 is created on top of port group 1 and LAN2 is on top of port group 2.
Name
This shows the name of the interface (network) on the gateway.
IP address
This shows the IP address of the interface (network).
Subnet mask
This shows the subnet mask of the interface (network).
VLAN ID
This shows the ID number of the VLAN with which the interface (network) is associated.
Port group
This shows the name of the port group to which the interface (network) belongs.
Guest
Select On to configure the interface as a Guest interface. Devices connected to a Guest interface have Internet access but cannot communicate with each other directly or reach network resources behind the gateway.
Otherwise, select Off to not use the interface as a Guest interface.
Edit
Click this button to modify the network settings. See Local LAN for detailed information.
Click this icon to remove a VLAN entry.
Add
Click this button to create a VLAN, which is then associated with one Ethernet interface (network). See Local LAN for detailed information.
Static Route
Name
This shows the name of the static route.
Destination
This shows the destination IP address.
Subnet mask
This shows the IP subnet mask.
Next hop IP
This shows the IP address of the next-hop gateway or the interface through which the traffic is routed. The gateway is a router or switch on the same segment as your security gateway's interface(s). It helps forward packets to their destinations.
Click this icon to remove a static route.
Add
Click this button to create a new static route. See Static Route for detailed information.
Dynamic DNS
Automatic registration
Select On to use dynamic DNS. Otherwise, select Off to disable it.
General Settings
 
DDNS provider
Select your Dynamic DNS service provider from the drop-down list box.
Select User custom to create your own DDNS service.
DDNS type
Select the type of DDNS service you are using.
Select User custom to create your own DDNS service and configure the DYNDNS Server, URL, and Additional DDNS Options fields below.
DDNS account
 
Username
Enter the user name used when you registered your domain name.
Password
Enter the password provided by the DDNS provider.
Confirm password
Enter the password again to confirm it.
DDNS settings
 
Domain name
Enter the domain name you registered.
Primary binding address
Use these fields to set how the security gateway determines the IP address that is mapped to your domain name in the DDNS server. The security gateway uses the Backup binding address if the interface specified by these settings is not available.
Interface
Select the interface to use for updating the IP address mapped to the domain name.
IP address
Select Auto if the interface has a dynamic IP address. The DDNS server checks the source IP address of the packets from the gateway for the IP address to use for the domain name. You may want to use this if there are one or more NAT routers between the gateway and the DDNS server.
*The gateway may not determine the proper IP address if there is an HTTP proxy server between the gateway and the DDNS server.
Select Custom if you have a static IP address. Enter the IP address to use it for the domain name.
Select Interface to have the security gateway use the IP address of the specified interface.
Backup binding address
Use these fields to set an alternate interface to map the domain name to when the interface specified by the Primary binding address settings is not available.
Interface
Select the interface to use for updating the IP address mapped to the domain name.
IP address
Select Auto if the interface has a dynamic IP address. The DDNS server checks the source IP address of the packets from the gateway for the IP address to use for the domain name. You may want to use this if there are one or more NAT routers between the gateway and the DDNS server.
*The gateway may not determine the proper IP address if there is an HTTP proxy server between the gateway and the DDNS server.
Select Custom if you have a static IP address. Enter the IP address to use it for the domain name.
Select Interface to have the security gateway use the IP address of the specified interface.
Enable wildcard
This option is only available with a DynDNS account.
Enable the wildcard feature to alias subdomains to the same IP address as your (dynamic) domain name. This is useful if you want to be able to use, for example, www.yourhost.dyndns.org and still reach your hostname.
Mail exchanger
This option is only available with a DynDNS account.
DynDNS can route e-mail for your domain name to a mail server (called a mail exchanger). For example, DynDNS routes e-mail for john-doe@yourhost.dyndns.org to the host record specified as the mail exchanger.
If you are using this service, type the host record of your mail server here. Otherwise, leave the field blank.
Backup mail exchanger
This option is only available with a DynDNS account.
Select this check box if you are using DynDNS’s backup service for e-mail. With this service, DynDNS holds onto your e-mail if your mail server is not available. Once your mail server is available again, the DynDNS server delivers the mail to you. See www.dyndns.org for more information about this service.
DYNDNS Server
This field displays when you select User custom from the DDNS provider field above.
Type the IP address of the server that will host the DDNS service.
URL
This field displays when you select User custom from the DDNS provider field above.
Type the URL that can be used to access the server that will host the DDNS service.
Additional DDNS Options
This field displays when you select User custom from the DDNS provider field above.
These are the options supported at the time of writing:
dyndns_system specifies the DYNDNS Server type, for example dyndns@dyndns.org.
ip_server_name is the URL from which the server's public IP address is obtained, for example http://myip.easylife.tw/.
Local LAN
The following table describes the labels in this screen.
Gateway > Configure > Interfaces addressing: Local LAN
Label
Description
Interface properties
Interface name
This field is read-only if you are editing an existing interface.
Specify a name for the interface.
The format of interface names is strict. Each name consists of 2-4 letters (interface type), followed by a number (x). For most interfaces, x is limited by the maximum number of the type of interface. For VLAN interfaces, x is defined by the number you enter in the VLAN name field. For example, VLAN interfaces are vlan0, vlan1, vlan2, ...; and so on.
IP address assignment
IP address
Enter the IP address for this interface.
Subnet mask
Enter the subnet mask of this interface in dot decimal notation. The subnet mask indicates what part of the IP address is the same for all computers in the network.
VLAN ID
Enter the VLAN ID. This 12-bit number uniquely identifies each VLAN. Allowed values are 1 - 4094. (0 and 4095 are reserved.)
Port group
Select the name of the port group to which you want the interface (network) to belong.
DHCP setting
DHCP
Select what type of DHCP service the security gateway provides to the network. Choices are:
None - the security gateway does not provide any DHCP services. There is already a DHCP server on the network.
DHCP Relay - the security gateway routes DHCP requests to one or more DHCP servers you specify. The DHCP server(s) may be on another network.
DHCP Server - the security gateway assigns IP addresses and provides subnet mask, gateway, and DNS server information to the network. The security gateway is the DHCP server for the network.
These fields appear if the security gateway is a DHCP Relay.
Relay server 1
Enter the IP address of a DHCP server for the network.
Relay server 2
This field is optional. Enter the IP address of another DHCP server for the network.
These fields appear if the security gateway is a DHCP Server.
IP pool start address
Enter the IP address from which the security gateway begins allocating IP addresses. If you want to assign a static IP address to a specific computer, click Add new under Static DHCP Table.
Pool size
Enter the number of IP addresses to allocate. This number must be at least one and is limited by the interface’s Subnet mask. For example, if the Subnet mask is 255.255.255.0 and IP pool start address is 10.10.10.10, the security gateway can allocate 10.10.10.10 to 10.10.10.254, or 245 IP addresses.
First DNS server
Second DNS server
Third DNS server
Specify the IP addresses of up to three DNS servers for the DHCP clients to use. Use one of the following ways to specify these IP addresses.
Custom Defined - enter a static IP address.
From ISP - select the DNS server that another interface received from its DHCP server.
NSG - the DHCP clients use the IP address of this interface and the security gateway works as a DNS relay.
First WINS server
Second WINS server
Type the IP address of the WINS (Windows Internet Naming Service) server that you want to send to the DHCP clients. The WINS server keeps a mapping table of the computer names on your network and the IP addresses that they are currently using.
Lease time
Specify how long each computer can use the information (especially the IP address) before it has to request the information again. Choices are:
infinite - select this if IP addresses never expire
days, hours, minutes - select this to enter how long IP addresses are valid.
Extended options
This table is available if you selected DHCP server.
Configure this table if you want to send more information to DHCP clients through DHCP packets.
Click Add new to create an entry in this table. See DHCP Option for detailed information.
Name
This is the option’s name.
Code
This is the option’s code number.
Type
This is the option’s type.
Value
This is the option’s value.
 
Click the edit icon to modify it.
Click the remove icon to delete it.
Static DHCP Table
Configure a list of static IP addresses the security gateway assigns to computers connected to the interface. Otherwise, the security gateway assigns an IP address dynamically using the interface’s IP pool start address and Pool size.
Click Add new to create an entry in this table.
IP address
Enter the IP address to assign to a device with this entry’s MAC address.
MAC
Enter the MAC address to which to assign this entry’s IP address.
Description
Enter a description to help identify this static DHCP entry.
Close
Click Close to exit this screen without saving.
OK
Click OK to save your changes.
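The Pool size limit described above (the pool runs from IP pool start address to the last host address allowed by the Subnet mask, so 10.10.10.10 with 255.255.255.0 gives 245 addresses) can be checked before committing the setting. This is an added example, not part of the Nebula product or this page; the function names are my own.

```python
import ipaddress


def dhcp_pool_limits(pool_start, subnet_mask):
    """Return (max_pool_size, last_assignable_address) for a DHCP pool on an interface.

    The pool may run from pool_start up to the last host address of the subnet;
    the network address and the broadcast address are never handed out, so a
    start address equal to either is rejected.
    """
    start = ipaddress.IPv4Address(pool_start)
    network = ipaddress.IPv4Network(f"{start}/{subnet_mask}", strict=False)
    if network.prefixlen > 30:
        # /31 and /32 leave no host range between network and broadcast address
        raise ValueError(f"mask {subnet_mask} leaves no assignable host addresses")
    last_host = network.broadcast_address - 1
    if start <= network.network_address or start > last_host:
        raise ValueError(f"{start} is not a usable host address in {network}")
    return int(last_host) - int(start) + 1, str(last_host)


def validate_pool_size(pool_start, subnet_mask, pool_size):
    """True if Pool size is at least one and the whole pool fits inside the subnet."""
    limit, _ = dhcp_pool_limits(pool_start, subnet_mask)
    return 1 <= pool_size <= limit


if __name__ == "__main__":
    # The page's own example: 10.10.10.10 to 10.10.10.254 is 245 addresses
    print(dhcp_pool_limits("10.10.10.10", "255.255.255.0"))
    print(validate_pool_size("10.10.10.10", "255.255.255.0", 246))
```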
DHCP Option
The following table describes the labels in this screen.
Gateway > Configure > Interfaces addressing: Local LAN: DHCP Option
Label
Description
Option
Select which DHCP option that you want to add in the DHCP packets sent through the interface.
Name
This field displays the name of the selected DHCP option. If you selected User_Defined in the Option field, enter a descriptive name to identify the DHCP option.
Code
This field displays the code number of the selected DHCP option. If you selected User_Defined in the Option field, enter a number for the option. This field is mandatory.
Type
This is the type of the selected DHCP option. If you selected User_Defined in the Option field, select an appropriate type for the value that you will enter in the next field. Misconfiguration could result in interface lockout.
Value
Enter the value for the selected DHCP option. For example, if you selected TFTP Server Name (66) and the type is TEXT, enter the DNS domain name of a TFTP server here. This field is mandatory.
First IP address
Second IP address
Third IP address
If you selected Time Server (4), NTP Server (41), SIP Server (120), CAPWAP AC (138), or TFTP Server (150), you have to enter at least one IP address of the corresponding servers in these fields. The servers should be listed in order of your preference.
First enterprise ID
Second enterprise ID
If you selected VIVC (124) or VIVS (125), you have to enter at least one vendor’s 32-bit enterprise number in these fields. An enterprise number is a unique number that identifies a company.
First class
Second class
If you selected VIVC (124), enter the details of the hardware configuration of the host on which the client is running, or of industry consortium compliance.
First information
Second information
If you selected VIVS (125), enter additional information for the corresponding enterprise number in these fields.
First FQDN
Second FQDN
Third FQDN
If the Type is FQDN, you have to enter at least one domain name of the corresponding servers in these fields. The servers should be listed in order of your preference.
Close
Click Close to exit this screen without saving.
OK
Click OK to save your changes.
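The Code, Type and Value fields above map directly onto the DHCPv4 option wire format (one byte of code, one byte of length, then the data), which is why a Type that does not fit the Value can produce a malformed option. The encoder below is an added example, not Nebula code; it covers the TEXT type (e.g. TFTP Server Name (66)), the IP-list type used by Time Server (4), NTP Server (41) and TFTP Server (150), and the enterprise-number plus class layout of VIVC (124). Enterprise number 32473 is the IANA documentation value; the hostnames are constructed.

```python
import ipaddress
import struct


def encode_dhcp_option(code, opt_type, value):
    """Return the on-the-wire bytes (code, length, data) of one DHCPv4 option.

    code     : option code 1-254 (0 is pad and 255 is end; neither is a user option)
    opt_type : "TEXT", "IP" or "VIVC"
    value    : str for TEXT; list of one to three dotted-quad strings for IP;
               list of one or two (enterprise_number, class_bytes) tuples for VIVC
    """
    if not 1 <= code <= 254:
        raise ValueError("option code must be 1-254")

    if opt_type == "TEXT":
        if not isinstance(value, str) or not value:
            raise ValueError("TEXT options need a non-empty string")
        data = value.encode("ascii")
    elif opt_type == "IP":
        # The page allows one to three server addresses, listed in order of preference.
        if not 1 <= len(value) <= 3:
            raise ValueError("IP options need one to three addresses")
        # IPv4Address raises ValueError for anything that is not a dotted quad,
        # e.g. a hostname typed into an address field with the wrong Type.
        data = b"".join(ipaddress.IPv4Address(v).packed for v in value)
    elif opt_type == "VIVC":
        if not 1 <= len(value) <= 2:
            raise ValueError("VIVC needs one or two enterprise entries")
        parts = []
        for enterprise, vendor_class in value:
            if not 0 <= enterprise <= 0xFFFFFFFF:
                raise ValueError("enterprise number must fit in 32 bits")
            if len(vendor_class) > 255:
                raise ValueError("vendor class data exceeds 255 bytes")
            # 32-bit enterprise number, one-byte data length, then the class data
            parts.append(struct.pack("!IB", enterprise, len(vendor_class)) + vendor_class)
        data = b"".join(parts)
    else:
        raise ValueError(f"unsupported option type {opt_type!r}")

    if len(data) > 255:
        raise ValueError("option data exceeds the one-byte DHCP length field")
    return bytes([code, len(data)]) + data


if __name__ == "__main__":
    print(encode_dhcp_option(66, "TEXT", "tftp.example.net").hex())
    print(encode_dhcp_option(4, "IP", ["192.0.2.1", "192.0.2.2"]).hex())
    print(encode_dhcp_option(124, "VIVC", [(32473, b"class-a")]).hex())
```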
Static Route
The following table describes the labels in this screen.
Gateway > Configure > Interfaces addressing: Static Route
Label
Description
Name
Enter a descriptive name for this route.
Destination
Specifies the IP network address of the final destination. Routing is always based on network number.
Subnet mask
Enter the IP subnet mask.
Next hop IP address
Enter the IP address of the next-hop gateway.
Close
Click Close to exit this screen without saving.
OK
Click OK to save your changes.
Firewall
By default, a LAN user can initiate a session from within the LAN zone and the security gateway allows the response. However, the security gateway blocks incoming traffic initiated from the WAN zone and destined for the LAN zone. Use this screen to configure firewall rules for outbound traffic, application patrol, schedule profiles and port forwarding rules for inbound traffic.
The following table describes the labels in this screen.
Gateway > Configure > Firewall
Label
Description
Security Policy
Outbound rules
Click the icon of a rule and drag the rule up or down to change the order.
Enabled
Select the check box to turn on the rule. Otherwise, clear the check box to turn off the rule.
Policy
Select what the firewall is to do with packets that match this rule.
Select Deny to silently discard the packets without sending a TCP reset packet or an ICMP destination-unreachable message to the sender.
Select Allow to permit the passage of the packets.
Select a pre-defined application patrol profile to have the firewall take the action set in the profile when traffic matches the application patrol signature(s). See Add application patrol profile for how to create an application patrol profile.
Protocol
Select the IP protocol to which this rule applies. Choices are: TCP, UDP, and Any.
Source
Specify the source IP address(es) to which this rule applies. You can specify multiple IP addresses or subnets in the field separated by a comma (","). Enter any to apply the rule to all IP addresses.
Destination
Specify the destination IP address(es) or subnet to which this rule applies. You can specify multiple IP addresses or subnets in the field separated by a comma (","). Enter any to apply the rule to all IP addresses.
Dst Port
Specify the destination port(s) to which this rule applies. You can specify multiple ports separated by a comma (","). Enter any to apply the rule to all ports.
Schedule
Select the name of the schedule profile that the rule uses. Always means the rule is active at all times if enabled.
Description
Enter a descriptive name of up to 60 printable ASCII characters for the rule.
Click this icon to remove the rule.
Add
Click this button to create a new rule.
Security gateway services
Service
This shows the name of the service.
Allowed remote IPs
Specify the IP address(es) from which computers are allowed to access the security gateway using the service. You can specify a range of IP addresses.
any means any IP address.
Application Patrol
Application monitor
Click On to enable traffic analysis for all applications and display information about the top 10 applications in the SITE-WIDE > Monitor > Dashboard: Traffic Summary screen. Otherwise, select Off to disable traffic analysis for applications.
Application profiles
 
Name
This shows the name of the application patrol profile.
Description
This shows the description of the application patrol profile.
Click this icon to change the profile settings.
Click this icon to remove the profile.
Add
Click this button to create a new application patrol profile. See Add application patrol profile for more information.
Schedule profiles
 
This shows the name of the schedule profile and the number of the outbound rules that are using this schedule profile.
Click this icon to change the profile settings.
Click this icon to remove the profile.
Add
Click this button to create a new schedule profile. See Create new schedule for more information.
NAT
1:1 NAT
Click the icon of a rule and drag the rule up or down to change the order.
Enabled
Select the check box to turn on the rule. Otherwise, clear the check box to turn off the rule.
Uplink
Select the interface of the security gateway on which packets for the NAT rule must be received.
Public IP
Specify to which translated destination IP address this NAT rule forwards packets.
LAN IP
Specify the destination IP address of the packets received by this NAT rule’s specified interface.
Allowed remote IP
Specify the remote IP address(es) from which a computer is allowed to use the public IP address to reach the private network server. You can specify a range of IP addresses.
any means any IP address.
Description
Enter a description for the rule.
Click this icon to remove the rule.
Add
Click this button to create a new 1:1 NAT mapping rule.
Virtual server
Click the icon of a rule and drag the rule up or down to change the order.
Enabled
Select the check box to turn on the rule. Otherwise, clear the check box to turn off the rule.
Uplink
Select the interface of the security gateway on which packets for the NAT rule must be received.
Public IP
Specify to which translated destination IP address this NAT rule forwards packets.
Public port
Enter the translated destination port or range of translated destination ports if this NAT rule forwards the packet.
LAN IP
Specify the destination IP address of the packets received by this NAT rule’s specified interface.
Local port
Enter the original destination port or range of destination ports this NAT rule supports.
Allowed remote IP
Specify the remote IP address(es) from which a computer is allowed to use the public IP address to reach the private network server. You can specify a range of IP addresses.
any means any IP address.
Description
Enter a description for the rule.
Click this icon to remove the rule.
Add
Click this button to create a new virtual server mapping rule.
Add application patrol profile
Use the application patrol profile screens to customize action and log settings for a group of application patrol signatures.
The following table describes the labels in this screen.
Gateway > Configure > Firewall: Add an application profile
Label
Description
General settings
Name
Enter a name for this profile for identifying purposes.
Description
Enter a description for this profile.
Log
Select whether to have the security gateway generate a log (ON) or not (OFF) by default when traffic matches an application signature in this category.
Application management
Enabled
Select the check box to turn on the rule. Otherwise, clear the check box to turn off the rule.
Category
Select an application category.
Application
Select All or select an application within the category to apply the policy.
Policy
Select the default action for the applications selected in this category.
Forward - the security gateway routes packets that match these application signatures.
Drop - the security gateway silently drops packets that match these application signatures without notification.
Reject - the security gateway drops packets that match these application signatures and sends a notification to the client.
Click this icon to remove the entry.
Add
Click this button to create a new application category and set actions for specific applications within the category.
 
Enter a name to search for relevant applications and click Add to create an entry.
Close
Click this button to exit this screen without saving.
Create
Click this button to save your changes and close the screen.
Create new schedule
The following table describes the labels in this screen.
Gateway > Configure > Firewall: Add a schedule profile
Label
Description
Name
Enter a descriptive name for this schedule for identifying purposes.
Templates
Select a pre-defined schedule template or select Custom schedule and manually configure the day and time at which the associated firewall outbound rule is enabled.
Day
This shows the day of the week.
Availability
Click On to enable the associated rule on this day. Otherwise, select Off to turn the associated rule off.
From - To
Specify the hour and minute at which the schedule begins and ends each day.
Time display
Select the time format in which the time is displayed.
Close
Click this button to exit this screen without saving.
Add
Click this button to save your changes and close the screen.
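As an added example that is not part of the original manual or Nebula itself, the following evaluates outbound rules the way the Firewall table above describes them (top-down, first match wins, comma-separated addresses and ports, any, Deny silently drops, sessions from the LAN allowed by default) with a schedule profile modelled on the Create new schedule screen, and flags rules that an earlier always-on rule makes unreachable, which is the usual reason a rule "does not work" after a drag-and-drop reorder. Class and function names and the sample rule set are this example's own; rule fields are assumed to be IPv4.

```python
import ipaddress
from dataclasses import dataclass
from datetime import datetime, time
from typing import Optional

ALWAYS = None  # the Always schedule profile: the rule is active at all times

@dataclass
class Schedule:
    """A custom schedule profile: weekday (0 = Monday) -> (From, To); days set Off are absent."""
    windows: dict

    def active(self, when: datetime) -> bool:
        window = self.windows.get(when.weekday())
        return window is not None and window[0] <= when.time() < window[1]

@dataclass
class Rule:
    enabled: bool
    policy: str        # "Allow", "Deny" or the name of an application patrol profile
    protocol: str      # "TCP", "UDP" or "Any"
    source: str        # "any" or comma-separated IPs/subnets, as typed in the screen
    destination: str   # same format as source
    dst_port: str      # "any" or comma-separated port numbers
    schedule: Optional[Schedule] = ALWAYS
    description: str = ""

@dataclass(frozen=True)
class Packet:
    protocol: str
    src: str
    dst: str
    dport: int

def parse_addrs(text: str):
    """'any' -> None (every address); otherwise IPv4 networks (a bare IP becomes a /32)."""
    if text.strip().lower() == "any":
        return None
    return [ipaddress.IPv4Network(p.strip(), strict=False) for p in text.split(",")]

def parse_ports(text: str):
    """'any' -> None (every port); otherwise the set of listed port numbers."""
    return None if text.strip().lower() == "any" else {int(p) for p in text.split(",")}

def rule_matches(rule: Rule, pkt: Packet, when: datetime) -> bool:
    if not rule.enabled or (rule.schedule is not ALWAYS and not rule.schedule.active(when)):
        return False
    if rule.protocol != "Any" and rule.protocol != pkt.protocol:
        return False
    src_nets, dst_nets = parse_addrs(rule.source), parse_addrs(rule.destination)
    ports = parse_ports(rule.dst_port)
    src, dst = ipaddress.IPv4Address(pkt.src), ipaddress.IPv4Address(pkt.dst)
    return ((src_nets is None or any(src in n for n in src_nets))
            and (dst_nets is None or any(dst in n for n in dst_nets))
            and (ports is None or pkt.dport in ports))

def evaluate(rules, pkt: Packet, when):
    """First matching rule wins, so list order (what the drag handle changes) decides.
    Sessions initiated from the LAN are allowed by default, so no match means Allow.
    `when` is a datetime or an ISO 8601 string such as '2024-06-03T10:00'."""
    when = datetime.fromisoformat(when) if isinstance(when, str) else when
    for index, rule in enumerate(rules):
        if rule_matches(rule, pkt, when):
            return rule.policy, index
    return "Allow", None

def _covers(outer, inner) -> bool:
    """True when everything selected by inner is also selected by outer (None = any)."""
    if outer is None or inner is None:
        return outer is None
    if isinstance(outer, set):
        return inner <= outer
    return all(any(i.subnet_of(o) for o in outer) for i in inner)

def shadowed_rules(rules):
    """Indices of enabled rules that can never match because an earlier always-on rule
    already catches every packet they would (a sufficient check, not a full overlap analysis)."""
    found = []
    for j, later in enumerate(rules):
        for earlier in rules[:j]:
            if (later.enabled and earlier.enabled and earlier.schedule is ALWAYS
                    and earlier.protocol in ("Any", later.protocol)
                    and _covers(parse_addrs(earlier.source), parse_addrs(later.source))
                    and _covers(parse_addrs(earlier.destination), parse_addrs(later.destination))
                    and _covers(parse_ports(earlier.dst_port), parse_ports(later.dst_port))):
                found.append(j)
                break
    return found

# Constructed sample policy (not from any real site); office hours are weekdays 08:00-18:00.
OFFICE_HOURS = Schedule({day: (time(8, 0), time(18, 0)) for day in range(5)})
SAMPLE_RULES = [
    Rule(True, "Deny", "TCP", "192.168.1.0/24", "any", "445,139", OFFICE_HOURS, "no SMB out in office hours"),
    Rule(True, "Allow", "UDP", "any", "any", "53", ALWAYS, "DNS"),
    Rule(True, "Deny", "Any", "192.168.1.0/24", "203.0.113.0/24", "any", ALWAYS, "blocked range"),
    Rule(True, "Allow", "TCP", "192.168.1.10", "203.0.113.7", "443", ALWAYS, "unreachable: rule 3 catches it first"),
]
```

Running `shadowed_rules(SAMPLE_RULES)` reports the last rule, which only becomes effective if it is dragged above the "blocked range" rule.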
Policy Route
Use policy routes and static routes to override the security gateway’s default routing behavior in order to send packets through the appropriate next-hop gateway, interface or VPN tunnel.
A policy route defines the matching criteria and the action to take when a packet meets the criteria. The action is taken only when all the criteria are met. Use this screen to configure policy routes.
The following table describes the labels in this screen.
Gateway > Configure > Policy Route
Label
Description
Click the icon of a rule and drag the rule up or down to change the order.
Enabled
Select the check box to turn on the rule. Otherwise, clear the check box to turn off the rule.
Type
This shows whether the packets will be routed to a different gateway (INTRANET), VPN tunnel (VPN) or outgoing interface (INTERNET).
Protocol
This displays the IP protocol that defines the service used by the packets. Any means all services.
Source IP
This is the source IP address(es) from which the packets are sent.
Source Port
This displays the port the source IP address(es) are using in this policy route rule. The gateway applies the policy route to the packets sent from the corresponding service port. Any means all service ports.
Destination IP
This is the destination IP address(es) to which the packets are transmitted.
Destination Port
This displays the port the destination IP address(es) are using in this policy route rule. Any means all services.
Next-Hop
This is the next hop to which packets are directed. It helps forward packets to their destinations and can be a router, VPN tunnel or outgoing interface.
Click this icon to change the profile settings.
Click this icon to remove the profile.
Add
Click this button to create a new policy route. See Add/Edit policy route for more information.
Add/Edit policy route
The following table describes the labels in this screen.
Gateway > Configure > Policy Route: Add/Edit
Label
Description
Type
Select Internet Traffic to route the matched packets through the specified outgoing interface to a gateway (which is connected to the interface).
Select Intranet Traffic to route the matched packets to the next-hop router or switch you specified in the Next-Hop field.
Select VPN Traffic to route the matched packets via the VPN tunnel you specified in the Next-Hop field.
Protocol
Select TCP or UDP if you want to specify a protocol for the policy route. Otherwise select Any.
Source IP
Enter a source IP address from which the packets are sent.
Source Port
Enter the port number (1-65535) from which the packets are sent. The gateway applies the policy route to the packets sent from the corresponding service port. Any means all service ports.
Destination IP
Enter a destination IP address to which the packets go.
Destination Port
Enter the port number (1-65535) to which the packets go. The gateway applies the policy route to the packets that go to the corresponding service port. Any means all service ports.
Next-Hop
If you select Internet Traffic in the Type field, select the WAN interface to route the matched packets through the specified outgoing interface to a gateway (which is connected to the interface).
If you select Intranet Traffic in the Type field, enter the IP address of the next-hop router or switch.
If you select VPN Traffic in the Type field, select the remote VPN gateway’s site name.
Close
Click this button to exit this screen without saving.
Create
Click this button to save your changes and close the screen.
Content Filtering
Content filtering allows you to block access to specific web sites. It can also block access to specific categories of web site content.
The following table describes the labels in this screen.
Gateway > Configure > Content Filtering
Label
Description
General setting
Enabled
Click ON to enable the content filtering feature on the security gateway. Otherwise, click OFF to disable it.
Denied access message
Enter a message to be displayed when content filter blocks access to a web page. Use up to 127 characters (0-9a-zA-Z;/?:@&=+$\.-_!~*'()%,”). For example, “Access to this web page is not allowed. Please contact the network administrator”.
It is also possible to leave this field blank if you have a URL specified in the Redirect URL field. In this case if the content filter blocks access to a web page, the security gateway just opens the web page you specified without showing a denied access message.
Redirect URL
Enter the URL of the web page to which you want to send users when their web access is blocked by content filter. The web page you specify here opens in a new frame below the denied access message.
Use “http://” or “https://” followed by up to 262 characters (0-9a-zA-Z;/?:@&=+$\.-_!~*'()%). For example, http://192.168.1.17/blocked access.
Black/White list
Black
Sites that you want to block access to, regardless of their content rating, can be blocked by adding them to this list.
Enter host names such as www.bad-site.com into this text field. Do not enter the complete URL of the site – that is, do not include “http://”. All subdomains are also blocked. For example, entering “bad-site.com” also blocks “www.bad-site.com”, “partner.bad-site.com”, “press.bad-site.com”, and so on. You can also enter just a top level domain. For example, enter .com to block all .com domains.
Use up to 127 characters (0-9a-z-). The casing does not matter.
White
Sites that you want to allow access to, regardless of their content rating, can be allowed by adding them to this list.
Enter host names such as www.good-site.com into this text field. Do not enter the complete URL of the site – that is, do not include “http://”. All subdomains are allowed. For example, entering “zyxel.com” also allows “www.zyxel.com”, “partner.zyxel.com”, “press.zyxel.com”, and so on. You can also enter just a top level domain. For example, enter .com to allow all .com domains.
Use up to 127 characters (0-9a-z-). The casing does not matter.
Category
Action
Select Pass to allow users to access web pages that match the categories that you select below.
Select Block to prevent users from accessing web pages that match the categories that you select below. When external database content filtering blocks access to a web page, it displays the denied access message that you configured in the Denied access message field along with the category of the blocked web page.
Test URL
You can check which category a web page belongs to. Enter a web site URL in the text box.
When the content filter is active, you should see the web page’s category. The query fails if the content filter is not active.
Content Filtering can query a category by full URL string (for example, http://www.google.com/picture/index.htm), but HTTPS Domain Filter can only query a category by domain name ('www.google.com'), so the category may be different in the query result. Test URL displays both results in the test.
Templates
Web pages are classified into a category based on their content. You can choose a pre-defined template that has already selected certain categories. Alternatively, choose Custom and manually select categories in this section to control access to specific types of Internet content.
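As an added example (not Zyxel's code), the following implements the Black/White list matching the text above describes: an entry matches the host itself and every subdomain, a bare top level domain such as .com matches every host under it, case does not matter, and full URLs are rejected as entries. Only the host name is compared, which is also all the gateway has for an HTTPS connection. Function names and the sample lists are this example's own; allowing dots inside an entry is an assumption drawn from the page's own examples.

```python
import re
from urllib.parse import urlsplit

# One entry: an optional leading dot (a bare top level domain such as .com), then labels of
# 0-9, a-z and '-'. Dots between labels are accepted even though the page's character list
# omits them, because its own examples (www.bad-site.com) contain them.
ENTRY_RE = re.compile(r"^\.?[0-9a-z-]+(?:\.[0-9a-z-]+)*$")


def normalize_entry(entry: str) -> str:
    """Validate one Black/White list entry as the screen describes it and return it lowercased,
    without any leading dot (so '.com' becomes 'com')."""
    text = entry.strip().lower()
    if "://" in text or "/" in text:
        raise ValueError(f"{entry!r}: enter a host name, not a URL")
    if len(text) > 127 or not ENTRY_RE.match(text):
        raise ValueError(f"{entry!r}: use up to 127 characters from 0-9, a-z, '-' and '.'")
    return text.lstrip(".")


def host_of(url_or_host: str) -> str:
    """The host name the lists are compared against. Only the host matters here: for https://
    the gateway sees nothing beyond the domain name, and for http:// the path plays no part."""
    if "://" in url_or_host:
        host = urlsplit(url_or_host).hostname
    else:
        host = url_or_host.split("/", 1)[0].rsplit("@", 1)[-1].split(":", 1)[0]
    if not host:
        raise ValueError(f"no host name in {url_or_host!r}")
    return host.lower().rstrip(".")


def entry_matches(entry: str, host: str) -> bool:
    """'bad-site.com' matches bad-site.com and every subdomain (www., partner., press., ...);
    'com' (entered as .com) matches every .com host. It never matches bad-site.com.evil.example."""
    return host == entry or host.endswith("." + entry)


def first_match(host: str, entries):
    """The first list entry that matches host, or None."""
    return next((e for e in entries if entry_matches(e, host)), None)


def check(url_or_host: str, black, white) -> dict:
    """Look the host up in both lists. The screen does not state which list wins when both
    match, so this returns both hits and leaves that decision to the caller."""
    host = host_of(url_or_host)
    return {"host": host, "black": first_match(host, black), "white": first_match(host, white)}


# Constructed sample lists (not from any real deployment).
BLACK = [normalize_entry(e) for e in ("bad-site.com", ".xyz", "Tracker.EXAMPLE")]
WHITE = [normalize_entry(e) for e in ("zyxel.com", "intranet.example")]
```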
Site-to-Site VPN
A virtual private network (VPN) provides secure communications between sites without the expense of leased site-to-site lines. Use this screen to configure a VPN rule.
The following table describes the labels in this screen.
Gateway > Configure > Site-to-Site VPN
Label
Description
Outgoing Interface
Select the WAN interface to which the VPN connection is going.
Select AUTO to send VPN traffic through a different WAN interface when the primary WAN interface is down or disabled.
Prefer uplink
Specify the primary WAN interface through which the security gateway forwards VPN traffic when you set Outgoing Interface to AUTO.
Local networks
This shows the local networks behind the security gateway.
Name
This shows the network name.
Subnet
This shows the IP address and subnet mask of the computer on the network.
Use VPN
Select ON to allow the computers on the network to use the VPN tunnel. Otherwise, select OFF.
Nebula VPN Topology
This shows the VPN mode supported by the security gateway.
Select a VPN topology.
Select Disable to not set a VPN connection.
In the Site-to-Site VPN topology, the remote IPSec device has a static IP address or a domain name. This security gateway can initiate the VPN tunnel.
In the Hub-and-Spoke VPN topology, there is a VPN connection between each spoke router and the hub router, which uses the VPN concentrator. The VPN concentrator routes VPN traffic between the spoke routers and itself.
In the Server-and-Client VPN topology, incoming connections from IPSec VPN clients are allowed. The clients have dynamic IP addresses and are also known as dial-in users. Only the clients can initiate the VPN tunnel.
Hubs (peers to connect to)
This field is available when you set Topology to Hub-and-Spoke. The field is configurable only when the security gateway of the selected site is the hub router.
You can select another site’s name to have the gateway of that site act as the hub router in the Hub-and-Spoke VPN topology.
NAT traversal
If the security gateway is behind a NAT router, enter the public IP address or the domain name that is configured and mapped to the security gateway on the NAT router.
Server (client to connect to)
This field is available when you set Topology to Server-and-Client. The field is configurable only when the security gateway of the selected site is the VPN server.
You can select another site’s name to have the gateway of that site act as the VPN server.
Client-to-Client communication
Select On to allow VPN traffic to transmit between VPN clients by going through the server. The field is configurable only when the security gateway of the selected site is the VPN server.
Remote VPN participants
This shows the remote (peer) Nebula gateway’s network name and address.
Non-Nebula VPN peers
If the remote VPN gateway is not a Nebula device, use this section to set up a VPN connection between it and the Nebula security gateway.
Enabled
Select the check box to turn on the rule. Otherwise, clear the check box to turn off the rule.
Name
Enter the name of the peer gateway.
Public IP
Enter the public IP address of the peer gateway.
Private Subnet
Enter the local network address or subnet behind the peer gateway.
IPSec policy
Click to select a pre-defined policy or have a custom one. See Custom IPSec Policy for detailed information.
Preshared secret
Enter a pre-shared key (password). The Nebula security gateway and peer gateway use the key to identify each other when they negotiate the IKE SA.
Availability
Select All Network to allow the peer gateway to connect to any Nebula security gateway in the organization via a VPN tunnel.
Select This site to let the peer gateway connect only to the Nebula security gateway in this site via a VPN tunnel.
You can also select specific sites in the organization.
Action
Click the remove icon to delete the entry.
Add
Click this button to add a peer VPN gateway to the list.
Custom IPSec Policy
Click the IPSec Policy column in the Non-Nebula VPN peers section of the Gateway > Configure > Site-to-Site VPN screen to access this screen.
The following table describes the labels in this screen.
Gateway > Configure > Site-to-Site VPN: Custom IPSec Policy
Label
Description
Preset
Select a pre-defined IPSec policy, or select Custom to configure the policy settings yourself.
Phase 1
IPSec VPN consists of two phases: Phase 1 (Authentication) and Phase 2 (Key Exchange).
A phase 1 exchange establishes an IKE SA (Security Association).
Encryption
Select which key size and encryption algorithm to use in the IKE SA. Choices are:
DES - a 56-bit key with the DES encryption algorithm
3DES - a 168-bit key with the DES encryption algorithm
AES128 - a 128-bit key with the AES encryption algorithm
AES192 - a 192-bit key with the AES encryption algorithm
AES256 - a 256-bit key with the AES encryption algorithm
The security gateway and the remote IPSec router must use the same key size and encryption algorithm. Longer keys require more processing power, resulting in increased latency and decreased throughput.
Authentication
Select which hash algorithm to use to authenticate packet data in the IKE SA.
Choices are SHA128, SHA256, SHA512 and MD5. SHA is generally considered stronger than MD5, but it is also slower.
The remote IPSec router must use the same authentication algorithm.
Diffie-Hellman group
Select which Diffie-Hellman key group (DHx) you want to use for encryption keys. Choices are:
1 - use a 768-bit random number
2 - use a 1024-bit random number
5 - use a 1536-bit random number
14 - use a 2048-bit random number
The longer the key, the more secure the encryption, but also the longer it takes to encrypt and decrypt information. Both routers must use the same DH key group.
Lifetime (seconds)
Type the maximum number of seconds the IKE SA can last. When this time has passed, the security gateway and remote IPSec router have to update the encryption and authentication keys and re-negotiate the IKE SA. This does not affect any existing IPSec SAs, however.
Advanced
Click this to display a greater or lesser number of configuration fields.
Mode
Select the negotiation mode to use to negotiate the IKE SA. Choices are:
Main - this encrypts the security gateway’s and remote IPSec router’s identities but takes more time to establish the IKE SA
Aggressive - this is faster but does not encrypt the identities
The security gateway and the remote IPSec router must use the same negotiation mode.
Local ID
Type the identity of the security gateway during authentication. Any indicates that the remote IPSec router does not check the identity of the security gateway.
Peer ID
Type the identity of the remote IPSec router during authentication. Any indicates that the security gateway does not check the identity of the remote IPSec router.
Phase 2
Phase 2 uses the SA that was established in phase 1 to negotiate SAs for IPSec.
Encryption
Select which key size and encryption algorithm to use in the IPSec SA. Choices are:
(none) - no encryption key or algorithm
DES - a 56-bit key with the DES encryption algorithm
3DES - a 168-bit key with the DES encryption algorithm
AES128 - a 128-bit key with the AES encryption algorithm
AES192 - a 192-bit key with the AES encryption algorithm
AES256 - a 256-bit key with the AES encryption algorithm
The security gateway and the remote IPSec router must both have at least one proposal that uses the same encryption algorithm and the same key size.
Longer keys are more secure, but require more processing power, resulting in increased latency and decreased throughput.
Authentication
Select which hash algorithm to use to authenticate packet data in the IPSec SA.
Choices are (none), MD5, SHA128, SHA256, and SHA512. SHA is generally considered stronger than MD5, but it is also slower.
The security gateway and the remote IPSec router must both have a proposal that uses the same authentication algorithm.
PFS group
Select whether or not you want to enable Perfect Forward Secrecy (PFS) and, if you do, which Diffie-Hellman key group to use for encryption. Choices are:
Off - disable PFS
1 - enable PFS and use a 768-bit random number
2 - enable PFS and use a 1024-bit random number
5 - enable PFS and use a 1536-bit random number
14 - enable PFS and use a 2048-bit random number
PFS changes the root key that is used to generate encryption keys for each IPSec SA. The longer the key, the more secure the encryption, but also the longer it takes to encrypt and decrypt information. Both routers must use the same DH key group.
PFS is ignored in initial IKEv2 authentication but is used when reauthenticating.
Lifetime (seconds)
Type the maximum number of seconds the IPSec SA can last. Shorter lifetimes provide better security. The security gateway automatically negotiates a new IPSec SA before the current one expires, if there are users who are accessing remote resources.
Close
Click this button to exit this screen without saving.
OK
Click this button to save your changes and close the screen.
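As an added example (not Zyxel's code), the checks a reviewer might script against two Custom IPSec policies before enabling a Non-Nebula peer: whether the settings the text above says must match on both sides actually do, and which of the listed choices are weak (DES/3DES, MD5, DH groups 1 and 2, Aggressive mode, PFS Off, an unchecked Peer ID, or (none) in phase 2). Class and function names and the sample policies are this example's own; algorithm names are the labels used in the screen.

```python
from dataclasses import dataclass
from typing import FrozenSet, List, Union

WEAK_CIPHERS = {"DES", "3DES"}   # 56-bit DES and its triple variant are deprecated
WEAK_HASHES = {"MD5"}
SMALL_DH_GROUPS = {1, 2}         # 768- and 1024-bit groups are too small for current guidance


@dataclass(frozen=True)
class Phase1:
    encryption: str       # DES, 3DES, AES128, AES192 or AES256
    authentication: str   # MD5, SHA128, SHA256 or SHA512, as labelled in the screen
    dh_group: int         # 1, 2, 5 or 14
    mode: str = "Main"    # Main or Aggressive
    local_id: str = "Any"
    peer_id: str = "Any"


@dataclass(frozen=True)
class Proposal:
    encryption: str       # (none), DES, 3DES, AES128, AES192 or AES256
    authentication: str   # (none), MD5, SHA128, SHA256 or SHA512


@dataclass(frozen=True)
class IPSecPolicy:
    phase1: Phase1
    phase2: FrozenSet[Proposal]   # each side may offer several; they need one in common
    pfs_group: Union[int, str]    # "Off" or 1, 2, 5, 14


def negotiation_problems(local: IPSecPolicy, peer: IPSecPolicy) -> List[str]:
    """Reasons the two sides cannot bring the tunnel up; an empty list means compatible."""
    problems = []
    for name in ("encryption", "authentication", "dh_group", "mode"):
        ours, theirs = getattr(local.phase1, name), getattr(peer.phase1, name)
        if ours != theirs:
            problems.append(f"phase 1 {name} differs: {ours} vs {theirs}")
    if not (local.phase2 & peer.phase2):
        problems.append("phase 2: no proposal with the same encryption and authentication on both sides")
    if local.pfs_group != peer.pfs_group:
        problems.append(f"PFS group differs: {local.pfs_group} vs {peer.pfs_group}")
    return problems


def weak_settings(policy: IPSecPolicy) -> List[str]:
    """Findings a reviewer would raise on a Custom policy before it goes live."""
    p1, findings = policy.phase1, []
    if p1.encryption in WEAK_CIPHERS:
        findings.append(f"phase 1 uses {p1.encryption}; prefer an AES key size")
    if p1.authentication in WEAK_HASHES:
        findings.append("phase 1 authenticates with MD5; prefer SHA256 or SHA512")
    if p1.dh_group in SMALL_DH_GROUPS:
        findings.append(f"phase 1 DH group {p1.dh_group} is too small; prefer group 14")
    if p1.mode == "Aggressive":
        findings.append("Aggressive mode sends the identities unencrypted; prefer Main")
    if p1.peer_id == "Any":
        findings.append("Peer ID is Any, so the remote router's identity is not checked")
    for prop in policy.phase2:
        if prop.encryption in WEAK_CIPHERS or prop.encryption == "(none)":
            findings.append(f"a phase 2 proposal offers {prop.encryption} encryption")
        if prop.authentication in WEAK_HASHES or prop.authentication == "(none)":
            findings.append(f"a phase 2 proposal offers {prop.authentication} authentication")
    if policy.pfs_group == "Off":
        findings.append("PFS is Off: a compromised IKE key also exposes every IPSec SA key")
    elif policy.pfs_group in SMALL_DH_GROUPS:
        findings.append(f"PFS group {policy.pfs_group} is too small; prefer group 14")
    return findings


# Constructed sample policies, not taken from any real site.
STRONG = IPSecPolicy(Phase1("AES256", "SHA256", 14, "Main", "gw-a.example", "gw-b.example"),
                     frozenset({Proposal("AES256", "SHA256")}), 14)
LEGACY = IPSecPolicy(Phase1("3DES", "MD5", 2, "Aggressive"),
                     frozenset({Proposal("3DES", "MD5"), Proposal("AES128", "SHA128")}), "Off")
```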
L2TP over IPSec Client
Use this screen to configure the L2TP VPN settings.
The Layer 2 Tunneling Protocol (L2TP) works at layer 2 (the data link layer) to tunnel network traffic between two peers over another network (like the Internet). In L2TP VPN, an IPSec VPN tunnel is established first and then an L2TP tunnel is built inside it.
The following table describes the labels in this screen.
Gateway > Configure > L2TP over IPSec client
Label
Description
Client VPN server
Click ON to enable the L2TP/IPSec VPN server feature on the security gateway. Otherwise, click OFF to disable it.
Client VPN subnet
Specify the IP addresses that the security gateway uses to assign to the L2TP VPN clients.
DNS name servers
Specify the IP addresses of DNS servers to assign to the remote users.
Select Use Google Public DNS to use the DNS service offered by Google. Otherwise, select Specify nameserver to enter a static IP address.
Custom nameservers
If you select Specify nameserver in the DNS name servers field, manually enter the DNS server IP address(es).
WINS
The WINS (Windows Internet Naming Service) server keeps a mapping table of the computer names on your network and the IP addresses that they are currently using.
Select No WINS Servers to not send WINS server addresses to the users. Otherwise, select Specify nameserver to type the IP addresses of WINS servers to assign to the remote users.
Custom nameservers
If you select Specify nameserver in the WINS field, manually enter the WINS server IP address(es).
Secret
Enter the pre-shared key (password) which is used to set up the IPSec VPN tunnel.
Authentication
Select how the security gateway authenticates a remote user before allowing access to the L2TP VPN tunnel.
Network Access Method
Use this screen to enable or disable web authentication on an interface.
The following table describes the labels in this screen.
Gateway > Configure > Network access method
Label
Description
Interfaces
Select the gateway’s interface (network) to which the settings you configure here are applied.
Network Access
Select Direct access to turn off web authentication.
Select Click-to-continue to block network traffic until a client agrees to the policy of user agreement.
Select Sign-on with to block network traffic until a client authenticates with an external RADIUS or AD server through the specifically designated web portal page. Select an authentication server that you have configured in the Gateway > Configure > Network Servers screen (see Network Servers).
Walled garden
Select to turn on or off the walled garden feature. This field is not configurable if you set Network Access to Direct access.
With a walled garden, you can define one or more web site addresses that all users can access without logging in. These can be used for advertisements for example.
Walled garden ranges
Specify walled garden web site links, which use a domain name or an IP address for web sites that all users are allowed to access without logging in.
Captive portal access attribute
Self-registration
This field is available only when you select Sign-on with Nebula Cloud authentication in the Network Access field.
Select Allow users to create accounts with auto authorized or Allow users to create accounts with manual authorized to display a link in the captive portal login page. The link directs users to a page where they can create an account before they authenticate with the NCC. For Allow users to create accounts with manual authorized, users cannot log in with the account until the account is authorized and granted access. For Allow users to create accounts with auto authorized, users can just use the registered account to log in without administrator approval.
Select Don’t allow users to create accounts to not display a link for account creation in the captive portal login page.
Login on multiple client devices
This field is available only when you select Sign-on with in the Network Access field.
Select Multiple devices access simultaneously if you allow users to log in as many times as they want as long as they use different IP addresses.
Select One device at a time if you don’t allow users to have simultaneous logins.
NCAS disconnection behavior
This field is available only when you select Sign-on with Nebula Cloud Authentication in the Network Access field.
Select Allowed to allow any users to access the network without authentication when the NCAS (Nebula Cloud Authentication Server) is not reachable.
Select Limited to allow only the currently connected users or the users in the white list to access the network.
Walled Garden
Use this screen to configure the addresses of walled garden web sites that users can access without logging into the gateway. The settings in this screen apply to all networks (interfaces) on the security gateway. If you want to configure walled garden web site links for a specific interface, use the Network access method screen.
The following table describes the labels in this screen.
Gateway > Configure > Walled Garden
Label
Description
Walled garden
With a walled garden, you can define one or more web site addresses that all users can access without logging in. These can be used for advertisements for example.
Walled garden ranges
Specify walled garden web site links, which use a domain name or an IP address for web sites that all users are allowed to access without logging in.
Captive Portal
Use this screen to configure captive portal settings for each interface. A captive portal can intercept network traffic until the user authenticates his or her connection, usually through a specifically designated login web page.
The following table describes the labels in this screen.
Gateway > Configure > Captive portal
Label
Description
Interface
Select the gateway’s interface (network) to which the settings you configure here are applied.
Themes
Click the Copy icon at the upper right corner of the default theme image to create a new custom theme (portal page).
Click the Edit icon of a custom theme to go to a screen, where you can view and configure the details of the custom portal page(s). See Custom Theme Edit.
Click the Remove icon to delete a custom theme.
Click-to-continue/Sign-on page
Logo
This shows the logo image that you uploaded for the customized login page.
Click Upload a logo and specify the location and file name of the logo graphic or click Browse to locate it. You can use the following image file formats: GIF, PNG, or JPG.
Message
Enter a note to display below the title. Use up to 1024 printable ASCII characters. Spaces are allowed.
Success page
Message
Enter a note to display on the page that displays when a user logs in successfully. Use up to 1024 printable ASCII characters. Spaces are allowed.
External captive portal URL
Use URL
Select On to use a custom login page from an external web portal instead of the one built into the NCC. You can configure the look and feel of the web portal page.
Specify the login page’s URL; for example, http://IIS server IP Address/login.asp. The Internet Information Server (IIS) is the web server on which the web portal files are installed.
Captive portal behavior
After the captive portal page where the user should go?
Select To promotion URL and specify the URL of the web site/page to which the user is redirected after a successful login. Otherwise, select Stay on Captive portal authenticated successfully page.
Custom Theme Edit
Use this screen to check what the custom portal pages look like. You can also view and modify the CSS values of the selected HTML file.
The following table describes the labels in this screen.
Gateway > Configure > Captive portal: Edit
Label
Description
Back to config
Click this button to return to the Captive portal screen.
Copy of Modern
This shows the name of the theme. Click the edit icon to change it.
Custom themes color
Customize the colors on the selected custom portal page (HTML file), such as the color of the button, text, window’s background, links, and borders.
Select a color that you want to use and click the Choose button.
HTML
This shows the HTML file name of the portal page created for the selected custom theme.
Click an HTML file to display the portal page on the right side of the screen. You can also change colors and modify the CSS values of the selected HTML file.
Stylesheets
This shows the name of the main CSS file created for the selected custom theme.
Edit/Preview
Click Edit to view and modify the CSS values of the selected HTML file. It is recommended that you do NOT change the script code to ensure proper operation of the portal page.
Click Preview to display the corresponding portal page.
Save
Click this button to save your color settings for the selected HTML file.
Apply
Click this button to apply your color settings to the selected HTML file.
Popout
Click this button to display the corresponding portal page in a popup window.
Traffic Shaping
Use this screen to configure the maximum bandwidth and load balancing.
The following table describes the labels in this screen.
Gateway > Configure > Traffic shaping
Label
Description
Uplink configuration
WAN 1
WAN 2
Set the amount of upstream/downstream bandwidth for the WAN interface.
Click a lock icon to change the lock state. If the lock icon for a WAN interface is locked, the bandwidth limit you set applies to both inbound and outbound traffic. If the lock is unlocked, you can set inbound and outbound traffic to have different transmission speeds.
WAN load balancing algorithm
Select a load balancing method to use from the drop-down list box.
Select Least Load First to send new session traffic through the least utilized WAN interface.
Select Weighted Round Robin to balance the traffic load between interfaces based on their respective weights (bandwidth). An interface with a larger weight gets more chances to transmit traffic than an interface with a smaller weight. For example, if the weight ratio of WAN 1 and WAN 2 interfaces is 2:1, the security gateway chooses WAN 1 for 2 sessions’ traffic and WAN 2 for 1 session’s traffic in each round of 3 new sessions.
Select Failover to send traffic through a second WAN interface when the primary WAN interface is down or disabled.
Prefer WAN
Specify the primary WAN interface through which the security gateway forwards traffic.
This field is available when you set WAN load balancing algorithm to Failover.
WAN Connectivity check
The interface can regularly check the connection to the gateway you specified to make sure it is still available. The Nebula security gateway resumes routing to the gateway the first time the gateway passes the connectivity check.
If the WAN connection is down (the check fails), the Nebula security gateway will switch (failover) to use a redundant WAN connection.
Select Check Default Gateway to use the default gateway for the connectivity check.
Select Check this address to specify a domain name or IP address for the connectivity check.
*If you select Check this address but the IP address you specified cannot be reached through the primary WAN interface, the security gateway will switch to the other one even if the primary WAN connection is still up. Make sure your security gateway supports multiple WAN interfaces and both WAN connections are configured properly before you select Check this address.
This field is available when you set WAN load balancing algorithm to Failover.
Global bandwidth limits
Per-client limit
You can limit a client’s outbound or inbound bandwidth.
Source First IP
Enter the first IP address in a range of source IP addresses for which the security gateway applies the rule.
Source Last IP
Enter the last IP address in a range of source IP addresses for which the security gateway applies the rule.
Destination IPs
Enter the destination IP address(es) for which the security gateway applies the rule.
Enter any if the rule is effective for every destination.
Port(s)
Enter the port number(s) (1-65535) to which the packets go. The security gateway applies the rule to the packets that go to the corresponding service port. any means all service ports.
Protocol
Select TCP or UDP if you want to specify a protocol for the rule. Otherwise select Any.
Any means all services.
Down/Up
Set the maximum upstream/downstream bandwidth for traffic from an individual source IP address.
Click a lock icon to change the lock state. If the lock icon is locked, the bandwidth limit you set applies to both inbound and outbound traffic. If the lock is unlocked, you can set inbound and outbound traffic to have different transmission speeds.
Priority
Enter a number between 1 and 7 to set the priority for traffic that matches this policy. The smaller the number, the higher the priority.
Traffic with a higher priority is given bandwidth before traffic with a lower priority.
Click this icon to remove the rule.
Add
Click this button to create a new rule.
Session Control
UDP Session Time Out
Set how many seconds the security gateway will allow a UDP session to remain idle (without UDP traffic) before closing it.
Default Session per Host
Set a common limit to the number of concurrent NAT/Security Policy sessions each client computer can have.
If only a few clients use peer-to-peer applications, you can raise this number to improve their performance. With heavy peer-to-peer application use, lower this number to ensure no single client uses too many of the available NAT sessions.
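The three WAN load balancing algorithms and the Failover connectivity check described in the Traffic shaping table above, modelled as an added example (not Zyxel's code). The Wan class, the function names and the simple session counters are assumptions made for illustration; the 2:1 bandwidth ratio is the table's own example.

```python
"""Added example (not Zyxel's code): a toy model of the three WAN load
balancing algorithms and the Failover connectivity check described in the
Traffic shaping table.  The Wan class and function names are assumptions."""
from dataclasses import dataclass
from functools import reduce
from itertools import cycle
from math import gcd


@dataclass
class Wan:
    name: str
    bandwidth_kbps: int   # the interface weight for Weighted Round Robin
    link_up: bool = True  # state of the WAN connection itself
    sessions: int = 0     # current session count, used by Least Load First


def least_load_first(wans):
    """A new session goes to the least utilized WAN interface."""
    return min(wans, key=lambda w: w.sessions).name


def weighted_round_robin(wans, new_sessions):
    """Distribute new sessions in proportion to bandwidth: with a 2:1 ratio
    WAN 1 gets 2 of every 3 sessions, as the table's example states."""
    unit = reduce(gcd, (w.bandwidth_kbps for w in wans))
    one_round = [w.name for w in wans for _ in range(w.bandwidth_kbps // unit)]
    picks = cycle(one_round)
    return [next(picks) for _ in range(new_sessions)]


def failover(primary, secondary, primary_check_passed):
    """Failover: use the preferred WAN unless it is down or its connectivity
    check failed.  With 'Check this address' the probe can fail while the
    link itself is up, which still triggers the switch (the table's note)."""
    if primary.link_up and primary_check_passed:
        return primary.name
    return secondary.name


if __name__ == "__main__":
    wan1 = Wan("WAN 1", 2000)   # constructed sample interfaces
    wan2 = Wan("WAN 2", 1000)
    print(weighted_round_robin([wan1, wan2], 6))
    # link up, but the 'Check this address' probe failed through WAN 1
    print(failover(wan1, wan2, primary_check_passed=False))
```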
Security Filtering
Use this screen to enable or disable Intrusion Detection and Prevention (IDP) and/or anti-virus on the security gateway. IDP can detect malicious or suspicious packets used in network-based intrusions and respond instantaneously. Anti-virus helps protect your connected network from virus/spyware infection.
Note: Packet inspection signatures examine packet content for malicious data. Packet inspection applies to OSI (Open System Interconnection) layer-4 to layer-7 contents. You need to subscribe to the IDP service in order to be able to download new signatures.
The following table describes the labels in this screen.
Gateway > Configure > Security Filtering
Label
Description
Intrusion Detection / Prevention
Detection
Click On to detect malicious or suspicious packets. Otherwise, select Off to disable it.
Prevention
Click On to identify and respond to intrusions. Otherwise, select Off to disable it.
Anti-Virus
Enable
Click On to enable anti-virus on the security gateway. Otherwise, select Off to disable it.
Black/White List
Use this to set up anti-virus black (blocked) and white (allowed) lists of virus file patterns.
File Pattern
For a black list entry, specify a pattern to identify the names of files that the security gateway should log and delete.
For a white list entry, specify a pattern to identify the names of files that the security gateway should not scan for viruses.
Use up to 80 characters. Alphanumeric characters, underscores (_), dashes (-), question marks (?) and asterisks (*) are allowed.
A question mark (?) lets a single character in the file name vary. For example, use “a?.zip” (without the quotation marks) to specify aa.zip, ab.zip and so on.
Wildcards (*) let multiple files match the pattern. For example, use “*a.zip” (without the quotation marks) to specify any file that ends with “a.zip”. A file named “testa.zip” would match. There could be any number (of any type) of characters in front of the “a.zip” at the end and the file name would still match. A file named “test.zipa” for example would not match.
A * in the middle of a pattern has the security gateway check the beginning and end of the file name and ignore the middle. For example, with “abc*.zip”, any file starting with “abc” and ending in “.zip” matches, no matter how many characters are in between.
The whole file name has to match if you do not use a question mark or asterisk.
If you do not use a wildcard, the security gateway checks up to the first 80 characters of a file name.
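The Black/White List pattern rules above, implemented as an added example (not Zyxel's code): “?” varies one character, “*” matches any run of characters, a pattern without a wildcard must match the whole name and is compared against at most the first 80 characters. The function names, the sample lists and the precedence of the white list over the black list are assumptions.

```python
"""Added example (not Zyxel's code): a matcher implementing the file
pattern rules in the Black/White List description above.  Function names
and the list precedence are assumptions."""
import re


def pattern_to_regex(pattern):
    """Translate the pattern syntax into an anchored regular expression."""
    parts = []
    for ch in pattern:
        if ch == "?":
            parts.append(".")       # exactly one character may vary
        elif ch == "*":
            parts.append(".*")      # any number of characters, including none
        else:
            parts.append(re.escape(ch))
    return re.compile("".join(parts))


def matches(pattern, filename):
    """Whole-name match as the table describes."""
    if "?" not in pattern and "*" not in pattern:
        filename = filename[:80]    # no wildcard: only the first 80 chars are checked
    return pattern_to_regex(pattern).fullmatch(filename) is not None


def classify(filename, blacklist, whitelist):
    """Outcome per list type: a white list hit is not scanned ('allow'), a
    black list hit is logged and deleted ('block'), anything else is scanned.
    Checking the white list first is an assumption, not stated in the table."""
    if any(matches(p, filename) for p in whitelist):
        return "allow"
    if any(matches(p, filename) for p in blacklist):
        return "block"
    return "scan"


if __name__ == "__main__":
    # Constructed sample lists built from the table's own pattern examples
    black = ["a?.zip", "*a.zip", "abc*.zip"]
    white = ["report-2024.zip"]
    for name in ["aa.zip", "testa.zip", "test.zipa", "abcXYZ.zip", "report-2024.zip"]:
        print(name, "->", classify(name, black, white))
```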
Network Servers
Use this screen to configure DNS settings and an external AD (Active Directory) server or RADIUS server that the security gateway can use to authenticate users.
AD (Active Directory) is a directory service that is both a directory and a protocol for controlling access to a network. The directory consists of a database specialized for fast information retrieval and filtering activities. You create and store user profile and login information on the external server.
The following table describes the labels in this screen.
Gateway > Configure > Network Servers
Label
Description
Address Record
This record specifies the mapping of a Fully-Qualified Domain Name (FQDN) to an IP address. An FQDN consists of a host and domain name. For example, www.zyxel.com.tw is a fully qualified domain name, where “www” is the host, “zyxel” is the third-level domain, “com” is the second-level domain, and “tw” is the top level domain.
FQDN
Enter a host’s fully qualified domain name.
Use "*." as a prefix in the FQDN for a wildcard domain name (for example, *.example.com).
IP Address
Enter the host’s IP address.
Click this icon to remove the entry.
Add
Click this button to create a new entry.
Domain Zone Forwarder
This specifies a DNS server’s IP address. The security gateway can query the DNS server to resolve domain zones for features like VPN, DDNS and the time server. When the security gateway needs to resolve a domain zone, it checks it against the domain zone forwarder entries in the order that they appear in this list.
Domain Zone
A domain zone is a fully qualified domain name without the host. For example, zyxel.com.tw is the domain zone for the www.zyxel.com.tw fully qualified domain name. Whenever the security gateway needs to resolve a zyxel.com.tw domain name, it can send a query to the recorded name server IP address.
Enter * if all domain zones are served by the specified DNS server(s).
IP Address
Enter the DNS server's IP address.
Interface
Select the interface through which the security gateway sends DNS queries to the specified DNS server.
Click this icon to remove the entry.
Add
Click this button to create a new entry.
My AD Server
Name
Enter a descriptive name for the server.
Server address
Enter the address of the AD server.
Backup server address
If the AD server has a backup server, enter its address here.
Port
Specify the port number on the AD server to which the security gateway sends authentication requests. Enter a number between 1 and 65535.
AD domain
Specify the Active Directory forest root domain name.
Domain admin
Enter the name of the user that is located in the container for Active Directory Users, who is a member of the Domain Admin group.
Password
Enter the password of the Domain Admin user account.
Advanced
Click to open a screen where you can select to use Default or Custom advanced settings. See Advanced Settings.
Click this icon to remove the server.
Add
Click this button to create a new server.
My RADIUS server
Name
Enter a descriptive name for the server.
Server address
Enter the address of the RADIUS server.
Backup server address
If the RADIUS server has a backup server, enter its address here.
Port
Specify the port number on the RADIUS server to which the security gateway sends authentication requests. Enter a number between 1 and 65535.
Secret
Enter a password (up to 15 alphanumeric characters) as the key to be shared between the external authentication server and the security gateway.
The key is not sent over the network. This key must be the same on the external authentication server and the security gateway.
Advanced
Click to open a screen where you can select to use Default or Custom advanced settings. See Advanced Settings.
Click this icon to remove the server.
Add
Click this button to create a new server.
Advanced Settings
The following table describes the labels in this screen.
Gateway > Configure > Network Servers: Advanced
Label
Description
Preset
Select Default to use the pre-defined settings, or select Custom to configure your own settings.
Timeout
Specify the timeout period (between 1 and 300 seconds) before the security gateway disconnects from the server. In this case, user authentication fails.
Search timeout occurs when either the user information is not in the server(s) or the AD or RADIUS server(s) is down.
Case-Sensitive User Name
Click ON if the server checks the case of the user name. Otherwise, click OFF to treat user names as case-insensitive.
NAS IP Address
This field is only for RADIUS.
Type the IP address of the NAS (Network Access Server).
Close
Click this button to exit this screen without saving.
OK
Click this button to save your changes and close the screen.