Firewall
Overview
This chapter describes the menus used to monitor and configure the Hybrid Security Firewall device that acts as a security gateway in the current organization.
Nebula Device (also called Security Firewall device) refers to ZyWALL ATP / USG FLEX / USG20(W)-VPN Series devices in this chapter. The Firewall menus are shown for Security Firewall devices only.
Monitor
Use the Monitor menus to check the Nebula Device information, client information, event log messages and summary report for the Nebula Device in the selected site.
Firewall
This screen allows you to view the detailed information about the Nebula Device in the selected site. Click Firewall > Monitor > Firewall to access this screen.
Firewall > Monitor > Firewall
The following table describes the labels in this screen.
Firewall > Monitor > Firewall 
Label
Description
Configuration
Click the edit icon to change the Nebula Device name, description, tags and address (physical location). You can also move the Nebula Device to another site or remove it.
Name
This shows the descriptive name of the Nebula Device.
MAC address
This shows the MAC address of the Nebula Device’s WAN port.
Serial number
This shows the serial number of the Nebula Device.
Description
This shows the user-specified description for the Nebula Device.
Address
This shows the user-specified address (physical location) for the Nebula Device.
Tags
This shows the user-specified tags for the Nebula Device.
Port
This shows the ports on the Nebula Device.
The port is highlighted in green color when it is connected and the link is up.
Move the pointer over a port to see additional port information, such as its name, connection status, MAC address, and connection speed.
Port
This shows the identity number of the selected port.
Port Group
This shows the name of the port group that the port belongs to.
Status
This shows the connection status of the port.
Map
This shows the location of the Nebula Device on Google Maps (Map view or Satellite imagery view) or on a floor plan. Click Floor plan to display a list of existing floor plans. Each floor plan has a drawing that shows the rooms scaled and viewed from above. Drag-and-drop your Nebula Device directly on the Google map or click Position device to update the Nebula Device’s address (physical location).
 
Select GEO IP to use the public IP address of the Nebula Device.
Select Get my location from web browser to use the public IP address of the computer accessing the NCC portal.
Select Use the following address or coordinates to enter the complete address or coordinates of the Nebula Device.
*Nebula Devices that are offline cannot use GEO IP.
Photo
This shows the photo of the Nebula Device. Click Add to upload one or more photos. Click x to remove a photo.
Status
CPU usage
This shows what percentage of the Nebula Device’s processing capability is currently being used.
Memory usage
This shows what percentage of the Nebula Device’s RAM is currently being used.
Session
This shows how many sessions the Nebula Device currently has. A session is a unique established connection that passes through, from, to, or within the Nebula Device.
Channel (Band)
This shows the channel ID and WiFi frequency band currently being used by the Nebula Device.
*This field only appears for ZyWALL ATP100W, USG FLEX 100W, and USG20W-VPN.
Usage
This shows the amount of data that has been transmitted or received by the Nebula Device’s clients.
Topology
Click Show to go to the Site-Wide > Monitor > Topology screen. See Topology.
History
Click Event log to go to the Firewall > Monitor > Event log screen.
Configuration status
This shows whether the configuration on the Nebula Device is Up-to-date.
Firmware availability
This shows whether the firmware installed on the Nebula Device is Up-to-date.
Current version
This shows the firmware version currently installed on the Nebula Device.
WAN status
WAN Interface
This shows the descriptive name of the active WAN connection.
Status
This shows the connection status of the WAN interface (up or down).
IP
This shows the IP address of the WAN interface, and whether it was assigned automatically (DHCP), manually (Static IP), or by PPPoE.
Gateway
This shows the IP address of the default gateway assigned to the WAN interface.
DNS Server
This shows the IP addresses of the DNS servers assigned to the WAN interface.
Network usage and connectivity
Move the cursor over the chart to see the transmission rate at a specific time.
Zoom
Select to view the statistics in the past 2 hours, 24 hours, 7 days, or 30 days.
Pan
Click to move backward or forward by one day or week.
Live tools
Traffic
This shows the WAN port statistics.
The y-axis represents the transmission rate for uploads and downloads.
The x-axis shows the time period over which the traffic flow occurred.
DHCP leases
This shows the IP addresses currently assigned to DHCP clients.
Ping
Enter the host name or IP address of the computer that you want to ping in order to test a connection, and click Ping. You can select the interface (WAN, LAN, or VLAN) through which the Security Firewall sends the ping queries.
*To ping for VPN/routing issues, it is not necessary to connect an end-device on the LAN interface of the Nebula Device.
If a ping succeeds from the WAN interface but fails from the LAN interface, a routing problem is likely.
Traceroute
Enter the host name or IP address of the computer to which you want to run traceroute. This determines the path a packet takes to the specified computer.
DNS lookup
Enter a host name and click Run to resolve the IP address for the specified domain name.
Reboot device
Click the Reboot button to restart the Nebula Device.
Remote Access
This option is available only for the Nebula Device owner.
Establish a remote command line interface (CLI) connection to the Nebula Device by specifying the Port number and clicking Establish.
 
Clients
This menu item redirects to Site-Wide > Monitor > Clients, with type set to Security gateway clients. For details, see Clients.
Event Log
Use this screen to view Nebula Device log messages. You can enter a key word, select one or multiple event types, or specify a date/time or a time range to display only the log messages that match these criteria.
Select Range to set a time range or select Before to choose a specific date/time and the number of hours/minutes to display only the log messages generated within a certain period of time (before the specified date/time). Then click Search to update the list of logs based on the search criteria. The maximum allowable time range is 30 days.
Click Firewall > Monitor > Event log to access this screen.
Firewall > Monitor > Event log
VPN Connections
Use this screen to view the status of site-to-site IPSec VPN connections and L2TP VPN connections.
*If the peer gateway is not a Nebula Device, go to the Firewall > Configure > Site-to-Site VPN screen to view and configure a VPN rule. See Site-to-Site VPN for more information.
Click Firewall > Monitor > VPN connections to access this screen.
Firewall > Monitor > VPN connections
The following table describes the labels in this screen.
Firewall > Monitor > VPN connections 
Label
Description
Click this button to reload the data on this page.
Connection Status
Configuration
This shows the number and address of the local networks behind the Nebula Device, on which the computers are allowed to use the VPN tunnel.
Site Connectivity
Location
This shows the name of the site to which the Nebula peer gateway is assigned.
Click the name to view the VPN usage and connectivity status screen.
Subnet
This shows the address of the local networks behind the Nebula peer gateway.
Status
This shows whether the VPN tunnel is connected or disconnected.
Last heartbeat
This shows the last date and time a heartbeat packet was sent to determine if the VPN tunnel is up or down.
Non-Nebula VPN peers connectivity
Location
This shows the name of the site to which the Non-Nebula peer gateway (Zyxel or non-Zyxel IPSec VPN gateway and Cloud VPN (Azure VPN or AWS VPN)) is assigned.
Click the name to go to the Firewall > Configure > Site-to-Site VPN screen, where you can modify the VPN settings.
Subnet
This shows the address of the local networks behind the Non-Nebula peer gateway.
Status
This shows whether the VPN tunnel is connected or disconnected.
Inbound
This shows the amount of traffic that has gone through the VPN tunnel from the Non-Nebula peer gateway to the Nebula Device since the VPN tunnel was established.
Outbound
This shows the amount of traffic that has gone through the VPN tunnel from the Nebula Device to the Non-Nebula peer gateway since the VPN tunnel was established.
Tunnel up time
This shows how many seconds the VPN tunnel has been active.
Last heartbeat
This shows the last date and time a heartbeat packet was sent to determine if the VPN tunnel is up or down.
Remote AP VPN
Name
This shows the name of the remote access point (AP).
Status
This shows whether the VPN tunnel is connected or disconnected.
Inbound
This shows the amount of traffic that has gone through the VPN tunnel from the remote AP to the Nebula Device since the VPN tunnel was established.
Outbound
This shows the amount of traffic that has gone through the VPN tunnel from the Nebula Device to the remote AP since the VPN tunnel was established.
Tunnel up time
This shows how many seconds the VPN tunnel has been active.
Last heartbeat
This shows the last date and time a heartbeat packet was sent to determine if the VPN tunnel is up or down.
Client to site VPN login account
User Name
This shows the remote user’s login account name.
Hostname
This shows the name of the computer that has this L2TP VPN connection with the Nebula Device.
Tunnel up time
This shows how many seconds the VPN tunnel has been active.
Assigned IP
This shows the IP address that the Nebula Device assigned for the remote user’s computer to use within the L2TP VPN tunnel.
Public IP
This shows the public IP address that the remote user is using to connect to the Internet.
SecuReporter
Click Firewall > Monitor > SecuReporter to open SecuReporter for the current organization and site. SecuReporter allows you to view statistics for the following Nebula Security Services (NSS): Content filtering, Intrusion Detection and Prevention (IDP), application patrol, anti-virus, anti-malware, URL threat filter.
*For more details, see the SecuReporter User’s Guide.
Firewall > Monitor > SecuReporter
Summary Report
This screen displays network statistics for the Nebula Device of the selected site, such as WAN usage, top applications and/or top clients.
Click Firewall > Monitor > Summary report to access this screen.
Firewall > Monitor > Summary report
The following table describes the labels in this screen.
Firewall > Monitor > Summary report 
Label
Description
Security gateway – Summary report
Select to view the report for the past day, week or month. Alternatively, select Custom range... to specify a time period the report will span. You can also select the number of results you want to view in a table.
 
Email report
Click this button to send summary reports by email, change the logo and set email schedules.
WAN usage
y-axis
The y-axis shows the transmission speed of data sent or received through the WAN connection in kilobits per second (Kbps).
x-axis
The x-axis shows the time period over which the traffic flow occurred.
VPN usage
y-axis
The y-axis shows the transmission speed of data sent or received through the VPN tunnel in kilobits per second (Kbps).
x-axis
The x-axis shows the time period over which the traffic flow occurred.
Nebula VPN usage
y-axis
The y-axis shows the transmission speed of data sent or received through the VPN tunnels, in kilobits per second (Kbps).
x-axis
The x-axis shows the time period over which the traffic flow occurred.
Non-Nebula VPN usage
y-axis
The y-axis shows the transmission speed of data sent or received through VPN tunnels, in kilobits per second (Kbps).
x-axis
The x-axis shows the time period over which the traffic flow occurred.
Remote AP VPN usage
y-axis
The y-axis shows the transmission speed of data sent or received through the VPN tunnel between the Nebula Device and remote APs, in kilobits per second (Kbps).
x-axis
The x-axis shows the time period over which the traffic flow occurred.
Security gateway by usage
 
This shows the index number of the Nebula Device.
Name
This shows the descriptive name of the Nebula Device.
Model
This shows the model number of the Nebula Device.
Usage
This shows the amount of data that has been transmitted through the Nebula Device’s WAN port.
Client
This shows the number of clients currently connected to the Nebula Device.
Location
This shows the location of the Nebula Devices on the map.
Top applications by usage
 
This shows the index number of the application.
Application
This shows the application name.
Category
This shows the name of the category to which the application belongs.
Usage
This shows the amount of data consumed by the application.
% Usage
This shows the percentage of usage for the application.
Top ports by usage
 
This shows the top ten applications/services and the ports that identify a service.
Name
This shows the service name and the associated port numbers.
Usage
This shows the amount of data consumed by the service.
% Usage
This shows the percentage of usage for the service.
Clients per day
y-axis
The y-axis represents the number of clients.
x-axis
The x-axis represents the date.
Top clients by usage
 
This shows the index number of the client.
Description
This shows the descriptive name or MAC address of the client.
Usage
This shows the total amount of data transmitted and received by the client.
% Usage
This shows the percentage of usage for the client.
Top operating systems by usage
 
This shows the index number of the operating system.
OS
This shows the operating system of the client device.
# Client
This shows how many client devices use this operating system.
% Client
This shows the percentage of top client devices which use this operating system.
% Usage
This shows the percentage of usage for top client devices which use this operating system.
Top client device manufacturers by usage
 
This shows the index number of the client device.
Manufacturer
This shows the manufacturer name of the client device.
Client
This shows how many client devices are made by the manufacturer.
% Client
This shows the percentage of top client devices which are made by the manufacturer.
Usage
This shows the total amount of data transmitted and received by the client device.
% Usage
This shows the percentage of usage for the client device.
CPU usage
y-axis
The y-axis shows what percentage of the Nebula Device’s processing capability is currently being used.
x-axis
The x-axis shows the time period over which the traffic flow occurred.
Memory usage
 
y-axis
The y-axis shows what percentage of the Nebula Device’s RAM is currently being used.
x-axis
The x-axis shows the time period over which the traffic flow occurred.
Sessions usage
y-axis
The y-axis shows how many sessions, both established and non-established, were created from, to, or within the Nebula Device, or passed through it.
x-axis
The x-axis shows the time period over which the traffic flow occurred.
Configure
Use the Configure menus to configure interface addressing, firewall, site-to-site VPN, captive portal, traffic shaping, authentication server and other gateway settings for the Nebula Device of the selected site.
*Only one Security Appliance is allowed per site.
Port
Use this screen to configure port groups on the Nebula Device. To access this screen, click Firewall > Configure > Port.
Firewall > Configure > Port
The following table describes the labels in this screen.
Firewall > Configure > Port 
Label
Description
Port Group
Port groups create a hardware connection between physical ports at the layer-2 (data link, MAC address) level.
The physical LAN Ethernet ports, for example P1, P2, P3, are shown at the top of the screen. The port groups are shown at the left of the screen. Use the radio buttons to select which ports are in each port group.
For example, to add port P3 to LAN Group 1, select P3’s radio button in the LAN Group 1 row.
*See Supported Nebula Devices for the list of Nebula Devices that do NOT have a P1 port.
Port Type
This shows whether the port is a WAN port or a LAN port. Optional means the port can be assigned as either WAN or LAN, by adding it to a WAN or LAN group.
WAN Port Group
WAN Group 1
This shows the name of the WAN port group.
*Each WAN port group can only contain one port.
Click this icon to remove a WAN port group.
Add
Click this button to create a new WAN port group.
LAN Port Group
LAN Group 1
This shows the name of the LAN port group.
Click this icon to remove a LAN port group.
Add
Click this button to create a new LAN port group.
Close
Click Close to exit this screen without saving.
OK
Click OK to save your changes.
Interface
Use this screen to configure network interfaces on the Nebula Device. An interface consists of a port group, a VLAN ID, and an IP address, plus other configuration settings.
To access this screen, click Firewall > Configure > Interface.
Firewall > Configure > Interface
The following table describes the labels in this screen.
Firewall > Configure > Interface 
Label
Description
WAN Interface
 
Name
This field is read-only if you are editing an existing WAN interface.
Specify a name for the interface.
The format of interface names is strict. Each name consists of 2 – 4 letters (interface type), followed by a number (x). For most interfaces, x is limited by the maximum number of the type of interface. For VLAN interfaces, x is defined by the number you enter in the VLAN name field. For example, VLAN interfaces are vlan0, vlan1, vlan2, and so on.
Status
Select this to activate the selected WAN interface.
IP address
This shows the IP address for this interface.
Subnet mask
This shows the subnet mask of this interface in dot decimal notation. The subnet mask indicates what part of the IP address is the same for all computers in the network.
VLAN ID
This shows the VLAN ID. This 12-bit number uniquely identifies each VLAN. Allowed values are 1 – 4094. (0 and 4095 are reserved.)
*NCC will show an error message when the VLAN ID in the interface is configured to be the same as the WAN port’s VLAN ID.
Port group
Select the name of the port group to which you want the interface (network) to belong.
Click the edit icon to modify the interface.
Click the remove icon to delete the interface.
Add
Click this button to create a virtual WAN interface, which associates a VLAN with a WAN port group.
LAN Interface
Name
This field is read-only if you are editing an existing LAN interface.
Specify a name for the interface.
The format of interface names is strict. Each name consists of 2 – 4 letters (interface type), followed by a number (x). For most interfaces, x is limited by the maximum number of the type of interface. For VLAN interfaces, x is defined by the number you enter in the VLAN name field. For example, VLAN interfaces are vlan0, vlan1, vlan2, and so on.
Status
Select this to activate the LAN interface.
IP address
This is the IP address for this interface.
Subnet mask
This is the subnet mask of this interface in dot decimal notation. The subnet mask indicates what part of the IP address is the same for all computers in the network.
VLAN ID
This is the VLAN ID. This 12-bit number uniquely identifies each VLAN. Allowed values are 1 – 4094. (0 and 4095 are reserved.)
*NCC will show an error message when the VLAN ID in the NSG interface is configured to be the same as the WAN port’s VLAN ID.
Port group
Select the name of the port group to which you want the interface (network) to belong.
Guest
Select On to configure the interface as a Guest interface. Client devices connected to a Guest interface have Internet access but cannot communicate with each other directly or access networks behind the Nebula Device.
Click the edit icon to modify it.
Click the remove icon to delete it.
Add
Click this button to create a virtual LAN interface, which associates a VLAN with a LAN port group.
WAN Interface Configuration
Click the Add button or click the Edit button in the WAN Interface section to open the Firewall > Configure > Interface > WAN interface configuration screen.
Firewall > Configure > Interface > WAN interface configuration
The following table describes the labels in this screen.
Firewall > Configure > Interface > WAN interface configuration 
Label
Description
Enable
Select this to enable the WAN interface.
Interface properties
Interface name
Specify a name for the WAN interface.
Port group
Select the name of the port group to which you want the interface (network) to belong.
SNAT
Select this to enable SNAT. When enabled, the Nebula Device rewrites the source address of packets being sent from this interface to the interface's IP address.
VLAN ID
Enter the VLAN ID. This 12-bit number uniquely identifies each VLAN. Allowed values are 1 – 4094. (0 and 4095 are reserved.)
Type
Select the type of interface to create.
DHCP: The interface will automatically get an IP address and other network settings from a DHCP server.
Static: You must manually configure an IP address and other network settings for the interface.
PPPoE: The interface will authenticate with an Internet Service Provider, and then automatically get an IP address from the ISP's DHCP server. You can use this type of interface to connect to a DSL modem.
PPPoE with static IP: The interface gets its Internet connection through a PPPoE server, but uses a static IP address that you assign instead of one issued by the ISP.
IP address assignment
These fields are displayed if you select Static.
IP address
Enter the static IP address of this interface.
Subnet mask
Enter the subnet mask for this interface’s IP address.
Default gateway
Enter the IP address of the default gateway through which this interface sends traffic.
First DNS server
Enter a DNS server's IP address.
The Domain Name System (DNS) maps a domain name to an IP address and vice versa. The Nebula Device uses the first and second DNS servers, in that order, to resolve domain names for VPN, DDNS and the time server. Leave the field blank if you do not want to configure DNS servers.
Second DNS server
Enter the IP address of another DNS server. This field is optional.
These fields are displayed if you selected PPPoE or PPPoE with static IP.
Authentication Type
Select an authentication protocol for outgoing connection requests. Options are:
Chap/PAP – The Nebula Device accepts either CHAP or PAP when requested by the remote node.
Chap – The Nebula Device accepts CHAP only.
PAP – The Nebula Device accepts PAP only.
MSCHAP – The Nebula Device accepts MSCHAP only.
MSCHAP-V2 – The Nebula Device accepts MSCHAP-V2 only.
Username
Enter the user name provided by your ISP. You can use up to 31 alphanumeric characters and the underscore. Spaces are not allowed.
Password
Enter the password provided by your ISP. You can use up to 64 alphanumeric characters and the underscore. Spaces are not allowed.
Retype password
Enter the password again to confirm it.
Downstream bandwidth
Enter the downstream bandwidth of the WAN connection. This value is used for WAN load balancing by algorithms such as weighted round robin.
Upstream bandwidth
Enter the upstream bandwidth of the WAN connection. This value is used for WAN load balancing by algorithms such as weighted round robin.
MTU
Maximum Transmission Unit. Enter the maximum size of each data packet, in bytes, that can move through this interface. If a larger packet arrives, the Nebula Device divides it into smaller fragments. Allowed values are 576 – 1500.
ADVANCED OPTIONS
Connectivity check
The interface can periodically check whether it can connect to its default gateway (Default gateway), or to two user-specified servers (Check the two addresses below). If the check fails, the interface's status changes to Down.
You specify how often the interface checks the connection, how long to wait for a response before the attempt is a failure, and how many consecutive failures are required before the Nebula Device stops routing to the gateway.
Probe Succeeds When
This field applies when you select Check the two addresses and specify two domain names or IP addresses for the connectivity check.
Select any one if you want the check to pass if at least one of the domain names or IP addresses responds.
Select all if you want the check to pass only if both domain names or IP addresses respond.
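The check semantics described above (Default gateway or two addresses, Probe Succeeds When set to any one or all, and a consecutive-failure threshold before the interface goes Down) as an added Python model; this is example code, not Zyxel's or NCC's implementation. Field names, the sample probe rounds and the assumption that a passing check restores the interface to Up are constructed here.

```python
from dataclasses import dataclass, field


@dataclass
class ConnectivityCheck:
    """Connectivity check settings for one WAN interface (attribute names assumed)."""
    targets: list                 # ["default-gateway"] or the two user-specified addresses
    succeeds_when: str = "any"    # "any": at least one target replies; "all": both must reply
    fail_tolerance: int = 5       # consecutive failed checks before the status becomes Down

    def __post_init__(self):
        if self.succeeds_when not in ("any", "all"):
            raise ValueError("succeeds_when must be 'any' or 'all'")
        if not 1 <= len(self.targets) <= 2:
            raise ValueError("check the default gateway (1 target) or two addresses")
        if self.fail_tolerance < 1:
            raise ValueError("fail_tolerance must be at least 1")

    def check_passes(self, responses):
        """One check round. `responses` maps target -> True if it replied within
        the timeout; a target missing from the map counts as no reply."""
        results = [bool(responses.get(t, False)) for t in self.targets]
        if self.succeeds_when == "all":
            return all(results)
        return any(results)


@dataclass
class WanInterfaceState:
    """Tracks Up/Down for the interface as check rounds come in."""
    check: ConnectivityCheck
    status: str = "Up"
    consecutive_failures: int = 0
    history: list = field(default_factory=list)

    def observe(self, responses):
        """Feed one round of probe replies; return the status after the round."""
        if self.check.check_passes(responses):
            self.consecutive_failures = 0
            # Assumption: a passing check restores the interface to Up. The
            # guide only describes the transition to Down.
            self.status = "Up"
        else:
            self.consecutive_failures += 1
            if self.consecutive_failures >= self.check.fail_tolerance:
                self.status = "Down"
        self.history.append(self.status)
        return self.status


def simulate(check, rounds):
    """Run constructed probe rounds through the state machine.

    Returns (final status, index of the first round at which the interface
    went Down, or None if it never did)."""
    state = WanInterfaceState(check)
    first_down = None
    for i, responses in enumerate(rounds):
        if state.observe(responses) == "Down" and first_down is None:
            first_down = i
    return state.status, first_down


# Constructed sample: two check targets in documentation address ranges.
# Round 0: only the first target replies; rounds 1-3: neither replies;
# round 4: both reply again.
SAMPLE_ROUNDS = [
    {"203.0.113.1": True, "198.51.100.1": False},
    {"203.0.113.1": False, "198.51.100.1": False},
    {"203.0.113.1": False},
    {},
    {"203.0.113.1": True, "198.51.100.1": True},
]

if __name__ == "__main__":
    for mode in ("any", "all"):
        chk = ConnectivityCheck(["203.0.113.1", "198.51.100.1"], mode, fail_tolerance=3)
        print(mode, simulate(chk, SAMPLE_ROUNDS))
```

With the same probe results, "all" takes the interface Down one round earlier than "any one", which is the trade-off to weigh when picking the setting: "all" fails over faster but also reacts to a single probe target being unreachable.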
Proxy ARP
Proxy ARP (RFC 1027) allows the Nebula Device to answer external interface ARP requests on behalf of a device on its internal interface.
Click Add new to add the IP address or IP range of devices that the interface will answer proxy ARP requests for.
IP Address
Enter a single IPv4 address, an IPv4 CIDR (for example, 192.168.1.1/24) or an IPv4 Range (for example, 192.168.1.2–192.168.1.100).
The Nebula Device answers external ARP requests only if their target IP address matches one of these entries. For example, if the entry is the IPv4 address 192.168.1.5, the Nebula Device answers an ARP request arriving from the WAN only when the request's target IP address is 192.168.1.5.
Click the remove icon to delete the proxy ARP IP address.
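An added Python example (not NCC's or Zyxel's code) that parses the three Proxy ARP entry forms the screen accepts (single IPv4 address, IPv4 CIDR, IPv4 range) and decides, for a constructed set of ARP requests seen on the WAN side, which target addresses the interface would answer for. The range separator is accepted as either the en dash shown on the screen or a plain hyphen.

```python
import ipaddress
import re

# The screen writes a range as 192.168.1.2–192.168.1.100 (en dash); a hyphen
# is accepted here too.
_RANGE_SEP = re.compile(r"\s*[–-]\s*")


def parse_proxy_arp_entry(entry):
    """Parse one Proxy ARP 'IP Address' entry into a list of IPv4Network objects.

    Accepted forms, as listed on the WAN interface configuration screen:
      single address   192.168.1.5
      CIDR             192.168.1.1/24
      range            192.168.1.2–192.168.1.100
    """
    text = entry.strip()
    if "/" in text:
        # strict=False lets a host address such as 192.168.1.1/24 stand for
        # its containing network, which is how the screen's example reads.
        return [ipaddress.ip_network(text, strict=False)]
    parts = _RANGE_SEP.split(text)
    if len(parts) == 2:
        first = ipaddress.ip_address(parts[0])
        last = ipaddress.ip_address(parts[1])
        if last < first:
            raise ValueError(f"range end precedes start: {entry!r}")
        # summarize_address_range yields the minimal set of CIDR blocks
        # covering first..last inclusive.
        return list(ipaddress.summarize_address_range(first, last))
    if len(parts) == 1:
        return [ipaddress.ip_network(text)]          # single host -> /32
    raise ValueError(f"unrecognised proxy ARP entry: {entry!r}")


class ProxyArpTable:
    """The target addresses a WAN interface answers ARP requests on behalf of."""

    def __init__(self, entries):
        self.networks = []
        for entry in entries:
            self.networks.extend(parse_proxy_arp_entry(entry))

    def answers_for(self, target_ip):
        """True if an ARP request with this target IP should be answered."""
        ip = ipaddress.ip_address(target_ip)
        return any(ip in net for net in self.networks)

    def answered_targets(self, arp_requests):
        """Filter (sender, target) ARP request pairs to those that get a reply."""
        return [(s, t) for s, t in arp_requests if self.answers_for(t)]


# Constructed sample configuration and WAN-side ARP requests.
SAMPLE_ENTRIES = ["192.168.1.5", "10.0.0.1/24", "192.168.1.2–192.168.1.100"]
SAMPLE_REQUESTS = [
    ("203.0.113.9", "192.168.1.50"),   # inside the range entry -> answered
    ("203.0.113.9", "192.168.2.50"),   # no entry covers it -> ignored
    ("203.0.113.9", "10.0.0.200"),     # inside the CIDR entry -> answered
]

if __name__ == "__main__":
    table = ProxyArpTable(SAMPLE_ENTRIES)
    for net in table.networks:
        print("answering for", net)
    print(table.answered_targets(SAMPLE_REQUESTS))
```

Printing the expanded networks is a useful sanity check before saving: a CIDR entry written with a host bit set expands to the whole block, so the interface ends up answering for more addresses than the literal entry suggests.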
MAC address Setting
Have the interface use either the factory-assigned default MAC address, or a manually specified MAC address.
DHCP client mode
Choices are Auto, Unicast and Broadcast.
DHCP option 60
DHCP option 60 carries a Vendor Class Identifier (VCI) that the Security Firewall uses to identify itself to the DHCP server. The Nebula Device adds it to the initial DHCP discovery message that a DHCP client broadcasts in search of an IP address. The DHCP server can assign different IP addresses or options to clients with a specific VCI, or reject requests from clients without it.
Enter a string of up to 63 of these characters [a–z A–Z 0–9 !"#$%&'()*+,-./:;<=>?@[\]^_`{}] to identify this Nebula Device to the DHCP server. For example, Zyxel-TW.
IGMP proxy
Select this to allow the Nebula Device to act as an IGMP proxy for hosts connected on the IGMP downstream interface.
IGMP Upstream
Enable IGMP Upstream on the interface which connects to a router running IGMP that is closer to the multicast server.
IGMP Downstream
Enable IGMP Downstream on the interface which connects to the multicast hosts.
Close
Click Close to exit this screen without saving.
OK
Click OK to save your changes.
LAN Interface Configuration
Click the Add button or click the Edit button in the LAN interface section to open the Firewall > Configure > Interface > LAN interface configuration screen.
Firewall > Configure > Interface > LAN interface configuration
The following table describes the labels in this screen.
Firewall > Configure > Interface > LAN interface configuration 
Label
Description
Enable
Select this to enable the LAN interface.
Interface properties
Interface name
Specify a name for the LAN interface.
Port group
Select the name of the port group to which you want the interface (network) to belong.
VLAN ID
Enter the VLAN ID. This 12-bit number uniquely identifies each VLAN. Allowed values are 1 – 4094. (0 and 4095 are reserved.)
IP address assignment
IP address
Enter the IP address for this interface.
Subnet mask
Enter the subnet mask of this interface in dot decimal notation. The subnet mask indicates what part of the IP address is the same for all computers in the network.
DHCP setting
Select what type of DHCP service the Nebula Device provides to the network. Choices are:
None – the Nebula Device does not provide any DHCP services. There is already a DHCP server on the network.
DHCP Relay – the Nebula Device routes DHCP requests to one or more DHCP servers you specify. The DHCP servers may be on another network.
DHCP Server – the Nebula Device assigns IP addresses and provides subnet mask, gateway, and DNS server information to the network. The Nebula Device is the DHCP server for the network.
These fields appear if the Nebula Device is a DHCP Relay.
DHCP server 1
Enter the IP address of a DHCP server for the network.
DHCP server 2
This field is optional. Enter the IP address of another DHCP server for the network.
These fields appear if the Nebula Device is a DHCP Server.
IP pool start address
Enter the IP address from which the Nebula Device begins allocating IP addresses. If you want to assign a static IP address to a specific computer, use the Static DHCP Table.
If this field is blank, the Pool Size must also be blank. In this case, the Nebula Device can assign every IP address allowed by the interface’s IP address and subnet mask, except for the first address (network address), last address (broadcast address) and the interface’s IP address.
First DNS Server, Second DNS Server, Third DNS Server
Specify the IP addresses of up to three DNS servers for the DHCP clients to use. Use one of the following ways to specify these IP addresses.
Custom Defined – enter a static IP address.
From ISP – select the DNS server that another interface received from its DHCP server.
This Gateway – the DHCP clients use the IP address of this interface and the Nebula Device works as a DNS relay.
Lease Time
Specify how long each computer can use the information (especially the IP address) before it has to request the information again. Choices are:
infinite – select this if IP addresses never expire.
days, hours, and minutes (Optional) – select this to enter how long IP addresses are valid.
Static DHCP table
Configure a list of static IP addresses the Nebula Device assigns to computers connected to the interface. Otherwise, the Nebula Device assigns an IP address dynamically using the interface’s IP Pool Start Address and Pool Size.
IP address
Enter the IP address to assign to a device with this entry’s MAC address.
MAC
Enter the MAC address to which to assign this entry’s IP address.
Description
Enter a description to help identify this static DHCP entry. You can use alphanumeric and ()+/:=?!*#@$_%– characters, and it can be up to 60 characters long.
Select an entry in this table and click this to delete it.
Add New
Click this to create an entry in the Static DHCP table.
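The DHCP Server pool rules above (blank start means every address allowed by the interface's IP and mask except the network, broadcast and interface addresses; otherwise a start address with a Pool Size; Static DHCP table entries reserved for their MAC addresses) as an added Python example, not NCC's own code. The function name, the requirement that Pool Size accompany a start address, and the sample values are assumptions made here.

```python
import ipaddress


def dhcp_pool(interface_ip, subnet_mask, pool_start=None, pool_size=None,
              static_table=()):
    """Work out what a LAN interface's DHCP server can hand out.

    Returns (dynamic_pool, reservations):
      dynamic_pool  list of IPv4Address the server may assign dynamically
      reservations  dict IPv4Address -> MAC taken from the Static DHCP table
    Raises ValueError for combinations the guide describes as invalid, plus
    a few consistency checks (entries outside the subnet, duplicates).
    """
    iface = ipaddress.ip_interface(f"{interface_ip}/{subnet_mask}")
    net = iface.network
    # Never handed out: network address, broadcast address, interface's own IP.
    never_assigned = {net.network_address, net.broadcast_address, iface.ip}

    if pool_start is None:
        # Per the guide: a blank start address requires a blank Pool Size.
        if pool_size is not None:
            raise ValueError("Pool Size must be blank when IP pool start address is blank")
        candidates = list(net.hosts())         # excludes network and broadcast
    else:
        start = ipaddress.ip_address(pool_start)
        if start not in net:
            raise ValueError(f"pool start {start} is outside {net}")
        # Assumption: a start address must come with a positive Pool Size.
        if pool_size is None or pool_size < 1:
            raise ValueError("Pool Size must be given with a start address")
        # Clip the pool so it never runs past the last usable address.
        last = min(int(start) + pool_size - 1, int(net.broadcast_address) - 1)
        candidates = [ipaddress.ip_address(i) for i in range(int(start), last + 1)]

    reservations = {}
    for mac, ip_text in static_table:
        ip = ipaddress.ip_address(ip_text)
        if ip not in net:
            raise ValueError(f"static entry {ip} is outside {net}")
        if ip in never_assigned:
            raise ValueError(f"static entry {ip} collides with a reserved address")
        if ip in reservations:
            raise ValueError(f"duplicate static entry for {ip}")
        reservations[ip] = mac.lower()

    dynamic = [ip for ip in candidates
               if ip not in never_assigned and ip not in reservations]
    return dynamic, reservations


if __name__ == "__main__":
    # Constructed sample: /24 LAN, one static entry, no explicit pool.
    pool, fixed = dhcp_pool("192.168.1.1", "255.255.255.0",
                            static_table=[("00:11:22:33:44:55", "192.168.1.10")])
    print(len(pool), "dynamic addresses,", len(fixed), "reservation(s)")
    print("first/last dynamic:", pool[0], pool[-1])
```

A static entry only ties an address to a MAC the server trusts as presented; it is an addressing convenience, not an access control, so pair it with firewall rules rather than relying on the reservation alone.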
MTU
Maximum Transmission Unit. Enter the maximum size of each data packet, in bytes, that can move through this interface. If a larger packet arrives, the Nebula Device divides it into smaller fragments. Allowed values are 576 – 1500. Usually, this value is 1500.
ADVANCED OPTIONS
DHCP extended options
This table is available if you select ADVANCED OPTIONS.
Configure this table if you want to send more information to DHCP clients through DHCP packets.
Click Add new to create an entry in this table. See Section 7.3.2.3 on page 189 for detailed information.
First WINS server
Second WINS server
Enter the IP address of the WINS (Windows Internet Naming Service) server that you want to send to the DHCP clients. The WINS server keeps a mapping table of the computer names on your network and the IP addresses that they are currently using.
PXE server
PXE (Preboot eXecution Environment) allows a client computer to use the network to boot up and install an operating system through a PXE-capable Network Interface Card (NIC).
PXE is available for computers on internal interfaces to allow them to boot up using boot software on a PXE server. The Nebula Device acts as an intermediary between the PXE server and the computers that need boot software.
The PXE server must have a public IPv4 address. You must enable DHCP server on the Nebula Device so that it can receive information from the PXE server.
PXE Boot loader file
A boot loader is a computer program that loads the operating system for the computer. Enter the exact file name of the boot loader software file, including filename extension, that is on the PXE server. If the wrong filename is entered, then the client computers cannot boot.
Default gateway
If you set this interface to DHCP server, you can select to use either the interface’s IP address or another IP address as the default router. This default router will become the DHCP clients’ default gateway.
IGMP proxy
Select this to allow the Nebula Device to act as an IGMP proxy for hosts connected on the IGMP downstream interface.
IGMP Upstream
Enable IGMP Upstream on the interface which connects to a router running IGMP that is closer to the multicast server.
IGMP Downstream
Enable IGMP Downstream on the interface which connects to the multicast hosts.
Close
Click Close to exit this screen without saving.
OK
Click OK to save your changes.
DHCP Option
Click the Add new button in the DHCP extended options section to open the Firewall > Configure > Interface > LAN interface configuration: DHCP option screen.
Firewall > Configure > Interface: LAN interface configuration: DHCP option
The following table describes the labels in this screen.
Firewall > Configure > Interface: LAN interface configuration: DHCP option
Label
Description
Option
Select which DHCP option that you want to add in the DHCP packets sent through the interface.
Name
This field displays the name of the selected DHCP option. If you selected User defined in the Option field, enter a descriptive name to identify the DHCP option.
Code
This field displays the code number of the selected DHCP option. If you selected User defined in the Option field, enter a number for the option. This field is mandatory.
Type
This is the type of the selected DHCP option. If you selected User defined in the Option field, select an appropriate type for the value that you will enter in the next field. Misconfiguration could result in interface lockout.
Value
Enter the value for the selected DHCP option. For example, if you selected TFTP Server Name (66) and the type is TEXT, enter the DNS domain name of a TFTP server here. This field is mandatory.
First/Second/Third IP address
If you selected User defined / Time/NTP/SIP/TFTP server / CAPWAP AC in the Option field, enter up to three IP addresses.
Close
Click Close to exit this screen without saving.
OK
Click OK to save your changes.
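The following is an added example, not part of this manual or Zyxel's code: it shows how an Option / Code / Type / Value entry from this screen becomes the bytes a DHCP client receives (RFC 2132 option framing), and checks the length limits that the Code and Value fields cannot exceed. The type name HEX and all sample values are assumptions; codes 66 (TFTP server name), 67 (bootfile name, the PXE boot loader file) and 42 (NTP servers) are the standard ones.

```python
"""DHCP option TLV encoding for the extended options configured above.

Added example, not Zyxel's code. TEXT and IP type names follow the
screen's example; HEX is an assumption. Sample values are constructed.
"""
import ipaddress
import struct

PAD, END = 0, 255  # single-byte markers that are not TLV options


def encode_option(code: int, opt_type: str, value) -> bytes:
    """Return code | length | payload for one option.

    value is a string for TEXT and HEX, and a list of up to three
    dotted-quad strings for IP (the First/Second/Third IP address fields).
    """
    if not 1 <= code <= 254:
        raise ValueError("option code must be 1..254 (0 is PAD, 255 is END)")
    if opt_type == "TEXT":
        payload = str(value).encode("ascii")
    elif opt_type == "IP":
        if not 1 <= len(value) <= 3:
            raise ValueError("IP options take one to three addresses")
        payload = b"".join(ipaddress.IPv4Address(a).packed for a in value)
    elif opt_type == "HEX":
        payload = bytes.fromhex(value)
    else:
        raise ValueError(f"unsupported type {opt_type!r}")
    if not 1 <= len(payload) <= 255:
        # a single length byte: a longer value simply cannot be sent
        raise ValueError("option payload must be 1..255 bytes")
    return struct.pack("BB", code, len(payload)) + payload


def build_options(entries) -> bytes:
    """Concatenate the configured entries and terminate with END."""
    return b"".join(encode_option(**e) for e in entries) + bytes([END])


def decode_options(blob: bytes) -> dict:
    """Parse TLVs back into {code: payload}; a truncated TLV raises.

    Parsing stops at END and skips PAD, as a client would.
    """
    out, i = {}, 0
    while i < len(blob):
        code = blob[i]
        if code == END:
            break
        if code == PAD:
            i += 1
            continue
        if i + 1 >= len(blob):
            raise ValueError("truncated option header")
        length = blob[i + 1]
        payload = blob[i + 2:i + 2 + length]
        if len(payload) != length:
            raise ValueError(f"option {code} truncated")
        out[code] = payload
        i += 2 + length
    return out


# Constructed sample entries mirroring the screen's fields.
SAMPLE_ENTRIES = [
    {"code": 66, "opt_type": "TEXT", "value": "tftp.example.net"},
    {"code": 67, "opt_type": "TEXT", "value": "pxelinux.0"},
    {"code": 42, "opt_type": "IP", "value": ["192.0.2.10", "192.0.2.11"]},
]

if __name__ == "__main__":
    wire = build_options(SAMPLE_ENTRIES)
    for code, payload in decode_options(wire).items():
        print(code, payload)
```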
Routing
Use policy routes and static routes to override the Nebula Device’s default routing behavior in order to send packets through the appropriate next-hop gateway, interface or VPN tunnel.
A policy route defines the matching criteria and the action to take when a packet meets the criteria. The action is taken only when all the criteria are met. Use this screen to configure policy routes.
Click Firewall > Configure > Routing: Policy Route/Traffic Shaping to access this screen.
Firewall > Configure > Routing: Policy Route/Traffic Shaping
The following table describes the labels in this screen.
Firewall > Configure > Routing: Policy Route/Traffic Shaping 
Label
Description
Click the icon of a rule and drag the rule up or down to change the order.
Enabled
Select the check box to turn on the rule. Otherwise, clear the check box to turn off the rule.
Source
This shows the source IP addresses to which this rule applies. This could be an IP, CIDR, FQDN, or GEO IP (country) object.
Destination
This shows the destination IP addresses to which this rule applies. This could be an IP, CIDR, FQDN, or GEO IP (country) object.
Service
This is the name of the service object (port) or application. Any means all services.
Select Protocol to specify a protocol by protocol ID number, as defined in the IPv4 header. For example, 1 = ICMP, 2 = IGMP.
Next Hop
This is the next hop to which packets are directed. It helps forward packets to their destinations and can be a router, VPN tunnel, or outgoing interface.
Traffic Shaping
This displays the maximum downstream and upstream bandwidth for traffic from an individual source IP address and the priority level.
Description
This is the descriptive name of the policy.
Click this icon to change the profile settings.
Click this icon to remove the profile.
Add
Click this button to create a new policy route. See Add an Application Patrol Profile for more information.
Add/Edit Policy Route / Traffic Shaping Rule
Click the Add button or an edit icon in the Firewall > Configure > Routing: Policy Route/Traffic Shaping screen to access this screen.
Firewall > Configure > Routing: Policy Route/Traffic Shaping: Add/Edit
The following table describes the labels in this screen.
Firewall > Configure > Routing: Policy Route/Traffic Shaping: Add/Edit 
Label
Description
Matching Criteria
Description
Enter a descriptive name for the rule.
Source
Specify the source IP addresses (LAN interface / country) to which this rule applies. You can add multiple IP, CIDR, GEO IP (country) objects or a single FQDN object by pressing ‘Enter’, or enter a new IP address by clicking Add. Select Any to apply the rule to all IP addresses.
*IP/CIDR, FQDN, and GEO IP objects cannot be used at the same time.
Multiple FQDNs are not supported.
The IP FQDN does NOT support wildcards.
Destination
Specify the destination IP addresses (LAN interface / country) or subnet to which this rule applies. You can add multiple IP, CIDR, GEO IP (country) objects or a single FQDN object by pressing ‘Enter’, or enter a new IP address by clicking Add. Select Any to apply the rule to all IP addresses.
*IP/CIDR, FQDN, and GEO IP objects cannot be used at the same time.
Multiple FQDNs are not supported.
Service
Select a protocol to apply the policy route to.
TCP, UDP, TCP & UDP, ICMP – Match packets from the specified network protocol, going to the optional destination port.
Protocol – Match packets for the specified custom protocol. Enter the Protocol ID, 1 – 143 (1 for ICMP, 6 for TCP, 17 for UDP; the Service will automatically select ICMP / TCP / UDP respectively).
Application – Match packets from the application.
Otherwise, select Any.
Policy Route
Select this to enable policy route.
Type
Select Internet Traffic to route the matched packets through the specified outgoing interface to a gateway (which is connected to the interface).
Select Intranet Traffic to route the matched packets to the next-hop router or Switch you specified in the Next-Hop field.
Select VPN Traffic to route the matched packets through the VPN tunnel you specified in the Next-Hop field.
Next-Hop
If you select Internet Traffic in the Type field, select the WAN interface to route the matched packets through the specified outgoing interface to a gateway connected to the interface.
If you select Intranet Traffic in the Type field, enter the IP address of the next-hop router or Switch.
If you select VPN Traffic in the Type field, select the remote VPN gateway’s site name.
Only the VPN gateway sites belonging to the same VPN Area that you set in Organization-wide > Configure > VPN Orchestrator will be available. See VPN Orchestrator Screen for more information.
Setting a Policy Route to force traffic over a VPN tunnel between a Security Firewall and Nebula Security Gateway (NSG) is not supported. Both front/back end Nebula Devices must be the same type.
Traffic Shaping
Select this to restrict maximum downstream and upstream bandwidth for traffic in the policy route.
Download Limit
Set the maximum downstream bandwidth for traffic that matches the policy.
Upload limit
Set the maximum upstream bandwidth for traffic that matches the policy.
Priority
Enter a number between 1 and 6 to set the priority for traffic that matches this policy. The lower the number, the higher the priority.
Traffic with a higher priority is given bandwidth before traffic with a lower priority.
Close
Click this button to exit this screen without saving.
Create
Click this button to save your changes and close the screen.
Static Route
Click the Add button in the Static Route section of the Firewall > Configure > Routing: Static Route screen to open the following screen.
Firewall > Configure > Routing: Static Route
The following table describes the labels in this screen.
Firewall > Configure > Routing: Static Route 
Label
Description
Subnet
Enter an IP subnet mask. The route applies to all IP addresses in the subnet.
Next Hop Type
Select IP Address or Interface to specify if you want to send all traffic to the gateway or interface.
Next Hop
Enter the IP address of the next-hop gateway.
Metric (0–127)
Metric represents the “cost” of transmission for routing purposes.
IP routing uses hop count as the measurement of cost, with a minimum of 1 for directly connected networks. Enter a number that approximates the cost for this link. The number need not be precise, but it must be 0 – 127. In practice, 2 or 3 is usually a good number.
Description
This is the descriptive name of the static route.
Click this icon to remove a static route.
Add
Click this button to create a new static route.
WAN Load Balancing
Go to Firewall > Configure > Routing: WAN Load Balancing to configure WAN load balancing.
By default, the Nebula Device adds all WAN interfaces to a load balancing group, and balances the traffic load between interfaces based on their respective weights (upload bandwidth). An interface with a larger weight gets more chances to transmit traffic than an interface with a smaller weight.
For example, if the weight ratio of WAN 1 and WAN 2 interfaces is 2:1, the Nebula Device chooses WAN 1 for two sessions’ traffic and WAN 2 for one session’s traffic in each round of three new sessions.
Firewall > Configure > Routing: WAN Load Balancing
The following table describes the labels in this section.
Firewall > Configure > Routing: WAN Load Balancing
Label
Description
Weight Round Robin
Displays the WAN interfaces that are in the WAN load balancing group.
Backup interface
Select this to assign one WAN interface as the backup interface.
The backup interface is removed from the WAN load balancing group, and handles all traffic if all load balancing interfaces are down.
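The following is an added example, not Zyxel's scheduler: it simulates the weighted round robin and backup interface behaviour described above as one straightforward reading of the text (weight = upload bandwidth; a 2:1 ratio gives WAN 1 two of every three new sessions; the backup carries traffic only when every load balancing interface is down). Interface names and weights are constructed.

```python
"""Weighted round robin across WAN interfaces with a backup interface.

Added example, not Zyxel's implementation; names and weights are
constructed sample input.
"""
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class WanInterface:
    name: str
    weight: int           # upload bandwidth used as the weight
    up: bool = True
    backup: bool = False  # backup interfaces are not in the group


class WanLoadBalancer:
    def __init__(self, wans: List[WanInterface]):
        self.wans = wans
        self._credit = {w.name: 0 for w in wans}

    def group(self) -> List[WanInterface]:
        """The load balancing group: non-backup interfaces whose link is up."""
        return [w for w in self.wans if not w.backup and w.up]

    def pick(self) -> Optional[str]:
        """Choose the interface for one new session.

        Each round hands out `weight` sessions per interface, so a 2:1
        weight ratio gives WAN1 two of every three new sessions.
        """
        group = self.group()
        if not group:
            # Every load balancing interface is down: the backup, if up,
            # handles all traffic. Otherwise there is no path at all.
            for w in self.wans:
                if w.backup and w.up:
                    return w.name
            return None
        if all(self._credit[w.name] <= 0 for w in group):
            # Start a new round: refill credits from the weights.
            for w in group:
                self._credit[w.name] = w.weight
        for w in group:
            if self._credit[w.name] > 0:
                self._credit[w.name] -= 1
                return w.name
        return None  # only reached if every weight in the group is 0


def simulate(lb: WanLoadBalancer, sessions: int) -> List[Optional[str]]:
    """Interface chosen for each of `sessions` new sessions, in order."""
    return [lb.pick() for _ in range(sessions)]


if __name__ == "__main__":
    wans = [WanInterface("WAN1", weight=2), WanInterface("WAN2", weight=1),
            WanInterface("WAN3", weight=1, backup=True)]
    print(simulate(WanLoadBalancer(wans), 6))
```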
NAT
The NAT summary screen provides a summary of all NAT rules and their configuration. In addition, this screen allows you to create new NAT rules and edit and delete existing NAT rules.
*When you add a NAT rule, NCC automatically adds the corresponding incoming security policy (firewall) rule based on the NAT settings.
To access this screen, click Firewall > Configure > NAT. The following screen appears, providing a summary of the existing NAT rules.
Firewall > Configure > NAT
The following table describes the labels in this screen.
Firewall > Configure > NAT 
Label
Description
Virtual Server
Click the icon of a rule and drag the rule up or down to change the order.
Enable
Select the check box to turn on the rule. Otherwise, clear the check box to turn off the rule.
Uplink
Select the interface of the Nebula Device on which packets for the NAT rule must be received.
Protocol
Select the IP protocol to which this rule applies. Choices are: TCP, UDP, and Both.
Public IP
Enter the destination IP address of the packets received by the interface specified in this NAT rule.
*To enable NAT loop-back, enter a specific IP address instead of Any in this field. NAT loop-back allows communications between two hosts on the LAN behind the Nebula Device through an external IP address.
Public Port
Enter the translated destination port or range of translated destination ports if this NAT rule forwards the packet.
LAN IP
Specify to which translated destination IP address this NAT rule forwards packets.
Local Port
Enter the original destination port or range of destination ports this NAT rule supports.
Allow Remote IPs
Specify the remote IP addresses that are allowed to access the public IP address. You can add multiple IP objects, IP address ranges (CIDR), or GEO IP (country) objects.
Select Any to allow all IP addresses.
*IP/CIDR, and GEO IP objects cannot be used at the same time.
Description
This is the descriptive name of the policy.
Click the remove icon to delete it.
Add
Click this to create a new entry.
1:1 NAT
Enable
Select this to turn on the rule. Otherwise, turn off the rule.
Name
Enter the name of the NAT rule. The name is used to refer to the NAT rule. You may use 1 – 31 alphanumeric characters, underscores (_), or dashes (-). This value is case-sensitive.
Public IP
Enter the destination IP address of the packets received by the interface specified in this NAT rule.
LAN IP
Specify to which translated destination IP address this NAT rule forwards packets.
Uplink
Select the interface of the Security Firewall on which packets for the NAT rule must be received.
Allowed Inbound connections
Click the icon of a rule and drag the rule up or down to change the order.
Enable
Select the check box to turn on the rule. Otherwise, clear the check box to turn off the rule.
Protocol
Select the IP protocol to which this rule applies. Choices are: TCP, UDP, and Both.
Local Port
Enter the original destination port or range of destination ports this NAT rule supports.
Remote IPs
Specify the remote IP addresses that are allowed to access the public IP address. You can add multiple IP objects, IP address ranges (CIDR), or GEO IP (country) objects.
Select Any to allow all IP addresses.
*IP/CIDR, and GEO IP objects cannot be used at the same time.
Click the remove icon to delete it.
Add
Click this to create a new entry.
Site-to-Site VPN
A virtual private network (VPN) provides secure communications between sites without the expense of leased site-to-site lines. Use this screen to configure a VPN rule.
*Site-to-site VPN is not supported when both VPN sites are behind NAT.
The following figure shows two routers (R1, R2) with NAT mode enabled. A site-to-site VPN between the two Firewall devices (F1, F2) behind them is not allowed.
Two VPN Sites Behind NAT Example
Click Firewall > Configure > Site-to-Site VPN to access this screen.
Firewall > Configure > Site-to-Site VPN
The following table describes the labels in this screen.
Firewall > Configure > Site-to-Site VPN 
Label
Description
Outgoing Interface
Select the WAN interface to which the VPN connection is going.
Select AUTO to use all available WAN interfaces to build the VPN tunnel.
Preferred uplink
Specify the primary WAN interface through which the Nebula Device forwards VPN traffic when you set Outgoing Interface to AUTO.
Local networks
This shows the local networks behind the Nebula Device.
*Non-Nebula VPN peers use the first interface with a local policy. For example, if both lan1 and lan2 are enabled, the first interface in the list (lan1) is used, regardless of the order in which they were created.
Name
This shows the network name.
Subnet
This shows the IP address and subnet mask of the computer on the network.
Use VPN
Select ON to allow the computers on the network to use the VPN tunnel. Otherwise, select OFF.
VPN Area
Select the VPN area of the site.
For details, see VPN Areas.
Nebula VPN enable
Click this to enable or disable site-to-site VPN on the site’s Nebula Device.
If you disable this setting, the site will leave the VPN area.
Nebula VPN Topology
Click this to select a topology for the VPN area. For details on topologies, see Topology Overview.
Select disable to disable VPN connections for all sites in the VPN area.
Branch to branch VPN
Enable this to allow spoke sites to communicate with each other in the VPN area. When disabled, spoke sites can only communicate with hub sites.
Hubs (peers to connect to)
This field displays the hub sites that the current site is connected to, when Topology is set to Hub-and-Spoke.
You can configure hub sites at Organization-wide > Configure > VPN Orchestrator.
Area communication
Enable this to allow the site to communicate with sites in different VPN areas within the organization.
NAT traversal
If the Nebula Device is behind a NAT router, select Custom to enter the public IP address or the domain name that is configured and mapped to the Nebula Device on the NAT router.
*To allow a site-to-site VPN connection, the NAT router must have the following ports open: UDP 500, 4500.
Remote VPN participants
This shows all sites within the VPN area.
Non-Nebula VPN peers
Configure this section to add a non-Nebula gateway to the VPN area.
+ Add
Click this button to add a non-Nebula gateway to the VPN area.
Enabled
Select the check box to enable VPN connections to the non-Nebula gateway.
Name
Enter the name of the non-Nebula gateway.
Public IP
Enter the public IPv4 address or FQDN of the non-Nebula gateway.
Private subnet
Enter the IP subnet that will be used for VPN connections. The IP range must be reachable from other devices in the VPN area.
IPSec policy
Click to select a pre-defined IPsec policy or configure a custom one. See Create a Content Filtering Profile for detailed information.
Preshared secret
Enter a pre-shared key (password). The Nebula Device and peer gateway use the key to identify each other when they negotiate the IKE SA.
Availability
Select which sites the non-Nebula gateway can connect to in the VPN area.
Select All sites to allow the non-Nebula gateway to connect to any site in the VPN area.
Select This site and the non-Nebula gateway can only connect to the Nebula Device in this site.
Address
Enter the address (physical location) of the device.
IPsec Policy
Click the Default button in the Non-Nebula VPN peers section of the Firewall > Configure > Site-to-Site VPN screen to access this screen.
Firewall > Configure > Site-to-Site VPN: IPsec Policy
The following table describes the labels in this screen.
Firewall > Configure > Site-to-Site VPN: IPsec Policy 
Label
Description
Preset
Select a pre-defined IPSec policy, or select Custom to configure the policy settings yourself.
Phase1
IPSec VPN consists of two phases: Phase 1 (Authentication) and Phase 2 (Key Exchange).
A phase 1 exchange establishes an IKE SA (Security Association).
IKE version
Select IKEv1 or IKEv2.
IKEv1 and IKEv2 apply to IPv4 traffic only. IKE (Internet Key Exchange) is a protocol used in setting up security associations that allows two parties to send data securely.
Encryption
Select which key size and encryption algorithm to use in the IKE SA. Choices are:
DES – a 56-bit key with the DES encryption algorithm
3DES – a 168-bit key with the DES encryption algorithm
AES128 – a 128-bit key with the AES encryption algorithm
AES192 – a 192-bit key with the AES encryption algorithm
AES256 – a 256-bit key with the AES encryption algorithm
The Nebula Device and the remote IPSec router must use the same key size and encryption algorithm. Longer keys require more processing power, resulting in increased latency and decreased throughput.
Authentication
Select which hash algorithm to use to authenticate packet data in the IKE SA.
Choices are SHA128, SHA256, SHA512 and MD5. SHA is generally considered stronger than MD5, but it is also slower.
The remote IPSec router must use the same authentication algorithm.
Diffie-Hellman group
Select which Diffie-Hellman key group (DHx) you want to use for encryption keys. Choices are:
DH1 – use a 768-bit random number
DH2 – use a 1024-bit random number
DH5 – use a 1536-bit random number
DH14 – use a 2048-bit random number
The longer the key, the more secure the encryption, but also the longer it takes to encrypt and decrypt information. Both routers must use the same DH key group.
Lifetime (seconds)
Enter the maximum number of seconds the IKE SA can last. When this time has passed, the Nebula Device and remote IPSec router have to update the encryption and authentication keys and re-negotiate the IKE SA. This does not affect any existing IPSec SAs, however.
Advanced
Click this to display a greater or lesser number of configuration fields.
Mode
Set the negotiation mode.
Main encrypts the Nebula Device’s and remote IPSec router’s identities but takes more time to establish the IKE SA.
Aggressive is faster but does not encrypt the identities.
Local ID
Enter an identifier used to identify the Nebula Device during authentication.
This can be an IP address or hostname.
Peer ID
Enter an identifier used to identify the remote IPSec router during authentication.
This can be an IP address or hostname.
Phase2
Phase 2 uses the SA that was established in phase 1 to negotiate SAs for IPSec.
Encryption
Select which key size and encryption algorithm to use in the IPSec SA. Choices are:
(None) – no encryption key or algorithm
DES – a 56-bit key with the DES encryption algorithm
3DES – a 168-bit key with the DES encryption algorithm
AES128 – a 128-bit key with the AES encryption algorithm
AES192 – a 192-bit key with the AES encryption algorithm
AES256 – a 256-bit key with the AES encryption algorithm
The Nebula Device and the remote IPSec router must both have at least one proposal that uses the same encryption and the same key.
Longer keys are more secure, but require more processing power, resulting in increased latency and decreased throughput.
PFS group
Select whether or not you want to enable Perfect Forward Secrecy (PFS) and, if you do, which Diffie-Hellman key group to use for encryption. Choices are:
None – disable PFS
DH1 – enable PFS and use a 768-bit random number
DH2 – enable PFS and use a 1024-bit random number
DH5 – enable PFS and use a 1536-bit random number
DH14 – enable PFS and use a 2048-bit random number
PFS changes the root key that is used to generate encryption keys for each IPSec SA. The longer the key, the more secure the encryption, but also the longer it takes to encrypt and decrypt information. Both routers must use the same DH key group.
PFS is ignored in initial IKEv2 authentication but is used when re-authenticating.
Lifetime (seconds)
Enter the maximum number of seconds the IPSec SA can last. Shorter lifetimes provide better security. The Nebula Device automatically negotiates a new IPSec SA before the current one expires, if there are users who are accessing remote resources.
Connectivity check
Enter an IP address that the Nebula Device can ping, to check whether the non-Nebula VPN peer gateway is available.
*By default, NCC will use the private subnet IP address to do connectivity check.
Close
Click this button to exit this screen without saving.
OK
Click this button to save your changes and close the screen.
Remote Access VPN
Use this screen to configure the VPN client settings on the Nebula Device. This allows incoming VPN clients to connect to the Nebula Device in order to access the site’s network. The clients have dynamic IP addresses and are also known as dial-in users. Only the clients can initiate the VPN tunnel.
Click Firewall > Configure > Remote access VPN to access this screen.
Firewall > Configure > Remote access VPN
The following table describes the labels in this screen.
Firewall > Configure > Remote access VPN 
Label
Description
WAN interface
Select the WAN interface which VPN users connect to.
Domain name
This displays the domain name that maps to a WAN interface IP address.
*The mapping priority is WAN1, WAN2.
This field is available only when you select AUTO in the WAN interface field.
IPsec VPN server
Select this to enable the IPsec VPN server.
Client VPN subnet
Specify the IP addresses that the Nebula Device uses to assign to the VPN clients.
IKE version
Select IKEv1 or IKEv2.
IKE (Internet Key Exchange) is a protocol used in setting up security associations that allows two parties to send data securely.
DNS name servers
Specify the DNS servers to assign to the remote users. Or select Specify nameserver to enter a static IP address.
Custom nameservers
If you select Specify nameserver in the DNS name servers field, manually enter the DNS server IP addresses.
Upload Bandwidth Limit
This field is available only if you select IKEv2 in IKE version. Enter the maximum traffic load between VPN clients, 1 – 100 Mbps.
Secret
Enter the pre-shared key (password) which is used to set up the VPN tunnel. The password should be 8 – 32 characters.
Policy
Configure custom VPN tunnel settings.
Authentication
Select how the Nebula Device authenticates a remote user before allowing access to the VPN tunnel.
Two-factor authentication with Captive Portal
Select this to require two-factor authentication for a user to access the Nebula Device through VPN.
*Two-factor authentication is only supported with Zyxel SecuExtender IPSec client.
SecuExtender IKEv2 VPN configuration provision
Enter the email address to which to send the new IKEv2 Remote Access VPN configuration file for the VPN client, then click Send Email. The VPN client must replace its IPSec VPN client configuration by importing the configuration file.
L2TP over IPSec VPN server
Select this to enable the L2TP over IPSec VPN server.
Client VPN subnet
Specify the IP addresses that the Nebula Device uses to assign to the VPN clients.
DNS name servers
Specify the DNS servers to assign to the remote users. Or select Specify nameserver to enter a static IP address.
Custom nameservers
If you select Specify nameserver in the DNS name servers field, manually enter the DNS server IP addresses.
Secret
This field is available only if you select IKEv1 in IKE version. Enter the pre-shared key (password) which is used to set up the VPN tunnel. The password should be 8 – 32 characters.
Authentication
Select how the Nebula Device authenticates a remote user before allowing access to the VPN tunnel.
Policy
Configure custom VPN tunnel settings.
VPN provision script
Send an email to help automatically configure VPN settings on client devices so that the devices can remotely access this Nebula Device. The email contains two scripts; one for mac OS and iOS devices, and one for Windows 8 and Windows 10 devices.
You can send the email to one or more email addresses.
If Authentication is set to Nebula Cloud Authentication, the default email address list contains all authorized VPN user email addresses and your email address.
If Authentication is set to AD and RADIUS Authentication, the default email address list contains your user email address.
This field is available only when you select L2TP over IPSec client in the Client VPN server field.
Remote Access VPN > Custom VPN Policy
Click Default in Firewall > Configure > Remote access VPN > Policy to open the following screen.
Firewall > Configure > Remote access VPN: Default
The following table describes the labels in this screen.
Firewall > Configure > Remote access VPN: Default 
Label
Description
Custom
Preset
Select a pre-defined IPSec policy, or select Custom to configure the policy settings yourself.
Phase 1
Encryption
Select which key size and encryption algorithm to use in the IPSec SA. Choices are:
(None) – no encryption key or algorithm
DES – a 56-bit key with the DES encryption algorithm
3DES – a 168-bit key with the DES encryption algorithm
AES128 – a 128-bit key with the AES encryption algorithm
AES192 – a 192-bit key with the AES encryption algorithm
AES256 – a 256-bit key with the AES encryption algorithm
The Nebula Device and the remote IPSec router must both have at least one proposal that uses the same encryption and the same key.
Longer keys are more secure, but require more processing power, resulting in increased latency and decreased throughput.
Authentication
Select which hash algorithm to use to authenticate packet data in the IKE SA.
Choices are SHA128, SHA256, SHA512 and MD5. SHA is generally considered stronger than MD5, but it is also slower.
The remote IPSec router must use the same authentication algorithm.
Diffie-Hellman group
Select the Diffie-Hellman key group (DHx) you want to use for encryption keys. Choices are:
DH1 – use a 768-bit random number
DH2 – use a 1024-bit random number
DH5 – use a 1536-bit random number
DH14 – use a 2048-bit random number
The longer the key, the more secure the encryption, but also the longer it takes to encrypt and decrypt information. Both routers must use the same DH key group.
Lifetime (seconds)
Enter the maximum number of seconds the IPSec SA can last. Shorter lifetimes provide better security. The Nebula Device automatically negotiates a new IPSec SA before the current one expires, if there are users who are accessing remote resources.
Phase 2
Set
This shows the index number of the IPSec policy.
Encryption
Select which key size and encryption algorithm to use in the IPSec SA. Choices are:
(None) – no encryption key or algorithm
DES – a 56-bit key with the DES encryption algorithm
3DES – a 168-bit key with the DES encryption algorithm
AES128 – a 128-bit key with the AES encryption algorithm
AES192 – a 192-bit key with the AES encryption algorithm
AES256 – a 256-bit key with the AES encryption algorithm
The Nebula Device and the remote IPSec router must both have at least one proposal that uses the same encryption and the same key.
Longer keys are more secure, but require more processing power, resulting in increased latency and decreased throughput.
Authentication
Select which hash algorithm to use to authenticate packet data in the IKE SA.
Choices are None, SHA128, SHA256, SHA512 and MD5. SHA is generally considered stronger than MD5, but it is also slower.
The remote IPSec router must use the same authentication algorithm.
PFS group
Select whether or not you want to enable Perfect Forward Secrecy (PFS) and, if you do, which Diffie-Hellman key group to use for encryption. Choices are:
None – disable PFS
DH1 – enable PFS and use a 768-bit random number
DH2 – enable PFS and use a 1024-bit random number
DH5 – enable PFS and use a 1536-bit random number
DH14 – enable PFS and use a 2048-bit random number
PFS changes the root key that is used to generate encryption keys for each IPSec SA. The longer the key, the more secure the encryption, but also the longer it takes to encrypt and decrypt information. Both routers must use the same DH key group.
PFS is ignored in initial IKEv2 authentication but is used when re-authenticating.
Lifetime (seconds)
Enter the maximum number of seconds the IPSec SA can last. Shorter lifetimes provide better security. The Security Firewall automatically negotiates a new IPSec SA before the current one expires, if there are users who are accessing remote resources.
Close
Click this button to exit this screen without saving.
OK
Click this button to save your changes and close the screen.
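The following is an added example that serves both the site-to-site IPsec Policy screen and the Remote Access VPN custom policy screen above; it is not Zyxel's negotiation code. It checks whether two peers share a proposal (same encryption, authentication and DH group, as the text requires) and flags weak choices; the proposal lists are constructed, and the weakness table and the one-day lifetime threshold are assumptions of this example, not statements from the manual.

```python
"""Proposal matching and a weak-setting audit for the Phase 1 / Phase 2
fields above.

Added example, not Zyxel's code. Proposal lists are constructed; the
WEAK table and the lifetime threshold are this example's assumptions.
"""
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class Proposal:
    encryption: str            # (None), DES, 3DES, AES128, AES192, AES256
    authentication: str        # MD5, SHA128, SHA256, SHA512
    dh_group: Optional[str]    # DH1, DH2, DH5, DH14; None = no PFS (Phase 2)


# Why a setting is flagged (assumption, see lead-in).
WEAK = {
    "(None)": "no confidentiality: payload is sent in clear",
    "DES": "56-bit key, brute-forceable",
    "3DES": "64-bit block size, limited safe data volume per SA",
    "MD5": "collision attacks known",
    "DH1": "768-bit modulus, too small",
    "DH2": "1024-bit modulus, too small",
}


def negotiate(local: List[Proposal], remote: List[Proposal]) -> Optional[Proposal]:
    """Return the first local proposal the peer also offers, or None.

    Both sides must share at least one proposal with the same encryption,
    authentication and DH group; local list order is the preference.
    """
    offered = set(remote)
    for p in local:
        if p in offered:
            return p
    return None


def audit(p: Proposal, phase: int, lifetime_seconds: int) -> List[str]:
    """Findings for a chosen proposal; an empty list means nothing flagged."""
    findings = []
    for name in (p.encryption, p.authentication, p.dh_group):
        if name in WEAK:
            findings.append(f"{name}: {WEAK[name]}")
    if phase == 2 and p.dh_group is None:
        findings.append("PFS disabled: IPsec keys derive from the IKE SA only")
    if lifetime_seconds > 86400:  # assumption: flag lifetimes over one day
        findings.append(f"lifetime {lifetime_seconds}s exceeds one day")
    return findings


if __name__ == "__main__":
    # Constructed proposal lists for two peers.
    local = [Proposal("AES256", "SHA256", "DH14"), Proposal("AES128", "SHA256", "DH5")]
    remote = [Proposal("3DES", "MD5", "DH2"), Proposal("AES128", "SHA256", "DH5")]
    chosen = negotiate(local, remote)
    print(chosen, audit(chosen, 1, 86400) if chosen else "no common proposal")
```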
Security Policy
By default, a LAN user can initiate a session from within the LAN and the Nebula Device allows the response. However, the Nebula Device blocks incoming traffic initiated from the WAN and destined for the LAN. Use this screen to configure firewall rules for outbound traffic, application patrol and content filtering, schedule profiles and port forwarding rules for inbound traffic.
Click Firewall > Configure > Security policy to access this screen.
*The Nebula Device has the following hidden default firewall rules: LAN to WAN is allowed, WAN to LAN is blocked.
Firewall > Configure > Security policy
The following table describes the labels in this screen.
Firewall > Configure > Security policy 
Label
Description
Security policy
Click the icon of a rule and drag the rule up or down to change the order.
Enabled
Select the check box to turn on the rule. Otherwise, clear the check box to turn off the rule.
Name
Enter the name of the security policy.
Action
Select what the Nebula Device is to do with packets that match this rule.
Select Deny to silently discard the packets without sending a TCP reset packet or an ICMP destination-unreachable message to the sender.
Select Allow to permit the passage of the packets.
Application Patrol/Content Filtering Policy
Click the “+” to add an Application Patrol or Content Filtering profile. The firewall takes the action set in the profile when traffic matches the profile’s policy.
Application Patrol manages the use of various applications on the network. It manages general protocols (for example, HTTP and FTP) and instant messenger (IM), peer-to-peer (P2P), Voice over IP (VoIP), and streaming (RTSP) applications. You can even control the use of a particular application’s individual features (like text messaging, voice, video conferencing, and file transfers). See Add an Application Patrol Profile for how to create an Application Patrol profile.
Content Filtering controls access to specific web sites or web content. See Add a Content Filtering Profile for how to create a Content Filtering profile.
Protocol
Select the IP protocol to which this rule applies. Choices are: ICMP, TCP, UDP, TCP and UDP and Any.
Source
Specify the source IP addresses (LAN interface / country) to which this rule applies. You can add multiple IP, CIDR or GEO IP (country) objects, or a single FQDN object, by pressing ‘Enter’, or enter a new IP address by clicking Add. Enter any to apply the rule to all IP addresses.
*IP/CIDR, FQDN, and GEO IP objects cannot be used at the same time.
Multiple FQDNs are not supported.
FQDN objects do NOT support wildcards.
Destination
Specify the destination IP addresses (LAN interface / country) or subnet to which this rule applies. You can add multiple IP, CIDR, GEO IP (country) objects or a single FQDN object by pressing ‘Enter’, or enter a new IP address by clicking Add. Enter any to apply the rule to all IP addresses.
*IP/CIDR, FQDN, and GEO IP objects cannot be used at the same time.
Multiple FQDNs are not supported.
Dst Port
Specify the destination ports to which this rule applies. You can specify multiple ports by pressing ‘Enter’, or enter a new port by clicking Add. Enter any to apply the rule to all ports.
User
Select the External User Group name configured in Firewall > Configure > Firewall settings.
Schedule
Select the name of the schedule profile that the rule uses. Always means the rule is active at all times if enabled.
Description
Enter a descriptive name of up to 60 printable ASCII characters for the rule.
Log
Select whether to have the Nebula Device generate a log (ON) or not (OFF) when traffic matches the profile’s policy.
*By default, Log is ON when the Action field is Deny. Log is OFF when the Action field is Allow.
Click this icon to remove the rule.
Implicit allow rules
This shows the system generated Allow rules.
LAN interface / remote access VPN to Any
Guest interface to WAN interface
LAN interface / remote access VPN to Nebula Device
Guest interface to Nebula Device TCP (TCP:443, 80, 53)
Guest interface to Nebula Device UDP (UDP:53)
Implicit deny rule
This shows the system generated Deny rule.
Any to Any
Add
Click this button to create a new rule.
Anomaly Detection and Prevention
Enable Anomaly Detection and Prevention
Select this to enable traffic anomaly and protocol anomaly detection and prevention.
Session Control
UDP Session Time Out
Set how many seconds the Nebula Device will allow a UDP session to remain idle (without UDP traffic) before closing it.
Session per Host
Use this field to set a common limit to the number of concurrent NAT/Security Policy sessions each client computer can have.
If only a few clients use peer-to-peer applications, you can raise this number to improve their performance. With heavy peer-to-peer application use, lower this number to ensure no single client uses too many of the available NAT sessions.
Schedule profiles
Schedule name
This shows the name of the schedule profile and the number of the outbound rules that are using this schedule profile.
Click this icon to change the profile settings.
Click this icon to remove the profile.
Add
Click this button to create a new schedule profile. See Create a New Schedule for more information.
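The rule evaluation this screen configures, as an added example that is not Zyxel’s code: ordered user rules are checked first, then the implicit allow rules from the table, then the implicit Any to Any deny, with the page’s Log defaults (ON for Deny, OFF for Allow). Assumptions: the first matching rule wins, the zone names LAN, GUEST, WAN and DEVICE are constructed labels for the interfaces and the Nebula Device itself, and FQDN/GEO IP objects are not resolved.

```python
"""Added example (not Zyxel code): first-match simulation of the Security policy
screen.  Assumptions: user rules are evaluated top-down and the first match wins;
the implicit allow rules are consulted only when no user rule matched; the
implicit Any to Any deny comes last; zone names LAN, GUEST, WAN and DEVICE are
constructed labels for the interfaces and the Nebula Device itself."""
import ipaddress
from dataclasses import dataclass, field
from typing import List, Optional


@dataclass
class Packet:
    src_zone: str            # "LAN", "GUEST" or "WAN"
    src_ip: str
    dst_zone: str            # "LAN", "GUEST", "WAN" or "DEVICE" (the firewall itself)
    dst_ip: str
    proto: str               # "TCP", "UDP" or "ICMP"
    dport: Optional[int] = None


@dataclass
class Rule:
    name: str
    action: str                                   # "Allow" or "Deny"
    proto: str = "Any"                            # ICMP, TCP, UDP, "TCP and UDP" or Any
    source: List[str] = field(default_factory=lambda: ["any"])       # CIDRs or zone names
    destination: List[str] = field(default_factory=lambda: ["any"])
    dst_ports: list = field(default_factory=lambda: ["any"])
    enabled: bool = True
    log: Optional[bool] = None                    # None = page default: ON for Deny, OFF for Allow

    def log_enabled(self) -> bool:
        return self.log if self.log is not None else self.action == "Deny"


def _addr_match(selectors, zone, ip):
    for sel in selectors:
        if sel == "any" or sel == zone:
            return True
        try:
            if ipaddress.ip_address(ip) in ipaddress.ip_network(sel, strict=False):
                return True
        except ValueError:
            pass    # FQDN and GEO IP objects are not resolved in this simulation
    return False


def _proto_match(rule_proto, pkt_proto):
    if rule_proto == "Any":
        return True
    if rule_proto == "TCP and UDP":
        return pkt_proto in ("TCP", "UDP")
    return rule_proto == pkt_proto


def rule_matches(rule, pkt):
    return (rule.enabled
            and _proto_match(rule.proto, pkt.proto)
            and _addr_match(rule.source, pkt.src_zone, pkt.src_ip)
            and _addr_match(rule.destination, pkt.dst_zone, pkt.dst_ip)
            and ("any" in rule.dst_ports or pkt.dport in rule.dst_ports))


# The implicit allow rules listed in the table (remote access VPN folded into LAN).
IMPLICIT_ALLOW = [
    Rule("LAN interface / remote access VPN to Any", "Allow", source=["LAN"]),
    Rule("Guest interface to WAN interface", "Allow", source=["GUEST"], destination=["WAN"]),
    Rule("LAN interface / remote access VPN to Nebula Device", "Allow",
         source=["LAN"], destination=["DEVICE"]),
    Rule("Guest interface to Nebula Device TCP", "Allow", "TCP", ["GUEST"], ["DEVICE"], [443, 80, 53]),
    Rule("Guest interface to Nebula Device UDP", "Allow", "UDP", ["GUEST"], ["DEVICE"], [53]),
]
IMPLICIT_DENY = Rule("Any to Any", "Deny")


def evaluate(user_rules, pkt):
    """Return (action, name of the matching rule, whether a log is written)."""
    for rule in list(user_rules) + IMPLICIT_ALLOW + [IMPLICIT_DENY]:
        if rule_matches(rule, pkt):
            return rule.action, rule.name, rule.log_enabled()
    raise AssertionError("the implicit Any to Any deny always matches")


if __name__ == "__main__":
    # Constructed sample: one outbound rule that denies SMB from the LAN subnet to the WAN.
    rules = [Rule("Block SMB to WAN", "Deny", "TCP", ["192.168.1.0/24"], ["WAN"], [445])]
    for pkt in (Packet("LAN", "192.168.1.10", "WAN", "203.0.113.5", "TCP", 445),
                Packet("LAN", "192.168.1.10", "WAN", "203.0.113.5", "TCP", 443),
                Packet("WAN", "203.0.113.5", "LAN", "192.168.1.10", "TCP", 22),
                Packet("GUEST", "10.0.0.5", "DEVICE", "10.0.0.1", "UDP", 53)):
        print(pkt.src_zone, "->", pkt.dst_zone, pkt.proto, pkt.dport, evaluate(rules, pkt))
```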
Add an Application Patrol Profile
Application patrol provides a convenient way to manage the use of various applications on the network. It manages general protocols (for example, HTTP and FTP) and instant messenger (IM), peer-to-peer (P2P), Voice over IP (VoIP), and streaming (RTSP) applications. You can even control the use of a particular application’s individual features (like text messaging, voice, video conferencing, and file transfers).
An application patrol profile is a group of categories of application patrol signatures. For each profile, you can specify the default action the Nebula Device takes once a packet matches a signature (forward, drop, or reject a service’s connections and/or create a log alert).
Click “+” in the Application Patrol/Content Filtering Policy field of the Firewall > Configure > Firewall screen to access this screen. Use the application patrol profile screens to customize action and log settings for a group of application patrol signatures.
Firewall > Configure > Firewall: Add an Application Profile
The following table describes the labels in this screen.
Firewall > Configure > Firewall: Add an Application Profile 
Label
Description
Name
Enter a name for this profile for identification purposes.
Description (Optional)
Enter a description for this profile.
Log
Select whether to have the Nebula Device generate a log (ON) or not (OFF) by default when traffic matches an application signature in this category.
Application Management
Enabled
Select the check box to turn on the rule. Otherwise, clear the check box to turn off the rule.
Category
Select an application category.
Application
Select All or select an application within the category to apply the policy.
Action
Select the default action for the applications selected in this category.
Reject – the Nebula Device drops packets that match these application signatures and sends a notification to the clients.
Click this icon to remove the entry.
Add
Click this button to create a new application category and set actions for specific applications within the category.
Enter a name to search for relevant applications and click Add to create an entry.
Close
Click this button to exit this screen without saving.
Create
Click this button to save your changes and close the screen.
Add a Content Filtering Profile
Click + in the Application Patrol/Content Filtering Policy section of the Firewall > Configure > Firewall screen to access this screen.
Firewall > Configure > Firewall: Add a Content Filtering Profile
The following table describes the labels in this screen.
Firewall > Configure > Firewall: Add a Content Filtering Profile 
Label
Description
Name
Enter a name for this profile for identification purposes.
Description (Optional)
Enter a description for this profile.
Log
Select whether to have the Nebula Device generate a log (ON) or not (OFF) by default when traffic matches an application signature in this category.
DNS Content Filtering
Select whether to enable DNS content filtering, in addition to web content filtering.
The DNS Content Filter allows the Nebula Device to block access to specific websites by inspecting DNS queries made by users on your network.
Block Web Pages
Action for Unrated Web Pages
Select Pass to allow users to access web pages that the external web filtering service has not categorized.
Select Block to prevent users from accessing web pages that the external web filtering service has not categorized. When the external database content filtering blocks access to a web page, it displays the denied access message that you configured in the Content Filter General screen along with the category of the blocked web page.
Select Warn to display a warning message before allowing users to access web pages that the external web filtering service has not categorized.
Action When Service is Unavailable
Select Pass to allow users to access any requested web page if the external content filtering database is unavailable.
Select Block to block access to any requested web page if the external content filtering database is unavailable.
Select Warn to display a warning message before allowing users to access any requested web page if the external content filtering database is unavailable.
The following are possible causes for the external content filtering server not being available:
There is no response from the external content filtering server within the time period specified in the Content Filter Server Unavailable Timeout field.
The Nebula Device is not able to resolve the domain name of the external content filtering database.
There is an error response from the external content filtering database. This can be caused by an expired content filtering registration (“External content filtering’s license key is invalid”).
Block Category
Templates
Select the block category. Choices are Parental control, Productivity and Custom.
Test URL
You can check which category a web page belongs to. Enter a web site URL in the text box.
When the content filter is active, you should see the web page’s category. The query fails if the content filter is not active.
Content Filtering can query a category by full URL string (for example, http://www.google.com/picture/index.htm), but HTTPS Domain Filter can only query a category by domain name ('www.google.com'), so the category may be different in the query result. URL to test displays both results in the test.
Search category
Click to display or hide the category list.
These are categories of web pages based on their content. Select categories in this section to control access to specific types of Internet content.
Custom block web site
Sites that you want to block access to, regardless of their content rating, can be blocked by adding them to this list.
Enter host names such as www.bad-site.com into this text field. Do not enter the complete URL of the site – that is, do not include “http://”. All sub-domains are also blocked. For example, entering “bad-site.com” also blocks “www.bad-site.com”, “partner.bad-site.com”, “press.bad-site.com”, and so on. You can also enter just a top level domain. For example, enter .com to block all .com domains.
Use up to 127 characters (0–9 a–z). The casing does not matter.
Add
Click this button to add the web site to the block list.
Click this icon to remove the entry.
Custom allow web site
Sites that you want to allow access to, regardless of their content rating, can be allowed by adding them to this list.
Enter host names such as www.good-site.com into this text field. Do not enter the complete URL of the site – that is, do not include “http://”. All sub-domains are allowed. For example, entering “zyxel.com” also allows “www.zyxel.com”, “partner.zyxel.com”, “press.zyxel.com”, and so on. You can also enter just a top level domain. For example, enter .com to allow all .com domains.
Use up to 127 characters (0–9 a–z). The casing does not matter.
Add
Click this button to add the web site to the allow list.
Click this icon to remove the entry.
Cancel
Click this button to exit this screen without saving.
Create
Click this button to save your changes and close the screen.
Create a New Schedule
Click the Add button in the Schedule Profiles section of the Firewall > Configure > Firewall > Schedule profiles screen to access this screen.
Firewall > Configure > Firewall > Schedule profiles: Create a new schedule
The following table describes the labels in this screen.
Firewall > Configure > Firewall > Schedule profiles: Create a new schedule 
Label
Description
Name
Enter a descriptive name for this schedule for identification purposes.
Templates
Select a pre-defined schedule template or select Custom schedule and manually configure the day and time at which the associated firewall outbound rule is enabled.
Day
This shows the day of the week.
Availability
Click On to enable the associated rule at the specified time on this day. Otherwise, select Off to turn the associated rule off at the specified time on this day.
Specify the hour and minute when the schedule begins and ends each day.
Close
Click this button to exit this screen without saving.
Add
Click this button to save your changes and close the screen.
Security Service
Use this screen to enable or disable the features available in the security pack for your Nebula Device, such as content filtering, Intrusion Detection and Prevention (IDP) and/or anti-virus. For application patrol, go to the Firewall screen to configure it, since it requires a firewall rule for outbound traffic.
Content filtering allows you to block access to specific web sites. It can also block access to specific categories of web site content. IDP can detect malicious or suspicious packets used in network-based intrusions and respond instantaneously. Anti-virus helps protect your connected network from virus/spy-ware infection.
Click Firewall > Configure > Security service to access this screen.
*Packet inspection signatures examine packet content for malicious data. Packet inspection applies to OSI (Open System Interconnection) layer-4 to layer-7 contents. You need to subscribe for IDP service in order to be able to download new signatures.
*If Security Profile Sync (SPS) is enabled, you cannot configure security settings on this screen. For details, see Security Profile Sync.
Firewall > Configure > Security service
The following table describes the labels in this screen.
Firewall > Configure > Security service 
Label
Description
Content Filtering
Drop connection when HTTPS connection with SSL V3 or previous version
Select On to have the Nebula Device block HTTPS web pages using SSL V3 or a previous version.
Denied Access Message
Enter a message to be displayed when content filter blocks access to a web page. Use up to 127 characters (0–9 a–z A–Z;/?:@&=+$\.-_!~*'()%,”). For example, “Access to this web page is not allowed. Please contact the network administrator”.
It is also possible to leave this field blank if you have a URL specified in the Redirect URL field. In this case if the content filter blocks access to a web page, the Nebula Device just opens the web page you specified without showing a denied access message.
Redirect URL
Enter the URL of the web page to which you want to send users when their web access is blocked by content filter. The web page you specify here opens in a new frame below the denied access message.
Use “http://” or “https://” followed by up to 262 characters (0–9 a–z A–Z;/?:@&=+$\.-_!~*'()%). For example, http://192.168.1.17/blocked access.
Name
This shows the name of this content filtering profile.
Description
This shows the description for this profile.
Click this icon to change the profile settings.
Click this icon to remove the profile.
Add
Click this to create a content filtering profile. See Add a Content Filtering Profile for more information.
Application Patrol
Application profiles
Name
This shows the name of this Application Patrol profile.
Description
This shows the description for this profile.
Click this icon to change the profile settings.
Click this icon to remove the profile.
Add
Click this to create an Application Patrol profile. See Add an Application Patrol Profile for more information.
IP Exception
Enabled
Select the check box to enable IP Exception.
IP addresses listed here are not checked by security services.
Source IP
This field displays the source IP address of incoming traffic. It displays any if there is no restriction on the source IP address.
Destination IP
This field displays the destination IP address of incoming traffic. It displays any if there is no restriction on the destination IP address.
Description
Enter a description for this profile.
Click this icon to remove the entry.
Add
Click this button to create a new entry.
DNS/URL Threat Filter
DNS filtering inspects DNS queries made by clients on your network and compares the queries against a database of blocked or allowed Fully Qualified Domain Names (FQDNs). When a user attempts to connect to a suspect site, the DNS query sent from the user’s computer contains an FQDN with a bad reputation, and the DNS Filter detects it. The Nebula Device DNS filter then either drops the DNS query or replies to the user with a fake DNS response containing the default dnsft.cloud.zyxel.com IP address (where the user will see a “Web Page Blocked!” page) or a custom IP address.
When you enable the URL Threat filtering service, your Nebula Device downloads signature files that contain known URL Threat domain names and IP addresses. The Nebula Device will also access an external database, Cloud Query, that has millions of web sites categorized based on content. You can have the Nebula Device allow, block, warn and/or log access to web sites or hosts based on these signatures and categories.
Signature information
This shows the Current Version of the DNS/URL threat definition and the Released Date.
Log
Select whether to have the Nebula Device generate a log when the policy is matched to the criteria listed above.
DNS Threat Filter
Select On to turn on the rule. Otherwise, select Off to turn off the rule.
DNS Threat Filter Policy
Select Pass to have the Nebula Device allow the DNS query packet and not reply with a DNS reply packet containing a default or custom-defined IP address.
Select Redirect to have the Nebula Device reply with a DNS reply packet containing a default or custom-defined IP address.
DNS Threat Filter Redirect IP
Enter the IP address to have the Nebula Device reply with a DNS reply packet containing a default or custom-defined IP address when a DNS query packet contains an FQDN with a bad reputation. The default IP is the dnsft.cloud.zyxel.com IP address. If you select a custom-defined IP, then enter a valid IPv4 address in the text box.
URL Threat Filter
Select On to turn on the rule. Otherwise, select Off to turn off the rule.
URL Threat Filter Policy
Select Pass to allow users to access web pages that the external web filtering service has not categorized.
Select Block to prevent users from accessing web pages that the external web filtering service has not categorized. When the external database content filtering blocks access to a web page, it displays the denied access message that you configured in the Content Filter General screen along with the category of the blocked web page.
Select Warn to display a warning message before allowing users to access web pages that the external web filtering service has not categorized.
URL Threat Filter Denied Access Message
Enter a message to be displayed when content filter blocks access to a web page. Use up to 127 characters (0–9 a–z A–Z;/?:@&=+$\.-_!~*'()%,”). For example, “Access to this web page is not allowed. Please contact the network administrator”.
It is also possible to leave this field blank if you have a URL specified in the Redirect URL field. In this case if the content filter blocks access to a web page, the Nebula Device just opens the web page you specified without showing a denied access message.
URL Threat Filter Redirect URL
Enter the URL of the web page to which you want to send users when their web access is blocked by content filter. The web page you specify here opens in a new frame below the denied access message.
Use “http://” or “https://” followed by up to 262 characters (0–9 a–z A–Z;/?:@&=+$\.-_!~*'()%). For example, http://192.168.1.17/blocked access.
Test Threat Category
Enter a URL using http://domain or https://domain and click the Test button to check if the domain belongs to a URL threat category.
Category List
These are categories of web pages based on their content. Select categories in this section to control access to specific types of Internet content.
Block list
Sites that you want to block access to, regardless of their content rating, can be blocked by adding them to this list.
Enter host names such as www.bad-site.com into this text field. Do not enter the complete URL of the site – that is, do not include “http://”. All sub-domains are also blocked. For example, entering “bad-site.com” also blocks “www.bad-site.com”, “partner.bad-site.com”, “press.bad-site.com”, and so on. You can also enter just a top level domain. For example, enter .com to block all .com domains.
Use up to 127 characters (0–9 a–z). The casing does not matter.
Allow list
Sites that you want to allow access to, regardless of their content rating, can be allowed by adding them to this list.
Enter host names such as www.good-site.com into this text field. Do not enter the complete URL of the site – that is, do not include “http://”. All sub-domains are allowed. For example, entering “zyxel.com” also allows “www.zyxel.com”, “partner.zyxel.com”, “press.zyxel.com”, and so on. You can also enter just a top level domain. For example, enter .com to allow all .com domains.
Use up to 127 characters (0–9 a–z). The casing does not matter.
URL Threat Filter external block list
The Nebula Device uses block list entries stored in a file on a web server that supports HTTP or HTTPS. The Nebula Device blocks incoming and outgoing packets that match the block list entries in this file.
Enabled
Select this to have the Nebula Device block the incoming packets that come from the listed addresses in the block list file on the server.
Name
Enter an identifying name for the block list file. You can use alphanumeric and ()+/:=?!*#@$_%- characters, and it can be up to 60 characters long.
External DB
Enter the exact file name, path and IP address of the server containing the block list file. The file type must be ‘txt’.
For example, http://172.16.107.20/blacklist-files/myip-ebl.txt
The server must be reachable from the Nebula Device.
Description
Enter a description of the block list file. You can use alphanumeric and ()+/:=?!*#@$_%- characters, and it can be up to 60 characters long.
Click this icon to remove the entry.
Add
Click this button to create a new entry.
Schedule update
The signatures for DNS Filter and URL Threat Filter are the same. These signatures are continually updated as new malware evolves. New signatures can be downloaded to the Nebula Device periodically if you have subscribed for the URL Threat filter signatures service.
You need to create an account at myZyxel, register your Nebula Device and then subscribe for URL Threat filter service in order to be able to download new signatures from myZyxel.
Select Daily to set the time of the day, or Weekly to set the day of the week and the time of the day.
Schedule signature updates for a day and time when your network is least busy to minimize disruption to your network.
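The host name rules for the Block list and Allow list above, which are the same rules the Custom block web site and Custom allow web site lists of a Content Filtering profile use, as an added example that is not Zyxel’s code. Assumptions: an allow list entry wins when a host is on both lists (the page does not state the precedence), and “-” and “.” are accepted in entries because the page’s own examples use them.

```python
"""Added example (not Zyxel code): how block/allow web site list entries match
host names.  Rules taken from the page: enter a host name or a top level domain
(".com"), never a URL; all sub-domains of an entry match; at most 127 characters;
case does not matter.  Assumption: the allow list takes precedence over the
block list when a host is on both (the page does not state the order)."""
import re
from urllib.parse import urlsplit

MAX_ENTRY_LEN = 127
# Optional leading dot (".com"), then DNS-style labels of letters, digits and dashes.
_ENTRY_RE = re.compile(
    r"^\.?[a-z0-9]([a-z0-9-]*[a-z0-9])?(\.[a-z0-9]([a-z0-9-]*[a-z0-9])?)*$")


def validate_entry(entry):
    """Normalise one list entry the way the page describes, or raise ValueError."""
    e = entry.strip().lower()                 # the casing does not matter
    if "://" in e or "/" in e:
        raise ValueError("enter a host name, not a URL: %r" % entry)
    if len(e) > MAX_ENTRY_LEN:
        raise ValueError("entry longer than %d characters" % MAX_ENTRY_LEN)
    if not _ENTRY_RE.match(e):
        raise ValueError("invalid host name: %r" % entry)
    return e.lstrip(".")                      # ".com" and "com" both mean the whole TLD


def host_matches(entry, host):
    """True when the host equals the entry or is a sub-domain of it.
    'bad-site.com' matches 'press.bad-site.com' but not 'notbad-site.com'."""
    h = host.lower().rstrip(".")
    return h == entry or h.endswith("." + entry)


def host_from_request(url_or_host):
    """The request side may carry a full URL; only its host name is compared."""
    if "://" in url_or_host:
        return urlsplit(url_or_host).hostname or ""
    return url_or_host.split("/", 1)[0].split(":", 1)[0]


def classify(block_entries, allow_entries, url_or_host):
    """Return 'allow', 'block', or None when neither list applies
    (the request then falls through to the category rating)."""
    host = host_from_request(url_or_host)
    allow = [validate_entry(e) for e in allow_entries]
    block = [validate_entry(e) for e in block_entries]
    if any(host_matches(e, host) for e in allow):
        return "allow"                        # assumption: allow list overrides block list
    if any(host_matches(e, host) for e in block):
        return "block"
    return None


if __name__ == "__main__":
    # Constructed sample lists; zyxel.com and bad-site.com are the page's own examples.
    for req in ("www.bad-site.com", "notbad-site.com", "https://press.zyxel.com/news"):
        print(req, "->", classify(["bad-site.com"], ["zyxel.com"], req))
```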
IP Reputation
Signature information
This shows the Current Version of the signature set the Nebula Device is using and the Released Date.
Enabled
Select this option to turn on IP blocking on the Nebula Device.
Log
Select this option to create a log on the Nebula Device when the packet comes from an IPv4 address with bad reputation.
Policy
Select Pass to have the Nebula Device allow the packet to go through.
Select Block to have the Nebula Device deny the packets and send a TCP RST to both the sender and receiver when a packet comes from an IPv4 address with bad reputation.
Threat level threshold
Select the threat level threshold at which the Nebula Device will take action (High, Medium and above, Low and above).
The threat level is determined by the IP reputation engine. It grades IPv4 addresses.
High: an IPv4 address that scores 0 to 20 points.
Medium and above: an IPv4 address that scores 0 to 60 points.
Low and above: an IPv4 address that scores 0 to 80 points.
For example, a score of “10” will cause the Nebula Device to take action whether you set the Threat level threshold at High, Medium and above, or Low and above.
But a score of “61” will not cause the Nebula Device to take any action if you set the Threat level threshold at Medium and above.
Test Category
Enter the IPv4 address of a website and click the Test button to check whether the website is associated with suspicious activities that could pose a security threat to users or their computers.
Category list
Select the categories of packets that come from the Internet and are known to pose a security threat to users or their computers.
Block list
Sites that you want to block access to, regardless of their content rating, can be blocked by adding them to this list.
Add the IPv4 addresses from which the Nebula Device will block incoming packets.
Allow list
Sites that you want to allow access to, regardless of their content rating, can be allowed by adding them to this list.
Add the IPv4 addresses from which the Nebula Device will allow incoming packets.
External block list
Enabled
Select this check box to have the Nebula Device block the incoming packets that come from the listed addresses in the block list file on the server.
Name
Enter the identifying name for the block list file. You can use alphanumeric and ()+/:=?!*#@$_%- characters, and it can be up to 60 characters long.
External DB
Enter the file name, path and IP address of the server containing the block list file. For example, http://172.16.107.20/blacklist-files/myip-ebl.txt
Description
Enter a description of the block list file. You can use alphanumeric and ()+/:=?!*#@$_%- characters, and it can be up to 60 characters long.
Click this icon to remove the entry.
Add
Click this button to create a new entry.
Schedule update
New IP reputation signatures can be downloaded to the Nebula Device periodically if you have subscribed for the IP reputation signatures service. You need to create an account at myZyxel, register your Nebula Device and then subscribe for IP reputation service in order to be able to download new signatures from myZyxel.
Select Daily to set the time of the day, or Weekly to set the day of the week and the time of the day.
Schedule signature updates for a day and time when your network is least busy to minimize disruption to your network.
Anti-Malware
Signature information
This shows the Current Version of the signature set the Nebula Device is using and the Released Date.
Enabled
Select On to turn on the rule. Otherwise, select Off to turn off the rule.
Log
Select whether to have the Nebula Device generate a log when the policy is matched to the criteria listed above.
Scan Mode
Express Mode
In this mode you can define which types of files are scanned using the File Type For Scan fields. The Nebula Device then scans files by sending each file’s hash value to a cloud database using cloud query. This is the fastest scan mode.
Stream Mode
In this mode the Nebula Device scans all files for viruses using its anti-malware signatures to detect known virus patterns. This is the deepest scan mode.
Hybrid Mode
(for ATP devices only)
In this mode you can define which types of files are scanned using the File Type For Scan fields. The Nebula Device then scans files by sending each file’s hash value to a cloud database using cloud query. It also scans files using anti-malware signatures, and Threat Intelligence Machine Learning. This mode combines Express Mode and Stream Mode to offer a balance of speed and security.
File decompression (ZIP and RAR)
Select this check box to have the Nebula Device scan a compressed file (the file does not need to have a “zip” or “rar” file extension). The Nebula Device first decompresses the file and then scans the contents for malware.
*The Nebula Device decompresses a compressed file once. The Nebula Device does NOT decompress any files within a compressed file.
Destroy compressed files that could not be decompressed
When you select this check box, the Nebula Device deletes compressed files that use password encryption.
Select this check box to have the Nebula Device delete any compressed files that it cannot decompress. The Nebula Device cannot decompress password protected files or a file within another compressed file. There are also limits to the number of compressed files that the Nebula Device can concurrently decompress.
*The Nebula Device’s firmware package cannot go through the Nebula Device with this check box enabled. The Nebula Device classifies the firmware package as a file that cannot be decompressed and then deletes it. Clear this check box when you download a firmware package from the Zyxel website. It is okay to upload a firmware package to the Nebula Device with the check box selected.
Cloud Query
Select the Cloud Query supported file types for the Nebula Device to scan for viruses.
Block list
This field displays the file or encryption pattern of the entry. Enter an MD5 hash or file pattern that would cause the Nebula Device to log and modify this file.
File patterns:
• Use up to 80 characters. Alphanumeric characters, underscores (_), dashes (-), question marks (?) and asterisks (*) are allowed.
• A question mark (?) lets a single character in the file name vary. For example, use “a?.zip” (without the quotation marks) to specify aa.zip, ab.zip and so on.
• Wildcards (*) let multiple files match the pattern. For example, use “*a.zip” (without the quotation marks) to specify any file that ends with “a.zip”. A file named “testa.zip” would match. There could be any number (of any type) of characters in front of the “a.zip” at the end and the file name would still match. A file named “test.zipa”, for example, would not match.
• A * in the middle of a pattern has the Nebula Device check the beginning and end of the file name and ignore the middle. For example, with “abc*.zip”, any file starting with “abc” and ending in “.zip” matches, no matter how many characters are in between.
• The whole file name has to match if you do not use a question mark or asterisk.
• If you do not use a wildcard, the Security Firewall checks up to the first 80 characters of a file name.
Allow list
Enter the file or encryption pattern for this entry. Enter an MD5 hash or file pattern to identify the names of files that the Nebula Device should not scan for viruses.
File patterns:
• Use up to 80 characters. Alphanumeric characters, underscores (_), dashes (-), question marks (?) and asterisks (*) are allowed.
• A question mark (?) lets a single character in the file name vary. For example, use “a?.zip” (without the quotation marks) to specify aa.zip, ab.zip and so on.
• Wildcards (*) let multiple files match the pattern. For example, use “*a.zip” (without the quotation marks) to specify any file that ends with “a.zip”. A file named “testa.zip” would match. There could be any number (of any type) of characters in front of the “a.zip” at the end and the file name would still match. A file named “test.zipa”, for example, would not match.
• A * in the middle of a pattern has the Nebula Device check the beginning and end of the file name and ignore the middle. For example, with “abc*.zip”, any file starting with “abc” and ending in “.zip” matches, no matter how many characters are in between.
• The whole file name has to match if you do not use a question mark or asterisk.
• If you do not use a wildcard, the Nebula Device checks up to the first 80 characters of a file name.
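The Block list and Allow list entry rules above (an MD5 hash or a file pattern with “?” and “*”), as an added example that is not Zyxel’s code. Assumptions: a 32-character hexadecimal entry is treated as an MD5 hash rather than a file name, “.” is accepted in patterns because the page’s own examples contain it, and the sample file contents are constructed.

```python
"""Added example (not Zyxel code): matcher for the anti-malware block/allow list
entries.  Rules from the page: an entry is an MD5 hash or a file pattern of up
to 80 characters; '?' lets one character vary; '*' matches any run of characters
(also in the middle of a pattern); without a wildcard the whole name must match,
compared against the first 80 characters of the file name."""
import hashlib
import re

MAX_PATTERN_LEN = 80
_MD5_RE = re.compile(r"^[0-9a-fA-F]{32}$")
# Alphanumerics, '_', '-', '?', '*' per the page; '.' added because "a?.zip" uses it.
_PATTERN_CHARS = re.compile(r"^[A-Za-z0-9_.?*-]+$")


def md5_of(content):
    """Lower-case hex MD5 of file content, the form an MD5 list entry is compared to."""
    return hashlib.md5(content).hexdigest()


def is_md5_entry(entry):
    # Assumption: a 32-hex-character entry is a hash, not a file name.
    return bool(_MD5_RE.match(entry))


def validate_pattern(pattern):
    if len(pattern) > MAX_PATTERN_LEN:
        raise ValueError("pattern longer than %d characters" % MAX_PATTERN_LEN)
    if not _PATTERN_CHARS.match(pattern):
        raise ValueError("only alphanumerics, _ - ? * (and .) are allowed: %r" % pattern)
    return pattern


def pattern_to_regex(pattern):
    """Translate the page's wildcard rules into an anchored regular expression."""
    out = []
    for ch in validate_pattern(pattern):
        if ch == "?":
            out.append(".")      # exactly one character varies
        elif ch == "*":
            out.append(".*")     # any number (of any type) of characters
        else:
            out.append(re.escape(ch))
    return re.compile("^" + "".join(out) + "$")


def pattern_matches(pattern, filename):
    if "?" in pattern or "*" in pattern:
        return pattern_to_regex(pattern).match(filename) is not None
    # No wildcard: the whole name must match, checked up to the first 80 characters.
    return validate_pattern(pattern) == filename[:MAX_PATTERN_LEN]


def find_match(entries, filename, content=b""):
    """Return the first list entry that identifies this file, or None."""
    digest = md5_of(content)
    for entry in entries:
        if is_md5_entry(entry):
            if entry.lower() == digest:
                return entry
        elif pattern_matches(entry, filename):
            return entry
    return None


if __name__ == "__main__":
    # Constructed sample: the page's own example patterns plus one hash entry.
    sample = b"constructed sample file content"
    entries = ["a?.zip", "*a.zip", "abc*.zip", md5_of(sample)]
    for name in ("aa.zip", "testa.zip", "test.zipa", "abc_payload.zip", "notes.txt"):
        print(name, "->", find_match(entries, name, b"other content"))
    print("hash match ->", find_match(entries, "anything.bin", sample))
```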
Sandboxing
Sandboxing provides a safe environment to separate running programs from your network and host devices. Unknown or untrusted programs/codes are uploaded to the Defend Center and executed within an isolated virtual machine (VM) to monitor and analyze the zero-day malware and advanced persistent threats (APTs) that may evade the Nebula Device’s detection, such as anti-malware. Results of cloud sandboxing are sent from the server to the Nebula Device.
Enabled
Select this option to turn on sandboxing on the Nebula Device.
Log
Enable this option to allow the Security Firewall to create a log when a suspicious file is detected.
Policy
Specify whether the Nebula Device deletes (Destroy) or forwards (Allow) malicious files. Malicious files are files given a high score for malware characteristics by the Defend Center.
Inspect selected downloaded files
Select this option to have the Nebula Device hold the downloaded file for up to 2 seconds if the downloaded file has never been inspected before. The Nebula Device will wait for the Defend Center’s result and forward the file in 2 seconds. Sandbox detection may take longer than 2 seconds, so infected files could still possibly be forwarded to the user.
*The Nebula Device only checks the file types you selected for sandbox inspection.
The scan result will be removed from the Nebula Device cache after the Nebula Device restarts.
File submission options
Specify the type of files to be sent for sandbox inspection.
Intrusion Detection/Prevention
Signature information
This shows the Current Version of the signature set the Nebula Device is using and the Released Date.
Detection
Select On to enable Detection.
Prevention
Select On to enable Prevention.
Create a Content Filtering Profile
Click the Add button in the Content Filtering section of the Firewall > Configure > Security service screen to access this screen.
Firewall > Configure > Security service > Content Filtering: Add/Edit
The following table describes the labels in this screen.
Firewall > Configure > Security service > Content Filtering: Add/Edit 
Label
Description
Add profile
Name
This column lists the names of the content filter profile rule.
Description (Optional)
This column lists the description of the content filter profile rule.
Log
Select whether to have the Nebula Device generate a log when the policy is matched to the criteria listed above.
DNS content filtering
Select this option to turn on DNS filtering on the Nebula Device.
DNS filtering inspects DNS queries made by clients on your network and compares the queries against a database of blocked or allowed Fully Qualified Domain Names (FQDNs). The Nebula Device DNS content filtering will either drop the DNS query or reply to the user with a fake DNS response.
Block Web Pages
Action for Unrated Web Pages
Select Pass to allow users to access web pages that the external web filtering service has not categorized.
Select Block to prevent users from accessing web pages that the external web filtering service has not categorized. When the external database content filtering blocks access to a web page, it displays the denied access message that you configured in the Content Filter General screen along with the category of the blocked web page.
Select Warn to display a warning message before allowing users to access web pages that the external web filtering service has not categorized.
Action when service is Unavailable
Select Pass to allow users to access any requested web page if the external content filtering database is unavailable.
Select Block to block access to any requested web page if the external content filtering database is unavailable.
Select Warn to display a warning message before allowing users to access any requested web page if the external content filtering database is unavailable.
The following are possible causes for the external content filtering server not being available:
•There is no response from the external content filtering server within the time period specified in the Content Filter Server Unavailable Timeout field.
•The Nebula Device is not able to resolve the domain name of the external content filtering database.
•There is an error response from the external content filtering database. This can be caused by an expired content filtering registration (“External content filtering’s license key is invalid”).
Block Category
The Nebula Device prevents users from accessing web pages that match the categories that you select below. When external database content filtering blocks access to a web page, it displays the denied access message that you configured in the Denied access message field along with the category of the blocked web page.
Templates
Web pages are classified into a category based on their content. You can choose a pre-defined template that has already selected certain categories. Alternatively, choose Custom and manually select categories in this section to control access to specific types of Internet content.
Test URL
You can check which category a web page belongs to. Enter a web site URL in the text box.
When the content filter is active, you should see the web page’s category. The query fails if the content filter is not active.
Content Filtering can query a category by full URL string (for example, http://www.google.com/picture/index.htm), but HTTPS Domain Filter can only query a category by domain name ('www.google.com'), so the category may be different in the query result. Test URL displays both results in the test.
Search Category
Specify your desired filter criteria to filter the list of categories.
Category List
Click to display or hide the category list.
These are categories of web pages based on their content. Select categories in this section to control access to specific types of Internet content.
Block web site
Sites that you want to block access to, regardless of their content rating, can be blocked by adding them to this list.
Enter host names such as www.bad-site.com into this text field. Do not enter the complete URL of the site – that is, do not include “http://”. All sub-domains are also blocked. For example, entering “bad-site.com” also blocks “www.bad-site.com”, “partner.bad-site.com”, “press.bad-site.com”, and so on. You can also enter just a top level domain. For example, enter .com to block all .com domains.
Use up to 127 characters (0–9 a–z). The casing does not matter.
Add
Click this button to add a new entry.
Allow web site
Sites that you want to allow access to, regardless of their content rating, can be allowed by adding them to this list.
Enter host names such as www.good-site.com into this text field. Do not enter the complete URL of the site – that is, do not include “http://”. All sub-domains are allowed. For example, entering “zyxel.com” also allows “www.zyxel.com”, “partner.zyxel.com”, “press.zyxel.com”, and so on. You can also enter just a top level domain. For example, enter .com to allow all .com domains.
Use up to 127 characters (0–9 a–z). The casing does not matter.
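The block and allow lists above share one matching rule (an entry covers itself and every sub-domain, a bare top-level domain such as `.com` covers every name under it, case does not matter, 127 characters maximum, no scheme). This added example, which is not Zyxel's implementation, encodes that rule for both lists and adds the input validation an administrator would want when pasting entries. It assumes the allow list is consulted before the block list; the page does not state which list wins when both match, so treat that ordering as a placeholder to confirm against the device.

```python
MAX_ENTRY_LEN = 127  # limit stated on the page


def normalize_host(host: str) -> str:
    """Lower-case and strip a trailing dot so comparisons are case-insensitive."""
    return host.strip().lower().rstrip(".")


def validate_entry(entry: str) -> str:
    """Reject entries that are URLs or too long; return the normalized host."""
    normalized = normalize_host(entry)
    if "://" in normalized or "/" in normalized:
        raise ValueError(f"enter a host name, not a URL: {entry!r}")
    if not 0 < len(normalized) <= MAX_ENTRY_LEN:
        raise ValueError(f"entry must be 1..{MAX_ENTRY_LEN} characters: {entry!r}")
    return normalized


def entry_matches(entry: str, host: str) -> bool:
    """True if a list entry covers host (itself, any sub-domain, or a whole TLD)."""
    e, h = normalize_host(entry), normalize_host(host)
    if e.startswith("."):
        # Bare top-level domain such as ".com": every name ending in it matches.
        return h.endswith(e)
    return h == e or h.endswith("." + e)


def list_matches(entries: list[str], host: str) -> bool:
    return any(entry_matches(e, host) for e in entries)


def classify(host: str, block_list: list[str], allow_list: list[str]) -> str:
    """Return 'allow', 'block', or 'rate' (fall through to category rating).

    Allow-list-first precedence is an assumption, not something the page states.
    """
    if list_matches(allow_list, host):
        return "allow"
    if list_matches(block_list, host):
        return "block"
    return "rate"


if __name__ == "__main__":
    # Constructed sample lists, not taken from a real profile.
    block = [validate_entry(e) for e in ["bad-site.com", ".xyz"]]
    allow = [validate_entry(e) for e in ["Zyxel.com"]]
    for host in ["www.bad-site.com", "press.BAD-site.com", "notbad-site.com",
                 "promo.example.xyz", "partner.zyxel.com", "www.example.org"]:
        print(f"{host:22} -> {classify(host, block, allow)}")
```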
Add
Click this button to add a new entry.
Click this icon to remove the entry.
Cancel
Click this button to exit this screen without saving.
Create
Click this button to save your changes and close the screen.
Add Application Patrol Profile
Click the Add button in the Application Patrol section of the Firewall > Configure > Security service screen to access this screen.
Firewall > Configure > Security service > Application Patrol: Add/Edit
The following table describes the labels in this screen.
Firewall > Configure > Security service > Application Patrol: Add/Edit
Label
Description
Add profile
 
Name
This column lists the names of the application patrol profile rule.
Description (Optional)
This column lists the description of the application patrol profile rule.
Log
Select whether to have the Nebula Device generate a log when the policy is matched to the criteria listed above.
Application Management
Enabled
Select the check box to turn on the rule. Otherwise, clear the check box to turn off the rule.
Category
Select an application category.
Application
Select All or select an application within the category to apply the policy.
Action
Displays the default action for the applications selected in this category.
Reject – the Nebula Device drops packets that match these application signatures and sends a notification to clients.
Click this icon to remove the entry.
Add
Click this button to create a new application category and set actions for specific applications within the category.
Search Application
Enter a name to search for relevant applications and click Add to create an entry.
Close
Click this button to exit this screen without saving.
Create
Click this button to save your changes and close the screen.
Captive Portal
Use this screen to configure captive portal settings for each interface. A captive portal can intercept network traffic until the user authenticates his or her connection, usually through a specifically designated login web page.
Click Firewall > Configure > Captive portal to access this screen.
Firewall > Configure > Captive portal
The following table describes the labels in this screen.
Firewall > Configure > Captive portal 
Label
Description
Interface
Select the Nebula Device’s interface (network) to which the settings you configure here are applied.
Themes
This section is not configurable when External captive portal URL is set to ON.
Click the Preview icon at the upper right of a theme image to display the portal page in a new frame.
Click the Copy icon to create a new custom theme (portal page).
Click the Edit icon of a custom theme to go to a screen, where you can view and configure the details of the custom portal pages. See Custom Theme Edit.
Click the Remove icon to delete a custom theme.
Select the theme you want to use on the specified interface.
Click-to-continue/Sign-on page
This section is not configurable when External captive portal URL is set to ON.
Logo
This shows the logo image that you uploaded for the customized login page.
Click Upload a logo and specify the location and file name of the logo graphic or click Browse to locate it. You can use the following image file formats: GIF, PNG, or JPG.
Message
Enter a note to display below the title. Use up to 1024 printable ASCII characters. Spaces are allowed.
Success page
Message
Enter a note to display on the page that displays when a user logs in successfully. Use up to 1024 printable ASCII characters. Spaces are allowed.
External captive portal URL
Use URL
Select On to use a custom login page from an external web portal instead of the one built into the NCC. You can configure the look and feel of the web portal page.
Specify the login page’s URL; for example, http://IIS server IP Address/login.asp. The Internet Information Server (IIS) is the web server on which the web portal files are installed.
Captive portal behavior
After the captive portal page where the user should go?
Select To promotion URL and specify the URL of the web site/page to which the user is redirected after a successful login. Otherwise, select Stay on Captive portal authenticated successfully page.
Custom Theme Edit
Use this screen to check what the custom portal pages look like. You can also view and modify the CSS values of the selected HTML file. Click a custom login page’s Edit button in the Firewall > Configure > Captive portal screen to access this screen.
Firewall > Configure > Captive portal: Edit
The following table describes the labels in this screen.
Firewall > Configure > Captive portal: Edit 
Label
Description
Back to config
Click this button to return to the Captive portal screen.
Theme name
This shows the name of the theme. Click the edit icon to change it.
Font
Click the arrow to hide or display the configuration fields.
To display this section and customize the font type and/or size, click an item with text in the preview of the selected custom portal page (HTML file).
Color
Click the arrow to hide or display the configuration fields.
Click an item in the preview of the selected custom portal page (HTML file) to display this section and customize its color, such as the color of the button, text, window’s background, links, borders, and so on.
Select a color that you want to use and click the Select button.
HTML/CSS
This shows the HTML file name of the portal page created for the selected custom theme. This also shows the name of the CSS files created for the selected custom theme.
Click an HTML file to display the portal page. You can also change colors and modify the CSS values of the selected HTML file.
Click this button to view and modify the CSS values of the selected HTML file. It is recommended that you do NOT change the script code to ensure proper operation of the portal page.
Click this button to preview the portal page (the selected HTML file).
Save
Click this button to save your settings for the selected HTML file to the NCC.
Apply
Click this button to save your settings for the selected HTML file to the NCC and apply them to the Nebula Device in the site.
Authentication Method
Use this screen to enable or disable web authentication on an interface.
Click Firewall > Configure > Authentication Method to access this screen.
Firewall > Configure > Authentication Method
The following table describes the labels in this screen.
Firewall > Configure > Authentication method 
Label
Description
Interfaces
Select the Nebula Device’s interface (network) to which the settings you configure here are applied.
Network Access
Select Disable to turn off web authentication.
Select Click-to-continue to block network traffic until a client agrees to the policy of user agreement.
Select Sign-on with to block network traffic until a client authenticates with an external RADIUS or AD server through the specifically designated web portal page. Select Nebula Cloud Authentication or an authentication server that you have configured in the Firewall > Configure > Firewall settings screen (see Firewall Settings).
Select Two-Factor Authentication to require that the user log in using both their password and a Google Authenticator code. To log in, users must have Two-Factor Authentication enabled on their account and have set up Google Authenticator on their mobile device.
Walled garden
This field is not configurable if you set Network Access to Disable.
Select to turn on or off the walled garden feature.
With a walled garden, you can define one or more web site addresses that all users can access without logging in. These can be used for advertisements for example.
Walled garden ranges
Specify walled garden web site links, which use a domain name or an IP address for web sites that all users are allowed to access without logging in.
Captive portal access attribute
Self-registration
This field is available only when you select Sign-on with Nebula Cloud authentication in the Network Access field.
Select Allow users to create accounts with auto authorized or Allow users to create accounts with manual authorized to display a link in the captive portal login page. The link directs users to a page where they can create an account before they authenticate with the NCC. For Allow users to create accounts with manual authorized, users cannot log in with the account until the account is authorized and granted access. For Allow users to create accounts with auto authorized, users can just use the registered account to log in without administrator approval.
Select Don’t allow users to create accounts to not display a link for account creation in the captive portal login page.
Login on multiple client devices
This field is available only when you select Sign-on with in the Network Access field.
Select Multiple devices access simultaneously if you allow users to log in as many times as they want as long as they use different IP addresses.
Select One device at a time if you do not allow users to have simultaneous logins.
NCAS disconnection behavior
This field is available only when you select Sign-on with Nebula Cloud Authentication in the Network Access field.
Select Allowed to allow any users to access the network without authentication when the NCAS (Nebula Cloud Authentication Server) is not reachable.
Select Limited to allow only the currently connected users or the users in the white list to access the network.
Wireless
This screen allows you to configure different SSID profiles for your Nebula Device. An SSID, or Service Set IDentifier, is the name of the WiFi network to which a WiFi client can connect. The SSID appears as readable text to any device capable of scanning for WiFi frequencies (such as the WiFi adapter in a laptop), and is displayed as the WiFi network name when a person makes a connection to it.
Click Firewall > Configure > Wireless to access this screen.
Firewall > Configure > Wireless
The following table describes the labels in this screen.
Firewall > Configure > Wireless 
Label
Description
SSID Settings
No.
This shows the SSID number.
Name
This shows the SSID name as it appears to WiFi clients.
Enabled
Click this to enable the SSID to be discoverable by WiFi clients.
Authentication
WLAN Security
Select Open to allow any WiFi client to associate with this network without any data encryption or authentication.
Select WPA2-PSK to enable WPA2-PSK data encryption.
Associate Key
Enter a pre-shared key from 8 to 64 case-sensitive keyboard characters to enable WPA2-PSK data encryption.
Band
Select to have the SSID use either 2.4 GHz band only or the 5 GHz band only.
If you select Concurrent operation (2.4 GHz and 5 GHz), the SSID uses both frequency bands.
Outgoing Interface
Select the interface for outgoing traffic from the Nebula Device to the Internet.
Radio Settings
Maximum output power
Enter the maximum output power of the radio (in dBm).
Channel width
Select the WiFi channel bandwidth you want the Nebula Device to use.
A standard 20 MHz channel offers transfer speeds of up to 144 Mbps (2.4 GHz) or 217 Mbps (5 GHz) whereas a 40 MHz channel uses two standard channels and offers speeds of up to 300 Mbps (2.4 GHz) or 450 Mbps (5 GHz). An IEEE 802.11ac-specific 80 MHz channel offers speeds of up to 1.3 Gbps.
40 MHz (channel bonding or dual channel) bonds two adjacent radio channels to increase throughput. An 80 MHz channel consists of two adjacent 40 MHz channels. The WiFi clients must also support 40 MHz or 80 MHz. It is often better to use the 20 MHz setting in a location where the environment hinders the WiFi signal.
*It is suggested that you select 20 MHz when there is more than one 2.4 GHz Nebula Device in the network.
2.4 GHz channel deployment
Select Three-Channel Deployment to limit channel switching to channels 1, 6, and 11, the three channels that are sufficiently attenuated to have almost no impact on one another. In other words, this allows you to minimize channel interference by limiting channel-hopping to these three “safe” channels.
Select Four-Channel Deployment to limit channel switching to four channels. Depending on the country domain, if the only allowable channels are 1 – 11 then the Nebula Device uses channels 1, 4, 7, 11 in this configuration; otherwise, the Nebula Device uses channels 1, 5, 9, 13 in this configuration. Four-Channel Deployment expands your pool of possible channels while keeping the channel interference to a minimum.
Select Manual to choose the allowable channels 1 – 11.
5 GHz channel deployment
Select how you want to specify the channels the Nebula Device switches between for 5 GHz operation.
Select Auto to have the Nebula Device automatically select the best channel.
Select Manual to choose from the allowable channels.
Firewall Settings
Use this screen to configure DNS settings and external AD (Active Directory), RADIUS, or LDAP server that the Nebula Device can use for authenticating users.
AD (Active Directory) is a directory service that is both a directory and a protocol for controlling access to a network. The directory consists of a database specialized for fast information retrieval and filtering activities. You create and store user profile and login information on the external server.
This screen also lets you configure the addresses of walled garden web sites that users can access without logging into the Nebula Device. The settings in this screen apply to all networks (interfaces) on the Nebula Device. If you want to configure walled garden web site links for a specific interface, use the Authentication method screen.
Click Firewall > Configure > Firewall settings to access this screen.
Firewall > Configure > Firewall settings
The following table describes the labels in this screen.
Firewall > Configure > Firewall settings 
Label
Description
DNS
Address Record
This record specifies the mapping of a Fully-Qualified Domain Name (FQDN) to an IP address. An FQDN consists of a host and domain name. For example, www.zyxel.com.tw is a fully qualified domain name, where “www” is the host, “zyxel” is the third-level domain, “com” is the second-level domain, and “tw” is the top level domain.
FQDN
Enter a host’s fully qualified domain name.
Use "*." as a prefix in the FQDN for a wildcard domain name (for example, *.example.com).
IP Address
Enter the host’s IP address.
Click this icon to remove the entry.
Add
Click this button to create a new entry.
Domain Zone Forwarder
This specifies a DNS server’s IP address. The Nebula Device can query the DNS server to resolve domain zones for features like VPN, DDNS and the time server. When the Nebula Device needs to resolve a domain zone, it checks it against the domain zone forwarder entries in the order that they appear in this list.
Domain Zone
A domain zone is a fully qualified domain name without the host. For example, zyxel.com.tw is the domain zone for the www.zyxel.com.tw fully qualified domain name. Whenever the Nebula Device needs to resolve a zyxel.com.tw domain name, it can send a query to the recorded name server IP address.
IP Address
Enter the DNS server's IP address.
Interface
Select the interface through which the Nebula Device sends DNS queries to the specified DNS server.
Click this icon to remove the entry.
Add
Click this button to create a new entry.
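The Address Record and Domain Zone Forwarder sections above describe two lookups: a static FQDN-to-IP table that accepts a `*.` wildcard prefix, and an ordered list of zone forwarders where the first zone containing the queried name wins. This added example (not Zyxel's code) models both so you can check what a given configuration will do with a name before committing it. Two details are assumptions because the page does not state them: static address records are consulted before forwarders, and a wildcard record `*.example.com` matches hosts under the domain but not the bare `example.com`.

```python
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class AddressRecord:
    fqdn: str   # may start with "*." for a wildcard domain name
    ip: str


@dataclass(frozen=True)
class ZoneForwarder:
    zone: str        # domain zone, i.e. the FQDN without the host
    server_ip: str   # DNS server that answers for this zone
    interface: str   # interface the query is sent through


def _norm(name: str) -> str:
    return name.strip().lower().rstrip(".")


def address_record_matches(record: AddressRecord, name: str) -> bool:
    rec, n = _norm(record.fqdn), _norm(name)
    if rec.startswith("*."):
        # Wildcard: any host under the domain; the bare domain itself is not
        # matched (assumption about wildcard semantics).
        return n.endswith(rec[1:]) and n != rec[2:]
    return n == rec


def in_zone(zone: str, name: str) -> bool:
    z, n = _norm(zone), _norm(name)
    return n == z or n.endswith("." + z)


def resolve(name: str,
            records: list[AddressRecord],
            forwarders: list[ZoneForwarder]) -> tuple[str, Optional[str], Optional[str]]:
    """Decide how a name would be resolved: (source, ip_or_server, interface).

    Static records first (assumption), then forwarders in list order as the
    page describes, otherwise the system DNS servers.
    """
    for record in records:
        if address_record_matches(record, name):
            return ("address-record", record.ip, None)
    for fwd in forwarders:
        if in_zone(fwd.zone, name):
            return ("forward", fwd.server_ip, fwd.interface)
    return ("system-dns", None, None)


# Constructed sample configuration using documentation/private address ranges.
RECORDS = [
    AddressRecord("*.example.com", "10.0.0.5"),
    AddressRecord("vpn.corp.local", "192.0.2.10"),
]
FORWARDERS = [
    ZoneForwarder("zyxel.com.tw", "203.0.113.53", "wan1"),
    ZoneForwarder("corp.local", "10.0.0.53", "lan1"),
]

if __name__ == "__main__":
    for q in ["www.example.com", "example.com", "www.zyxel.com.tw",
              "vpn.corp.local", "mail.corp.local"]:
        print(f"{q:20} -> {resolve(q, RECORDS, FORWARDERS)}")
```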
Authentication Server
My AD Server
Name
Enter a descriptive name for the server.
Server address
Enter the address of the AD server.
Backup server address
If the AD server has a backup server, enter its address here.
Port
Specify the port number on the AD server to which the Nebula Device sends authentication requests. Enter a number between 1 and 65535.
AD domain
Specify the Active Directory forest root domain name.
Domain admin
Enter the name of the user that is located in the container for Active Directory Users, who is a member of the Domain Admin group.
Password
Enter the password of the Domain Admin user account.
Advanced
Click to open a screen where you can select to use Default or Custom advanced settings. See Advanced Settings.
Click this icon to remove the server.
Add
Click this button to create a new server.
My LDAP Server
 
Name
Enter the description of each server, if any. You can use up to 60 printable ASCII characters.
Server address
Enter the address of the LDAP server.
Backup server address
If the LDAP server has a backup server, enter its address here.
Port
Specify the port number on the LDAP server to which the Nebula Device sends authentication requests. Enter a number between 1 and 65535.
Base DN
Specify the directory (up to 127 alphanumerical characters). For example, o=Zyxel, c=US.
Bind DN
Specify the bind DN for logging into the AD or LDAP server. Enter up to 127 alphanumerical characters.
For example, cn=zywallAdmin specifies zywallAdmin as the user name.
Password
If required, enter the password (up to 15 alphanumerical characters) required to bind or log in to the LDAP server.
Advanced
Click to open a screen where you can select to use Default or Custom advanced settings. See Advanced Settings.
Click this icon to remove the entry.
Add
Click this button to create a new server.
My RADIUS Server
Name
Enter a descriptive name for the server.
Server address
Enter the address of the RADIUS server.
Backup server address
If the RADIUS server has a backup server, enter its address here.
Port
Specify the port number on the RADIUS server to which the Nebula Device sends authentication requests. Enter a number between 1 and 65535.
Secret
Enter a password (up to 15 alphanumeric characters) as the key to be shared between the external authentication server and the Nebula Device.
The key is not sent over the network. This key must be the same on the external authentication server and the Security Firewall.
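The two sentences above are the whole reason a mistyped RADIUS secret shows up as "authentication failed" rather than a connection error: the secret is only ever used to key the MD5-based password hiding and response authenticator defined in RFC 2865, so each side can check the other without transmitting it. This added example, which is standard RADIUS per the RFC and not Zyxel's code, implements both operations so you can see that a secret mismatch turns the hidden password into garbage and makes the server's response fail verification. The secret, authenticator and password values are constructed for the demo.

```python
import hashlib
import struct


def _md5(data: bytes) -> bytes:
    return hashlib.md5(data).digest()


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def hide_user_password(password: bytes, secret: bytes, request_authenticator: bytes) -> bytes:
    """RFC 2865 section 5.2: hide User-Password with the shared secret.

    The password is null-padded to a multiple of 16 bytes; each block is XORed
    with MD5(secret + previous block), seeded with the Request Authenticator.
    """
    if not 1 <= len(password) <= 128:
        raise ValueError("RADIUS User-Password must be 1..128 bytes")
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = bytearray(), request_authenticator
    for i in range(0, len(padded), 16):
        c = _xor(padded[i:i + 16], _md5(secret + prev))
        out += c
        prev = c
    return bytes(out)


def reveal_user_password(hidden: bytes, secret: bytes, request_authenticator: bytes) -> bytes:
    """Inverse of hide_user_password; the server side of the exchange."""
    out, prev = bytearray(), request_authenticator
    for i in range(0, len(hidden), 16):
        c = hidden[i:i + 16]
        out += _xor(c, _md5(secret + prev))
        prev = c
    return bytes(out).rstrip(b"\x00")  # strip the padding added by hide_user_password


def response_authenticator(code: int, identifier: int, attributes: bytes,
                           request_authenticator: bytes, secret: bytes) -> bytes:
    """RFC 2865 section 3: MD5(Code+ID+Length+RequestAuth+Attributes+Secret).

    The client recomputes this with its own copy of the secret; a mismatch
    means the reply is discarded.
    """
    header = struct.pack("!BBH", code, identifier, 20 + len(attributes))
    return _md5(header + request_authenticator + attributes + secret)


if __name__ == "__main__":
    secret = b"s3cr3t-shared"          # constructed; up to 15 characters per the page
    req_auth = bytes(range(16))        # constructed; real clients use 16 random bytes
    password = b"correct horse battery"
    hidden = hide_user_password(password, secret, req_auth)
    print("on the wire:", hidden.hex())
    print("server, right secret:", reveal_user_password(hidden, secret, req_auth))
    print("server, wrong secret:", reveal_user_password(hidden, b"wrong-secret", req_auth))
```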
Advanced
Click to open a screen where you can select to use Default or Custom advanced settings. See Advanced Settings.
Click this icon to remove the server.
Add
Click this button to create a new server.
External User Group
 
Group Name
Enter a descriptive name for the group, up to 31 characters [0–9][a–z][A–Z][@.-_], but the first character must be a letter.
Authentication Server
Select the Name of the Authentication Server you added in My AD Server, My LDAP Server, or My RADIUS Server.
Group ID
Enter the name of the attribute that the Nebula Device checks to determine to which group an external user belongs. The value for this attribute is called a group identifier; it determines to which group an external user belongs.
Add
Click this button to create a new group. The maximum number of external user groups is 20.
Walled garden
Global Walled garden
With a walled garden, you can define one or more web site addresses that all users can access without logging in. These can be used for advertisements for example.
Specify walled garden web site links, which use a domain name or an IP address for web sites that all users are allowed to access without logging in.
Advanced Options
 
Isolate unwanted traffic between tunnel mode APs
Select On to block broadcast and multicast traffic coming from Remote APs (RAPs).
Dynamic DNS
Enable Dynamic DNS to open the Firewall > Configure > Firewall settings: Dynamic DNS screen.
Firewall > Configure > Firewall settings: Dynamic DNS
The following table describes the labels in this screen.
Firewall > Configure > Firewall settings: Dynamic DNS 
Label
Description
Dynamic DNS
Automatic registration
Click On to use dynamic DNS. Otherwise, select Off to disable it.
General Settings
DDNS provider
Select your Dynamic DNS service provider from the drop-down list box.
If you select User customize, create your own DDNS service.
DDNS type
Select the type of DDNS service you are using.
Select DynDNS custom to create your own DDNS service and configure the DynDNS and DDNS static fields below.
If the DDNS provider is Dynu, you can select the account type of DynuBasic or DynuPremium.
DDNS account
Username
Enter the user name used when you registered your domain name.
Password
Enter the password provided by the DDNS provider.
Confirm password
Enter the password again to confirm it.
DDNS settings
Domain name
Enter the domain name you registered.
Primary binding address
Use these fields to set how the Nebula Device determines the IP address that is mapped to your domain name in the DDNS server. The Nebula Device uses the Backup binding address if the interface specified by these settings is not available.
Interface
Select the interface to use for updating the IP address mapped to the domain name.
IP address
Select Auto if the interface has a dynamic IP address. The DDNS server checks the source IP address of the packets from the Nebula Device for the IP address to use for the domain name. You may want to use this if there are one or more NAT routers between the Nebula Device and the DDNS server.
Note: The Nebula Device may not determine the proper IP address if there is an HTTP proxy server between the Nebula Device and the DDNS server.
Select Custom if you have a static IP address. Enter the IP address to use it for the domain name.
Select Interface to have the Nebula Device use the IP address of the specified interface.
Backup binding address
Use these fields to set an alternate interface to map the domain name to when the interface specified by the Primary binding address settings is not available.
Interface
Select the interface to use for updating the IP address mapped to the domain name.
IP address
Select Auto if the interface has a dynamic IP address. The DDNS server checks the source IP address of the packets from the Nebula Device for the IP address to use for the domain name. You may want to use this if there are one or more NAT routers between the Nebula Device and the DDNS server.
*Note: The Nebula Device may not determine the proper IP address if there is an HTTP proxy server between the gateway and the DDNS server.
Select Custom if you have a static IP address. Enter the IP address to use it for the domain name.
Select Interface to have the Security Firewall use the IP address of the specified interface.
Enable wildcard
This option is only available with a DynDNS account.
Enable the wildcard feature to have sub-domains aliased to the same IP address as your (dynamic) domain name. This feature is useful if you want to be able to use, for example, www.yourhost.dyndns.org and still reach your hostname.
Mail exchanger
This option is only available with a DynDNS account.
DynDNS can route email for your domain name to a mail server (called a mail exchanger). For example, DynDNS routes email for john-doe@yourhost.dyndns.org to the host record specified as the mail exchanger.
If you are using this service, type the host record of your mail server here. Otherwise, leave the field blank.
Backup mail exchanger
This option is only available with a DynDNS account.
Select this check box if you are using DynDNS’s backup service for email. With this service, DynDNS holds onto your email if your mail server is not available. Once your mail server is available again, the DynDNS server delivers the mail to you. See www.dyndns.org for more information about this service.
DYNDNS Server
This field displays when you select User customize from the DDNS provider field above. Enter the IP address of the server that will host the DDNS service.
URL
This field displays when you select User customize from the DDNS provider field above. Enter the URL that can be used to access the server that will host the DDNS service.
Additional DDNS Options
This field displays when you select User customize from the DDNS provider field above. These are the options supported at the time of writing:
dyndns_system to specify the DYNDNS Server type – for example, dyndns@dyndns.org
ip_server_name which should be the URL to get the server’s public IP address – for example, http://myip.easylife.tw/
SIP ALG
Application Layer Gateway (ALG) allows the following applications to operate properly through the NCC’s NAT.
SIP (Session Initiation Protocol) is an application-layer protocol that can be used to create voice and multimedia sessions over Internet.
Go to SIP ALG in the Firewall > Configure > Firewall settings screen to access this screen. Use this screen to turn the ALG off or on, configure the port numbers to which they apply, and configure SIP ALG time outs.
*If the NCC provides an ALG for a service, you must enable the ALG in order to use the application patrol on that service’s traffic.
Firewall > Configure > Firewall settings: SIP ALG
The following table describes the labels in this screen.
Firewall > Configure > Firewall settings: SIP ALG 
Label
Description
SIP ALG
Turn on SIP ALG to detect SIP traffic and help build SIP sessions through the Nebula Device’s NAT. Enabling the SIP ALG also allows you to use the application patrol to detect SIP traffic and manage SIP traffic bandwidth.
SIP Signaling Port
If you are using a custom UDP port number (not 5060) for SIP traffic, enter it here. Use the Add icon to add fields if you are also using SIP on additional UDP port numbers.
ADVANCED OPTIONS
Click the arrow to show the fields for setting the SIP inactivity timeout and restrict peer-to-peer connection.
SIP Inactivity Timeout
Select this to have the Nebula Device apply SIP media and signaling inactivity time out limits. These timeouts will take priority over the SIP session time out “Expires” value in a SIP registration response packet.
SIP Media Inactivity Timeout
Use this field to set how many seconds (1 – 86400) the Nebula Device will allow a SIP session to remain idle (without voice traffic) before dropping it.
If no voice packets go through SIP ALG before the timeout period expires, the Nebula Device deletes the audio session. You cannot hear anything and you will need to make a new call to continue your conversation.
SIP Signaling Inactivity Timeout
Most SIP clients have an “expire” mechanism indicating the lifetime of signaling sessions. The SIP user agent sends registration packets to the SIP server periodically and keeps the session alive in the Nebula Device.
If the SIP client does not have this mechanism and makes no calls during the Nebula Device SIP timeout, the Nebula Device deletes the signaling session after the timeout period. Enter the SIP signaling session timeout value (1 – 86400).
Restrict Peer to Peer Signaling Connection
A signaling connection is used to set up the SIP connection.
Enable this if you want signaling connections to only arrive from the IP addresses you have already registered with. Signaling connections from other IP addresses will be dropped.
Restrict Peer to Peer Media Connection
A media connection is the audio transfer in a SIP connection.
Enable this if you want media connections to only arrive from the IP addresses you registered with. Media connections from other IP addresses will be dropped.
Advanced Settings
Click the Advanced column in the Firewall > Configure > Firewall settings screen to access this screen.
Firewall > Configure > Firewall settings: Advanced
The following table describes the labels in this screen.
Firewall > Configure > Firewall settings: Advanced 
Label
Description
Preset
Select Default to use the pre-defined settings, or select Custom to configure your own settings.
Timeout
Specify the timeout period (between 1 and 300 seconds) before the Nebula Device disconnects from the server. In this case, user authentication fails.
A search timeout occurs when either the user information is not in the servers or the server is down.
Case-Sensitive User Name
Click ON if the server checks the case of the user name. Otherwise, click OFF to not configure your user name as case-sensitive.
Group Membership Attribute
Enter the name of the attribute that the gateway checks to determine to which group a user belongs. The value for this attribute is called a group identifier; it determines to which group a user belongs. You can add ext-group-user user objects to identify groups based on these group identifier values.
For example, you could have an attribute named “memberOf” with values like “sales”, “RD”, and “management”. Then you could also create an ext-group-user user object for each group: one with “sales” as the group identifier, another for “RD”, and a third for “management”.
LDAP-only Fields
Login Name Attribute
Enter the type of identifier the users are to use to log in. For example “name” or “email address”.
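To make the interplay of the Case-Sensitive User Name, Group Membership Attribute and Login Name Attribute settings concrete, here is an added example (not Zyxel's code) that walks the documented “memberOf” / “sales”, “RD”, “management” scenario over a constructed in-memory directory. The directory entries, the ext-group-user names and the attribute names are sample values; a real AD or LDAP lookup returns the same kind of attribute map, and the matching logic is what the settings on this screen control.

```python
from typing import Optional


def find_user(directory: list[dict], login_attribute: str, login: str,
              case_sensitive: bool) -> Optional[dict]:
    """Locate the entry whose login attribute equals login.

    case_sensitive mirrors the Case-Sensitive User Name switch: when OFF the
    comparison is folded to lower case on both sides.
    """
    for entry in directory:
        value = entry.get(login_attribute)
        if value is None:
            continue
        if (value == login) if case_sensitive else (value.lower() == login.lower()):
            return entry
    return None


def groups_for(entry: dict, group_attribute: str, ext_group_users: dict[str, str]) -> list[str]:
    """Map the entry's group identifiers to ext-group-user objects.

    ext_group_users maps an ext-group-user object name to the group identifier
    it was created with (e.g. "ext-sales" -> "sales").
    """
    values = entry.get(group_attribute, [])
    if isinstance(values, str):       # single-valued attribute
        values = [values]
    return [name for name, ident in ext_group_users.items() if ident in values]


def lookup(directory: list[dict], login: str, *, login_attribute: str,
           case_sensitive: bool, group_attribute: str,
           ext_group_users: dict[str, str]) -> Optional[list[str]]:
    """None if the user is not found, otherwise the matching ext-group-user names."""
    entry = find_user(directory, login_attribute, login, case_sensitive)
    if entry is None:
        return None
    return groups_for(entry, group_attribute, ext_group_users)


# Constructed sample directory and ext-group-user objects (not real accounts).
DIRECTORY = [
    {"name": "alice", "mail": "alice@example.test", "memberOf": ["sales", "management"]},
    {"name": "Bob",   "mail": "bob@example.test",   "memberOf": "RD"},
]
EXT_GROUP_USERS = {"ext-sales": "sales", "ext-rd": "RD", "ext-mgmt": "management"}

if __name__ == "__main__":
    for login, cs in [("alice", False), ("bob", True), ("bob", False)]:
        groups = lookup(DIRECTORY, login, login_attribute="name", case_sensitive=cs,
                        group_attribute="memberOf", ext_group_users=EXT_GROUP_USERS)
        print(f"{login!r} case_sensitive={cs}: {groups}")
```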
RADIUS-only Fields
NAS IP Address
Enter the IP address of the NAS (Network Access Server).
NAS Identifier
If the RADIUS server requires the Nebula Device to provide the Network Access Server identifier attribute with a specific value, enter it here.
Close
Click this button to exit this screen without saving.
OK
Click this button to save your changes and close the screen.