NEC ZA-SA3500G, Function Manual

Page 1: ...SA3500G Function Manual 1th edition October 2018 NEC Platforms Ltd Explained based on the target firmware Ver 5 0 10 Model Name ZA SA3500G ...

Page 2: ...t 20 1 13 Precaution for Data and Wireless LAN Security 21 2 About the Product 22 2 1 Overview 22 2 2 Features 23 2 3 Product Specification 24 2 3 1 Product Exterior 24 2 3 2 Basic Specifications 26 2 3 3 Lamp Indicator 28 2 3 4 Device Label 31 2 4 Components 32 3 Function Specification 33 3 1 Protocol Stack 36 3 1 1 Bridge Mode 36 3 1 2 Router Mode 37 3 2 Installable Network 38 3 2 1 Bridge Mode ...

Page 3: ...ing Network Reachability by Ping Transmission 84 3 4 8 Network Route Confirmation by Sending Traceroute 84 3 4 9 Self Diagnosis Function 84 3 4 10 Packet Dump Function 84 3 4 11 Event Log 85 3 4 12 Logout Function 86 3 4 13 SNMP 87 3 4 14 Home IP Location Function 89 3 5 Bridge Mode Function 90 3 5 1 Physical Interface Specification 90 3 5 2 IP Address 91 3 5 3 IPv4 Static Routing Function 91 3 5 ...

Page 4: ...119 4 1 2 Installation Place 119 4 1 3 Installation Procedure 120 4 2 Using the Anti theft Hook 121 4 3 Connection of Cables 122 5 Setting Setting Confirmation 123 5 1 Account 124 5 2 Setting Flow at Initial Startup 125 5 2 1 Bridge Mode Operation 125 5 2 2 Router Mode Operation 131 5 2 3 Activation 136 5 3 Setup Screen Configuration 138 5 4 Login 139 5 5 Save Settings 141 5 6 Maintenance Setting ...

Page 5: ...92 5 7 11 DNS Server Setting 194 5 7 12 IPv4 Statistic Routing Setting 196 5 7 13 Ethernet Port Setting 198 5 7 14 ICMP Redirect Message Setting 198 5 7 15 Cloud Service Setting 199 5 7 16 IPsec Setting 208 5 7 17 Packet Filter Entry Setting 236 5 7 18 MAC Address Filtering Setup 238 5 7 19 SNMP Agent Setting 238 5 7 20 Access Web Setting Management 241 5 7 21 Time Setting 241 5 7 22 Save and Rest...

Page 6: ...ork Information Bridge Mode 299 6 1 2 Confirmation of Firmware Version and Network Information Router Mode 301 6 1 3 Security Scan Function Status 304 6 1 4 Routing Table 306 6 1 5 BGP Peer Status 308 6 1 6 DHCP Leased Address Wi Fi and ARP Table Information 311 6 1 7 IPsec SA Information 313 6 1 8 Statistical Information of IPsec Tunnel Traffic 316 6 1 9 SNMP MIB Information 318 6 1 10 Event Log ...

Page 7: ...P is Not Transferred in Bridge Mode 348 7 1 19 Cannot Connect to Remote Desktop 348 7 1 20 To Access the Web Setting of this Product from a Remote PC 350 7 1 21 Cannot Access a Specific Site 351 7 1 22 Specific Application Cannot Communicate 351 7 1 23 Unknown Log is Outputted to Security Log 351 7 1 24 Attachment of Received Email Cannot be Opened 351 7 1 25 Device Authentication with MAC Address...

Page 8: ...t contact us 4 We assume no responsibility whatsoever for pure economic losses such as damage incurred from miscommunication resulting from external causes such as malfunction of this product user mishandling natural disasters faults and power outages 5 Note that we shall not be responsible for any damage resulting from security problems if no security measures are in place or the specification is...

Page 9: ...carried out with other devices with the same configuration as this product The standard values may not indicate the actual data transfer rate The interconnectivity of this product with third party products is not guaranteed Wireless LAN transmission distance and speed varies greatly depending on objects such as walls and furniture ...

Page 10: ...M methods 4 Assumed interference distance of 40m or less It means all bandwidth can be used and the bandwidth of mobile identification device can be avoided When this product is used with 2 4GHz band and the channel is set manually the following content is recommended by the ARIB standard of Association of Radio Industries and Businesses When using this equipment with 2 4GHz band it is recommended...

Page 11: ...t was connected will be disconnected In addition for metered billing contracts communication cost may be incurred due to software downloads and speed limit may occur due to packet transmission excess Communication costs incurred will be charged to the customer In this function among the information related to this product we notify the server of the minimum required device and network information ...

Page 12: ...t is assumed that the customer has agreed with the terms of use Home IP location function is a function to enable the customer to access this product more conveniently from the Internet by Home IP Location name This function is enabled in the following cases Set to router mode Initial value Bridge mode Global IP address is assigned to the WAN Maintenance upgrade function is ON Initial value ON Hom...

Page 13: ...otification 4 Change in terms Terms may be revised without prior notice 4 Handling of device information Our server will be notified of this product s device information necessary for this function 1 Notified device information This product s device information used by the customer This product s network information used by the customer 2 Purpose of available information Customer s device informat...

Page 14: ...product vi Provide all or part of this software separately from this product vii Use this software to develop software application for customer s business viii Using the licensed product in other usage such as life support systems implants nuclear facilities and systems or any othe application in which a failure can lead to death or cause catastrophic property damage ix Make a third party execute ...

Page 15: ...hall be the amount equivalent to the price of the licensed product considering the Product paid by the customer 7 Third party Software This software includes software components licensed from third parties The provisions of this contract are not applicable to these software components and their respective license conditions shall apply For the details of these software and their terms of use pleas...

Page 16: ...Microsoft Corporation in the United States and other countries Microsoft Azure is a registered trademark of Microsoft Corporation in the United States and other countries OSX and Safari are trademarks of Apple Inc registered in the United States and other countries Internet Explorer is a registered trademark of Microsoft Corporation in the United States and other countries Bluetooth is a registere...

Page 17: ...ock or malfunction may occur Do not scratch damage or modify the power cord Also do not forcibly bend pull twist or tie the cord Otherwise a fire or electric shock may occur If the power cord is excessively pressed or heated up the cord may be damaged and a fire and electric shock may occur Do not use an overloaded multi plug adapter Otherwise the multi plug adapter may heat up and be degraded and...

Page 18: ...ine communications devices calculation systems etc Otherwise this may cause death or serious injury and panic may also occur Do not disassemble or convert this product Otherwise a fire electric shock or malfunction may occur Do not operate or connect this product with wet hands Otherwise an electric shock may occur Do not use flammable gases such as an air duster or dust spray inside or around thi...

Page 19: ...es such as storage racks bookshelves and boxes Placing this product on a carpet and a mat Covering this product with a tablecloth etc Do not stack this product Stacking this product may cause a fire because of overheating inside this product When using in the vertical position always use the stand provided and ensure that there is enough space at either side of this product POWER SUPPLY When using...

Page 20: ...or may occur if this product and the wireless LAN terminal are very close to each other Keep this product at least a meter away from other devices RESTRICTIONS Do not drop or hit this product Otherwise it may malfunction Do not leave this product in a cold place such as an ice warehouse Otherwise this product may operate abnormally Disconnect all cords before moving this product Otherwise it may m...

Page 21: ...iscover IDs passwords credit card numbers emails etc Unauthorized intrusion Some malicious computer users may access personal or office networks to gain personal or confidential information and send out false data Also they may intercept communication content rewrite it and then send it out Furthermore they may send out computer viruses to destroy data and systems Wireless LAN products already hav...

Page 22: ...s the overview and specification of this product 2 1 Overview A device which takes pride in its high speed transmission implements security scan function that can process at high speed It is a security appliance for small and medium sized businesses SMBs that enables construction of high network security while enabling high speed transmission It is suitable for customers who want to improve securi...

Page 23: ...sed as a simple RADIUS server To prevent unauthorized devices from connecting to the company LAN authentication can be provided It is unnecessary to build a separate server for authentication and have a secure connection environment at low cost Notification function When a threat is detected a license expiration warning or a firmware update is required it can be displayed on the Web browser on the...

Page 24: ...24 About the Product 2 3 Product Specification 2 3 1 Product Exterior Perspective view Bottom view When the stand is installed ...

Page 25: ... ALERT2 lamp USB port WPS switch WAN port WAN port status indicator lamp LAN port LAN port status indicator OPT1 switch INFO lamp OPT1 lamp OPT2 lamp Antenna connector Not support Anti theft hook AC adapter connector RESET switch OPT2 switch Front view Back view ...

Page 26: ...nnector Number of ports 1 port Type USB2 0 Bus Power support 500mA power supply Lamp Function display 3 colors Green Red Orange x8 POWER NETWORK WIRELESS ALERT1 ALERT2 INFO OPT1 OPT2 LAN WAN status display LAN Link ACT status indicator Green x4 WAN Link ACT status indicator Green x1 Switch Push switch RESET OPT1 OPT2 WPS Operating conditions Temperature 0 to 40 Humidity 10 to 90 With no condensati...

Page 27: ...face For the setting items refer to Section 5 6 6 MAC address filtering Wired LAN terminal 60 entries For the setting items refer to Section 5 6 7 Wireless LAN terminal 60 entries Number of IPv4 static routing tables 50 entries For the setting items check the Section 5 7 12 NAT entry port mapping entry 50 entries For the setting items see Section 5 7 10 Individu al permissi on of security scan fun...

Page 28: ... Link is established in neither WAN port nor LAN port NETWORK At router mode Illuminating in green IP address has been acquired Blinking in green Processing IP address acquisition OFF Link is not established in WAN port WIRELESS Illuminating in green Wireless LAN communication is available Blinking in green During sending and receiving of data Blinking in orange Wireless LAN is being set WPS Blink...

Page 29: ...PT1 2 Illuminating in green IPsec including cloud service connection communication is available IPsec tunnel has been established Illuminating in orange Processing IPsec including cloud service connection connection IPsec tunnel has not been established OFF IPsec including cloud service connection is not used OPT2 Illuminating in orange USB storage is available Illuminating in green USB is availab...

Page 30: ...mitting and receiving data OFF LAN port link is not established 1 ALERT1 lamp lights blinks orange for threats related to the Antivirus AV and Web Guard WG functions Even if this lamp is lit or flashing orange the threat has already been removed 2 IPsec is a router mode function Note All lamps light up green when the power supply is turned on until before the system starts The flashing cycle of th...

Page 31: ... About the Product 31 2 3 4 Device Label Sample Product Type ZA SA3500G 1B ...

Page 32: ...Stand Ethernet cable Straight about 2m AC adapter AC power cord Terms and Conditions Rubber footing 4 pieces Stand screw 1 piece Always use the included AC adapter and power cord on this product Moreover do not use the AC adapter on other products It may cause fire electric shock or malfunction ...

Page 33: ...ctions Transparent bridge function Router function NAT NAPT DHCP client DHCP server PPPoE IP packet filtering IPsec IKEv1 IKEv2 MAC address filtering Cloud service setting Maintenance functions Network setting confirmation Firmware update Save and restore setup values Initialization of setting HTTP proxy server SNMPv1 SNMPv2c Packet dump Management function Device management Device map Simple RADI...

Page 34: ...nded scan Intrusion Prevention System IPS Web Guard WG URL Filter UF URL Keyword Filter KF Application Guard APG Security Log Mail Notification PATLITE Statistics Threat detection LED indication Device Management Device Map Simple RADIUS Function Maintenance Function Firmware update Maintenance upgrade Scheduled upgrade Manual firmware update Online upgrade Manual firmware update Specify local fil...

Page 35: ...unction IPv4 Static Routing NAPT PPPoE DHCP Client DHCP Server Proxy DNS IPsec IKEv1 IKEv2 SNMPv1 SNMPv2c Home IP Location Function Cloud Service Setting Wireless LAN Function Wireless Automatic Setting Function WPS Wireless encryption Multi SSID function Network Isolation Information Display Function Device Status Device Information Routing Table BGP Peer State VPN Status VPN Statistics MIB Infor...

Page 36: ... PHY PHY Air PHY PHY PHY Node SA3500G Node Detection target of the security scan function is an IPv4 or IPv6 packet Supports IPv4 over PPP over PPPoE IPv6 over PPPv6 over PPPoE frames Only some of the security scan functions support SSL TLS packets IP in IP packet supports the following types IPv4 in IPv6 IPv6 in IPv4 Bridge frame APL APL IPv4 IPv6 IPv4 IPv6 VLAN PPP etc MAC Relay Frame forwarding...

Page 37: ...EE802 11 MAC PHY Air PHY PHY Air PHY PHY PHY Node SA3500G Node When PPPoE is used APL Scan function APL IPv4 IPv4 IPv4 IEEE802 1 Bridge IEEE802 1 Bridge PPP PPP IEEE802 3 MAC IEEE802 3 MAC IEEE802 3 MAC IEEE802 11 MAC IEEE802 3 MAC IEEE802 11 MAC PHY Air PHY PHY Air PHY PHY PHY Node SA3500G Node Detection target of the security scan function is an IPv4 packet Only some of the security scan functio...

Page 38: ...d update of firmware For the port used by the URL filtering function see section 3 3 10 TCP Port 443 HTTPS UDP Port 53 DNS UDP Port 67 DHCP Obtain IP address automatically UDP Port 123 NTP Time adjustment UDP Port 500 ISAKMP IPsec function and cloud service connection UDP Port 4500 ISAKMP TCP Port 179 BGP Protocol 50 ESP Protocol 1 ICMP When using self diagnosis function The WAN LAN port of this p...

Page 39: ...o connect to the Internet using the IPv4 protocol VLAN is used Install this product outside the VLAN network Terminal is IEEE802 1X certified Install this product outside the IEEE802 1X certified network This product does not transmit EAPoL EAP frame Refer to Section 8 1 for the network connection configuration examples This product inspects IPv6 packets only in bridge mode For some restrictions o...

Page 40: ...IPv6 network only To operate this product it is necessary to be able to connect to the Internet using the IPv4 protocol UPnP is used This product does not support UPnP VLAN is used Install this product outside the VLAN network Terminal is IEEE802 1X certified Install this product outside the IEEE802 1X certified network This product does not transmit the EAPoL EAP frame VPN is used Set up this pro...

Page 41: ... Filter UF URL Keyword Filter KF and Application Guard APG There is also a function to leave detection information in the log without interrupting communication at the time of threat detection Use this to check only the threat situation of the environment However since it does not block operation use it after considering the security policy of the environment 3 3 2 Scanned Traffic Scanned traffic ...

Page 42: ... traffic of each terminal Therefore the processing performance of this product might decrease when the number of terminals increases 3 3 4 Working with the Server This product does the following in cooperation with the server File Description Supplementary License This product s security scan function license When connected to the Internet for the first time this product accesses the license serve...

Page 43: ...activation begins 4 When the activation is complete and the security scan function is available the Alert2 lamp will turn off and the product will enable the bridging operation routing function 5 Refer to Section 5 2 3 for the activation operation 4 Orange ALERT2 lamp indicates that the activation process is not finished 5 The updated signature information of this product is regularly confirmed af...

Page 44: ...ing of the license is executed at the same time 3 The ALERT2 lamp is turned off when the startup of the security scan function is completed and this product enables the bridging routing operation 4 The updated signature information is regularly confirmed after this 6 Green ALERT2 lamp indicates that the security scan function is disabled Product Server Security scan function is enabled IP setup Co...

Page 45: ...r of terminals connected to the product is displayed as 0 Section 5 9 2 Device Management Automatic addition of device managed devices stops There is no device available to add will be displayed in the access history Section 5 9 3 Status of the security scan function The information column is in the signature version display of the security function Regular update of the signature stops Section 6 ...

Page 46: ... red and the user will be informed that the license expiration is approaching When purchasing an additional license 1 year it is necessary to include the product s production number device ID and license expiration date in the Special Purchase application form Additional License 1 year confirmation of license expiration date after purchase After the purchase of an additional license 1 year we will...

Page 47: ...ck Smurf attack and IP spoofing attack Behavior of operation and notification when threat is detected Operation during detection How to notify during detection How to cancel detection state Unauthorized access from outside is blocked as well as log output Log is displayed in the security log It is necessary to view it in Web setting How to stop the security function Stopping the operation of the s...

Page 48: ...sed file Detection targets Virus spyware Trojan horse and worm Protocols to be detected Protocol Description HTTP Port number to be detected 1 65535 HTTP detection method GET upstream downstream POST upstream FTP Port number to be detected 20 21 SMTP Port number to be detected 25 587 Encoding to be detected base64 quoted printable Uuencode File format to be detected eml POP3 Port number to be dete...

Page 49: ...can be set Behavior of operation and notification when threat is detected In case of block setting Operation during detection How to notify during detection How to cancel detection state Virus mixing file is cleaned ALERT1 lamp 1 blinking orange 60 seconds orange lights up Log is displayed in the security log It is necessary to view it in Web setting E mail notification 2 Lamp display of PATLITE d...

Page 50: ...er to Section 5 8 4 Extended scanning When the extended scanning is enabled the following files not covered by signature are scanned Files for extended scanning doc doc x ppt x xls x msi pdf bat cmd com vbs wsf js Extended scan transmits the calculated value from the target file to the database server and performs the scanning process on the database server As a result packet transfer speed may be...

Page 51: ...played in the security log It is necessary to view it in Web setting Mail notification 2 Lamp display of PATLITE device 2 1 When an illegal protocol is detected log message is outputted without cutting off the communication Illegal protocol refers to the communication that is not completely in accordance with the TCP IP protocol among the communication where the threat is not detected Since there ...

Page 52: ...the function temporarily using the following method Stopping the operation of the security function increases security risk Therefore stop the function after confirming your risks and responsibility How to stop Remarks Remove the check on Enable Intrusion Prevention from Intrusion Prevention setting Refer to Section 5 8 5 ...

Page 53: ...ite access to the concerned website is intercepted according to the following Type of Traffic Description HTTP traffic GET The screen Page Forbidden Category Malicious Website is displayed HTTP traffic POST Communication to the concerned website is blocked HTTPS traffic GET POST SSL handshake with the concerned website fails Protocol to be detected Protocol Description HTTP Port number to be detec...

Page 54: ... display by closing the browser 1 It notifies similarly as the Antivirus function during detection Therefore check the security log to see which either function detection 2 HTTPS block display is different depending on the browser In case of the sample display the browser is Internet Explorer 11 3 It must be set from Web setting Log only setting Operation during detection How to notify during dete...

Page 55: ...PS traffic it refers only to the host part of URL Do not refer to the path part From this difference the detection result is the same when the host part is the same even if the path part is different for HTTPS traffic while the result may be different for different paths even if the host part is the same traffic for HTTP ...

Page 56: ...egory is detected and access to the concerned website is blocked Type of Traffic Description HTTP traffic The URL host name and path name are used to determine whether traffic is to a dangerous website HTTPS traffic The URL host name is used to determine whether traffic is to a dangerous website When it is determined it is traffic to a website of a specified category access to the concerned websit...

Page 57: ...isplay of blocked HTTPS 2 Log is displayed in the security log It is necessary to view it in Web setting E mail notification 3 Lamp display of PATLITE device 3 Cancel blocked display browser by closing the browser Safety unconfirmed Access to concerned website is intercepted Page Forbidden is displayed in the browser Sample display of unconfirmed safety Close the blocked display browser and access...

Page 58: ...st and path parts of the URL For this product for HTTPS traffic it refers only to the host part of the URL It does not refer to the path part From this difference the detection result is the same when the host part is the same even if the path part is different for HTTPS traffic while the detection result may be different for different paths even if the host part is the same traffic for HTTP Categ...

Page 59: ... the Entertainment site category is blocked 12 Instant Messaging Selected automatically when the SNS site category is blocked 13 Dating Selected automatically when the Adult site category is blocked 14 Social Network Selected automatically when the SNS site category is blocked 15 Web Chat Room Selected automatically when the SNS site category is blocked 16 Shopping and Auction Selected automatical...

Page 60: ...omputers and Information Technology 42 Business and Service 43 Reference and Research 44 Education 45 Military and Weapons 46 Politics and Government 47 Associations and Charitable Organizations 48 Travel 49 Food and Drink 50 Home and Garden 51 Health and Medicine 52 Religion and Numerology 53 Sports 54 Automobile and Vehicles 55 Job Search 56 News and Media 57 Forums and Newsgroups Selected autom...

Page 61: ...lence is blocked HTTPS Make sure that the keyword is included in the host name of the URL It does not judge even if the path name contains the keyword example com is set as keyword https example com is blocked violence is set as keyword https example com violence is not blocked When the corresponding character string is included in the URL the access to the concerned website is blocked according t...

Page 62: ...ted Block setting Operation during detection How to notify during detection How to cancel detection state Access to a website that contains a keyword in its URL is blocked It is displayed in the browser that it has been blocked Sample display of blocked HTTP Sample display of blocked HTTPS 1 Log is displayed in the security log It is necessary to view it in Web setting Mail Notification 2 Lamp dis...

Page 63: ...marks Stop by using either of the following methods Delete the keyword set at Keyword List with the Delete button from URL Keyword Filter setup Refer to Section 5 8 8 Remove the check on Enable Keyword Filter from URL Keyword Filter setup to disable it Refer to Section 5 8 8 ...

Page 64: ...lock setting Operation during detection How to notify during detection How to cancel detection state Communication of a specific application and protocol is blocked Log is displayed in the security log It is necessary to view it in Web Setting Mail Notification 1 Lamp display of PATLITE device 1 1 It must be set at Web setting Log only setting Operation during detection How to notify during detect...

Page 65: ... The POWER lamp blinks orange while saving log files so do not turn off the power supply Other than the abovementioned a log file is saved depending on the timing of device restart by Web setting operation In case of a power outage and power cutoff the log message that was not saved in memory is lost Web setting operation 1 000 worth of log messages from the most recent can be confirmed at Web set...

Page 66: ... mail is sent to administrator and user B Notification timing During Antivirus AV detection During Intrusion Prevention System IPS detection When Web Guard WG threat is detected When URL Filter UF threat is detected When URL Keyword Filter KF threat is detected During Application Guard APG detection When firmware update is detected When the license expiration date expires 60 days before the expira...

Page 67: ...t Administrator User Threat detection Guarded by AV WG UF KF and APG When an event occurs Lighting of ALERT1 lamp when the unit restarts is not included Guarded by IPS When an event occurs License information License expiration is near 60 days before 1 When license expiration becomes near while the device is in operation 2 License expiration is near when the device starts 3 After executing the abo...

Page 68: ...rwarded For IP address Date date Subject subject From from To to Device LAN terminal Protocol Threat detected protocols in AV function Comment Comment on device management screen setting item Threat detection WG KF SA3500G Blocking Report Blocked the following threat Type Function URL url Time yyyy mm dd hh mm ss Device IP address MAC Comment X Forwarded For IP address Type WG KF Device LAN termin...

Page 69: ...nse information Expire date SA3500G Information License expired DeviceID xxxx Firmware update SA3500G Information Release new firmware DeviceID xxxx Ver x x x Monthly report SA3500G Monthly Report yyyy mm reports Device Information DeviceID xxxx Statistics AV block count scan count IPS block count scan count WG block count scan count UF block count scan count KF block count scan count APG block co...

Page 70: ...ve it empty Subject The title of the threat detected mail Described in the case of SMTP POP3 IMAP protocol If the value is empty leave it empty From Source email address Described in the case of SMTP POP3 IMAP protocol If the value is empty leave it empty To Destination email address Described in the case of SMTP POP3 IMAP protocol If the value is empty leave it empty Even if To is undisclosed rec...

Page 71: ...unt Historical average Number of blocks 1 News Media 1000 800 0 2 Blog personal site 900 300 0 3 Sports 400 500 400 4 Computer IT 300 600 0 5 Gambling Lottery 200 20 0 Application Top 5 Applications No Category Access count Historical average Number of blocks 1 Google Drive FileTransfer 1000 800 0 2 Outlook com DataFlow 900 300 900 3 Skype for Buisiness Login Me 400 500 0 4 App 300 600 300 5 Trans...

Page 72: ...5 minutes when threat is detected PATLITE is optional Red lights up Red lights up in case of a five color display PATLITE Tested PATLITE products 9 NHS FV1 NHP FV1 NHL FV1 NHS FB1 NHP FB1 NHL FB1 PHN 3FBE1 Setup method Set the IP address port number and communication protocol TCP UDP of PATLITE on this product Refer to Section 5 9 4 for the details of PATLITE setting 9As of October 2018 ...

Page 73: ...raffic flow scanned by IPS function Number of blocked flows Number of traffic flow intercepted by IPS function Web Guard WG Number of scanned URLs Number of URL scanned by WG function Number of blocked URLs Number of URL intercepted by WG function URL Filter UF Number of scanned URLs Number of URL scanned by UF function Number of blocked URLs Number of URL intercepted by UF function Number of acce...

Page 74: ...for the system time of this product 3 3 17 Threat Detection When detecting a threat such as a virus the ALERT1 lamp lights up orange to indicate that a threat has been detected It is a function to notify when a threat is detected and the security scan function keeps operating in this state Target function When the Antivirus function detected a virus When the Web Guard function blocked traffic Oper...

Page 75: ...P addresses on the network The device management method should be selected at the beginning of the operation of the product See Section 5 9 3 for the instructions on how to set it up Timing of update of terminal information This product detects communication with the WAN of the wired LAN port or the terminal connected to the wireless LAN and displays it on the device management screen When the dev...

Page 76: ...l can be selected from the Web setting and check the detailed information of the selected terminal Communication with a wired LAN port or a terminal connected to a wireless LAN can be detected and visually displayed Terminal information update timing The terminal that communicated from the wired LAN port or wireless LAN to the WAN port is detected and displayed on the device map Communication betw...

Page 77: ...rtificates after user registration Up to 20 external RADIUS clients can be registered when this product is operated as a RADIUS server The maximum number of users that can be registered in this product is 200 users Up to two client certificates can be issued per user account When the wireless LAN function of this product is enabled and the encryption mode is set to 802 1x EAP this product will ope...

Page 78: ...e two kinds of firmware update operation of maintenance upgrade function Update the firmware of this product at the time set on the Web setting Let the INFO lamp light orange to indicate that updated firmware exists in the server In the firmware update operation this product restarts so the network where this product is installed will be shut down for about 3 minutes It is recommended to set the t...

Page 79: ...started up Product Server Power supply ON Startup check Information notification New firmware available INFO lamp is Press OPT2 switch Regular check Information notification INFO lamp is blinking orange Acquiring firmware Firmware writing POWER lamp is orange Device restart INFO lamp OFF IP setup Random period 0 60 minutes Random period Random period of 3 5 10 5 days but may change Check when devi...

Page 80: ... 10 1 for the operating procedures Note If necessary initialize after saving the following information to a computer Setting values set at Web setting Log message statistical information and event log of the security scanning function Refer to Section 3 4 3 for the procedure to save Switch between bridge mode and router mode refer to Section 5 6 17 or 5 7 28 Firmware version down see Section 5 6 1...

Page 81: ...ting Saved at the Save and restore setting values screen of the Web setting Refer to Section 5 6 12 Log message and statistical information of security scan function Saved at the Security log Statistics information screen of the Web setting see Sections 6 1 11 and 6 1 12 Event log and device status information Saved at the Event Log Maintenance Function Packet dump screen of the Web setting see Se...

Page 82: ...et by either method use the NTP function When the time is set directly at Web setting without using the NTP function the time needs to be set every time this product is started Note When this product is started the device time is 2015 11 14 00 00 00 JST Refer to Section 5 6 11 for the time setting of this product If the time of the product is incorrect the security scan function may not work Use t...

Page 83: ...ransmitted in the following manner When the communication with the NTP server fails it will initially retry in 15 seconds The number of retries is 5 times and the retry interval is the previous time doubled Afterwards it retries every 60 minutes The retry interval is as follows 15 30 60 120 240 3600 3600 seconds Device startup System start complete IP address Random period of 60 seconds Product NT...

Page 84: ...ange the IPv4 static routing setting in the environment where this product is used 3 4 9 Self Diagnosis Function The self diagnosis function is a function to check whether this product is in normal operation state It is used to isolate problems caused by settings and network configuration of this product Communication status to check Connection status on the WAN Setting status of this product Comm...

Page 85: ...orage is 200 Mbytes If the log storage is exceeded the old log is deleted and the new log is saved While saving the log file the POWER lamp blinks orange do not turn off the power In addition to the above save the event log file to the memory during restart of the device by Web setting operation In case of power failure event log files not saved in memory will be lost Web setting operation 1 000 e...

Page 86: ... parties while they are away The automatic logout time can be changed For the setting method refer to Section 5 6 10 Logout timing When the Logout button is clicked at the top right of the TOP screen Automatic logout when there is no operation for 30 minutes after operating the Web setting screen Click here to logout ...

Page 87: ...on can be sent to multiple SNMP managers Refer to the SNMP specifications for the trap information supported by this product Private MIB There is no information that can be acquired in the current version Information that can be acquired Supported MIB groups of RFC1213 MIB II are as follows System Interface Address Translation IP ICMP TCP UDP Transmission dot3 only SNMP ifMIB MIB Group Managed Inf...

Page 88: ...rmation Checking of MIB information Device MIB information can be retrieved through Web Setting Clearing SNMP statistical information Clears SNMP statistical information Use case In a configuration using SA3500G in addition to its own network SA3500G MIB information can be acquired and trap can be notified Trap notification conditions Cold start is notified after restarting by means restart operat...

Page 89: ...ue Enabled Home IP Location function is Enabled Initial value Disabled If the Home IP Location function is to be used check Section 1 8 Terms of Use of Home IP Location Function before enabling this function If the function is enabled it is assumed that the user has agreed with the terms of use Note Check the home IP location name at Web setting Refer to Section 6 1 2 The Home IP Location name is ...

Page 90: ...ollowing MAC frame does not pass through this product 01 80 C2 00 00 03 IEEE802 1X EAPoL Frame Caution This product discards the IP packet when any of the fragmented IP packets is not received 11 3 5 1 Physical Interface Specification The IP address is managed in synchronization with link up and link down of the physical interface The IP address to be used in this product s maintenance function is...

Page 91: ...h Web setting DHCP client DHCP client function is basically in accordance with RFC2131 and RFC2132 Also it supports the DHCP relay function It works on both LAN and WAN interfaces The supported messages are as follows Packet Direction DHCP Message Transmit DISCOVER REQUEST RELEASE DECLINE Receive OFFER ACK 3 5 3 IPv4 Static Routing Function Basic specifications This product supports IPv4 static ro...

Page 92: ...P address mask length Destination port number When protocol is TCP or UDP the destination port number can be specified Set the following filter setting according to the target packet for filtering IPoE PPPoE IPsec1 can be selected in router mode Target Packet for Filtering Target Interface Filter Type Direction IPoE LAN IPoE Transmission transmission packet in LAN IPoE out IPoE This product Sendin...

Page 93: ...in this product each for wired LAN and wireless LAN Use MAC address filtering in order not to access the Internet from unmanaged devices PC smartphone etc 3 5 6 Ethernet Port Setting Communication may become unstable unless the communication speed 10 or 100 or the communication mode full duplex or half duplex is not the same between the devices on the Ethernet LAN If a device such as a hub connect...

Page 94: ...et using the following methods At Web setting The IPV4 address acquired by DHCP is set It has the DNS cache function A RR and AAAA RR are cached The number of cached entries is at most 60 Cache time is up to 5 minutes When the TTL value is within 5 minutes caching is done according to the TTL value Additional operating specifications Resending is 3 times every 2 seconds A random value is used for ...

Page 95: ... in WAN LAN interface and released when all are link down This product s link down detection timing interface is immediate 3 6 2 IP Address IP address of this product is as follows Interface IP Address Remarks WAN Set by using either of the following methods Fixed setting Through Web setting Acquired by the DHCP client function Acquired by the PPPoE function Among the maintenance functions of this...

Page 96: ...able this function when ICMP redirect message transmission is unnecessary in customer s network For the IPv4 static routing setting refer to Section 5 7 12 3 6 4 IPv4 Packet Filtering Function description is same as bridge mode Refer to Section 3 5 4 3 6 5 MAC Address Filtering Function description is same as bridge mode Refer to Section 3 5 5 3 6 6 Ethernet Port Setting Function description is sa...

Page 97: ... Internal IP Address LAN interface IP address External IP Address WAN interface IP address Remote IP Address Destination IP address Protocol Source and destination port numbers are included NAPT session timer Initial values of the NAPT session timer are as follows TCP 3 600 seconds UDP 300 seconds ICMP 30 seconds Others 600 seconds The TCP UDP ICMP NAPT session timer values can be changed at Web s...

Page 98: ...be used in the ID and password are as follows Alphanumeric characters and symbols ASCII 0x20 0x7e 128 characters or less PPP Keepalive function can be enabled disabled PPPoE transmission timing During link down link up of the WAN interface When the WAN interface IP address is not set Specifications for resending the PADI frame are as follows Retransmission interval 5 seconds Number of retransmissi...

Page 99: ...e time 0 5 unicast 1 T1 unicast resend If the remaining time until T2 is at least 60 seconds it is sent by half REBINDING Lease time 0 875 broadcast 1 T2 broadcast resend If the remaining time until lease time is at least 60 seconds it is sent by half Transmission timing of DISCOVER message is as follows DISCOVER Transmission Timing Description At DHCP startup When there is no response 3 seconds a...

Page 100: ...ansmitting Resending is repeated twice and if there is still no response after 20 seconds processing is redone from DISCOVER If there is no response send in 3 seconds 3 seconds Return to DISCOVER processing when 23 seconds has lapsed RENEWING REBINDING Waits for ACK before sending the next REQUEST Note The WAN interface of this product cannot operate DHCP client and PPPoE functions at the same tim...

Page 101: ...255 0 Setting can be changed Router 3 192 168 110 1 Setting can be changed Domain Name Server 6 192 168 110 1 Set the IP address of the LAN interface when the NAPT function is enabled Domain Name 15 Blank User setting value is used Number of input characters 64 Input characters Alphanumeric characters and _ NetBIOS Name Server 44 Blank User setting value is used IP Address Lease Time 51 24 hours S...

Page 102: ...nected to the LAN wireless LAN interface it is sent to the DNS server Also when the DNS response packet from the DNS server is received it is transmitted to the terminal IP address of the DNS server is managed up to 2 addresses IP address of the DNS server is set using the following methods At Web setting IPv4 address acquired from DHCP is set IPv4 address acquired from PPPoE is set No DNS cache f...

Page 103: ...s an IPsec tunnel with the cloud server so that it can dynamically route it using BGP4 in order to access each site from the headquarters or to access the headquarters and other sites from each site By operating the BGP4 in an IPSec tunnel security and reliability is assured For the setting method of cloud service connection refer to Section 5 7 15 Contact the service provider to use the cloud ser...

Page 104: ...otocol has been clarified and is characterized by the support of authentication methods other than the pre shared key and protocol design considering fault tolerance Refer to Section 5 7 16 for the setting contents Note that the IKEV1 and IKEv2 are very different Encryption Tunnel mode that encrypts the entire IP packet using ESP Encapsulating Security Payload is supported IKEv1 Key exchange type ...

Page 105: ...agement Method IKEv2 requires a pre shared key for the device and a pre shared key setting for the remote device In the case of IKEV1 use a common pre shared key on local device and the remote device IKEv2 Sequence IKE_SA_INIT exchange IKE_SA negotiation and private key sharing IKE_AUTH exchange Peer authentication CHILD_SA negotiation Connection method To create an IPsec tunnel continuous and on ...

Page 106: ...Psec Operation Mode There are two kinds of operation modes policy based and route based Policy based IPsec communication is performed only for communications that satisfy the policy set on the IPsec setting screen Route based It creates a tunnel interface for IPsec and communicates with IPsec according to the routing setting of that interface The initial value on IPsec setting screen is policy bas...

Page 107: ...n In IPsec the sequence number is monitored and protects from replay attacks by discarding received duplicate packets The anti replay function is always enabled Others NAT NAPT simultaneous operation Split operation IPsec parameter list Item Function IKEv1 Key exchange method Automatic key Key exchange protocol IKEv1 Exchange type Main mode aggressive mode and quick mode Relationship of IKE SA and...

Page 108: ...y specification NAT traversal 1 session Commit bit Phase1 Aggressive mode only Phase2 Responder only IKEv2 Key exchange method Automatic key Key exchange protocol IKEv2 Authentication scheme Pre shared key method pre shared key Electronic certificate EAP MD5 Digital signature site only Supported Algorithm Encryption 3DES AES 128 AES 192 AES 256 Authentication HMAC MD5 HMAC SHA 1 HMAC SHA 2 256 PRF...

Page 109: ...versal 1 session Negotiation direction limitation both initiator responder IPsec Mode Tunnel mode Security protocol ESP Supported algorithm Encryption 3DES AES 128 AES 192 AES 256 NULL Authentication HMAC MD5 96 HMAC SHA 1 96 HMAC SHA 2 256 128 PFS 768bit group1 1024bit group2 1536bit group5 2048bit group14 Disabled Fragmentation method post fragment Send Receive pre fragment Send Receive SA IPsec...

Page 110: ... follows When remote ID of IKE Phase2 is registered a static route is automatically registered This route has priority over normal static routes For the route for the IKE Phase2 local ID since a static route is not registered automatically IPv4 routing setting must be added Although the abovementioned is about IKEv1 for IKEv2 IKE_AUTH exchange setting the same applies to local traffic and remote t...

Page 111: ...PA2 PSK AES 802 1x EAP Network Isolation Enable Disable switch Can only be set on router mode Number of concurrent wireless LAN terminal connections Less than 32 are recommended For the number of connected wireless devices and throughput the location of the product building structure and strength of incoming signal etc changes the performance of the client s wireless LAN SSID One primary SSID and ...

Page 112: ...selected This product has a dual channel function that achieves about twice the transmission rate by increasing the communication channel width being used from 20MHz to 40MHz for wireless LAN communication When the dual channel function is enabled select the following channels Control Channel Extension Channel 1 5 2 6 3 7 4 8 5 1 6 2 7 3 8 4 9 5 10 6 11 7 12 8 13 9 Encryption method The encryption...

Page 113: ... isolated Network isolation can be used in the router mode It is not supported in bridge mode By enabling the network isolation function of SSID2 the following network can be built SSID2 terminal can be accessed from a terminal connected to SSID1 and wired LAN Internet as well as this product s Web setting is accessible SSID1 wired LAN terminals are not accessible from SSID2 Web setting of this pr...

Page 114: ...ess LAN terminal compatible with WPS PBC and Wi Fi The WPS function can be enabled disabled through Web setting The WPS function cannot be used under the following conditions The wireless LAN function is disabled The MAC Address Filtering function is enabled The wireless encryption mode of primary SSID is set to TKIP or 802 1x EAP The ESS ID stealth function of the primary SSID is enabled ...

Page 115: ...only one partition Volume size does not exceed 2TB Has no encryption function 20 MB of free space Note OPT2 lamp flashes orange when USB storage is mounted on USB port If OPT2 lamp does not flash orange please confirm USB Device Requirements If the setting values are saved or restored succesfully OPT2 lamp flashes green If OPT2 lamp does not flash green please confirm USB Device Requirements If ot...

Page 116: ...f a USB device is connected to USB port OPT2 lamp flashes orange 3 Click the Save button on Web setting 4 Setting value is saved on USB storage 5 OPT2 lamp flashes green when the setting value is saved successfully If OPT2 lamp does not flash green please confirm USB Device Requirements Note When reading configuration files in USB storage on Windows PC the timestamp is UTC Only setting value can b...

Page 117: ... lamp flashes green When restoring setting value to an uninitialized device 1 Mount the USB storage where setting value is saved on USB port then OPT2 lamp flashes orange 2 Initialize setting value refer to section 5 6 13 then system restarts 3 The setting value is restored from the USB storage during device start up 4 OPT2 lamp flashes green when the setting value is successfully restored If OPT2...

Page 118: ...rding setting in the security scan basic setting Refer to Section 5 8 2 for the setting Also if this product cannot confirm the TCP handshake it will discard the packet of the TCP stream Refer to Section 5 8 2 for setting to cancel the TCP stream strict checking function 3 9 2 MAC Learning The aging timer of the learning table of the MAC address is 300 seconds Up to 256 entries are managed in the ...

Page 119: ... following warnings and precautions before setting Section 1 12 Safety Instructions Section 1 13 Preventing Damage to this Product Installation space This product should be installed and operated with a minimum separation of 7 cm 2 76 inch from any nearby wall or computer On all sides except the bottom Caution Do not store in a small place or close to the wall Heat may be confined inside and cause...

Page 120: ...ed to the side of the main unit Insert the stand into the mounting holes 2 Fasten the stand and the main unit with the attached stand screw 3 Attach the rubber feet at the back of the stand Caution Rubber feet are for temporary installation fix and do not guarantee immobility of the unit When adding an excessive load or when pulling a cable there is a danger of separating the unit from the install...

Page 121: ...ole for theft prevention This product is protected from theft by installing commercially available security wire The security wire may not fit the hook depending on the shape of its key Note the shape of the key in selecting the security wire Hole size of anti theft hook 7 W x 3 D x 1 6 H mm ...

Page 122: ... SA3500G to pass through For the details refer to Section 3 2 1 The WAN LAN port and various networking equipment of this product are connected by Ethernet cable at least category 5e The customer must prepare the Ethernet cable 2 Connect the computer 3 Connect the AC power cord to the AC adapter and then connect the AC adapter to the AC adapter connector 4 Plug the AC power cord into an outlet Aft...

Page 123: ... after initializing The wizard s operation mode selection is whether to operate this product on bridge or router mode Mode can be changed even when the wizard is not executed Supported Web browsers The operation of the Web browsers of the following OS has been confirmed Operating System Web Browser Version Remarks Windows 8 1 7 Internet Explorer 11 Google Chrome 68 Windows 10 Internet Explorer 11 ...

Page 124: ...ing Setting Confirmation 5 1 Account The login account for Web setting is as follows Type Description ID Password User account Web screen that the customer usually accesses admin No initial value User will set ...

Page 125: ...tion Set according to the following procedures 1 Connect the cables to this product Refer to Section 4 5 2 Set the IP address of the computer to set the product to 169 254 xxx xxx 16 xxx is an arbitrary integer from 1 254 Set the IP address except 169 254 254 11 3 Open a Web browser and access http 169 254 254 11 or https 169 254 254 11 4 Open setting wizard Set in the order STEP1 STEP2 STEP3 STEP...

Page 126: ...hanged to IP mode and then restart the Back button will not be displayed 7 STEP3 Set the IP address of the device Be sure to set it according to your environment Option Description IPoE DHCP Selected when the IP address14 of this product is acquired through DHCP IPoE Manual Select this when the IP address of this product is set manually Set the following when this item is selected IPv4 address net...

Page 127: ... Setting Setting Confirmation 127 When IPoE is selected automatic acquisition When IPoE manual setting is selected ...

Page 128: ...e with your security policy Check if packet forwarding is allowed even when the security scan function is disabled The initial value is unchecked The security scanning function may be disabled such as when the security license for this product expires In that case put a check for packet forwarding ...

Page 129: ... Setting Setting Confirmation 129 9 The Web setting login screen of this product will open enter user name and password User name admin Password Password set according to procedure 6 STEP2 ...

Page 130: ...he settings Refer to Section 5 5 15 Activate the product Refer to Section 5 2 3 Activation is executed only at initial startup 16 Confirm availability of new firmware with the online upgrade function If there is new firmware update the firmware Refer to Section 5 6 14 17 Restore the IP address of the computer Set it to its original settings If this is displayed in the screen the following can be c...

Page 131: ...x 16 xxx is an arbitrary integer from 1 254 Set the IP address except 169 254 254 11 3 Open a web browser and access http 169 254 254 11 or https 169 254 254 11 4 Open setting wizard Set in the order STEP1 STEP2 STEP3 STEP4 5 STEP1 Select the operating mode and the management mode of the device managed by this product Select router mode In router mode restart after this procedure Restart by clicki...

Page 132: ...his product is acquired through DHCP IPoE Manual Select this when manually setting the IP address of the WAN interface of this product When this item is selected set the following items IPv4 address netmask bit specification Gateway address IPv4 primary DNS IPv4 secondary DNS optional PPPoE Select this when acquiring the IP address of the WAN interface of this product with PPP When this item is se...

Page 133: ... Setting Setting Confirmation 133 When selecting IPoE automatic acquisition When IPoE manual setting is selected ...

Page 134: ... even when the security scan function is disabled The initial value is unchecked The security scanning feature may be disabled such as when the security license for this product expires In that case put a check for packet forwarding 9 The Web setting login screen of this product will open enter user name password User name admin Password Set password according to procedure 6 STEP2 ...

Page 135: ...er to Section 5 5 15 Activation the product Refer to Section 5 2 3 Activation is executed only at the initial startup 16 Confirm availability of new firmware with the online upgrade function If there is new firmware update the firmware Refer to Section 5 6 14 17 Restore the IP address of the computer Set it to its original settings If this is displayed in the screen the following can be considered...

Page 136: ...to Section 3 6 2 when router mode is to be used Execution of various settings of this product is recommended before the activation operation Operating procedure 1 Confirm that the lamps of this product are in the following state Ignore the lamps not described in the following POWER lamp green NETWORK lamp green or orange ALERT2 lamp orange 2 Hold down the OPT 1 switch security scan function switch...

Page 137: ...ting Confirmation 137 Note The license use start date is the date of successful activation or 31 days after delivery of this product whichever is earlier Activation cannot be canceled after activation is successful ...

Page 138: ...as follows Refer to the following sections for the Maintenance screen structure Bridge mode Section 5 6 1 Router mode Section 5 7 1 Login screen TOP page Security function setting Maintenance function setting Network topology setting The contents displayed on the screen vary depending on the operation mode ...

Page 139: ...169 254 0 0 mask 255 255 0 0 IP address assigned to PC For router mode access http 192 168 110 1 initial value in a web browser As in bridge mode the computer s IP address can also be set to 169 254 xxx xxx 16 1 and http 169 254 254 11 can be accessed through a web browser The Web settings can be accessed with HTTPS Use it if the access to the Web setting needs to be encrypted in the environment A...

Page 140: ...P address is changed return it to its original setting after the completion of the setting of this product By default the login screen cannot be accessed from the WAN port If access is required permission can be set with packet filter setting but be careful in terms of security ...

Page 141: ...linking in orange There is a setting value not saved in memory The Administrator password set during initial login at Web setting is automatically saved in memory The administrator password set at Change Administrator Password screen is not automatically saved in memory Security screen If the Save button is blinking orange it indicates that there is a setting not saved in memory Setting values set...

Page 142: ...blinking orange it indicates that there is a setting item not saved in memory The setting values set in the Security screen are also saved in memory The figure above is an example of the screen in bridge mode Location of the Save button is the same in router mode Save Button ...

Page 143: ...tenance Setting Bridge Mode View settings and information other than the security scan function of this product 1 Click Maintenance from the TOP page 2 Maintenance setup screen opens Click Save Button Navigation Panel Setting information window ...

Page 144: ...on Network IPv4 Static Routing IPv4 static routing setting Filter Setup IPv4 Packet Filter IPv4 packet filter entry setting MAC Address Filtering MAC address filtering setting Detail Settings Other Settings Ethernet port setting Management Management protocol setting SNMP SNMPv1 SNMPv2c agent setting Maintenance Firmware and product setting Access Web Setting Administrator password setting Automat...

Page 145: ...ress of product Device Information Wi Fi Information ARP table MIB Information SNMP MIB information Event Log Operation log of this product Diagnostics Checking of network connectivity ping Verify the connectivity of target node by ping traceroute Verify the connectivity of target node by traceroute Self Diagnosis Confirmation of setting information and server reachability Packet dump Capture pack...

Page 146: ...e DHCP client function of this product is initially enabled When the IPv4 address of this product is acquired from the DHCP client function the setting procedures in this section are unnecessary If the internet connection network is via a proxy server enable the proxy server function of this product This product itself communicates by updating the security scan function firmware update etc 1 Open ...

Page 147: ...er address accessed by this product is acquired by the DHCP client function Manual Set the DNS server address to be accessed by this product on this setting screen When the DHCP client function is not used it will be Manual setting When Manual setting is selected IPv4 Primary DNS is required Automatic setting IPv4 Primary DNS Input the primary DNSv4 server address accessed by this product Not Set ...

Page 148: ...en accessing the Web setting via HTTP Set the proxy server with HTTPS when accessing the Web setting via HTTPS 5 6 3 Wireless LAN Setup The network isolation cannot be used in bridge mode Refer to Section 5 7 8 of maintenance router mode for the explanation of other setting items 5 6 4 WPS Setup Same as maintenance router mode Refer to Section 5 7 9 ...

Page 149: ...on 4 Click the Apply button 5 Click the Save button Setting Item Value Remarks Initial Value IPv4 Static Routing Entry Edit Up to 50 entries Entry No Input the entry number Not set Destination IP Address Specify the destination network of the routing entry Not set Gateway Set the gateway IPv4 address Not set Metric Specify a metric value The setting range is from 1 to 255 Decrease the metric value...

Page 150: ...er mode It differs only in that there is no target interface selection in bridge mode 1 Open the TOP Maintenance Filter Setup IPv4 Packet Filter 2 It redirects to the following screen when Edit is clicked 3 Click the Apply button 4 Click the Save button 16 Set the IPv4 packet filter entry in its initial state Editing and deleting is allowed However it is recommended to use it as it is ...

Page 151: ... product Host For IP packets addressed to this product Not set Direction in For IP packets received by this product out For IP packets sent from this product Not set Protocol All IP All IP packets ICMP TCP UDP Other IP packets other than the above Specify using the protocol number TCP FLAG Select when targeting only TCP packets of a specific flag among TCP packets ICMP MESSAGE Select when targetin...

Page 152: ...N Select the target type and press the Select button to switch the MAC address entry screen Wired LAN MAC address filtering screen 1 Open the TOP Maintenance Filter Setup MAC Address Filtering 2 Select the target type and select Wired LAN 3 Click Edit to enter the edit screen and add the wired MAC address to be connected 4 Check the Use MAC address filtering function 5 Click the Apply button 6 Cli...

Page 153: ...le the MAC address filtering function It cannot be checked if there is no entry Disabled The comment set for the LAN terminal on the device management screen is displayed in the comment field A comment is displayed when the device management method is set in MAC mode The comment is deleted when it is changed to IP mode For the setting of the comment field refer to Section 5 9 3 Wireless LAN MAC ad...

Page 154: ...terface Type Wired LAN Select this to set MAC address filtering for the wired LAN interface Wireless LAN Select this to set the MAC address filtering of the wireless LAN interface Wired LAN Enable MAC Address Filtering Primary SSID Select this to configure the primary SSID Secondary SSID Select this to configure the secondary SSID Disabled The comment set for the LAN terminal on the device managem...

Page 155: ...th access history by clicking the Display Access History button 2 Click the Apply button 3 Click the Save button to save this setting Setting Item Value Remarks Initial Value MAC Address Filtering Edit Entry 60 entries can be registered each for wired LAN and wireless LAN Entry No Enter the number Not set MAC Address Enter the MAC address of the LAN terminal to be connected Not set Click the Displ...

Page 156: ...gs Other Settings 2 Set the communication speed communication mode MDI MDI X and flow control of the Ethernet WAN port and LAN ports 1 4 3 Click the Apply button 4 Click the Save button Setting Item Value Remarks Initial Value Speed Duplex Mode Select the communication mode from the following Automatic Auto Negotiation 1000Mbps Full duplex 100Mbps Full duplex 100Mbps Half duplex 10Mbps Full duplex...

Page 157: ...to the Ethernet port supports IEEE 802 3x Pause frame If a port on which flow control operates and a port where it does not operate are mixed the communication speed may be reduced 5 6 9 SNMP Agent Setting SNMP can be used to monitor and control the status of this product SNMP versions supported by this product are version 1 and version 2c SNMP agent function is supported in bridge mode The settin...

Page 158: ... executing procedure 5 the user name password input screen for login is displayed Refer to Section 5 4 Log in using the new password Setting Item Value Remarks Initial Value Administrator Password Change Current Password Input the currently used password to login to this product The characters that can be used are one byte characters 0 9 a z and A Z hyphen and _ underscore The number of characters...

Page 159: ...t as new password The characters that can be used are one byte characters 0 9 a z and A Z hyphen and _ underscore The number of characters that can be inputted is 1 64 Not set Logout Setting Timeout Time min Enter the time from last Web operation to automatic logout 1 300 minutes 30 minutes ...

Page 160: ...e button to save the setting Change time zone 1 Open TOP Maintenance Maintenance Time 2 Select Specify NTP Server Name for Automatic Time Setup Function 3 Change the time zone 4 Click the Apply button 5 Click the Save button to save the setting When the NTP server is not used 1 Open TOP Maintenance Maintenance Time 2 Select Disable for Automatic Time Setup Function 3 Input the current time 4 Click...

Page 161: ...tup Function Disable when not using NTP server Specify NTP Server Name when using NTP server When an NTP server is not used the time of this product is set to the time entered in the current time field Specify NTP Server Name NTP Server Name Set the NTP server name time google com Time Zone Select time zone GMT 08 00 ...

Page 162: ...s after restoring the setup values Restoration is finished after restart is completed Note The security scan function may not be completely restored The original setting values saved in the computer cannot be restored to a device with older firmware version Save configuration file to USB storage nightly 1 Open TOP Maintenance Maintenance Config File 2 To enable USB storage check Enable in Save con...

Page 163: ...ote Activation contents do not return to its initial state Therefore activation does not need to be done again The signature returns to its initial state The security log statistical information and event logs are deleted The setting value can also be initialized by pressing the device switch The initialized content is the same as the initialization operation at Web setting Refer to Section 5 10 1...

Page 164: ...nance upgrade function The management server operated by our company is notified of the minimum device and network information for this function to operate 18 Depending on specific reasons timing unintended by the customer firmware may be automatically updated firmware update is followed by a restart When the maintenance upgrade function is Disabled confirmation on the availability of new firmware...

Page 165: ... Release OPT2 switch when the light blinks orange 4 This product restarts automatically when firmware update is completed The INFO lamp returns to orange when firmware update has failed Firmware Update 2 When Notification Only is selected as the update method 1 The INFO lamp lights up orange when a new firmware is available 2 Access the Web setting 3 Click the Update Firmware button from the TOP p...

Page 166: ...pecified Update 3 Click the Apply button 4 If a new firmware is available when this product accesses the management server the INFO lamp lights up orange At this time this product downloads the new firmware from the management server 5 Firmware will be rewritten automatically within one hour from the specified time in the Time Specified Update 6 This product automatically restarts when firmware up...

Page 167: ...lized in firmware downgrade When Web setting is used Online upgrade Setup 1 Open the Maintenance screen from TOP Maintenance 2 Select Online Upgrade of Manually Update Firmware 3 Click the Update button 4 Wait for a while until Firmware Version Information is displayed 5 Click the Update Firmware when current firmware version is different from the new firmware version Stop when the Current Firmwar...

Page 168: ...ll restart at the following instances Initialization Restoring setting values Firmware update Switching from bridge to router mode and vice versa Changing the device management mode on the Web setting 1 Open the Restart screen from TOP Maintenance Maintenance 2 Click the Restart button 3 Click the OK button in the popup message window 4 The product restarts 5 When the popup window Restart is compl...

Page 169: ...Maintenance Maintenance 2 Click Acquire with file to collect log information for maintenance to PC collectively When collecting device status a file named sa3500g_maintenance zip is created This file contains the following information Security log Event log Statistics Configuration file of this product Firmware version or serial number which are essential information during operation Setting Item ...

Page 170: ...mode Settings are also initialized 1 Open the Connection Setup screen from TOP Maintenance Basic Setup 2 Select Router for mode setting 3 Click the Apply button 4 Click the OK button on the restart message window 5 After restarting perform STEP2 Administrator Password of the wizard Set it according to Section 5 2 2 ...

Page 171: ...tenance Setting Router Mode View settings and information other than the security scan function of this product 1 Click Maintenance from the TOP page 2 Maintenance setup screen opens Click Navigation Panel Setting Information window Save Button ...

Page 172: ...onnection setting Wireless Setup Wireless LAN setting WPS Setup Enable Disable WPS function Network DNS and static routing setting Port Forwarding Port forwarding entry setting DNS DNS setting IPv4 Static Routing Static routing entry setting Other Settings ICMP redirect packet transmission setting VPN VPN connection setting IPsec IPsec IKEv1 IKEv2 setting Cloud Service Cloud connection setting Fil...

Page 173: ... Device Information DHCP leased address Wi Fi information ARP table Routing Table Information on the routing table of this product BGP Peer Status Information on neighboring routers with which this product exchanges information VPN Status IPsec SA and IKE SA status Deletion of IPsec SA and IKE SA Certificate information and certificate export VPN Statistics Statistical information of IPsec traffic...

Page 174: ...the Apply button 4 Click the Save button Setting Item Value Remarks Initial Value IPv4 Address Netmask 169 254 254 11 16 is the IP address exclusively used by this product IPv4 address Netmask assigned bits Set the IPv4 address and subnet mask of the LAN interface of this product Specify the subnet mask with bits When changing the IP address of the LAN interface also change the assigned address se...

Page 175: ... WAN IPoE screen IPv4 WAN Interface Setting Method Procedure 1 Set Connection Destination on the Connection Setup screen Procedure 2 Setting screen a Fixed setting IPoE IPv4 WAN IPoE setup DNS setup b Set using the DHCP client function IPoE IPv4 WAN IPoE setup c Set using the PPP function PPPoE IPv4 WAN PPPoE setup Procedure 1 Select the type of WAN interface operation Set the IP address of this p...

Page 176: ...WAN interface settings The setting contents will change depending on the contents selected in procedure 1 IPv4 WAN Interface Setting Method Setting Contents a Fixed setting Refer to the following content b Set using the DHCP client function Refer to Section 5 7 5 c Set using the PPP function Refer to Section 5 7 4 If the WAN interface of the product is set with a fixed IP address the default gatew...

Page 177: ...n the IPv4 WAN IPoE screen from TOP Maintenance Basic Setup 2 Remove the check on the DHCP client function check box 3 Input IP address under IPv4 Address Netmask 4 Input the IP address of the default gateway on Fixed Address under Gateway 5 Click the Apply button 6 Click the Save button ...

Page 178: ...ress Netmask IPv4 address of the WAN interface of this product IPv4 Address Netmask bit specification Set the IP4 address and subnet mask of the WAN interface of this product Specify the subnet mask in bits This can be set when the DHCP client function is not used Not set Gateway Gateway address Allocated Address from Server Checked When the default gateway address is acquired from the DHCP server...

Page 179: ...oE Setup The PPP function of this product requires PPP authentication ID password setting 1 Open the PPP Setup screen from TOP Maintenance Basic Setup 2 Set the PPP ID and password for authentication 3 Click the Apply button 4 Click the Save button ...

Page 180: ...with the BAS server can be detected using the PPP Keepalive function On the other hand the function may not operate properly when the load of this product is high and it may lead to the disconnection of the PPP session Disabled LCP ECHO Transmission Interval in seconds Set the transmission interval of the PPP Keepalive packet at 1 255 seconds When the transmission interval is shortened the timing ...

Page 181: ...ve parameters Establish PPP Transmission interval 30 sec Retry interval 10 sec Retry frequency 3 PPP disconnection Transmission interval 30 sec Keepalive Keepalive Keepalive Retry interval 10 sec Retry frequency 3 Transmission interval 30 sec ...

Page 182: ...hrough the DHCP client set it on this screen 1 Open the IPv4 WAN IPoE screen from TOP Maintenance Basic Setup 2 Check the following items DHCP Client Function DHCP client function Gateway Address allocated from server 3 Click the Apply button 4 Click the Save button Refer to Section 5 7 3 for the explanation of each setting item ...

Page 183: ... Setup IPv4 WAN IPoE screen 2 Set the MTU value Change according to customer s network The range is 1000 1500 initial value 3 Click the Apply button 4 Click the Save button Setting Item Value Remarks Initial Value MTU Size 1000 1500 Set the MTU value to be used on the WAN interface of this product MTU can be set when operating in IPoE mode 1500 ...

Page 184: ...address of the LAN interface of this product is changed change the assigned address of the DHCP server function 1 Open the IPv4 LAN screen from TOP Maintenance Basic Setup 2 Change it according to customer s network 3 Click the Apply button 4 Click the Save button ...

Page 185: ...that the DHCP server can distribute 24 Assigned Initial Address Set the initial address within the range of IP addresses distributed to DHCP clients such as computers Assigned address is up to 250 192 168 110 2 Assigned Last Address Set the last address within the range of IP addresses distributed to DHCP clients such as computers Assigned address is up to 250 192 168 110 251 Domain Name Set the d...

Page 186: ...access point Refer to Section 5 10 5 for the WPS switch operation 5 7 8 1 When using this product as a wireless LAN access point 1 Open the Wireless Setup screen from TOP Maintenance Wireless Setup 2 Check Enable under the Wireless Function 3 Click the Apply button 4 Click the Save button ...

Page 187: ...ails refer to Section 5 8 12 1 Open the Wireless Setup screen from TOP Maintenance Wireless Setup 2 Check Enable under the Wireless Function 3 Change the encryption mode to 802 1x EAP 4 Confirm that Internal is selected for Authentication Server Type 5 Click the Apply button 6 Click the Save button 7 Configure RADIUS server on TOP Security Simple RADIUS function screen For the details refer to Sec...

Page 188: ...Wireless Setup screen from TOP Maintenance Wireless Setup 2 Check Enable under the Wireless Function 3 Change the encryption mode to 802 1x EAP 4 Change Authentication Server Type to External 5 Enter the setting value of the external authentication server 6 Click the Apply button 7 Click the Save button ...

Page 189: ...ransmission rate specification 300Mbps or less is achieved by extending the width of the communication channel used by the wireless LAN communication from 20MHz to 40MHz Enabled It can only be set on the primary Used Channel Auto An empty channel between 1 11 is chosen automatically 1 13 When a fixed channel is set Auto It can only be set on the primary Network Isolation Function Not available in ...

Page 190: ...l authentication server configure the server on the Simple RADIUS function screen When using an external authentication server set the following authentication server address authentication server port authentication server key Disabled Authentication Server Address Enter the IP address of the external authentication server Authentication Server Port Enter the external authentication server port n...

Page 191: ...an be done through Web setting 1 Open the WPS Setup screen from TOP Maintenance Wireless Setup 2 Check Enable from WPS PBC to use the WPS function 3 Click the Apply button 4 Click the Save button Setting Item Description Initial Value WPS PBC Check this item to use the WPS function Enabled ...

Page 192: ... Port forwarding entries can be set Port forwarding entry setting 1 Open the Port Forwarding screen from TOP Maintenance Network 2 Click Edit to go to the following screen 3 Set the port forwarding entry information 4 Click the Apply button 5 Click the Save button ...

Page 193: ...cify the IP address of the port forwarding target host e g computer Not set Protocol Select the protocol for port mapping TCP UDP ESP Other When Other is selected input the protocol number for the port forwarding target in Protocol Number Not set Port Number Any All port numbers are specified Set port number Specify the port number for port mapping Set this when either TCP or UDP is selected in Pr...

Page 194: ...ry packet can be set Set the timeout value of the DNS response packet according to customer s network and status DNS Proxy Wait Timer sec Set the timeout value until the reception of response packet of the DNS query packet DNS response Setting range is from 1 50 seconds 10 IPv4 DNS Server Address This product manages up to two DNS server addresses Contents that are manually set are prioritized eve...

Page 195: ... Setting Setting Confirmation 195 IPv4 Primary DNS Set the IPv4 address of the primary DNS server Not set IPv4 Secondary DNS Set the IPv4 address of the secondary DNS server Can be omitted Not set ...

Page 196: ...s selected in the interface The setting of the IPsec 1 interface is enabled only by setting the VPN operation mode to the route base in IPsec setting 1 Open the IPv4 Static Routing screen from TOP Maintenance Network 2 Click Edit to go to the screen below 3 Set the routing entry information 4 Click the Apply button 5 Click the Save button ...

Page 197: ...g a routing destination with an interface Gateway When specifying a routing destination with an IPv4 address Not set Interface Select PPPoE or IPsec1 Take note when IPsec1 is selected in the interface The IPv4 static routing setting is enabled when setting a route base as a VPN operation mode with IPsec setting Not set Gateway Set the IPv4 address of the gateway Not set Metric Specify the metric v...

Page 198: ...eived sending an ICMP Redirect message 1 Open the Other Settings screen from TOP Maintenance Network 2 Check Enable to send ICMP Redirect message 3 Click the Apply button 4 Click the Save button Setting Item Value Remarks Initial Value ICMP Redirect Function Checked Sends an ICMP Redirect message when ICMP Redirect target packet is received Unchecked ICMP Redirect message will not be sent even if ...

Page 199: ... different a separate setting screen for each is prepared 5 7 15 1 Amazon Web Services 1 Open the Cloud Service screen from TOP Maintenance VPN 2 By checking to use the cloud service function the service type can be selected 3 Select Amazon Web Services AWS from the service type 4 Configure the destination and source 5 Click the Apply button 6 Click the Save button ...

Page 200: ...t AS Number BGP Configuration Options Set the customer gateway ASN 1 65535 Not Set Advertising Route Set the route advertised network address and netmask Up to 5 can be set Not Set Encryption Authentication Setting IKE Pre shared Key 1 to 64 single byte characters ASCII symbols 0x21 to 0x7e Excluding space Not Set By setting Amazon Web Services the following fixed values can be set Although IPsec ...

Page 201: ...m AES128 CBC Authentication algorithm HMAC SHA1 DH Group choice 1024 bit Lifetime 28800 seconds DPD Keepalive Use DPD Keepalive Transmission interval 10 seconds DPD Keepalive Retry count 3 times IKE retransmission interval Not specified IKE retransmission count Not specified IKE phase 2 setting Local ID Not specified Remote ID Not specified Encryption algorithm AES128 CBC Authentication algorithm ...

Page 202: ...the Cloud Service screen from TOP Maintenance VPN 2 By checking cloud service function the service type can be selected 3 From the Service type select Microsoft Azure Route Based 4 Set destination and source and IKE pre shared key 5 Click the Apply button 6 Click the Save button ...

Page 203: ...he address of Virtual Private Gateway Not Set BGP Peer IP Address Set the IP address of the peer Not Set AS Number Set the assigned AS number Not Set Own Device SA3500G BGP Peer IP Address Set the BPG peer IP address of the local network gateway The LAN IP address set for this product is automatically entered Not Set AS Number Set the assigned AS number Not Set Advertising Route Set the route adve...

Page 204: ... seconds Maximum route acceptance setting Number of routes 4096 warning only specification BGP peer Multi hop setting Number of hops 255 IPsec IPsec setting IPsec function Use IKE version IKEv2 TCP MSS adjustment Fixed 1350 bytes IKE_SA_INIT exchange setting Local ID specification Not specified Remote ID specification Not specified Encryption algorithm AES256 CBC Authentication algorithm HMAC SHA1...

Page 205: ... time Not specified 5 7 15 3 Microsoft Azure Policy Based 1 Open the Cloud Service screen from TOP Maintenance VPN 2 By checking cloud service function the service type can be selected 3 From the service type select Microsoft Azure Policy Based 4 Set destination and IKE pre shared key 5 Click the Apply button 6 Click the Save button ...

Page 206: ...re Route Based Microsoft Azure Policy Based Not Set Microsoft Azure Policy Based Settings BGP Peer Cloud WAN IP Address Set the address of Virtual Private Gateway Not Set LAN Network Set the network address and netmask of the LAN Not Set Own Device SA3500G LAN Network Set the network address and netmask of the LAN of this product Not Set Encryption Authentication Setting IKE Pre shared Key 1 to 64...

Page 207: ...tems Value Remarks BGP4 BGP4 function Disabled IPsec IPsec setting IPsec function Use IKE version IKEv1 TCP MSS adjustment Fixed 1350 byte IKE phase 1 setting Key Exchange Method Main mode Local ID specification Not specified Remote ID specification Not specified Encryption algorithm AES128 CBC Authentication algorithm HMAC SHA1 DH Group choice 1024 bit Lifetime 28800 seconds DPD Keepalive Not use...

Page 208: ...Setting This product supports IPsec IKEv1 and IKEv2 can be used as the key exchange method Since setting is different IKEv1 and IKEv2 are described separately IKEv1 1 Open the IPsec screen from TOP Maintenance VPN 2 Select IKEv1 as the IKE version ...

Page 209: ...PN communication Policy based Fragment Method post fragment pre fragment post fragment Static Routing Checked When using the default route Unchecked When not using the default route When route based is selected it can be enabled or disabled Disabled TCP MSS Adjustment Checked Auto rewrites the MSS value of TCP packet that passes through the IPsec tunnel to an optimum value according to the encrypt...

Page 210: ...et ID according to the format of the selected Local ID Setting IP address IP address format FQDN Set in domain name format Character string can be 1 64 alphanumeric characters Key ID Character string can be 1 47 alphanumeric characters User FQDN Set in the form username domainname Character string can be 3 160 alphanumeric characters ASCII 0x21 0x7e characters can be used for FQDN Key ID User FQDN...

Page 211: ...FQDN remote example com Key ID RemoteID 1 User FQDN adm example com Not set Encryption Algorithms Set the encryption algorithm to be used for IKE phase 1 AES256 CBC AES192 CBC AES128 CBC 3DES CBC AES256 CBC Authentication Algorithms Set the authentication algorithm to be used for IKE phase 1 HMAC SHA1 HMAC SHA2 256 HMAC MD5 HMAC SHA1 Life Time sec Set the validity period of the IKE SA Input range ...

Page 212: ...ified IKE Retry Count Specify the number of retransmissions to be performed when the key exchange packet does not reach the peer It can be set from 2 10 times Not specified IKE Phase 2 Settings Remote Peer Setting Set the specification method of the IPsec peer device Any Select when the IP address of the IPsec peer device is not fixed IP address Select when the IP address of the IPsec peer device ...

Page 213: ...alue that is smaller than the one set at the destination Rekey is done at random between from 70 to 85 of the set lifetime 28800 Life Time with Data Kbyte Specify the amount of data to communicate on the IPsec SA in Kbytes Not specified PFS Disable means PFS is not guaranteed 768bit guarantees PFS using DH Group1 1024bit guarantees PFS using DH Group2 1536bit guarantees PFS using DH Group5 2048bit...

Page 214: ...et Moreover rekeying is done regardless of the existence of traffic using the generated SA No Rekey IKE negotiation starts when IPsec target traffic is generated In this mode no rekeying is done Rekey Remaining Time sec Rekey Automatic update of SA starts when the remaining time sec is less than the specified value 30 to 345600 seconds Not set ...

Page 215: ... Setting Setting Confirmation 215 IKEv2 1 Open the IPsec screen from TOP Maintenance VPN 2 Select IKEv2 as the IKE version 3 Input IPsec settings ...

Page 216: ...t pre fragment post fragment Static Routing Checked When using default route Unchecked When not using default route When route based is selected it can be enable or disabled Disabled TCP MSS Adjustment Checked Auto rewrites the MSS value of TCP packet that passes through the IPsec tunnel to an optimum value according to the encryption algorithm Checked Fixed rewrites the MSS value of TCP packet th...

Page 217: ...with a user name Default Source IP address Local ID Set ID according to the format of the selected Local ID Setting IP address IP address format FQDN Set in domain name format Character string can be 1 64 alphanumeric characters Key ID Character string can be 1 47 alphanumeric characters User FQDN Set in the form username domainname Character string can be 3 160 alphanumeric characters ASCII 0x21 ...

Page 218: ... characters can be used for FQDN Key ID User FQDN except the following space Sample input IP address 192 0 2 222 FQDN remote example com Key ID RemoteID 1 User FQDN adm example com Not set Encryption Algorithms Set the encryption algorithm to be used for IKE_SA_INIT AES256 CBC AES192 CBC AES128 CBC 3DES CBC AES256 CBC Authentication Algorithms Set the authentication algorithm to be used for IKE_SA...

Page 219: ... function in seconds to detect communication disconnection of the IPsec tunnel Not set IKE Retry Interval sec Specify the retransmission interval seconds to be performed when a key exchange packet does not reach the peer It can be set from 5 60 seconds Not specified IKE Retry Count Specify the number of retransmissions to be performed when the key exchange packet does not reach the other party It ...

Page 220: ...vice network Set it according to the ID of the peer for IPsec communication If there are multiple subnets subject to IPsec input more than one in remote ID Not Set Encryption Algorithms Set the encryption algorithm to be used at IKE_AUTH AES256 CBC AES192 CBC AES128 CBC 3DES CBC NULL AES256 CBC Authentication Algorithms Set the authentication algorithm to be used at IKE_AUTH HMAC SHA1 96 HMAC SHA2...

Page 221: ...ence of traffic using the generated SA No Rekey IKE negotiation starts when traffic of the IPsec target is generated In this mode no rekeying is done Enable Rekey Remaining Time sec Rekey Automatic update of SA starts when the remaining time sec becomes less than the specified value 30 to 345600 seconds Not Set Note The IPsec remote ID and static routing setting priority is as follows If the VPN o...

Page 222: ...pecification Two or more subnet connection 1 N 1 specification N specification N N N specification N specification ALL N 0 0 0 0 0 or not specified blank N specification All subnet connection 1 ALL 1 specification 0 0 0 0 0 or not specified blank N ALL N specification 0 0 0 0 0 or not specified blank Connection Type Local ID Remote ID Used Remarks Pattern 1 Not specified local WAN IP address no su...

Page 223: ...ed during this time 28800 x 0 85 24480 seconds Maximum value Local and remote IDs of IKE v1 IKE Phase 1 Phase 2 are treated as follows IKE IKE Phase1 IPsec IKE Phase2 Phase Mode Behavior Peer Direction local id remote id local id remote id IKE Phase1 Ph1 main mode initiator 1 Send Send in sequence 5 Not sent Receive from peer Compare with remote id of local station Unused responder 1 Send Send in ...

Page 224: ...ce 2 Receive from peer Compare with remote id of local station Compare with local id of local station IKEv2 Phase Mode Behavior Peer Direction local id remote id IKE AUTH exchange initiator 1 Send Send with IKE AUTH exchange request Send with IKE AUTH exchange request Receive from peer Compare with remote id of local station Compare with local id of local station responder 1 Send Send with IKE AUT...

Page 225: ...e shared key Password aaa Peer device authentication Authentication method Pre shared key Password aaa Own device authentication Authentication method Pre shared key Password aaa Peer device authentication Authentication method Pre shared key Password aaa Initiator Responder Authentication is established as both an Initiator and Responder There is no restriction on the starting direction Device De...

Page 226: ...ator Device Device Own device authentication Authentication method EAP MD5 Password bbb Peer device authentication Authentication method digital signature File name test pem Own device authentication Authentication method digital signature File name test pem Peer device authentication Authentication method EAP MD5 Password bbb Initiator Responder Place a center router that can digitally sign Set t...

Page 227: ...tting for IPsec communication between this product and Cisco1941 Location 1 SA3500G setting IPsec Set at Web setting Cisco 1941 SA3500G Center Wired Network Location 1 SA3500G IP Address LAN 192 168 110 1 24 WAN 192 168 100 2 24 Cisco1941 IP Address LAN 10 0 0 254 24 WAN 192 168 100 10 24 ...

Page 228: ...228 Setting Setting Confirmation ...

Page 229: ...e setting for IPsec communication between this product and Cisco1941 Location 1 SA3500G setting IPsec Set at Web setting Cisco1941 SA3500G Center Wired Network Location 1 SA3500G IP Address LAN 192 168 110 1 24 WAN 10 0 1 1 24 Cisco1941 IP Address LAN 192 168 100 10 24 WAN 10 0 0 1 24 ...

Page 230: ...230 Setting Setting Confirmation ...

Page 231: ...d encryption hostname Cisco1941 boot start marker boot system flash c1900 universalk9 mz SPA 153 3 M3 bin boot end marker no aaa new model ip cef no ipv6 cef multilink bundle name authenticated license udi pid CISCO1941 K9 sn FHK145076YB redundancy crypto isakmp policy 10 encr aes 256 authentication pre share lifetime 28800 crypto isakmp key hogehoge address 192 168 100 2 crypto ipsec transform se...

Page 232: ... 0 254 255 255 255 0 duplex auto speed auto ip forward protocol nd no ip http server no ip http secure server ip route 192 168 110 0 255 255 255 0 192 168 100 2 access list 100 permit ip 10 0 0 0 0 0 0 255 192 168 110 0 0 0 0 255 control plane line con 0 line aux 0 line 2 no activation character no exec transport preferred none transport output lat pad telnet rlogin lapb ta mop udptn v120 ssh stop...

Page 233: ...ncryption hostname Cisco1941 boot start marker boot system flash c1900 universalk9 mz SPA 153 3 M3 bin boot end marker no aaa new model ip cef no ipv6 cef multilink bundle name authenticated license udi pid CISCO1941 K9 sn FHK145076YB redundancy crypto ikev2 proposal ikev2proposal encryption aes cbc 256 integrity sha1 group 1 crypto ikev2 policy ikev2policy match address local 10 0 0 1 proposal ik...

Page 234: ... 1 set security association lifetime seconds 28800 set transform set TS set ikev2 profile ikev2profile match address 100 interface Embedded Service Engine0 0 no ip address shutdown interface GigabitEthernet0 0 ip address 10 0 0 1 255 255 255 0 duplex auto speed auto no mop enabled crypto map cmap interface GigabitEthernet0 1 ip address 192 168 100 10 255 255 255 0 duplex auto speed auto ip forward...

Page 235: ... plane line con 0 line aux 0 line 2 no activation character no exec transport preferred none transport output lat pad telnet rlogin lapb ta mop udptn v120 ssh stopbits 1 line vty 0 4 login transport input all scheduler allocate 20000 1000 End ...

Page 236: ...cted for target interface The target interface IPsec 1 setting is enabled only when the VPN operation mode is set to route based in the IPsec setting 1 Open the IPv4 Packet Filter screen from TOP Maintenance Filter Setup 2 Select filtering point from Select Target Interface Select from IPoE PPPoE LAN or IPsec 1 3 Click Edit to go to the following screen 4 Click the Apply button 5 Click the Save bu...

Page 237: ...ination unreachable is sent Not set Filter Type Forward For IP packets not addressed to this product Host For IP packets addressed to this product Not set Direction in For IP packets received by this product out For IP packets sent from this product Not set Protocol All IP All IP packets ICMP TCP UDP Other IP packets other than the above Specify using the protocol number TCP FLAG Select if to targ...

Page 238: ...y All port numbers Specific port number Specify a specific port number Not set 5 7 18 MAC Address Filtering Setup Same setting with maintenance bridge mode Refer to Section 5 6 7 5 7 19 SNMP Agent Setting SNMP can be used to monitor and control the status of this product This product supports SNMP versions 1 and 2c ...

Page 239: ... noted Available character string Alphanumeric characters Maximum number of characters 64 0x21 0x7e can be used Unavailable characters are backslash and space Not set Access Restriction Set whether to allow only a specific SNMP manager or any SNMP manager access of this product Checked if only a specific SNMP manager is allowed access Unchecked if access from any SNMP manager is allowed Set one or...

Page 240: ...n sent when interface is down link up sent when interface starts auth failure sent when authentication failed due to community name mismatch ALL SNMP cold start Trap Delay Time sec Set the cold start trap delay time Range is 0 3 600 seconds 5 Table No 1 3 Destination Destination IP address of trap Not set Community Select the community name when trap is sent from Community 1 Community 2 and Commun...

Page 241: ... Setting Same setting with maintenance bridge mode Refer to Section 5 6 11 5 7 22 Save and Restore Setting Same setting with maintenance bridge mode Refer to Section 5 6 12 5 7 23 Factory Default Same setting with maintenance bridge mode Refer to Section 5 6 13 5 7 24 Firmware Update Same setting with maintenance bridge mode Refer to Section 5 6 14 ...

Page 242: ...nance 2 Check the following check boxes Maintenance Maintenance Update Initial value Enable Home IP Location Home IP location Initial value Unchecked 3 Click the Apply button 4 Click the Save button to save the settings How to check the Home IP Location name 1 Open the Device Status screen from TOP Maintenance Information Refer to Section 6 1 2 2 Home IP location Home IP Location name is checked N...

Page 243: ... 7 28 Switching to Bridge Mode This product restarts when it is switched to the bridge mode And also all settings are initialized 1 Open the Connection Setup screen from TOP Maintenance Basic Setup 2 Select Bridge for mode setup 3 Click the Apply button 4 Click the OK button on the restart message window 5 After restarting execute STEP2 Administrator Password of the wizard Set it according to Sect...

Page 244: ...rowse through the security scan functions setting and information of this product 1 Click Security from the TOP page 2 Setting screen for the security scan functions opens The figure above is an example of screen in router mode Location of the save button is the same in bridge mode Click Save Button Setting Navigation Panel Setting Information Viewing Window ...

Page 245: ...ndividual permission Web Guard WG Set the permission to particular dangerous websites Web Guard setting Individual permission setting URL Filter UF Set the permission of websites by category Category setting Individual permission setting Checking of category corresponding to a specified URL Keyword Filter KF Set the permission of specific URL keyword Keyword setting Application Guard APG Set the p...

Page 246: ...246 Setting Setting Confirmation Device Manager Device management setting Basic RADIUS function Settings related to RADIUS authentication ...

Page 247: ...ting screen from TOP Security 2 Check the item to cancel the packet forwarding restriction 3 Check this item when setting strict check of TCP stream 4 Click the Apply button 5 Click the Save button to save the setup Setting Item Description Initial Value In case of Security Scan function is disabled Check this item to forward packets when security scan function is disabled Disabled Strict checking...

Page 248: ...ave button to save the settings Setting Item Description Initial Value Firewall Configuration Enable Firewall IPv4 Enable disable the firewall function When disabled the SPI setting is grayed out and cannot be set Enabled Block all IPv6 Traffic Set whether IPv6 communication is transparent or blocked in bridge mode Enabled SPI Configuration SPI setting items TCP Set the session timer of TCP establ...

Page 249: ...e button to save the setting Setting Item Description Initial Value Firewall Configuration Enable Firewall Enable disable the firewall function When disabled the SPI setting is grayed out and cannot be set When PPPoE is set the firewall function is always enabled and cannot be disabled Enabled NAPT Enable Interface Check the interface that enables NAPT function This setting item is displayed only ...

Page 250: ...ccesses When this function is disabled the Smurf and IP spoofing attack packets are excluded as detection targets Enabled If NAPT Enable Interface is disabled Internet may be inaccessible depending on the environment In that case refer to Section 7 1 17 and review the settings of the network equipment connected to the upper side of this product ...

Page 251: ...eration policy Antivirus AV tab 1 Open the Antivirus AV screen from TOP Security 2 Set the Antivirus function according to the security policy 3 Click the Apply button 4 Click the Save button to save the setting Permit tab This screen is a display example where XXXX Test File was registered The list is not initially set ...

Page 252: ... before scanning Therefore the processing speed decreases temporarily during this processing The following compressed files are supported gz zip rar jar apk Password set files such as ZIP files cannot be scanned Compressed File Scan Check this item to scan a compressed file Enabled Bomb Check Detection Check this item when a compressed data file with compression rate of 200 or more is not scanned ...

Page 253: ...tivirus AV function detection Set it from the security log screen When individual permission is done applicable communication is permitted even if it is dangerous Virus Displays the virus type that was set to be excluded from detection Number of registrations 10 Not set Action Click the Delete button to delete from the detection target ...

Page 254: ...tected by the firewall by preventing the communication Enabled Detect Mode Configuration Set the operation when illegal access is detected Block Block unauthorized access and output logs Block Log only Output log indicating security risk has been detected and do not block unauthorized access Detection Configuration Set this item to use the intrusion prevention extended function Set whether or not ...

Page 255: ...the initial screen The list is not initially set To delete the added individual permission setting from the list select the attack name that needs to be deleted and click the Delete button Setting Items Description Initial Value Permit List Displays the set attack name signature to be excluded from the Intrusion Prevention IPS function detection Set it from the security log screen For individual p...

Page 256: ... button to save the setup Setting Item Description Initial Value Web Guard Configuration Check this item to detect and block traffic to a dangerous website such as a phishing site Enabled Detection Mode Configuration Set the operation when communication to a dangerous website is detected Block Block communication to dangerous websites and output log Block Log Only Log will only be outputted indica...

Page 257: ...rity log screen or from this page When individual permission is done applicable communication will be permitted even if it is dangerous URL Displays the URL excluded as detection target that was set by the customer Enter the hostname and pathname of the URL Pathname is optional Do not include http or https in the URL The hostname is exactly matched and pathnames are determined by prefix matching F...

Page 258: ...er of registrations 10 When multibyte characters are used the number of characters that can be set is reduced Action When registering a detection target input the URL and click the Add button Click the Delete button to remove from the list ...

Page 259: ...ding to the operation policy Tab Description URL Filter Set whether to enable disable the URL filter function Content Filter Set the traffic operation for each category URL Category Query Set the category of the URL filter function Permit Set the individual permission of the URL filter function URL Filter tab ...

Page 260: ...nd set the URL Filter function according to the security policy In addition refer to Section 3 3 10 for the details of the available categories that can be set 4 Click the Apply button located at the bottom of the Content Filter tab Note that when the Apply button is not clicked the setting does not take effect 5 Click the Save button to save the setting URL Category Query The screen is a sample d...

Page 261: ...lter Configuration Check this item to detect traffic to websites of the applicable category and pass or block it according to the operation of the set category Initially all categories are set to Pass Set the category to be blocked at the Standard Block Profile or Block Category to Block Enabled Block Configuration Set the operation when the category is unknown or cannot be confirmed Block the acc...

Page 262: ...lcohol and Tobacco Abused Drug Extremism racial discrimination Ultraism Abortion Criminal Actions Violent and Bloody Gross Dating Click block log only or pass button to set Block block communication to websites that belong to the specified category and output log Log only output logs only and will not block communication to websites that belong to the specified category Pass allow communication to...

Page 263: ...specified category Pass allow communication to the entertainment site category Pass Block Category Used to select blocking passing for each category Individual category Set the category to be permitted to Pass and the category to be blocked to Block Refer to Section 3 3 10 for the details of the categories that can be set All Pass Setting Item Description Initial Value Permit List Displays the set...

Page 264: ...127 bytes for the host name 127 characters 127 bytes for the path name 1 character 1 byte between host name and path name Number of allowed registrations 100 When multibyte characters are used the number of characters that can be set is reduced Action When registering a detection target input the URL and click the Add button Click the Delete button to remove from the list ...

Page 265: ... list setting The screen is a sample display where example1 com is registered The keyword is not initially set 1 Open the URL Keyword Filter KF screen from TOP Security 2 Click the URL Keyword Filter tab check Enable Keyword Filter and then click the Apply button 3 After referring to the setting explanation on the next page click the Keyword list tab and set the URL Keyword Filter function accordi...

Page 266: ...keyword Keyword Refer to Section 3 3 11 for the details of keyword setting Possible characters ASCII 0x21 0x7e Multibyte characters are excluded Maximum size of keyword 127 characters 127 bytes Number of keywords that can be registered 100 items When multibyte characters are used the number of characters that can be set is reduced Not Set Behavior Block Blocks communication to websites that contai...

Page 267: ...pplication Guard APG screen from TOP Security 2 Click the Application Control tab check Enable Application Guard and then click the Apply button 3 After referring to the setting explanation on the next page click the Application Control list tab and set the Application Guard function according to the security policy Refer to Section 3 3 12 for the Application Guard function details 4 Click the App...

Page 268: ...trol List Select applications and protocols to be blocked Set the application and protocol to Block When the All Block button is clicked all displayed applications and protocols are set to Block If the Make all blogs only button is clicked it logs all applications and protocols displayed in the application list when they are detected When the All Pass button is clicked all displayed applications a...

Page 269: ...e Controller Application for remote access Shopping Auction site Social web Site SNS Social Networking Service Streaming Streaming Tunnel VPN Virtual Private Network VoIP Voice over IP Web Service Web service Update Update 1 The list of supported applications protocols and category selection is updated regularly ...

Page 270: ...l Trigger Set the condition for Mail Notification Test Mail Sends test email Mail Notification tab 1 Open the Mail Notification screen from TOP Security 2 Click the Mail Notification tab and check Enable Mail Notification 3 Set the email account and language to be used for sending emails 4 Click the Apply button 5 Click the Save button to save the setting Note For the SMTP server address port numb...

Page 271: ... Address tab and set the email addresses for the administrator User can also be notified To set the mail address of the terminal user refer to the Section 5 9 3 Refer to Section 3 3 14 for the email notification conditions of the administrator and users 3 Click the Apply button 4 Click the Save button to save the setting ...

Page 272: ...rs Refer to Section 3 3 14 for administrator and user s email notification conditions 3 Click the Apply button 4 Click the Save button to save the setting Test Mail tab 1 Open the Mail Notification screen from TOP Security 2 Click the Test Mail tab and click the Send button 3 Test result is displayed in Result When sending of test mail fails check the Mail Address tab or the Mail Notification tab ...

Page 273: ...tor s address information All events are notified to the set addresses in the Mail Address tab Item number Mail Address Set the administrator s email address Not Set Setting Item Description Initial Value Mail Notice Condition Common Set the condition for sending email to the administrator and users Notify Detecting AV Block Check this item to send email when communication is guarded by the Antivi...

Page 274: ...ed Monthly Report Notice Timing Specify the schedule of monthly reports sending In order to send notification this product must be ON every first day of the month 10 00 Setting Item Description Initial Value Test Mail Email is sent to the administrator s email address To execute the test mail an account and email address administrator must be setup beforehand Send Test Mail An email is sent to the...

Page 275: ... Click the Preview ON button and check the notification image 6 Click the Apply button 7 Click the Save button to save setting Setting Item Description Initial Value Select Target Language Select language English or Japanese English Message Select this function to edit the threat detection screen or email notification Threat detection screen Additional Message Configuration Edit mode Select edit m...

Page 276: ... email see Section 5 8 10 6 Click the Apply button 7 Click the Save button to save settings Setting Item Description Initial Value Select Target Language Select language English or Japanese English Message Select this function to edit the threat detection screen or email notification Threat Detection Screen Additional Message Configuration Add message Enter up to 1000 characters using single byte ...

Page 277: ...e setting 6 Register the root certificate used in this function by clicking the Download button and temporarily saving it to a personal computer on the user terminal to authenticate To register the root certificate to the user terminal refer to the manual of the user terminal Setting Item Description Initial Value RADIUS Server Configuration Enable RADIUS Server Check to use the RADIUS server func...

Page 278: ...ddress comment and pre shared key of the terminal to register as a client 4 After editing click OK To delete the client list click Delete 5 Click the Apply button 6 Click the Save button to save the setting Note Registration to the client list is unnecessary when using the RADIUS client of this product Setting Item Description Initial Value Client Configuration IP Address Enter the RADIUS client I...

Page 279: ...r name user s email address authentication ID and password 4 After editing click the OK button To delete a user from the user list click the Delete button 5 When the user setting is completed click the Apply button If not the user information will not be updated 6 Click the Save button to save the setting value The required parameters are different depending on the authentication method Set accord...

Page 280: ...eation When using PEAP client certificate is not necessary Setting Item Description Initial Value Basic Information User name Enter the user name to connect Not Set E mail Enter user email address Not Set Authentication Information User ID Enter user ID for authentication Not Set Password Enter password for authentication Not Set ...

Page 281: ...sue button of client certificate 2 Click the Issue button 3 As the screen of the calendar is displayed set the expiration date of the client certificate and click the Close button 4 The set expire date will be reflected in the expiration date field of the new issue 5 Set an arbitrary password ...

Page 282: ...e validity period of the client certificate expires after the wireless LAN terminal belongs the wireless attribution does not come off while connecting with the wireless access point To revoke both of the registered client s issued client certificate and issue a new client certificate delete the corresponding user and re register the user When this product is used as a RADIUS server the RADIUS cli...

Page 283: ...The Network Topology function is common in bridge mode and router mode 1 Click the Network Topology icon on the TOP screen 2 The configuration screen related to the Network Topology function opens Click Save button Setting navigation panel Setting information viewing window ...

Page 284: ...gy setting screen structure is as follows Item Description Necessity of Operation Remarks Network Topology Network Topology function setting and reference Device Map Display and configure device map Device Manager Device management setting External Device PATLITE function setting ...

Page 285: ...f information displayed on the device map Device search method by device map MAC mode display example IP mode display example 1 Open the Device Map screen from TOP Network Topology 2 From the pull down menu select IP address or MAC address 3 Enter the MAC address or IP address and click the Search button 4 The circle mark of the connection port of the searched terminal changes to red and indicates...

Page 286: ...ap detects and displays the terminal that communicated between LAN and WAN Communication between LANs is not detected When a router is connected between two devices the device information will not be displayed correctly MAC address is displayed as the WAN address of the router device information and device type is displayed as device information The device information and device type do not necess...

Page 287: ...n to display in the pull down Select from 1 hour 4 hours 8 hours 12 hours 24 hours no update 1 hour Interface Comment Comments on each physical interface can be placed LAN1 Enter a name to identify LAN port 1 It can be set within 0 to 32 characters Not Set LAN2 Enter a name to identify LAN port 2 It can be set within 0 to 32 characters Not Set LAN3 Enter a name to identify LAN port 3 It can be set...

Page 288: ... the Apply button 6 Click the Save button to save the setting Setting Item Description Initial Value Update Interval Sets the background update interval for the device information to display in the pull down Select from 1 hour 4 hours 8 hours 12 hours 24 hours no update 1 hour Interface Comment A comment can be added to each physical interface LAN1 Enter a name to identify LAN port 1 It can be set...

Page 289: ...e to identify Secondary SSID It can be set within 0 to 32 characters Not set WAN Enter a name to identify the WAN port It can be set within 0 to 32 characters Not set Community Name Setting Set the community name of the network Community Name If a router is used with this product set the same community name as the SNMP community name set in the router Public ...

Page 290: ...rom MAC mode or IP mode 3 To enable statistical information for each terminal of the detected terminal check Enable Auto Registration Device to Statistics Target list in the Automatic Registration Configuration 4 Check the MAC address automatically displayed or manually enter the MAC address 5 In Comment enter a name to identify the terminal 6 Enter the email address of the person who will receive...

Page 291: ...AC address comment e mail address statistical information of the terminal to be registered and click the Set button Delete device Since this product is a security device it holds information on the device where communication is detected during operation of this product To delete a device from the device list follow the procedure below 1 Disconnect the device to be deleted from this product 2 Open ...

Page 292: ...depending on the application used and other factors Comment Input the name to identify the terminal cannot be used Not Set Mail Address Input an e mail address of the terminal user to receive e mail notifications Not Set Link Wired wireless and not connected are indicated by icons If target managed terminal is not detected from this product not connected is displayed Mail Check to enable e mail no...

Page 293: ...ly by other vendors It must be prepared by the customer Refer to Section 3 3 15 for the tested PATLITE products 1 Open the External Device screen from TOP Network Topology 2 Select the device type and select Rotary Beacon Light 3 Check Enable Light in Rotary Beacon Light Configuration 4 Enter the information for the PATLITE in Connection Configuration 5 Check the threat detection conditions to lig...

Page 294: ...E device when a threat is detected by the Antivirus function Enabled Light Detecting IPS Block Check this item to light the PATLITE device when a threat is detected by the Intrusion Prevention System function Disabled Light Detecting WG Block Check this item to light the PATLITE device when a threat is detected by the Web Guard function Enabled Light Detecting UF Block Check this item to light the...

Page 295: ...seconds when turning back the power on 2 The RESET switch is at the back of this product Press the switch using a thin stick or wire material that does not conduct electricity like toothpick tip until POWER NETWORK and WIRELESS lamps begin to flash green then let go It takes about 6 to 10 seconds for POWER NETWORK and WIRELESS lamps to flash green on and off This completes the initialization After...

Page 296: ...sion upgrade function firmware can be updated by switch operation The operation specifications are as follows The operation varies depending on the state of the INFO lamp INFO lamp is lit orange 1 Press and hold the OPT2 switch on the back of this product for at least 3 seconds until the INFO lamp blinks orange with a thin rod shape object material that does not pass electricity such as toothpick ...

Page 297: ...mary SSID is enabled 1 Activate the WPS PBC function of the wireless LAN terminal For the start up refer to the instruction manual attached to the wireless LAN terminal 2 Continue to hold down the WPS switch on the front of this product and release the WIRELESS lamp of this product as it flashes orange 3 Confirm that the WIRELESS lamp of this product lights orange After the WPS processing is over ...

Page 298: ...ce Information BGP Peer State IPsec SA Information TOP Maintenance Information VPN Status IPsec Certificate Information TOP Maintenance Information VPN Status IPsec Tunnel Traffic statistical information TOP Maintenance Information VPN Statistics SNMP MIB Information TOP Maintenance Information MIB Information Event Log TOP Maintenance Information Event Log Security scan function license informati...

Page 299: ...rmation Description Device Information Displays the device information of this product Device ID Displays the device ID of this product Serial Number Displays the serial number of this product WAN MAC Address Displays the WAN interface MAC address of this product LAN MAC Address Displays the LAN interface MAC address of this product WLAN MAC Address Displays the wireless LAN interface MAC address ...

Page 300: ...splays the channel used by the secondary wireless LAN function Encryption Mode Displays the encryption mode used for the secondary wireless LAN function WAN IPoE Status Displays the WAN IPoE status IPv4 Connectivity Status Internet Connected IP address is set in the WAN interface Internet Not Connected IP address is not set in the WAN interface IPv4 Address Netmask Displays the IP address and net ...

Page 301: ... 301 6 1 2 Confirmation of Firmware Version and Network Information Router Mode The firmware version and the network information of this product can be checked on the Web setting 1 Open TOP Maintenance Information Device Status screen ...

Page 302: ...unction Network Name SSID Displays the SSID of the secondary wireless LAN function Channels Displays the channel used by the secondary wireless LAN function Encryption Mode Displays the encryption mode used for the secondary wireless LAN function LAN Status IPv4 Address Netmask Displays the IP address and netmask of the LAN interface DNS Server Information IPv4 Primary DNS Displays the primary DNS...

Page 303: ...N Port 2 Displays the LAN port 2 connection status LAN Port 3 Displays the LAN port 3 connection status LAN Port 4 Displays the LAN port 4 connection status Refresh button Updates the display contents of this screen to the latest information ...

Page 304: ...ion Disable State where the license of the security scan function has expired and activation is not yet done Check License button Check the license expiration time on the license server and display the latest expiration time Used when purchasing an additional license 1 year Update Signature button After checking whether there is an updatable signature update it to the latest signature Feature Stat...

Page 305: ...ate where the URL Keyword Filtering function is disabled For functions which do not use a signature the signature version is displayed as Application Guard Enable State where the Application Guard function is enabled Disable State where the Application Guard function is disabled RADIUS Server Function Validity Displays the operating status of the simple RADIUS function Enable State with simple RAD...

Page 306: ...ing table of this product can be checked on the Web setting This information is displayed only in router mode 1 Open the Routing Table screen from TOP Maintenance Information When the Refresh button is clicked the display screen is updated to the latest information ...

Page 307: ...nts Symbols such as on the left end A valid route on the BGP table d The corresponding route up down is intense and suppressed r A state that is not installed in the routing table by RIB Failure s Status suppressed by the summary only option of the aggregate address command Route selected as best path i When i is displayed on the right side of the best path the route is an iBGP route If nothing is...

Page 308: ...S The AS number passed through is displayed in order from the right end i is ORIGIN attribute of IGP for Incomplete 6 1 5 BGP Peer Status The BGP peer status of this product can be confirmed on the Web setting This information is displayed only in router mode 1 Open the BGP Peer Status screen from TOP Maintenance Information ...

Page 309: ...until a BGP session is established After establishment the number of received routes from the BGP neighbor is displayed Total number of neighbors 2 Number of BGP neighbors Includes neighbors where BGP sessions are not yet established How to read detailed BGP peer status This table summarizes and displays the status of BGP connection and the connection status of each neighbor Item Display Value Con...

Page 310: ...attribute sent to this neighbor both Default Information originate default sent 6 accepted prefixes Maximum prefixes allowed 1024 warning only Threshold for warning message 100 Connections established 13 dropped 12 Last reset 01 10 18 due to User reset Description of address family Local host 10 1 1 1 Local host IP address Local port 49909 Local host port number Foreign host 10 1 180 180 External ...

Page 311: ...d One leased IP address information is displayed per line The following describes the displayed contents of the items from the left side Lease expiration Expiration date of the leased IP address Client MAC Address The MAC address of the client from which the IP address is leased Leased IP address IP address leased to a client Client Hostname Hostname of the client Client ID Client ID of the client...

Page 312: ...extended channel is not used 1 The extended channel is 4 channels lower than the control channel 1 The extended channel is 4 channels higher than the control channel Wi Fi Station Secondary SSID The WLAN information of the secondary SSID can be checked Refer to Wi Fi station information primary SSID for the details ARP Table The ARP table information of this product can be checked One entry inform...

Page 313: ...yed only in router mode 1 Open the VPN Status screen from TOP Maintenance Information When the Refresh button is clicked the display screen is updated to the latest information How to read SA information Item Displayed Value Content Listening IP address 172 168 10 100 WAN IP address of the local device 192 168 1 200 LAN IP address of the local device ...

Page 314: ...ations 1up 0conne cting vpn ipsec0 1 ESTABLISHED 6 seconds ago 172 16 10 100 172 16 10 100 172 16 20 200 172 16 20 200 vpn ipsec0 1 IKEv1 SPIs c2a243c70373cf6f_i b53e19843e16ad53_r pre shared key re authentication in 6 hours vpn ipsec0 1 IKE proposal AES_CBC_256 HMAC_SHA1_96 PRF_HMAC_SHA1 MODP_768 IKE SA information Displays the local ID remote ID of IKE Phase 1 and the IP address of the connected...

Page 315: ...uer Displays the issuer of the certificate validity Displays the expiration date In case where the time acquisition could not be done this unit does not check the start time serial Displays the serial number flags Displays flags related to CRL subjkeyId Displays the public key ID pubkey Displays the public key length keyid Displays the keyID subjkey Displays the public key ...

Page 316: ...art counter ikeRspRekey IKE SA rekey response counter ikeChildSaRekey IPsec SA rekey success counter ikeInInvalid Received invalid messages counter ikeInInvalidSpi Received invalid ID SPI counter ikeInInitReq Received IKE SA initialization request counter ikeInInitRsp Received IKE SA initialization response counter ikeOutInitReq Transmitted IKE SA initialization request counter ikeOutInitRsp Trans...

Page 317: ...nter ikeInInitReq Received IKE SA initialization request counter ikeInInitRsp Received IKE SA initialization response counter ikeOutCrChildRsp Transmitted IPsecSA create response counter ikeInInfoReq Received INFORMATIONAL request counter ikeInInfoRsp Received INFORMATIONAL response counter ikeOutInfoReq Transmitted INFORMATIONAL request counter ikeOutInfoRsp Transmitted INFORMATIONAL response cou...

Page 318: ...as 1 3 6 1 2 1 11 1 OID Object Name Contents 1 3 6 1 2 1 11 1 snmpInPkts The total number of received SNMP messages 1 3 6 1 2 1 11 2 OutPkts The total number of sent SNMP messages 1 3 6 1 2 1 11 3 InBadVersions The total number of arrived unsupported version of SNMP messages 1 3 6 1 2 1 11 4 InBadCommunityNames The total number of SNMP messages with invalid community name 1 3 6 1 2 1 11 5 InBadCom...

Page 319: ... The total number of sent badValue SNMP error messages 1 3 6 1 2 1 11 24 OutGenErrs The total number of sent getErr SNMP messages 1 3 6 1 2 1 11 25 OutGetRequests The total number of sent Get Request 1 3 6 1 2 1 11 26 OutGetNexts The total number of sent Get Next 1 3 6 1 2 1 11 27 OutSetRequests The total number of sent Set Request 1 3 6 1 2 1 11 28 OutGetResponses The total number of sent GetResp...

Page 320: ...r similar device Setting Item Value Remarks Initial Value Select Log Emergency Event volume small Alert Critical Error Warning Notice Informational Debug Event volume big Select the level to display the event log Levels that can be changed by log level is shown on the left The event log level can be changed according to the severity and urgency of the event For example when set to Emergency level ...

Page 321: ... level to save the event log from Log Level 3 Click the Apply button 4 Click the Save button to save the setting Setting Item Value Remarks Initial Value Event Log Function Checked If the event log function is used Unchecked If the event log function is not used Enabled Log Level Emergency Event volume small Alert Critical Error Warning Notice Informational Debug Event volume big Set the level to ...

Page 322: ...nctions To exclude blocked communication from detection targets set individual permission from this screen Log Setting Set whether to display security log for each security scan function Check the function to output to the security log Log Setting tab View Log tab 1 Open the TOP Security Security Log screen 2 Click the Log Setting tab check to enable the function and click the Apply button 3 Click...

Page 323: ...g log messages Click the Export button to save the security logs to a computer Individual permission To exclude communication blocked by the security scan function select the corresponding security log and click the individual permission button However when setting individual permissions even if the applicable communication is dangerous it will be permitted When setting these permissions it is the...

Page 324: ...on from the list select the applicable list and click the Pass Setting button The following screen will pop up After checking the contents click the OK or Cancel button If OK is clicked it will be reflected in the individual permission setting This method of individual permission setting is the same for the other security scan functions 1 Select the item to be permitted individually from the secur...

Page 325: ...Prevention IPS Application Guard APG Web Guard WG When HTTP access is blocked the HTTP X Forwarded For header information is outputted to the security log Use it when checking the access source when accessing the relevant page through a proxy server ...

Page 326: ...326 Device Information Confirmation URL Filter UF URL Keyword Filter KF ...

Page 327: ...G The date time function action detected terminal MAC destination IP address and source IP address and port protocol can be checked The function indicates the type of threat detected Security log display area Checking of past logs can be done by going back through pages Specify the number of logs displayed per page Display latest logs delete logs and save security logs to a computer ...

Page 328: ...n the security scan function license of this product has expired when the security scan function is being prepared or when the setting of each security scan function is disabled Tab Description Daily Displays daily statistics Weekly Displays weekly statistics Monthly Displays monthly statistics Displays monthly access information UF APG Detail Displays hourly statistics for the selected day Chart ...

Page 329: ...weekly basis for each security scan function Monthly Display the number of blocks and scans on a monthly basis for each security scan function For UF and APG if the item name is clicked UF has a monthly category APG can display the monthly application access information Click UF Click APG ...

Page 330: ...f accesses Category Displays the category name of the URL Filtering function Only those detected in the target month are displayed Access Displays the total number of accesses detected by this product during the selected period Average Displays the average number for the past 2 months to present If past information is only for one month information for the past month will be displayed Even if you ...

Page 331: ...cation Name Displays the application name of the Application Guard function Only those detected in the target month are displayed Access Count Displays the total number of accesses detected by this product during the selected target period Historical Average Display the average number for the past 2 months to present If past information is only for one month information for the past month will be ...

Page 332: ...332 Device Information Confirmation Detail For each selected date the number of scans and blocks for every security scan function are displayed per hour ...

Page 333: ...ering function Number of URLs Block Number of traffic blocked by the URL Filtering function Number of URLs KF Scan Number of traffic scanned by the URL Keyword Filtering function Number of URLs Block Number of traffic blocked by the URL Keyword Filtering function Number of URLs APG Scan Number of application and protocol scanned by the Application Guard function Block Number of application and pro...

Page 334: ...lay 1 Open the Statistics screen from TOP Security 2 Click the Graph tab and check the occurrence status of the blocks from the block graph 3 Click Select Function to display the security scan function The mark in the column of the table indicates the selected security scan function Note Other on the right side of the graph shows the total number of blocks of terminals that are not set for statist...

Page 335: ...rom this product and confirm the arrival of that packet 1 Open the Ping screen from TOP Maintenance Diagnostics 2 Set the address information of the target host Enter the IPv4 address or domain name of the target node 3 Click the Execute button How to view the results Sent ping packet five times all succeeded received Sent ping packet five times all failed ...

Page 336: ...ct and confirm the route to the target host 1 Open the Traceroute screen from Top Maintenance Diagnostics 2 Set the address information of the node for route checking to the Target Host Enter the IPv4 address or domain name of the node for route checking 3 Click the Execute button To view the results Target host to 192 168 252 1 via 192 168 1 1 and 192 168 200 1 ...

Page 337: ...g An example of display is shown below If all the self diagnosis results are OK but the Internet cannot be accessed see Section 7 1 5 Cannot Access the Internet Self diagnosis before execution 1 Open the TOP Maintenance Diagnostics Self Diagnosis screen 2 Click the Execute button Viewing the results Self diagnosis after execution The display example is an example when the cable of the WAN port is ...

Page 338: ...LEAR button To re collect packet dumps after clicking the DOWNLOAD button click the CLEAR button Setting Items Value Remarks Initial Value Capture Interface WAN Checked Collect WAN interface packet dumps Unchecked Do not collect WAN interface packet dumps Select the number of files to save by using the pulldown menu Disabled Number of files 3 LAN Checked Collect LAN interface packet dumps Unchecke...

Page 339: ... Since this product can store up to 120 Mbytes in memory it must be set not to exceed the limit For example if all four interfaces need to be captured check the four interfaces and specify the number of each file as 3 4 interfaces x 3 files x 10 Mbytes 120 Mbytes To collect only LAN and WAN check the LAN and WAN and set the number of each file to 6 60 MB of each capture can be collected Caution Wh...

Page 340: ...atus In case of 1 to 4 below since this product does not detect TCP SYN and ACK it considers it an illegal packet and will discard TCP ACK In such a case the routing setting of the router need to be changed so as not to issue a route change request or to add routing information to the routing table of each PC １ Since TCP SYN from PC 1 to Server is a different subnet it is sent to RouterA of the de...

Page 341: ...rk 2 Depending on the network that requires confirmation of the network configuration upon installation changing the setting of other network equipment may be needed A network where there are multiple packet routes to each node This is an example of a network configuration where it is assumed that all packets going back and forth between nodes including internet access from the node will not pass ...

Page 342: ...t certificate 7 1 3 Forgot Login Password of Web Setting Please initialize this product This product cannot return the login password to the initial state Initialization method Please initialize using the reset switch of this product For the details refer to Section 5 10 1 Note After initializing and restarting the product no activation operation is required 7 1 4 Cannot Activate If the ALERT2 lam...

Page 343: ... minutes there might be something abnormal with this product Turn the power off once and then turn it on after 10 seconds If this continues please contact your distributor Note Blinking orange indicates writing to memory or USB memory If the USB memory is continuously written including erasing flashing orange continues In this case do not turn off the power 5 NETWORK21 Orange or Green The IP addre...

Page 344: ...10 seconds turn on the power If this continues please contact your distributor 7 1 6 Security Scan Function Not Working The security scan function of this product limits the packets to be detected Encrypted packets such as encrypted packets with IPsec are not supported For more information on the security scan function of this product refer to the Section 3 1 If the security scan function such as ...

Page 345: ...ter KF screen uncheck the Enable Keyword Filter check box in Keyword Filter Configuration and change it to disabled See Section 5 8 8 Application Guard APG On the Application Guard APG screen uncheck Enable Application Guard in Application Guard Configuration and change it to disabled See Section 5 8 9 7 1 9 Operation to be Done When Setting Values are Changed If settings of this product are chang...

Page 346: ...ncorrect Check the following setting values Destination address is correct The pre shared key matches the setting of the peer device The local ID and remote ID of IKE Phase 1 must match the setting of the peer device In IKEv2 the local ID and the remote ID of the IKE_SA_INIT exchange must match the setting of the peer device The local ID and remote ID of IKEv Phase 2 must match the setting of the ...

Page 347: ...to channel function of this product is used disable the wireless LAN function of this product then enable it or restart this product to automatically select a channel with good radio conditions Make sure that there is no electronic device using Bluetooth near this product 7 1 15 PPPoE Session Not Connected If the PPPoE session does not connect or is disconnected check the following Check whether t...

Page 348: ...00G WAN IP address 7 1 18 Route Information of RIP is Not Transferred in Bridge Mode When Firewall Configuration is enabled on the TOP Security Firewall FW screen the RIP route information that is transmitted by broadcast from the router or network device connected to the upper level of this product will be discarded In this case set Firewall Configuration to disabled 7 1 19 Cannot Connect to Remo...

Page 349: ...dress of the remote PC Netmask 32 is recommended Source Port Number 3389 When a port number is fixed input the port number Check any if it is undefined Destination IP address IP address of the local PC Netmask 32 is recommended Destination Port Number 3389 The figure is shown with Windows as an example Modify according to the environment ...

Page 350: ...rt from Maintenance IPv4 Packet Filter Edit on the Web setting and click on the Apply button After editing the entry click Save to save the setting value Setting Item Setting Value Remarks Type Permit Filter Type Forward Direction in Protocol TCP Source IP address IP address of remote PC Netmask 32 is recommended Source Port Number Port number of remote PC If the port number is fixed enter that po...

Page 351: ...aned the attached file of the email Check the time information of the received email and the security log of this product to see if the Destroy log remains in the Anti Virus 7 1 25 Device Authentication with MAC Address When installing this product on a network that authenticates the device with a MAC address MAC address permission must be set on this product Be aware that the MAC address for perm...

Page 352: ...s 8 Setting Examples Installation and configuration examples Section Title 8 1 Use in this Network 8 1 1 Operating PPPoE on WAN Side of the Router 8 1 2 Using VPN 8 1 3 Using VLAN 8 1 4 IEEE802 1X Authentication Terminal ...

Page 353: ...ter or a home gateway Install this product in the local area network of the router Installation location 8 1 2 Using VPN Installation location Install this product outside the VPN network Explanation Since the security scan function of this product does not support VPN packets the following configuration is recommended SA3500G PC Router PPPoE SA3500G PC VPN Equipment VPN Internet Internet ...

Page 354: ...354 Setting Examples 8 1 3 Using VLAN Installation location Install this product outside the VLAN network SA3500G PC VLAN Equipment VLAN Network Internet ...

Page 355: ...PoL frames and multicast EAP frames Wireless LAN Using the simple RADIUS function of this product it can be installed with the following configuration Description This product operates as an authenticator of IEEE802 1X wireless LAN SA3500G IEEE802 1X Authenticator IEEE802 1X Supplicant Internet IEEE802 1X Network SA3500G IEEE802 1X Authenticator Wireless LAN IEEE802 1X Supplicant Internet IEEE802 ...

Page 356: ...nature and always uses the latest information Signatures are sometimes called definition files The signature is used with the following functions Antivirus AV Intrusion Prevention IPS Web Guard WG Application Guard APG Security Scan Function This is the name of the security function of this product It has the following functions Fire Wall FW Anti Virus AV Intrusion Prevention IPS Web guard WG Unif...

Page 357: ... Ｔ ｄ ｔ ５ EQ NK ５ Ｅ Ｕ ｅ ｕ ６ AK SN ６ Ｆ Ｖ ｆ ｖ ７ BL EB ７ Ｇ Ｗ ｇ ｗ ８ BS CN ８ Ｈ Ｘ ｈ ｘ ９ HT EM ９ Ｉ Ｙ ｉ ｙ Ａ LF SB Ｊ Ｚ ｊ ｚ Ｂ HM EC Ｋ ｋ Ｃ CL Ｌ ｌ Ｄ CR Ｍ ｍ Ｅ SO Ｎ ｎ Ｆ SI Ｏ ｏ Example 0x35 5 0x21 0x0D CR return 0x0A LF new line 0x09 TAB Horizontal tab 0x03 CTL C Control C 0x1B ESC Escape 0x20 SPC Space Upper 4 bits Available code Lower 4 bits ...

Page 358: ...358 Contact Information 10 Contact Information For general questions such as this product function operation setting and troubleshooting please contact your distributor ...

Page 359: ... Function Manual NWA A08068 001 00 Copyright 2018 NEC Platforms Ltd 1th edition October 2018 NEC Platforms Ltd Reproduction revision and distribution are prohibited without permission from NEC Platforms Ltd NEC Platforms Confidential ...