Planet Technology CS-500 User Manual

Content Security Gateway User’s Manual

Content Security Gateway

CS-500

User’s Manual

Content Security Gateway User’s Manual

Copyright

Copyright (C) 2005 PLANET Technology Corp. All rights reserved.
The products and programs described in this User’s Manual are licensed products of PLANET Technology, This User’s
Manual contains proprietary information protected by copyright, and this User’s Manual and all accompanying hardware,
software, and documentation are copyrighted.
No part of this User’s Manual may be copied, photocopied, reproduced, translated, or reduced to any electronic medium
or machine-readable form by any means by electronic or mechanical. Including photocopying, recording, or information
storage and retrieval systems, for any purpose other than the purchaser's personal use, and without the prior express
written permission of PLANET Technology.

Disclaimer

PLANET Technology does not warrant that the hardware will work properly in all environments and applications, and
makes no warranty and representation, either implied or expressed, with respect to the quality, performance,
merchantability, or fitness for a particular purpose.
PLANET has made every effort to ensure that this User’s Manual is accurate; PLANET disclaims liability for any
inaccuracies or omissions that may have occurred.
Information in this User’s Manual is subject to change without notice and does not represent a commitment on the part of
PLANET. PLANET assumes no responsibility for any inaccuracies that may be contained in this User’s Manual. PLANET
makes no commitment to update or keep current the information in this User’s Manual, and reserves the right to make
improvements to this User’s Manual and/or to the products described in this User’s Manual, at any time without notice.
If you find information in this manual that is incorrect, misleading, or incomplete, we would appreciate your comments and
suggestions.

CE mark Warning

This is a class B device, in a domestic environment, this product may cause radio interference, in which case the user
may be required to take adequate measures.

Trademarks

The PLANET logo is a trademark of PLANET Technology.
This documentation may refer to numerous hardware and software products by their trade names. In most, if not all cases,
these designations are claimed as trademarks or registered trademarks by their respective companies.

Customer Service

For information on customer service and support for the Content Security Gateway, please refer to the following Website
URL:

http://

www.planet.com.tw

Before contacting customer service, please take a moment to gather the following information:

♦ Content Security Gateway serial number and MAC address
♦ Any error messages that displayed when the problem occurred
♦ Any software running when the problem occurred
♦ Steps you took to resolve the problem on your own

Revision

User’s Manual for PLANET Content Security Gateway

Model: CS-500

Rev: 3.0 (May, 2006)

Part No. EM-CS500v3

Content Security Gateway User’s Manual

Table of Contents

CHAPTER 1: INTRODUCTION ........................................................................................................................ 1

1.1 FEATURES...........................................................................................................................................................1

1.2 PACKAGE CONTENTS ..........................................................................................................................................2

1.3 CONTENT SECURITY GATE WAY FRONT VIEW ....................................................................................................2

1.4 CONTENT SECURITY GATE WAY REAR PANEL ....................................................................................................2

1.5 SPECIFICATION....................................................................................................................................................3

CHAPTER 2: HARDWARE INSTALLA TION.................................................................................................... 5

2.1 INSTALLATION REQUIREMENTS ...........................................................................................................................5

2.2 OPERATION MODE..............................................................................................................................................5

2.2.1 Transparent Mode Connection Example..............................................................................................5

2.2.2 NAT Mode Connecting Example ...........................................................................................................6

CHAPTER 3: GETTING STARTED .................................................................................................................. 7

3.1 WEB CONFIGURATION ........................................................................................................................................7

3.2 CONFIGURE WAN INTERFACE ............................................................................................................................8

3.3 CONFIGURE DMZ INTERFACE ............................................................................................................................9

3.4 CONFIGURE POLICY............................................................................................................................................9

CHAPTER 4: WEB CONFIGURATION ...........................................................................................................11

4.1 SYSTEM.............................................................................................................................................................11

4.1.1 Admin.......................................................................................................................................................12

4.1.2 Permitted IPs..........................................................................................................................................14

4.1.3 Software Update....................................................................................................................................16

4.1.4 Setting .....................................................................................................................................................16

4.1.5 Date/Time................................................................................................................................................22

4.1.6 Multiple Subnet ......................................................................................................................................23

4.1.7 Route Table.............................................................................................................................................28

4.1.8 DHCP.......................................................................................................................................................30

4.1.9 Dynamic DNS.........................................................................................................................................31

4.1.10 Host Table.............................................................................................................................................34

4.1.11 Language ..............................................................................................................................................36

4.1.12 Logout ...................................................................................................................................................36

4.2 INTERFACE ........................................................................................................................................................37

4.2.1 LAN..........................................................................................................................................................37

4.2.2 WAN.........................................................................................................................................................38

4.2.3 DMZ.........................................................................................................................................................42

Content Security Gateway User’s Manual

4.3 POLICY OBJECT ................................................................................................................................................43

4.3.1 Address...................................................................................................................................................43

4.3.1.1 LAN.................................................................................................................................................44

4.3.1.2 LAN Group.....................................................................................................................................46

4.3.1.3 WAN............................................................................................................................................... 49

4.3.1.4 WAN Group...................................................................................................................................51

4.3.1.5 DMZ................................................................................................................................................53

4.3.1.6 DMZ Group.................................................................................................................................... 55

4.3.2 Service.....................................................................................................................................................58

4.3.2.1 Pre-defined....................................................................................................................................59

4.3.2.2 Custom...........................................................................................................................................59

4.3.2.3 Group..............................................................................................................................................62

4.3.3 Schedule.................................................................................................................................................64

4.3.4 QoS..........................................................................................................................................................66

4.3.5 Authentication......................................................................................................................................... 70

4.3.5.1 Auth Setting...................................................................................................................................70

4.3.5.2 Auth User.......................................................................................................................................71

4.3.5.3 Auth Group ....................................................................................................................................75

4.3.5.4 Radius Serve.................................................................................................................................77

4.3.5.5 POP3..............................................................................................................................................78

4.3.6 Content Blocking.................................................................................................................................... 79

4.3.6.1 URL Blocking.................................................................................................................................79

4.3.6.2 Scripts ............................................................................................................................................81

4.3.6.3 P2P.................................................................................................................................................82

4.3.6.4 IM....................................................................................................................................................83

4.3.6.5 Download.......................................................................................................................................83

4.3.6.6 Upload............................................................................................................................................84

4.3.7 Virtual Server.......................................................................................................................................... 84

4.3.7.1 Mapped IP.....................................................................................................................................85

4.3.7.2 Virtual Server.................................................................................................................................88

4.3.8 VPN..........................................................................................................................................................94

4.3.8.1 IPSec Autokey...............................................................................................................................94

4.3.8.2 PPTP Server..................................................................................................................................97

4.3.8.3 PPTP Client.................................................................................................................................100

4.3.8.4 T unnel...........................................................................................................................................102

4.4 POLICY ............................................................................................................................................................153

4.4.1 Outgoing................................................................................................................................................153

4.4.2 Incoming................................................................................................................................................156

4.4.3 WAN To DMZ & LAN To DMZ............................................................................................................159

Content Security Gateway User’s Manual

4.4.4 DMZ To WAN & DMZ To LAN............................................................................................................162

4.5 MAIL SECURITY...............................................................................................................................................166

4.5.1 Configure...............................................................................................................................................166

4.5.2 Anti-Spam .............................................................................................................................................170

4.5.2.1 Setting..........................................................................................................................................171

4.5.2.2 Rule..............................................................................................................................................172

4.5.2.3 Whitelist........................................................................................................................................175

4.5.2.4 Blacklist........................................................................................................................................176

4.5.2.5 T raining.........................................................................................................................................178

4.5.2.6 Spam Mail....................................................................................................................................185

4.5.3 Anti-Virus............................................................................................................................................... 185

4.5.3.1 Setting..........................................................................................................................................185

4.5.3.2 Virus Mail.....................................................................................................................................187

4.6 IDP..................................................................................................................................................................187

4.6.1 Setting ...................................................................................................................................................187

4.6.2 Signature...............................................................................................................................................188

4.6.3 IDP Report............................................................................................................................................192

4.7 ANOMALY FLOW IP .........................................................................................................................................192

4.8 MONITOR.........................................................................................................................................................193

4.8.1 Log.........................................................................................................................................................193

4.8.1.1 T raf fic............................................................................................................................................ 193

4.8.1.2 Event ............................................................................................................................................195

4.8.1.3 Connection ..................................................................................................................................196

4.8.1.4 Log Backup..................................................................................................................................197

4.8.2 Accounting Report...............................................................................................................................198

4.8.2.1 Setting..........................................................................................................................................199

4.8.2.2 Outbound.....................................................................................................................................199

4.8.2.3 Inbound........................................................................................................................................202

4.8.3 Statistic..................................................................................................................................................205

4.8.3.1 WAN Statistics.............................................................................................................................206

4.8.3.2 Policy Statistics...........................................................................................................................206

4.8.4 Status.....................................................................................................................................................208

4.8.4.1 Interface Status........................................................................................................................... 208

4.8.4.2 Authentication..............................................................................................................................209

4.8.4.3 ARP Table....................................................................................................................................209

4.8.4.4 DHCP Clients..............................................................................................................................210

Content Security Gateway User’s Manual

Chapter 1: Introduction

The innovation of the Internet has created a tremendous worldwide venue for e-business and information
sharing, but it also creates network security problems, so the security request will be the primary concerned
for the enterprise. Planet’s Content Security Gateway CS-500, a special designed of security gateway for
small business, adopts Heuristics Analysis to filter spam and virus mail, auto-training system can raise
identify rate of spam, and built-in Clam virus scan engine can detect viruses, worms and other threats from
email transfer.

Meanwhile, Instant Messaging (IM) and peer-to-peer (P2P) are the fastest growing communications medium
of all time, the spread of IM and P2P has created a network security threats and consumed amount of
bandwidth. CS-500 also can prevent employees using varied IM and P2P like MSN, Yahoo Messenger, ICQ,
QQ and Skype.

CS-500 not only can filter spam and virus mail, but also is a high performance VPN firewall. The IDP and
firewall function can defense hacker and blaster attack from Internet. Moreover, built-in QoS feature can let
you configure the traffic per specific protocol more flexibly. The completely function in one device can offers
an excellent security solution and the secure environment for the SMB or SOHO users.

1.1 Features

♦ Anti-Spam Filtering: Multiple defense layers (Head Analysis, Text Analysis, Blacklist & Whitelist,

Bayesian Filtering), and Heuristics Analysis to block over 95% spam mail. Customizable notification
options and spam mail report are provided for administrator. Varied actions toward spam mail include:
Delete, Deliver, and Forward. Built-in auto-training system to rise identify rate of spam mail substantially.

♦ Anti-Virus Protection: Built-in Clam virus scan engine can detect viruses, worms, and other threats

from email transfer. Scan mission-critical content protocols-SMTP, POP in real time as traffic enters the
network to provide maximum protection. Customizable notification options and virus mail report are
provided for administrator. Varied actions toward spam mail include: Delete, Deliver, and Forward.

♦ Policy-based Firewall: The built-in policy-based firewall prevent many known hacker attack including

SYN attack, ICMP flood, UDP flood, Ping of Death, etc. The access control function allowed only
specified WAN or LAN users to use only allowed network services on specified time.

♦ VPN Connectivity: The security gateway support PPTP server/client and IPSec VPN. With DES, 3DES

and AES encryption and SHA-1 / MD5 authentication, the network traffic over public Internet is secured.

♦ Content Filtering: The security gateway can block network connection based on URLs, Scripts (The

Pop-up, Java Applet, cookies and Active X), P2P (eDonkey, Bit Torrent, WinMX and Foxy), Instant

Messaging (MSN, Yahoo Messenger, ICQ, QQ and Skype), Download and Upload.

♦ IDP: CS-500 provides three kinds of the Signature to complete the intrusion detection system, user can

select to configure “Anomaly”, “Pre-defined” and “Custom” according to the current environment’s
request.

♦ QoS: You can control the outbound and inbound Upstream/downstream Bandwidth by configuring the

QoS based on the WAN bandwidth.

♦ User Authentication: Web-based authentication allows users to be authenticated by web browser. User

database can be configured on the devices or through external RADIUS server.

♦ Multiple NAT: Multiple NAT allows local port to set multiple subnet works and connect to the Internet

through different WAN IP addresses.

- 1 -

Content Security Gateway User’s Manual

1.2 Package Contents

The following items should be included:

CS-500

 Content Security Gateway

 User’s Manual CD-ROM

 This Quick Installation Guide

 Power Adapter

If any of the contents are missing or damaged, please contact your dealer or distributor immediately.

1.3 Content Security Gateway Front View

CS-500 Front Panel

LED Description

PWR Power is supplied to this device.

STATUS Blinks to indicate this devise is being turned on

and booting. After one minute, this LED indicator
will stop blinking, it means this device is now
ready to use.

WAN, LAN,
DMZ

Steady on indicates the port is connected to
other network device.

Blink to indicates there is traffic on the port

1.4 Content Security Gateway Rear Panel

CS-500 Rear Panel

Port or button Description

RESET Press this button to restore to factory default

- 2 -

Content Security Gateway User’s Manual

A

A

settings.

WAN Connect to your xDSL/Cable modem or other

Internet connection devices

LAN Connect to your local PC, switch or other

local network device

DMZ Connect to your server or other network

device

1.5 Specification

Product Content Security Gateway
Model CS-500
Hardware
Ethernet

LED POWER, STATUS, 10/100 and LNK/ACT for each LAN and WAN port
Power 5VDC, 2.4A
Operating Environment Temperature: 0~50°C

Dimension W x D x H, mm 220 x 150 x 40
Regulatory FCC, CE Mark
Software
Management Web
Network Connection Transparent mode (WAN to DMZ), NAT, Multi-NAT
Routing Mode Static Route, RIPv2
Concurrent Sessions 110,000
New session / second 8,000
Email Capacity per Day 90,000
Firewall Throughout 100Mbps
3DES Throughput 15Mbps
Firewall Policy-based firewall rule with schedule, NAT/NAPT, SPI firewall
VPN Tunnels 200
VPN Function PPTP server and client, IPSec

Content Filtering URL, P2P application, Instant Message, download & upload blocking

Anomaly Flow IP Hacker Alert:

Scanning Mail Settings The allowed size of scanned mail: 10 ~ 512Kbytes
Anti-Virus Email attachment virus scanning by SMTP, POP3

Anti-Spam Inbound scanning for external and internal Mail Server

LAN 1 x 10/100Mbps RJ-45
WAN 1 x 10/100Mbps RJ-45
DMZ 1 x 10/100Mbps RJ-45

Relative Humidity: 10%~90%

DES, 3DES and AES encryption, SHA-1 and MD5 authentication algorithm
Remote access VPN (client-to-Site) and Site to Site VPN

Popup, Java Applet, cookies and Active X blocking

Sasser, Code Red, Syn Flood, ICMP Flood, UDP Flood, Blaster Alert

Inbound scanning for internal and external Mail server

ction of infected mail: Delete, Deliver to the recipient, forward to a specific
account
Automatic or manual update virus database

Check sender address in RBL
Black list and white list support auto training system

ction of spam mail: Delete, Deliver to the recipient, forward to a specific
account

- 3 -

Content Security Gateway User’s Manual

IDP Anomaly: Syn Flood, UDP Flood, ICMP Flood and more.

Pre-defined : Backdoor, DDoS, DoS, Exploit, NetBIOS and Spyware.
Custom: User defined based on TCP, UDP, ICMP or IP protocol.

QoS Policy rules with Inbound/Outbound traffic management

Guaranteed and maximum bandwidth
Scheduled in unit of 30 minutes
3 Priorities

User Authentication Built-in user database with up to 500 entries

Support local database, RADIUS and POP3 authentication

Logs Log and alarm for event and traffic

Log can be saved from web, sent by e-mail or send to syslog server

Statistics Traffic statistics for WAN interface and policies

Graphic display

Others Dynamic DNS, NTP support, DHCP server, Virtual server, Mapping IP (DMZ)

- 4 -

Content Security Gateway User’s Manual

Chapter 2: Hardware Installation

2.1 Installation Requirements

Before installing the Content Security Gateway, make sure your network meets the following requirements.

- Mechanical Requirements

The Content Security Gateway is to be installed between your Internet connection and local area network.
The Content Security Gateway can be placed on the table or rack. Locate the unit near the power outlet.

- Electrical Requirements

The Content Security Gateway is a power-required device, it means, the Content Security Gateway will not
work until it is powered. If your networked PCs will need to transmit data all the time, please consider use
an UPS (Uninterrupted Power Supply) for your Content Security Gateway. It will prevent you from network
data loss. In some area, installing a surge suppression device may also help to protect your Content
Security Gateway from being damaged by unregulated surge or current to the Content Security Gateway.

- Network Requirements

In order for Content Security Gateway to secure your network traffic, the traffic must pass through Content
Security Gateway at a useful point in a network. In most situations, the Content Security Gateway should
be placed behind the Internet connection device.

2.2 Operation Mode

CS-500 DMZ port supports three operation modes, Disable, NAT and Transparent. In Disable mode, the DMZ
port is not active. In transparent mode, CS-500 works as proxy with forward DMZ packet to WAN and forward
WAN packet to DMZ, the DMZ and WAN side IP addresses are in the same subnet. In NAT mode, DMZ side
user will share one public IP address of WAN port to make Internet connection. Please find the following two
pictures for example.

2.2.1 Transparent Mode Connection Example

Internet

ISP

ADSL Modem

WAN: 61.11.11.11

CS-500

LAN:

192.168.1.1

LAN PC 1:

192.168.1.2

LAN PC 2:

192.168.1.3

- 5 -

DMZ: Trans parent
to WAN

DMZ PC 3:

61.11.11.12

DMZ PC 2:

61.11.11.13

Content Security Gateway User’s Manual

The WAN and DMZ side IP addresses are on the same subnet. This application is suitable if you have a
subnet of IP addresses and you do not want to change any IP configuration on the subnet.

2.2.2 NAT Mode Connecting Example

Internet

ISP

ADSL Modem

CS-500

DMZ: NAT

192.168.2.1

DMZ PC 3:

192.168.2.2

DMZ PC 2:

192.168.2.3

LAN:

192.168.1.1

LAN PC 1:

192.168.1.2

WAN: 61.11.11.11

LAN PC 2:

192.168.1.3

DMZ and WAN IP addresses are on the different subnet. This provides higher security level then transparent mode.

- 6 -

Content Security Gateway User’s Manual

Chapter 3: Getting Started

3.1 Web Configuration

STEP 1:

Connect both the Administrator’s PC and the LAN port of the Content Security Gateway to a hub or switch.
Make sure there is a link light on the hub/switch for both connections. The Content Security Gateway has an
embedded web server used for management and configuration. Use a web browser to display the
configurations of the Content Security Gateway (such as Internet Explorer 4(or above) or Netscape 4.0(or

above) with full java script support). The default IP address of the Content Security Gateway is 192.168.1.1

with a subnet mask of 255.255.255.0. Therefore, the IP address of the Administrator PC must be in the range
between 192.168.1.2– 192.168.1.254

If the company’s LAN IP Address is not subnet of 192.168.1.0, (i.e. LAN IP Address is 172.16.0.1), then the
Administrator must change his/her PC IP address to be within the same range of the LAN subnet (i.e.

172.16.0.2). Reboot the PC if necessary.

By default, the Content Security Gateway is shipped with its DHCP Server function enabled. This means the
client computers on the LAN network including the Administrator PC can set their TCP/IP settings to
automatically obtain an IP address from the Content Security Gateway.

The following table is a list of private IP addresses. These addresses may not be used as a WAN IP address.

10.0.0.0 ~ 10.255.255.255

172.16.0.0 ~ 172.31.255.255

192.168.0.0 ~ 192.168.255.255

STEP 2:

Once the Administrator PC has an IP address on the same network as the Content Security Gateway, open
up an Internet web browser and type in

A pop-up screen will appear and prompt for a username and password. A username and password is required
to connect to the Content Security Gateway. Enter the default login username and password of Administrator

(see below).

Username: admin
Password: admin

Click OK.

http://192.168.1.1 in the address bar.

- 7 -

Content Security Gateway User’s Manual

3.2 Configure WAN interface

After entering the username and password, the Content Security Gateway WEB UI screen will display. Select

the Interface tab on the left menu then click on WAN below it.

Click on Modify button of WAN, the following page is shown.

PPPoE (ADSL User): This option is for PPPoE users who are required to enter a username and password in

order to connect.

Username: Enter the PPPoE username provided by the ISP.
Password: Enter the PPPoE password provided by the ISP.
IP Address provided by ISP:

Dynamic: Select this if the IP address is automatically assigned by the ISP.
Fixed: Select this if you were given a static IP address. Enter the IP address that is given to you by

your ISP.

Service-On-Demand:

The PPPoE connection will automatically disconnect after a length of idle time (no activities). Enter in
the amount of idle minutes before disconnection. Enter ‘0’ if you do not want the PPPoE connection to
disconnect at all.

For Dynamic IP Address (Cable Modem User): This option is for users who are automatically assigned an

IP address by their ISP, such as cable modem users. The following fields apply:

MAC Address: This is the MAC Address of the device. Some ISPs require specified MAC address. If the
required MAC address is your PC’s, click Clone MAC Address.
Hostname: This will be the name assign to the device. Some cable modem ISP assign a specific

hostname in order to connect to their network. Please enter the hostname here. If not required by your
ISP, you do not have to enter a hostname.

Domain Name: You can specify your own domain name or leave it blank.
User Name: The user name is provided by ISP.
Password: The password is provided by ISP.

For Static IP Address: This option is for users who are assigned a static IP Address from their ISP. Your ISP

will provide all the information needed for this section such as IP Address, Netmask, Gateway, and DNS. Use
this option also if you have more than one public IP Address assigned to you.

IP Address: Enter the static IP address assigned to you by your ISP. This will be the public IP address of

the WAN port of the device.

Netmask: This will be the Netmask of the WAN network. (i.e. 255.255.255.0)

- 8 -

Content Security Gateway User’s Manual

Default Gateway: This will be the Gateway IP address.
Domain Name Server (DNS): This is the IP Address of the DNS server.

For PPTP (European User Only): This is mainly used in Europe. You need to know the PPTP Server

address as well as your name and password.

User Name: The user name is provided by ISP.
Password: The password is provided by ISP.
IP Address: Enter the static IP address assigned to you by your ISP, or obtain an IP address

automatically from ISP.

PPTP Gateway: Enter the PPTP server IP address assigned to you by your ISP.
Connect ID: This is the ID given by ISP. This is optional.
BEZEQ-ISRAEL: Select this item if you are using the service provided by BEZEQ in Israel.
Service-On-Demand: The PPPoE connection will automatically disconnect after a length of idle time

(no activities). Enter in the amount of idle minutes before disconnection. Enter ‘0’ if you do not want the
PPPoE connection to disconnect at all.

Ping: Select this to allow the WAN network to ping the IP Address of the Content Security Gateway. This will

allow people from the Internet to be able to ping the Content Security Gateway. If set to enable, the device will
respond to echo request packets from the WAN network.

WebUI: Select this to allow the device WEBUI to be accessed from the WAN network. This will allow the

WebUI to be configured from a user on the Internet. Keep in mind that the device always requires a username
and password to enter the WebUI.

3.3 Configure DMZ interface

Depends on your network requirement, you can disable the DMZ port, make DMZ port transparent to WAN or
enable NAT function on it.

To configure the DMZ port, select the Interface tab on the left menu, then click on DMZ, the following page is

shown.

3.4 Configure Policy

STEP 1:

Click on the Policy tab from the main function menu, and then click on Outgoing (LAN to WAN) from the

sub-function list.

STEP 2:

Click on New Entry button.

STEP 3:

When the New Entry option appears, enter the following configuration:

Source Address – select “Inside_Any”

- 9 -

Destination Address – select “Outside_Any”
Service - select “ANY”
Action - select “Permit”

Click on OK to apply the changes.

Content Security Gateway User’s Manual

STEP 4:

The configuration is successful when the screen below is displayed.

Please make sure that all the computers that are connected to the LAN port have their Default Gateway IP
Address set to the Content Security Gateway’s LAN IP Address (i.e. 192.168.1.1). At this point, all the
computers on the LAN network should gain access to the Internet immediately. If a Content Security Gateway

filter function is required, please refer to the Policy section in chapter 4.

- 10 -

Content Security Gateway User’s Manual

Chapter 4: Web Configuration

4.1 System

The Content Security Gateway Administration and monitoring configuration is set by the System Administrator.

The System Administrator can add or modify System settings and monitoring mode. The sub Administrators

can only read System settings but not modify them. In System, the System Administrator can:

1. Add and change the sub Administrator’s names and passwords;

2. Back up all Content Security Gateway settings into local files;

“System” is the managing of settings such as the privileges of packets that pass through the Content Security

Gateway and monitoring controls. Administrators may manage, monitor, and configure Content Security

Gateway settings. All configurations are “read-only” for all users other than the Administrator; those users are

not able to change any settings for the Content Security Gateway.

System setting can divide into two parts: Administration, Configure and Logout.

Administration:

Admin: has control of user access to the Content Security Gateway. He/she can add/remove users and

change passwords.

Permitted IPs: Enables the Administrator to authorize specific internal/external IP address(es) for Managing

Gateway.

Software Update: The administrator can update the device’s software with the latest version. Administrators

may visit distributor’s web site to download the latest firmware. Administrators may update the device

firmware to optimize its performance and keep up with the latest fixes for intruding attacks.

Configure:

Setting: The Administrator may use this function to backup Content Security Gateway configurations and

export (save) them to an “Administrator” computer or anywhere on the network; or restore a configuration
file to the device; or restore the Content Security Gateway back to default factory settings. Under Setting, the

Administrator may enable e-mail alert notification. This will alert Administrator(s) automatically whenever the

Content Security Gateway has experienced unauthorized access or a network hit (hacking or flooding). Once

enabled, an IP address of a SMTP (Simple Mail Transfer protocol) Server is required. Up to two e-mail

addresses can be entered for the alert notifications.

Date/Time: This function enables the Content Security Gateway to be synchronized either with an Internet

Server time or with the client computer’s clock.

Multiple Subnet: This function allows local port to set multiple subnet works and connect with the internet

through WAN IP Addresses.

Route Table: Use this function to enable the Administrator to add static routes for the networks when the
dynamic route is not efficient enough.

- 11 -

Content Security Gateway User’s Manual

DHCP: Administrator can configure DHCP (Dynamic Host Configuration Protocol) settings for the LAN (LAN)

network.

Dynamic DNS: The Dynamic DNS (require Dynamic DNS Service) allows you to alias a dynamic IP address

to a static hostname, allowing your device to be more easily accessed by specific name. When this function is

enabled, the IP address in Dynamic DNS Server will be automatically updated with the new IP address

provided by ISP.
Host Table: The Content Security Gateway Administrator may use the Host Table function to make the

Content Security Gateway act as a DNS Server for the LAN and DMZ network. All DNS requests to a specific

Domain Name will be routed to the Content Security Gateway’s IP address. For example, let’s say an

organization has their mail server (i.e., mail.planet.com.tw) in the DMZ network (i.e. 192.168.10.10). The

outside Internet world may access the mail server of the organization easily by its domain name, providing

that the Administrator has set up Virtual Server or Mapped IP settings correctly. However, for the users in the

LAN network, their WAN DNS server will assign them a public IP address for the mail server. So for the LAN

network to access the mail server (mail.planet.com.tw), they would have to go out to the Internet, then come

back through the Content Security Gateway to access the mail server. Essentially, the LAN network is

accessing the mail server by a real public IP address, while the mail server serves their request by a NAT

address and not a real one. This odd situation occurs when there are servers in the DMZ network and they

are bound to real IP addresses. To avoid this, set up Host Table so all the LAN network computers will use the

Content Security Gateway as a DNS server, which acts as the DNS Proxy.

Language: Both Chinese and English are supported in the Content Security Gateway.

Logout:

Logout: Administrator logs out the Content Security Gateway. This function protects your system while you

are away.

4.1.1 Admin

On the left hand menu, click on Administration, and then select Admin below it. The current list of

Administrator(s) shows up.

ÍÍ

- 12 -

Content Security Gateway User’s Manual

Settings of the Administration table
Admin Name: The username of Administrators for the Content Security Gateway. The user admin cannot be

removed.

Privilege: The privileges of Administrators (Admin or Sub Admin)
The username of the main Administrator is Admin with read / wri te privilege.

Sub Admin may be created by clicking

New Sub Admin

. Sub Admin have read only privilege.

Configure: Click Modify to change the “Sub Admin” password and click Remove to delete a “Sub Admin”.

Changing the Main/Sub-Admin’s Password

Step 1. The Modify Admin Password window will appear. Enter in the required information:

 Password: enter original password.
 New Password: enter new password
 Confirm Password: enter the new password again.

Step 2. Click OK to confirm password change or click Cancel to cancel it.

Adding a new Sub Admin

Step 1. In the Add New Sub Admin window:

 Sub Admin Name: enter the username of new Sub Admin.

 Password: enter a password for the new Sub Admin.

 Confirm Password: enter the password again.

Step 2. Click OK to add the user or click Cancel to cancel the addition.

- 13 -

Content Security Gateway User’s Manual

Removing a Sub Admin

Step 1. In the Administration table, locate the Admin name you want to edit, and click on the Remove

option in the Configure field.

Step 2. The Remove confirmation pop-up box will appear. Click OK to remove that Sub Admin or click

Cancel to cancel.

4.1.2 Permitted IPs

Only the authorized IP address is permitted to manage the Content Security Gateway.

ÍÍ

- 14 -

Add Permitted IPs Address

Step 1. Click New Entry button.

Content Security Gateway User’s Manual

Step 2. In IP Address field, enter the LAN IP address or WAN IP address.

 Name: Enter the host name for the authorized IP address.
 IP Address: Enter the LAN IP address or WAN IP address.
 Netmask: Enter the netmask of LAN/WAN.
 Ping: Select this to allow the external network to ping the IP Address of the Firewall.
 HTTP: Check this item, Web User can use HTTP to connect to the Setting window of Content

Security Gateway.

Step 3. Click OK to add Permitted IP or click Cancel to discard changes.

Modify Permitted IPs Address

Step 1. In the table of Permitted IPs, highlight the IP you want to modify, and then click Modify.

Step 2. In Modify Permitted IPs, enter new IP address.

Step 3. Click OK to modify or click Cancel to discard changes.

Remove Permitted IPs Addresses

Step 1. In the table of Permitted IPs, highlight the IP you want to remove, and then click Remove.

Step 2. In the confirm window, click OK to remove or click Cancel to discard changes.

- 15 -

4.1.3 Software Update

Content Security Gateway User’s Manual

Under Software Update, the admin may update the device’s software with a newer software. You may
acquire the current version number of software in Version Number. Administrators may visit distributor’s web

site to download the latest version and save it in server’s hard disk.

Step 1. Click Browse to select the latest version of Software.

Step 2. Click OK to update software.

ÍÍ

NOTE: It takes three minutes to update the software. The system will restart automatically after updating the

software.

4.1.4 Setting

The Administrator may use this function to backup Content Security Gateway configurations and export (save)

them to an “Administrator” computer or anywhere on the network; or restore a configuration file to the

device; or restore the Content Security Gateway back to default factory settings.

Entering the Settings window

Click Setting in the Configure menu to enter the Settings window. The Setting will be shown on the screen.

- 16 -

ÍÍ

Content Security Gateway User’s Manual

Exporting Content Security Gateway settings

Step 1. Under Backup/Restore Configuration, click on the Download button next to Export System

Settings to Client.

Step 2. When the File Download pop-up window appears, choose the destination place to save the

exported file. The Administrator may choose to rename the file if preferred.

- 17 -

Content Security Gateway User’s Manual

Importing Content Security Gateway settings
Under Backup/Restore Configuration, click on the Browse button next to Import System Settings from
Client. When the Choose File pop-up window appears, select the file which contains the saved Content

Security Gateway Settings, then click OK.
Click OK to import the file into the Content Security Gateway or click Cancel to cancel importing.

Restoring Factory Default Settings

Step 1. Select Reset Factory Settings under Backup/Restore Configuration.

Step 2. Click OK at the bottom-right of the screen to restore the factory settings.

- 18 -

Content Security Gateway User’s Manual

System Name Setting
Input the name you want into Device Name column to be the device name.

Email Setting

Step 1. Select Enable E-mail Alert Notification under E-Mail Setting. This function will enable the

Content Security Gateway to send e-mail alerts to the System Administrator when the network is

being attacked by hackers or when emergency conditions occur.

Step 2. SMTP Server IP: Enter SMTP server’s IP address.

Step 3. E-Mail Address 1: Enter the first e-mail address to receive the alarm notification.

Step 4. E-Mail Address 2: Enter the second e-mail address to receive the alarm notification. (Optional)

Click OK on the bottom-right of the screen to enable E-mail alert notification.

- 19 -

Content Security Gateway User’s Manual

Web Management (WAN Interface)

The administrator can change the port number used by HTTP port1 anytime. (Remote UI Management)

Step 1. Set Web Management (WAN Interface). The administrator can change the port number used

by HTTP port anytime.

MTU (set networking packet length)

The administrator can modify the networking packet length.

Step 1. MTU Setting. Modify the networking packet length.

Link Speed / Duplex Mode Setting

This function allows administrator to set the transmission speed and mode of WAN Port.

- 20 -

Content Security Gateway User’s Manual

Dynamic Routing (RIPv2)

Enable Dynamic Routing (RIPv2), CS-500 will advertise an IP address pool to the specific network so that the

address pool can be provided

to the network. You can choose to enable LAN, WAN or DMZ interface to allow

RIP protocol supporting.

Routing information update timer: CS-500 will

send out the RIP protocol in a period of time to update the

routing table, the default timer is 30 seconds.

Routing information timeout: If CS-500 does not receive the RIP protocol from the other router in a period

of time, CS-50

80 seconds.

1

0 will cut off the routing automatically until it receives RIP protocol again. The default timer is

- 21 -

Content Security Gateway User’s Manual

To-Appliance Packet Logging

Whe

n the function is selected, the CS-500 will record the packets that contain the IP address of CS-500 in

sou

rce or destination, the records will display in Traffic Log for administrator to inquire about.

System Reboot

Once this function is enabled, the

Reboot Appliance: Click Reboot.
A confirmation pop-up bo . Follow the confirmation pop-up box, click OK to restart Content
Security Gateway or click Cancel to discard changes.

x will appear

Content Security Gateway will be rebooted.

4.1.5 Date/Time

Synchronizing the Content Security Gateway with the System Cl

Administrator can co

Network Time Server (NTP) or by syncing to your computer’

Follow these steps to sync to an Internet Ti me Server
Step 1. Enable synchronization by checking the box.
Step 2. Click the down arrow to select the offset time from GMT.
Step 3. Enter the Server IP Address or Server name with which you want to synchronize.

nfigure the Content Security Gateway’s date and time by either syncing to an Internet

s clock.

- 22 -

ock

Content Security Gateway User’s Manual

Step 4. Update system clock every □ minutes You can set the interval time to synchronize with

utside servers. If you set it to 0, it means the device will not synchronize automatically.

o

Follow this step to sync to your co
Step 1. Click on the Sync button.

Click OK to apply the setting or click Cancel to discard changes.

mputer’s clock.

ÍÍ

4.1.6 Mult

NA T mode

iple Subnet

Multiple Sub

Addresses.

For instance: The lease line of a company applies several real IP Addresses 168.85.88.0/24, and the

company is divided into R&D department, service, sales department, procurement department, accounting

department, the company can distinguish each department

convenient management. The settings are as the following:

1. R&D department sub-network: 192.168.1.11/24 (LAN) ÅÆ 168.85.88.253 (WAN)

2. Service department sub-network: 192.168.2.11/24 (LAN) ÅÆ 168.85.88.252 (WAN

3. Sales department sub-network: 192.168.3.11/24 (LAN) ÅÆ 168.85.88.251 (WAN)

4. Procurement department sub-network: 192.168.4.11/24 (LAN) ÅÆ 168.85.88.250(WAN)

5. Accounting department sub-network: 192.168.5.11/24 (LAN) ÅÆ 168.85.88.249 (WAN)

The first department (R&D department) was set while setting interface IP, the other four ones have to be

added in Multiple Subnet, after completing the settings, each department use the different WAN IP add

connect to the internet. The settin

Service IP Address: 192.168.2

Subnet Mask: 255.255.255.0

Default Gateway: 192.168.2.11

net allows local port to set multiple subnet works and connect with the Internet through WAN IP

by different subnet works for the purpose of

)

ress to

gs of LAN computers on Service department are as the following:

.1

he other departments are also set by groups, this is the function of Multiple Subnet.

T

- 23 -

Content Security Gateway User’s Manual

Multiple Subnet settings

Click System on the left side menu bar, select Configure then click Multiple Subnet to enter Multiple Subnet

window.

ÍÍ

Multiple Subnet functions

WAN Interface IP / Forwarding Mode: Display WAN Port IP addres
Interface: Indicate the multiple subnet location in LAN or DMZ site.
Alias IP of Int. Interface / Netmask: Local port IP address and subnet Mask.
Configure: Modify the settings of M

r click Delete to delete settings.

o

Add a Multiple Subnet NAT Mode.
Step 1: Click the New Entry button below to add Multiple Subnet.
Step the new window.

2: Enter the IP address in the website name column of

Alias IP of LAN Interface: Enter Local port

Netmask: Enter Local port subne

WAN Interface IP: Add WAN IP.

Forwarding Mode: Click the NAT button below to setup.

Step 3: Click OK to add Multiple Subnet or click Cancel to discard changes.

ultiple Subnet. Click Modify to modify the parameters of Multiple Subnet

IP address.

t Mask.

s and Forwarding Mode.

Modify a Multiple Subnet

- 24 -

Content Security Gateway User’s Manual

Step 1: Find the IP address you want to modify and click Modify.
Step 2: Enter the new IP address in Modify Multiple Subnet window.
Step 3: Click the OK button below to change the setting or click Cancel to discard changes.

Removing a Multiple Subnet

Step 1: Find the IP address you want to delete and click Delete.
Step 2: A confirmation pop-up box will appear, click OK to delete the setting or click Cancel to discard

changes.

Routing Mode

Multiple Subnet allows local port to set Multiple Subnet Routing Mode and connect with the internet through

WAN IP address.

For example, the leased line of a company applies several real IP Addresses 168.85.88.0/24 and the

company is divided into R&D, Customer Service, Sales, Procurement, and Accounting Department. The

company can d

istinguish each department by different sub-network for the purpose of convenient

management.

The settings are as the following:

R&D: Alias IP of LAN interface - 168.85.88.1, Netmask: 255.255.255.192

- 25 -