Vantage CNM
Centralized Network Management
Support Note
Version 3.0
1 Application Notes ... 6
1.1 General Knowledge on Setting Up CNM Server ... 6
1.1.1 Server Configuration ... 6
1.1.1.1 CNM Server Installation ... 6
1.1.1.1.1.1 Upgrade (Migration) from existing CNM installation ... 6
1.1.1.1.1.1 From CNM 2.3 ... 7
1.1.1.1.1.2 From CNM 2.2 or below ... 10
1.1.1.1.2 Installing A New CNM Server ... 11
1.1.1.2 VRPT Server Installation ... 11
1.1.1.3 CNM Activation ... 11
1.1.1.4 Reinstall & License Migration ... 14
1.1.1.4.1 Reinstalling On The Same PC ... 14
1.1.1.4.2 Reinstalling On Different PC ... 14
1.1.1.5 Model & Firmware Support List ... 16
1.1.2 Deployment Scenario ... 21
1.1.2.1 Single Server for CNM & VRPT ... 21
1.1.2.2 Installing CNM & VRPT on different servers ... 26
1.1.2.2.1 Installing Single VRPT Server ... 26
1.1.2.2.2 Installing Multiple VRPT Servers... 30
1.2 A Scenario for CNM Application ... 34
1.2.1 Device Registration to Vantage CNM ... 38
1.2.1.1 Device Group Setup ... 39
1.2.1.2 Adding Device to Vantage CNM ... 39
1.2.1.3 Enable/Setup CNM Function on Devices ... 41
1.2.1.3.1 For ZyNOS Devices ... 41
1.2.1.3.2 For ZLD Devices ... 41
1.2.2 Account Management (UAM) ... 42
1.2.3 Device Maintenance ... 45
1.2.3.1 Device Configuration ... 45
1.2.3.2.1 Backup and Restore ... 46
1.2.3.2.2 Group Configuration Backup ... 49
1.2.3.3 Firmware Management ... 51
1.2.3.3.1 Group Firmware Upgrade Process ... 52
1.2.3.3.2 Schedule Firmware Upgrade ... 54
1.2.3.3.3 Firmware Upgrade Report ... 55
1.2.4 VPN Management ... 57
1.2.4.1 Building VPN Community ... 58
1.2.4.1.1 Building a Full-Mesh VPN Community ... 58
1.2.4.1.2 Building a Hub & Spoke VPN Community ... 64
1.2.4.1.3 Building a Remote Access VPN Community ... 70
1.2.4.1.3.1 For Site-to-Site with Dynamic IP Case ... 70
1.2.4.1.3.2 For Mobile User’s Case ... 75
1.2.4.2 VPN Installation Report ... 78
1.2.4.3 VPN Monitoring ... 79
1.2.4.3.1 By Community ... 79
1.2.4.3.2 By Device ... 81
1.2.4.4 VPN Diagnostic ... 82
1.2.5 UTM Management ... 83
1.2.5.1 Centralized License Management ... 83
1.2.5.1.1 Device Registration & License Activation/Upgrade ... 83
1.2.5.1.2 Viewing Device License Status ... 85
1.2.5.1.3 License Expire Notification ... 86
1.2.5.2 Policy Enforcement ... 86
1.2.5.2.1 Configuring UTM policy ... 86
1.2.5.2.2 Apply Group Configuration of UTM Policy ... 91
1.2.5.2.3 Signature Backup and Restore for The Devices... 95
1.2.5.3 Read UTM Report ... 97
1.2.5.3.1 Set the VRPT Server for Devices ... 97
1.2.5.3.2 Device Configuration for Viewing Reports ... 100
1.2.5.4.1 Alarm Monitor ... 104
1.2.5.4.2 Alarm Search ... 106
1.2.6 Real-time Monitoring and Alerting... 109
1.2.6.1 Monitoring (Device Online/Offline) ... 109
1.2.6.2 Alerting (Email Notification) ... 110
1.2.7 Log & Reporting ... 114
1.2.7.1 Viewing Report for Managed Devices ... 115
1.2.7.1.1 Bandwidth Report ... 115
1.2.7.1.2 Attack Report ... 118
1.2.7.1.3 UTM Report ... 120
1.2.7.1.3.1 IDP Report ... 122
1.2.7.1.3.2 AntiVirus Report ... 125
1.2.7.1.3.3 AntiSpam Report ... 125
1.2.7.2 Configuring Schedule Report ... 127
2 FAQ ... 130
2.1 Server Related FAQ ... 130
2.1.1 Where to download CNM software and patches? ... 130
2.1.2 How many types of license does ZyXEL offer? ... 131
2.1.3 What OS does Vantage CNM server support? ... 131
2.1.4 What browser does Vantage CNM server support?... 131
2.1.5 What is OTV (Object Tree View), Content Screen ...etc? ... 131
2.1.6 Why can’t I get complete OTV (Object Tree View)? ... 132
2.1.7 When I login to Vantage, I get this error message "HTTP Status 500 - No Context configured to process this request". ... 132
2.1.8 My Internet Explorer (IE) does not trust the Certificate from Vantage server, should I trust it? ... 132
2.1.9 How can I skip the warning message of Certificate when I login the CNM? ... 132
2.1.10 If my Vantage server is behind a NAT/Firewall router and I would like to allow outsiders to connect to the Vantage server's management interface from the Internet, what should I do? ... 135
2.1.11 When accessing Vantage Server by Internet Explorer, why does my web browser shut down without any caution sometimes? ... 135
2.1.12 Why do I get the message ‘Pop-up blocked’ when I try to login Vantage server? ... 135
2.1.13 Why can’t I see the “Reinstall” button when I login my www.myzyxel.com? ... 136
2.2 Device Related FAQ ... 136
2.2.1 What device and f/w version is supported by Vantage CNM 3.0? ... 136
2.2.2 What is the max number of devices that Vantage CNM 3.0 supports? ... 141
2.2.3 Which MAC address should I input when register a device? ... 141
2.2.4 What should I do if I want to register hundreds of devices at one time? ... 141
2.2.5 Where can I get examples of the XML files? ... 141
2.2.6 On each device, we should enter Vantage Server's IP address as the manager IP, but how many management IP can each device have? ... 141
2.2.7 I have registered the MAC address of devices supported in the list, and the activation on device “cnm active 1” & “cnm manageIp xxxxx”. But the device in OTV is gray, what should I do? ... 142
2.3 CNM Function Related FAQ ... 142
2.3.1 When an administrator in SUPER group changes the user’s profile in other groups, the access permission of this user should be changed. But what should be done to make the change effective? ... 142
2.3.2 What’s the difference between Log & Report>CNM Logs and Monitor>Device Alarm? ... 142
2.3.3 Why can't I receive the Notification mails? ... 142
2.3.4 What should I do if I configure something on device and would like to synchronize these configurations to the settings on Vantage? ... 144
2.3.5 I can upload firmware from “Firmware Management” page, but this firmware is not available in “Firmware Upgrade” page. What’s wrong? ... 144
2.3.6 How can I see the report for a device?... 145
2.3.7 In OTV, a device is shown with green, but why it is shown with status of “off” on right window? ... 145
2.3.8 Currently, my device is managed by CNM server with no encrypt-mode, and it’s green in OTV. If I then want to use encrypt mode with the DES algorithm, what should I do? ... 145
2.3.9 If I want to re-install the CNM but not lose my configuration, what should I do? ... 146
2.3.10 I have registered the MAC address of devices supported in the list, and the activation on device “cnm active 1” & “cnm manageIp xxxxx”. But the device in OTV is gray, what should I do? ... 147
2.3.11 Why is the configuration between device & CNM not consistent with each other? ... 147
2.3.12 Where can I change the number of days in “report>bandwidth>summary”? ... 147
2.3.13 Where can I create one time report? ... 148
2.3.14 The VPN Community supports three kinds community, Full Mesh, Hub & Spoke, Remote Access. What if I want to build a community which mixed the three modes, for example, part of the gateways are to build Full Mesh community and the rest part are to build Hub & Spoke community? ... 149
2.3.15 I’m getting the alert email warning that VRPT is receiving too many logs from one of my devices. What should I do?... 149
3 Trouble Shooting ... 151
3.1 Trouble between Vantage Server & Client... 152
3.2 Trouble between Vantage Server & ZyXEL devices ... 152
3.3 Trouble between Vantage Server & Vantage Report ... 152
3.4 Trouble in migration ... 153
1 Application Notes
Vantage CNM (Centralized Network Management) is a browser-based global management solution that allows an administrator from any location to easily configure, manage, monitor and troubleshoot ZyXEL devices located worldwide. See the Vantage CNM User's Guide for details.
1.1 General Knowledge on Setting Up CNM Server
In this part, we describe how to install and activate the CNM server, and how to deploy the CNM server and VRPT servers in your real network environment.
1.1.1 Server Configuration
1.1.1.1 CNM Server Installation
If you already have an older version of the CNM server installed, please refer to Upgrade (Migration) From Existing CNM Installation. If you haven’t got a CNM server installed yet, please refer to Installing A New CNM Server.
1.1.1.1.1.1 From CNM 2.3
The CNM server can be upgraded to version 3.0 directly from 2.3 FCS (2.3.00.61.00) or 2.3 patch 1 (2.3.00.61.01).
The upgrade is performed by running “Vantage CNM 3.0.00.61.00.exe” directly.
1. If you have an existing CNM server running, shut it down first.
2. Make sure ports 1864, 11864, 8080, 443, 3306 and 3305 on your system are not occupied.
3. Make sure the disk holding the previous CNM installation has more than 600MB of free space.
4. Run the install package “Vantage CNM 3.0.00.61.00.exe” to start the migration.
5. The installer checks the migration conditions to make sure everything is available.
7. The program installs CNM 3.0 first.
8. The program checks whether www.myZyXEL.com is reachable for CNM license migration.
The migration starts after the check succeeds, and a migration warning window pops up.
You will see command prompt windows during the migration. Simply allow them to execute; they close automatically.
9. If the migration from CNM 2.3 succeeds, you will be asked to restart your computer.
10. If the migration fails, a warning message is shown. You can read the upgrade log in the “upgradeLog” directory on your primary hard drive. The upgrade utility automatically rolls back all changes, so the previous version is not affected.
1.1.1.1.1.2 From CNM 2.2 or below
If you are using Vantage CNM 2.2, you need to upgrade your CNM to version 2.3 (2.3.00.61.00) first. For the detailed upgrade procedure, please refer to the Upgrade Notes in the CNM 2.3 release package.
If you are not sure about the version of your Vantage CNM, please go to System>>About. Since the upgrade process from version 2.2 is complicated, we recommend uninstalling the existing version before installing CNM version 3.0. For a brand-new installation, please refer to the steps below.
1.1.1.1.2 Installing A New CNM Server
1. Run Vantage CNM 3.0 (3.0.00.61.00.exe) on the server intended for CNM.
2. If the server is running Windows XP SP2 or 2003, make sure UDP 1864, 11864 and TCP 8080, 443 are allowed by the Firewall.
3. If the CNM server is placed behind a NAT/Firewall router, configure NAT and Firewall:
a. Forward UDP 1864 & 11864 to the CNM server (devices to CNM server by SGMP)
b. Forward TCP 8080, 443 to the CNM server (devices to CNM server by TR-069, and CNM client to CNM server)
4. Check that the server is running and the ports (UDP 1864, UDP 11864, TCP 8080, TCP 443) are open with “netstat –an”.
5. If the installation failed, check “X:\Program Files\ZyXEL\CNM\logs\vantage.log”.
1.1.1.2 VRPT Server Installation
1. Run Vantage Report for CNM on the server intended for VRPT.
2. If the server is running Windows XP SP2 or 2003, make sure UDP 514 and TCP 8088 are allowed by the Firewall.
3. If the VRPT server is placed behind a NAT/Firewall router, configure NAT and Firewall:
a. Forward UDP 514 to the VRPT server (devices send syslog to the VRPT)
b. Forward TCP 8088 to the VRPT server (management between CNM and VRPT)
4. Check that the server is running and the ports (UDP 514, TCP 8088) are open with “netstat –an”.
5. If the installation failed, check “X:\Program Files\ZyXEL\Vantage Report for CNM\vrpt\log\utput.log”.
1.1.1.3 CNM Activation
CNM has to be activated at myzyxel.com using a license key. Please refer to the steps below.
a. Open a browser and connect to CNM: http://<CNM Server IP>:8080 or https://<CNM Server IP> (on CNM)
b. Log in to the server with the default username/password: root/root (on CNM)
c. The server will show three options:
2. If you haven’t got a standard license yet and you want to evaluate the CNM server, choose I want to try CNM and press Continue. The CNM trial license provides an evaluation period of at most 30 days, with a maximum of 10 nodes (devices) managed.
3. If you’re reinstalling the CNM server on a different PC from the previous one and want to migrate the standard license to the new server, choose I want to re-install CNM on a different computer using my existing standard license, then press Continue.
In this example, we choose I have a license.
d. In the following page, input your license key and your myzyxel.com account.
If you don’t have a myzyxel.com account yet, choose New MyZyXEL.com account and fill in the username, password and email address. Click Apply; myzyxel.com will create a new account for you, register your CNM server under this account, and activate the CNM server.
If you already have a myzyxel.com account, choose Existing MyZyXEL.com account, input your username and password, and click Apply. Your CNM server will be registered at myzyxel.com and activated.
Note: Please make sure your server is connected to the Internet.
e. After the server is activated successfully, it will ask you to set up the FTP server and Mail server on the next page.
Note: After the installation, check the status of the FTP and VRPT servers in CNM:
FTP Server: CNM System Setting>Configuration>Servers>Status. Make sure the FTP server is ready for firmware upgrade.
Add VRPT Server to CNM: CNM System Setting>Configuration>VRPT Management. Add the VRPT server to CNM for reporting, and check that the status of the VRPT server is available.
1.1.1.4 Reinstall & License Migration
1.1.1.4.1 Reinstalling On The Same PC
If the new CNM server is installed on the same PC as the previous CNM server, then after a successful installation the CNM server automatically contacts myzyxel.com to refresh the license. No extra work is needed, other than making sure the PC on which CNM is installed is connected to the Internet.
1.1.1.4.2 Reinstalling On Different PC
If the new CNM server is installed on a different PC, then after the server is installed successfully, log in to the server with the default account username/password: root/root.
a. Choose I want to re-install CNM on a different computer using my existing standard license.
b. Start a browser and go to www.myzyxel.com. Log in with the account you set up before, choose the item, then click Reinstall.
c. Input the new Authentication Code you got from the new server, and click Submit.
d. Go back to your new CNM server and click Continue. After setting up the FTP server and mail server, go to CNM System Setting>License and click the Refresh button. The CNM server will sync with myzyxel.com and be activated with the previous license key.
1.1.1.5 Model & Firmware Support List
Columns: Device Model / Device F/W / New CNM 3.0 features / Reporting Function

USG 1000
  F/W 2.00: Only supports basic agent functions (Registration, Configuration Backup/Restore, Firmware Upgrade, Log, Alarm). Reporting: Traffic Report, Attack Report, VPN Report, Web Usage Report, Log Report.
  F/W 2.01 and above: Same device configuration page as the device’s eWC (Device Operation), VPN Community, UTM Report. Reporting: Traffic Report, Attack Report, VPN Report, Web Usage Report, Log Report.

USG 300
  F/W 2.00: Only supports basic agent functions (Registration, Configuration Backup/Restore, Firmware Upgrade, Log, Alarm). Reporting: Traffic Report, Attack Report, VPN Report, Web Usage Report, Log Report.
  F/W 2.01 and above: Same device configuration page as the device’s eWC (Device Operation), VPN Community, UTM Report. Reporting: Traffic Report, Attack Report, VPN Report, Web Usage Report, Log Report.

ZW 1050
  F/W 1.01, 2.00: Only supports basic agent functions (Registration, Configuration Backup/Restore, Firmware Upgrade, Log, Alarm). Reporting: Traffic Report, Attack Report, VPN Report, Web Usage Report, Log Report.
  F/W 2.01 and above: Same device configuration page as the device’s eWC (Device Operation), VPN Community, UTM Report. Reporting: Traffic Report, Attack Report, VPN Report, Web Usage Report, Log Report.

ZW 70
  F/W 3.65WM1 and above: Only supports basic agent functions (Registration, Configuration Backup/Restore, Firmware Upgrade, Log, Alarm). Reporting: Traffic Report, Attack Report, VPN Report, Web Usage Report, Log Report.
  F/W 4.00, 4.01, 4.02, 4.03 and above: Same device configuration page as the device’s eWC (Device Operation), VPN Community, UTM Report. Reporting: Traffic Report, Attack Report, VPN Report, Web Usage Report, Log Report.

ZW 35
  F/W 3.64WZ5 and above: Only supports basic agent functions (Registration, Configuration Backup/Restore, Firmware Upgrade, Log, Alarm). Reporting: Traffic Report, Attack Report, VPN Report, Web Usage Report, Log Report.
  F/W 4.00, 4.01, 4.02, 4.03 and above: Same device configuration page as the device’s eWC (Device Operation), VPN Community, UTM Report. Reporting: Traffic Report, Attack Report, VPN Report, Web Usage Report, Log Report.

ZW 5
  F/W 3.64XD5 and above: Only supports basic agent functions (Registration, Configuration Backup/Restore, Firmware Upgrade, Log, Alarm). Reporting: Traffic Report, Attack Report, VPN Report, Web Usage Report, Log Report.
  F/W 4.00, 4.01, 4.02, 4.03 and above: Same device configuration page as the device’s eWC (Device Operation), VPN Community, UTM Report. Reporting: Traffic Report, Attack Report, VPN Report, Web Usage Report, Log Report.

ZW 2WG
  F/W 4.02, 4.03 and above: Same device configuration page as the device’s eWC (Device Operation), VPN Community, UTM Report. Reporting: Traffic Report, Attack Report, VPN Report, Web Usage Report, Log Report.

ZW 2+
  F/W 4.00, 4.01, 4.02, 4.03 and above: Same device configuration page as the device’s eWC (Device Operation), VPN Community, UTM Report. Reporting: Traffic Report, Attack Report, VPN Report, Web Usage Report, Log Report.

ZW 2
  F/W 3.62: Same device configuration page as the device’s eWC (Device Operation), VPN Community. Reporting: Attack Report, Web Usage Report, Log Report.

P662HW-61
  F/W 3.40QR8 and 3.40QR9: Same device configuration page as the device’s eWC (Device Operation), VPN Community. Reporting: Attack Report, Web Usage Report, Log Report.

P662H-61
  F/W 3.40QR8 and 3.40QR9: Same device configuration page as the device’s eWC (Device Operation), VPN Community. Reporting: Attack Report, Web Usage Report, Log Report.

P662HW-D1
  F/W 3.40AGZ3 to 3.40AGZ6: Same device configuration page as the device’s eWC (Device Operation), VPN Community. Reporting: Attack Report, Web Usage Report, Log Report.

P662H-D1
  F/W 3.40AGZ3 to 3.40AGZ6: Same device configuration page as the device’s eWC (Device Operation), VPN Community. Reporting: Attack Report, Web Usage Report, Log Report.

P653HWI-17
  F/W 3.40: Same device configuration page as the device’s eWC (Device Operation), VPN Community. Reporting: Attack Report, Web Usage Report, Log Report.
1.1.2 Deployment Scenario
TCP/IP ports used on the CNM & VRPT servers (Protocol Type / Port Number / Usage):

Vantage CNM Server
  UDP 11864: ZLD devices (e.g. ZW1050, USG series) communicate with the CNM server through UDP 11864
  UDP 1864: ZyNOS devices communicate with the CNM server through UDP 1864
  TCP 8080: The CNM client (browser) connects to the CNM server through TCP 8080; devices communicate with the CNM server through TCP 8080 (for TR-069)
  TCP 443: The CNM client (browser) connects to the CNM server through TCP 443; devices communicate with the CNM server through TCP 443 (for TR-069)

VRPT Server
  UDP 514: Devices send syslog to the VRPT server for logging and reporting
  TCP 8088: CNM communicates with the VRPT server to retrieve reports and for maintenance

FTP Server
  TCP 20/21: Devices connect to the FTP server for firmware upgrade and configuration backup/restore
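The installation steps above tell you to confirm the listeners with “netstat –an”, and the 2.3-to-3.0 migration precheck asks that ports 1864, 11864, 8080, 443, 3306 and 3305 be free beforehand. The following Python script is an added example (not part of the ZyXEL support note or the CNM software) that performs both checks against netstat output. It assumes the Windows “netstat -an” column layout (Proto, Local Address, Foreign Address, State), and the sample output embedded in it is constructed, not captured from a real server.

```python
"""Preflight check of Vantage CNM / VRPT ports from 'netstat -an' output.

Added example, not part of the ZyXEL support note. Assumes the Windows
'netstat -an' column layout (Proto, Local Address, Foreign Address, State).
"""
import subprocess
from typing import Iterable, List, Set, Tuple

Socket = Tuple[str, int]  # (protocol, port)

# Ports the support note says each server must expose (section 1.1.2 port table).
CNM_PORTS: Set[Socket] = {("UDP", 1864), ("UDP", 11864), ("TCP", 8080), ("TCP", 443)}
VRPT_PORTS: Set[Socket] = {("UDP", 514), ("TCP", 8088)}
FTP_PORTS: Set[Socket] = {("TCP", 20), ("TCP", 21)}
# Ports that must be free before migrating CNM 2.3 -> 3.0 (section 1.1.1.1.1.1, step 2).
MIGRATION_PORTS = {1864, 11864, 8080, 443, 3306, 3305}


def parse_netstat(netstat_output: str) -> Set[Socket]:
    """Return the (proto, port) pairs that are bound for inbound traffic.

    TCP entries count only in LISTENING state (ESTABLISHED client sockets are
    ignored). UDP entries have no state column on Windows, so every bound UDP
    socket counts. IPv4 '0.0.0.0:8080' and IPv6 '[::]:8080' are both handled
    by splitting the local address on its last colon.
    """
    bound: Set[Socket] = set()
    for line in netstat_output.splitlines():
        parts = line.split()
        if len(parts) < 3 or parts[0].upper() not in ("TCP", "UDP"):
            continue  # header, blank line, or a protocol we do not care about
        proto = parts[0].upper()
        if proto == "TCP" and (len(parts) < 4 or parts[3].upper() != "LISTENING"):
            continue
        port_text = parts[1].rsplit(":", 1)[-1]
        if port_text.isdigit():
            bound.add((proto, int(port_text)))
    return bound


def missing_listeners(netstat_output: str, required: Iterable[Socket]) -> List[Socket]:
    """Required sockets that are NOT bound: the post-install 'netstat -an' check."""
    return sorted(set(required) - parse_netstat(netstat_output))


def occupied_ports(netstat_output: str, ports: Iterable[int]) -> List[int]:
    """Port numbers already bound by any protocol: the migration precheck must find none."""
    bound_numbers = {port for _, port in parse_netstat(netstat_output)}
    return sorted(p for p in ports if p in bound_numbers)


# Constructed sample: a CNM-only host where the UDP 11864 (ZLD) listener is missing
# and the MySQL port 3306 is still bound. Not captured from a real server.
SAMPLE_NETSTAT = """
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:443            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:3306           0.0.0.0:0              LISTENING
  TCP    0.0.0.0:8080           0.0.0.0:0              LISTENING
  TCP    192.168.1.33:8080      172.25.27.18:51544     ESTABLISHED
  UDP    0.0.0.0:1864           *:*
  UDP    [::]:1864              *:*
"""


def report(netstat_output: str) -> str:
    """Human-readable summary of both checks."""
    lines = []
    for name, required in (("CNM", CNM_PORTS), ("VRPT", VRPT_PORTS), ("FTP", FTP_PORTS)):
        missing = missing_listeners(netstat_output, required)
        lines.append(f"{name}: " + ("all ports listening" if not missing
                     else "missing " + ", ".join(f"{p}/{n}" for p, n in missing)))
    busy = occupied_ports(netstat_output, MIGRATION_PORTS)
    lines.append("migration precheck: " + ("all ports free" if not busy
                 else "in use " + ", ".join(map(str, busy))))
    return "\n".join(lines)


if __name__ == "__main__":
    try:  # use the live host when netstat is available, otherwise the constructed sample
        output = subprocess.run(["netstat", "-an"], capture_output=True,
                                text=True, check=True).stdout
    except (OSError, subprocess.CalledProcessError):
        output = SAMPLE_NETSTAT
    print(report(output))
```

Run it on the CNM host after installation (all CNM ports should report as listening) or on the old 2.3 host before migration (the precheck line should report all ports free).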
1.1.2.1 Single Server for CNM & VRPT
For an SI/Reseller who maintains no more than 100 devices, both CNM (for management) and VRPT (for reporting) can be installed on the same server. Below is an example of the network topology and hardware requirements.
CNM & VRPT Server
Memory 2GB and higher
Hard Disk 250GB and higher
[Figure: Installing CNM & VRPT on Same Server. The CNM+VRPT server sits behind the NAT/Firewall; managed devices on the Internet reach it via the CNM public IP & VRPT instance IP. The figure poses three questions answered below: which ports to allow if a firewall is enabled on the server (e.g. XP, W2003), what the NAT rule & firewall rule are, and what the VRPT Management setting on the CNM server is.]
1. On the NAT/Firewall, the same public IP can be used as the public IP of the CNM & VRPT server. Forward ports 1864 (UDP), 11864 (UDP), 8080 (TCP), 443 (TCP), 514 (UDP) and 8088 (TCP) to the CNM+VRPT server.
2. For a ZyNOS-based ZyWALL used as the NAT gateway, check that the command “ip nat loopback” is enabled.
For a ZLD gateway (e.g. ZW1050), a policy route should be set:
a. Go to Object>Address and set addresses for the Vantage server’s WAN, LAN and your LAN subnet.
b. Go to Network>Virtual Server and set a rule as below to map your Vantage server’s WAN IP to its internal IP.
c. Go to Network>Routing, click the Add icon, and configure a rule as below to achieve loopback.
3. Ports 1864 (UDP), 11864 (UDP), 8080 (TCP), 443 (TCP), 514 (UDP) and 8088 (TCP) have to be opened in the Firewall and forwarded to the CNM+VRPT server.
4. If the FTP server is installed on the same machine, also open 20/21 (TCP) and the corresponding firewall policy on the gateway.
5. Configure the public IP that is mapped to VRPT in CNM System Setting>Configuration>VRPT Management of CNM.
Here’s a configuration example. IP assignment:
  CNM & VRPT Server: 192.168.1.33
  WAN IP of NAT router: 172.25.27.18
Go to the web GUI of the ZyWALL and configure the NAT rule and the firewall rule. In Firewall>Service, add ports 1864, 11864, 8088 and 8080 to Custom Service.
Then go to Firewall>Rule Summary, WAN-to-LAN, and press the Insert button to add a firewall rule.
Press the Insert button to add CNM_ZyNOS (1864), CNM_ZLD (11864), CNM_to_VRPT (8088), web/tr069 (8080), HTTPS (443) and SYSLOG (514) to the selected Service.
Then go to NAT and make sure all ports are forwarded to the server.
Go to Advanced>NAT>Port Forwarding and forward ports 514, 8088, 1864, 11864, 8080 and 443 to your server’s IP address.
Then go to CNM System Setting>Configuration>VRPT Management; you will find that the status of VRPT has become available.
1.1.2.2 Installing CNM & VRPT on different servers
1.1.2.2.1 Installing Single VRPT Server
For an SI/Reseller who maintains fewer than 100 devices but wants better performance for management & reporting, CNM (for management) and VRPT (for reporting) can be installed on separate servers. Below is an example of the network topology and hardware requirements.
Management Server (Vantage CNM)
CPU Intel Pentium IV 3.2 GHz or higher
Memory 2GB or higher
Hard Disk 80GB or higher
Reporting Server (Vantage Report for CNM)
Memory 1GB or higher
Hard Disk 200GB or higher
Note: Reporting Server can handle <=1500 logs/sec
[Figure: Installing CNM & VRPT on Different Servers. The CNM server and the VRPT server sit behind the NAT/Firewall; managed devices on the Internet reach them via the CNM public IP & VRPT instance IP. The figure poses three questions answered below: what the NAT rule & firewall rule are, what the VRPT Management setting on the CNM server is, and which ports to allow if a firewall is enabled on each server (e.g. XP, W2003).]
1. On the NAT/Firewall, the same public IP can be used as the public IP of the CNM & VRPT server. Forward ports 1864 (UDP), 11864 (UDP), 8080 (TCP), 443 (TCP) to the CNM server, and forward 514 (UDP) and 8088 (TCP) to the VRPT server.
2. For a ZyNOS-based ZyWALL used as the NAT gateway, check that the command “ip nat loopback” is enabled. For a ZLD gateway (e.g. ZW1050), a policy route should be set. Please refer to 1.1.2.1 Single Server for CNM & VRPT.
3. If a firewall is enabled on the server, allow 1864 (UDP), 11864 (UDP), 8080 (TCP), 443 (TCP) on the CNM server and allow 514 (UDP) and 8088 (TCP) on the VRPT server.
4. Configure the public IP that is mapped to VRPT in CNM System Setting>Configuration>VRPT Management of CNM.
IP assignment:
  CNM Server: 192.168.1.33
  VRPT Server: 192.168.1.34
  WAN IP of NAT router: 172.25.27.18
In the NAT router/firewall, add ports 1864, 11864, 8088 and 8080 as services under Security>Firewall>Service.
Allow ports 11864, 1864, 8080, 443, 514 and 8088 in the firewall configuration, direction WAN-to-LAN.
In the NAT configuration, forward ports 11864, 1864, 8080 and 443 to the CNM server, and ports 8088 and 514 to the VRPT server.
Then go to CNM System Setting>Configuration>VRPT Management; you will find that the status of VRPT turns available.
1.1.2.2.2 Installing Multiple VRPT Servers
For an SI or MSP who maintains more than 100 devices, CNM (for management) and more than one VRPT (for reporting) should be installed on different servers. Below is an illustration of the network topology and the recommended hardware platform.
Management Server (Vantage CNM)
CPU Intel Pentium IV 3.2 GHz or higher
Memory 2GB or higher
Hard Disk 80GB or higher
Reporting Server (Vantage Report for CNM)
CPU Intel Pentium IV 3.2 GHz or higher
Memory 1GB or higher
Hard Disk 200GB or higher
[Figure: Installing Multiple VRPT Servers. The CNM server and two VRPT servers (VRPT_1, VRPT_2) sit behind the NAT/Firewall; managed devices on the Internet reach them via the CNM public IP, the VRPT_1 public IP (VRPT instance 1) and the VRPT_2 public IP (VRPT instance 2). The figure poses three questions answered below: what the NAT rule & firewall rule are, what the VRPT Management setting on the CNM server is for VRPT_1 and VRPT_2, and which ports to allow if a firewall is enabled on each server (e.g. XP, W2003).]
1. On the NAT/Firewall, the same public IP can be used as the public IP of the CNM & VRPT server. Forward ports 1864 (UDP), 11864 (UDP), 8080 (TCP), 443 (TCP) to the CNM server, and forward 514 (UDP) and 8088 (TCP) to the VRPT server.
2. For a ZyNOS-based ZyWALL used as the NAT gateway, check that the command “ip nat loopback” is enabled. Please refer to 1.1.2.1 Single Server for CNM & VRPT.
3. If a firewall is enabled on the server, allow 1864 (UDP), 11864 (UDP), 8080 (TCP), 443 (TCP) on the CNM server and allow 514 (UDP) and 8088 (TCP) on the VRPT server.
4. Configure the public IP that is mapped to VRPT in CNM System>Configuration>VRPT Management of CNM.
Note: Full-feature NAT must be used to make more than one VRPT server visible to all devices on the Internet, because the port used for receiving logs is fixed; this means a different public IP address has to be mapped to each VRPT server. One VRPT can still share the same public IP address with CNM.
Here’s a configuration example. IP assignment:
  VRPT Server 1: 192.168.1.2
  VRPT Server 2: 192.168.1.34
  Public IPs of NAT router: 172.25.27.18, 172.25.27.66

Full-feature NAT setting (Source IP address / NAT Type / Public IP address):
  192.168.1.2 / One-to-one / 172.25.27.18
  192.168.1.3-192.168.1.254 / Many-to-one / 172.25.27.66
Step1. Make sure ports 1864, 11864, 8088, 514, 443, 8080 and 21 are allowed in the WAN-to-LAN rule of the firewall setting.
Step2. Go to Advanced>NAT>NAT Overview, choose Full-feature and configure the Address Mapping.
Step4. Configure the Many-To-One rule.
Step6. Configure the port forwarding: forward ports 8080, 443, 1864, 11864 and 21 to 192.168.1.33, and forward ports 514 and 8088 to 192.168.1.34. (For the One-To-One mapping of VRPT (192.168.1.2), no port forwarding is needed.)
Step7. Add the IPs of the two VRPT servers to CNM, and then check their status.
1.2 A Scenario for CNM Application
In the following application note, we introduce how to use Vantage to conduct UTM management, VPN management and device maintenance over multiple ZyXEL appliances in an MSP (Managed Service Provider) environment.
We also introduce how to use the report function of CNM.
We assume the customer reading this chapter has already completed the basic setup: the Vantage CNM server and FTP server are set up and activated on a Windows operating system, and the connection between the Vantage server and the FTP server is working.
Customers who have not finished the preceding operations yet should refer to the detailed steps in the Quick Start Guide of Vantage CNM 3.0.
Jim is a principal of Company M, a local MSP (Managed Services Provider). He often receives requests from small and medium-sized companies hoping that Company M will help them find a reliable and cost-effective solution to maintain their network. Here come Company A and Company B.
Company A is a medium-sized company with 300 employees. There are N branches all over the country. Almost 80 percent of Company A’s employees need to use the Internet in their daily work. They would like to use the UTM function to protect their network and want to maintain the devices centrally. They also need a report about the UTM and the Internet usage of the company. Besides, in order to transmit secret information between the HQ and three branch offices securely, they want a convenient way to build VPN tunnels among these offices and to monitor all the VPN tunnels.
Company B is a small company with three branches. The security gateways of Branch Office 1 and Branch Office 2 have static public IP addresses, and Branch Office 3’s security gateway gets a dynamic IP address via a DSL connection. They want to share their resources and information between HQ and the branches without compromising their security. By deploying the ZyWALL’s VPN feature they can be confident that only trusted users can access the company’s network. They would like a report on their bandwidth management, security status and Internet usage as well.
Company M’s solution for Company A and Company B with ZyXEL appliances and Vantage CNM:
UTM Management
1. Centralized License Management
2. Policy Enforcement
3. UTM Report
4. Active Monitoring and Alerting
VPN Management
1. Secure VPN tunnel establishment
2. VPN tunnel installation report
3. VPN Tunnel Status
Device Maintenance
1. Firmware management and upgrade
2. ROM file backup and restore
Monitor, Alerting & Reporting
1. Device alarm, alert and notify
2. Monitor the Internet usage and security status via device report
The following picture shows the network for M’s solution.
The companies are connected to the Internet with static public IPs, except Branch Office 3 of Company B, which gets a dynamic public IP via a DSL connection. Company A uses a ZyWALL USG 1000 in HQ, and ZyNOS ZyWALLs in the branch offices as the firewalls protecting the company network. There is a NAT router in front of the ZyWALL 2 Plus in Branch 3. Company B uses a ZyWALL USG 300 in HQ, and ZyNOS ZyWALLs in the branches as the firewalls protecting the company network.
The following diagram depicts the network environment & IP address assignments of this example.
Company A (Device Name / Device Type / Administrator / IP Address):
  A_HQ_USG1000, USG 1000, administrator John: WAN 172.25.27.41, LAN 192.168.1.0, Mask 255.255.255.0
  A_BR1_ZW5, ZyWALL5: WAN 172.25.27.63, LAN 192.168.2.0, Mask 255.255.255.0
  A_BR2_ZW35, ZyWALL35: WAN 172.25.27.79, LAN 192.168.3.0, Mask 255.255.255.0
  A_BR3_ZW2Plus, ZyWALL2Plus: WAN 192.168.4.33, LAN 192.168.1.0, Mask 255.255.255.0
  ...
  A_BRN_ZW35, ZyWALL35: ...
  NAT router: WAN 172.25.27.110

Company B (Device Name / Device Type / Administrator / IP Address):
  B_HQ_USG300, USG 300, administrator Tom: WAN 172.25.27.42, LAN 192.168.1.0, Mask 255.255.255.0
  B_BR1_ZW5, ZyWALL5: WAN 172.25.27.54, LAN 192.168.2.0, Mask 255.255.255.0
  B_BR2_ZW70, ZyWALL70: WAN 172.25.27.64, LAN 192.168.3.0, Mask 255.255.255.0
  B_BR3_ZW35, ZyWALL35: WAN dynamic, LAN 192.168.4.0, Mask 255.255.255.0

Vantage server:
  CNM server, administrator root: WAN 172.25.27.18, Mask 255.255.255.0
  FTP server: WAN 172.25.27.18, Mask 255.255.255.0
Please note that Vantage can only manage ZyXEL devices which support CNM (Central Network Management). You can check whether your ZyXEL devices support Vantage in the User's Guide/Data Sheet available on the ZyXEL web site (http://www.zyxel.com), or you can go to the device's SMT menu and issue the command cnm; on devices which support CNM you will get the following result.
ras> cnm
active sgid managerIp debug reset encrykey encrymode keepalive version tr069
In the following, we are going to show how to configure Vantage and ZyXEL devices step by step.
1.2.1 Device Registration to Vantage CNM
Before proceeding, log in to the Vantage server by typing the URL http://<vantage server's IP>:8080; in this example it is http://172.25.27.18:8080. The default User Name and Password are root/root; users can change the default password later.
Device Group Setup: Define different group folders for different companies and different branch offices.
Adding Device to Vantage CNM: Add the managed devices to CNM server.
Enable/Setup CNM Function on Devices: Enable CNM function on the managed devices to have them register to CNM server.
1.2.1.1 Device Group Setup
1. Create a group folder for Company A.
Right click on Root>Add Folder; give this group folder the name Company_A.
2. Create a group folder for Company B.
Right click on Root>Add Folder; give this group folder the name Company_B.
After you complete these steps, you should see the following Object Tree in the left frame of the web page.
1.2.1.2 Adding Device to Vantage CNM
1. Add ZyWALL devices in folder Company_A
a. Adding USG 1000
Right click Company_A icon on OTV (Object Tree View) and choose Add Device. A dialogue will appear on the right side.
Input the smallest MAC address of USG 1000 in HQ. Give this device a name, A_HQ_USG1000.
Select the corresponding Device Type, and enter the device’s login username and password.
If two identical ZLD devices are running in HA, please check the HA checkbox and select the device’s role (Master or Backup), then click Apply.
b. Adding ZyWALL5
Right click Company_A icon on OTV (Object Tree View) and choose Add Device. A dialogue will appear on the right side.
Input the MAC address of LAN interface of ZyWALL5 in HQ. Give this device a name, A_BR1_ZW5.
Select the corresponding Device Type and firmware version. Set the Syslog Server IP address, then click Apply.
For other ZLD devices in Company A, please repeat the above steps for adding USG 1000 in HQ. For other ZyNOS devices in Company A, please repeat the above steps for adding ZyWALL5 in Branch Office 1.
2. Add ZyWALL devices in folder Company_B
a. Adding USG 300
Right click Company_B icon in Object Tree, and select Add Device. A dialogue will appear on the right side.
Input the MAC address of the LAN interface of USG 300 in HQ. Give this device a name, B_HQ_USG300.
Select the corresponding Device Type, and enter the device’s login username and password.
If two identical ZLD devices are running in HA, please check the HA checkbox and select the device’s role (Master or Backup), then click Apply.
b. Adding ZyWALL5
Right click Company_B icon on OTV (Object Tree View) and choose Add Device. A dialogue will appear on the right side.
Input the MAC address of LAN interface of ZyWALL5 in HQ. Give this device a name, B_BR1_ZW5.
Select the corresponding Device Type and firmware version. Set the Syslog Server IP address, then click Apply.
For other ZLD devices in Company B, please repeat the above steps for adding USG 300 in HQ. For other ZyNOS devices in Company B, please repeat the above steps for adding ZyWALL5 in Branch Office 1.
1.2.1.3 Enable/Setup CNM Function on Devices
1.2.1.3.1 For ZyNOS Devices
Vantage CNM is disabled on the device by default. There are two ways to enable Vantage function on ZyNOS Devices.
1. SMT menus
Please telnet to the ZyXEL device and go to SMT menu 24.8, then issue the following commands. 172.25.27.18 is the Vantage server's IP address.
2. WEB GUI Configuration
Login to the GUI interface of ZyXEL devices and go to ADVANCED>REMOTE MGMT in the navigation panel and then click CNM tab to configure your device’s Vantage CNM settings.
In Registration Status field, it displays Registering when the ZyXEL device first connects with the Vantage server and then Registered after it has been successfully registered with the Vantage server. Last Registration Time displays the last date and time that the ZyXEL device registered with the Vantage server. Enter the Vantage server’s IP to Vantage CNM Server Address field, select Enable check box, and click Apply to enable Vantage function.
1.2.1.3.2 For ZLD Devices
Vantage CNM is disabled on the device by default. There are two ways to enable the Vantage function on ZLD devices.
1. CI command
Please telnet to your device. After the sign behind Router changes from “>” to “#”, please issue the following CI command.
2. Web GUI Configuration
Login your device’s web GUI, and go to System>Vantage CNM, check the Enable box, and enter the CNM server’s IP address.
When the device is registering to the CNM server, a lightning bolt will show on the device and on the folder the device belongs to.
1.2.2 Account Management (UAM)
From CNM 3.0, a new feature UAM (User Account Management) is added. It provides flexibility to define different user groups with different privileges, including CNM server operations and folder/device access privileges. The accounts in a specific group inherit all the privileges in that group.
A group is a group of accounts who share exactly the same privileges for the CNM operation. An account is a specific administrator. It must be in a specific group, and inherits all the privileges in that group.
Note 1: There is a default group super, which can manage all Vantage operations and has the privilege to access all registered devices for monitoring and configuring all their functions. There is also a default account root in this group. Neither the group super nor the account root can be deleted.
Note 2: Since CNM 3.0 UAM (User Account Management) is a completely new feature, if the user upgraded the CNM server from version 2.3, the old accounts in CNM 2.3 are migrated to CNM 3.0 as follows:
The “root” account will be in the “super” group in CNM 3.0 after migration.
For all other accounts in CNM 2.3, the migration creates a special group called “custom” in CNM 3.0. Those accounts are migrated into this “custom” group in CNM 3.0.
This “custom” group has the minimum privilege. It only has the privilege to navigate the configuration but cannot change anything. That means the original accounts’ information is lost and the administrator “root” needs to reconfigure these old accounts migrated from CNM 2.3.
The following steps depict how to set user accounts for administrators of Company A and Company B.
1. Create a user group for the administrator of Company A, with the privilege to be only able to access the folder Company_A.
a. Go to Account Management>Group, and click Add button.
b. Give the group name A-admin. Click the Associate button to let out the popup window, and choose only the folder Company_A. Give full privileges of all the devices in this folder. Click Apply button.
2. Create an account John in the group A-admin.
a. Go to Account Management>Account, and click Add button.
b. Give the account name John and password, and input the user’s mail address. Choose A-admin as the Administrator Group. Click Apply button.
3. Create a user group for the administrator of Company B, with the privilege to be only able to access the folder Company_B.
a. Go to Account Management>Group, and click Add button.
b. Give the group name B-admin. Click the Associate button to let out the popup window, and choose only the folder Company_B. Give full privileges of all the devices in this folder. Click Apply button.
4. Create an account Tom in the group B-admin.
a. Go to Account Management>Account, and click Add button.
b. Give the account name Tom and password, and input the user’s mail address. Choose B-admin as the Administrator Group. Click Apply button.
After you complete, you should get administrators list like this
1.2.3 Device Maintenance
As for the detailed information about the whole scenario, please refer to 1.2 A Scenario for CNM Application.
1.2.3.1 Device Configuration
On CNM 3.0, for ZyNOS devices, configuration for the supported devices with supported firmware version is the same as the device’s web GUI; and for ZLD devices, configuration for the supported devices with supported firmware version is the same as the device’s web GUI, except for the Anti-x functions. For the supported model list and firmware version, please refer to 1.1.1.5 Model & Firmware Support List.
To configure a device, first select the device in the OTV, then go to Device Operation>Device Configuration. In this example, we choose a ZyNOS device, and the same functions as in its web GUI are listed under Device Configuration.
For example, if we want to configure a VPN rule on this device, we just need to go to Security>VPN. Then we can set the VPN rule just as in the device’s web configuration page.
After the configuration is saved, CNM server will transfer the setup info to the device.
1.2.3.2 Configuration File Management
Administrator can use the Configuration File Management screen to back up the device’s configuration file to the Vantage CNM server, or restore a selected configuration file to the device. Once your device’s configuration is configured and functioning properly, it is highly recommended that you back up your configuration file before making configuration changes. The backup configuration file will be useful in case you need to return to your previous settings.
1.2.3.2.1 Backup and Restore
Select a device in the OTV, and go to Device Operation>Configuration Management>Configuration File Management. The Backup & Restore screen will show as below. Click the Backup button to back up the current configuration file of this device to the CNM server.
Input a name for this configuration file, and the description about this file is optional. We can choose to backup now or set a backup schedule for this device.
If we choose Backup Now, after the backup is done, we will see the configuration file in the list as below.
If we choose Scheduled Time, the CNM server will take the backup action at the specified schedule.
For Weekly or Monthly, the CNM will perform the backup action in a recurrent schedule at the date administrator has set.
After clicking Backup button, we will see the configuration file in the Configuration File List. And also a new record about the scheduled backup will show in the Schedule List tab.
1.2.3.2.2 Group Configuration Backup
Company M can back up the configuration files of several devices at the same time, even if the devices are of different models.
Select folder Company_A in the OTV, go to Device Operation>Configuration Management>Configuration File Management. Click the Backup button.
Type a name for the configuration file group you want to back up in the Romfile Name field and add a description in the Note field. Select the devices whose configuration files you want to back up. Please note that only devices with Ready status can back up their configuration files. Click Backup to start the backup process.
After the backup is done, the screen returns to the Backup & Restore page, and we can find the detailed record of the backup we just made in the Configuration File List.
Group File Name displays the name of the configuration file we just backed up. BackupTime displays the date and time at which the backup was performed. Description displays the description you entered for the configuration file. Admin shows which administrator performed the backup.
The group configuration files we back up are stored on the CNM server. When we want to restore the group configuration files, we can select the folder Company_A in the OTV, go to Device Operation>Configuration Management>Configuration File Management, and press the Restore button.
The devices whose configuration files are contained in this group configuration file are listed. Select the devices we want to restore, and click the Restore button. The configuration files will be sent to the respective devices, which then perform the restore.
1.2.3.3 Firmware Management
Company M can use the Vantage Firmware Management screen to download ZyXEL device firmware from the ZyXEL FTP site to Vantage. After downloading it to Vantage, the administrator can then upload it from Vantage to the target devices in Company A and Company B. All firmware is downloaded to one repository within Vantage. The administrator should subscribe to the ZyXEL mailing lists to be regularly informed of new firmware versions.
Go to Device Operation>Firmware Management>Firmware List; you can find detailed info about the firmware currently in your Vantage, such as FW Version, Device Type and so on.
Click the Add button to add a firmware file from your local computer.
After all the firmware files are uploaded to the Vantage server, we can find all the firmware info in the Firmware List screen.
Note: You can only delete firmware downloads done by you or an administrator within your user group. You cannot edit an existing firmware in Vantage; you can only delete it.
1.2.3.3.1 Group Firmware Upgrade Process
Company M can use the Device Firmware Upload screen to upload firmware to devices from Vantage. The administrator may upload firmware to several homogeneous devices at the same time, such as all ZyWALL 5 in the branches of Company A or the four ZyWALL 35 in Company A and Company B. Vantage can upload firmware to 20 to 50 devices at a time depending on your network bandwidth.
Select folder Company_A, go to Device Operation>Firmware Management>Firmware Upgrade.
Select the Device Type in the dropdown list.
A list of all the firmware for the selected device type will show. Click the Upgrade button at the end of the row of the firmware you want to upload to the devices.
All the devices of the selected device type in Company_A will show. Select the devices on which you want to perform the firmware upgrade.
Note: You should only upgrade the firmware of a device when its Upgrade Status is Ready. Click Apply to begin the group firmware upgrade process.
You can see the Upgrade Status of the devices turn to upgrading; the two devices’ icons first turn grey, then two blue lightning marks are added to the devices’ icons. When the upgrade process is done, the status turns to Ready to upgrade again and the blue lightning marks disappear.
1.2.3.3.2 Schedule Firmware Upgrade
Alternatively, you can schedule when you want firmware upgrades to start. First please select the folder Company_A in the OTV.
Then please go to Device Operation>Firmware Management>Schedule List. Click the Add button.
Select the Device Type of the devices on which you want to perform the scheduled firmware upgrade.
A list of all the firmware for the selected device type will show. Click the Upgrade button at the end of the row of the firmware you want to upload to the devices.
Select the candidate devices. Click the calendar button to select the date and choose the exact hour from the dropdown list at which you would want the upgrade performed. Type some extra information in the Description field. This description appears in the firmware upgrade report screen when the upgrade is logged.
Advisory Notes on Firmware Upgrade: It is advisable to upgrade firmware during periods of low network activity, since each device must restart after firmware upload. You should also notify device owners before you begin the upload.
1.2.3.3.3 Firmware Upgrade Report
Go to Log & Report>Operation Report>Firmware Upgrade Report; the Firmware Upgrade Report will be shown. The administrator can get the details of firmware uploaded to Vantage in this screen.
Index displays the upgrade list number. Administrator displays the administrator who performed the upgrade. Result displays the upgrade result description. Description displays a description entered in data maintenance prior to uploading.
We can make the CNM server send notification mails to the device owner and administrator. Please go to CNM System Setting>Configuration>Notification.
We can choose to send the notification to either the administrator, the device owner, or both. Click the Edit button; a mail sample will pop out.
We can add other mail receivers in the CC field, and we can edit the mail content. Click Apply after the modification.
1.2.4 VPN Management
As for the detailed information about the whole scenario, please refer to 1.2 A Scenario for CNM Application.
Company A is a medium-sized company with 300 employees. There are N branches all over the country. Three branch offices and the HQ office want to transmit secret information among themselves securely, so they want a convenient way to build and monitor VPN tunnels.
Company B is also a medium-sized company with three branches. The security gateways of Branch Office 1 and Branch Office 2 have static public IP addresses, and Branch Office 3’s security gateway gets a dynamic IP address via its DSL connection. They want to share their resources and information among HQ and the branches without compromising their security.
From CNM version 3.0, we began to implement VPN Community, which is a more comprehensive and flexible function to build VPN tunnels. A VPN Community, as its name suggests, is a group of security gateways among which VPN tunnels are built. According to how the VPN tunnels are deployed, there are three kinds of VPN communities: Full Mesh, Hub & Spoke, and Remote Access.
1.2.4.1 Building VPN Community
The following shows the steps to build the Full Mesh, Hub & Spoke, and Remote Access VPN communities respectively.
1.2.4.1.1 Building a Full-Mesh VPN Community
Administrator John of Company A can use the CNM’s VPN Management function to build a Full-Mesh VPN community, in which all the security gateways build VPN tunnels with each other.
Step 1. Go to VPN Management>VPN Community, click the Add button; a configuration page will show.
Step 2. Input a community name, and choose Full Mesh in the Community Type dropdown list.
Step 3. In the Member Gateways section, click the Add button; a pop-up window will show. Select the VPN gateways for this VPN community.
Step 4. Note that there is a NAT router in front of Branch Office 3’s security gateway, ZyWALL 2 Plus. We must therefore modify this gateway’s public IP address. Click the Edit button behind the record of A_BR3_ZW2Plus.
A pop-up window will show the details of this security gateway’s VPN settings. Check the box Behind NAT, modify the Public IP Address to the NAT router’s WAN IP address, and input the ZyWALL 2 Plus’s WAN IP address in the My IP field.
It is also important to set the Local ID Content to the WAN IP of the NAT router.
Step 5. Also note that the local LAN subnet of A_HQ_USG1000 overlaps with the local LAN subnet of A_BR3_ZW2Plus. To avoid this overlap, we can employ the function NAT over IPsec.
Click the Edit button at the end of the record of A_BR3_ZW2Plus. In the pop-up configuration window, under the Virtual Address Mapping Rule section, check the box Active, and choose the Mapping Type Many One to One. Specify the Private Starting/Ending IP Address and the Virtual Starting/Ending IP Address.
After the configuration, we will get a view of the Member Gateways as the following.
NOTE: NAT over IPsec in CNM 3.0 is only available for ZyWALL 2 Plus with f/w 4.01 and above, ZyWALL 5, 35, 70 with f/w 4.03 and above. This feature is not available now for ZLD devices.
Step 6. We can modify the security parameters in IPsec phase 1 and phase 2 according to special requirements. And finally press Apply.
After finishing the configuration for the Full Mesh community, we can go to the Installation Report section to check whether the VPN settings were sent to the gateways successfully. We can also go to the VPN Monitor section to check the VPN tunnel status. For detailed explanations, please go to 1.2.4.2 VPN Installation Report and 1.2.4.3 VPN Monitoring.
After the VPN Monitor shows all the tunnels are up, we can check the same status in the device’s WEB GUI as shown below.
1.2.4.1.2 Building a Hub & Spoke VPN Community
Administrator Tom for Company B can use the CNM’s VPN Management function to build a Hub & Spoke VPN community, in which the HQ security gateway will act as the Hub gateway, and the security gateways of Branch Office 1 and Branch Office 2 will act as Spoke gateways.
The picture below shows a logical scenario for the Hub & Spoke VPN community of Company B.
Step 1. Go to VPN Management>VPN Community, click the Add button; a configuration page will show.
Step 2. Input a community name, and choose Hub & Spoke in the Community Type dropdown list. Since Company B also wants to share internal resources among all its branch offices, Tom should enable inter-routing between spokes.
Step 3. In the Hub Gateway section, click the Add button; a pop-up window will show. Select B_HQ_USG300 as the hub gateway of this VPN community.
Step 4. In the Spoke Gateways section, click the Add button; a pop-up window will show. Select B_BR1_ZW5 and B_BR2_ZW70 as the spoke gateways of this VPN community.
Step 5. Please note that if we enable inter-routing between spokes, we must make sure the hub gateway’s network policy covers the networks of all the spoke gateways. If it does not yet, we should click the Edit button at the end of the hub gateway’s record.
A pop-up window will show the details of this security gateway’s VPN settings. Please change the Local Network address to a subnet that covers all the networks of the spoke gateways. In this example, we change it to 192.168.0.0, with subnet mask 255.255.0.0.
After the configuration, we will get a view of this VPN community’s gateways as the following.
Step 6. We can modify the security parameters in IPsec phase 1 and phase 2 according to special requirements. Finally, press Apply.
After finishing the configuration for the Hub & Spoke community, we can go to the Installation Report section to check whether the VPN settings were sent to the gateways successfully. We can also go to the VPN Monitor section to check the VPN tunnel status. For detailed explanations, please go to 1.2.4.2 VPN Installation Report and 1.2.4.3 VPN Monitoring.
After the VPN Monitor shows all the tunnels are up, we can check the same status in the device’s WEB GUI as shown below.
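The address planning behind Step 4 and Step 5 of the Full Mesh procedure (Behind NAT fields, overlapping LAN subnets and Many One to One mapping) and Step 5 of the Hub & Spoke procedure (the hub's Local Network covering every spoke) can be checked before touching the gateways. The script below is an added example, not part of Vantage CNM or this note; the Company B subnets come from the device table above, while the Company A subnets, the NAT router address and the virtual address range are constructed placeholders.

```python
"""Subnet and NAT checks for a CNM VPN community (added example, not
part of the Vantage CNM software or this support note).

Rules encoded from the Full Mesh and Hub & Spoke procedures:
  * a member behind a NAT router uses the NAT router's WAN IP as its
    Public IP Address and Local ID Content, and its own WAN IP as My IP;
  * members whose local LAN subnets overlap need NAT over IPsec
    (Many One to One virtual address mapping);
  * with inter-routing between spokes, the hub's Local Network must
    cover every spoke's local network.
"""
from ipaddress import ip_address, ip_network
from itertools import combinations
from typing import Dict, List, Optional, Tuple


def member_gateway(wan_ip: str, nat_router_wan: Optional[str] = None) -> Dict[str, str]:
    """VPN gateway fields for one member, per Step 4 of the Full Mesh procedure."""
    public_ip = nat_router_wan or wan_ip
    return {
        "Behind NAT": "yes" if nat_router_wan else "no",
        "Public IP Address": public_ip,
        "My IP": wan_ip,
        "Local ID Content": public_ip,
    }


def overlapping_members(lan_subnets: Dict[str, str]) -> List[Tuple[str, str]]:
    """Pairs of member names whose local LAN subnets overlap (need NAT over IPsec)."""
    nets = {name: ip_network(cidr) for name, cidr in lan_subnets.items()}
    return [(a, b) for a, b in combinations(sorted(nets), 2)
            if nets[a].overlaps(nets[b])]


def virtual_address(private_ip: str, private_start: str, private_end: str,
                    virtual_start: str) -> str:
    """Many One to One mapping: the host's offset from the private range start
    is applied from the virtual range start."""
    ip, start, end, vstart = (ip_address(x) for x in
                              (private_ip, private_start, private_end, virtual_start))
    if not start <= ip <= end:
        raise ValueError(f"{ip} is outside the mapped private range")
    return str(vstart + (int(ip) - int(start)))


def covering_network(cidrs: List[str]) -> str:
    """Smallest single network containing every given subnet: a candidate
    for the hub's Local Network when inter-routing between spokes is on."""
    nets = [ip_network(c) for c in cidrs]
    cover = nets[0]
    while not all(n.subnet_of(cover) for n in nets) and cover.prefixlen > 0:
        cover = cover.supernet()
    return str(cover)


def hub_policy_covers(hub_local_network: str, spoke_subnets: List[str]) -> bool:
    """Hub & Spoke Step 5 check: does the hub's Local Network cover all spokes?"""
    hub = ip_network(hub_local_network)
    return all(ip_network(s).subnet_of(hub) for s in spoke_subnets)


# Company B LAN subnets from the device table in this note
COMPANY_B_LAN = {
    "B_HQ_USG300": "192.168.1.0/24",
    "B_BR1_ZW5": "192.168.2.0/24",
    "B_BR2_ZW70": "192.168.3.0/24",
}
# Company A: constructed subnets that reproduce the overlap the Full Mesh
# procedure describes between A_HQ_USG1000 and A_BR3_ZW2Plus
COMPANY_A_LAN = {
    "A_HQ_USG1000": "10.1.0.0/16",
    "A_BR1_ZW5": "10.2.0.0/24",
    "A_BR3_ZW2Plus": "10.1.5.0/24",
}

if __name__ == "__main__":
    # Branch Office 3 of Company A sits behind a NAT router (addresses constructed)
    print(member_gateway("192.168.100.2", nat_router_wan="203.0.113.7"))
    print("Overlaps in Company A:", overlapping_members(COMPANY_A_LAN))
    print("10.1.5.10 maps to",
          virtual_address("10.1.5.10", "10.1.5.1", "10.1.5.254", "10.99.5.1"))
    spokes = [COMPANY_B_LAN["B_BR1_ZW5"], COMPANY_B_LAN["B_BR2_ZW70"]]
    print("Smallest hub Local Network for Company B spokes:", covering_network(spokes))
    print("192.168.0.0/16 (the value chosen above) covers the spokes:",
          hub_policy_covers("192.168.0.0/16", spokes))
```

The 192.168.0.0/16 chosen in Step 5 is wider than the smallest covering network the script reports; either satisfies the check, but the wider policy also admits traffic for subnets no spoke owns.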
1.2.4.1.3 Building a Remote Access VPN Community
1.2.4.1.3.1 For Site-to-Site with Dynamic IP Case
For Branch Office 3, since its gateway gets its WAN IP address dynamically, Tom can build a Remote Access VPN community between the HQ office and Branch Office 3.
The picture below shows a logical scenario for the Remote Access VPN community of Company B.
Step 1. Go to VPN Management>VPN Community, click the Add button; a configuration page will show.
Step 2. Input a community name, and choose Remote Access in the Community Type dropdown list.
Step 3. In the Central Gateway section, click the Add button; a pop-up window will show. Select B_HQ_USG300 as the central gateway of this VPN community.
Step 4. In the Satellite Gateways section, click the Add button; a pop-up window will show. Select B_BR3_ZW35 as the satellite gateway of this VPN community.
After the configuration, we will get a view of this VPN community’s gateways as the following.
Step 5. We can modify the security parameters in IPsec phase 1 and phase 2 according to special requirements. Finally, press Apply.
After finishing the configuration for the Remote Access community, we can go to the Installation Report section to check whether the VPN settings were sent to the gateways successfully. We can also go to the VPN Monitor section to check the VPN tunnel status. For detailed explanations, please go to 1.2.4.2 VPN Installation Report and 1.2.4.3 VPN Monitoring.
After the VPN Monitor shows all the tunnels are up, we can check the same status in the device’s WEB GUI as shown below.
1.2.4.1.3.2 For Mobile User’s Case
There are many mobile workers in Company B, such as sales staff on business trips. They also need to share the resources in HQ securely. By carrying a handy security gateway such as the ZyWALL P1 or using a VPN software client, they can build dynamic VPN tunnels to the HQ’s gateway.
Then do we need to add a new VPN rule on the HQ’s gateway B_HQ_USG300? Since there’s already a Remote Access VPN community built in this case, we can use the existing dynamic VPN rule in the Central Gateway of this Remote Access VPN community.
And on the VPN clients’ side, since ZyWALL P1 and VPN software can’t be managed by CNM 3.0, the mobile workers need to manually build VPN tunnels to the HQ gateway.
The following steps detail how to build dynamic VPN tunnels for the mobile users.
Step 1. Please go to VPN Management>VPN Community, and click the Edit button at the end of the record of the Remote Access Community of Company B.
Record the Central Gateway’s VPN parameters, including the central gateway’s gateway IP, local network, Pre-shared key, and the security parameters of phase 1 and phase 2.
Step 2. On the mobile worker’s side, build a VPN tunnel to the central gateway. We will take ZyWALL IPsec VPN Client as an example.
Please make sure the Remote Gateway IP address, Remote LAN address and the phase 1 and phase 2 security parameters are consistent with the central gateway’s settings.
Step 3. After the tunnel is established, we can check the status in the VPN client’s SA monitor and the central gateway’s SA monitor. Or we can go to 1.2.4.3 VPN Monitoring to check the tunnel status in SA Monitor.
1.2.4.2 VPN Installation Report
After the VPN community configuration is finished, let’s go to the Installation Report to check whether the configurations in the community were sent to the gateways successfully.
We can click the Show Detail button to check the detailed installation status for each gateway.
Note: Successful means the VPN configurations were sent to the corresponding gateways successfully. To be created means the VPN configurations have not yet been sent to the gateways. The info in this section doesn’t represent whether the VPN tunnels are built successfully. To check whether the tunnels are established, please go to VPN Monitor.
1.2.4.3 VPN Monitoring
After we make sure the VPN configurations were sent to the devices successfully by checking the VPN Installation Report, we can go to VPN Monitor to check whether the tunnels are established successfully. Let’s again take the Full Mesh VPN community in Company A as an example.
We can check the tunnels’ status either by VPN Community or by Device.
1.2.4.3.1 By Community
We can click the Show Detail icon to show the details of each tunnel in this community.
When the Status icon shows blue, the tunnel is up; if the icon is grey, the tunnel is down.
Note: Since CNM 3.0 does not count the dynamic VPN tunnels, in VPN Monitor>By Community for Remote Access communities, the number of Up Tunnels and Total Tunnels will show as *.
1.2.4.3.2 By Device
In VPN Monitor>By Device, the page shows the status of all the security gateways that have built VPN tunnels.
Note: Since CNM 3.0 does not count the dynamic VPN tunnels, in VPN Monitor>By Device>VPN Tunnel Status, the up dynamic VPN tunnels are not added to the number of Up Tunnels.
If we want to check the up dynamic VPN tunnels or check the up tunnels’ VPN policies, we need to go to By Device>SA Monitor.
Note: SA Monitor only supports ZLD devices and ZyNOS devices with firmware version 4.30 or above.
Click Show Detail icon, all the established VPN tunnels to the central gateway will be shown, including the dynamic VPN tunnels. If the Remote Gateway is shown as N/A, it means it’s a dynamic tunnel.
1.2.4.4 VPN Diagnostic
If a tunnel is down, the Diagnostic icon shows at the end of this tunnel’s row. We can click this icon; a pop-up window will show to allow us to dial this tunnel manually. When we press the dial button, a pop-up window will show all the IKE logs, which give us basic info for judging which settings are incorrect.
Note: The manual dial function is only available for ZyNOS ZyWALL with f/w version 4.03 or above and ZLD with f/w version 2.01 or above.
1.2.5 UTM Management
First please note that the UTM management on CNM 3.0 is only available for ZyNOS devices. CNM 3.0 doesn’t support the UTM services for ZLD devices yet.
As for the detailed information about the whole scenario, please refer to 1.2 A Scenario for CNM Application.
Company A is a medium-sized company with 300 employees. There are N branches all over the country. Almost 80 percent of Company A’s employees need to use the Internet in their daily work. They would like to use the UTM function to protect their network and want to maintain the devices centrally. They also need a report about the UTM and the Internet usage of the company.
1.2.5.1 Centralized License Management
1.2.5.1.1 Device Registration & License Activation/Upgrade
Select the device which needs to be registered, then go to Device Operation>License Management>Service Activation>Registration; you can see the Service Registration page. The selected device’s registration status is shown on this page.
If the device is not registered, select New myZyXEL.com account and enter the corresponding info needed to register the device as below. Click Apply.
Wait for a few minutes until you see the User Name and Password fields turn grey. This shows that the device has been registered successfully.
Go to the Service tab; you can find the services (CF, AS and AV) are activated. You can also update your license key or refresh your service license on this page.
If you already have an account on myZyXEL.com, then all you have to do is select Existing myZyXEL.com account, enter your username and password, and select IDP/AV and AS 3 months trial version to activate.
All UTM services of the devices in Company A can be registered in the Vantage server; just repeat the above steps.
1.2.5.1.2 Viewing Device License Status
Select a folder in the OTV, and go to Device Operation>License Management>License status; you can see the detailed information of the UTM service status of all the devices in this folder. You can also Refresh/Activate/Update your service license on this page.
1.2.5.1.3 License Expire Notification
If your ZyXEL device’s license has expired, you can find the expiry information in Vantage.
Select a folder in the OTV, and go to Device Operation>License Management>Lic