Vantage CNM. Support Note. Centralized Network Management. Version /2007
- Jeffery Cain
- 10 years ago
1 Application Notes General Knowledge on Setting Up CNM Server Server Configuration CNM Server Installation Upgrade (Migration) from existing CNM installation From CNM From CNM 2.2 or below Installing A New CNM Server VRPT Server Installation CNM Activation Reinstall & License Migration Reinstalling On The Same PC Reinstalling On Different PC Model & Firmware Support List Deployment Scenario Single Server for CNM & VRPT Installing CNM & VRPT on different servers Installing Single VRPT Server Installing Multiple VRPT Servers A Scenario for CNM Application Device Registration to Vantage CNM Device Group Setup Adding Device to Vantage CNM Enable/Setup CNM Function on Devices For ZyNOS Devices For ZLD Devices Account Management (UAM) Device Maintenance Device Configuration Configuration File Management
3 Backup and Restore Group Configuration Backup Firmware Management Group Firmware Upgrade Process Schedule Firmware Upgrade Firmware Upgrade Report VPN Management Building VPN Community Building a Full-Mesh VPN Community Building a Hub & Spoke VPN Community Building a Remote Access VPN Community For Site-to-Site with Dynamic IP Case For Mobile User s Case VPN Installation Report VPN Monitoring By Community By Device VPN Diagnostic UTM Management Centralized License Management Device Registration & License Activation/Upgrade Viewing Device License Status License Expire Notification Policy Enforcement Configuring UTM policy Apply Group Configuration of UTM Policy Signature Backup and Restore for The Devices Read UTM Report Set the VRPT Server for Devices Device Configuration for Viewing Reports Viewing the UTM Report in CNM UTM Alarm Monitoring and Alerting
4 Alarm Monitor Alarm Search Real-time Monitoring and Alerting Monitoring (Device Online/Offline) Alerting ( Notification) Log & Reporting Viewing Report for Managed Devices Bandwidth Report Attack Report UTM Report IDP Report AntiVirus Report AntiSpam Report Configuring Schedule Report FAQ Server Related FAQ Where to download CNM software and patches? How many types of license does ZyXEL offer? What OS does Vantage CNM server support? What browser does Vantage CNM server support? What is OTV (Object Tree View), Content Screen...etc? Why can t I get complete OTV (Object Tree View)? When I login to Vantage, I get this error message "HTTP Status No Context configured to process this request" My Internet Explorer (IE) does not trust the Certificate from Vantage server, should I trust it? How can I skip the warning message of Certificate when I login the CNM? If my Vantage server is behind a NAT/Firewall router, and I would like to allow outsiders to connect Vantage server's management interface from Internet. What should I do? When accessing Vantage Server by Internet Explorer, why does my web browser shut down without any caution sometimes?
5 Why do I get the message Pop-up blocked when I try to login Vantage server? Why can t I see the Reinstall button when I login my Device Related FAQ What device and f/w version is supported by Vantage CNM 3.0? What is the max number of devices that Vantage CNM 3.0 supports? Which MAC address should I input when register a device? What should I do if I want to register hundreds of devices at one time? Where can I get examples of the XML files? On each device, we should enter Vantage Server's IP address as the manager IP, but how many management IP can each device have? I have registered the MAC address of devices supported in the list, and the activation on device cnm active 1 & cnm manageip xxxxx. But the device in OTV is gray, what should I do? CNM Function Related FAQ When an administrator in SUPER group changes the user s profile in other groups, the access permission of this user should be changed. But what should be done to make the change effective? What s the difference between Log & Report>CNM Logs and Monitor>Device Alarm? Why I can not receive the Notification mails? What should I do if I configure something on device and would like to synchronize these configurations to the settings on Vantage? I can upload firmware from Firmware Management page, but this firmware is not available in Firmware Upgrade page. What s wrong? How can I see the report for a device? In OTV, a device is shown with green, but why it is shown with status of off on right window? Currently, my device is managed by CNM server with no encrypt-mode. And it s green in OTV. Then if I want to use encrypt mode with DES algorithm, what should I do? If I want to re-install the CNM but not lose my configuration, what should I do? I have registered the MAC address of devices supported in the list, and the activation on device cnm active 1 & cnm manageip xxxxx. But the device in OTV is gray, what should I do?
Why the configuration between device & CNM is not consistent with each other? Where can I change the number of days in report>bandwidth>summary? Where can I create one time report? The VPN Community supports three kinds community, Full Mesh, Hub & Spoke, Remote Access. What if I want to build a community which mixed the three modes, for example, part of the gateways are to build Full Mesh community and the rest part are to build Hub & Spoke community? I'm getting the alert warning that VRPT is receiving too many logs from one of my devices. What should I do? Trouble Shooting Trouble between Vantage Server & Client Trouble between Vantage Server & ZyXEL devices Trouble between Vantage Server & Vantage Report Trouble in migration

Application Notes

Vantage CNM (Centralized Network Management) is a browser-based global management solution that allows an administrator from any location to easily configure, manage, monitor and troubleshoot ZyXEL devices located worldwide. See the Vantage CNM User's Guide for details.

1.1 General Knowledge on Setting Up CNM Server

In this part, we describe how to install and activate the CNM server, and how to deploy the CNM server and VRPT servers in your real network environment.

Server Configuration

CNM Server Installation

If you already have an older version of the CNM server installed, please refer to Upgrade (Migration) From Existing CNM Installation. If you haven't installed a CNM server yet, please refer to Installing A New CNM Server.

Upgrade (Migration) from existing CNM installation
From CNM 2.3

The CNM server can be upgraded to version 3.0 directly from 2.3 FCS ( ) or 2.3 patch 1 ( ). The upgrade is performed by running the Vantage CNM exe directly.

1. If you have an existing CNM running, please shut it down first.
2. Please make sure the ports 1864, 11864, 8080, 443, 3306, 3305 in your system are not occupied.
3. Please make sure the available space on the disk with the previous CNM installation is more than 600MB.
4. Then run the install package Vantage CNM exe to do the migration.
5. The installation will check the migration conditions to make sure everything is available.
6. Confirm the check result.
7. The program will install CNM 3.0 first.
8. The program will check whether is reachable for CNM license migration. The migration will start after the check succeeds. A migration warning window will pop up. You will see command prompt windows during migration. Simply allow them to execute; they will close automatically.
9. If the migration from CNM 2.3 succeeds, you will be asked to restart your computer.
10. If the migration fails, there will be a warning message. You can read the upgrade log in the directory upgradelog on your primary hard disk. The upgrade utility will automatically roll back all changes, so the previous version won't be affected.

From CNM 2.2 or below

If you are using Vantage CNM version 2.2, you need to upgrade your CNM to version 2.3. The upgrade step is: > > > >
For the detailed upgrade procedure, please refer to the Upgrade Notes in the CNM 2.3 release package. If you are not sure about the version of your Vantage CNM, please go to System>>About. Since the upgrade process from version 2.2 is complicated, we recommend that customers uninstall the existing version before installing CNM version 3.0. For a brand-new installation, please refer to the steps below.

Installing A New CNM Server

1. Run Vantage CNM 3.0 ( exe) on the server which is for CNM.
2. If the server is running Windows XP SP2 or 2003, make sure UDP 1864, & TCP 8080, 443 are allowed by the firewall.
3. If the CNM Server is placed behind a NAT firewall router, configure NAT and the firewall:
   a. Forward UDP 1864 & to CNM Server (Devices to CNM server by SGMP)
   b. Forward TCP 8080, 443 to CNM Server (Devices to CNM server by TR-069 & CNM client to CNM server)
4. Check that the server is running and the ports (UDP 1864, UDP 11864, TCP 8080, TCP 443) are open, using netstat -an.
5. If installation failed, check X:\Program Files\ZyXEL\CNM \logs\vantage.log

VRPT Server Installation

1. Run Vantage Report for CNM on the server which is set for VRPT.
2. If the server is running Windows XP SP2 or 2003, make sure UDP 514 & TCP 8088 are allowed by the firewall.
3. If the VRPT Server is placed behind a NAT firewall router, configure NAT and the firewall:
   a. Forward UDP 514 to VRPT Server (devices send syslog to the VRPT)
   b. Forward TCP 8088 to VRPT Server (management between CNM and VRPT)
4. Check that the server is running and the ports (UDP 514, TCP 8088) are open, using netstat -an.
5. If installation failed, check X:\Program Files\ZyXEL\Vantage Report for CNM\vrpt\log\utput.log

CNM has to be activated on myzyxel.com using a licence key. Please refer to the steps below.

CNM Activation

a. Open a browser to connect to CNM: Server IP>:8080 or <CNM Server IP> (on CNM)
b. Log in to the server by entering the default username/password: root/root (on CNM)
c. The server will show three options:
   1. If you have a standard license key, choose I have a license, and press Continue.
   2. If you haven't got a standard license yet and you want to evaluate the CNM server, choose I want to try CNM, and press Continue. The CNM trial license provides a maximum evaluation period of 30 days, with a maximum of 10 nodes (devices) that can be managed.
   3. If you're reinstalling the CNM server on a different PC from the previous one, and you want to migrate the standard license to this new server, choose I want to re-install CNM on a different computer using my existing standard license. Then press Continue.
   In this example, we choose I have a license.
d. In the following page, input your license key and your myzyxel.com account. If you don't have a myzyxel.com account yet, choose New MyZyXEL.com account, and fill in the username, password and address. Click Apply; myzyxel.com will create a new account for you, register your CNM server under this account, and activate the CNM server. If you already have a myzyxel.com account, choose Existing MyZyXEL.com account, input your username and password, and click Apply. Your CNM server will be registered to myzyxel.com and activated.
   Note: Please make sure your server is connected to the Internet.
e. After the server is activated successfully, it will ask you to set up the FTP server and Mail server in the next page.
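The port checks in the migration and installation steps above (ports free before migrating, listeners present after installing) can be scripted instead of read off the screen. The following is an added example, not part of the ZyXEL note: it parses Windows netstat -an output, and the function names and the sample netstat text are constructed for illustration.

```python
"""Check Windows `netstat -an` output against the ports this support note names.

Added example, not ZyXEL code. Function names and sample text are constructed.
"""
import re

# Ports the note says must not be occupied before the 2.3 -> 3.0 migration.
# The note gives no protocol for them, so either protocol counts as occupied.
PRE_MIGRATION_PORTS = {1864, 11864, 8080, 443, 3306, 3305}

# Listeners the note says to confirm after installation (step 4 of each procedure).
REQUIRED_LISTENERS = {
    "cnm": {("UDP", 1864), ("UDP", 11864), ("TCP", 8080), ("TCP", 443)},
    "vrpt": {("UDP", 514), ("TCP", 8088)},
}

# Proto, local address, foreign address, optional state (UDP rows have none).
_ROW = re.compile(r"^\s*(TCP|UDP)\s+(\S+)\s+(\S+)(?:\s+(\S+))?\s*$", re.I)


def parse_sockets(netstat_text):
    """Return [(proto, local_port, state)] for every socket row in the text."""
    sockets = []
    for line in netstat_text.splitlines():
        m = _ROW.match(line)
        if not m:
            continue  # banner, column header or blank line
        proto, local, _foreign, state = m.groups()
        # rsplit handles both 0.0.0.0:443 and the IPv6 form [::]:443
        port_text = local.rsplit(":", 1)[-1]
        if port_text.isdigit():
            sockets.append((proto.upper(), int(port_text), (state or "").upper()))
    return sockets


def listeners(netstat_text):
    """TCP sockets in LISTENING state plus every bound UDP socket."""
    return {
        (proto, port)
        for proto, port, state in parse_sockets(netstat_text)
        if proto == "UDP" or state == "LISTENING"
    }


def occupied_before_migration(netstat_text):
    """Pre-migration ports already used by a local socket.

    Only the local address is examined, so an outbound connection to a
    remote port 443 does not count as port 443 being occupied here.
    """
    in_use = {port for _proto, port, _state in parse_sockets(netstat_text)}
    return sorted(PRE_MIGRATION_PORTS & in_use)


def missing_after_install(netstat_text, role):
    """Required (proto, port) pairs for role 'cnm' or 'vrpt' with no listener."""
    return sorted(REQUIRED_LISTENERS[role] - listeners(netstat_text))


# Constructed sample: a host that already runs something on TCP 3306.
SAMPLE_BEFORE = """
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:3306           0.0.0.0:0              LISTENING
  TCP    192.0.2.10:1045        198.51.100.7:443       ESTABLISHED
  UDP    0.0.0.0:445            *:*
"""

# Constructed sample: a CNM host where the UDP 11864 listener did not start.
SAMPLE_AFTER_CNM = """
  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:443            0.0.0.0:0              LISTENING
  TCP    [::]:443               [::]:0                 LISTENING
  TCP    0.0.0.0:8080           0.0.0.0:0              LISTENING
  TCP    192.0.2.10:8080        192.0.2.55:2301        TIME_WAIT
  UDP    0.0.0.0:1864           *:*
"""

if __name__ == "__main__":
    print("occupied before migration:", occupied_before_migration(SAMPLE_BEFORE))
    print("CNM listeners missing:", missing_after_install(SAMPLE_AFTER_CNM, "cnm"))
    print("VRPT listeners missing:", missing_after_install(SAMPLE_AFTER_CNM, "vrpt"))
```

On a real server, save the output of netstat -an to a file and pass its contents to the same functions.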
Note: Please check the status of the FTP and VRPT servers in CNM after the installation.

FTP Server
CNM System Setting>Configuration>Servers>Status: Make sure the FTP server is ready for firmware upgrade.

Add VRPT Server to CNM
CNM System Setting>Configuration>VRPT Management: Add the VRPT Server to CNM for reporting, and check that the status of the VRPT Server is available.

Reinstall & License Migration

Reinstalling On The Same PC

If the new CNM server is installed on the same PC as the previous CNM server, the CNM server will automatically go to myzyxel.com to refresh the license after a successful installation. No extra work is needed; only make sure the PC on which CNM is installed is connected to the Internet.

Reinstalling On Different PC

If the new CNM server is installed on a different PC, after the server is installed successfully, log in to the server with the default account username/password: root/root.

a. Choose I want to re-install CNM on a different computer using my existing standard license.
b. Start a browser, and go to Login your account set before. Choose the item, then click reinstall.
c. Input the new Authentication Code you got in the new server, and click Submit. The myzyxel.com server will show the reinstall successful message.
d. Go back to your new CNM server and click Continue. After setting up the FTP server and mail server, go to CNM System Setting>License, and click the Refresh button. The CNM server will sync with myzyxel.com and be activated with the previous license key.

Model & Firmware Support List

Device Model Device F/W New CNM 3.0 features Reporting Function USG Only support basic agent function(registration, Configuration Backup/Restore, Firmware Upgrade, Log, Alarm) Traffic Report Attack Report VPN Report Web Usage Report Log Report
17 UTM Report 2.01 and above 2.00 Same device cnofiguration page as device s ewc (Device Operation) VPN Community Only support basic agent function(registration, Configuration Backup/Restore, Firmware Upgrade, Log, Alarm) Traffic Report Attack Report VPN Report Web Usage Report Log Report Traffic Report Attack Report VPN Report Web Usage Report Log Report USG 300 UTM Report 2.01 and above ZW , 2.00 Same device cnofiguration page as device s ewc (Device Operation) VPN Community Only support basic agent function(registration, Configuration Backup/Restore, Firmware Upgrade, Log, Alarm) Traffic Report Attack Report VPN Report Web Usage Report Log Report Traffic Report Attack Report VPN Report Web Usage Report Log Report 17
18 UTM Report 2.01 and above 3.65WM1 and above Same device cnofiguration page as device s ewc (Device Operation) VPN Community Only support basic agent function(registration, Configuration Backup/Restore, Firmware Upgrade, Log, Alarm) Traffic Report Attack Report VPN Report Web Usage Report Log Report Traffic Report Attack Report VPN Report Web Usage Report Log Report ZW 70 UTM Report 4.00, 4.01, 4.02, 4.03and above Same device cnofiguration page as device s ewc (Device Operation) VPN Community Traffic Report Attack Report VPN Report Web Usage Report Log Report ZW WZ5 and above Only support basic agent function(registration, Configuration Backup/Restore, Firmware Upgrade, Log, Alarm) Traffic Report Attack Report VPN Report Web Usage Report Log Report 18
19 UTM Report 4.00, 4.01, 4.02, 4.03 and above Same device cnofiguration page as device s ewc (Device Operation) VPN Community Traffic Report Attack Report VPN Report Web Usage Report Log Report 3.64XD5 and above Only support basic agent function(registration, Configuration Backup/Restore, Firmware Upgrade, Log, Alarm) Traffic Report Attack Report VPN Report Web Usage Report Log Report ZW 5 UTM Report 4.00, 4.01, 4.02, 4.03 and above Same device cnofiguration page as device s ewc (Device Operation) VPN Community Traffic Report Attack Report VPN Report Web Usage Report Log Report UTM Report ZW 2WG 4.02, 4.03 and above Same device cnofiguration page as device s ewc (Device Operation) VPN Community Traffic Report Attack Report VPN Report Web Usage Report Log Report 19
20 UTM Report ZW , 4.01, 4.02, 4.03 and above Same device cnofiguration page as device s ewc (Device Operation) VPN Community Traffic Report Attack Report VPN Report Web Usage Report Log Report ZW Same device cnofiguration page as device s ewc (Device Operation) Attack Report Web Usage Report VPN Community Log Report P662HW QR8 and 3.40QR9 Same device cnofiguration page as device s ewc (Device Operation) Attack Report Web Usage Report VPN Community Log Report P662H QR8 and 3.40QR9 Same device cnofiguration page as device s ewc (Device Operation) Attack Report Web Usage Report VPN Community Log Report P662HW-D1 3.40AGZ3 to 3.40AGZ6 Same device cnofiguration page as device s ewc (Device Operation) VPN Community Attack Report Web Usage Report Log Report P662H-D1 3.40AGZ3 to 3.40AGZ6 Same device cnofiguration page as device s ewc (Device Operation) VPN Community Attack Report Web Usage Report Log Report P653HWI Same device cnofiguration page as device s ewc (Device Operation) VPN Community Attack Report Web Usage Report Log Report 20
1.1.2 Deployment Scenario

TCP/IP ports used on the CNM & VRPT servers:

Vantage CNM Server
  Protocol Type | Port Number | Usage
  UDP |  | ZLD Device (e.g. ZW1050, USG series) communicates to CNM Server through UDP
  UDP | 1864 | ZyNOS Device communicates to CNM Server through UDP 1864
  TCP | 8080 | CNM client (browser) connects to CNM Server through TCP. Device communicates to CNM Server through TCP 8080 (for TR069)
  TCP | 443 | CNM client (browser) connects to CNM Server through TCP 443. Device communicates to CNM Server through TCP 443 (for TR069)
VRPT Server
  UDP | 514 | Device sends syslog to VRPT Server for logging and reporting
  TCP | 8088 | CNM communicates to VRPT Server to retrieve reports and maintenance
FTP Server
  TCP | 20/21 | Device connects to FTP server for firmware upgrade/configure backup/restore

Single Server for CNM & VRPT

For a SI/Reseller who maintains no more than 100 devices, both CNM (for management) and VRPT (for reporting) can be installed on the same server. Below is an example of the network topology and hardware requirement.

CNM & VRPT Server
  CPU: Intel P GHz
  Memory: 2GB and higher
  Hard Disk: 250GB and higher

[Figure: Installing CNM & VRPT on Same Server. Labels: Internet, CNM+VRPT, NAT/Firewall, Managed Device, CNM Public IP & VRPT Instance IP. Callouts: What is the setting of VRPT Management on the CNM server? Which ports should be allowed if a firewall is enabled on the server (e.g. XP, W2003)? What is the NAT rule & firewall rule?]

1. On the NAT/Firewall, the same public IP can be used as the public IP of the CNM & VRPT Server. Forward Port 1864(UDP), (UDP), 8080 (TCP), 443 (TCP), 514 (UDP) and 8088 (TCP) to the CNM+VRPT Server.
2. For a ZyNOS-based ZyWALL used as the NAT gateway, please check that the command ip nat loopback is enabled. For a ZLD gateway (e.g. ZW1050), a policy route should be set.
   a. Go to Object>Address, set addresses for the Vantage server's WAN, LAN and your LAN subnet.
   b. Go to Network>Virtual Server, set a rule as below to map your Vantage server's WAN IP to its internal IP.
   c. Go to Network>Routing, click the Add icon, and configure a rule as below to achieve loopback.
3. Port 1864(UDP), (UDP), 8080 (TCP), 443 (TCP), 514 (UDP) and 8088 (TCP) have to be opened in the firewall and forwarded to the CNM+VRPT Server.
4. If the FTP Server is installed on the same machine, please also open 20/21 (TCP) and firewall policy on gateway.
5. Configure the public IP that is mapped to VRPT in CNM System Setting>Configuration>VRPT Management of CNM.

Here's a configuration example:

IP Assignment
  CNM & VRPT Server:
  WAN IP of NAT router:

Go to the web GUI of the ZyWALL, and configure the NAT rule and the firewall rule. In Firewall>Service, add ports 1864, 11864, 8088 and 8080 to Custom Service. These ports can then be used in the firewall rule that we will define later.

Then, go to Firewall>Rule Summary WAN-to-LAN. Press the Insert button to add a firewall rule. Press the Insert button to add the CNM_ZyNOS (1864), CNM_ZLD (11864), CNM_to_VRPT (8088), web/tr069 (8080), HTTPS (443) and SYSLOG (514) to the selected Service.

Then, go to NAT and make sure all ports are forwarded to the server. Go to Advanced>NAT>Port Forwarding; forward the port 514, 8088, 1864, and 8080 and 443 to your server's IP address.
Then, go to CNM System Settings>Configuration>VRPT Management; you will find that the status of VRPT becomes available.

Installing CNM & VRPT on different servers

Installing Single VRPT Server

For a SI/Reseller who maintains fewer than 100 devices but wants better performance for management & reporting, CNM (for management) and VRPT (for reporting) can be installed separately. Below is an example of the network topology and hardware requirement.

Management Server (Vantage CNM)
  CPU: Intel Pentium IV 3.2 GHz or higher
  Memory: 2GB or higher
  Hard Disk: 80GB or higher

Reporting Server (Vantage Report for CNM)
  CPU: Intel Pentium IV 3.2 GHz or higher
  Memory: 1GB or higher
  Hard Disk: 200GB or higher

Note: Reporting Server can handle <=1500 logs/sec

[Figure: Installing CNM & VRPT on Different Servers. Labels: Internet, CNM, VRPT, NAT/Firewall, Managed Device, CNM Public IP & VRPT Instance IP. Callouts: Which ports should be allowed if a firewall is enabled on the server (e.g. XP, W2003)? What is the setting of VRPT Management on the CNM server? What is the NAT rule & firewall rule?]

1. On the NAT/Firewall, the same public IP can be used as the public IP of the CNM & VRPT Server. Forward Port 1864(UDP), (UDP), 8080 (TCP), 443 (TCP) to the CNM Server and forward 514 (UDP) and 8088 (TCP) to the VRPT Server.
2. For a ZyNOS-based ZyWALL used as the NAT gateway, please check that the command ip nat loopback is enabled. For a ZLD gateway (e.g. ZW1050), a policy route should be set. Please refer to Single Server for CNM & VRPT.
3. If a firewall is enabled on the server, allow 1864(UDP), (UDP), 8080 (TCP), 443 (TCP) on the CNM Server and allow 514 (UDP) and 8088 (TCP) on the VRPT Server.
4. Configure the public IP that is mapped to VRPT in CNM System Setting>Configuration>VRPT Management of CNM.

Here's a configuration example:

IP Assignment
  CNM Server:
  VRPT Server:
  WAN IP of NAT router:

In the NAT Router/Firewall, add the ports 1864, 11864, 8088, and 8080 in the service: Security>Firewall>Service.

Forward ports 11864, 1864, 8080, 443, 514, and 8088 in the firewall configuration, direction WAN-to-LAN.

Forward ports 11864, 1864, 8080 and 443 to the CNM server and ports 8088 and 514 to VRPT in the NAT configuration.

Then, go to CNM System Setting>Configuration>VRPT Management; you will find that the status of VRPT turns available.
Installing Multiple VRPT Servers

For a SI or MSP who maintains more than 100 devices, CNM (for management) and more than one VRPT (for reporting) should be installed on different servers. Below is the illustration of the network topology and recommended hardware platform.

Management Server (Vantage CNM)
  CPU: Intel Pentium IV 3.2 GHz or higher
  Memory: 2GB or higher
  Hard Disk: 80GB or higher

Reporting Server (Vantage Report for CNM)
  CPU: Intel Pentium IV 3.2 GHz or higher
  Memory: 1GB or higher
  Hard Disk: 200GB or higher

Note: Reporting Server can handle <=1500 logs/sec

[Figure: Installing Multiple VRPT Servers. Labels: Internet, CNM, VRPT_1, VRPT_2, NAT/Firewall, Managed Device, VRPT_1 Public IP, VRPT_2 Public IP, CNM Public IP & VRPT Instance IP, VRPT Instance 1, VRPT Instance 2. Callouts: Which ports should be allowed if a firewall is enabled on the server (e.g. XP, W2003)? What is the setting of VRPT Management on the CNM server (VRPT_1, VRPT_2)? What is the NAT rule & firewall rule?]

1. On the NAT/Firewall, the same public IP can be used as the public IP of the CNM & VRPT Server. Forward Port 1864(UDP), (UDP), 8080 (TCP), 443 (TCP) to the CNM Server and forward 514 (UDP) and 8088 (TCP) to the VRPT Server.
2. For a ZyNOS-based ZyWALL used as the NAT gateway, please check that the command ip nat loopback is enabled. Please refer to Single Server for CNM & VRPT.
3. If a firewall is enabled on the server, allow 1864(UDP), (UDP), 8080 (TCP), 443 (TCP) on the CNM Server and allow 514 (UDP) and 8088 (TCP) on the VRPT Server.
4. Configure the public IP that is mapped to VRPT in CNM System>Configuration>VRPT Management of CNM.

Note: Full-feature NAT must be used to make more than one VRPT server visible to all devices on the Internet (because the port used for receiving logs is fixed), which means a different public IP address has to be mapped to each VRPT server. One VRPT server can, however, share the same public IP address with CNM.

Here's a configuration example:

IP Assignment
  CNM Server:
  VRPT Server:
  VRPT Server:
  Public IP of NAT Router: ,

Full-feature NAT setting (columns: Source IP address, NAT Type, Public IP address)
  One-to-one
  Many-to-one

Step 1. Make sure the ports 1864, 11864, 8088, 514, 443, 8080 and 21 are allowed in the WAN-to-LAN rule of the firewall setting.
Step 2. Go to Advanced>NAT>NAT Overview, choose Full-feature and configure the Address Mapping.
Step 3. Configure the One-to-One rule.
Step 4. Configure the Many-To-One rule.
Step 5. Check that the NAT mapping is the same as below:
Step 6. Configure the port forwarding: forward the port 8080, 443, 1864, and 21 to the , and forward port 514 and 8088 to (For One-To-One mapping of VRPT ( ), no port forwarding is needed).
Step 7. Add the two VRPT servers' IPs to the CNM, and then check their status.

1.2 A Scenario for CNM Application

In the following application note, we will introduce how to use Vantage to conduct UTM, VPN Management and device maintenance over multiple ZyXEL appliances in an MSP (Managed Service Provider) environment. We will also introduce how to use the report function of CNM. We assume that customers reading this chapter have already done the basic setup, including Vantage CNM Server and FTP server setup and activation on a Windows operating system, and that the connection between the Vantage server and the FTP server is OK.
Customers who have not finished the preceding operations yet should refer to the detailed steps in the Quick Start Guide of Vantage CNM 3.0.

Jim is a principal of Company M, a local MSP (Managed Services Provider). He regularly receives requests from small and medium-sized companies hoping that Company M can help them find a reliable and cost-effective solution to maintain their network. Here come Company A and Company B.

Company A is a medium-sized company with 300 employees. There are N branches all over the country. Almost 80 percent of Company A's employees need to use the Internet in their daily work. They would like to use the UTM function to protect their network and want to maintain the devices centrally. They also need a report about the UTM and the Internet usage of the company. Besides, in order to transmit secret information among the HQ and three branch offices securely, they also want a convenient way to build VPN tunnels among these offices and monitor all the VPN tunnels.

Company B is a small-sized company with three branches. The security gateways of Branch Office 1 and Branch Office 2 have static public IP addresses, and Branch Office 3's security gateway gets a dynamic IP address via a DSL connection. They want to share their resources and information among HQ and branches without compromising their security. By deploying the ZyWALL's VPN feature they can be confident that only trusted users can access the company's network. They would like a report for their bandwidth management, security status and Internet usage as well.

Company M's solution for Company A and Company B with ZyXEL appliances and Vantage CNM:

UTM Management
  1. Centralized License Management
  2. Policy Enforcement
  3. UTM Report
  4. Active Monitoring and Alerting
VPN Management
  1. Security VPN tunnel establishment
  2. VPN tunnel installation report
  3. VPN Tunnel Status
Device Maintenance
  1. Firmware management and upgrade
  2. ROM file backup and restore
Monitor, Alerting & Reporting
  1. Device alarm, alert and notify
  2. Monitor the Internet usage and security status via device report
The following picture shows the network for M's solution. The companies are connected to the Internet with static public IPs, except Branch Office 3 of Company B, which gets a dynamic public IP via a DSL connection. Company A uses a ZyWALL USG 1000 in HQ, and uses ZyNOS ZyWALLs in the branch offices as the firewall to protect the company network. There's a NAT router in front of the ZyWALL 2 Plus in Branch 3. Company B uses a ZyWALL USG 300 in HQ, and ZyNOS ZyWALLs in the branches as the firewall to protect the company network. The following diagram depicts the network environment & IP address assignments of this example.

Company A:
  Device Name | Device Type | Administrator | IP Address
  A_HQ_USG1000 | USG 1000 | John | WAN: LAN: Mask:
  A_BR1_ZW5 | ZyWALL5 |  | WAN: LAN: Mask:
  A_BR2_ZW35 | ZyWALL35 |  | WAN: LAN: Mask:
  A_BR3_ZW2Plus | ZyWALL2Plus |  | WAN: LAN: Mask:
  A_BRN_ZW35 | ZyWALL35 |  |
  NAT router |  |  | WAN:

Company B:
  Device Name | Device Type | Administrator | IP Address
  B_HQ_USG300 | USG 300 | Tom | WAN: LAN: Mask:
  B_BR1_ZW5 | ZyWALL5 |  | WAN: LAN: Mask:
  B_BR2_ZW70 | ZyWALL70 |  | WAN: LAN: Mask:
  B_BR3_ZW35 | ZyWALL35 |  | WAN: dynamic LAN: Mask:

Vantage server:
  Server | Administrator | IP Address
  CNM server | root | WAN: Mask:
  FTP server |  | WAN: Mask:

Please note that Vantage can only manage ZyXEL devices which support CNM (Central Network Management). You can check whether your ZyXEL devices support Vantage in the User's Guide/Data Sheet, which is available on the ZyXEL web site ( or you can go to the device's SMT menu and issue the command cnm. Devices which support CNM return the following result:

  ras> cnm
  active sgid managerip debug reset encrykey encrymode keepalive version tr069

In the following, we are going to show how to configure Vantage and ZyXEL devices step by step.

Device Registration to Vantage CNM

Before proceeding, please log in to the Vantage server by typing this URL server's IP>:8080. In this example, it should be The default User Name and Password are root/root; users can change the default password later. To complete this application, users need to finish the following items step by step.
Device Group Setup: Define different group folders for different companies and different branch offices.
Adding Device to Vantage CNM: Add the managed devices to the CNM server.
Enable/Setup CNM Function on Devices: Enable the CNM function on the managed devices to have them register to the CNM server.

Device Group Setup

1. Create a group folder for Company A. Right click on Root>Add Folder; give this group folder a name, Company_A.
2. Create a group folder for Company B. Right click on Root>Add Folder; give this group folder a name, Company_B.

After you complete these steps, you should get the following Object Tree in the left frame of the web page.

Adding Device to Vantage CNM

1. Add ZyWALL devices in folder Company_A.
   a. Adding USG 1000: Right click the Company_A icon on the OTV (Object Tree View) and choose Add Device. A dialogue will appear on the right side. Input the smallest MAC address of the USG 1000 in HQ. Give this device a name, A_HQ_USG1000. Select the corresponding Device Type, and enter the device's login username and password. If there are two identical ZLD devices doing HA, please check the HA checkbox and select the device's role (Master or Backup), then click Apply.
   b. Adding ZyWALL5: Right click the Company_A icon on the OTV (Object Tree View) and choose Add Device. A dialogue will appear on the right side. Input the MAC address of the LAN interface of the ZyWALL5 in HQ. Give this device a name, A_BR1_ZW5. Select the corresponding Device Type and firmware version. Set the Syslog Server IP address, and click Apply.
   For other ZLD devices in Company A, please repeat the above steps for adding the USG 1000 in HQ. For other ZyNOS devices in Company A, please repeat the above steps for adding the ZyWALL5 in Branch Office 1.
2. Add ZyWALL devices in folder Company_B.
   a. Adding USG 300: Right click the Company_B icon in the Object Tree, and select Add Device. A dialogue will appear on the right side. Input the MAC address of the LAN interface of the USG 300 in HQ. Give this device a name, B_HQ_USG300. Select the corresponding Device Type, and enter the device's login username and password. If there are two identical ZLD devices doing HA, please check the HA checkbox and select the device's role (Master or Backup), then click Apply.
   b. Adding ZyWALL5: Right click the Company_B icon on the OTV (Object Tree View) and choose Add Device. A dialogue will appear on the right side. Input the MAC address of the LAN interface of the ZyWALL5 in HQ. Give this device a name, B_BR1_ZW5. Select the corresponding Device Type and firmware version. Set the Syslog Server IP address, and click Apply.
   For other ZLD devices in Company B, please repeat the above steps for adding the USG 300 in HQ. For other ZyNOS devices in Company B, please repeat the above steps for adding the ZyWALL5 in Branch Office 1.

After finishing the above 2 items, you should get an OTV on the left frame like this.
Enable/Setup CNM Function on Devices

For ZyNOS Devices

Vantage CNM is disabled on the device by default. There are two ways to enable the Vantage function on ZyNOS devices.

1. SMT menus
Please telnet to ZyXEL devices and go to SMT menu 24.8, then issue the following commands is Vantage Server's IP address.

2. Web GUI Configuration
Log in to the GUI of the ZyXEL device, go to ADVANCED>REMOTE MGMT in the navigation panel, and then click the CNM tab to configure your device's Vantage CNM settings. The Registration Status field displays Registering when the ZyXEL device first connects with the Vantage server, and then Registered after it has been successfully registered with the Vantage server. Last Registration Time displays the last date and time that the ZyXEL device registered with the Vantage server. Enter the Vantage server's IP in the Vantage CNM Server Address field, select the Enable check box, and click Apply to enable the Vantage function.

For ZLD Devices

Vantage CNM is disabled on the device by default. There are two ways to enable the Vantage function on ZLD devices.

1. SMT menus
Please telnet to your device. After the sign behind Router is changed from > to #, please issue the following CI command.

2. Web GUI Configuration
Log in to your device's web GUI, go to System>Vantage CNM, check the Enable box, and enter the CNM server's IP address.

When the device is registering to the CNM server, a lightning bolt will show on the device and on the folder to which the device belongs.

Account Management (UAM)

From CNM 3.0, a new feature, UAM (User Account Management), is added. It provides flexibility to define different user groups with different privileges, including CNM server
operations and folder/device access privileges. The accounts in a specific group inherit all the privileges in that group.

A group is a set of accounts that share exactly the same privileges for CNM operation.
An account is a specific administrator. It must be in a specific group, and inherits all the privileges in that group.

Note 1: There is a default group super, which can manage all Vantage operations and has the privilege to access all the registered devices for monitoring and configuring all their functions. There is also a default account root in this group. Neither the group super nor the account root can be deleted.

Note 2: Since CNM 3.0 UAM (User Account Management) is a completely new feature, if a user upgrades the CNM server from version 2.3, the old accounts in CNM 2.3 will be migrated to CNM 3.0 as follows:
The root account will be in the super group in CNM 3.0 after migration.
For all other accounts in CNM 2.3, the migration will create a special group called custom in CNM 3.0. Those accounts will be migrated to this custom group in CNM 3.0. This custom group has minimum privileges: it can only navigate the configuration and cannot change anything. That means the original accounts' information will be lost and administrator root needs to reconfigure these old accounts migrated from CNM
The following steps show how to set up user accounts for the administrators of Company A and Company B.

1. Create a user group for the administrator of Company A, with the privilege to access only the folder Company_A.
a. Go to Account Management>Group and click the Add button.
b. Give the group the name A-admin. Click the Associate button to open the popup window, and choose only the folder Company_A. Give full privileges for all the devices in this folder. Click the Apply button.
2. Create an account John in the group A-admin.
a. Go to Account Management>Account and click the Add button.
b. Give the account the name John and a password, and input the user's mail address. Choose A-admin as the Administrator Group. Click the Apply button.
3. Create a user group for the administrator of Company B, with the privilege to access only the folder Company_B.
a. Go to Account Management>Group and click the Add button.
b. Give the group the name B-admin. Click the Associate button to open the popup window, and choose only the folder Company_B. Give full privileges for all the devices in this folder. Click the Apply button.
4. Create an account Tom in the group B-admin.
a. Go to Account Management>Account and click the Add button.
b. Give the account the name Tom and a password, and input the user's mail address. Choose B-admin as the Administrator Group. Click the Apply button.
After you complete these steps, you should get an administrators list like this.

Device Maintenance

For detailed information about the whole scenario, please refer to A Scenario for Vantage Application.

Device Configuration

On CNM 3.0, for ZyNOS devices, configuration of the supported devices with a supported firmware version is the same as in the device's web GUI; for ZLD devices, configuration of the supported devices with a supported firmware version is the same as in the device's web GUI, except for the Anti-x functions. For the supported model list and firmware versions, please refer to Model & Firmware Support List.

To configure a device, first select the device in the OTV, then go to Device Operation>Device Configuration. In this example, we choose a ZyNOS device, and the same functions as in its web GUI are listed under Device Configuration.
For example, if we want to configure a VPN rule on this device, we just need to go to Security>VPN. Then we can set the VPN rule just as in the device's web configuration page. After the configuration is saved, the CNM server will transfer the setup info to the device.

Configuration File Management

The administrator can use the Configuration File Management screen to back up the device's configuration file to the Vantage CNM server, or to restore a selected configuration file to the device. Once your device is configured and functioning properly, it is highly recommended that you back up your configuration file before making configuration changes. The backup configuration file will be useful in case you need to return to your previous settings.

Backup and Restore

Select a device in the OTV, and go to Device Operation>Configuration Management>Configuration File Management. The Backup & Restore screen will show as below.

Click the Backup button to back up the current configuration file of this device to the CNM server. Input a name for this configuration file; the description of this file is optional. We can choose to back up now or set a backup schedule for this device.
If we choose Backup Now, after the backup is done, we will see the configuration file in the list as below.

If we choose Scheduled Time, the CNM server will perform the backup at the specified schedule. For a One-Time schedule, the CNM server will ask us to select the date and time.
For Weekly or Monthly, the CNM server will perform the backup on a recurring schedule at the date the administrator has set.

After clicking the Backup button, we will see the configuration file in the Configuration File List. A new record for the scheduled backup will also show in the Schedule List tab.
Group Configuration Backup

Company M can back up the configuration files of several devices at the same time, even if the devices are of different models.

Select folder Company_A in the OTV and go to Device Operation>Configuration Management>Configuration File Management. Click the Backup button.

Type a name for the configuration file group you want to back up in the Romfile Name field and add a description in the Note field. Select the devices whose configuration files you want to back up. Please note that only devices with Ready status can back up their configuration files. Click Backup to start the backup process.
After the backup is done, the screen will return to the Backup & Restore page, and we can find the detailed record for the backup we just performed in the Configuration File List.

Group File Name displays the name of the configuration file we just backed up.
Backup Time displays the date and time at which the backup was performed.
Description displays the description you entered for the configuration file.
Admin shows which administrator did the backup.

The group configuration files we back up are stored on the CNM server. When we want to restore the group configuration files, we can select the folder Company_A in the OTV and go to Device Operation>Configuration Management>Configuration File Management. Press the Restore button.
The devices whose configuration files are contained in this group configuration file are listed. Select the devices we want to restore, and click the Restore button. The configuration files will be sent to the respective devices and restored.

Firmware Management

Company M can use the Vantage Firmware Management screen to download ZyXEL device firmware from the ZyXEL FTP site to Vantage. After downloading it to Vantage, the administrator can then upload it from Vantage to the target devices in Company A and Company B. All firmware is downloaded to one repository within Vantage. The administrator should subscribe to the ZyXEL mailing lists to be regularly informed of new firmware versions.

Go to Device Operation>Firmware Management>Firmware List to find detailed info about the current firmware in your Vantage, such as FW Version, Device Type and so on.

Click the Add button to download a firmware from your local computer. In the next screen, you are requested to browse to the Firmware Zip File Path and Name which you want to download from. Enter a firmware name in the Firmware Alias field. Click Apply.
After all the firmware files are uploaded to the Vantage server, we can find all the firmware info in the Firmware List screen.

Note: You can only delete firmware downloads done by you or an administrator within your user group. You cannot edit an existing firmware in Vantage. You can only delete it.

Group Firmware Upgrade Process

Company M can use the Device Firmware Upload screen to upload firmware to devices from Vantage. The administrator may upload firmware to several homogeneous devices at the same time, such as all ZyWALL 5 in branches of A Company or the four ZyWALL 35 in Company A and Company B. Vantage can upload firmware to between 20 and 50 devices at a time, depending on your network bandwidth.

Select folder Company_A and go to Device Operation>Firmware Management>Firmware Upgrade. Select the Device Type in the dropdown list.
A list of all the firmware for the selected device type will show. Click the Upgrade button at the end of the row of the firmware you want to upload to the devices.

All the devices of the selected device type in Company_A will show. Select the devices on which you want to perform the firmware upgrade.

Note: You should upgrade the firmware on a device only when its Upgrade Status is Ready.

Click Apply to begin the group firmware upgrade process. You can see the Upgrade Status of the devices turn to upgrading, and the two devices' icons will first turn grey, then two blue lightning marks are added to the devices' icons. When the upgrade process is done, the status will turn to Ready to upgrade again and the blue lightning marks will disappear.
Schedule Firmware Upgrade

Alternatively, you can schedule when you want firmware upgrades to start. First select the folder Company_A in the OTV. Then go to Device Operation>Firmware Management>Schedule List. Click the Add button.

Select the Device Type of the devices on which you want to perform the scheduled firmware upgrade. A list of all the firmware for the selected device type will show. Click the Upgrade button at the end of the row of the firmware you want to upload to the devices.
Select the candidate devices. Click the calendar button to select the date, and choose from the dropdown list the exact hour at which you want the upgrade performed. Type some extra information in the Description field. This description appears in the firmware upgrade report screen when the upgrade is logged.

Advisory Notes on Firmware Upgrade: It is advisable to upgrade firmware during periods of low network activity, since each device must restart after firmware upload. You should also notify device owners before you begin the upload.

Firmware Upgrade Report

Go to Log & Report>Operation Report>Firmware Upgrade Report; the Firmware Upgrade Report will be shown next. The administrator can get the details of firmware uploaded to Vantage in this screen.
Index displays the upgrade list number.
Administrator displays the administrator who performed the upgrade.
Result displays the upgrade result description.
Description displays a description entered in data maintenance prior to uploading.

We can make the CNM server send notification mails to the device owner and administrator. Please go to CNM System Setting>Configuration>Notification. We can choose to send the notification to the administrator, the device owner, or both.

Click the Edit button and a mail sample will pop up. We can add other mail receivers in the CC field, and we can edit the mail contact. Click Apply after the modification.
1.2.4 VPN Management

For detailed information about the whole scenario, please refer to 1.2 A Scenario for CNM Application.
Company A is a medium-sized company with 300 employees. There are N branches all over the country. Three branch offices and the HQ office want to transmit secret information among themselves securely, and they want a convenient way to build and monitor VPN tunnels.

Company B is also a medium-sized company with three branches. The security gateways of Branch Office 1 and Branch Office 2 have static public IP addresses, and Branch Office 3's security gateway gets a dynamic IP address via a DSL connection. They want to share their resources and information among HQ and branches without compromising their security.

From CNM version 3.0, we began to implement VPN Community, which is a more comprehensive and flexible function to build VPN tunnels. A VPN Community, as its name suggests, is a group of security gateways among which VPN tunnels are built. According to how the VPN tunnels are deployed, there are three kinds of VPN communities: Full Mesh, Hub & Spoke, and Remote Access.

Building VPN Community

The following shows the steps to build the Full Mesh, Hub & Spoke, and Remote Access VPN communities respectively.

Building a Full-Mesh VPN Community

Administrator John for Company A can use the CNM's VPN Management function to build a Full-Mesh VPN community, in which all the security gateways will build VPN tunnels with each other. The picture below shows a logical scenario for the VPN community of Company A.
Step 1. Go to VPN Management>VPN Community and click the Add button; a configuration page will show.
Step 2. Input a community name, and choose Full Mesh in the Community Type dropdown list.
Step 3. In the Member Gateways section, click the Add button; a pop-up window will show. Select the VPN gateways for this VPN community.

Step 4. Note that there is a NAT router in front of Branch Office 3's security gateway, a ZyWALL 2 Plus, so we must modify this gateway's public IP address. Click the Edit button at the end of the record of A_BR3_ZW2Plus. A pop-up window will show the details of this security gateway's VPN settings. Check the box Behind NAT, modify the Public IP Address to the NAT router's WAN IP address, and input the ZyWALL 2 Plus's WAN IP address in the My IP field. It is also important to set the Local ID Content to the WAN IP of the NAT router.
Step 5. Note also that the local LAN subnet of A_HQ_USG1000 overlaps with the local LAN subnet of A_BR3_ZW2Plus. To avoid this overlap, we can employ the NAT over IPsec function. Click the Edit button at the end of the record of A_BR3_ZW2Plus. In the pop-up configuration window, under the Virtual Address Mapping Rule section, check the box Active, and choose Many One to One as the Mapping Type. Specify the Private Starting/Ending IP Address and the Virtual Starting/Ending IP Address.
After the configuration, we will get a view of the Member Gateways as follows.

NOTE: NAT over IPsec in CNM 3.0 is only available for ZyWALL 2 Plus with f/w 4.01 and above, and ZyWALL 5, 35, 70 with f/w 4.03 and above. This feature is not yet available for ZLD devices.

Step 6. We can modify the security parameters in IPsec phase 1 and phase 2 according to special requirements. Finally, press Apply.

After finishing the configuration for the Hub & Spoke community, we can go to the Installation Report section to check whether the VPN settings are sent to the gateways
successfully. We can also go to the VPN Monitor section to check the VPN tunnel status. For detailed explanations, please go to VPN Installation Report and VPN Monitoring.

After all the tunnels are shown as up in the VPN Monitor, we can see the same result in the web GUI, as follows.

Building a Hub & Spoke VPN Community

Administrator Tom for Company B can use the CNM's VPN Management function to build a Hub & Spoke VPN community, in which the HQ security gateway will act as the Hub gateway, and the security gateways of Branch Office 1 and Branch Office 2 will act as Spoke gateways. The picture below shows a logical scenario for the Hub & Spoke VPN community of Company B.
Step 1. Go to VPN Management>VPN Community and click the Add button; a configuration page will show.
Step 2. Input a community name, and choose Hub & Spoke in the Community Type dropdown list. Since Company B also wants to share internal resources among all its branch offices, Tom should enable inter-routing between spokes.

Step 3. In the Hub Gateway section, click the Add button; a pop-up window will show. Select B_HQ_USG300 as the hub gateway of this VPN community.

Step 4. In the Spoke Gateways section, click the Add button; a pop-up window will show. Select B_BR1_ZW5 and B_BR2_ZW70 as the spoke gateways of this VPN community.
Step 5. Please note that if we enabled inter-routing between spokes, we should make sure the hub gateway's network policy covers the networks of all the spoke gateways. If it does not, we should click the Edit button at the end of the hub gateway's record. A pop-up window will show the details of this security gateway's VPN settings. Please change the Local Network address to a subnet that can cover all the networks of the spoke
gateways. In this example, we change it to , with subnet mask as

After the configuration, we will get a view of this VPN community's gateways as follows.

Step 6. We can modify the security parameters in IPsec phase 1 and phase 2 according to special requirements. Finally, press Apply.
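The two subnet conditions described above (overlapping local LANs in the Full Mesh community, resolved with a Many One to One virtual address mapping, and a hub Local Network that must cover every spoke network when inter-routing is enabled) can be checked before pressing Apply. The following Python is an added example, not part of this support note or of CNM; the function names are hypothetical, every subnet is a constructed sample value, and the mapping is modelled as offset-preserving, which is an assumption.

```python
"""Pre-flight subnet checks for a VPN community (added example, constructed data)."""
import ipaddress
from itertools import combinations

# Constructed sample local networks; gateway names are the ones used on this page.
FULL_MESH = {
    "A_HQ_USG1000": "192.168.1.0/24",
    "A_BR1_ZW5": "192.168.2.0/24",
    "A_BR3_ZW2Plus": "192.168.1.0/24",  # same LAN as HQ, as in Full Mesh Step 5
}
# Constructed private and virtual ranges for the Virtual Address Mapping Rule.
BR3_MAPPING = ("192.168.1.1", "192.168.1.254", "192.168.30.1", "192.168.30.254")
SPOKES = {"B_BR1_ZW5": "192.168.11.0/24", "B_BR2_ZW70": "192.168.12.0/24"}
HUB_LOCAL = "192.168.10.0/24"  # constructed hub Local Network before editing


def find_overlaps(local_networks):
    """Return sorted (gateway, gateway) pairs whose local networks overlap."""
    nets = {n: ipaddress.ip_network(c) for n, c in local_networks.items()}
    return sorted(
        tuple(sorted((a, b)))
        for a, b in combinations(nets, 2)
        if nets[a].overlaps(nets[b])
    )


def map_one_to_one(addr, private_start, private_end, virtual_start, virtual_end):
    """Translate one private address into the virtual range, keeping its offset.

    Assumption: a Many One to One rule pairs the Nth private address with the
    Nth virtual address, so both ranges must have the same size.
    """
    a, ps, pe, vs, ve = (
        int(ipaddress.ip_address(x))
        for x in (addr, private_start, private_end, virtual_start, virtual_end)
    )
    if pe - ps != ve - vs:
        raise ValueError("private and virtual ranges differ in size")
    if not ps <= a <= pe:
        raise ValueError(f"{addr} is outside the private range")
    return str(ipaddress.ip_address(vs + (a - ps)))


def covering_network(cidrs):
    """Return the smallest single network that contains every given network."""
    nets = [ipaddress.ip_network(c) for c in cidrs]
    candidate = nets[0]
    while not all(n.subnet_of(candidate) for n in nets):
        candidate = candidate.supernet()  # widen by one prefix bit and retry
    return candidate


def uncovered_spokes(hub_cidr, spoke_networks):
    """Return the spokes whose network is not inside the hub's Local Network."""
    hub = ipaddress.ip_network(hub_cidr)
    return [
        name
        for name, cidr in sorted(spoke_networks.items())
        if not ipaddress.ip_network(cidr).subnet_of(hub)
    ]


if __name__ == "__main__":
    print("Overlapping members:", find_overlaps(FULL_MESH))
    print("192.168.1.33 appears as", map_one_to_one("192.168.1.33", *BR3_MAPPING))
    print("Spokes not covered by hub:", uncovered_spokes(HUB_LOCAL, SPOKES))
    wide = covering_network(list(SPOKES.values()) + [HUB_LOCAL])
    print("Hub Local Network that covers all:", wide, "mask", wide.netmask)
```

The covering network is usually wider than the spoke subnets themselves (here it also spans unused /24 ranges), so firewall rules on the hub should still limit traffic to the subnets that are actually in use.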
After finishing the configuration for the Hub & Spoke community, we can go to the Installation Report section to check whether the VPN settings are sent to the gateways successfully. We can also go to the VPN Monitor section to check the VPN tunnel status. For detailed explanations, please go to VPN Installation Report and VPN Monitoring.

After all the tunnels are shown as up in the VPN Monitor, we can see the same result in the web GUI, as follows.
Building a Remote Access VPN Community

For Site-to-Site with Dynamic IP Case

For Branch Office 3, since its gateway gets its WAN IP address dynamically, Tom can build a Remote Access VPN community between the HQ office and Branch Office 3. The picture below shows a logical scenario for the Remote Access VPN community of Company B.

Step 1. Go to VPN Management>VPN Community and click the Add button; a configuration page will show.
Step 2. Input a community name, and choose Remote Access in the Community Type dropdown list.
Step 3. In the Central Gateway section, click the Add button; a pop-up window will show. Select B_HQ_USG300 as the central gateway of this VPN community.

Step 4. In the Satellite Gateways section, click the Add button; a pop-up window will show. Select B_BR3_ZW35 as the satellite gateway of this VPN community.
After the configuration, we will get a view of this VPN community's gateways as follows.

Step 5. We can modify the security parameters in IPsec phase 1 and phase 2 according to special requirements. Finally, press Apply.
After finishing the configuration for the Hub & Spoke community, we can go to the Installation Report section to check whether the VPN settings are sent to the gateways successfully. We can also go to the VPN Monitor section to check the VPN tunnel status. For detailed explanations, please go to VPN Installation Report and VPN Monitoring.

After all the tunnels are shown as up in the VPN Monitor, we can see the same result in the web GUI, as follows.
For Mobile User's Case

There are many mobile workers in Company B, such as sales staff on business trips. They also need to share the resources in HQ securely. By carrying a handy secure gateway such as the ZyWALL P1, or by using a VPN software client, they can build dynamic VPN tunnels to the HQ's gateway.

Do we then need to add a new VPN rule on the HQ's gateway B_HQ_USG300? Since there is already a Remote Access VPN community built in this case, we can use the existing dynamic VPN rule in the Central Gateway of this Remote Access VPN community. On the VPN client side, since the ZyWALL P1 and VPN software can't be managed by CNM 3.0, the mobile workers need to manually build VPN tunnels to the HQ gateway.

The following steps detail how to build dynamic VPN tunnels for the mobile users.

Step 1. Go to VPN Management>VPN Community, and click the Edit button at the end of the record of the Remote Access Community of Company B. Record the Central Gateway's VPN parameters, including the central gateway's gateway IP, local network, pre-shared key, and the security parameters of phase 1 and phase 2.
Step 2. On the mobile worker's side, build a VPN tunnel to the central gateway. We will take the ZyWALL IPsec VPN Client as an example. Please make sure the Remote Gateway IP address, the Remote LAN address and the phase 1 and phase 2 security parameters are consistent with the central gateway's settings.
Step 3. After the tunnel is established, we can check the status in the VPN client's SA monitor and the central gateway's SA monitor. Alternatively, we can go to VPN Monitoring to check the tunnel status in SA Monitor.
VPN Installation Report

After the VPN community is configured, let's go to the Installation Report to check whether the configurations in the community are sent to the gateways successfully. We will take the Full Mesh VPN community in Company A as an example.
We can click on the Show Detail button to check the detailed installation status for each gateway.

Note: Successful means the VPN configurations are sent to the corresponding gateways successfully. To be created means the VPN configurations are not yet sent to the gateways. The info in this section doesn't indicate whether the VPN tunnels are built successfully. To check whether the tunnels are established, please go to VPN Monitor.

VPN Monitoring

After we make sure the VPN configurations are sent to the devices successfully by checking the VPN Installation Report, we can go to VPN Monitor to check whether the tunnels can be established successfully. Let's again take the Full Mesh VPN community in Company A as an example. We can check the tunnels' status either by VPN Community or by Device.

By Community

Please go to VPN Management>VPN Monitor>By Community.
We can click the Show Detail icon to show the details of each tunnel in this community. When the Status icon shows blue, it means the tunnel is up; if the icon is grey, it means the tunnel is down.

Note: Since CNM 3.0 will not count dynamic VPN tunnels, in VPN Monitor>By Community for Remote Access communities, the number of Up Tunnels and Total Tunnels will show as *.
By Device

In VPN Monitor>By Device, the page will show the status of all the secure gateways that have built VPN tunnels.

Note: Since CNM 3.0 will not count dynamic VPN tunnels, in VPN Monitor>By Device>VPN Tunnel Status, the dynamic VPN tunnels that are up are not added to the number of Up Tunnels.

If we want to check the dynamic VPN tunnels that are up, or check the VPN policies of the up tunnels, we need to go to By Device>SA Monitor.
Note: SA Monitor only supports ZLD devices and ZyNOS devices with firmware version 4.30 or above.

Click the Show Detail icon and all the established VPN tunnels to the central gateway will be shown, including the dynamic VPN tunnels. If the Remote Gateway is shown as N/A, it means it is a dynamic tunnel.

VPN Diagnostic

If a tunnel is down, the Diagnostic icon will show at the end of this tunnel's row. We can click this icon; a pop-up window will show to allow us to dial this tunnel manually.

When we press the dial button, a pop-up window will show all the IKE logs, which give us basic info to identify the incorrect settings.
Note: The manual dial function is only available for ZyNOS ZyWALL with f/w version 4.03 or above and ZLD with f/w version 2.01 or above.

UTM Management

First, please note that UTM management on CNM 3.0 is only available for ZyNOS devices. CNM 3.0 doesn't support the UTM services for ZLD devices yet.

For detailed information about the whole scenario, please refer to 1.2 A Scenario for CNM Application.

Company A is a medium-sized company with 300 employees. There are N branches all over the country. Almost 80 percent of A Company's employees need to use the Internet in their daily work. They would like to use the UTM function to protect their network and want to maintain the devices centrally. They also need a report about the UTM and the Internet usage of the company.

Centralized License Management

Device Registration & License Activation/Upgrade

Select the device which needs to be registered, then go to Device Operation>License Management>Service Activation>Registration to see the Service Registration page. The selected device's registration status will be shown in this page.
If the device is not registered, select New myzyxel.com account and enter the corresponding info needed to register the device as below. Click Apply. Wait for a few minutes until you see the User Name and Password fields turn grey. This shows that the device has been registered successfully.

Go to the Service tab, where you can find that the services (CF, AS and AV) are activated. You can also update your license key or refresh your service license in this page.

If you already have an account on myzyxel.com, all you have to do is select Existing myzyxel.com account, enter your username and password, and select IDP/AV and AS 3 months trial version to activate.
All UTM services of the devices in A Company can be registered in the Vantage server; just repeat the above steps.

Viewing Device License Status

Select a folder in the OTV, and go to Device Operation>License Management>License status to see the detailed information on the UTM service status of all the devices in this folder. You can also Refresh/Active/Update your service license in this page.
License Expire Notification

If your ZyXEL device's license has expired, you can find the expiry information in Vantage. Select a folder in the OTV, and go to Device Operation>License Management>License status to see the detailed information on the UTM service status of all the devices in this folder.

You can find that the AV/IDP service of A_BR2ZW35 has expired, and its Status is Inactive. You can check the device's expiration time in the Expiration Date list.

Policy Enforcement

The ZyWALL UTM is designed to provide network-based security. It protects networks from intrusions, viruses and spam while allowing safe Internet access. In Vantage, you can create your own rules for ZyXEL devices according to the applications in your network.

Configuring UTM policy

Jim can configure UTM (IDP, Anti-Virus, Anti-Spam) in the Vantage server. The steps below show the IDP configuration for A_BR1_ZW5.

Note: Your device must have a turbo card installed to use the IDP feature.
Step 1. Select A_BR1_ZW5 in the OTV, then go to Device Operation>Device Configuration>Security>IDP to see the IDP>General screen as shown next. It is the same as the IDP configuration page in the GUI except for the Update and Backup & Restore fields.

Step 2. Check the Enable Intrusion Detection and Prevention check box to enable the IDP function, and check the protected directions. Click Apply to save the settings.

Step 3. Go to IDP>Signature and configure signatures according to your application. Here Company A would like to block MSN usage to ensure maximum productivity for all 300 employees. Click Switch to query view; the Query Signatures screen will be shown next. Enter MSN in the Signature Search field. Click Search.
Step 4. All signatures that refer to MSN will be shown in the next screen. Activate all the policies, set the action for all of them to Drop Session, and then click Apply. Now all the employees in HQ behind the ZyWALL 70 cannot log on to MSN.

Step 5. Go to Signature Update; the detailed signature information in the device will be shown in the screen. You can update the IDP and Anti-Virus Signature to the latest version with
the online update server manually, or set the update to be done automatically. Click Apply to save the settings.

Note: Make sure the IDP and AV signatures are up to date so that the ZyWALL UTM engine stays in the best status.

Step 6. We can save the IDP general and update settings as a BB, which is then available to apply to other devices of the same type. Go to Device Operation>Device Configuration>Load or Save BB. Click the Save as BB icon; a pop-up window will show.
Input a name for this BB, and click Apply to save it as a BB.

After this BB is saved, it can be applied to other devices of the same model. When we go to another ZyWALL35's Load or Save BB screen, we can see that a load a BB icon shows in the IDP General column. After clicking the icon, a window will pop up. We can choose a BB from the dropdown list.
Apply Group Configuration of UTM Policy

There are N branches of A Company all over the country. Jim would like to configure all the ZyWALL 35 in the branches centrally, since they have similar usage with regard to AV, AS, IDP, firewall and so on.

Vantage CNM group configuration is a way to configure a batch of devices under a certain folder. Vantage CNM 3.0 can batch configure the device's General/AV/IDP/Firewall/AS/Signature Update/Content Filter/VPN/Remote Management/Device Log features. The detailed steps are below.

Note: Only an administrator who has configuration authority can do this job.

Let's take the Anti-Virus setting as an example.

Step 1. Select the folder Company_A in the OTV, and go to the Device Operation section in the main screen.

Step 2. Go to Device Configuration>Security>Anti-Virus. It will request you to select the Device Type and Firmware Version. Here we should select ZyWALL35, 4.02, then click the Next button.

Note:
1. ZLD devices don't support group configuration yet in CNM
In the Device Type field, it only shows the types in your selected group folder. The Company_A group folder only includes ZyWALL5, ZyWALL 35 and ZyWALL2 Plus, so we can only find these device types in the Device Type field.
Step 3. In the next screen, the device Name of every ZyWALL35 in all branches of Company A will be listed. Select the exact devices to which you want to apply the group configuration. Then click the Next button.

Note: A device that either has no Turbo Card installed or has an inactive AV/IDP service can't be selected.

Step 4. In the next screen, we can choose Create a new configuration BB to save the group configuration as a new configuration BB, which is then available to apply to other devices of the same type. If there are existing BBs, we can choose Select an existing configuration Building Block to load an existing BB of the selected feature setting to the device. In this example, we will choose Create a new configuration BB.

Step 5. In the Configuration BB screen, type a Name to identify your Configuration BB and type some extra description of the BB in the Note field. You can leave the Note field blank. Then click the Create button to go to the next screen.
Step 6. The Anti-Virus configuration page is shown next. It is just like the AV configuration screen of the device's web GUI. After configuring the AV direction for FTP, click the Save button. Then change the service to HTTP (TCP 80, 8080, 3128) and configure the protected direction, then click the Save button.
After all the services you want to check are configured, click the Save&Exit button.

Step 7. In the next screen, confirm the information for the group configuration, including the Device Type, Firmware Version, Feature and Building Block Name, and also the Device Name list. If all of them are correct, click the Apply button to save the group configuration.

The screen will return to the one you saw in step 4. You can build another new group configuration.
We can check the created BB in Device Operation>Configuration Management>Building Block.

Signature Backup and Restore for The Devices

Select one device from the OTV. Then go to Device Operation>Configuration Management>Signature Profile Management; you can see the Signature Backup & Restore screen as shown below.
In the Signature Profile List field, there are two items: IDP and Anti-Virus. In ZyNOS 4.00, only IDP can be selected. In ZyNOS 4.01 and above, the Anti-Virus check box is available. Click the Backup button to back up the IDP or AV signature files, and also the IDP signature configuration, to the server.

In this example, we choose to back up the Anti-Virus signature files. Input a name for this signature file and click the Backup button. Accept the warning message by clicking OK. Wait a moment; we will see the AV signature file in the list.
Click the Restore button at the rear end of a signature file to restore this file to the selected device.

In the Reset to Factory field, click Reset to clear all user-entered IDP configuration information and return to factory defaults.

Read UTM Report

With ZyWALL's UTM function, coupled with Vantage's remote access reporting facility, Company M can ensure that Company A carries on its daily jobs in a secure environment, giving them peace of mind and putting them ahead of their competitors.

Set the VRPT Server for Devices

To get the report in CNM, we should make sure the configuration of VRPT Management has been done and the VRPT server is available. Below are the steps to set up a VRPT server for CNM.

Step 1. For the CNM server and VRPT server deployment in your real network environment, please first refer to Deployment Scenario to make sure the communication between the CNM and VRPT servers works without any problem.

Step 2. Go to CNM System Setting>VRPT Management; we will see the records of the VRPT servers. If no VRPT server's info exists, click the Add button to add a VRPT server for your device.
Step 2. Type a name for the VRPT server in the Name field and its IP address in the Syslog Server Address field. Also type an extra description of the VRPT server in the Description field. We can leave the Description field blank.

Click the Associate button to bring up the pop-up window. Select the devices whose logs are to be sent to this VRPT server.

After associating the devices, click the Apply button.
Then we can see the current status of the VRPT server we just configured.

Step 3. Go to CNM System Setting>Configuration>VRPT Management. Click the name of the VRPT server. A window for VRPT server configuration will pop up. Go to System>Server Configuration and input the mail server's address, a usable mail account on this mail server, and the sender's and receiver's mail addresses.
After clicking the Apply button, we can test whether the mail settings are correct by clicking the Test button. If the settings are correct, the people at the configured receiver's e-mail address will receive the mail as below.

Device Configuration for Viewing Reports

Go to Device Operation>Device Configuration>Device Log, and check whether Syslog Logging has been enabled and the IP address of the VRPT server has been filled in the Syslog Server IP field.
Also make sure the entries are enabled for the logs you want the device to send to the VRPT server.
Viewing the UTM Report in CNM

Take the AntiSpam Report as an example. For more UTM reports, please see Viewing Report for Managed Devices.

Note: John said: I have a host of people troop into my office to complain about the Spam issue. We have to mainly use e-mails to develop our business, but when our employees start to receive fifteen to twenty junk mails every day, it does take a long time to distinguish them out from those formal ones.

Jim can resolve this issue well by using ZyWALL's Anti-Spam function and the Vantage report to block spam mails and trace the sender and source of the spam mails.

Note: To look at anti-spam reports, each ZyXEL device must record anti-spam messages in its log. Refer to the User's Guide for each ZyXEL device for more information. In most devices, go to Logs>Log Settings, and make sure Anti-Spam is enabled.

In the AntiSpam Summary report, the administrator can look at the number of spam messages by time interval.

Click Settings, and the Report Display Settings screen appears. You can select a specific Start Date and End Date for your report. The date range can be up to 30 days long, but you cannot include days that are older than Store Log Days in System>General Configuration. Click Apply to update the report immediately, or click Cancel to close this screen without any changes.
In the Top Senders report, the administrator can look at the top combinations of senders of spam messages and the first SMTP server to which the sender sends spam. The administrator can block the senders if they are in the Top Senders report, or block such spam mail addresses by adding them to the blacklist.

In the Top Sources report, the administrator can look at the top sources of spam messages by number of messages and block such IP addresses by adding firewall rules. Please notice the direction of the firewall rules.

In the By Score report, the administrator can look at the top scores calculated for spam messages and then determine a reasonable score threshold to control the quantity of spam mail on the ZyWALL.
UTM Alarm Monitoring and Alerting

In Vantage, Company M can monitor whether someone is threatening the network security of Company A and Company B, and take effective measures to resolve the trouble.

An alert is a type of log that warrants more serious attention. Alerts include system errors, attacks and attempted access to blocked web sites or web sites with restricted web features such as cookies, ActiveX and so on. Below is an example that shows how to see the alarm report in Vantage.

Alarm Monitor

Go to CNM System Setting>Configuration>Log Setting. Select a level in the Alarm Indication Threshold.
In this case, Jim set the threshold to Major. Then, when a device is under attack, a red exclamation mark will show up on the device icon, and the status will change from On to On_Alarm.

Go to Monitor>Device Alarm>Unresolved Alarm, where the administrator can see more detailed info about the alarm.

Click Respond ALL, and all the alarm info will be deleted from the Unresolved Alarm record. We will see all the alarms in the Responded Alarm section, and the red exclamation mark will disappear from the OTV.
Click Clear All, and all the alarms in the Responded Alarm record will disappear.

Alarm Search

In the Monitor>Device Alarm>Unresolved/Responded Alarm section, we can define different criteria to search for specific alarms. First, the administrator should select the range in which he wants to perform the search by clicking a folder in the OTV.
Then go to the Monitor>Device Alarm>Unresolved/Responded Alarm section.

In the Platform field, the administrator can select the device platform on which the alarms happened.

In the Category field, the administrator can select the category of the alarms he wants to search for.
In the Severity field, the administrator can select the severity level of the alarms he wants to search for. If Warning is selected, all the alarms will be displayed in this screen.

In the Time Period field, the administrator can select the alarms that happened in a specific time period, such as Last 1 Hr, Last 8 Hr and so on.

The administrator can customize the exact time period by selecting the Customize check box. Click the icon and a calendar screen will pop up, where the administrator can select a specific day or a range of days for the alarms he wants to search for.
1.2.6 Real-time Monitoring and Alerting

Vantage is a cost-effective solution that allows the administrator, from any location, to easily configure, manage, monitor and troubleshoot ZyXEL devices. For detailed information about the whole scenario, please refer to 1.2 A Scenario for CNM Application.

Monitoring (Device Online/Offline)

The administrator can check the status of every device belonging to Company A or Company B by clicking the Company_A icon or the Company_B icon in the OTV, then going to Monitor>Device Status. John/Tom can check the status of the devices in their own company by clicking Company_A/Company_B.

The Status of each device is on when the device is able to talk with the Vantage server. Managers can also get a quick view by checking the color of the device icon on the OTV. It will be green if the status is on. Different displays of the icon have different meanings; please check the User's Guide for the details.

If the communication between the devices and Vantage is good, the device icons turn green.
Alerting (E-mail Notification)

Vantage can send automatic e-mails to people for events that may warrant immediate attention. We can configure whom Vantage should automatically notify when an administrator performs a firmware upgrade, on device up/down, VPN up/down and device UTM service license expiry, and also on CNM related actions, including CNM license expiry, VRPT server status, and when the logs or alarms are purged by an administrator.

To achieve this, we should first configure an SMTP server for notifications. Go to CNM System Settings>Configuration>Servers, and the Servers configuration screen will be shown. We can configure these servers either while installing CNM or, after CNM is installed, in this screen.

We should know the SMTP server's IP or Domain Name, and a user account as Mail Sender with its Username and Password; notifications will not work in Vantage if these are incorrectly configured.
After the SMTP Server has been configured correctly, go to Notifications, and the notifications screen will be shown next. We can configure Device related notifications and CNM related notifications.

If the checkbox is checked for both Administrator and Device Owner, notification mails will be sent to them automatically when the event occurs. Administrator refers to all the accounts that have the management privilege for the devices. E.g. when a device in the group Company_A reboots, both the account root and John will receive the notification mail.

Please also note that if we want device related notifications to be sent to the administrators, we should first make sure Receive Alerts for Device is enabled. Go to Account Management>Group. Click the Edit button at the rear end of a group.
Make sure Receive Alerts for Device is checked.

Selecting the Device Owner check box will have an e-mail automatically sent to the selected device owner's address. We can add and edit device owners in CNM System Setting>Device Owner. This is in fact the Address Book in CNM 2.3 or below. If CNM 3.0 is upgraded from CNM 2.3, the Address Book in 2.3 will be migrated to the Device Owners in 3.0.

The device owners can be associated with specific devices. Right-click a device on the OTV, and select Edit Device. Choose a Device Owner in the drop-down list, and click Apply.
The notification mail contents can be edited by clicking the Edit button at the rear end of each column.

If we want the notification e-mails sent to other e-mail addresses, we can click the Edit button and enter the mail address in the CC field. If we want to enter multiple addresses, separate them by commas.
Jim set notifications for Device Reboot to be sent to administrators (all the accounts in the super group and A-admin group). So if the device reboots, the administrators and the device owner will get the notification e-mails as below. The mail shows detailed information about the time when the device rebooted, and the device's name, MAC address and device type.

Log & Reporting

The report function provides essential firewall traffic reports, identifies suspicious activities, monitors network activity, tracks bandwidth usage and reveals questionable web surfing. It allows you to see whether your network is experiencing a significant number of critical events. The Attacks reports list the suspicious activities, their frequencies and their sources. It also provides the bandwidth measurements needed to support a bandwidth budget tailored to your organization's needs.

To get the report in CNM, we should make sure the configuration of VRPT Management has been done, the VRPT server is available and the syslog settings on the devices have been set up correctly. For the detailed procedure for the VRPT server setup and the syslog settings on devices, please go to Set the VRPT Server for Devices and Device Configuration for Viewing Reports.
Viewing Report for Managed Devices

After the VRPT server is set up and the syslog settings on the devices are done, select a device on the OTV, and go to Log & Report>VRPT. Accept the alerting message, and then we will be linked to the VRPT server web page.

The current release and copyright for Vantage Report are shown on this screen.

Monitor is a special menu in VRPT for live monitoring according to the logs received during the last 60 minutes. Live monitor reports for Bandwidth and Service are shown as continuous curves because they are generated from traffic logs, while live reports for Attack, Intrusion, AntiVirus and AntiSpam are shown as discrete plots because they monitor event logs.

Bandwidth Report

One day the employees in Branch 1 of Company A complain that the company network is so bad that they cannot even send and receive e-mails properly. All the traffic goes through the A_BRN_ZW35. The administrator in Company M then goes to Vantage, checks the Bandwidth report for the ZyWALL 35 and takes some measures to resolve this problem. Below is a sample that shows how to check the bandwidth usage.
You need to enable the traffic log on the device. Right-click the device's icon, select EWC>HTTP to log in to the GUI configuration page (make sure firewall has been disabled), then go to Logs>Reports and enable Send Raw Traffic Statistics to Syslog Server for Analysis, so that you can get the bandwidth usage report in Vantage.

In Vantage, checking Traffic>Bandwidth>Top Hosts, the administrator finds the report below. It shows the user with IP address is on the top of the list.

Enter its drill-down menu to check further. It will show the top ten protocols by host as below.
Protocol type others accounts for a large amount of events and bandwidth. From all the symptoms, the administrator can infer that this user is downloading large files and that the protocol is not in the device's standard list. This kind of operation may consume a lot of NAT sessions (with a large number of events), which affects other users' normal usage. The administrator locates the problem host according to the direction of the bandwidth, and may find the definite root cause by setting a customized service. The administrator can add a firewall rule, with its direction set according to the bandwidth direction, to control the network condition.

The administrator can also go to the Traffic>Bandwidth>Top Protocols report for help.
Attack Report

The administrator can get the report for attacks on the devices in Company A, which we mentioned in Monitor>Device Alarm.

Note: To look at attack reports, each ZyXEL device must record DoS attacks in its log. See the User's Guide for each ZyXEL device for more information. In most devices, go to Logs > Log Settings, and make sure Attacks is enabled.

In the Attack Monitor report, the administrator can monitor the number of Denial-of-Service (DoS) attacks detected by the selected device's firewall. Please check the table below for the coordinate information of the report.

Attack Monitor Report

| Coordinate | Meaning | Unit |
|---|---|---|
| X axis | Lease time | Minute |
| Y axis | Number of the attacks | |

In the Attack Summary report, the administrator can look at the number of DoS attacks detected by time interval.

Click Settings. The Report Display Settings screen appears.
Select a specific Start Date and End Date. The date range can be up to 30 days long, but you cannot include days that are older than Store Log Days in System > General Configuration. Click Apply to update the report immediately, or click Cancel to close this screen without any changes.

In the sample report below, 10 attacks happened during 11:00 and 57 attacks happened during 13:00.

In the Attack Summary report, the administrator can look at the top sources of DoS attacks by the number of attacks the selected device stopped, and can block such IP addresses by adding firewall rules. Please notice the direction of the firewall rules.

Click on a source to look at the top categories of DoS attacks by the selected source. The Top Attack Sources Drill-Down report appears.

In the Attack>By Category report, the administrator can look at the top categories of DoS attacks the selected device stopped, by number of attacks.
Click on a category to look at the top sources of DoS attacks in the selected category. The Top Attack Categories Drill-Down report appears.

The user can search all the logs for attacks in Log Viewer>All Logs. Below is a sample log report about attacks for A_BRn_ZW

UTM Report

The administrator can get the security UTM report for Company A, which we mentioned in UTM Management. There are three UTM items (Intrusion, AntiVirus and AntiSpam) shown under the Monitor and Network Attack field.
Below are sample UTM reports (Intrusion, AntiVirus and AntiSpam) for A_BRN_ZW35. Please check the table below for the coordinate information of the report.

Intrusion/AntiVirus/AntiSpam Monitor Report

| Coordinate | Meaning |
|---|---|
| X-axis | Lease time |
| Y-axis | Number of the events |

The X axis of each report shows the lease time. The Y axis of each report shows the number of intrusions/viruses/spam detected each minute by the selected device's Intrusion/AntiVirus/AntiSpam feature.

Use the Intrusion Monitor report to monitor the number of intrusions detected by A_BRN_ZW
Use the AntiVirus Monitor report to monitor the number of virus occurrences prevented by A_BRN_ZW35.

Use the AntiSpam Monitor report to monitor the number of spam messages stopped by A_BRN_ZW

IDP Report

VRPT supports the intrusion report for ZyWALL with firmware version 4.0. It provides reports based on Top Intrusion, Top Sources (attacker), Top Destinations (victim) and Severity. These reports are under the Network Attack>Intrusion menu.

The following example illustrates an internal host that poses a network threat (e.g. infected by a Trojan or conducting DoS) and whose traffic passes through the device. VRPT obtains the syslogs from the device for analysis.
When the ZyWALL detects intrusion events, it generates syslog messages and forwards them to the VRPT server. With the report from Vantage, the system administrator can easily find the intrusion event and the source/destination of the network threat. The drill-down report of the Intrusion report allows the user to view the intrusion events by querying the intrusion signatures hit by the attacker. The user can also use a scheduled report as a reminder.
Here are some hints for the administrator to trace the intrusion.

Here Top means top ten, except for Top Severity. The advanced query (drill-down report) can be Top Intrusions/Top Sources/Top Destinations/By Severity. Below are the relationships between the basic query and the advanced query (drill-down report).

Top Intrusion (Signature) ----- Top Host
Top Sources ----- Top Signature
Top Destinations ----- Top Signature
Top Severity ----- Top Signature

Here Severity includes eight types. The table below shows the types with their meanings.

| Type | Meaning |
|---|---|
| Emergency | system is unusable |
| Alert | action must be taken immediately |
| Critical | critical conditions |
| Error | error conditions |
| Warning | warning conditions |
| Notice | normal but significant condition |
| Informational | informational messages |
| Debug | debug-level messages |

The administrator should add two firewall rules for the target source attacker, because VRPT does not show the direction of the intrusion (LAN to WAN or WAN to LAN). The attacker may be on the LAN side or the WAN side. For the Destination report, the administrator should focus on monitoring.

AntiVirus Report

Under the Network Attack>AntiVirus menu, the user can find the Top Viruses, Top Sources and Top Destinations reports. The administrator can monitor the top virus types and block such destinations and sources with firewall rules. See the sample below.

There's a top AV source with the IP address. The user can find the detailed AV type by checking the drill-down report. According to the information, the user can add a firewall rule to block such an IP address. But please still notice the firewall rule direction. The user should add both LAN to WAN and WAN to LAN directions.

AntiSpam Report
The AntiSpam report is especially for the ZyWALL 5/35/70 UTM AntiSpam feature. Using this kind of report, the administrator can trace the sender and source of the spam mail. The user can also determine the score threshold by checking the score report.

1. The administrator can block the senders if they are in the Top Senders report, or block such spam mail addresses by adding them to the blacklist.

2. For the Top Sources report, the administrator can block such IP addresses by adding firewall rules. Please still notice the direction of the rules, as in the Intrusion scenario.
3. The user can determine the score threshold for ZyWALL AntiSpam from the By Score report. When the AntiSpam function is enabled, the MailShell server returns a score for each e-mail passing through the ZyWALL. The score report shows each return score with its quantity. See the sample below. In the bar chart there are 16 e-mails with a return score in the 86 to 90 range and 26 e-mails with a return score in the 91 to 95 range. The administrator can then determine a reasonable score threshold to control the quantity of spam mail on the ZyWALL.

Configuring Schedule Report

Jim would like to get the schedule report for UTM in Company A and Company B in order to know the statistical status of their security. Vantage provides support for e-mailing and archiving daily, weekly and overtime reports. The user can create schedules for these reports (daily/weekly/overtime) for an individual device. VRPT will generate the reports and send them to the receiver as an e-mail according to the schedule, and the user can check them when convenient.

Note: To send scheduled reports by e-mail, we have to make sure a mail server is configured correctly for VRPT. Please refer to Set the VRPT Server for Devices, Step 3.

Step 1. Return to the CNM server's web configuration page and go to Schedule Report>>Schedule Reports to add schedule reports. There are three kinds of schedule reports (Daily & Weekly & Overtime) available.
Step 2. Design a customized configuration for the schedule report. Take the Overtime Report as an example. Go to Add Overtime Report.

For a scheduled report, the Destination E-mail address, E-mail Subject and E-mail Body need to be filled in first to configure the e-mail info for the user.

Choose the report type. There are two kinds of Report Type the user can choose: one is the HTML pattern and the other is the PDF pattern. The HTML pattern looks just like the one you can check on VRPT, so the user can take it as an offline VRPT report. You may include both of them in your scheduled report by choosing both in the drop-down menu.

Choose the time duration. The user should then choose a Start Date and End Date to give the time duration. For the Daily Report configuration there is no such feature, and for the Weekly Report there is the Day to Submit feature instead.

About the Include all data in a single report feature: this feature is currently only for the PDF pattern report. If you enable it, the scheduled report will contain all statistics in a single PDF file, which is easy to read. Otherwise, each item in the report list will form its own PDF file.

Finally, the user should choose the reports he/she wants from the Report List. Jim chooses all the items for UTM from the Report List.
Note: If you want to add a daily report, do not set the value for log storing days to 1, because the daily report covers log statistics from the time we set yesterday to the time we set today. If we set log store day=1, all the logs before 0:00 today will be deleted from the VRPT server, and we only get the report based on the logs from 0:00 today to the time we get the report.

The picture below shows a daily report sample received by the user.
Here the receiver Judy.Zhu, the subject Daily bandwidth report and the mail body Please check the daily bandwidth report generated by CNM match the Destination Address, Subject and Body under Schedule Reports>Schedule Reports.

All the customized reports are included in the .zip file with the name E8_DailyReport_ _2148.zip. And E8 denotes the MAC address of your device.

Note: In the .zip file, there's an index.html file. It is like the home page of the schedule report. The user can check all the reports that were selected by opening this file.

2 FAQ

2.1 Server Related FAQ

Where to download CNM software and patches?

CNM software and patches can be downloaded from or ftp://ftp.zyxel.com/vantage_cnm/software or ftp://ftp.zyxel.dk/vantage_cnm/software
2.1.2 How many types of license does ZyXEL offer?

ZyXEL provides six kinds of license for Vantage CNM; they are 10, 25, 50, 100, 300 and 1000 nodes. However, the user can combine any licenses to make the desired number of nodes. You can try the Vantage CNM service free; the trial period is 90 days and the max number of nodes it supports is 10, and

What OS does Vantage CNM server support?

CNM Server supports Windows XP Professional SP1/SP2, Windows 2000 SP4, Windows 2003 Server SP1 and Windows Vista English version. It doesn't support Linux so far.

What browser does Vantage CNM server support?

CNM Server supports IE version 6.0/7.0 or above and Firefox version 1.5 or above. Please disable the pop-up blocker in the browsers.

What is OTV (Object Tree View), Content Screen...etc?
2.1.6 Why can't I get complete OTV (Object Tree View)?

1. Please make sure the browser you're using is in the list of the supported browsers in question
2. Please check if flash player is installed on the client PC.
3. Please try to clear your browser's cache.

When I login to Vantage, I get this error message "HTTP Status No Context configured to process this request".

Make sure your Vantage server is already running first. When the Vantage service is ready, the icon on the system tray should turn blue. While it is still starting, the icon is green.

If you see this error message when connecting to the Vantage server, please make sure that you type the URL correctly, Server's IP:8080>. Please note that the URL is case sensitive.

My Internet Explorer (IE) does not trust the Certificate from Vantage server, should I trust it?

You should trust it in order to access the Vantage server.

How can I skip the warning message of Certificate when I login the CNM?

You can import a certificate issued by a trusted CA into your Vantage server; then it will not show the warning message. Please refer to the steps below:

1. Go to CNM System Setting>Certificate Management, click Create CSR, then input the certificate request information. In Common Name field, you should fill in a web address like It should not be your Vantage server's IP address.
2. Apply for a certificate from a trusted CA using the CSR you just created, then import the certificate into your Vantage server. If the certificate is imported successfully, you can see the detailed information of the certificate as below.
3. When you log in to the Vantage server for the first time after importing the certificate, you will still see the error message. Click the icon, and a warning window will be shown next.

Click View certificates, and install the certificate into your IE browser. If the certificate is imported successfully, the message will be shown as below:
4. Log out and then log in to the Vantage server again; you will not see the warning message.

Note: The Vantage server supports certificates in the PEM (Base-64) encoded X.509 format.

If my Vantage server is behind a NAT/Firewall router, and I would like to allow outsiders to connect Vantage server's management interface from Internet. What should I do?

Please make sure you have forwarded TCP port 8080 and 443 in the configuration of NAT and Firewall.

When accessing Vantage Server by Internet Explorer, why does my web browser shut down without any caution sometimes?

There are three possible causes:

1. Check that the IE version is 6.0 or later.
2. Lack of system resources. Please check whether system memory is sufficient on the Vantage server and the Vantage client. Please refer to the Vantage Quick Installation Guide for CPU/Memory requirements.
3. The pop-up window is killed by other applications. Some "advertisement killer" applications may kill the Vantage pop-up window. If there is an ad killer on your Vantage client system, please turn it off.

Why do I get the message Pop-up blocked when I try to login Vantage server?

In Windows XP SP2, pop-up windows are blocked by default, which might affect CNM at login. It will show a bar with the message as below. Right-click the bar and choose Always Allow Pop-ups from This Site.
Click Yes to confirm. Then the Vantage login window can pop up successfully.

Why can't I see the Reinstall button when I login my

Only the CNM Standard version can be un-installed; the CNM trial version can only be installed once.

2.2 Device Related FAQ

What device and f/w version is supported by Vantage CNM 3.0?

For more up-to-date information, please check the release note of each firmware release. Currently, this is the list.

| Device Model | Device F/W | New CNM 3.0 features | Reporting Function |
|---|---|---|---|
| USG 1000 | 2.00 | Only support basic agent function (registration, Configuration Backup/Restore, Firmware Upgrade, Log, Alarm) | Traffic Report, Attack Report, VPN Report, Web Usage Report, Log Report |
| USG 1000 | 2.01 and above | Same device configuration page as device's EWC (Device Operation); VPN Community | UTM Report, Traffic Report, Attack Report, VPN Report, Web Usage Report, Log Report |
| USG 300 | 2.00 | Only support basic agent function (registration, Configuration Backup/Restore, Firmware Upgrade, Log, Alarm) | Traffic Report, Attack Report, VPN Report, Web Usage Report, Log Report |
| USG 300 | 2.01 and above | Same device configuration page as device's EWC (Device Operation); VPN Community | UTM Report, Traffic Report, Attack Report, VPN Report, Web Usage Report, Log Report |
| ZW 1050 | 1.01, 2.00 | Only support basic agent function (registration, Configuration Backup/Restore, Firmware Upgrade, Log, Alarm) | Traffic Report, Attack Report, VPN Report, Web Usage Report, Log Report |
| ZW 1050 | 2.01 and above | Same device configuration page as device's EWC (Device Operation); VPN Community | UTM Report, Traffic Report, Attack Report, VPN Report, Web Usage Report, Log Report |
| ZW 70 | 3.65WM1 and above | Only support basic agent function (registration, Configuration Backup/Restore, Firmware Upgrade, Log, Alarm) | Traffic Report, Attack Report, VPN Report, Web Usage Report, Log Report |
| ZW 70 | 4.00, 4.01, 4.02, 4.03 and above | Same device configuration page as device's EWC (Device Operation); VPN Community | UTM Report, Traffic Report, Attack Report, VPN Report, Web Usage Report, Log Report |
| ZW | WZ5 and above | Only support basic agent function (registration, Configuration Backup/Restore, Firmware Upgrade, Log, Alarm) | Traffic Report, Attack Report, VPN Report, Web Usage Report, Log Report |
| ZW | 4.00, 4.01, 4.02, 4.03 and above | Same device configuration page as device's EWC (Device Operation); VPN Community | UTM Report, Traffic Report, Attack Report, VPN Report, Web Usage Report, Log Report |
| ZW 5 | 3.64XD5 and above | Only support basic agent function (registration, Configuration Backup/Restore, Firmware Upgrade, Log, Alarm) | Traffic Report, Attack Report, VPN Report, Web Usage Report, Log Report |
| ZW 5 | 4.00, 4.01, 4.02, 4.03 and above | Same device configuration page as device's EWC (Device Operation); VPN Community | UTM Report, Traffic Report, Attack Report, VPN Report, Web Usage Report, Log Report |
| ZW 2WG | 4.02, 4.03 and above | Same device configuration page as device's EWC (Device Operation); VPN Community | UTM Report, Traffic Report, Attack Report, VPN Report, Web Usage Report, Log Report |
| ZW | , 4.01, 4.02, 4.03 and above | Same device configuration page as device's EWC (Device Operation); VPN Community | UTM Report, Traffic Report, Attack Report, VPN Report, Web Usage Report, Log Report |
| ZW | | Same device configuration page as device's EWC (Device Operation); VPN Community | Attack Report, Web Usage Report, Log Report |
| P662HW | QR8 and 3.40QR9 | Same device configuration page as device's EWC (Device Operation); VPN Community | Attack Report, Web Usage Report, Log Report |
| P662H | QR8 and 3.40QR9 | Same device configuration page as device's EWC (Device Operation); VPN Community | Attack Report, Web Usage Report, Log Report |
| P662HW-D1 | 3.40AGZ3 to 3.40AGZ6 | Same device configuration page as device's EWC (Device Operation); VPN Community | Attack Report, Web Usage Report, Log Report |
| P662H-D1 | 3.40AGZ3 to 3.40AGZ6 | Same device configuration page as device's EWC (Device Operation); VPN Community | Attack Report, Web Usage Report, Log Report |
| P653HWI | | Same device configuration page as device's EWC (Device Operation); VPN Community | Attack Report, Web Usage Report, Log Report |
2.2.2 What is the max number of devices that Vantage CNM 3.0 supports?

At the time this document is composed, we recommend registering up to 1000 devices. For the most up-to-date information, please check the latest release note of Vantage CNM.

Which MAC address should I input when registering a device?

For ZyNOS devices, we should input the LAN MAC address, and for ZLD devices, we should input the smallest MAC address.

What should I do if I want to register hundreds of devices at one time?

Users can put all of the devices' MAC addresses, model types, model names, etc. in one XML file, and then import the XML file into Vantage: CNM System Setting>Maintenance>Device>Device List Import.

Where can I get examples of the XML files?

After you install Vantage on your system, you will find the XML file at this path: {Installed path}/ \conf\maint\deviceimport-example.xml. You can open this file with editor software. Note that XML fields must not contain a return character. For example, the following is forbidden:

<mac>00a0c544e2a7
</mac>

You must write the field on one line, like this:

<mac>00a0c544e2a7</mac>

On each device, we should enter Vantage Server's IP address as the manager IP, but how many management IPs can each device have?

One device should be under one CNM's management domain, so a device can have only one manager IP.
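For the device-import XML file described above, a pre-import check can catch the forbidden return character before the file reaches Vantage. The following is an added example, not part of the original note or ZyXEL's tooling; only the `<mac>` element comes from the page, while the other element names, the sample data, and the 12-hex-digit MAC format (taken from the page's one example) are assumptions.

```python
import re
import xml.etree.ElementTree as ET

# Assumption: MACs are 12 hex digits with no separators, as in the page's example.
MAC_RE = re.compile(r"^[0-9A-Fa-f]{12}$")

# Constructed sample. Only <mac> appears on the page; <devices>, <device> and
# <model> are hypothetical names used for illustration.
SAMPLE = """<devices>
  <device><mac>00a0c544e2a7</mac><model>ZW 5</model></device>
  <device><mac>00a0c544e2a8
</mac><model>ZW 70</model></device>
  <device><mac>00a0c544e2a7</mac><model>ZW 5</model></device>
  <device><mac>00:a0:c5:44:e2:a9</mac><model>ZW 5</model></device>
</devices>
"""


def lint_device_import(xml_text):
    """Return a list of (element path, problem) tuples for an import file."""
    # An operator-edited import file has no reason to carry a DTD; refusing it
    # also avoids entity-expansion surprises when parsing.
    if "<!DOCTYPE" in xml_text.upper():
        return [("document", "DOCTYPE declarations are not accepted")]
    try:
        root = ET.fromstring(xml_text)
    except ET.ParseError as exc:
        return [("document", f"not well-formed XML: {exc}")]

    problems = []
    seen_macs = {}  # normalised MAC -> path of first occurrence

    def walk(elem, path):
        children = list(elem)
        if not children:
            # Leaf element = a field. Its text must sit on one line.
            text = elem.text or ""
            if "\n" in text or "\r" in text:
                problems.append((path, "field contains a return character"))
            if elem.tag == "mac":
                mac = text.strip().lower()
                if not MAC_RE.match(mac):
                    problems.append((path, "MAC is not 12 hex digits"))
                elif mac in seen_macs:
                    problems.append((path, f"duplicate of {seen_macs[mac]}"))
                else:
                    seen_macs[mac] = path
        counts = {}
        for child in children:
            counts[child.tag] = counts.get(child.tag, 0) + 1
            walk(child, f"{path}/{child.tag}[{counts[child.tag]}]")

    walk(root, root.tag)
    return problems


if __name__ == "__main__":
    for path, problem in lint_device_import(SAMPLE):
        print(f"{path}: {problem}")
```

Whitespace between elements (indentation) is not flagged; only the text of leaf fields is checked.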
2.2.7 I have registered the MAC address of devices supported in the list, and done the activation on the device with cnm active 1 & cnm manageip xxxxx. But the device in OTV is gray, what should I do?

1. Make sure your F/W version is supported by the CNM version you use.
2. Make sure the routing between them has no problem.
3. Make sure the MAC address is the LAN MAC.
4. When you registered that model, confirm you chose the corresponding model type.
5. Make sure the working mode is the same on both sides: either no encryption on both, or encryption mode on both.

2.3 CNM Function Related FAQ

When an administrator in the SUPER group changes a user's profile in other groups, the access permission of this user should be changed. But what should be done to make the change effective?

Log out, then log in again. If the user is logged in and operating in the system, his template cannot be changed.

What's the difference between Log & Report>CNM Logs and Monitor>Device Alarm?

Monitor>Device Alarm shows device alerts (attacks). Log & Report>CNM Logs records normal operations such as add device, delete device, etc.

Why can't I receive the notification mails?

Step1. Go to CNM System Setting>Configuration>Servers, and check if the SMTP server is configured correctly.
Step2. Go to CNM System Setting>Notification, and check if sending notifications to Administrator or Device Owner is enabled.
Step3. If it is the administrator who can't receive notifications, please go to Account Management>Group. Click the Edit button at the end of the row of the group which the devices belong to, and check if Receive Alerts for Device is enabled.

What should I do if I configure something on a device and would like to synchronize these configurations to the settings on Vantage?

Select the device in the OTV, go to Device Operation>Configuration Management>Synchronization, then select "Device overwrites Vantage CNM". Once configuration is changed on the device by a local administrator through the console port, no information is sent to the CNM server. As a root manager, you should do the action mentioned above to synchronize. Therefore, when managing many devices at the same time, we should coordinate with each local administrator.

I can upload firmware from the Firmware Management page, but this firmware is not available in the Firmware Upgrade page. What's wrong?

Please make sure the firmware package (zip file) is downloaded from the ZyXEL public web site. The package should include 3 files:

*.xml  This file describes the product line, model name, version, and release date of this firmware package.
*.bin  The firmware file.
*.rom  The default configuration file for this firmware.

Please note the firmware package users download from the ZyXEL public web site also includes a release note in PDF. Users don't need to remove this file from the zip file. It won't affect Vantage's operation; Vantage will ignore it.
2.3.6 How can I see the report for a device?

To see the report for a specific device, select the device from the OTV tree and click the corresponding report. Please note that the device should be added to VRPT first. For more detailed information, please refer to Log & Reporting.

In OTV, a device is shown in green, but why is it shown with a status of off in the right window?

It's normal, because time is needed for the two sides to synchronize before the real status is shown. And vice versa, the status may be off in the right window but the icon gray on the left. Suggestion: before an operation, try to refresh the OTV with the refresh button at the bottom left.

Currently, my device is managed by the CNM server with no encrypt-mode, and it's green in OTV. If I want to use encrypt mode with the DES algorithm, what should I do?

You should use the same settings on both sides and reset the states on the devices. For example, select a device in the OTV, right click on the icon, and choose Edit device. In the edit screen, choose the algorithm you want. Here, I select DES. And key is

Note: after you apply it, this setting is not sent to the device to synchronize. It is used in the local database. Usually the CNM server uses a unique ID to tell the devices apart and uses that ID to query information for that device, including encryption mode and key. Then it decides whether to decrypt those packets to look up further information about it. Therefore, remember that the encryption settings here take effect only locally.
So, you have to change the configuration of your device. For example, if we adopt DES with , 3 commands should be executed in command line mode of the ZyWALL:

cnm encrymode 1
cnm encrykey
cnm reset

If I want to re-install the CNM but not lose my configuration, what should I do?

Use the backup feature in CNM System Setting>Maintenance. The backup file is a zip file that represents all backup data for the whole system, including database files (backup.sql & vrpt.sql), VRPT's schedule folder and the rom/log/firmware folder in Vantage FTP. Therefore, you can back up the configuration before reinstalling the CNM and then restore it to the CNM server.

Go to CNM System Setting>Maintenance>System and click the Backup button. On the following page, input a descriptive name and some descriptions (optional), and click Backup. The CNM system configuration will be backed up to the CNM server under the folder CNM\backup. It's a zip file.

Note: When the system does the backup, all other users will be kicked out. Administrator root should inform them before doing the backup.

After the backup is done, we can also download the backup file to our own PC by clicking the file name. Here, we suggest using To your Computer. Otherwise, when uninstalling the CNM, those folders and files will be deleted.
When we want to reinstall the CNM server, the procedure should be like the following:

1. Re-install
2. Re-activate
3. Restore the backed-up file in CNM System Setting>Maintenance. First upload the configuration file to the CNM server, then click the Restore button at the end of the row of the uploaded configuration file.

I have registered the MAC address of devices supported in the list, and done the activation on the device with cnm active 1 & cnm manageip xxxxx. But the device in OTV is gray, what should I do?

1. Make sure your F/W version is supported by the CNM version you use.
2. Make sure the routing between them has no problem.
3. Make sure the MAC address is the LAN MAC.
4. When you registered that model, confirm you chose the corresponding model type.
5. Make sure the working mode is the same on both sides: either no encryption on both, or encryption mode on both.

Why is the configuration between device & CNM not consistent with each other?

Once configuration is changed on the device by a local administrator through the console port, no information is sent to the CNM server. As a root manager, you should synchronize by using Device Operation>Configuration Management>Synchronization>Device Overwrites Vantage CNM. Therefore, when managing many devices at the same time, we should coordinate with each local administrator.

Where can I change the number of days in report>bandwidth>summary?

Here, you can select from 1~7.
And if you want to increase the number, go to CNM System Setting>Configuration>VRPT management. Click on the name of the VRPT server, and a VRPT server general configuration page will pop up. Please go to System>General Configuration. There, the number of Stored Log Days is consistent with the number of days for which you can get a summary like the one above.

Where can I create a one-time report?

Go to Log & Report>VRPT, and you can see the Vantage Report screen as shown next. The current release and copyright for Vantage Report are shown on this screen.
Then go to Schedule Report>Summary>Add Daily Report. For more information, please refer to Configuring Schedule Report.

The VPN Community supports three kinds of community: Full Mesh, Hub & Spoke, and Remote Access. What if I want to build a community which mixes the three modes, for example, part of the gateways are to build a Full Mesh community and the rest are to build a Hub & Spoke community?

CNM 3.0 doesn't support a mixed mode VPN community. In this case, we suggest dividing the gateways into two communities: one built with Full Mesh mode, and the other built with Hub & Spoke mode.

I'm getting the alert warning that VRPT is receiving too many logs from one of my devices. What should I do?

When VRPT has received more than 10,000,000 logs from a specific device, it will send out an alert to the administrator.
An example:

The log number of the device ( F92B) is over 10,000,000 and up to 10,903,835. This will degrade the performance of VRPT. Please check the log setting of these devices and change the log setting to decrease the logs sent by these device if necessary. Or reduce "Stored Log Days" through System>General Configuration on UI. VRPT will continue receiving the logs sent by these devices.

In this case, please follow the steps below to check this problem.

Step 1. Please go to CNM System Setting>Configuration>VRPT Management, and click the hyperlink on the name of the VRPT server.

Step 2. The VRPT general configuration page will show. Please go to General Configuration>Log Receiver>By Day (Summary) to check if the VRPT server is receiving too many logs every day. Then go to Log Receiver>By Device to check how many logs the VRPT server has received from that specific device.

Step 3. Please go to System>General Configuration and reduce the Stored Log Days.
151 Step 4. Please go to the device s web GUI, and check if there re unwanted logs enabled. For example, we don t want the ICMP logs to be recorded and sent to VRPT server, but there is this kind of log recorded. Step 5. Please go to that device s log settings, Device Operation>Device Configuration>Device Log, and remove the unwanted logs. 3 Trouble Shooting 151
3.1 Trouble between Vantage Server & Client

Step1. Check if your browser is in the list of supported browsers. Please refer to FAQ 2.4 "What browser does Vantage CNM server support?".

Step2. Check if the routing between Server & Client is ok. If Vantage is behind a NAT router, you should forward TCP port 8080 and 443.

Step3. Collect logs from Vantage Server from "<Installed folder>\logs\".

3.2 Trouble between Vantage Server & ZyXEL devices

Step1. Check that packets can be sent between Vantage & devices. If Vantage is behind a NAT router, then you should forward UDP port 1864, 11864, 8080 and 443, so that the CNM server can be accessed from outside.

Step2. Check if the encryption mode & encryption key configurations are the same on both Vantage Server & devices.

Step3. Check the firmware version of the devices to make sure it supports Vantage Server's current version.

Step4. Collect logs for technical support's reference.

Device:
1. Use a terminal program to access the ZyWALL via console.
2. Use sys baud 5 to set console speed to
3. Turn on CNM debugging in SMT Menu 24.8 by cnm debug 1.
4. Save the dumps into one file.

Server:
Collect Vantage server's logs from {installed folder}\logs\

3.3 Trouble between Vantage Server & Vantage Report

Step1. If the CNM and VRPT are installed on different servers, make sure the routing between the Vantage CNM & VRPT server is ok.

Step2. If the CNM and VRPT are both behind the same NAT gateway, please check the NAT port forwarding rule and firewall rule, and if the NAT gateway is a ZyNOS device, please check if ip nat loopback is enabled. For more details please refer to Deployment Scenario.

3.4 Trouble in migration

Step1. Check if CNM has been stopped.

Step2. Check if the CNM version is 2.3 major or 2.3 patch 1.

Step3. Check if one or more of the ports are occupied (1864, 11864, 8080, 443, 3306, and 3305). Usually, the Web server and SQL server will take these ports.

Step4. Check if the free disk space in the destination folder is larger than 600M.

Step5. If the data migration fails, send the log {installed folder}\upgradelog to Zyxel support.
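Steps 3 and 4 of the migration checklist above can be run as a preflight script before starting the upgrade. This is an added example, not ZyXEL's code: it tries to bind each listed port over both TCP and UDP and checks free space in the destination folder. Probing both protocols and reading "600M" as 600 MiB are assumptions; Steps 1 and 2 are not covered.

```python
import errno
import shutil
import socket

# Ports listed in Step3 of "Trouble in migration".
MIGRATION_PORTS = (1864, 11864, 8080, 443, 3306, 3305)
# Step4 says "larger than 600M"; treated here as 600 MiB (assumption).
MIN_FREE_BYTES = 600 * 1024 * 1024
# The page does not say which protocol each port uses in this step,
# so every port is probed on both (assumption).
PROTOCOLS = (("tcp", socket.SOCK_STREAM), ("udp", socket.SOCK_DGRAM))


def port_state(port, kind, host="0.0.0.0"):
    """Try to bind the port and report 'free', 'occupied' or 'unknown'.

    'unknown' covers errors other than address-in-use, for example a
    non-privileged user being refused a port below 1024. That is not proof
    the port is free, so it is reported separately instead of being ignored.
    """
    with socket.socket(socket.AF_INET, kind) as sock:
        try:
            sock.bind((host, port))
        except OSError as exc:
            if exc.errno == errno.EADDRINUSE:
                return "occupied"
            return "unknown"
    return "free"


def preflight(dest_folder, ports=MIGRATION_PORTS, probe=port_state,
              disk_usage=shutil.disk_usage):
    """Run the port and disk-space checks; return a report dictionary."""
    occupied, unknown = [], []
    for port in ports:
        for name, kind in PROTOCOLS:
            state = probe(port, kind)
            if state == "occupied":
                occupied.append((port, name))
            elif state == "unknown":
                unknown.append((port, name))
    free = disk_usage(dest_folder).free
    disk_ok = free > MIN_FREE_BYTES  # "larger than", so exactly 600M fails
    return {
        "occupied": occupied,
        "unknown": unknown,
        "free_bytes": free,
        "disk_ok": disk_ok,
        "ok": disk_ok and not occupied and not unknown,
    }


if __name__ == "__main__":
    report = preflight(".")  # "." stands in for the destination folder
    for port, proto in report["occupied"]:
        print(f"port {port}/{proto} is occupied")
    for port, proto in report["unknown"]:
        print(f"port {port}/{proto} could not be checked (run as administrator?)")
    print(f"free space: {report['free_bytes'] // (1024 * 1024)} MiB, "
          f"{'ok' if report['disk_ok'] else 'too small'}")
    print("ready to migrate" if report["ok"] else "fix the items above first")
```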
Installing, Uninstalling, and Upgrading Service Monitor
CHAPTER 2 Installing, Uninstalling, and Upgrading Service Monitor This section contains the following topics: Preparing to Install Service Monitor, page 2-1 Installing Cisco Unified Service Monitor, page
UIP1868P User Interface Guide
UIP1868P User Interface Guide (Firmware version 0.13.4 and later) V1.1 Monday, July 8, 2005 Table of Contents Opening the UIP1868P's Configuration Utility... 3 Connecting to Your Broadband Modem... 4 Setting
c. Securely insert the Ethernet cable from your cable or DSL modem into the Internet port (B) on the WGT634U. Broadband modem
Start Here Follow these instructions to set up your router. Verify That Basic Requirements Are Met Assure that the following requirements are met: You have your broadband Internet service settings handy.
Online Backup Client User Manual
For Linux distributions Software version 4.1.7 Version 2.0 Disclaimer This document is compiled with the greatest possible care. However, errors might have been introduced caused by human mistakes or by
How To Check If Your Router Is Working Properly On A Nr854T Router (Wnr854) On A Pc Or Mac) On Your Computer Or Ipad (Netbook) On An Ipad Or Ipa (Networking
Chapter 7 Using Network Monitoring Tools This chapter describes how to use the maintenance features of your RangeMax NEXT Wireless Router WNR854T. These features can be found by clicking on the Maintenance
How To Install An Aneka Cloud On A Windows 7 Computer (For Free)
MANJRASOFT PTY LTD Aneka 3.0 Manjrasoft 5/13/2013 This document describes in detail the steps involved in installing and configuring an Aneka Cloud. It covers the prerequisites for the installation, the
How To Check If Your Router Is Working Properly
Chapter 6 Using Network Monitoring Tools This chapter describes how to use the maintenance features of your RangeMax Dual Band Wireless-N Router WNDR3300. You can access these features by selecting the
Installation and Deployment
Installation and Deployment Help Documentation This document was auto-created from web content and is subject to change at any time. Copyright (c) 2016 SmarterTools Inc. Installation and Deployment SmarterStats
Backup & Disaster Recovery Appliance User Guide
Built on the Intel Hybrid Cloud Platform Backup & Disaster Recovery Appliance User Guide Order Number: G68664-001 Rev 1.0 June 22, 2012 Contents Registering the BDR Appliance... 4 Step 1: Register the
Virtual Appliance Setup Guide
The Virtual Appliance includes the same powerful technology and simple Web based user interface found on the Barracuda Web Application Firewall hardware appliance. It is designed for easy deployment on
1.6 HOW-TO GUIDELINES
Version 1.6 HOW-TO GUIDELINES Setting Up a RADIUS Server Stonesoft Corp. Itälahdenkatu 22A, FIN-00210 Helsinki Finland Tel. +358 (9) 4767 11 Fax. +358 (9) 4767 1234 email: [email protected] Copyright
Quick Start Guide v1.0
Quick Start Guide v1.0 Table of contents : 01. Quick Start Guide...03 O2. Configuring your VoIPOffice appliance...14 03. Adding a VoIPtalk trunk...21 04. Configuring UADs for use with VoIPOffice...25 05.
Installing GFI MailSecurity
Installing GFI MailSecurity Introduction This chapter explains how to install and configure GFI MailSecurity. You can install GFI MailSecurity directly on your mail server or you can choose to install
LifeSize Control TM Deployment Guide
LifeSize Control TM Deployment Guide July 2011 LifeSize Control Deployment Guide 2 LifeSize Control This guide is for network administrators who use LifeSize Control to manage video and voice communications
VPOP3 Your email post office Getting Started Guide
VPOP3 Your email post office Getting Started Guide VPOP3 Getting Started Guide, version 2.1 1 Copyright Statement This manual is proprietary information of Paul Smith Computer Services and is not to be
DESLock+ Basic Setup Guide Version 1.20, rev: June 9th 2014
DESLock+ Basic Setup Guide Version 1.20, rev: June 9th 2014 Contents Overview... 2 System requirements:... 2 Before installing... 3 Download and installation... 3 Configure DESLock+ Enterprise Server...
Chapter 2 Connecting the FVX538 to the Internet
Chapter 2 Connecting the FVX538 to the Internet Typically, six steps are required to complete the basic connection of your firewall. Setting up VPN tunnels are covered in Chapter 5, Virtual Private Networking.
Storage Sync for Hyper-V. Installation Guide for Microsoft Hyper-V
Installation Guide for Microsoft Hyper-V Egnyte Inc. 1890 N. Shoreline Blvd. Mountain View, CA 94043, USA Phone: 877-7EGNYTE (877-734-6983) www.egnyte.com 2013 by Egnyte Inc. All rights reserved. Revised
Migrating helpdesk to a new server
Migrating helpdesk to a new server Table of Contents 1. Helpdesk Migration... 2 Configure Virtual Web on IIS 6 Windows 2003 Server:... 2 Role Services required on IIS 7 Windows 2008 / 2012 Server:... 2
WebSpy Vantage Ultimate 2.2 Web Module Administrators Guide
WebSpy Vantage Ultimate 2.2 Web Module Administrators Guide This document is intended to help you get started using WebSpy Vantage Ultimate and the Web Module. For more detailed information, please see
