ZyWALL 5/35/70 Series Internet Security Appliance User’s Guide Version 4.
Copyright
Copyright © 2005 by ZyXEL Communications Corporation. The contents of this publication may not be reproduced in any part or as a whole, transcribed, stored in a retrieval system, translated into any language, or transmitted in any form or by any means, electronic, mechanical, magnetic, optical, chemical, photocopying, manual, or otherwise, without the prior written permission of ZyXEL Communications Corporation. Published by ZyXEL Communications Corporation.
Federal Communications Commission (FCC) Interference Statement
This device complies with Part 15 of FCC rules. Operation is subject to the following two conditions:
• This device may not cause harmful interference.
• This device must accept any interference received, including interference that may cause undesired operations.
This equipment has been tested and found to comply with the limits for a Class B digital device pursuant to Part 15 of the FCC Rules.
Safety Warnings
For your safety, be sure to read and follow all warning notices and instructions.
• Do NOT open the device or unit. Opening or removing covers can expose you to dangerous high voltage points or other risks. ONLY qualified service personnel can service the device. Please contact your vendor for further information.
• Connect the power cord to the right supply voltage (110V AC in North America or 230V AC in Europe).
ZyXEL Limited Warranty
ZyXEL warrants to the original end user (purchaser) that this product is free from any defects in materials or workmanship for a period of up to two years from the date of purchase.
Customer Support
Please have the following information ready when you contact customer support.
• Product model and serial number.
• Warranty Information.
• Date that you received your device.
• Brief description of the problem and the steps you took to solve it.
Contact methods listed per location: support e-mail, telephone, web site, sales e-mail, fax, FTP site and regular mail. Locations listed: Corporate Headquarters (Worldwide), Czech Republic, Denmark, Finland, Poland, Russia, Spain, Sweden and Ukraine.
Support e-mail: support@zyxel.com
Poland: info@pl.zyxel.com; +48-22-5286603; www.pl.zyxel.com; ZyXEL Communications, ul. Emilli Plater 53, 00-113 Warszawa, Poland
Russia: www.zyxel.ru; ZyXEL Russia, Ostrovityanova 37a Str., Moscow, 117279, Russia
Spain: www.zyxel.es; ZyXEL Communications, Alejandro Villegas 33 1º, 28043 Madrid, Spain
Sweden: www.zyxel.se; ZyXEL Communications A/S, Sjöporten 4, 41764 Göteborg, Sweden
Ukraine: www.ua.zyxel.com; ZyXEL Ukraine, 13, Pimonenko Str.
Table of Contents
Copyright
Federal Communications Commission (FCC) Interference Statement
Safety Warnings
ZyXEL Limited Warranty
Chapter 3 Wizard Setup
  3.1 Wizard Setup Overview
  3.2.1 ISP Parameters
  3.2.1.1 Ethernet
  7.4.2 Weighted Round Robin
  7.4.3 Spillover
  7.5 TCP/IP Priority (Metric)
  7.7 Configuring Load Balancing
  7.7.1 Least Load First
  9.11.2 Encryption
  9.12 WPA-PSK Application Example
  9.13 Introduction to RADIUS
  9.14 WPA with RADIUS Application Example
  9.15 Wireless Client WPA Supplicants
Chapter 11 Firewall Screens
  11.1 Access Methods
  11.2 Firewall Policies Overview
  11.3 Rule Logic Overview
  13.3.3 Signature Actions
  13.3.4 Configuring IDP Signatures
  13.3.5.1 Query Example 1
  13.3.5.2 Query Example 2
  13.4.1 mySecurity Zone
  16.6.2 Full Path URL Checking
  16.6.3 File Name URL Checking
Chapter 17 Content Filtering Reports
  17.1 Checking Content Filtering Activation
  19.7 ID Type and Content
  19.7.1 ID Type and Content Examples
  19.8 IKE Phases
  19.8.1 Negotiation Mode
  19.8.2 Pre-Shared Key
  22.5.1 Default Server IP Address
  22.5.2 Port Forwarding: Services and Port Numbers
  22.5.3 Configuring Servers Behind Port Forwarding (Example)
  22.5.4 NAT and Multiple WAN
  22.5.5 Port Translation
  26.5 Name Server Record
  26.5.1 Private DNS Server
  26.6 System Screen
  26.8 Configure DNS Cache
  26.10.1 DYNDNS Wildcard
  28.5 Using UPnP in Windows XP Example
  28.5.1 Auto-discover Your UPnP-enabled Network Device
  28.5.2 Web Configurator Easy Access
Chapter 29 ALG Screen
  29.1.1 ALG and NAT
Chapter 32 Introducing the SMT
  32.1 Introduction to the SMT
  32.2 Accessing the SMT via the Console Port
  32.2.1 Initial Screen
  36.2 Ethernet Encapsulation
  36.3 Configuring the PPTP Client
  36.4 Configuring the PPPoE Client
  36.5 Basic Setup Complete
Chapter 37 DMZ Setup
Chapter 41 IP Static Route Setup
  41.1 IP Static Route Setup
Chapter 42 Network Address Translation (NAT)
  42.1 Using NAT
Chapter 45 SNMP Configuration
  45.1 SNMP Configuration
  45.2 SNMP Traps
Chapter 46 System Information & Diagnosis
  47.5.6 TFTP Upload Command Example
  47.5.7 Uploading Via Console Port
  47.5.8 Uploading Firmware File Via Console Port
  47.5.9 Example Xmodem Firmware Upload Using HyperTerminal
  47.5.10 Uploading Configuration File Via Console Port
  52.5.1.3 Java Permissions
  52.6 Packet Flow
Appendix A Product Specifications
Appendix B Hardware Installation
Certificates Commands
Appendix Q Brute-Force Password Guessing Protection
Appendix R Boot Commands
Appendix S Log Descriptions
List of Figures
Figure 1 Secure Internet Access via Cable, DSL or Wireless Modem
Figure 2 VPN Application
Figure 3 ZyWALL 70 Front Panel
Figure 4 ZyWALL 35 Front Panel
Figure 39 WLAN Port Role Example
Figure 40 LAN Port Roles
Figure 41 Port Roles Change Complete
Figure 42 Bridge Loop: Bridge Connected to Wired LAN
Figure 82 Wireless Card: WPA-PSK
Figure 83 Wireless Card: WPA
Figure 84 Wireless Card: 802.1x + Dynamic WEP
Figure 85 Wireless Card: 802.1x + Static WEP
Figure 125 Anti-Spam: General
Figure 126 Anti-Spam: External DB
Figure 127 Anti-Spam: Lists
Figure 128 Anti-Spam Rule Edit
Figure 168 Trusted Remote Hosts
Figure 169 Remote Host Certificates
Figure 170 Certificate Details
Figure 171 Trusted Remote Host Import
Figure 211 Login Screen (Internet Explorer)
Figure 212 Login Screen (Netscape)
Figure 213 Replace Certificate
Figure 214 Device-specific Certificate
Figure 254 Firmware Upload In Process
Figure 255 Network Temporarily Disconnected
Figure 256 Firmware Upload Error
Figure 257 Backup and Restore
Figure 297 Menu 6.3: Route Failover
Figure 298 Menu 7.1: Wireless Setup
Figure 299 Menu 7.1.1: WLAN MAC Address Filter
Figure 300 Menu 7: WLAN Setup
Figure 339 Menu 21.2: Firewall Setup
Figure 340 Outgoing Packet Filtering Process
Figure 341 Filter Rule Process
Figure 342 Menu 21: Filter and Firewall Setup
Figure 382 Example Xmodem Upload
Figure 383 Menu 24.7.2 As Seen Using the Console Port
Figure 384 Example Xmodem Upload
Figure 385 Command Mode in Menu 24
Figure 425 Windows XP: Advanced TCP/IP Properties
Figure 426 Windows XP: Internet Protocol (TCP/IP) Properties
Figure 427 Macintosh OS 8/9: Apple Menu
Figure 428 Macintosh OS 8/9: TCP/IP
Figure 468 Headquarters Network Policy Edit
Figure 469 Branch Office Network Policy Edit
Figure 470 VPN Rule Configured
Figure 471 VPN Dial
List of Tables
Table 1 Model Specific Features
Table 2 Front Panel LEDs
Table 3 Web Configurator HOME Screen in Router Mode
Table 4 Web Configurator HOME Screen in Bridge Mode
Table 39 WAN: Ethernet Encapsulation
Table 40 WAN: PPPoE Encapsulation
Table 41 WAN: PPTP Encapsulation
Table 42 Traffic Redirect
Table 82 Common Computer Virus Types
Table 83 Anti-Virus: General
Table 84 Anti-Virus: Update
Table 85 Anti-Spam: General
Table 125 NAT Mapping Types
Table 126 NAT Overview
Table 127 NAT Address Mapping
Table 128 NAT Address Mapping Edit
Table 168 Web Site Hits Report
Table 169 Protocol/Port Report
Table 170 Host IP Address Report
Table 171 Report Specifications
Table 211 Remote Node Network Layer Options Menu Fields
Table 212 Menu 11.1.5: Traffic Redirect Setup
Table 213 Menu 12.1: Edit IP Static Route
Table 214 Applying NAT in Menus 4 & 11.1.2
Table 254 Classes of IP Addresses
Table 255 Allowed IP Address Range By Class
Table 256 “Natural” Masks
Table 257 Alternative Subnet Mask Notation
Table 297 AS Logs
Table 298 Syslog Logs
Table 299 RFC-2408 ISAKMP Payload Types
Preface
Congratulations on your purchase of the ZyWALL.
Note: Register your product online to receive e-mail notices of firmware upgrades and information at www.zyxel.com for global products, or at www.us.zyxel.com for North American products.
Your ZyWALL is easy to install and configure.
About This User's Guide
This manual is designed to guide you through the configuration of your ZyWALL for its various applications.
Syntax Conventions
• “Enter” means for you to type one or more characters. “Select” or “Choose” means for you to use one of the predefined choices.
• The SMT menu titles and labels are in Bold Times New Roman font. Predefined field choices are in Bold Arial font. Command and arrow keys are enclosed in square brackets. [ENTER] means the Enter, or carriage return key; [ESC] means the Escape key and [SPACE BAR] means the Space Bar.
CHAPTER 1 Getting to Know Your ZyWALL
This chapter introduces the main features and applications of the ZyWALL.
1.1 ZyWALL Internet Security Appliance Overview
The ZyWALL is loaded with security features including VPN, firewall, content filtering, anti-spam, IDP (Intrusion Detection and Prevention), anti-virus and certificates. The ZyWALL’s De-Militarized Zone (DMZ) increases LAN security by providing separate ports for connecting publicly accessible servers.
Table Key: An O in a mode’s column shows that the device mode has the specified feature. The information in this table was correct at the time of writing, although it may be subject to change.
1.2.1 Physical Features
LAN Port
The 10/100 Mbps auto-negotiating Ethernet LAN port allows the ZyWALL to detect the speed of incoming transmissions and adjust appropriately without manual intervention.
Time and Date
The ZyWALL allows you to get the current time and date from an external server when you turn on your ZyWALL. You can also set the time manually. The Real Time Chip (RTC) keeps track of the time and date.
Reset Button
Use the reset button to restore the factory default password to 1234; IP address to 192.168.1.1, subnet mask to 255.255.255.0 and DHCP server enabled with a pool of 32 IP addresses starting at 192.168.1.33. Because a reset also restores the well-known default password, change it before the device is reachable from any untrusted network.
Bandwidth Management
Bandwidth management allows you to allocate network resources according to defined policies. This policy-based bandwidth allocation helps your network to better handle real-time applications such as Voice-over-IP (VoIP).
Content Filtering
The ZyWALL can block web features such as ActiveX controls, Java applets and cookies, as well as disable web proxies. The ZyWALL can block or allow access to web sites that you specify. The ZyWALL can also block access to web sites containing keywords that you specify. You can define time periods and days during which content filtering is enabled and include or exclude a range of users on the LAN from content filtering.
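The decision logic behind the content filtering feature described above, written out as an added example (this is not ZyXEL firmware code and the ZyWALL’s own evaluation order is not documented on this page). Assumptions, labelled in the code: the list of sites to allow takes precedence over the list of sites to block, which takes precedence over keyword matching; the schedule is a daily time window on selected weekdays; and the excluded LAN range is given as a subnet. All policies, addresses and URLs are constructed sample data.

```python
"""Content-filter decision logic modelled on the ZyWALL feature description.

Added example, not ZyXEL code. Assumed semantics (the page does not spell
them out): trusted sites win over forbidden sites, which win over keyword
matching; filtering is active only inside the configured daily window on the
configured days; clients in an exempt LAN range bypass filtering entirely.
"""
from dataclasses import dataclass, field
from datetime import datetime, time
from ipaddress import IPv4Address, IPv4Network
from typing import FrozenSet, Optional, Set, Tuple
from urllib.parse import urlparse

WEEKDAYS = frozenset(range(5))  # Monday=0 .. Friday=4 (constructed default)


@dataclass
class ContentFilterPolicy:
    enabled: bool = True
    days: FrozenSet[int] = WEEKDAYS
    start: time = time(8, 0)
    end: time = time(18, 0)
    exempt_lan: Optional[IPv4Network] = None   # clients that bypass filtering
    trusted_sites: Set[str] = field(default_factory=set)    # always allowed
    forbidden_sites: Set[str] = field(default_factory=set)  # always blocked
    keywords: Set[str] = field(default_factory=set)         # blocked if found in URL


def host_matches(host: str, pattern: str) -> bool:
    """'example.com' matches itself and its subdomains; '*.example.com' subdomains only."""
    host = host.lower().rstrip(".")
    pattern = pattern.lower().rstrip(".")
    if pattern.startswith("*."):
        return host.endswith(pattern[1:])
    return host == pattern or host.endswith("." + pattern)


def in_schedule(policy: ContentFilterPolicy, when: datetime) -> bool:
    """True when filtering is active: an enabled weekday and inside the daily window."""
    if when.weekday() not in policy.days:
        return False
    now = when.time()
    if policy.start <= policy.end:
        return policy.start <= now < policy.end
    return now >= policy.start or now < policy.end   # window crosses midnight


def decide(policy: ContentFilterPolicy, client_ip: str, url: str,
           when: datetime) -> Tuple[str, str]:
    """Return ('allow' | 'block', reason) for one web request."""
    if not policy.enabled or not in_schedule(policy, when):
        return "allow", "filter inactive"
    if policy.exempt_lan is not None and IPv4Address(client_ip) in policy.exempt_lan:
        return "allow", "client exempt"
    parsed = urlparse(url if "://" in url else "http://" + url)
    host = parsed.hostname or ""
    if any(host_matches(host, p) for p in policy.trusted_sites):
        return "allow", "trusted site"
    if any(host_matches(host, p) for p in policy.forbidden_sites):
        return "block", "forbidden site"
    # Keyword check covers host, path and query string of the requested URL.
    haystack = f"{host}{parsed.path}?{parsed.query}".lower()
    for keyword in sorted(policy.keywords):
        if keyword.lower() in haystack:
            return "block", f"keyword '{keyword}'"
    return "allow", "no rule matched"


if __name__ == "__main__":
    # Constructed sample policy and requests; 2024-03-05 is a Tuesday.
    policy = ContentFilterPolicy(
        exempt_lan=IPv4Network("192.168.1.32/27"),
        trusted_sites={"intranet.example.com"},
        forbidden_sites={"games.example.net"},
        keywords={"casino"},
    )
    tuesday_10h = datetime(2024, 3, 5, 10, 30)
    for ip, url in [("192.168.1.100", "http://games.example.net/play"),
                    ("192.168.1.40", "http://games.example.net/play"),
                    ("192.168.1.100", "http://shop.example.org/casino/offers"),
                    ("192.168.1.100", "https://intranet.example.com/casino")]:
        print(ip, url, decide(policy, ip, url, tuesday_10h))
```

One caveat for any gateway-based URL filter, including this model: the path and query string are only visible for plaintext HTTP. For HTTPS the gateway sees at most the host name, so keyword and full-path rules cannot fire on encrypted requests, and the site lists are the only controls that still apply.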
IEEE 802.1x for Network Security
The ZyWALL supports the IEEE 802.1x standard that works with the IEEE 802.11 to enhance user authentication. With the local user profile, the ZyWALL allows you to configure up to 32 user profiles without a network authentication server. In addition, centralized user and accounting management is possible on an optional network authentication server.
Wi-Fi Protected Access
Wi-Fi Protected Access (WPA) is a subset of the IEEE 802.
Dynamic DNS Support
With Dynamic DNS (Domain Name System) support, you can have a static hostname alias for a dynamic IP address, allowing the host to be more easily accessible from various locations on the Internet. You must register for this service with a Dynamic DNS service provider.
IP Multicast
Deliver IP packets to a specific group of hosts using IP multicast. IGMP (Internet Group Management Protocol) is the protocol used to support multicast groups.
Traffic Redirect
Traffic Redirect forwards WAN traffic to a backup gateway on the LAN when the ZyWALL cannot connect to the Internet, thus acting as an auxiliary backup when your regular WAN connection fails.
Port Forwarding
Use this feature to forward incoming service requests to a server on your local network. You may enter a single port number or a range of port numbers to be forwarded, and the local IP address of the desired server.
1.3 Applications for the ZyWALL
Here are some examples of what you can do with your ZyWALL.
1.3.1 Secure Broadband Internet Access via Cable or DSL Modem
You can connect a cable, DSL or wireless modem to the ZyWALL for broadband Internet access via the Ethernet or wireless port on the modem. The ZyWALL provides not only high speed Internet access, but secure internal network protection and traffic management as well.
Figure 2 VPN Application
The following table describes the LEDs.
Table 2 Front Panel LEDs
LED          COLOR   STATUS     DESCRIPTION
Power                Off        The ZyWALL is turned off.
             Green   On         The ZyWALL is turned on.
             Red     On         The power to the ZyWALL is too low.
SYS          Green   Off        The ZyWALL is not ready or has failed.
             Green   On         The ZyWALL is ready and running.
             Green   Flashing   The ZyWALL is restarting.
Backup port          Off        The backup port is not connected.
                     Flashing   The backup port is sending or receiving packets.
CHAPTER 2 Introducing the Web Configurator
This chapter describes how to access the ZyWALL web configurator and provides an overview of its screens.
2.1 Web Configurator Overview
The web configurator is an HTML-based management interface that allows easy ZyWALL setup and management via Internet browser. Use Internet Explorer 6.0 and later or Netscape Navigator 7.0 and later versions. The recommended screen resolution is 1024 by 768 pixels.
Figure 6 Change Password Screen
6 Click Apply in the Replace Certificate screen to create a certificate using your ZyWALL’s MAC address that will be specific to this device. The default certificate is not specific to this unit, so until it is replaced your browser has no way to tell this ZyWALL apart from any other one presenting the same default; the device-specific certificate is the one you should trust in your browser.
Note: If you do not replace the default certificate here or in the CERTIFICATES screen, this screen displays every time you access the web configurator.
Figure 7 Replace Certificate Screen
7 You should now see the HOME screen (see Figure 9 on page 65).
2.3.1 Procedure To Use The Reset Button
Make sure the SYS LED is on (not blinking) before you begin this procedure.
1 Press the RESET button for ten seconds, and then release it. If the SYS LED begins to blink, the defaults have been restored and the ZyWALL restarts. Otherwise, go to step 2.
2 Turn the ZyWALL off.
3 While pressing the RESET button, turn the ZyWALL on.
4 Continue to hold the RESET button.
Note: Follow the instructions you see in the HOME screen or click the icon. The screen varies according to the device mode you select in the MAINTENANCE Device Mode screen.
2.4.1 Router Mode
The following screen displays when the ZyWALL is set to router mode. The ZyWALL is set to router mode by default. Not all fields are available on all models.
Figure 9 Web Configurator HOME Screen in Router Mode
Use submenus to configure ZyWALL features.
The following table describes the labels in this screen.
Table 3 Web Configurator HOME Screen in Router Mode
LABEL             DESCRIPTION
Wizards for WAN 1 (WAN) and VPN Quick Setup
  Internet Access   Click Internet Access to use the initial configuration wizard. This configures WAN1 on a ZyWALL with multiple WAN ports or the WAN port on a ZyWALL with a single WAN port.
  VPN               Click VPN to create VPN policies.
Table 3 Web Configurator HOME Screen in Router Mode (continued)
LABEL             DESCRIPTION
Interface         This is the port type. Port types for a ZyWALL with multiple WAN ports are: WAN1, WAN2, Dial Backup, LAN, WLAN and DMZ. Port types for a ZyWALL with a single WAN port are: WAN, Dial Backup, LAN, WLAN and DMZ. Click "+" to expand or "-" to collapse the LAN, WLAN (when the wireless card is part of the WLAN in the Port Roles screen), and DMZ IP alias drop-down lists.
Figure 10 Web Configurator HOME Screen in Bridge Mode
The following table describes the labels in this screen.
Table 4 Web Configurator HOME Screen in Bridge Mode
LABEL             DESCRIPTION
Wizards for VPN Quick Setup
  VPN               Click VPN to create VPN policies.
Device Information
  System Name       This is the System Name you enter in the MAINTENANCE General screen. It is for identification purposes.
Table 4 Web Configurator HOME Screen in Bridge Mode (continued)
LABEL             DESCRIPTION
Firmware Version  This is the ZyNOS Firmware version and the date created. ZyNOS is ZyXEL's proprietary Network Operating System design.
Device Mode       This displays whether the ZyWALL is functioning as a router or a bridge.
Firewall          This displays whether or not the ZyWALL’s firewall is activated.
Table 4 Web Configurator HOME Screen in Bridge Mode (continued)
LABEL             DESCRIPTION
RSTP Path Cost    This is the cost of transmitting a frame from the root bridge to the corresponding port.
Show Statistics   Click Show Statistics to see bridge performance statistics such as the number of packets sent and number of packets received for each port, including WAN (or WAN1, WAN2), Dial Backup, LAN, WLAN and DMZ.
Table 5 Bridge and Router Mode Features Comparison
FEATURE             BRIDGE MODE   ROUTER MODE
DNS                 O (one mode only)
Remote Management   O (one mode only)
UPnP                O             O
ALG                 O             O
Logs                O             O
Maintenance         O             O
Table Key: An O in a mode’s column shows that the device mode has the specified feature. The information in this table was correct at the time of writing, although it may be subject to change.
The following table describes the sub-menus.
Table 6 Screens Summary (continued)
WAN
General: This screen allows you to configure load balancing, route priority and traffic redirect properties.
Route (ZyWALL 5 only): This screen allows you to configure route priority.
WAN (ZyWALL 5 only): Use this screen to configure the WAN port for Internet access.
WAN1 (ZyWALL 35 and ZyWALL 70): Use this screen to configure the WAN1 port for Internet access.
Table 6 Screens Summary (continued)
IDP
General: Use this screen to enable IDP on the ZyWALL and choose what interface(s) you want to protect from intrusions.
Signature: Use these screens to view signatures by attack type or search for signatures by signature name, ID, severity, target operating system, action etc. You can also configure signature actions here.
Update: Use this screen to download new signatures.
Table 6 Screens Summary (continued)
NAT
NAT Overview: Use this screen to enable NAT.
Address Mapping: Use this screen to configure network address translation mapping rules.
Port Forwarding: Use this screen to configure servers behind the ZyWALL.
Port Triggering: Use this screen to change your ZyWALL’s port triggering settings.
STATIC ROUTE
IP Static Route: Use this screen to configure IP static routes.
Table 6 Screens Summary (continued)
MAINTENANCE
General: This screen contains administrative.
Password: Use this screen to change your password.
Time and Date: Use this screen to change your ZyWALL’s time and date.
Device Mode: Use this screen to configure and have your ZyWALL work as a router or a bridge.
Table 7 Home: Show Statistics (continued)
Status: For the LAN and DMZ ports, this displays the port speed and duplex setting. For the WAN and Dial Backup ports, this displays the port speed and duplex setting if you’re using Ethernet encapsulation, and Down (line is down), Idle (line (PPP) idle), Dial (starting to trigger a call) or Drop (dropping a call) if you’re using PPPoE encapsulation.
The following table describes the labels in this screen.
Table 8 Home: Show Statistics: Line Chart
Click the icon to go back to the Show Statistics screen.
Port: Select the check box(es) to display the throughput statistics of the corresponding port(s).
B/s: Specify the direction of the traffic for which you want to show throughput statistics in this table.
The following table describes the labels in this screen.
Table 9 Home: DHCP Table
Interface: Select LAN, DMZ or WLAN to show the current DHCP client information for the specified interface.
#: This is the index number of the host computer.
IP Address: This field displays the IP address relative to the # field listed above.
Host Name: This field displays the computer host name.
Figure 14 Home: VPN Status
The following table describes the labels in this screen.
Table 10 Home: VPN Status
#: This is the security association index number.
Name: This field displays the identification name for this VPN policy.
Local Network: This field displays the IP address of the computer using the VPN IPSec feature of your ZyWALL.
CHAPTER 3 Wizard Setup
This chapter provides information on the Wizard Setup screens in the web configurator. The Internet access wizard is only applicable when the ZyWALL is in router mode.
3.1 Wizard Setup Overview
The web configurator's setup wizards help you configure WAN1 on a ZyWALL with multiple WAN ports (or the WAN port on a ZyWALL with a single WAN port) to access the Internet, and edit VPN policies and configure IKE settings to establish a VPN tunnel.
3.
Figure 15 ISP Parameters: Ethernet Encapsulation
The following table describes the labels in this screen.
Table 11 ISP Parameters: Ethernet Encapsulation
ISP Parameters for Internet Access
Encapsulation: You must choose the Ethernet option when the WAN port is used as a regular Ethernet. Otherwise, choose PPPoE or PPTP for a dial-up connection.
3.2.1.2 PPPoE Encapsulation
Point-to-Point Protocol over Ethernet (PPPoE) functions as a dial-up connection. PPPoE is an IETF (Internet Engineering Task Force) standard specifying how a host personal computer interacts with a broadband modem (for example xDSL, cable, wireless, etc.) to achieve access to high-speed data networks.
Figure 16 ISP Parameters: PPPoE Encapsulation
The following table describes the labels in this screen.
Table 12 ISP Parameters: PPPoE Encapsulation (continued)
IP Address Assignment: Select Dynamic if your ISP did not assign you a fixed IP address. This is the default selection. Select Static if the ISP assigned a fixed IP address. The fields below are available only when you select Static.
My WAN IP Address: Enter your WAN IP address in this field.
First DNS Server / Second DNS Server: Enter the DNS server's IP address(es) in the field(s) to the right.
Figure 17 ISP Parameters: PPTP Encapsulation
The following table describes the labels in this screen.
Table 13 ISP Parameters: PPTP Encapsulation
ISP Parameters for Internet Access
Encapsulation: Select PPTP from the drop-down list box. To configure a PPTP client, you must configure the User Name and Password fields for a PPP connection and the PPTP parameters for a PPTP connection.
User Name: Type the user name given to you by your ISP.
Table 13 ISP Parameters: PPTP Encapsulation (continued)
Connection ID/Name: Enter the connection ID or connection name in this field. It must follow the "c:id" and "n:name" format. For example, C:12 or N:My ISP. This field is optional and depends on the requirements of your xDSL modem.
WAN IP Address Assignment
IP Address Assignment: Select Dynamic if your ISP did not assign you a fixed IP address. This is the default selection.
Figure 19 Internet Access Setup Complete
3.2.3 Internet Access Wizard: Registration
If you clicked Next in the previous screen (see Figure 18 on page 85), the following screen displays.
Note: If you want to activate a standard service with your iCard’s PIN number (license key), use the REGISTRATION Service screen.
The following table describes the labels in this screen.
Table 14 Internet Access Wizard: Registration
Device Registration: If you select Existing myZyXEL.com account, only the User Name and Password fields are available.
New myZyXEL.com account: If you haven’t created an account at myZyXEL.com, select this option and configure the following fields to create an account and register your ZyWALL.
Existing myZyXEL.
Figure 22 Internet Access Wizard: Status
The following screen appears if the registration was not successful. Click Return to go back to the Device Registration screen and check your settings.
Figure 23 Internet Access Wizard: Registration Failed
If the ZyWALL has been registered, the Device Registration screen is read-only and the Service Activation screen appears indicating what trial applications are activated after you click Next.
Figure 25 Internet Access Wizard: Activated Services
3.3 VPN Wizard Gateway Setting
Use the VPN wizard screens to configure a VPN rule that uses a pre-shared key. If you want to set the rule to use a certificate, please go to the VPN screens for configuration. Click VPN Wizard in the HOME screen to open the VPN configuration wizard. The first screen displays as shown next.
The following table describes the labels in this screen.
Table 15 VPN Wizard: Gateway Setting
Gateway Policy Property
Name: Type up to 32 characters to identify this VPN gateway policy. You may use any character, including spaces, but the ZyWALL drops trailing spaces.
My ZyWALL: When the ZyWALL is in router mode, enter the WAN IP address or the domain name of your ZyWALL or leave the field set to 0.0.0.0.
Figure 27 VPN Wizard: Network Setting
The following table describes the labels in this screen.
Table 16 VPN Wizard: Network Setting
Network Policy Property
Active: If the Active check box is selected, packets for the tunnel trigger the ZyWALL to build the tunnel. Clear the Active check box to turn the network policy off. The ZyWALL does not apply the policy. Packets for the tunnel do not trigger the tunnel.
Table 16 VPN Wizard: Network Setting (continued)
Remote Network: Remote IP addresses must be static and correspond to the remote IPSec router's configured local IP addresses. Select Single for a single IP address. Select Range IP for a specific range of IP addresses. Select Subnet to specify IP addresses on a network by their subnet mask.
The following table describes the labels in this screen.
Table 17 VPN Wizard: IKE Tunnel Setting
Negotiation Mode: Select Main Mode for identity protection. Select Aggressive Mode to allow more incoming connections from dynamic IP addresses to use separate passwords.
Note: Multiple SAs (security associations) connecting through a secure gateway must have the same negotiation mode.
3.6 VPN Wizard IPSec Setting (IKE Phase 2)
Figure 29 VPN Wizard: IPSec Setting
The following table describes the labels in this screen.
Table 18 VPN Wizard: IPSec Setting
Encapsulation Mode: Tunnel is compatible with NAT, Transport is not. Tunnel mode encapsulates the entire IP packet to transmit it securely. Tunnel mode is required for gateway services to provide access to internal systems.
Table 18 VPN Wizard: IPSec Setting (continued)
SA Life Time (Seconds): Define the length of time before an IKE SA automatically renegotiates in this field. The minimum value is 180 seconds. A short SA Life Time increases security by forcing the two VPN gateways to update the encryption and authentication keys. However, every time the VPN tunnel renegotiates, all users accessing remote resources are temporarily disconnected.
Figure 30 VPN Wizard: VPN Status
The following table describes the labels in this screen.
Table 19 VPN Wizard: VPN Status
Gateway Policy Property
Name: This is the name of this VPN gateway policy.
Gateway Policy Setting
My ZyWALL: This is the WAN IP address or the domain name of your ZyWALL in router mode or the ZyWALL’s IP address in bridge mode.
Table 19 VPN Wizard: VPN Status (continued)
Name: This is the name of this VPN network policy.
Network Policy Setting
Local Network
Starting IP Address: This is a (static) IP address on the LAN behind your ZyWALL.
Ending IP Address/Subnet Mask: When the local network is configured for a single IP address, this field is N/A.
3.8 VPN Wizard Setup Complete
Congratulations! You have successfully set up the VPN rule after any existing rule(s) for your ZyWALL.
CHAPTER 4 Registration
4.1 myZyXEL.com overview
myZyXEL.com is ZyXEL’s online services center where you can register your ZyWALL and manage subscription services available for the ZyWALL.
Note: You need to create an account before you can register your device and activate the services at myZyXEL.com.
You can directly create a myZyXEL.com account, register your ZyWALL and activate a service using the REGISTRATION screen. Alternatively, go to http://www.myZyXEL.
You will get automatic e-mail notification of new signature releases from mySecurityZone after you activate the IDP/Anti-virus service. You can also check for new signature or virus updates at http://mysecurity.zyxel.com. See the chapters about content filtering, anti-virus, anti-spam and IDP for more information.
Note: To update the signature file or use a subscription service, you have to register and activate the corresponding service at myZyXEL.
The following table describes the labels in this screen.
Table 20 Registration
Device Registration: If you select Existing myZyXEL.com account, only the User Name and Password fields are available.
New myZyXEL.com account: If you haven’t created an account at myZyXEL.com, select this option and configure the following fields to create an account and register your ZyWALL.
Existing myZyXEL.com account: If you already have an account at myZyXEL.
Figure 33 Registration: Registered Device
4.3 Service
After you activate a trial, you can also use the Service screen to register and enter your iCard’s PIN number (license key). Click REGISTRATION, Service to open the screen as shown next.
Note: If you restore the ZyWALL to the default configuration file or upload a different configuration file after you register, click the Service License Refresh button to update license information.
The following table describes the labels in this screen.
Table 21 Service
Service Management
Service: This field displays the service name available on the ZyWALL.
Status: This field displays whether a service is activated (Active) or not (Inactive).
Registration Type: This field displays whether you applied for a trial application (Trial) or registered a service with your iCard’s PIN number (Standard).
CHAPTER 5 LAN Screens
This chapter describes how to configure LAN settings. This chapter is only applicable when the ZyWALL is in router mode. The LAN Port Roles screen is available on the ZyWALL 5 and ZyWALL 35.
5.1 LAN Overview
A Local Area Network (LAN) is a shared communication system to which many computers are attached. The LAN screens can help you configure a LAN DHCP server, manage IP addresses, and partition your physical network into logical networks.
5.
These parameters should work for the majority of installations. If your ISP gives you explicit DNS server address(es), read the embedded web configurator help regarding what fields need to be configured.
5.3.2 IP Address and Subnet Mask
Similar to the way houses on a street share a common street name, computers on a LAN share one common network number. Where you obtain your network number depends on your particular situation.
Both RIP-2B and RIP-2M send routing data in RIP-2 format; the difference is that RIP-2B uses subnet broadcasting while RIP-2M uses multicasting. Multicasting can reduce the load on non-router machines since they generally do not listen to the RIP multicast address and so will not receive the RIP packets. However, if one router uses multicasting, then all routers on your network must also use multicasting.
Figure 35 LAN
The following table describes the labels in this screen.
Table 22 LAN
LAN TCP/IP
IP Address: Type the IP address of your ZyWALL in dotted decimal notation. 192.168.1.1 is the factory default. Alternatively, click the right mouse button to copy and/or paste the IP address.
IP Subnet Mask: The subnet mask specifies the network number portion of an IP address.
Table 22 LAN (continued)
Multicast: Select IGMP V-1 or IGMP V-2 or None. IGMP (Internet Group Multicast Protocol) is a network-layer protocol used to establish membership in a multicast group; it is not used to carry user data. IGMP version 2 (RFC 2236) is an improvement over version 1 (RFC 1112), but IGMP version 1 is still in wide use.
5.6 LAN Static DHCP
This table allows you to assign IP addresses on the LAN to specific individual computers based on their MAC addresses. Every Ethernet device has a unique MAC (Media Access Control) address. The MAC address is assigned at the factory and consists of six pairs of hexadecimal characters, for example, 00:A0:C5:00:00:02. To change your ZyWALL’s static DHCP settings, click NETWORK, LAN and then the Static DHCP tab. The screen appears as shown.
Table 23 LAN Static DHCP
IP Address: Type the IP address that you want to assign to the computer on your LAN. Alternatively, click the right mouse button to copy and/or paste the IP address.
Apply: Click Apply to save your changes back to the ZyWALL.
Reset: Click Reset to begin configuring this screen afresh.
5.7 LAN IP Alias
IP alias allows you to partition a physical network into different logical networks over the same Ethernet interface.
Figure 38 LAN IP Alias
The following table describes the labels in this screen.
Table 24 LAN IP Alias
Enable IP Alias 1, 2: Select the check box to configure another LAN network for the ZyWALL.
IP Address: Enter the IP address of your ZyWALL in dotted decimal notation. Alternatively, click the right mouse button to copy and/or paste the IP address.
Table 24 LAN IP Alias (continued)
Apply: Click Apply to save your changes back to the ZyWALL.
Reset: Click Reset to begin configuring this screen afresh.
5.8 LAN Port Roles
Use the Port Roles screen to set ports as LAN, DMZ or WLAN interfaces. The LAN port role is not available on all models. Connect wireless LAN Access Points (APs) to WLAN interfaces to extend the ZyWALL’s wireless LAN coverage.
To change your ZyWALL’s port role settings, click NETWORK, LAN and then the Port Roles tab. The screen appears as shown. The radio buttons on the left correspond to Ethernet ports on the front panel of the ZyWALL. Ports 1 to 4 are all LAN ports by default. The radio buttons on the right are for the wireless card.
Note: Your changes are also reflected in the DMZ Port Roles and WLAN Port Roles screens.
Table 25 LAN Port Roles (continued)
Apply: Click Apply to save your changes back to the ZyWALL.
Reset: Click Reset to begin configuring this screen afresh.
After you change the LAN/DMZ/WLAN port roles and click Apply, please wait a few seconds until the following screen appears. Click Return to go back to the Port Roles screen.
CHAPTER 6 Bridge Screens
This chapter describes how to configure bridge settings. This chapter is only applicable when the ZyWALL is in bridge mode.
6.1 Bridge Loop
The ZyWALL can act as a bridge between a switch and a wired LAN or between two routers. Be careful to avoid bridge loops when you enable bridging in the ZyWALL. Bridge loops cause broadcast traffic to circle the network endlessly, resulting in possible throughput degradation and disruption of communications.
6.2.1 Rapid STP
The ZyWALL uses IEEE 802.1w RSTP (Rapid Spanning Tree Protocol), which allows faster convergence of the spanning tree (while also being backwards compatible with STP-only aware bridges). With RSTP, topology change information does not have to propagate to the root bridge, and unwanted learned addresses are flushed from the filtering database. In RSTP, the port states are Discarding, Learning, and Forwarding.
6.2.
Once a stable network topology has been established, all bridges listen for Hello BPDUs (Bridge Protocol Data Units) transmitted from the root bridge. If a bridge does not get a Hello BPDU after a predefined interval (Max Age), the bridge assumes that the link to the root bridge is down. This bridge then initiates negotiations with other bridges to reconfigure the network to re-establish a valid network topology.
6.2.
Figure 43 Bridge
The following table describes the labels in this screen.
Table 28 Bridge
Bridge IP Address Setup
IP Address: Type the IP address of your ZyWALL in dotted decimal notation.
IP Subnet Mask: The subnet mask specifies the network number portion of an IP address.
Gateway IP Address: Enter the gateway IP address.
Table 28 Bridge (continued)
Rapid Spanning Tree Protocol Setup
Enable Rapid Spanning Tree Protocol: Select the check box to activate RSTP on the ZyWALL.
Bridge Priority: Enter a number between 0 and 61440 as the bridge priority of the ZyWALL. 0 is the highest.
Bridge Hello Time: Enter an interval (between 1 and 10) in seconds that the root bridge waits before sending a hello packet.
Figure 44 WLAN Port Role Example
To change your ZyWALL’s port role settings, click NETWORK, BRIDGE and then the Port Roles tab. The screen appears as shown. The radio buttons on the left correspond to Ethernet ports on the front panel of the ZyWALL. Ports 1 to 4 are all DMZ ports on the ZyWALL 70 and all LAN ports on the ZyWALL 5 or ZyWALL 35 by default. The radio buttons on the right are for the WLAN card.
Table 29 Bridge Port Roles (continued)
WLAN: When you have the wireless card set to WLAN, you can select a port’s WLAN radio button to use the port as part of the WLAN. The port will use the ZyWALL’s WLAN IP address and the MAC address of the WLAN card.
Note: You must install a wireless card to use the WLAN port role. See Appendix A on page 660 for how to install a WLAN card.
Wireless Card: Select LAN to use the wireless card as part of the LAN.
CHAPTER 7 WAN Screens
This chapter describes how to configure WAN settings. Multiple WAN and load balancing are not available on the ZyWALL 5.
7.1 WAN Overview
• Use the WAN General screen to configure load balancing, route priority and traffic redirect properties for the ZyWALL 70 and ZyWALL 35.
• Use the WAN Route screen to configure route priority for the ZyWALL 5.
• Use the WAN1 screen to configure the WAN1 port for Internet access on the ZyWALL 70 and ZyWALL 35.
You can select through which WAN port you want to send out traffic from UPnP-enabled applications (see Chapter 28 on page 452). The ZyWALL's DDNS lets you select which WAN interface you want to use for each individual domain name. The DDNS high availability feature lets you have the ZyWALL use the other WAN interface for a domain name if the configured WAN interface's connection goes down. See Section 26.10.2 on page 424 for details.
7.4.1.1 Example 1
The following figure depicts an example where both the WAN ports on the ZyWALL are connected to the Internet. The configured available outbound bandwidths for WAN 1 and WAN 2 are 512K and 256K respectively.
7.4.2 Weighted Round Robin
Similar to the Round Robin (RR) algorithm, the Weighted Round Robin (WRR) algorithm sets the ZyWALL to send traffic through each WAN interface in turn. In addition, the WAN interfaces are assigned weights. An interface with a larger weight gets more of the traffic than an interface with a smaller weight. This algorithm is best suited for situations when the bandwidths set for the two WAN interfaces are different.
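The following added example (not ZyXEL's code) simulates how Least Load First (Example 1 above, WAN 1 = 512K and WAN 2 = 256K) and Weighted Round Robin pick an outbound WAN port for each new session. It assumes, since the manual does not spell this out, that "least load" means the lowest ratio of current outbound traffic to configured available bandwidth, and that WRR gives each interface `weight` turns per cycle; the session sizes are constructed.

```python
"""WAN load-balancing selection as described in sections 7.4.1 and 7.4.2.

Assumptions (not stated by the manual): Least Load First compares the ratio of
current outbound traffic to the configured available bandwidth, and Weighted
Round Robin cycles through the interfaces, giving each `weight` turns per cycle.
"""
from dataclasses import dataclass
from itertools import cycle
from typing import Iterator, List


@dataclass
class WanInterface:
    name: str
    available_kbps: int       # configured available outbound bandwidth
    weight: int = 1           # Weighted Round Robin weight
    current_kbps: int = 0     # outbound traffic currently assigned (constructed)

    def load_ratio(self) -> float:
        # Load relative to the configured bandwidth: a 256K link carrying
        # 128 kbps counts as busier than a 512K link carrying 192 kbps.
        return self.current_kbps / self.available_kbps


def least_load_first(wans: List[WanInterface]) -> WanInterface:
    """Pick the interface with the lowest load ratio; ties go to the lower name."""
    return min(wans, key=lambda w: (w.load_ratio(), w.name))


def weighted_round_robin(wans: List[WanInterface]) -> Iterator[WanInterface]:
    """Endless WAN1, WAN1, WAN2, ... sequence: each interface appears `weight` times per cycle."""
    order: List[WanInterface] = []
    for w in wans:
        if w.weight < 1:
            raise ValueError(f"{w.name}: weight must be at least 1")
        order.extend([w] * w.weight)
    return cycle(order)


def assign_sessions(wans: List[WanInterface], session_kbps: List[int], method: str) -> List[str]:
    """Assign each new session to a WAN port and return the chosen port names.

    Traffic already placed on a port stays there: existing sessions are not rebalanced.
    """
    if method not in ("llf", "wrr"):
        raise ValueError("method must be 'llf' or 'wrr'")
    rr = weighted_round_robin(wans) if method == "wrr" else None
    chosen: List[str] = []
    for kbps in session_kbps:
        wan = least_load_first(wans) if method == "llf" else next(rr)
        wan.current_kbps += kbps
        chosen.append(wan.name)
    return chosen


def example_1_least_load_first() -> List[str]:
    """Example 1 from the manual: WAN1 = 512K, WAN2 = 256K, six equal 64 kbps sessions."""
    wans = [WanInterface("WAN1", 512), WanInterface("WAN2", 256)]
    return assign_sessions(wans, [64] * 6, "llf")


def example_weighted_round_robin() -> List[str]:
    """Same links with weights 2:1, matching the 512K:256K bandwidth ratio."""
    wans = [WanInterface("WAN1", 512, weight=2), WanInterface("WAN2", 256, weight=1)]
    return assign_sessions(wans, [64] * 6, "wrr")


if __name__ == "__main__":
    # Both methods end up sending WAN1 twice as many sessions as WAN2, but
    # Least Load First reacts to measured load while WRR follows a fixed pattern.
    print("Least Load First :", example_1_least_load_first())
    print("Weighted RR (2:1):", example_weighted_round_robin())
```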
Figure 49 Spillover Algorithm Example
7.5 TCP/IP Priority (Metric)
The metric represents the "cost of transmission". A router determines the best route for transmission by choosing a path with the lowest "cost". RIP routing uses hop count as the measurement of cost, with a minimum of "1" for directly connected networks. The number must be between "1" and "15"; a number greater than "15" means the link is down. The smaller the number, the lower the "cost".
Figure 50 WAN General
The following table describes the labels in this screen.
Table 32 WAN General
Active/Passive (Fail Over) Mode: Select the Active/Passive (fail over) operation mode to have the ZyWALL use the second highest priority WAN port as a back up. This means that the ZyWALL will normally use the highest priority (primary) WAN port (depending on the priorities you configure in the Route Priority fields).
Table 32 WAN General (continued)
Check WAN1/2 Connectivity: Select the check box to have the ZyWALL periodically test the respective WAN port's connection. Select Ping Default Gateway to have the ZyWALL ping the WAN port's default gateway IP address. Select Ping this Address and enter a domain name or IP address of a reliable nearby computer (for example, your ISP's DNS server address) to have the ZyWALL ping that address.
7.7.1 Least Load First
To configure Least Load First, select Least Load First in the Load Balancing Algorithm field.
Figure 51 Load Balancing: Least Load First
The following table describes the related fields in this screen.
Table 33 Load Balancing: Least Load First
Active/Active Mode: Select Active/Active Mode and set the related fields to enable load balancing on the ZyWALL.
7.7.2 Weighted Round Robin
To load balance using the weighted round robin method, select Weighted Round Robin in the Load Balancing Algorithm field.
Figure 52 Load Balancing: Weighted Round Robin
The following table describes the related fields in this screen.
Table 34 Load Balancing: Weighted Round Robin
Active/Active Mode: Select Active/Active Mode and set the related fields to enable load balancing on the ZyWALL.
Figure 53 Load Balancing: Spillover
The following table describes the related fields in this screen.
Table 35 Load Balancing: Spillover
Active/Active Mode: Select Active/Active Mode and set the related fields to enable load balancing on the ZyWALL.
Load Balancing Algorithm: Select a load balancing method to use from the drop-down list box.
Figure 54 WAN Route
The following table describes the labels in this screen.
Table 36 WAN Route
Route Priority
WAN / Traffic Redirect / Dial Backup: The default WAN connection is "1" as your broadband connection via the WAN port should always be your preferred method of accessing the WAN.
Table 36 WAN Route (continued)
Allow between WAN and WLAN: Select this check box to forward NetBIOS packets from the WLAN to the WAN and from the WAN to the WLAN. Clear this check box to block all NetBIOS packets going from the WLAN to the WAN and from the WAN to the WLAN.
Allow Trigger Dial: Select this option to allow NetBIOS packets to initiate calls.
Apply: Click Apply to save your changes back to the ZyWALL.
1 The ISP tells you the DNS server addresses, usually in the form of an information sheet, when you sign up. If your ISP gives you DNS server addresses, manually enter them in the DNS server fields.
2 If your ISP dynamically assigns the DNS server IP addresses (along with the ZyWALL’s WAN IP address), set the DNS server fields to get the DNS server address from the ISP.
3 You can manually enter the IP addresses of other DNS servers. These servers can be public or private.
Figure 55 WAN: Ethernet Encapsulation
The following table describes the labels in this screen.
Table 39 WAN: Ethernet Encapsulation
ISP Parameters for Internet Access
Encapsulation: You must choose the Ethernet option when the WAN port is used as a regular Ethernet.
Table 39 WAN: Ethernet Encapsulation (continued)
Retype to Confirm: Type your password again to make sure that you have entered it correctly.
Login Server IP Address: Type the authentication server IP address here if your ISP gave you one. This field is not available for Telia Login.
Login Server (Telia Login only): Type the domain name of the Telia login server, for example login1.telia.com.
Table 39 WAN: Ethernet Encapsulation (continued)
RIP Version: The RIP Version field controls the format and the broadcasting method of the RIP packets that the ZyWALL sends (it recognizes both formats when receiving). Choose RIP-1, RIP-2B or RIP-2M. RIP-1 is universally supported, but RIP-2 carries more information. RIP-1 is probably adequate for most networks, unless you have an unusual network topology.
Operationally, PPPoE saves significant effort for both you and the ISP or carrier, as it requires no specific configuration of the broadband modem at the customer site. By implementing PPPoE directly on the ZyWALL (rather than on individual computers), the computers on the LAN do not need PPPoE software installed, since the ZyWALL does that part of the task. Furthermore, with NAT, all of the LAN’s computers will have access.
The following table describes the labels in this screen.
Table 40 WAN: PPPoE Encapsulation
ISP Parameters for Internet Access
Encapsulation: The PPPoE choice is for a dial-up connection using PPPoE. The router supports PPPoE (Point-to-Point Protocol over Ethernet). PPPoE is an IETF standard (RFC 2516) specifying how a personal computer (PC) interacts with a broadband modem (i.e. DSL, cable, wireless, etc.) connection.
Table 40 WAN: PPPoE Encapsulation (continued)
RIP Direction: RIP (Routing Information Protocol) allows a router to exchange routing information with other routers. The RIP Direction field controls the sending and receiving of RIP packets. Choose Both, None, In Only or Out Only. When set to Both or Out Only, the ZyWALL will broadcast its routing table periodically. When set to Both or In Only, the ZyWALL will incorporate RIP information that it receives.
7.12.3 PPTP Encapsulation
Point-to-Point Tunneling Protocol (PPTP) is a network protocol that enables secure transfer of data from a remote client to a private server, creating a Virtual Private Network (VPN) using TCP/IP-based networks. PPTP supports on-demand, multi-protocol and virtual private networking over public networks, such as the Internet. The screen shown next is for PPTP encapsulation. Refer to Appendix G on page 700 for more information on PPTP.
The following table describes the labels in this screen.
Table 41 WAN: PPTP Encapsulation
ISP Parameters for Internet Access
Encapsulation: Point-to-Point Tunneling Protocol (PPTP) is a network protocol that enables secure transfer of data from a remote client to a private server, creating a Virtual Private Network (VPN) using TCP/IP-based networks.
Table 41 WAN: PPTP Encapsulation (continued)
Enable NAT (Network Address Translation): Network Address Translation (NAT) allows the translation of an Internet protocol address used within one network (for example a private IP address used in a local network) to a different IP address known within another network (for example a public IP address used on the Internet). Select this checkbox to enable NAT. For more information about NAT see Chapter 22 on page 370.
7.13 Traffic Redirect
Traffic redirect forwards WAN traffic to a backup gateway when the ZyWALL cannot connect to the Internet through its normal gateway. Connect the backup gateway on the WAN so that the ZyWALL still provides firewall protection.

Figure 58 Traffic Redirect WAN Setup

The following network topology allows you to avoid triangle route security issues (see Appendix I on page 718) when the backup gateway is connected to the LAN or DMZ.
Figure 59 Traffic Redirect LAN Setup

7.14 Configuring Traffic Redirect
To change your ZyWALL’s traffic redirect settings, click NETWORK, WAN and then the Traffic Redirect tab. The screen appears as shown. Not all fields are available on all models.

Figure 60 Traffic Redirect

The following table describes the labels in this screen.
Table 42 Traffic Redirect (continued)
Fail Tolerance: Type how many WAN connection checks can fail (1 to 10) before the connection is considered "down" (not connected). The ZyWALL still checks a "down" connection to detect if it reconnects.
Period: The ZyWALL tests a WAN connection by periodically sending a ping to either the default gateway or the address in the Check WAN IP Address field.
Figure 61 Dial Backup
The following table describes the labels in this screen.

Table 43 Dial Backup
Dial Backup Setup
Enable Dial Backup: Select this check box to turn on dial backup.
Basic Settings
Login Name: Type the login name assigned by your ISP.
Password: Type the password assigned by your ISP.
Retype to Confirm: Type your password again to make sure that you have entered it correctly.
Table 43 Dial Backup (continued)
Enable RIP: Select this check box to turn on RIP (Routing Information Protocol), which allows a router to exchange routing information with other routers.
RIP Version: The RIP Version field controls the format and the broadcasting method of the RIP packets that the ZyWALL sends (it recognizes both formats when receiving). Choose RIP-1, RIP-2B or RIP-2M. RIP-1 is universally supported, but RIP-2 carries more information.
Table 43 Dial Backup (continued)
Apply: Click Apply to save your changes back to the ZyWALL.
Reset: Click Reset to begin configuring this screen afresh.

7.16 Advanced Modem Setup
7.16.1 AT Command Strings
For regular telephone lines, the default Dial string tells the modem that the line uses tone dialing. ATDT is the command for a switch that requires tone dialing. If your switch requires pulse dialing, change the string to ATDP.
Figure 62 Advanced Setup

The following table describes the labels in this screen.

Table 44 Advanced Setup
AT Command Strings
Dial: Type the AT Command string to make a call.
Drop: Type the AT Command string to drop a call. "~" represents a one second wait; for example, "~~~+++~~ath" can be used if your modem has a slow response time.
Answer: Type the AT Command string to answer a call.
Table 44 Advanced Setup (continued)
Dial Timeout (sec): Type a number of seconds for the ZyWALL to try to set up an outgoing call before timing out (stopping).
Retry Count: Type a number of times for the ZyWALL to retry a busy or no-answer phone number before blacklisting the number.
Retry Interval (sec): Type a number of seconds for the ZyWALL to wait before trying another call after a call has failed.
CHAPTER 8 DMZ Screens
This chapter describes how to configure the ZyWALL’s DMZ.

8.1 DMZ
The DeMilitarized Zone (DMZ) provides a way for public servers (Web, e-mail, FTP, etc.) to be visible to the outside world (while still being protected from DoS (Denial of Service) attacks such as SYN flooding and Ping of Death). These public servers can also still be accessed from the secure LAN.
Figure 63 DMZ

The following table describes the labels in this screen.

Table 45 DMZ
DMZ TCP/IP
IP Address: Type the IP address of your ZyWALL’s DMZ port in dotted decimal notation. Note: Make sure the IP addresses of the LAN, WAN, WLAN and DMZ are on separate subnets.
IP Subnet Mask: The subnet mask specifies the network number portion of an IP address.
Table 45 DMZ (continued)
RIP Version: The RIP Version field controls the format and the broadcasting method of the RIP packets that the ZyWALL sends (it recognizes both formats when receiving). RIP-1 is universally supported but RIP-2 carries more information. RIP-1 is probably adequate for most networks, unless you have an unusual network topology.
Table 45 DMZ (continued)
Allow between DMZ and WLAN: Select this check box to forward NetBIOS packets from the WLAN to the DMZ and from the DMZ to the WLAN. Clear this check box to block all NetBIOS packets going from the WLAN to the DMZ and from the DMZ to the WLAN.
Apply: Click Apply to save your changes back to the ZyWALL.
Reset: Click Reset to begin configuring this screen afresh.

8.
Figure 64 DMZ Static DHCP

The following table describes the labels in this screen.

Table 46 DMZ Static DHCP
#: This is the index number of the Static IP table entry (row).
MAC Address: Type the MAC address of a computer on your DMZ.
IP Address: Type the IP address that you want to assign to the computer on your DMZ. Alternatively, click the right mouse button to copy and/or paste the IP address.
8.4 DMZ IP Alias
IP alias allows you to partition a physical network into different logical networks over the same Ethernet interface. The ZyWALL supports three logical DMZ interfaces via its single physical Ethernet interface with the ZyWALL itself as the gateway for each DMZ network. The IP alias IP addresses can be either private or public regardless of whether the physical DMZ interface is set to use a private or public IP address.
Table 47 DMZ: IP Alias (continued)
IP Subnet Mask: Your ZyWALL will automatically calculate the subnet mask based on the IP address that you assign. Unless you are implementing subnetting, use the subnet mask computed by the ZyWALL.
RIP Direction: RIP (Routing Information Protocol, RFC 1058 and RFC 1389) allows a router to exchange routing information with other routers. The RIP Direction field controls the sending and receiving of RIP packets.
Figure 66 DMZ Public Address Example

8.6 DMZ Private and Public IP Address Example
The following figure shows a network setup with both private and public IP addresses on the DMZ. Lower case letters represent public IP addresses (like a.b.c.d for example). The LAN port and connected computers (A through C) use private IP addresses that are in one subnet. The DMZ port and server F use private IP addresses that are in one subnet.
Figure 67 DMZ Private and Public Address Example

8.7 DMZ Port Roles
Use the Port Roles screen to set ports as LAN, DMZ or WLAN interfaces. The LAN port role is not available on all models. Connect wireless LAN Access Points (APs) to WLAN interfaces to extend the ZyWALL’s wireless LAN coverage. The WLAN port role allows the ZyWALL’s firewall to treat traffic from connected APs as part of the ZyWALL’s WLAN.
Figure 68 WLAN Port Role Example

Note: Do the following if you are configuring from a computer connected to a LAN, DMZ or WLAN port and changing the port's role:
1. A port's IP address changes with its role, so make sure your computer's IP address is in the same subnet as the ZyWALL's LAN, DMZ or WLAN IP address.
2. Use the appropriate LAN, DMZ or WLAN IP address to access the ZyWALL.
Figure 69 DMZ: Port Roles

The following table describes the labels in this screen.

Table 48 DMZ: Port Roles
LAN: Select a port’s LAN radio button to use the port as part of the LAN. The port will use the LAN IP address and MAC address.
DMZ: Select a port’s DMZ radio button to use the port as part of the DMZ. The port will use the DMZ IP address and MAC address.
CHAPTER 9 Wireless LAN
This chapter discusses how to configure wireless LAN on the ZyWALL.

9.1 Wireless LAN Introduction
A wireless LAN can be as simple as two computers with wireless LAN adapters communicating in a peer-to-peer network or as complex as a number of computers with wireless LAN adapters communicating through access points which bridge network traffic to the wired LAN.
Note: See Appendix A on page 660 for how to install a WLAN card.
Figure 70 WLAN

The following table describes the labels in this screen.

Table 49 WLAN
WLAN TCP/IP
IP Address: Type the IP address of your ZyWALL’s WLAN interface in dotted decimal notation. Alternatively, click the right mouse button to copy and/or paste the IP address. Note: Make sure the IP addresses of the LAN, WAN, WLAN and DMZ are on separate subnets.
IP Subnet Mask: The subnet mask specifies the network number portion of an IP address.
Table 49 WLAN (continued)
RIP Version: The RIP Version field controls the format and the broadcasting method of the RIP packets that the ZyWALL sends (it recognizes both formats when receiving). RIP-1 is universally supported but RIP-2 carries more information. RIP-1 is probably adequate for most networks, unless you have an unusual network topology.
Table 49 WLAN (continued)
Allow between WLAN and DMZ: Select this check box to forward NetBIOS packets from the LAN to the DMZ and from the DMZ to the WLAN. If your firewall is enabled with the default policy set to block DMZ to WLAN traffic, you also need to enable the default DMZ to WLAN firewall rule that forwards NetBIOS traffic. Clear this check box to block all NetBIOS packets going from the WLAN to the DMZ and from the DMZ to the WLAN.
Figure 71 WLAN Static DHCP

The following table describes the labels in this screen.

Table 50 WLAN Static DHCP
#: This is the index number of the Static IP table entry (row).
MAC Address: Type the MAC address of a computer on your WLAN.
IP Address: Type the IP address that you want to assign to the computer on your WLAN. Alternatively, click the right mouse button to copy and/or paste the IP address.
When you use IP alias, you can also configure firewall rules to control access between the WLAN's logical networks (subnets).
Note: Make sure that the subnets of the logical networks do not overlap.
To change your ZyWALL’s IP alias settings, click NETWORK, WLAN and then the IP Alias tab. The screen appears as shown.

Figure 72 WLAN IP Alias

The following table describes the labels in this screen.
Table 51 WLAN IP Alias
RIP Version: The RIP Version field controls the format and the broadcasting method of the RIP packets that the ZyWALL sends (it recognizes both formats when receiving). RIP-1 is universally supported but RIP-2 carries more information. RIP-1 is probably adequate for most networks, unless you have an unusual network topology.
Note: Do the following if you are configuring from a computer connected to a LAN, DMZ or WLAN port and changing the port's role:
1. A port's IP address changes with its role, so make sure your computer's IP address is in the same subnet as the ZyWALL's LAN, DMZ or WLAN IP address.
2. Use the appropriate LAN, DMZ or WLAN IP address to access the ZyWALL.
To change your ZyWALL’s port role settings, click NETWORK, WLAN and then the Port Roles tab.
Table 52 WLAN Port Roles (continued)
Wireless Card: Select LAN to use the wireless card as part of the LAN. Select DMZ to use the wireless card as part of the DMZ. Select WLAN to use the wireless card as part of the WLAN. The ZyWALL restarts after you change the wireless card setting. Note: If you set the wireless card to be part of the LAN or DMZ, you can still use wireless access, but not the WLAN interface in the firewall.
Figure 76 ZyWALL Wireless Security Levels

If you do not enable any wireless security on your ZyWALL, your network is accessible to any wireless networking device that is within range. Use the ZyWALL web configurator to set up your wireless LAN security settings. Refer to the chapter on using the ZyWALL web configurator to see how to access the web configurator.

9.6.1 Encryption
• Use WPA security if you have WPA-aware wireless clients and a RADIUS server.
9.6.3 Restricted Access
The MAC Filter screen allows you to configure the AP to give exclusive access to devices (Allow Association) or exclude them from accessing the AP (Deny Association).

9.6.4 Hide ZyWALL Identity
If you hide the ESSID, then the ZyWALL cannot be seen when a wireless client scans for local APs. The trade-off for the extra security of “hiding” the ZyWALL may be inconvenience for some valid WLAN clients.

9.
9.9 802.1x Overview
The IEEE 802.1x standard outlines enhanced security methods for both the authentication of wireless stations and encryption key management. Authentication can be done using the local user database internal to the ZyWALL (authenticate up to 32 users) or an external RADIUS server for an unlimited number of users.

9.9.
Sent by the RADIUS server to indicate that it has started or stopped accounting.
In order to ensure network security, the access point and the RADIUS server use a shared secret key, which is a password they both know. The key is not sent over the network. In addition to the shared key, password information exchanged is also encrypted to protect the network from unauthorized access.

9.9.
If this feature is enabled, it is not necessary to configure a default encryption key in the Wireless Card screen (see Section 9.16.4 on page 192). You may still configure and store keys here, but they will not be used while dynamic WEP is enabled. To use dynamic WEP, enable and configure dynamic WEP key exchange in the Wireless Card screen and configure RADIUS server settings in the AUTH SERVER RADIUS screen (see Section 21.3 on page 368).
TKIP regularly changes and rotates the encryption keys so that the same encryption key is never used twice. The RADIUS server distributes a Pairwise Master Key (PMK) to the AP, which then sets up a key hierarchy and management system, using the pair-wise key to dynamically generate unique data encryption keys to encrypt every data packet that is wirelessly communicated between the AP and the wireless clients. This all happens in the background automatically.
Figure 78 WPA-PSK Authentication

9.13 Introduction to RADIUS
The ZyWALL can use an external RADIUS server to authenticate an unlimited number of users. RADIUS is based on a client-server model that supports authentication and accounting, where the access point is the client and the server is the RADIUS server.
• Authentication: Determines the identity of the users.
• Accounting: Keeps track of the client’s network activity.
Figure 79 WPA with RADIUS Application Example

9.15 Wireless Client WPA Supplicants
A wireless client supplicant is the software that runs on an operating system instructing the wireless client how to use WPA. At the time of writing, the most widely available supplicants are the WPA patch for Windows XP, Funk Software's Odyssey client, and Meetinghouse Data Communications' AEGIS client.
Figure 80 Wireless Card: No Security

The following table describes the labels in this screen.

Table 54 Wireless Card: No Security
Enable Wireless Card: The wireless LAN is turned off by default. Before you enable the wireless LAN you should configure some security by setting MAC filters and/or 802.1x security; otherwise your wireless LAN will be vulnerable upon enabling it. Select the check box to enable the wireless LAN.
Table 54 Wireless Card: No Security (continued)
Fragmentation Threshold: This is the threshold (number of bytes) for the fragmentation boundary for directed messages. It is the maximum data fragment size that can be sent. Select the check box to change the default value and enter a value between 256 and 2432.
Security: Choose from one of the security settings listed in the drop-down box.
• No Security
• Static WEP
• WPA-PSK
• WPA
• 802.
Figure 81 Wireless Card: Static WEP

The following table describes the wireless LAN security labels in this screen.

Table 55 Wireless Card: Static WEP
Security: Select Static WEP from the drop-down list.
WEP Encryption: WEP (Wired Equivalent Privacy) provides data encryption to prevent unauthorized wireless stations from accessing data transmitted over the wireless network. Select 64-bit WEP or 128-bit WEP to enable data encryption.
Figure 82 Wireless Card: WPA-PSK

The following wireless LAN security fields become available when you select WPA-PSK in the Security drop-down list box.

Table 56 Wireless Card: WPA-PSK
Security: Select WPA-PSK from the drop-down list.
Pre-Shared Key: The encryption mechanisms used for WPA and WPA-PSK are the same. The only difference between the two is that WPA-PSK uses a simple common password, instead of user-specific credentials.
9.16.3 WPA
Click NETWORK and then WIRELESS CARD to display the Wireless Card screen. Select WPA from the Security list.

Figure 83 Wireless Card: WPA

The following wireless LAN security fields become available when you select WPA in the Security drop-down list box.

Table 57 Wireless Card: WPA
Security: Select WPA from the drop-down list.
9.16.4 IEEE 802.1x + Dynamic WEP
Click NETWORK and then WIRELESS CARD to display the Wireless Card screen. Select 802.1x + Dynamic WEP from the Security list.

Figure 84 Wireless Card: 802.1x + Dynamic WEP

The following wireless LAN security fields become available when you select 802.1x + Dynamic WEP in the Security drop-down list box.

Table 58 Wireless Card: 802.1x + Dynamic WEP
Security: Select 802.1x + Dynamic WEP from the drop-down list.
9.16.5 IEEE 802.1x + Static WEP
Click NETWORK and then WIRELESS CARD to display the Wireless Card screen. Select 802.1x + Static WEP from the Security list.

Figure 85 Wireless Card: 802.1x + Static WEP

The following wireless LAN security fields become available when you select 802.1x + Static WEP in the Security drop-down list box.

Table 59 Wireless Card: 802.1x + Static WEP
Security: Select 802.1x + Static WEP from the drop-down list.
Table 59 Wireless Card: 802.1x + Static WEP (continued)
ReAuthentication Timer (Seconds): Specify how often wireless stations have to resend user names and passwords in order to stay connected. Enter a time interval between 10 and 65535 seconds. If wireless station authentication is done using a RADIUS server, the reauthentication timer on the RADIUS server has priority.
The following wireless LAN security fields become available when you select 802.1x + No WEP in the Security drop-down list box.

Table 60 Wireless Card: 802.1x + No WEP
Security: Select 802.1x + No WEP from the drop-down list.
ReAuthentication Timer (Seconds): Specify how often wireless stations have to resend user names and passwords in order to stay connected. Enter a time interval between 10 and 65535 seconds.
The following wireless LAN security fields become available when you select No Access 802.1x + Static WEP in the Security drop-down list box.

Table 61 Wireless Card: No Access 802.1x + Static WEP
Security: Select No Access 802.1x + Static WEP from the drop-down list.
WEP Encryption: WEP (Wired Equivalent Privacy) provides data encryption to prevent unauthorized wireless stations from accessing data transmitted over the wireless network.
Figure 88 Wireless Card: MAC Address Filter

The following table describes the labels in this menu.

Table 62 Wireless Card: MAC Address Filter
Active: Select or clear the check box to enable or disable MAC address filtering. Enable MAC address filtering to have the router allow or deny access to wireless stations based on MAC addresses. Disable MAC address filtering to have the router not perform MAC filtering on the wireless stations.
CHAPTER 10 Firewalls
This chapter gives some background information on firewalls and introduces the ZyWALL firewall.

10.1 Firewall Overview
Originally, the term firewall referred to a construction technique designed to prevent the spread of fire from one room to another. The networking term firewall is a system or group of systems that enforces an access-control policy between two networks.
1 Information hiding prevents the names of internal systems from being made known via DNS to outside systems, since the application gateway is the only host whose name must be made known to outside systems.
2 Robust authentication and logging pre-authenticates application traffic before it reaches internal hosts and causes it to be logged more effectively than if it were logged with standard host logging.
Figure 89 ZyWALL Firewall Application

10.4 Denial of Service
Denial of Service (DoS) attacks are aimed at devices and networks with a connection to the Internet. Their goal is not to steal information, but to disable a device or network so users no longer have access to network resources. The ZyWALL is pre-configured to automatically detect and thwart all known DoS attacks.

10.4.
10.4.2 Types of DoS Attacks
There are four types of DoS attacks:
1 Those that exploit bugs in a TCP/IP implementation.
2 Those that exploit weaknesses in the TCP/IP specification.
3 Brute-force attacks that flood a network with useless data.
4 IP Spoofing.
• "Ping of Death" and "Teardrop" attacks exploit bugs in the TCP/IP implementations of various computer and host systems.
response. While the targeted system waits for the ACK that follows the SYN-ACK, it queues up all outstanding SYN-ACK responses on what is known as a backlog queue. SYN-ACKs are moved off the queue only when an ACK comes back or when an internal timer (which is set at relatively long intervals) terminates the three-way handshake. Once the queue is full, the system will ignore all incoming SYN requests, making the system unavailable for legitimate users.
Figure 92 Smurf Attack

10.4.2.1 ICMP Vulnerability
ICMP is an error-reporting protocol that works in concert with IP. The following ICMP types trigger an alert:

Table 64 ICMP Commands That Trigger Alerts
5 REDIRECT
13 TIMESTAMP_REQUEST
14 TIMESTAMP_REPLY
17 ADDRESS_MASK_REQUEST
18 ADDRESS_MASK_REPLY

10.4.2.2 Illegal Commands (NetBIOS and SMTP)
The only legal NetBIOS commands are the following; all others are illegal.
All SMTP commands are illegal except for those displayed in the following table.

Table 66 Legal SMTP Commands
AUTH DATA EHLO ETRN EXPN HELO HELP MAIL QUIT RCPT RSET SAML SEND SOML TURN VRFY NOOP

10.4.2.3 Traceroute
Traceroute is a utility used to determine the path a packet takes between two endpoints.
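The ICMP alert types of Table 64 and the SMTP allow-list of Table 66 can be checked offline against captured traffic; the following is an added example written for this guide, not ZyWALL firmware, and the sample ICMP packets and SMTP session in it are constructed.

```python
"""Alert checks for the ICMP types of Table 64 and the SMTP allow-list of Table 66.

Added example (not ZyWALL code): it models the two checks the text describes so
they can be run over a packet capture or mail-proxy log offline. All sample
inputs below are constructed.
"""
from typing import Iterable, List, Optional, Tuple

# ICMP types the guide lists as triggering an alert (Table 64).
ICMP_ALERT_TYPES = {
    5: "REDIRECT",
    13: "TIMESTAMP_REQUEST",
    14: "TIMESTAMP_REPLY",
    17: "ADDRESS_MASK_REQUEST",
    18: "ADDRESS_MASK_REPLY",
}

# The only SMTP commands the guide treats as legal (Table 66); all others are illegal.
LEGAL_SMTP_COMMANDS = frozenset(
    "AUTH DATA EHLO ETRN EXPN HELO HELP MAIL QUIT RCPT RSET SAML SEND SOML TURN VRFY NOOP".split()
)


def icmp_alert(icmp_type: int) -> Optional[str]:
    """Return the alert name for an ICMP type, or None if the type is not in Table 64."""
    return ICMP_ALERT_TYPES.get(icmp_type)


def icmp_alerts(packets: Iterable[Tuple[int, str]]) -> List[Tuple[str, str]]:
    """Return (source, alert_name) for each (icmp_type, source) packet in Table 64."""
    return [(src, ICMP_ALERT_TYPES[t]) for t, src in packets if t in ICMP_ALERT_TYPES]


def illegal_smtp_commands(session_lines: Iterable[str]) -> List[Tuple[int, str]]:
    """Return (line_number, verb) for every client command not in Table 66.

    Lines between DATA and the lone '.' terminator are message content, not
    commands, so they are skipped; otherwise a body line such as
    'Subject: hello' would be reported as an illegal command.
    """
    findings = []
    in_data = False
    for line_no, raw in enumerate(session_lines, start=1):
        line = raw.rstrip("\r\n")
        if in_data:
            if line == ".":
                in_data = False
            continue
        if not line.strip():
            continue
        # The command verb is the first token and is case-insensitive.
        verb = line.split(None, 1)[0].upper()
        if verb == "DATA":
            in_data = True
        if verb not in LEGAL_SMTP_COMMANDS:
            findings.append((line_no, verb))
    return findings


# Constructed sample: the client side of one SMTP session as seen by a proxy.
SAMPLE_SMTP_SESSION = [
    "EHLO mail.example.com",
    "STARTTLS",                        # RFC 3207 command, not in Table 66
    "MAIL FROM:<alice@example.com>",
    "RCPT TO:<bob@example.com>",
    "DATA",
    "Subject: hello",                  # message body, must not be flagged
    "NOT A COMMAND",
    ".",
    "XEXCH50 1000 2",                  # vendor extension, not in Table 66
    "QUIT",
]

# Constructed sample: (icmp_type, source address) pairs from a capture.
SAMPLE_ICMP_PACKETS = [(8, "10.0.0.5"), (5, "10.0.0.9"), (0, "10.0.0.5"), (17, "10.0.0.9")]

if __name__ == "__main__":
    for line_no, verb in illegal_smtp_commands(SAMPLE_SMTP_SESSION):
        print(f"SMTP line {line_no}: illegal command {verb}")
    for src, name in icmp_alerts(SAMPLE_ICMP_PACKETS):
        print(f"ICMP alert from {src}: {name}")
```

Table 66 predates STARTTLS (RFC 3207), so a strict allow-list copied from it flags a TLS-capable client, as the sample shows.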
Figure 93 Stateful Inspection

The previous figure shows the ZyWALL’s default firewall rules in action and demonstrates how stateful inspection works. User A can initiate a Telnet session from within the LAN and responses to this request are allowed. However, other Telnet traffic initiated from the WAN is blocked.

10.5.
temporary entries might be modified, in order to permit only packets that are valid for the current state of the connection.
8 Any additional inbound or outbound packets that belong to the connection are inspected to update the state table entry and to modify the temporary inbound access list entries as required, and are forwarded through the interface.
If an initiation packet originates on the LAN, this means that someone is trying to make a connection from the LAN to the Internet. Assuming that this is an acceptable part of the security policy (as is the case with the default policy), the connection will be allowed. A cache entry is added which includes connection information such as IP addresses, TCP ports, sequence numbers, etc.
Any protocol that operates in this way must be supported on a case-by-case basis. You can use the web configurator’s Custom Services feature to do this.

10.6 Guidelines For Enhancing Security With Your Firewall
1 Change the default password via SMT or web configurator.
2 Think about access control before you connect a console port to the network in any way, including attaching a modem to the port.
10.7.2 Firewall
• The firewall inspects packet contents as well as their source and destination addresses. Firewalls of this type employ an inspection module, applicable to all protocols, that understands that data in the packet is intended for other layers, from the network layer (IP headers) up to the application layer.
• The firewall performs stateful inspection.
CHAPTER 11 Firewall Screens
This chapter shows you how to configure your ZyWALL firewall.

11.1 Access Methods
The web configurator is, by far, the most comprehensive firewall configuration tool your ZyWALL has to offer. For this reason, it is recommended that you configure your firewall using the web configurator. SMT screens allow you to activate the firewall.
• WLAN to WAN
By default, the ZyWALL’s stateful packet inspection drops packets traveling in the following directions:
• WAN to LAN
• WAN to WAN/ZyWALL: This prevents computers on the WAN from using the ZyWALL as a gateway to communicate with other computers on the WAN and/or managing the ZyWALL.
• WAN to WLAN: This drops any packets travelling from the WAN to the WLAN and creates a log.
11.3 Rule Logic Overview
Note: Study these points carefully before configuring rules.

11.3.1 Rule Checklist
1 State the intent of the rule. For example, “This restricts all IRC access from the LAN to the Internet.” Or, “This allows a remote Lotus Notes server to synchronize over the Internet to an inside Notes server.”
2 Is the intent of the rule to forward or block traffic?
3 What direction of traffic does the rule apply to (see Section 10.
11.3.3.2 Service
Select the service from the Service scrolling list box. If the service is not listed, it is necessary to first define it. See Section 11.11.2 on page 229 for more information on predefined services.

11.3.3.3 Source Address
What is the connection’s source address; is it on the LAN, DMZ, WLAN or WAN? Is it a single IP, a range of IPs or a subnet?

11.3.3.
Figure 94 LAN to WAN Traffic

11.4.2 WAN To LAN Rules
The default rule for WAN to LAN traffic blocks all incoming connections (WAN to LAN). If you wish to allow certain WAN users to have access to your LAN, you will need to create custom rules to allow it. See the following figure.

Figure 95 WAN to LAN Traffic

11.5 Alerts
Alerts are reports on events, such as attacks, that you may want to know about right away.
11.6 Firewall Default Rule (Router Mode)
Click SECURITY, FIREWALL to open the Default Rule screen. Enable (or activate) the firewall by selecting the Enable Firewall check box. Use this screen to configure general firewall settings when the ZyWALL is set to router mode.

Figure 96 Default Rule (Router Mode)

The following table describes the labels in this screen.
Table 67 Default Rule (Router Mode) (continued)
Packet Direction: This is the direction of travel of packets (LAN to LAN/ZyWALL, LAN to WAN, LAN to DMZ, LAN to WLAN, WAN to LAN, WAN to WAN/ZyWALL, WAN to DMZ, WAN to WLAN, DMZ to LAN, DMZ to WAN, DMZ to DMZ/ZyWALL, DMZ to WLAN, WLAN to LAN, WLAN to WAN, WLAN to DMZ or WLAN to WLAN/ZyWALL). Firewall rules are grouped based on the direction of travel of packets to which they apply.
Figure 97 Default Rule (Bridge Mode)

The following table describes the labels in this screen.

Table 68 Default Rule (Bridge Mode)
Enable Firewall: Select this check box to activate the firewall. The ZyWALL performs access control and protects against Denial of Service (DoS) attacks when the firewall is activated.
Table 68 Default Rule (Bridge Mode) (continued)
Log Broadcast Frame: Select the check box to create a log for any Layer 2 broadcast frames that are traveling in the selected direction.
Apply: Click Apply to save your changes back to the ZyWALL.
Reset: Click Reset to begin configuring this screen afresh.

11.8 Firewall Rule Summary
Click SECURITY, FIREWALL, then the Rule Summary tab to open the screen. This screen displays a list of the configured firewall rules.
Table 69 Rule Summary
The following read-only fields summarize the rules you have created that apply to traffic traveling in the selected packet direction. The firewall rules that you configure (summarized below) take priority over the general firewall action settings above.
#: This is your firewall rule number. The ordering of your rules is important as rules are applied in turn.
Figure 99 Firewall Edit Rule
The following table describes the labels in this screen.

Table 70 Firewall Edit Rule
Rule Name: Enter a descriptive name of up to 31 printable ASCII characters (except Extended ASCII characters) for the firewall rule. Spaces are allowed.
Edit Source/Destination Address
Address Type: Do you want your rule to apply to packets with a particular (single) IP, a range of IP addresses (for example 192.168.1.10 to 192.169.1.
11.9 Anti-Probing
If an outside user attempts to probe an unsupported port on your ZyWALL, an ICMP response packet is automatically returned. This allows the outside user to know the ZyWALL exists. The ZyWALL supports anti-probing, which prevents the ICMP response packet from being sent. This keeps outsiders from discovering your ZyWALL when unsupported ports are probed.
11.10 Firewall Threshold
In the Threshold screen, shown later, you may choose to generate an alert whenever an attack is detected. For DoS attacks, the ZyWALL uses thresholds to determine when to drop sessions that do not become fully established. These thresholds apply globally to all sessions. You can use the default threshold values, or you can change them to values more suitable to your security requirements.

11.10.
ZyWALL 5/35/70 Series User’s Guide When the rate of new connection attempts rises above a threshold (one-minute high), the ZyWALL starts deleting half-open sessions as required to accommodate new connection requests. The ZyWALL continues to delete half-open sessions as necessary, until the rate of new connection attempts drops below another threshold (one-minute low). The rate is the number of new attempts detected in the last one-minute sample period. 11.10.2.
Figure 101 Firewall Threshold
The following table describes the labels in this screen.
Table 72 Firewall Threshold
Disable DoS Attack Protection on: Select the check box of an interface to which the ZyWALL does not apply the thresholds. This disables DoS protection on the selected interface.
Denial of Service Thresholds
One Minute Low: This is the rate of new half-open sessions that causes the firewall to stop deleting half-open sessions.
Maximum Incomplete High: This is the number of existing half-open sessions that causes the firewall to start deleting half-open sessions. When the number of existing half-open sessions rises above this number, the ZyWALL deletes half-open sessions as required to accommodate new connection requests. Do not set Maximum Incomplete High lower than the current Maximum Incomplete Low number.
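The threshold behaviour described in Section 11.10 and Table 72, as an added worked example (not ZyWALL code): a High value starts eviction of half-open sessions and a Low value stops it, on both the one-minute rate and the count of sessions held. The threshold numbers, the 60-second window and the "evict the oldest half-open session to make room" policy are assumptions for the demonstration, not the ZyWALL's shipped defaults.

```python
"""Half-open session control with the two threshold pairs from the Firewall
Threshold screen: a High value that starts eviction and a Low value that
stops it (hysteresis), on both the one-minute rate and the held count.

Added example, not ZyWALL code.  Threshold defaults here are assumed values
for the demonstration, not the ZyWALL's shipped defaults.
"""
from collections import OrderedDict, deque

WINDOW_SECONDS = 60.0   # the "one-minute" sample period


class HalfOpenLimiter:
    def __init__(self, one_minute_high=100, one_minute_low=80,
                 max_incomplete_high=100, max_incomplete_low=80):
        # The screen's own rule: a High threshold must not be lower than its Low threshold.
        if one_minute_high < one_minute_low or max_incomplete_high < max_incomplete_low:
            raise ValueError("a High threshold must not be set lower than its Low threshold")
        self.one_minute_high, self.one_minute_low = one_minute_high, one_minute_low
        self.max_incomplete_high, self.max_incomplete_low = max_incomplete_high, max_incomplete_low
        self.attempts = deque()           # timestamps of new attempts inside the sample window
        self.half_open = OrderedDict()    # flow -> start time, oldest first
        self.deleting = False             # True while the device is evicting half-open sessions
        self.evicted = 0

    def rate(self, now):
        """Number of new connection attempts seen in the last WINDOW_SECONDS."""
        while self.attempts and now - self.attempts[0] >= WINDOW_SECONDS:
            self.attempts.popleft()
        return len(self.attempts)

    def new_attempt(self, flow, now):
        """A SYN for `flow` arrived at `now`.  Returns True if an older half-open session was dropped."""
        self.attempts.append(now)
        rate, held = self.rate(now), len(self.half_open)
        # Start when either High threshold is exceeded; stop only once both Low thresholds are met.
        if not self.deleting and (rate > self.one_minute_high or held > self.max_incomplete_high):
            self.deleting = True
        elif self.deleting and rate < self.one_minute_low and held < self.max_incomplete_low:
            self.deleting = False
        dropped = False
        if self.deleting and self.half_open:
            self.half_open.popitem(last=False)   # assumed policy: the oldest half-open session goes first
            self.evicted += 1
            dropped = True
        self.half_open[flow] = now
        return dropped

    def completed(self, flow):
        """Handshake finished or session torn down: no longer half-open."""
        self.half_open.pop(flow, None)


def simulate_syn_flood(n_syns, seconds, **thresholds):
    """Constructed input: n_syns attempts spread evenly over `seconds`, none of which complete."""
    limiter = HalfOpenLimiter(**thresholds)
    peak = 0
    for i in range(n_syns):
        flow = ("198.51.100.%d" % (i % 250), 40000 + i, "10.0.0.80", 80)
        limiter.new_attempt(flow, i * seconds / n_syns)
        peak = max(peak, len(limiter.half_open))
    return {"peak_half_open": peak, "evicted": limiter.evicted, "deleting": limiter.deleting}


if __name__ == "__main__":
    print(simulate_syn_flood(150, 10))
```

With the assumed defaults a flood of 150 SYNs in ten seconds crosses One Minute High at the 101st attempt; from then on every new SYN costs the oldest half-open session its slot, so the table never grows past 100 and legitimate connections that do complete their handshake are unaffected. Eviction stops only when the rate and the held count are both back under their Low values, which is what keeps the device from flapping around a single threshold.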
Figure 102 Firewall Service
The following table describes the labels in this screen.
Table 73 Firewall Service
Custom Service: This table shows all configured custom services.
#: This is the index number of the custom service.
Service Name: This is the name of the service.
Protocol: This is the IP protocol type. If you selected Custom, this is the IP protocol value you entered.
Add: Click this button to bring up the screen that you use to configure a new custom service that is not in the predefined list of services.
Predefined Service: This table shows all the services that are already configured for use in firewall rules. See Section 11.11.2 on page 229 for more on the services.
#: This is the index number of the predefined service.
Service Name: This is the name of the service.

Table 74 Firewall Edit Custom Service
Type/Code: This field is available only when you select ICMP in the IP Protocol field. ICMP messages are identified by their type and, in some cases, a code. Enter the type number in the Type field; to match a specific code as well, select the Code radio button and enter the code number.
Apply: Click Apply to save your customized settings and exit this screen.
Cancel: Click Cancel to exit this screen without saving.
Table 75 Predefined Services (continued)
IMAP(TCP/UDP:143): Internet Message Access Protocol (IMAP) is used to access mail stored on a remote mail server over a TCP/IP connection using port 143. Unlike POP3, IMAP leaves messages on the server and lets a client fetch only the parts of a mailbox it needs. IMAP on port 143 is unencrypted unless the client negotiates STARTTLS.
IMAPS(TCP/UDP:993): IMAP over TLS/SSL (IMAPS) is a secure protocol (that encrypts IMAP traffic) for receiving mail using a TLS/SSL connection.
AX.25(AX.25:0): AX.25 (Amateur X.25, an "Amateur" version of X.
SIP-V2(UDP:5060): The Session Initiation Protocol (SIP) is an application-layer control (signaling) protocol that handles the setting up, altering and tearing down of voice and multimedia sessions over the Internet. SIP is used in VoIP (Voice over IP), the sending of voice signals over the Internet Protocol.
SMTP(TCP:25): Simple Mail Transfer Protocol is the message-exchange standard for the Internet.
Figure 104 Service
2 Configure it as follows and click Apply.
Figure 105 Edit Custom Service Example
3 Click the Rule Summary tab. Select WAN to LAN from the Packet Direction drop-down list box.
4 In the Rule Summary screen, type the index number for where you want to put the rule. For example, if you type 6, your new rule becomes number 6 and the previous rule 6 (if there is one) becomes rule 7.
5 Click Insert to display the firewall rule configuration screen.
Figure 106 Rule Summary
6 Enter the name of the firewall rule.
7 Select Any in the Destination Address(es) box and then click Delete, so that the rule applies only to the addresses you add in the next step rather than to every LAN host.
8 Configure the destination address screen as follows and click Add.
Figure 107 Rule Edit Example
9 In the Edit Rule screen, use the arrows between Available Services and Selected Service(s) to configure it as follows. Click Apply when you are done.
Note: Custom services show up with an * before their names in the Services list box and the Rule Summary list box.
Figure 109 My Service Example Rule Summary
Rule 1: Allows a My Service connection from the WAN to IP addresses 10.0.0.10 through 10.0.0.15 on the LAN.
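The rule evaluation that the Rule Summary and Edit Rule screens configure, as an added example (not ZyWALL code): ordered rules per packet direction, first match wins, address specifications as single, range or subnet, services by protocol and port, and the screen's 1-based Insert that shifts later rules down. The page names the custom service "My Service" but never shows its definition, so its port (TCP 8080) is an assumption, as are the addresses in the constructed packets.

```python
"""First-match firewall rule evaluation with ordered rules, address ranges
and a custom service, following the Rule Summary / Edit Rule screens.

Added example, not ZyWALL code.  The port given to "My Service" (TCP 8080)
is an assumption: the page names the service but not its definition.
"""
import ipaddress


class Service:
    def __init__(self, name, protocol, port_range=None, custom=False):
        self.name = name
        self.protocol = protocol.lower()
        self.port_range = port_range          # (low, high) or None for any port
        self.custom = custom

    def label(self):
        # custom services are listed with a leading * in the screens
        return ("*" if self.custom else "") + self.name

    def matches(self, packet):
        if packet["protocol"].lower() != self.protocol:
            return False
        if self.port_range is None:
            return True
        low, high = self.port_range
        return low <= packet["dport"] <= high


def address_matches(spec, ip):
    """spec is 'any', a single address, a 'low-high' range, or a CIDR subnet."""
    addr = ipaddress.ip_address(ip)
    if spec == "any":
        return True
    if "-" in spec:
        low, high = (ipaddress.ip_address(s.strip()) for s in spec.split("-", 1))
        if high < low:
            raise ValueError("range end is lower than range start: %s" % spec)
        return low <= addr <= high
    if "/" in spec:
        return addr in ipaddress.ip_network(spec, strict=False)
    return addr == ipaddress.ip_address(spec)


class Rule:
    def __init__(self, name, src, dst, services, action, log=False):
        # Rule Name: up to 31 printable ASCII characters, spaces allowed
        if len(name) > 31 or not name.isascii() or not name.isprintable():
            raise ValueError("rule name must be up to 31 printable ASCII characters")
        self.name, self.src, self.dst = name, src, dst
        self.services, self.action, self.log = services, action, log

    def matches(self, packet):
        return (address_matches(self.src, packet["src"])
                and address_matches(self.dst, packet["dst"])
                and any(s.matches(packet) for s in self.services))


class Firewall:
    def __init__(self):
        self.rules = {}      # packet direction -> ordered list of Rule
        self.defaults = {}   # packet direction -> default action

    def set_default(self, direction, action):
        self.defaults[direction] = action

    def insert(self, direction, index, rule):
        """1-based index as in the Rule Summary screen: inserting at 6 makes the old rule 6 into rule 7."""
        self.rules.setdefault(direction, []).insert(index - 1, rule)

    def summary(self, direction):
        return [(i + 1, r.name, r.action, [s.label() for s in r.services])
                for i, r in enumerate(self.rules.get(direction, []))]

    def check(self, direction, packet):
        """Rules are tried in order; the first match decides.  Returns (action, rule name)."""
        for rule in self.rules.get(direction, []):
            if rule.matches(packet):
                return rule.action, rule.name
        return self.defaults.get(direction, "block"), "default"


def demo():
    """Constructed scenario: the My Service example, then a broader rule inserted ahead of it."""
    my_service = Service("My Service", "tcp", (8080, 8080), custom=True)   # port is an assumption
    fw = Firewall()
    fw.set_default("WAN to LAN", "block")
    fw.insert("WAN to LAN", 1, Rule("My Service", "any", "10.0.0.10-10.0.0.15", [my_service], "permit", log=True))

    inside = {"src": "203.0.113.9", "dst": "10.0.0.12", "protocol": "tcp", "dport": 8080}
    outside = dict(inside, dst="10.0.0.20")
    wrong_port = dict(inside, dport=22)
    before = [fw.check("WAN to LAN", p) for p in (inside, outside, wrong_port)]

    # Insert a block rule at position 1: the permit rule becomes rule 2 and can no longer fire.
    fw.insert("WAN to LAN", 1, Rule("Block My Service", "any", "any", [my_service], "block"))
    after = fw.check("WAN to LAN", inside)
    return before, after, fw.summary("WAN to LAN")


if __name__ == "__main__":
    for item in demo():
        print(item)
```

The second half of demo() is the ordering point from Table 69: once a rule that blocks My Service from anywhere sits at position 1, the permit rule below it is dead configuration even though it is still listed, which is the kind of mistake to look for when a rule "does not work".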
CHAPTER 12 Intrusion Detection and Prevention (IDP)
This chapter introduces some background information on IDP. Skip to the next chapter to see how to configure IDP on your ZyWALL.
12.1 Introduction to IDP
An IDP system can detect malicious or suspicious packets and respond instantaneously. It can detect anomalies based on violations of protocol standards (RFCs, Requests for Comments) or traffic flows, and abnormal flows such as port scans.

Firewalls are usually deployed at the network edge. However, many attacks are launched from within an organization, often without the knowledge of the user whose machine carries them. Virtual private networks (VPN), removable storage devices and wireless networks may all provide access to the internal network without going through the firewall.
12.1.2 IDS and IDP
An Intrusion Detection System (IDS) can detect suspicious activity, but does not take action against attacks.
12.1.5 Example Intrusions
The following are some examples of intrusions.
12.1.5.1 SQL Slammer Worm
W32.SQLExp.Worm is a worm that targets systems running Microsoft SQL Server 2000 and Microsoft Desktop Engine (MSDE) 2000. The worm sends a single 376-byte packet to UDP port 1434, the SQL Server Resolution Service port. It carries no payload other than its own propagation code, but the sheer number of packets it sends causes a denial of service on the networks it infects.
12.1.5.4 MyDoom
W32.Mydoom.A@mm (also known as W32.Novarg.A) is a mass-mailing worm that arrives as an attachment with a .bat, .cmd, .exe, .pif, .scr or .zip file extension. When a computer is infected, the worm sets up a backdoor into the system by opening TCP ports 3127 through 3198, which can potentially allow an attacker to connect to the computer and use it as a proxy to gain access to its network resources.
CHAPTER 13 Configuring IDP
This chapter shows you how to configure IDP on the ZyWALL.
13.1 Overview
To use IDP on the ZyWALL, you need to insert the ZyWALL Turbo Card into the rear panel slot of the ZyWALL. See the ZyWALL Turbo Card guide for details.
Note: The ZyWALL has no wireless capability when the ZyWALL Turbo Card is in place. The ZyWALL Turbo Card does not have a MAC address. IDP cannot check encrypted traffic such as VPN tunnel traffic.

Figure 111 Applying IDP to Interfaces
13.2 General Setup
Use this screen to enable IDP on the ZyWALL and choose what interface(s) you want to protect from intrusions. Click IDP from the navigation panel. General is the first screen as shown in the following figure.
Figure 112 IDP: General
The following table describes the labels in this screen.
Table 76 IDP: General Setup
General Setup
Enable Intrusion Detection and Protection: Select this check box to enable IDP on the ZyWALL. When this check box is cleared the ZyWALL is in IDP "bypass" mode and no IDP checking is done.
Turbo Card: This field displays whether or not a ZyWALL Turbo Card is installed.
To see signatures listed by intrusion type supported by the ZyWALL, select that type from the Attack Type list box.
Figure 113 Attack Types
The following table describes each attack type.
Table 77 Attack Types
DoS/DDoS: The goal of Denial of Service (DoS) attacks is not to steal information, but to disable a device or network on the Internet.
Virus/Worm: A computer virus is a small program designed to corrupt and/or alter the operation of other legitimate programs. A worm is a program that is designed to copy itself from one computer to another on a network. A worm's uncontrolled replication consumes system resources, slowing or stopping other tasks. The IDP VirusWorm category refers to network-based viruses and worms.

Figure 114 Signature Actions
The following table describes signature actions.
Table 79 Signature Actions
No Action: The intrusion is detected but no action is taken.
Drop Packet: The packet is silently discarded.
Drop Session: When the firewall is enabled, subsequent TCP/IP packets belonging to the same connection are dropped. Neither sender nor receiver is sent a TCP RST packet.
Figure 115 IDP: Signatures
The following table describes the labels in this screen.
Table 80 IDP Signatures: Group View
Signature Groups
Attack Type: Select the type of signatures you want to view from the list box. See Section 13.3.1 on page 242 for information on types of signatures.
Switch to query view: Click this hyperlink to go to a screen where you can search for signatures based on criteria other than attack type.
Log: Select this check box to have a log generated when a match is found for a signature. Select the check box in the heading row to automatically select all check boxes, or clear it to clear all entries on the current page. Alternatively, you may select or clear individual entries. The check box becomes gray when you select it.

Note: A partial name may be searched, but a complete ID number must be entered before a match can be found. For example, a search by name for "w" (in the first example) finds all intrusions that contain this letter in the name field. However, a search by ID for "1" returns no match. You must enter the complete ID as shown in the second example.
4 Click Search.
Figure 117 Signature Query by Complete ID
13.3.5.2 Query Example 2
1 From the "group view" signature screen, click the Switch to query view link.
2 Select Signature Search By Attributes.
3 Select the Severity, Type, Platform, Active, Log, Alert and/or Action items. In this example all severe DDoS type signatures that target the Windows operating system are displayed.
4 Click Search.
Figure 118 Signature Query by Attribute
13.4 Update
The ZyWALL comes with built-in signatures created by the ZyXEL Security Response Team (ZSRT). These are regularly updated as new intrusions evolve. Use the Update screen to immediately download or schedule new signature downloads.
Note: You should have already registered the ZyWALL at myZyXEL.com (http://www.myzyxel.com/myzyxel/) and also have either activated the trial license or standard license (iCard).

13.4.2 Configuring IDP Update
When scheduling signature updates, you should choose a day and time when your network is least busy so as to minimize disruption to your network. Your custom signature configurations are not overwritten when you download new signatures. File-based anti-virus signatures (see the anti-virus chapter) are included with IDP signatures. When you download new signatures using the anti-virus Update screen, IDP signatures are also downloaded.
The following table describes the labels in this screen.
Table 81 Signatures Update
Signature Information
Current Pattern Version: This field displays the signatures version number currently used by the ZyWALL. This number is defined by the ZyXEL Security Response Team (ZSRT) who maintain and update them. This number increments as new signatures are added, so you should refer to this number regularly. Go to https://mysecurity.zyxel.

13.5 Backup and Restore
You can change the pre-defined Active, Log, Alert and/or Action settings of individual signatures.
Figure 120 IDP: Backup & Restore
Use the Backup & Restore screen to:
• Back up IDP signatures with your custom configured settings. Click Backup and then choose a location and filename for the IDP configuration set.
• Restore previously saved IDP signatures (with your custom configured settings).
CHAPTER 14 Anti-Virus
This chapter introduces and shows you how to configure the anti-virus scanner.
14.1 Anti-Virus Overview
A computer virus is a small program designed to corrupt and/or alter the operation of other legitimate programs. A worm is self-replicating malicious code that spreads to other computers over the network on its own, without needing to attach itself to a host program; it typically runs from memory on each machine it reaches.

2 The virus spreads to other files and programs on the computer.
3 The infected files are unintentionally sent to another computer, thus starting the spread of the virus.
4 Once the virus is spread through the network, the number of infected networked computers can grow exponentially.
14.1.3 Types of Anti-Virus Scanner
This section describes two types of anti-virus scanner: host-based and network-based.

14.2.1 How the ZyWALL Anti-Virus Scanner Works
The ZyWALL checks traffic going to the interface(s) you specify for signature matches.
Figure 121 ZyWALL Anti-virus Example
The following describes the virus scanning process on the ZyWALL.
1 The ZyWALL first identifies SMTP, POP3, HTTP and FTP packets through standard ports.
2 If the packets are not session connection setup packets (such as SYN, ACK and FIN), the ZyWALL records the sequence of the packets.

1 The ZyWALL anti-virus scanner cannot detect polymorphic viruses.
2 The ZyWALL does not scan the following file/traffic types:
• Simultaneous downloads of a file using multiple connections. For example, when you use FlashGet to download sections of a file simultaneously.
• Encrypted traffic (such as on a VPN) or password-protected files.
• Traffic through custom (non-standard) ports.
• ZIP file(s) within a ZIP file.
Because only the standard ports are inspected, a file served over HTTP or FTP on a non-standard port, or inside any encrypted connection, passes the ZyWALL unscanned. If you rely on this scanner, restrict outbound traffic to the standard ports with firewall rules and keep host-based scanning in place as well.
The following table describes the labels in this screen.
Table 83 Anti-Virus: General
General Setup
Enable Anti-Virus: Select Enable Anti-Virus to activate the anti-virus feature on the ZyWALL. Clear this check box to disable it.
Note: Before you use the anti-virus feature, you must register for the service (refer to the chapter on registration for more information).

Note: You should have already registered the ZyWALL at myZyXEL.com (http://www.myzyxel.com/myzyxel/) and also have either activated the trial license or standard license (iCard). If your license has expired, you will have to renew it before updates are allowed.
14.4.1 mySecurity Zone
mySecurity Zone is a web portal that provides all security-related information such as intrusion and anti-virus information for ZyXEL security products.
Figure 123 Anti-Virus: Update
The following table describes the labels in this screen.
Table 84 Anti-Virus: Update
Signature Information
Current Pattern Version: This field displays the signatures version number currently used by the ZyWALL. This number is defined by the ZyXEL Security Response Team (ZSRT) who maintain and update them. This number increments as new signatures are added, so you should refer to this number regularly.
Update Now: Click this button to begin downloading signatures from the Update Server immediately.
Auto Update: Select the check box to configure a schedule for automatic signature updates. The Hourly, Daily and Weekly fields display when the check box is selected. The ZyWALL then automatically downloads signatures from the Update Server regularly at the time and/or day you specify.
CHAPTER 15 Anti-Spam
This chapter covers how to use the ZyWALL's anti-spam feature to deal with junk e-mail (spam).
15.1 Anti-Spam Overview
The ZyWALL's anti-spam feature identifies unsolicited commercial or junk e-mail (spam). You can set the ZyWALL to mark or discard spam. The ZyWALL can use an anti-spam external database to help identify spam. Use the whitelist to identify legitimate e-mail. Use the blacklist to identify spam e-mail.

15.1.1.1 SpamBulk Engine
The e-mail fingerprint ID that the ZyWALL generates and sends to the anti-spam external database only includes the parts of the e-mail that are the most difficult for spammers (senders of spam) to change or fake. The anti-spam external database maintains a database of e-mail fingerprint IDs. The anti-spam external database SpamBulk engine then queries the database in analyzing later e-mails.

15.1.1.4 SpamTricks Engine
The SpamTricks engine checks for the tactics that spammers use to minimize the expense of sending lots of e-mail and tactics that they use to bypass spam filters. Use of relays, image-only e-mails, manipulation of mail formats and HTML obfuscation are common tricks for which the SpamTricks engine checks. The SpamTricks engine also checks for "phishing" (see Section 15.1.3 on page 264 for more on phishing).

The anti-spam external database checks for spoofing of e-mail attributes (like the IP address) and uses statistical analysis to detect phishing.
15.1.4 Whitelist
Configure whitelist entries to identify legitimate e-mail. The whitelist entries have the ZyWALL classify any e-mail that is from a specified sender or uses a specified MIME (Multipurpose Internet Mail Extensions) header or MIME header value as being legitimate (see Section 15.1.
Keep in mind that the From address and most MIME headers are set by the sender and are trivially forged, so a whitelist entry for a sender address also admits any spam that spoofs that address. Prefer entries that are hard to guess, and keep the whitelist short.
15.1.7 MIME Headers
MIME (Multipurpose Internet Mail Extensions) allows varied media types to be used in e-mail. MIME headers describe an e-mail's content encoding and type. For example, they may show which program generated the e-mail and what type of text is used in the e-mail body.
The following table describes the labels in this screen.
Table 85 Anti-Spam: General
General Setup
Enable Anti-spam: Select this check box to enable the anti-spam feature.
Note: The anti-spam feature checks all SMTP and POP3 e-mail going through the ZyWALL, regardless of the port on which it arrives or to which it is sent.
Action for Spam Mails: Use this section to set how the ZyWALL is to handle spam mail.

Figure 126 Anti-Spam: External DB
The following table describes the labels in this screen.
Table 86 Anti-Spam: External DB
External Database
Enable External Database: Enable the anti-spam external database feature to have the ZyWALL calculate a digest of an e-mail and send it to an anti-spam external database. The anti-spam external database sends a spam score for the e-mail back to the ZyWALL.
Action for No Spam Score: Use this field to configure what the ZyWALL does if it does not receive a valid response from the anti-spam external database. If the ZyWALL does not receive a response within seven seconds, it sends the e-mail digest a second time. If the ZyWALL still does not receive a response after another seven seconds, it takes the action that you configure here.
Figure 127 Anti-Spam: Lists
The following table describes the labels in this screen.
Table 87 Anti-Spam: Lists
Resource Usage
Whitelist & Blacklist Storage Space in Use: This bar displays the percentage of the ZyWALL's anti-spam whitelist and blacklist storage space that is currently in use. The bar turns from green to red when the maximum is being approached. When the bar is red, you should consider deleting unnecessary entries before adding more.
Insert: Type the index number where you want to put an entry. For example, if you type 6, your new entry becomes number 6 and the previous entry 6 (if there is one) becomes entry 7. Click Insert to display the screen where you edit an entry.
Blacklist
Use Blacklist: Select this check box to have the ZyWALL treat e-mail that matches a blacklist entry as spam.

The following table describes the labels in this screen.
Table 88 Anti-Spam Rule Edit
Rule Edit
Active: Turn this entry on to have the ZyWALL use it as part of the whitelist or blacklist. You must also turn on the use of the corresponding list (in the Anti-Spam Customization screen) and the anti-spam feature (in the Anti-Spam General screen).
Apply: Click Apply to save your settings and exit this screen.
Cancel: Click Cancel to exit this screen without saving.
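The classification pipeline this chapter describes, as one added example (not ZyWALL code) covering the whitelist and blacklist entries of Section 15.1.4 and Tables 87 and 88, the external database digest of Table 86, and the seven-second timeout with a single resend behind "Action for No Spam Score". The digest (SHA-256 over the whitespace-normalised body) stands in for the proprietary fingerprint, the spam-score threshold of 75 is an assumption, and the list entries, messages and database stub are constructed for the run.

```python
"""Whitelist, blacklist and external-database scoring with the timeout/retry
fallback described for "Action for No Spam Score".

Added example, not ZyWALL code.  The digest (SHA-256 of the normalised body)
stands in for the proprietary fingerprint; the 7-second timeout and single
resend follow the text; the score threshold of 75 is an assumption.
"""
import email
import hashlib
import re

SPAM_ACTION = "mark"          # what to do with spam: "mark" (tag the subject) or "discard"
SPAM_TAG = "[Spam]"
SCORE_THRESHOLD = 75          # assumed: scores at or above this count as spam
DB_TIMEOUT = 7.0
DB_RETRIES = 1                # one resend after the first timeout, as the text describes

# Constructed list entries.  Kinds: ("sender", address fragment) or ("header", name, value).
WHITELIST = [("sender", "alice@example.com"), ("header", "X-Mailer", "Corporate Mailer 2.1")]
BLACKLIST = [("sender", "@promo.invalid"), ("header", "Subject", "cheap meds")]


def list_match(msg, entries):
    """Return the first matching entry, or None.  Matching is case-insensitive substring."""
    for entry in entries:
        if entry[0] == "sender":
            if entry[1].lower() in (msg.get("From") or "").lower():
                return entry
        else:
            _, header, value = entry
            if value.lower() in (msg.get(header) or "").lower():
                return entry
    return None


def fingerprint(msg):
    """Digest of the body with whitespace collapsed, so trivial padding changes do not alter it."""
    body = msg.get_payload(decode=True) or b""
    normalised = re.sub(rb"\s+", b" ", body).strip().lower()
    return hashlib.sha256(normalised).hexdigest()


def query_spam_score(digest, lookup, timeout=DB_TIMEOUT, retries=DB_RETRIES):
    """lookup(digest, timeout) returns a score or raises TimeoutError; send up to retries+1 times."""
    for _ in range(retries + 1):
        try:
            return lookup(digest, timeout)
        except TimeoutError:
            continue
    return None


def classify(raw, lookup, no_score_action="forward"):
    """Return (verdict, action, reason).  Whitelist beats blacklist; both beat the external database."""
    msg = email.message_from_string(raw)
    hit = list_match(msg, WHITELIST)
    if hit:
        return "legitimate", "forward", "whitelist %r" % (hit,)
    hit = list_match(msg, BLACKLIST)
    if hit:
        return "spam", SPAM_ACTION, "blacklist %r" % (hit,)
    score = query_spam_score(fingerprint(msg), lookup)
    if score is None:
        return "unknown", no_score_action, "no spam score"
    if score >= SCORE_THRESHOLD:
        return "spam", SPAM_ACTION, "score %d" % score
    return "legitimate", "forward", "score %d" % score


def apply_action(raw, action):
    """Mark (tag the subject) or discard; returns the message text to deliver, or None if discarded."""
    if action == "discard":
        return None
    msg = email.message_from_string(raw)
    if action == "mark":
        subject = msg.get("Subject")
        if subject is None:
            msg["Subject"] = SPAM_TAG
        else:
            msg.replace_header("Subject", SPAM_TAG + " " + subject)
    return msg.as_string()


# Constructed messages and a database stand-in for a stand-alone run.
MAIL_FROM_ALICE = "From: alice@example.com\r\nSubject: lunch\r\n\r\nsee you at 12\r\n"
MAIL_PROMO = "From: deals@promo.invalid\r\nSubject: hello\r\n\r\nbuy now\r\n"
MAIL_UNKNOWN = "From: bob@example.net\r\nSubject: report\r\n\r\nattached\r\n"


class CountingLookup:
    """Stands in for the external database; records how many queries were sent."""

    def __init__(self, score=None):
        self.score, self.calls = score, 0

    def __call__(self, digest, timeout):
        self.calls += 1
        if self.score is None:
            raise TimeoutError("no reply within %.0f s" % timeout)
        return self.score


if __name__ == "__main__":
    db = CountingLookup(None)
    print(classify(MAIL_UNKNOWN, db), "queries sent:", db.calls)
```

The CountingLookup with no score shows the fallback path from Table 86: two queries go out seven seconds apart, and only then does the configured no-score action apply. Setting that action to "discard" is the fail-closed choice; it also means an outage of the external database silently drops every message that neither list covers, which is why most deployments leave it at forward and rely on the lists for the mail they cannot afford to lose.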
CHAPTER 16 Content Filtering Screens
This chapter provides an overview of content filtering.
16.1 Content Filtering Overview
Content filtering allows you to block certain web features, such as cookies, and/or restrict specific websites. With content filtering, you can do the following:
16.1.1 Restrict Web Features
The ZyWALL can block web features such as ActiveX controls, Java applets and cookies, and can disable web proxies.

Figure 129 Content Filter: General
The following table describes the labels in this screen.
Table 89 Content Filter: General
General Setup
Enable Content Filter: Select this check box to enable the content filter.
Restrict Web Features: Select the check box(es) to restrict a feature. When you download a page containing a restricted feature, that part of the web page will appear blank or grayed out.
Web Proxy: A server that acts as an intermediary between a user and the Internet to provide security, administrative control, and caching service. When a proxy server is located on the WAN it is possible for LAN users to circumvent content filtering by pointing to this proxy server.
Schedule to Block: Content filtering scheduling applies to the Filter List, Customized sites and Keywords.
Figure 130 Content Filtering Lookup Procedure
1 A computer behind the ZyWALL tries to access a web site.
2 The ZyWALL looks up the web site in its cache. If an attempt to access the web site was made in the past, a record of that web site's category will be in the ZyWALL's cache. The ZyWALL blocks, blocks and logs, or just logs the request based on your configuration.

Figure 131 Content Filter: Categories
The following table describes the labels in this screen.
Table 90 Content Filter: Categories
Auto Category Setup
Enable External Database Content Filtering: Enable external database content filtering to have the ZyWALL check an external database to find to which category a requested web page belongs. The ZyWALL then blocks or forwards access to the web page depending on the configuration of the rest of this page.
Unrated Web Pages: Select Block to prevent users from accessing web pages that the external database content filtering has not categorized. When the external database content filtering blocks access to a web page, it displays the denied access message that you configured in the CONTENT FILTER General screen along with the category of the blocked web page.
Table 90 Content Filter: Categories (continued)
Alcohol/Tobacco: Selecting this category excludes pages that promote or offer the sale of alcohol/tobacco products, or provide the means to create them. It also includes pages that glorify, tout, or otherwise encourage the consumption of alcohol/tobacco. It does not include pages that sell alcohol or tobacco as a subset of other products.
Education: Selecting this category excludes pages that offer educational information, distance learning and trade school information or programs. It also includes pages that are sponsored by schools, educational facilities, faculty, or alumni groups.
News/Media: Selecting this category excludes pages that primarily report information or comments on current events or contemporary issues of the day. It also includes radio stations and magazines. It does not include pages that can be rated in other categories.
Personals/Dating: Selecting this category excludes pages that promote interpersonal relationships.
Humor/Jokes: Selecting this category excludes pages that primarily focus on comedy, jokes, fun, etc. This may include pages containing jokes of an adult or mature nature. Pages containing humorous Adult/Mature content also have an Adult/Mature category rating.
16.5 Content Filter Customization
Click SECURITY, CONTENT FILTER, then the Customization tab to display the CONTENT FILTER Customization screen. You can create a list of good (allowed) web site addresses and a list of bad (blocked) web site addresses. You can also block web sites based on whether the web site's address contains a keyword. Use this screen to add or remove specific sites or keywords from the filter list.
The following table describes the labels in this screen.
Table 91 Content Filter: Customization
Web Site List Customization
Enable Web site customization: Select this check box to allow trusted web sites and block forbidden web sites. Content filter list customization may be enabled and disabled without re-entering these site names.
Add: Click this button when you have finished entering the keyword in the field above.
Delete: Select a keyword from the Keyword List, and then click this button to delete it from that list.
Apply: Click Apply to save your changes back to the ZyWALL.
Reset: Click Reset to begin configuring this screen afresh.

Use the ip urlfilter customize actionFlags 8 [disable | enable] command to extend (or not extend) the keyword blocking search to include the URL's complete filename.
16.7 Content Filtering Cache
Click SECURITY, CONTENT FILTER, then the Cache tab to display the CONTENT FILTER Cache screen. Use this screen to view and configure your ZyWALL's URL caching.
The following table describes the labels in this screen.
Table 92 Content Filter: Cache
URL Cache Setup
Maximum TTL: Type the maximum time to live (TTL) (1 to 720 hours). This sets how long the ZyWALL is to allow an entry to remain in the URL cache before discarding it. A long TTL reduces lookups to the external database, but a site whose rating changes keeps its old category on the ZyWALL until the cached entry expires.
Apply: Click Apply to save your changes back to the ZyWALL.
Reset: Click Reset to begin configuring this screen afresh.
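The lookup procedure of Figure 130 together with the Customization and Cache screens, as one added example (not ZyWALL code): trusted and forbidden sites, keyword matching on the host name with an option that extends it to the path like actionFlags 8, a URL cache whose entries expire after Maximum TTL, an external category lookup, and the Unrated Web Pages policy. The order in which the custom lists, keywords, cache and database are consulted is an assumption; the rating service is replaced by a constructed table and the clock is injectable so the TTL expiry can be exercised without waiting.

```python
"""Content filter decision: customised trusted/forbidden sites and keywords,
then the URL cache, then the external category database, with cache entries
expiring after Maximum TTL.

Added example, not ZyWALL code.  The precedence between custom lists,
keywords, cache and database is an assumption; the rating service is a
constructed lookup table.
"""
import time
from urllib.parse import urlsplit

BLOCKED_CATEGORIES = {"Alcohol/Tobacco", "Adult/Mature"}   # categories ticked in the Categories screen
BLOCK_UNRATED = True                                        # "Unrated Web Pages: Block"
TRUSTED_SITES = {"intranet.example.com"}                    # constructed customisation entries
FORBIDDEN_SITES = {"bad.example.net"}
KEYWORDS = ["casino"]
UNRATED = "Unrated"


def _split(url):
    return urlsplit(url if "://" in url else "http://" + url)


class UrlCache:
    """host -> category, discarded once older than the Maximum TTL (1 to 720 hours)."""

    def __init__(self, max_ttl_hours, clock=time.time):
        if not 1 <= max_ttl_hours <= 720:
            raise ValueError("Maximum TTL must be between 1 and 720 hours")
        self.ttl_seconds = max_ttl_hours * 3600
        self.clock = clock
        self.entries = {}

    def get(self, host):
        entry = self.entries.get(host)
        if entry is None:
            return None
        category, stored_at = entry
        if self.clock() - stored_at >= self.ttl_seconds:
            del self.entries[host]      # expired: force a fresh lookup
            return None
        return category

    def put(self, host, category):
        self.entries[host] = (category, self.clock())


def keyword_hit(url, match_full_path=False):
    """Keyword blocking looks at the host name; with match_full_path (actionFlags 8 enable) the path too."""
    parts = _split(url)
    haystack = parts.netloc.lower() + (parts.path.lower() if match_full_path else "")
    return next((kw for kw in KEYWORDS if kw.lower() in haystack), None)


class ContentFilter:
    def __init__(self, rate, cache, match_full_path=False):
        self.rate = rate                  # rate(host) -> category name, UNRATED if unknown
        self.cache = cache
        self.match_full_path = match_full_path
        self.db_queries = 0

    def decide(self, url):
        """Return ("forward" | "block", reason)."""
        host = _split(url).hostname
        if host in TRUSTED_SITES:
            return "forward", "trusted site"
        if host in FORBIDDEN_SITES:
            return "block", "forbidden site"
        kw = keyword_hit(url, self.match_full_path)
        if kw:
            return "block", "keyword %r" % kw
        category, source = self.cache.get(host), "cache"
        if category is None:
            self.db_queries += 1
            category, source = self.rate(host), "external database"
            self.cache.put(host, category)
        if category == UNRATED:
            return ("block" if BLOCK_UNRATED else "forward"), "unrated (%s)" % source
        if category in BLOCKED_CATEGORIES:
            return "block", "%s (%s)" % (category, source)
        return "forward", "%s (%s)" % (category, source)


# Constructed rating table standing in for the external database.
RATINGS = {"news.example.org": "News/Media", "brew.example.org": "Alcohol/Tobacco"}


def constructed_rate(host):
    return RATINGS.get(host, UNRATED)


if __name__ == "__main__":
    cf = ContentFilter(constructed_rate, UrlCache(72))
    for u in ("http://news.example.org/today", "http://brew.example.org/", "http://casino.example.com/"):
        print(u, cf.decide(u))
```

Two things worth checking against your own configuration: an unrated result is cached like any other, so a newly rated site stays "unrated" (and blocked, with the setting above) until the TTL runs out; and with the keyword search limited to the host name, a page such as news.example.org/casino.html is allowed on the strength of its host's category, which is exactly what the actionFlags 8 command changes.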
CHAPTER 17 Content Filtering Reports
This chapter describes how to view content filtering reports after you have activated the category-based content filtering subscription service. See Chapter 4 on page 100 on how to create a myZyXEL.com account, register your device and activate the subscription services using the REGISTRATION screens.

Figure 134 myZyXEL.com: Login
3 A welcome screen displays. Click your ZyWALL's model name and/or MAC address under Registered ZyXEL Products. You can change the descriptive name for your ZyWALL using the Rename button in the Service Management screen (see Figure 136 on page 292).
Figure 135 myZyXEL.com: Welcome
4 In the Service Management screen click Content Filter in the Service Name field to open the Blue Coat login screen.
Figure 136 myZyXEL.com: Service Management
5 Enter your ZyXEL device's MAC address (in lower case) in the Name field. You can find this MAC address in the Service Management screen (Figure 136 on page 292). Type your myZyXEL.com account password in the Password field.
6 Click Submit.
Figure 137 Blue Coat: Login
7 In the Web Filter Home screen, click the Reports tab.
Figure 138 Content Filtering Reports Main Screen
8 Select items under Global Reports or Single User Reports to view the corresponding reports.
Figure 139 Blue Coat: Report Home
9 Select a time period in the Date Range field, either Allowed or Blocked in the Action Taken field and a category (or enter the user name if you want to view single user reports) and click Run Report. The screens vary according to the report type you selected in the Report Home screen.
Figure 140 Global Report Screen Example
11 You can click a category in the Categories report or click URLs in the Report Home screen to see the URLs that were requested.
Figure 141 Requested URLs Example
17.3 Web Site Submission
You may find that a web site has not been accurately categorized or that a web site's contents have changed and the content filtering category needs to be updated. Use the following procedure to submit the web site for review.
1 Log into the content filtering reports web site (see Section 17.2 on page 290).
Figure 142 Web Page Review Process Screen
3 Type the web site's URL in the field and click Submit to have the web site reviewed.
CHAPTER 18 Introduction to IPSec
This chapter introduces the basics of IPSec VPNs.
18.1 VPN Overview
A VPN (Virtual Private Network) provides secure communications between sites without the expense of leased site-to-site lines. A secure VPN is a combination of tunneling, encryption, authentication, access control and auditing technologies/services used to transport traffic over the Internet or any insecure network that uses the TCP/IP protocol suite for communication.
Figure 143 Encryption and Decryption
18.1.3.2 Data Confidentiality
The IPSec sender can encrypt packets before transmitting them across a network.
18.1.3.3 Data Integrity
The IPSec receiver can validate packets sent by the IPSec sender to ensure that the data has not been altered during transmission.
18.1.3.4 Data Origin Authentication
The IPSec receiver can verify the source of IPSec packets. This service depends on the data integrity service.
18.1.
18.2 IPSec Architecture
The overall IPSec architecture is shown as follows.
Figure 144 IPSec Architecture
18.2.1 IPSec Algorithms
The ESP (Encapsulating Security Payload) protocol (RFC 2406) and the AH (Authentication Header) protocol (RFC 2402) describe the packet formats and the default standards for packet structure (including implementation algorithms).
Figure 145 Transport and Tunnel Mode IPSec Encapsulation
18.3.1 Transport Mode
Transport mode is used to protect upper layer protocols and only affects the data in the IP packet. In Transport mode, the IP packet contains the security protocol (AH or ESP) located after the original IP header and options, but before any upper layer protocols contained in the packet (such as TCP and UDP).
NAT is incompatible with the AH protocol in both Transport and Tunnel mode. An IPSec VPN using the AH protocol digitally signs the outbound packet, both data payload and headers, by appending a hash value to the packet. When the AH protocol is used, the packet contents (the data payload) are not encrypted. A NAT device between the IPSec endpoints rewrites either the source or destination address with one of its own choosing.
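To make the AH and NAT incompatibility concrete, here is an added Python model (not ZyNOS code) of how an AH integrity check covers the IP addresses but skips the mutable TTL and checksum fields: an ordinary router hop still verifies, while a NAT rewrite of the source address does not. The key, addresses and payload are constructed sample values, and the mutable-field handling is simplified to TTL and header checksum.

```python
import hashlib
import hmac
import ipaddress
import struct

# Constructed demo key; a real AH key comes from IKE or manual keying.
AH_KEY = b"constructed-demo-ah-key"
IPPROTO_AH = 51


def ipv4_checksum(hdr: bytes) -> int:
    """One's-complement checksum over a 20-byte header whose checksum field is zero."""
    total = sum(struct.unpack("!10H", hdr))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def with_checksum(hdr: bytes) -> bytes:
    """Return the header with its checksum field recomputed."""
    zeroed = hdr[:10] + b"\x00\x00" + hdr[12:]
    return zeroed[:10] + struct.pack("!H", ipv4_checksum(zeroed)) + zeroed[12:]


def ipv4_header(src: str, dst: str, ttl: int, total_len: int) -> bytes:
    """Minimal 20-byte IPv4 header (no options) whose next protocol is AH."""
    raw = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0, 0, ttl, IPPROTO_AH, 0,
                      ipaddress.IPv4Address(src).packed,
                      ipaddress.IPv4Address(dst).packed)
    return with_checksum(raw)


def ah_icv(hdr: bytes, payload: bytes) -> bytes:
    """AH integrity check value. Mutable fields (here: TTL and header checksum)
    are zeroed before hashing; source and destination addresses are immutable
    and therefore covered, which is exactly what a NAT rewrite breaks.
    Simplified: a real AH also zeroes TOS, flags and fragment offset."""
    immutable = hdr[:8] + b"\x00" + hdr[9:10] + b"\x00\x00" + hdr[12:]
    # HMAC-SHA1-96: keyed hash truncated to 96 bits, as carried in the AH header.
    return hmac.new(AH_KEY, immutable + payload, hashlib.sha1).digest()[:12]


def forward_hop(hdr: bytes) -> bytes:
    """An ordinary router: decrement TTL and refresh the header checksum."""
    return with_checksum(hdr[:8] + bytes([hdr[8] - 1]) + hdr[9:])


def nat_rewrite_source(hdr: bytes, new_src: str) -> bytes:
    """A NAT router: replace the source address, then refresh the checksum."""
    return with_checksum(hdr[:12] + ipaddress.IPv4Address(new_src).packed + hdr[16:])


def receiver_accepts(hdr: bytes, payload: bytes, icv: bytes) -> bool:
    """The IPSec receiver recomputes the ICV over the packet as it arrived."""
    return hmac.compare_digest(ah_icv(hdr, payload), icv)


def ah_demo() -> tuple:
    """Returns (accepted after a plain router hop, accepted after a NAT rewrite)."""
    payload = b"constructed TCP segment"  # AH leaves the payload unencrypted
    hdr = ipv4_header("192.168.1.10", "203.0.113.5", 64, 20 + 24 + len(payload))
    icv = ah_icv(hdr, payload)  # computed by the sender before transmission
    direct = receiver_accepts(forward_hop(hdr), payload, icv)
    natted = forward_hop(nat_rewrite_source(hdr, "198.51.100.7"))
    via_nat = receiver_accepts(natted, payload, icv)
    return direct, via_nat
```

Running ah_demo() returns (True, False): the TTL change is tolerated by design, the address change is detected as tampering, so the receiver discards the packet just as it would a forged one.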
CHAPTER 19 VPN Screens
This chapter introduces the VPN Web Configurator. See Chapter 30 on page 468 for information on viewing logs and Appendix S on page 770 for IPSec log descriptions.
19.1 VPN/IPSec Overview
Use the screens documented in this chapter to configure rules for VPN connections and to manage VPN connections.
19.2 IPSec Algorithms
The ESP and AH protocols are necessary to create a Security Association (SA), the foundation of an IPSec VPN.
Table 94 ESP and AH
ESP Encryption | AH
DES (default): Data Encryption Standard (DES) is a widely used method of data encryption using a secret key. DES applies a 56-bit key to each 64-bit block of data.
3DES: Triple DES (3DES) is a variant of DES, which iterates three times with three separate keys (3 x 56 = 168 bits), effectively doubling the strength of DES.
AES: Advanced Encryption Standard is a newer method of data encryption that also uses a secret key.
If the remote secure gateway has a static WAN IP address, enter it in the Remote Gateway Address field. You may alternatively enter the remote secure gateway’s domain name (if it has one). You can also enter a remote secure gateway’s domain name in the Remote Gateway Address field if the remote secure gateway has a dynamic WAN IP address and is using DDNS.
Figure 146 NAT Router Between IPSec Routers
Normally you cannot set up a VPN connection with a NAT router between the two IPSec routers because the NAT router changes the header of the IPSec packet. In the previous figure, IPSec router A sends an IPSec packet in an attempt to initiate a VPN. The NAT router changes the IPSec packet’s header so it does not match the header for which IPSec router B is checking.
between three encryption algorithms (DES, 3DES and AES), two authentication algorithms (MD5 and SHA1) and two key groups (DH1 and DH2) when you configure a VPN rule (see Section 19.12 on page 320). The ID type and content act as an extra level of identification for incoming SAs. The type of ID can be a domain name, an IP address or an e-mail address. The content is the IP address, domain name, or e-mail address.
Table 97 Matching ID Type and Content Configuration Example
ZYWALL A: Peer ID type: IP; Peer ID content: 1.1.1.2
ZYWALL B: Peer ID type: E-mail; Peer ID content: tom@yourcompany.com
The two ZyWALLs in this example cannot complete their negotiation because ZyWALL B’s Local ID type is IP, but ZyWALL A’s Peer ID type is set to E-mail. An ID mismatched message displays in the IPSec log.
• Choose an authentication algorithm.
• Choose a Diffie-Hellman public-key cryptography key group (DH1 or DH2).
• Set the IKE SA lifetime. This field allows you to determine how long an IKE SA should stay up before it times out. An IKE SA times out when the IKE SA lifetime period expires. If an IKE SA times out when an IPSec SA is already established, the IPSec SA stays connected.
19.8.3 Diffie-Hellman (DH) Key Groups
Diffie-Hellman (DH) is a public-key cryptography protocol that allows two parties to establish a shared secret over an unsecured communications channel. Diffie-Hellman is used within IKE SA setup to establish session keys. 768-bit (Group 1 - DH1) and 1024-bit (Group 2 - DH2) Diffie-Hellman groups are supported. Upon completion of the Diffie-Hellman exchange, the two peers have a shared secret, but the IKE SA is not authenticated.
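An added Python illustration (not the ZyWALL’s implementation) of the two key groups named above, using the RFC 2409 768-bit (DH1) and 1024-bit (DH2) MODP primes with generator 2: both peers derive the same secret whatever pre-shared key each holds, which is why IKE needs a separate authentication step. The auth_tag step is a simplified stand-in for pre-shared-key authentication, not the RFC 2409 SKEYID derivation, and IkePeer and negotiate are names chosen here.

```python
import hashlib
import hmac
import secrets

# RFC 2409 MODP groups used by IKE phase 1: DH1 is the 768-bit group,
# DH2 the 1024-bit group. The generator is 2 for both.
DH_GROUPS = {
    "DH1": int(
        "FFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD1"
        "29024E088A67CC74020BBEA63B139B22514A08798E3404DD"
        "EF9519B3CD3A431B302B0A6DF25F14374FE1356D6D51C245"
        "E485B576625E7EC6F44C42E9A63A3620FFFFFFFFFFFFFFFF", 16),
    "DH2": int(
        "FFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD1"
        "29024E088A67CC74020BBEA63B139B22514A08798E3404DD"
        "EF9519B3CD3A431B302B0A6DF25F14374FE1356D6D51C245"
        "E485B576625E7EC6F44C42E9A637ED6B0BFF5CB6F406B7ED"
        "EE386BFB5A899FA5AE9F24117C4B1FE649286651ECE65381"
        "FFFFFFFFFFFFFFFF", 16),
}
GENERATOR = 2


class IkePeer:
    """One IKE endpoint (constructed model). Holds a DH private value and a PSK."""

    def __init__(self, group: str, pre_shared_key: bytes):
        self.p = DH_GROUPS[group]
        self.size = (self.p.bit_length() + 7) // 8
        self.psk = pre_shared_key
        self.private = secrets.randbelow(self.p - 2) + 1      # 1 <= x <= p-2, never reused
        self.public = pow(GENERATOR, self.private, self.p)    # g^x mod p, sent in the clear

    def shared_secret(self, peer_public: int) -> bytes:
        """g^(xy) mod p. Reject degenerate public values (0, 1, p-1) first."""
        if not 1 < peer_public < self.p - 1:
            raise ValueError("rejected degenerate DH public value")
        return pow(peer_public, self.private, self.p).to_bytes(self.size, "big")

    def auth_tag(self, peer_public: int) -> bytes:
        """Keyed hash over both public values with the PSK mixed into the DH
        secret. Only a peer holding the same PSK can produce or verify it.
        Simplified stand-in for IKE's PSK authentication, not RFC 2409's HASH_I."""
        skey = hmac.new(self.psk, self.shared_secret(peer_public), hashlib.sha1).digest()
        transcript = b"".join(v.to_bytes(self.size, "big")
                              for v in sorted((self.public, peer_public)))
        return hmac.new(skey, transcript, hashlib.sha1).digest()

    def verify(self, peer_public: int, tag: bytes) -> bool:
        return hmac.compare_digest(self.auth_tag(peer_public), tag)


def negotiate(group: str, psk_a: bytes, psk_b: bytes) -> tuple:
    """Run one exchange. Returns (secrets match, both sides authenticated, secret bits)."""
    a, b = IkePeer(group, psk_a), IkePeer(group, psk_b)
    key_a = a.shared_secret(b.public)       # a receives b's public value
    key_b = b.shared_secret(a.public)       # b receives a's public value
    authenticated = (a.verify(b.public, b.auth_tag(a.public))
                     and b.verify(a.public, a.auth_tag(b.public)))
    return key_a == key_b, authenticated, len(key_a) * 8
```

With matching pre-shared keys negotiate("DH2", k, k) returns (True, True, 1024); with different keys the shared secret still agrees but authentication fails, which is the "ID mismatched" or authentication failure the log reports rather than a working tunnel.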
19.10 VPN Rules (IKE)
Click VPN to display the VPN Rules (IKE) screen. This is a read-only menu of your IPSec rules (tunnels). To add an IPSec rule (or gateway policy), click the add gateway policy icon. Edit an IPSec rule by clicking the edit icon to configure the associated submenus. Refer to Table 100 on page 313 for descriptions of the icons used in this screen.
Figure 149 Gateway and Network Policies
This figure helps explain the main fields in the VPN setup.
Figure 150 IPSec Fields Summary
Note: Local and remote network IP addresses must be static.
The following table describes the icons used in the VPN screens.
Table 100 VPN screen Icons Key
ICON: DESCRIPTION
This represents your ZyWALL.
This represents the remote secure gateway.
This represents the local network.
This represents the remote network.
Table 100 VPN screen Icons Key (continued)
Click this icon to establish a VPN connection to a remote network.
This indicates that a gateway or network policy is not active.
Note: The Recycle Bin gateway policy is a virtual placeholder for any network policy (or policies) without an associated gateway policy. When there is a network policy in the Recycle Bin, the Recycle Bin gateway policy automatically displays in this screen. See Section 19.
Figure 151 VPN Rules (IKE): Gateway Policy: Edit
The following table describes the labels in this screen.
Table 101 VPN Rules (IKE): Gateway Policy: Edit
Property
Name: Type up to 32 characters to identify this VPN gateway policy. You may use any character, including spaces, but the ZyWALL drops trailing spaces.
NAT Traversal: Select this check box to enable NAT traversal. NAT traversal allows you to set up a VPN connection when there are NAT routers between the two IPSec routers.
Table 101 VPN Rules (IKE): Gateway Policy: Edit (continued)
Remote Gateway Address: Type the WAN IP address or the domain name (up to 31 characters) of the IPSec router with which you're making the VPN connection. Set this field to 0.0.0.0 if the remote IPSec router has a dynamic WAN IP address. In order to have more than one active rule with the Remote Gateway Address field set to 0.0.0.
Table 101 VPN Rules (IKE): Gateway Policy: Edit (continued)
Peer ID Type: Select from the following when you set Authentication Key to Pre-shared Key.
• Select IP to identify the remote IPSec router by its IP address.
• Select DNS to identify the remote IPSec router by a domain name.
• Select E-mail to identify the remote IPSec router by an e-mail address.
Select from the following when you set Authentication Key to Certificate.
Table 101 VPN Rules (IKE): Gateway Policy: Edit (continued)
Server Mode: Select Server Mode to have this ZyWALL authenticate extended authentication clients that request this VPN connection. You must also configure the extended authentication clients’ usernames and passwords in the authentication server’s local user database or a RADIUS server (see Chapter 21 on page 366).
Table 101 VPN Rules (IKE): Gateway Policy: Edit (continued)
Enable Multiple Proposals: Select this check box to allow the ZyWALL to use any of its phase 1 or phase 2 encryption and authentication algorithms when negotiating an IPSec SA.
Figure 152 VPN Rules (IKE): Network Policy Edit
The following table describes the labels in this screen.
Table 102 VPN Rules (IKE): Network Policy Edit
Active: If the Active check box is selected, packets for the tunnel trigger the ZyWALL to build the tunnel. Clear the Active check box to turn the network policy off. The ZyWALL does not apply the policy, and packets for the tunnel do not trigger the tunnel.
Table 102 VPN Rules (IKE): Network Policy Edit (continued)
Starting IP Address: When the Address Type field is configured to Single Address, enter a (static) IP address on the LAN behind your ZyWALL. When the Address Type field is configured to Range Address, enter the beginning (static) IP address of a range of computers on the LAN behind your ZyWALL.
Table 102 VPN Rules (IKE): Network Policy Edit (continued)
Authentication Algorithm: MD5 (Message Digest 5) and SHA1 (Secure Hash Algorithm) are hash algorithms used to authenticate packet data. The SHA1 algorithm is generally considered stronger than MD5, but is slower. Select MD5 for minimal security and SHA-1 for maximum security.
SA Life Time (Seconds): Define the length of time before an IKE SA automatically renegotiates in this field.
Figure 153 VPN Rules (IKE): Network Policy Move
The following table describes the labels in this screen.
Table 103 VPN Rules (IKE): Network Policy Move
Network Policy Information: The following fields display the general network settings of this VPN policy.
Name: This field displays the policy name.
Local Network: This field displays one or a range of IP address(es) of the computer(s) behind the ZyWALL.
You may want to configure a VPN rule that uses manual key management if you are having problems with IKE key management. Refer to Table 100 on page 313 for descriptions of the icons used in this screen.
Figure 154 VPN Rules (Manual)
The following table describes the labels in this screen.
Table 104 VPN Rules (Manual)
#: This is the VPN policy index number.
Name: This field displays the identification name for this VPN policy.
Table 104 VPN Rules (Manual) (continued)
IPSec Algorithm: This field displays the security protocols used for an SA. Both AH and ESP increase ZyWALL processing requirements and communications latency (delay).
Remote Gateway Address: This is the static WAN IP address or domain name of the remote IPSec router.
Modify: Click the edit icon to edit the VPN policy. Click the delete icon to remove the VPN policy.
Figure 155 VPN Rules (Manual): Edit
The following table describes the labels in this screen.
Table 105 VPN Rules (Manual) Edit
Property
Active: Select this check box to activate this VPN policy.
Name: Type up to 32 characters to identify this VPN policy. You may use any character, including spaces, but the ZyWALL drops trailing spaces.
Allow NetBIOS Traffic Through IPSec Tunnel: This field is not available when the ZyWALL is in bridge mode.
Table 105 VPN Rules (Manual) Edit (continued)
Local Network: Local IP addresses must be static and correspond to the remote IPSec router's configured remote IP addresses. Two active SAs cannot have both the local and the remote IP address(es) the same. Two active SAs can have the same local or remote IP address, but not both. You can configure multiple SAs between the same local and remote IP addresses, as long as only one is active at any time.
Table 105 VPN Rules (Manual) Edit (continued)
My ZyWALL: When the ZyWALL is in router mode, enter the WAN IP address or the domain name of your ZyWALL or leave the field set to 0.0.0.0. For a ZyWALL with multiple WAN ports, the following applies if the My ZyWALL field is configured as 0.0.0.0:
• When the WAN port operation mode is set to Active/Passive, the ZyWALL uses the IP address (static or dynamic) of the WAN port that is in use.
Table 105 VPN Rules (Manual) Edit (continued)
Encryption Key: This field is applicable when you select ESP in the Active Protocol field above. With DES, type a unique key 8 characters long. With 3DES, type a unique key 24 characters long. Any characters may be used, including spaces, but trailing spaces are truncated.
Authentication Key: Type a unique authentication key to be used by IPSec if applicable.
Table 106 VPN: SA Monitor (continued)
IPSec Algorithm: This field displays the security protocols used for an SA. Both AH and ESP increase ZyWALL processing requirements and communications latency (delay).
Refresh: Click Refresh to display the current active VPN connection(s).
Disconnect: Select a security association index number that you want to disconnect and then click Disconnect.
19.
Table 107 VPN: Global Setting (continued)
Gateway Domain Name Update Timer: This field is applicable when you enter a domain name to identify the ZyWALL and/or the remote secure gateway. Enter the time period (between 2 and 60 minutes) to wait before the ZyWALL updates the domain name and IP address mapping through a DNS server.
Figure 158 Telecommuters Sharing One VPN Rule Example
Table 108 Telecommuters Sharing One VPN Rule Example
FIELDS | TELECOMMUTERS | HEADQUARTERS
My ZyWALL: | 0.0.0.0 (dynamic IP address assigned by the ISP) | Public static IP address
Remote Gateway Address: | Public static IP address | 0.0.0.0 With this IP address only the telecommuter can initiate the IPSec tunnel.
Local Network - Single IP Address: | Telecommuter A: 192.168.2.12 Telecommuter B: 192.168.3.
Figure 159 Telecommuters Using Unique VPN Rules Example
Table 109 Telecommuters Using Unique VPN Rules Example
TELECOMMUTERS (All Telecommuter Rules):
My ZyWALL: 0.0.0.0
Remote Gateway Address: bigcompanyhq.com
Remote Network - Single IP Address: 192.168.1.10
Local ID Type: E-mail
Local ID Content: bob@bigcompanyhq.
HEADQUARTERS (All Headquarters Rules):
My ZyWALL: bigcompanyhq.com
Local Network - Single IP Address: 192.168.1.10
Peer ID Type: E-mail
Table 109 Telecommuters Using Unique VPN Rules Example (continued)
TELECOMMUTERS: Local IP Address: 192.168.4.15
HEADQUARTERS: Remote Gateway Address: telecommuterc.dydns.org; Remote Address: 192.168.4.15
19.19 VPN and Remote Management
If a VPN tunnel uses Telnet, FTP, WWW, SNMP, DNS or ICMP, then you should configure remote management (REMOTE MGMT) to allow access for that service.
CHAPTER 20 Certificates
This chapter gives background information about public-key certificates and explains how to use them.
20.1 Certificates Overview
The ZyWALL can use certificates (also called digital IDs) to authenticate users. Certificates are based on public-private key pairs. A certificate contains the certificate owner’s identity and public key. Certificates provide a way to exchange public keys for use in authentication.
Certification authorities maintain directory servers with databases of valid and revoked certificates. A directory of certificates that have been revoked before the scheduled expiration is called a CRL (Certificate Revocation List). The ZyWALL can check a peer’s certificate against a directory server’s list of revoked certificates. The framework of servers, software, procedures and policies that handles keys is called PKI (public-key infrastructure).
20.1.
20.4 My Certificates
Click SECURITY, CERTIFICATES, My Certificates to open the My Certificates screen. This is the ZyWALL’s summary list of certificates and certification requests. Certificates display in black and certification requests display in gray.
Figure 161 My Certificates
The following table describes the labels in this screen.
Table 110 My Certificates (continued)
Type: This field displays what kind of certificate this is. REQ represents a certification request and is not yet a valid certificate. Send a certification request to a certification authority, which then issues a certificate. Use the My Certificate Import screen to import the certificate and replace the request. SELF represents a self-signed certificate.
20.5 My Certificate Import
Click SECURITY, CERTIFICATES, My Certificates and then Import to open the My Certificate Import screen. Follow the instructions in this screen to save an existing certificate to the ZyWALL.
Note: You can only import a certificate that matches a corresponding certification request that was generated by the ZyWALL. The certificate you import replaces the corresponding request in the My Certificates screen.
Figure 162 My Certificate Import
The following table describes the labels in this screen.
Table 111 My Certificate Import
File Path: Type in the location of the file you want to upload in this field or click Browse to find it.
Browse: Click Browse to find the certificate file you want to upload.
Apply: Click Apply to save the certificate on the ZyWALL.
Cancel: Click Cancel to quit and return to the My Certificates screen.
20.
Figure 163 My Certificate Create
The following table describes the labels in this screen.
Table 112 My Certificate Create
Certificate Name: Type up to 31 ASCII characters (not including spaces) to identify this certificate.
Subject Information: Use these fields to record information that identifies the owner of the certificate. You do not have to fill in every field, although the Common Name is mandatory.
Table 112 My Certificate Create (continued)
Country: Type up to 127 characters to identify the nation where the certificate owner is located. You may use any character, including spaces, but the ZyWALL drops trailing spaces.
Key Length: Select a number from the drop-down list box to determine how many bits the key should use (512 to 2048). The longer the key, the more secure it is. A longer key also uses more PKI storage space.
After you click Apply in the My Certificate Create screen, you see a screen that tells you the ZyWALL is generating the self-signed certificate or certification request. After the ZyWALL successfully enrolls a certificate or generates a certification request or a self-signed certificate, you see a screen with a Return button that takes you back to the My Certificates screen.
Figure 164 My Certificate Details
The following table describes the labels in this screen.
Table 113 My Certificate Details
Name: This field displays the identifying name of this certificate. If you want to change the name, type up to 31 characters to identify this certificate. You may use any character (not including spaces).
Property: Default self-signed certificate which signs the imported remote host certificates.
Table 113 My Certificate Details (continued)
Subject Alternative Name: This field displays the certificate owner’s IP address (IP), domain name (DNS) or e-mail address (EMAIL).
Key Usage: This field displays for what functions the certificate’s key can be used. For example, “DigitalSignature” means that the key can be used to sign certificates and “KeyEncipherment” means that the key can be used to encrypt text.
Figure 165 Trusted CAs
The following table describes the labels in this screen.
Table 114 Trusted CAs
PKI Storage Space in Use: This bar displays the percentage of the ZyWALL’s PKI storage space that is currently in use. The bar turns from green to red when the maximum is being approached. When the bar is red, you should consider deleting expired or unnecessary certificates before adding more certificates.
Table 114 Trusted CAs (continued)
CRL Issuer: This field displays Yes if the certification authority issues Certificate Revocation Lists for the certificates that it has issued and you have selected the Issues certificate revocation lists (CRL) check box in the certificate’s details screen to have the ZyWALL check the CRL before trusting any certificates issued by the certification authority. Otherwise the field displays “No”.
The following table describes the labels in this screen.
Table 115 Trusted CA Import
File Path: Type in the location of the file you want to upload in this field or click Browse to find it.
Browse: Click Browse to find the certificate file you want to upload.
Apply: Click Apply to save the certificate on the ZyWALL.
Cancel: Click Cancel to quit and return to the Trusted CAs screen.
20.
Figure 167 Trusted CA Details
The following table describes the labels in this screen.
Table 116 Trusted CA Details
Name: This field displays the identifying name of this certificate. If you want to change the name, type up to 31 characters to identify this key certificate. You may use any character (not including spaces).
Table 116 Trusted CA Details (continued)
Certification Path: Click the Refresh button to have this read-only text box display the end entity’s certificate and a list of certification authority certificates that shows the hierarchy of certification authorities that validate the end entity’s certificate.
Table 116 Trusted CA Details (continued)
CRL Distribution Points: This field displays how many directory servers with lists of revoked certificates the issuing certification authority of this certificate makes available. This field also displays the domain names or IP addresses of the servers.
MD5 Fingerprint: This is the certificate’s message digest that the ZyWALL calculated using the MD5 algorithm.
Figure 168 Trusted Remote Hosts
The following table describes the labels in this screen.
Table 117 Trusted Remote Hosts
PKI Storage Space in Use: This bar displays the percentage of the ZyWALL’s PKI storage space that is currently in use. The bar turns from green to red when the maximum is being approached. When the bar is red, you should consider deleting expired or unnecessary certificates before adding more certificates.
Table 117 Trusted Remote Hosts (continued)
Import: Click Import to open a screen where you can save the certificate of a remote host (which you trust) from your computer to the ZyWALL.
Refresh: Click this button to display the current validity status of the certificates.
20.12 Verifying a Trusted Remote Host’s Certificate
Certificates issued by certification authorities have the certification authority’s signature for you to check.
Figure 170 Certificate Details
Verify (over the phone, for example) that the remote host has the same information in the Thumbprint Algorithm and Thumbprint fields.
20.13 Trusted Remote Hosts Import
Click SECURITY, CERTIFICATES, Trusted Remote Hosts to open the Trusted Remote Hosts screen and then click Import to open the Trusted Remote Host Import screen. Follow the instructions in this screen to save a trusted host’s certificate to the ZyWALL.
Figure 171 Trusted Remote Host Import
The following table describes the labels in this screen.
Table 118 Trusted Remote Host Import
File Path: Type in the location of the file you want to upload in this field or click Browse to find it.
Browse: Click Browse to find the certificate file you want to upload.
Apply: Click Apply to save the certificate on the ZyWALL.
Cancel: Click Cancel to quit and return to the Trusted Remote Hosts screen.
20.
Figure 172 Trusted Remote Host Details
The following table describes the labels in this screen.
Table 119 Trusted Remote Host Details
Name: This field displays the identifying name of this certificate. If you want to change the name, type up to 31 characters to identify this key certificate. You may use any character (not including spaces).
Table 119 Trusted Remote Host Details (continued)
Certificate Information: These read-only fields display detailed information about the certificate.
Type: This field displays general information about the certificate. With trusted remote host certificates, this field always displays CA-signed. The ZyWALL is the Certification Authority that signed the certificate. X.509 means that this certificate was created and signed according to the ITU-T X.
Table 119 Trusted Remote Host Details (continued)
Certificate in PEM (Base-64) Encoded Format: This read-only text box displays the certificate or certification request in Privacy Enhanced Mail (PEM) format. PEM uses 64 ASCII characters to convert the binary certificate into a printable form.
The following table describes the labels in this screen.
Table 120 Directory Servers
PKI Storage Space in Use: This bar displays the percentage of the ZyWALL’s PKI storage space that is currently in use. The bar turns from green to red when the maximum is being approached. When the bar is red, you should consider deleting expired or unnecessary certificates before adding more certificates.
#: The index number of the directory server.
The following table describes the labels in this screen.
Table 121 Directory Server Add
Directory Service Setting
Name: Type up to 31 ASCII characters (spaces are not permitted) to identify this directory server.
Access Protocol: Use the drop-down list box to select the access protocol used by the directory server.
CHAPTER 21 Authentication Server
This chapter discusses how to configure the ZyWALL’s authentication server feature.
21.1 Authentication Server Overview
A ZyWALL set to be a VPN extended authentication server can use either the local user database internal to the ZyWALL or an external RADIUS server for an unlimited number of users. The ZyWALL uses the same local user database for VPN extended authentication and wireless LAN security. See Section 9.
Figure 175 Local User Database
The following table describes the labels in this screen.
Table 122 Local User Database
Active: Select this check box to enable the user profile.
User Name: Enter the user name of the user profile.
Password: Enter a password up to 31 characters long for this user profile.
Apply: Click Apply to save your changes back to the ZyWALL.
Reset: Click Reset to begin configuring this screen afresh.
21.
The following table describes the labels in this screen.
Table 123 RADIUS
Authentication Server
Active: Select the check box to enable user authentication through an external authentication server. Clear the check box to enable user authentication using the local user profile on the ZyWALL.
Server IP Address: Enter the IP address of the external authentication server in dotted decimal notation.
CHAPTER 22 Network Address Translation (NAT)
This chapter discusses how to configure NAT on the ZyWALL.
22.1 NAT Overview
NAT (Network Address Translation, RFC 1631) is the translation of the IP address of a host in a packet. For example, the source address of an outgoing packet, used within one network, is changed to a different IP address known within another network.
22.1.1 NAT Definitions
Inside/outside denotes where a host is located relative to the ZyWALL.
22.1.2 What NAT Does
In the simplest form, NAT changes the source IP address in a packet received from a subscriber (the inside local address) to another (the inside global address) before forwarding the packet to the WAN side. When the response comes back, NAT translates the destination address (the inside global address) back to the inside local address before forwarding it to the original inside host.
Figure 177 How NAT Works
22.1.4 NAT Application
The following figure illustrates a possible NAT application, where three inside LANs (logical LANs using IP Alias) behind the ZyWALL can communicate with three distinct WAN networks. More examples follow at the end of this chapter.
22.1.5 Port Restricted Cone NAT
At the time of writing, ZyWALL ZyNOS version 4.00 uses port restricted cone NAT. Port restricted cone NAT maps all outgoing packets from an internal IP address and port to a single IP address and port on the external network. In the following example, the ZyWALL maps the source address of all packets sent from internal IP address 1 and port A to IP address 2 and port B on the external network.
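An added Python model (not ZyNOS code) of the port restricted cone behaviour described above, with constructed addresses: one internal IP:port gets a single external mapping no matter how many destinations it talks to, and an inbound packet is only passed through that mapping when its source IP and source port both match a destination the internal host already sent to. The class and function names are chosen here.

```python
from dataclasses import dataclass, field
from typing import Optional, Tuple

Endpoint = Tuple[str, int]   # (IP address, port)


@dataclass
class PortRestrictedConeNAT:
    """Constructed model of port restricted cone NAT."""
    external_ip: str
    next_port: int = 40000
    mappings: dict = field(default_factory=dict)   # internal endpoint -> external port
    reverse: dict = field(default_factory=dict)    # external port -> internal endpoint
    permitted: set = field(default_factory=set)    # (external port, remote IP, remote port)

    def outbound(self, internal: Endpoint, remote: Endpoint) -> Endpoint:
        """Translate the source of an outgoing packet; returns the external source."""
        if internal not in self.mappings:              # first packet from this IP:port
            self.mappings[internal] = self.next_port   # allocate one external port for it
            self.reverse[self.next_port] = internal
            self.next_port += 1
        ext_port = self.mappings[internal]
        # Remember exactly which remote IP:port this host contacted through the mapping.
        self.permitted.add((ext_port, remote[0], remote[1]))
        return (self.external_ip, ext_port)

    def inbound(self, remote: Endpoint, ext_port: int) -> Optional[Endpoint]:
        """Translate an incoming packet back to the internal host, or None if dropped.
        Port restricted: the remote IP *and* port must match an earlier outbound."""
        if (ext_port, remote[0], remote[1]) not in self.permitted:
            return None
        return self.reverse[ext_port]


def nat_demo() -> dict:
    """Constructed traffic: one internal host talks to a DNS and a web server."""
    nat = PortRestrictedConeNAT(external_ip="203.0.113.1")
    host = ("192.168.1.33", 5000)          # internal IP address 1, port A
    dns = ("198.51.100.53", 53)
    web = ("198.51.100.80", 80)
    ext_a = nat.outbound(host, dns)
    ext_b = nat.outbound(host, web)
    return {
        "same_mapping": ext_a == ext_b,                                   # cone: one external port
        "dns_reply": nat.inbound(dns, ext_a[1]),                          # passed to the host
        "web_reply": nat.inbound(web, ext_a[1]),                          # passed to the host
        "dns_ip_other_port": nat.inbound(("198.51.100.53", 9999), ext_a[1]),  # dropped
        "unsolicited": nat.inbound(("198.51.100.99", 80), ext_a[1]),          # dropped
    }
```

The last two entries are what distinguishes this NAT type from a plain (full) cone: a host that learns the external port cannot reach the internal machine unless the internal machine sent to that exact IP and port first.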
• Server: This type allows you to specify inside servers of different services behind the NAT to be accessible to the outside world, although it is highly recommended that you use the DMZ port for these servers instead.

Note: Port numbers do not change for One-to-One and Many-One-to-One NAT mapping types.

The following table summarizes these types.

22.3 NAT Overview

Click ADVANCED, NAT to open the NAT Overview screen. Not all fields are available on all models.

Figure 180 NAT Overview

The following table describes the labels in this screen.

Table 126 NAT Overview

Global Settings
Max. Concurrent Sessions: This read-only field displays the highest number of NAT sessions that the ZyWALL will permit at one time.
Max.

Table 126 NAT Overview (continued)

WAN 1, 2
Enable NAT: Select this check box to turn on the NAT feature for the WAN port. Clear this check box to turn off the NAT feature for the WAN port.
Address Mapping Rules: Select SUA to have the ZyWALL use its permanent, pre-defined NAT address mapping rules. Select Full Feature to have the ZyWALL use the address mapping rules that you configure. This is the equivalent of what used to be called full feature NAT.

Figure 181 NAT Address Mapping

The following table describes the labels in this screen.

Table 127 NAT Address Mapping

SUA Address Mapping Rules: This read-only table displays the default address mapping rules.
Full Feature Address Mapping Rules
WAN Interface: Select the WAN port for which you want to view or configure address mapping rules.

Table 127 NAT Address Mapping (continued)

Global Start IP: This refers to the Inside Global IP Address (IGA), that is, the starting global IP address. 0.0.0.0 is for a dynamic IP address from your ISP with Many-to-One and Server mapping types.
Global End IP: This is the ending Inside Global Address (IGA). This field is N/A for One-to-One, Many-to-One and Server mapping types.
Type: 1. One-to-One mode maps one local IP address to one global IP address.

The following table describes the labels in this screen.

Table 128 NAT Address Mapping Edit

Type: Choose the port mapping type from one of the following.
1. One-to-One: One-to-One mode maps one local IP address to one global IP address. Note that port numbers do not change for the One-to-One NAT mapping type.
2. Many-to-One: Many-to-One mode maps multiple local IP addresses to one global IP address. This is equivalent to SUA (i.e.

22.5.1 Default Server IP Address

In addition to the servers for specified services, NAT supports a default server IP address. A default server receives packets from ports that are not specified in this screen.

Note: If you do not assign a Default Server IP address, the ZyWALL discards all packets received for ports that are not specified here or in the remote management setup.

Because the default server receives every unsolicited packet from the WAN that matches no other rule, treat it as fully exposed to the Internet: harden it, place it on the DMZ rather than the LAN, and leave the field empty if you do not need it.

22.5.

Figure 183 Multiple Servers Behind NAT Example

22.5.4 NAT and Multiple WAN

The ZyWALL has two WAN ports. You can configure port forwarding and trigger port rule sets for the first WAN port and separate sets of rules for the second WAN port.

22.5.5 Port Translation

The ZyWALL can translate the destination port number or a range of port numbers of packets coming from the WAN to another destination port number or range of port numbers on the LAN (or DMZ).

Figure 184 Port Translation Example

22.6 Port Forwarding

Note: If you do not assign a Default Server IP address, the ZyWALL discards all packets received for ports that are not specified here or in the remote management setup.

Click ADVANCED, NAT and Port Forwarding to open the Port Forwarding screen. Not all fields are available on all models. Refer to Figure 129 on page 380 for port numbers commonly used for particular services.

Figure 185 Port Forwarding

The following table describes the labels in this screen.

Table 130 Port Forwarding

WAN Interface: Select the WAN port for which you want to view or configure address mapping rules.
Default Server: In addition to the servers for specified services, NAT supports a default server. A default server receives packets from ports that are not specified in this screen.

Table 130 Port Forwarding (continued)

Server IP Address: Enter the inside IP address of the server here.
Apply: Click Apply to save your changes back to the ZyWALL.
Reset: Click Reset to begin configuring this screen afresh.

22.7 Port Triggering

Some services use a dedicated range of ports on the client side and a dedicated range of ports on the server side.

4 The ZyWALL forwards the traffic to Jane’s computer IP address.
5 Only Jane can connect to the Real Audio server until the connection is closed or times out. The ZyWALL times out in three minutes with UDP (User Datagram Protocol) or two hours with TCP/IP (Transmission Control Protocol/Internet Protocol).

To change your ZyWALL’s trigger port settings, click ADVANCED, NAT and the Port Triggering tab. The screen appears as shown. Not all fields are available on all models.

Table 131 Port Triggering

Trigger: The trigger port is a port (or a range of ports) that causes (or triggers) the ZyWALL to record the IP address of the LAN computer that sent the traffic to a server on the WAN.
Start Port: Type a port number or the starting port number in a range of port numbers.
End Port: Type a port number or the ending port number in a range of port numbers.
Apply: Click Apply to save your changes back to the ZyWALL.
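To show how the port forwarding, port translation, default server and port triggering rules described in this chapter fit together, here is an added example (not ZyXEL code) that dispatches inbound WAN packets the way the text describes. The rule shapes follow the Port Forwarding and Port Triggering screens; the evaluation order (remote management ports first, then armed trigger rules, then forwarding rules, then the default server) and the refresh of the trigger's idle timeout on each packet are this example's assumptions. Addresses and ports are constructed.

```python
"""Inbound NAT dispatch: port forwarding with port translation, the default
server, and port triggering with the guide's idle timeouts.

Added example, not ZyXEL code. Rule shapes follow the Port Forwarding and
Port Triggering screens; the evaluation order (remote management ports,
then armed trigger rules, then forwarding rules, then the default server)
and the idle-timeout refresh are this example's assumptions. All addresses
and ports are constructed sample values.
"""
from dataclasses import dataclass
from typing import Optional


@dataclass
class ForwardRule:
    wan_start: int
    wan_end: int
    server_ip: str
    lan_start: Optional[int] = None   # port translation: None keeps the WAN port


@dataclass
class TriggerRule:
    trigger_start: int   # outbound ports that arm the rule
    trigger_end: int
    in_start: int        # inbound ports then forwarded to the arming host
    in_end: int


class InboundNAT:
    UDP_TIMEOUT = 3 * 60        # "three minutes with UDP"
    TCP_TIMEOUT = 2 * 60 * 60   # "two hours with TCP"

    def __init__(self, forwards, triggers, default_server=None, remote_mgmt_ports=()):
        self.forwards = forwards
        self.triggers = triggers
        self.default_server = default_server
        self.remote_mgmt_ports = set(remote_mgmt_ports)
        self._armed = {}   # trigger index -> (lan_ip, last_seen)

    def outbound(self, lan_ip, dst_port, now):
        """Record the LAN sender when outbound traffic hits a trigger port."""
        for i, t in enumerate(self.triggers):
            if t.trigger_start <= dst_port <= t.trigger_end:
                self._armed[i] = (lan_ip, now)

    def inbound(self, dst_port, proto, now):
        """Return (destination_ip, destination_port) or None if discarded."""
        # Ports the ZyWALL itself listens on (remote management) are not forwarded.
        if dst_port in self.remote_mgmt_ports:
            return ("zywall", dst_port)
        # Armed trigger rules win, until the idle timeout expires.
        timeout = self.UDP_TIMEOUT if proto == "udp" else self.TCP_TIMEOUT
        for i, t in enumerate(self.triggers):
            if t.in_start <= dst_port <= t.in_end and i in self._armed:
                lan_ip, last_seen = self._armed[i]
                if now - last_seen <= timeout:
                    self._armed[i] = (lan_ip, now)   # traffic keeps the rule alive
                    return (lan_ip, dst_port)
                del self._armed[i]
        # Port forwarding, with optional translation of the port range.
        for r in self.forwards:
            if r.wan_start <= dst_port <= r.wan_end:
                lan_port = dst_port if r.lan_start is None else r.lan_start + (dst_port - r.wan_start)
                return (r.server_ip, lan_port)
        # Everything else goes to the default server, or is discarded.
        if self.default_server is not None:
            return (self.default_server, dst_port)
        return None
```

The last branch is the one to keep in mind when reviewing a configuration: with no default server, unmatched inbound traffic is dropped; with one, every port that no rule claims lands on that host.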
CHAPTER 23 Static Route

This chapter shows you how to configure static routes for your ZyWALL.

23.1 IP Static Route

Each remote node specifies only the network to which the gateway is directly connected, and the ZyWALL has no knowledge of the networks beyond. For instance, the ZyWALL knows about network N2 in the following figure through remote node Router 1.

Note: The default route is disabled after you change the static WAN IP address to a dynamic WAN IP address.

Figure 189 IP Static Route

The following table describes the labels in this screen.

Table 132 IP Static Route

#: This is the number of an individual static route.
Name: This is the name that describes or identifies this route.

Table 132 IP Static Route (continued)

Active: This field shows whether this static route is active (Yes) or not (No).
Destination: This parameter specifies the IP network address of the final destination. Routing is always based on network number.
Gateway: This is the IP address of the gateway. The gateway is a router or switch on the same network segment as the device's LAN or WAN port. The gateway helps forward packets to their destinations.

Table 133 IP Static Route Edit

Gateway IP Address: Enter the IP address of the gateway. The gateway is a router or switch on the same network segment as the device's LAN or WAN port. The gateway helps forward packets to their destinations.
Metric: Metric represents the “cost” of transmission for routing purposes. IP routing uses hop count as the measurement of cost, with a minimum of 1 for directly connected networks.
CHAPTER 24 Policy Route

This chapter covers setting and applying policies used for IP routing. This chapter applies to the ZyWALL 35 and ZyWALL 70.

24.1 Policy Route

Traditionally, routing is based on the destination address only and the ZyWALL takes the shortest path to forward a packet. IP Policy Routing (IPPR) provides a mechanism to override the default routing behavior and alter the packet forwarding based on the policy defined by the network administrator. A packet that matches an active policy is sent to that policy's gateway; a packet that matches no policy is forwarded by the normal static and default route lookup.

IPPR follows the existing packet filtering facility of RAS in style and in implementation.

24.4 IP Routing Policy Setup

Click ADVANCED, POLICY ROUTE to open the Policy Route Summary screen (some of the screen’s blank rows are not shown).

The following table describes the labels in this screen.

Table 134 Policy Route Summary

#: This is the number of an individual policy route.
Active: This field shows whether the policy is active or inactive.
Source Address/Port: This is the source IP address range and/or port number range.
Destination Address/Port: This is the destination IP address range and/or port number range.
Gateway: Enter the IP address of the gateway.

Figure 192 Edit IP Policy Route

The following table describes the labels in this screen.

Table 135 Edit IP Policy Route

Criteria
Active: Select the check box to activate the policy.
Rule Index: This is the index number of the policy route.
IP Protocol: Select Predefined and then the IP protocol from ALL(0), ICMP(1), IGMP(2), TCP(6), UDP(17), GRE(47), ESP(50) or AH(51). Otherwise, select Custom and enter a number from 0 to 255.

Table 135 Edit IP Policy Route (continued)

Packet Length: Type a packet length (in bytes). The operator selected in the Length Comparison field is applied between an incoming packet's length and this value.
Length Comparison: Choose from Equal, Not Equal, Less, Greater, Less or Equal or Greater or Equal.
Source Interface: Use the check box to select LAN, DMZ, WAN_1, WAN_2 and/or WLAN.
Starting IP Address: Enter the source starting IP address.
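The following added example (not ZyXEL code) puts the two chapters together: a static route table with the Destination, Gateway and Metric fields of Table 133, looked up longest prefix first, and policy routes carrying the Criteria of Table 135 (IP Protocol, Source Interface, source and destination ranges, Packet Length with a Length Comparison operator) that are checked before the table. The route entries and packets are constructed.

```python
"""Static route lookup and policy-route override, simulated in Python.

Added example, not ZyXEL code. Static routes carry the Destination, Gateway
and Metric fields of Table 133; policy routes carry the Criteria of
Table 135 (IP Protocol, Source Interface, address ranges, Packet Length with
a Length Comparison operator). Policies are checked first and the static
table, longest prefix first, is the fallback. All addresses are constructed.
"""
import ipaddress
import operator
from dataclasses import dataclass
from typing import FrozenSet, Optional, Tuple


@dataclass
class StaticRoute:
    destination: str          # network, e.g. "10.2.0.0/16"
    gateway: str
    metric: int = 1
    active: bool = True


@dataclass
class PolicyRoute:
    gateway: str
    active: bool = True
    protocol: int = 0                                 # 0 = ALL, 6 = TCP, 17 = UDP, ...
    source_interfaces: FrozenSet[str] = frozenset()   # empty = any interface
    src_range: Optional[Tuple[str, str]] = None       # (starting IP, ending IP)
    dst_range: Optional[Tuple[str, str]] = None
    length: Optional[Tuple[str, int]] = None          # (Length Comparison, Packet Length)


@dataclass
class Packet:
    src: str
    dst: str
    protocol: int
    length: int
    in_iface: str


COMPARE = {"Equal": operator.eq, "Not Equal": operator.ne, "Less": operator.lt,
           "Greater": operator.gt, "Less or Equal": operator.le,
           "Greater or Equal": operator.ge}


def _in_range(ip, rng):
    if rng is None:
        return True
    a = ipaddress.ip_address
    return a(rng[0]) <= a(ip) <= a(rng[1])


def policy_matches(p, pkt):
    """All configured criteria must match; unset criteria match anything."""
    if not p.active:
        return False
    if p.protocol and p.protocol != pkt.protocol:
        return False
    if p.source_interfaces and pkt.in_iface not in p.source_interfaces:
        return False
    if not (_in_range(pkt.src, p.src_range) and _in_range(pkt.dst, p.dst_range)):
        return False
    if p.length and not COMPARE[p.length[0]](pkt.length, p.length[1]):
        return False
    return True


def static_lookup(routes, dst, default_gateway=None):
    """Longest prefix match; among equal prefixes the lowest metric wins."""
    ip = ipaddress.ip_address(dst)
    best = None
    for r in routes:
        if not r.active:
            continue
        net = ipaddress.ip_network(r.destination, strict=False)
        if ip in net:
            key = (net.prefixlen, -r.metric)
            if best is None or key > best[0]:
                best = (key, r.gateway)
    return best[1] if best else default_gateway


def next_hop(policies, routes, pkt, default_gateway=None):
    """Policy routes override the routing table; the first active match wins."""
    for p in policies:
        if policy_matches(p, pkt):
            return p.gateway
    return static_lookup(routes, pkt.dst, default_gateway)
```

Because a policy route can steer traffic to a gateway that the static table would never choose, review policy routes together with the firewall rules: a policy that sends LAN traffic out through a gateway on another interface bypasses whatever the default path was protecting.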
CHAPTER 25 Bandwidth Management

This chapter describes the functions and configuration of bandwidth management with multiple levels of sub-classes.

25.1 Bandwidth Management Overview

Bandwidth management allows you to allocate an interface’s outgoing capacity to specific types of traffic. It can also help you make sure that the ZyWALL forwards certain types of traffic (especially real-time applications) with minimum delay.

25.3 Proportional Bandwidth Allocation

Bandwidth management allows you to define how much bandwidth each class gets; however, the actual bandwidth allotted to each class decreases or increases in proportion to actual available bandwidth.

25.4 Application-based Bandwidth Management

You can create bandwidth classes based on individual applications (like VoIP, Web, FTP, Email and Video for example).

25.

25.6 Application and Subnet-based Bandwidth Management

You could also create bandwidth classes based on a combination of a subnet and an application. The following example table shows bandwidth allocations for application specific traffic from separate LAN subnets.

When you enable maximize bandwidth usage, the ZyWALL first makes sure that each bandwidth class gets up to its bandwidth allotment. Next, the ZyWALL divides up an interface’s available bandwidth (bandwidth that is unbudgeted or unused by the classes) depending on how many bandwidth classes require more bandwidth and on their priority levels. When only one class requires more bandwidth, the ZyWALL gives extra bandwidth to that class.

25.7.5.1 Priority-based Allotment of Unused and Unbudgeted Bandwidth

The following table shows the priorities of the bandwidth classes and the amount of bandwidth that each class gets.

25.8 Bandwidth Borrowing

Bandwidth borrowing allows a sub-class to borrow unused bandwidth from its parent class, whereas maximize bandwidth usage allows bandwidth classes to borrow any unused or unbudgeted bandwidth on the whole interface. Enable bandwidth borrowing on a sub-class to allow the sub-class to use its parent class’s unused bandwidth. A parent class’s unused bandwidth is given to the highest priority sub-class first.

• The Bill class cannot borrow unused bandwidth from the Root class because the Sales class has bandwidth borrowing disabled.
• The Amy class cannot borrow unused bandwidth from the Sales USA class because the Amy class has bandwidth borrowing disabled.
• The Research Software and Hardware classes can both borrow unused bandwidth from the Research class because the Research Software and Hardware classes both have bandwidth borrowing enabled.
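The following added example (not ZyXEL code) works the allocation rules of this chapter through on a class tree: each class is first guaranteed up to its budget, a parent's unused budget then goes to its borrow-enabled sub-classes highest priority first (so a sub-class can only reach its grandparent's budget if its own parent also has borrowing enabled, as in the Bill and Sales bullets above), and with maximize bandwidth usage whatever the interface still has goes to any class that wants more. The class names follow this chapter but the budgets and demands are constructed; the numeric priority levels and the even split between classes of equal priority are this example's assumptions, since the guide only states that higher priority classes are served first.

```python
"""Bandwidth budget, priority, borrowing and maximize-bandwidth-usage,
simulated in Python.

Added example, not ZyXEL code. The class tree in example_tree() reuses the
names used in this chapter (Root, Sales, Bill, Amy, Research, Software,
Hardware) but its budgets and demands are constructed. The guide only says
that higher priority classes are served first; the numeric priority levels
and the even split between classes of equal priority are assumptions.
"""
from dataclasses import dataclass, field


@dataclass
class BwClass:
    name: str
    budget: int                  # Bandwidth Budget (kbps); root = interface speed
    priority: int = 1            # larger = served first (assumption)
    borrow: bool = False         # Enable Bandwidth Borrowing
    demand: int = 0              # kbps the class's own traffic would use
    children: list = field(default_factory=list)
    alloc: int = 0               # result of allocate()

    def leaves(self):
        if not self.children:
            return [self]
        return [leaf for c in self.children for leaf in c.leaves()]

    def need(self):
        """Unmet demand reachable through borrowing."""
        if self.children:
            return sum(c.need() for c in self.children if c.borrow)
        return max(self.demand - self.alloc, 0)


def _share(pool, nodes):
    """Hand out `pool` kbps to `nodes`, highest priority first; classes of
    equal priority split what is left evenly. Returns what is left over."""
    for prio in sorted({n.priority for n in nodes}, reverse=True):
        group = [n for n in nodes if n.priority == prio and n.need() > 0]
        while pool > 0 and group:
            slice_ = max(pool // len(group), 1)
            for n in list(group):
                grant = min(n.need(), slice_, pool)
                _give(n, grant)
                pool -= grant
                if n.need() == 0:
                    group.remove(n)
                if pool == 0:
                    break
    return pool


def _give(node, kbps):
    """A leaf keeps the bandwidth; an inner class passes it down to its
    borrow-enabled sub-classes, again by priority."""
    if node.children:
        _share(kbps, [c for c in node.children if c.borrow])
    else:
        node.alloc += kbps


def allocate(root, maximize_usage=False):
    """Returns {class name: kbps} for the leaf classes of `root`."""
    # 1. Each class is guaranteed up to its own budget.
    for leaf in root.leaves():
        leaf.alloc = min(leaf.demand, leaf.budget)

    # 2. Borrowing: a class's unused budget goes to its borrow-enabled
    #    sub-classes. Sub-trees are settled first, so a class only reaches
    #    its grandparent's budget if its own parent also has borrowing on.
    def lend(node):
        for c in node.children:
            lend(c)
        if node.children:
            unused = node.budget - sum(leaf.alloc for leaf in node.leaves())
            _share(unused, [c for c in node.children if c.borrow])
    lend(root)

    # 3. Maximize bandwidth usage: whatever the interface still has is
    #    offered to every class that wants more, regardless of borrow flags.
    if maximize_usage:
        spare = root.budget - sum(leaf.alloc for leaf in root.leaves())
        _share(spare, root.leaves())

    return {leaf.name: leaf.alloc for leaf in root.leaves()}


def example_tree():
    """Constructed sample tree (kbps): an 11000 kbps interface with Sales
    (borrowing off) and Research (borrowing on) as sub-classes."""
    return BwClass("Root", 11000, children=[
        BwClass("Sales", 4000, priority=2, borrow=False, children=[
            BwClass("Bill", 1000, priority=2, borrow=True, demand=3000),
            BwClass("Amy", 1000, priority=2, borrow=False, demand=2000)]),
        BwClass("Research", 4000, priority=2, borrow=True, children=[
            BwClass("Software", 1000, priority=3, borrow=True, demand=5000),
            BwClass("Hardware", 1000, priority=1, borrow=True, demand=1500)])])
```

With the sample tree, Bill takes the 2000 kbps Sales leaves unused but can go no further because Sales does not borrow from Root; Research's sub-classes reach Root's 3000 kbps of unbudgeted bandwidth through Research; and Amy, which cannot borrow at all, only gets more once maximize bandwidth usage is on.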
Figure 194 Bandwidth Management: Summary

The following table describes the labels in this screen.

Table 141 Bandwidth Management: Summary

Class: These read-only labels represent the physical interfaces. Select an interface’s check box to enable bandwidth management on that interface. Bandwidth management applies to all traffic flowing out of the router through the interface, regardless of the traffic’s source.

25.11 Configuring Class Setup

The Class Setup screen displays the configured bandwidth classes by individual interface. Select an interface and click the buttons to perform the actions described next. Click “+” to expand the class tree or click “-“ to collapse the class tree. Each interface has a permanent root class. The bandwidth budget of the root class is equal to the speed you configured on the interface (see Section 25.

Table 142 Bandwidth Management: Class Setup (continued)

Edit: Click Edit to configure the selected class. You cannot edit the root class.
Delete: Click Delete to delete the class and all its sub-classes. You cannot delete the root class.
Statistics: Click Statistics to display the status of the selected class.
Filter List: This list displays the bandwidth management filters that are configured for the classes on the selected interface.

Figure 196 Bandwidth Management: Edit Class

The following table describes the labels in this screen.

Table 143 Bandwidth Management: Edit Class

Class Configuration
Class Name: Use the auto-generated name or enter a descriptive name of up to 20 alphanumeric characters, including spaces.
Bandwidth Budget (kbps): Specify the maximum bandwidth allowed for the class in kbps.

Table 143 Bandwidth Management: Edit Class (continued)

Enable Bandwidth Filter: Select Enable Bandwidth Filter to have the ZyWALL use this bandwidth filter when it performs bandwidth management. You must enter a value in at least one of the following fields (other than the Subnet Mask fields, which are only available when you enter the destination or source IP address).

Table 143 Bandwidth Management: Edit Class (continued)

Apply: Click Apply to save your changes back to the ZyWALL.
Cancel: Click Cancel to exit this screen without saving.

Figure 197 Bandwidth Management: Statistics

The following table describes the labels in this screen.

Table 145 Bandwidth Management: Statistics

Class Name: This field displays the name of the class the statistics page is showing.
Budget (kbps): This field displays the amount of bandwidth allocated to the class.
Tx Packets: This field displays the total number of packets transmitted.

Figure 198 Bandwidth Management: Monitor

The following table describes the labels in this screen.

Table 146 Bandwidth Management: Monitor

Interface: Select an interface from the drop-down list box to view the bandwidth usage of its bandwidth classes.
Class: This field displays the name of the bandwidth class. A Default Class automatically displays for all the bandwidth in the Root Class that is not allocated to bandwidth classes.
CHAPTER 26 DNS

This chapter shows you how to configure the DNS screens.

26.1 DNS Overview

DNS (Domain Name System) is for mapping a domain name to its corresponding IP address and vice versa. The DNS server is extremely important because without it, you must know the IP address of a machine before you can access it. The ZyWALL uses a system DNS server (in the order you specify in the DNS System screen) to resolve domain names, for example for VPN, DDNS and the time server.

26.4 Address Record

An address record contains the mapping of a fully qualified domain name (FQDN) to an IP address. An FQDN consists of a host and domain name and includes the top-level domain. For example, www.zyxel.com.tw is a fully qualified domain name, where “www” is the host, “zyxel” is the second-level domain, and “com.tw” is the top level domain. mail.myZyXEL.com.tw is also a FQDN, where "mail" is the host, "myZyXEL" is the second-level domain, and "com.

Figure 199 Private DNS Server Example

Note: If you do not specify an Intranet DNS server on the remote network, then the VPN host must use IP addresses to access the computers on the remote private network.

26.6 System Screen

To configure your ZyWALL’s DNS address and name server records, click ADVANCED, DNS. The screen appears as shown.

Figure 200 System DNS

The following table describes the labels in this screen.

Table 147 System DNS

Address Record: An address record specifies the mapping of a fully qualified domain name (FQDN) to an IP address. An FQDN consists of a host and domain name and includes the top-level domain. For example, www.zyxel.com.tw is a fully qualified domain name, where “www” is the host, “zyxel” is the second-level domain, and “com.

Table 147 System DNS (continued)

Name Server Record: A name server record contains a DNS server’s IP address. The ZyWALL can query the DNS server to resolve domain names for features like VPN, DDNS and the time server. When the ZyWALL needs to resolve a domain name, it checks it against the name server record entries in the order that they appear in this list. A “*” indicates a name server record without a domain zone. The default record is grayed out.

The following table describes the labels in this screen.

Table 148 System DNS: Add Address Record

FQDN: Type a fully qualified domain name (FQDN) of a server. An FQDN starts with a host name and continues all the way up to the top-level domain name. For example, www.zyxel.com.tw is a fully qualified domain name, where “www” is the host, “zyxel” is the second-level domain, and “com.tw” is the top level domain.

The following table describes the labels in this screen.

Table 149 System DNS: Insert Name Server Record

Domain Zone: This field is optional. A domain zone is a fully qualified domain name without the host. For example, zyxel.com.tw is the domain zone for the www.zyxel.com.tw fully qualified domain name. Whenever the ZyWALL needs to resolve a name in zyxel.com.tw, it sends the query to the recorded name server IP address. Records with a domain zone are how you keep queries for internal names (for example the intranet zone behind a VPN) on an internal DNS server instead of sending them to your ISP's resolver.

26.8 Configure DNS Cache

To configure your ZyWALL’s DNS caching, click ADVANCED, DNS, then the Cache tab. The screen appears as shown.

Figure 203 DNS Cache

The following table describes the labels in this screen.

Table 150 DNS Cache

DNS Cache Setup
Cache Positive DNS Resolutions: Select the check box to record the positive DNS resolutions in the cache.

Table 150 DNS Cache (continued)

DNS Cache Entry
Flush: Click this button to clear the cache manually. After you flush the cache, the ZyWALL must query the DNS servers again for any domain names that had been previously resolved. Flush the cache after you change name server records or renumber internal hosts; otherwise the ZyWALL keeps serving the old answer until the cached entry expires.
Refresh: Click this button to reload the cache.
#: This is the index number of a record.
Cache Type: This displays whether the response for the DNS request is positive or negative.
Domain Name: This is the domain name of a host.
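The following added example (not ZyXEL code) simulates the lookup order described in this chapter: a matching address record answers directly, otherwise the first name server record whose domain zone covers the name (or the "*" record) is queried, and positive and negative answers are cached until they expire or the cache is flushed. The records, the stand-in upstream resolver and the TTLs are constructed.

```python
"""Name server records by domain zone, address records and the DNS cache,
simulated in Python.

Added example, not ZyXEL code. It follows the lookup order this chapter
describes: a matching Address Record answers directly, otherwise the first
Name Server Record whose domain zone matches (or the "*" record) is
queried, and positive and negative answers are cached until their TTL
expires or the cache is flushed. Records, the fake upstream resolver and
the TTLs are constructed.
"""


class ZywallStyleResolver:
    def __init__(self, name_servers, address_records=None,
                 cache_positive=True, cache_negative=True, negative_ttl=60):
        # name_servers: [(domain zone or "*", server IP)] in screen order.
        self.name_servers = name_servers
        self.address_records = {k.lower(): v for k, v in (address_records or {}).items()}
        self.cache_positive = cache_positive
        self.cache_negative = cache_negative
        self.negative_ttl = negative_ttl
        self.cache = {}   # fqdn -> (ip or None, expiry time)

    def server_for(self, fqdn):
        """First name server record whose zone covers fqdn; "*" matches all."""
        fqdn = fqdn.lower()
        for zone, server in self.name_servers:
            zone = zone.lower()
            if zone == "*" or fqdn == zone or fqdn.endswith("." + zone):
                return server
        return None

    def resolve(self, fqdn, query, now):
        """query(server_ip, fqdn, now) -> (ip or None, ttl). Returns
        (ip or None, source) where source is "address record", "cache",
        the server IP that was asked, or "no name server"."""
        fqdn = fqdn.lower().rstrip(".")
        if fqdn in self.address_records:
            return self.address_records[fqdn], "address record"
        hit = self.cache.get(fqdn)
        if hit is not None and hit[1] > now:
            return hit[0], "cache"
        server = self.server_for(fqdn)
        if server is None:
            return None, "no name server"
        ip, ttl = query(server, fqdn, now)
        if ip is not None and self.cache_positive:
            self.cache[fqdn] = (ip, now + ttl)
        elif ip is None and self.cache_negative:
            self.cache[fqdn] = (None, now + self.negative_ttl)
        return ip, server

    def flush(self):
        """DNS Cache Entry Flush: every name is asked again afterwards."""
        self.cache.clear()


def fake_upstream(answers):
    """Constructed stand-in for real DNS servers: `answers` maps
    (server, fqdn) -> (ip, ttl); any other name gets a negative answer.
    Returns the query function and a list that records every query sent."""
    log = []

    def query(server, fqdn, now):
        log.append((server, fqdn))
        return answers.get((server, fqdn), (None, 0))
    return query, log
```

Note the zone match requires a label boundary: "notexample.corp" does not match the zone "example.corp", so a query for it falls through to the "*" record rather than leaking to the internal server, and vice versa.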
Figure 204 DNS DHCP

The following table describes the labels in this screen.

Table 151 DNS DHCP

DNS Servers Assigned by DHCP Server: The ZyWALL passes a DNS (Domain Name System) server IP address to the DHCP clients.
Selected Interface: Select an interface from the drop-down list box to configure the DNS servers for the specified interface.
DNS: These read-only labels represent the DNS servers.

26.10 Dynamic DNS

Dynamic DNS allows you to update your current dynamic IP address with one or many dynamic DNS services so that anyone can contact you (in NetMeeting, CU-SeeMe, etc.). You can also access your FTP server or Web site on your own computer using a domain name (for instance myhost.dhs.org, where myhost is a name of your choice) that will never change instead of using an IP address that changes each time you reconnect.

Figure 205 DDNS

The following table describes the labels in this screen.

Table 152 DDNS

Account Setup
Active: Select this check box to use dynamic DNS.
Service Provider: This is the name of your Dynamic DNS service provider.
Username: Enter your user name. You can use up to 31 alphanumeric characters (and the underscore). Spaces are not allowed.
Password: Enter the password associated with the user name above.

Table 152 DDNS (continued)

WAN Interface: Select the WAN port to use for updating the IP address of the domain name.
IP Address Update Policy: Select Use WAN IP Address to have the ZyWALL update the domain name with the WAN port's IP address. Select Use User-Defined and enter the IP address if you have a static IP address. Select Let DDNS Server Auto Detect only when there are one or more NAT routers between the ZyWALL and the DDNS server.
CHAPTER 27 Remote Management

This chapter provides information on the Remote Management screens.

27.1 Remote Management Overview

Remote management allows you to determine which services/protocols can access which ZyWALL interface (if any) from which computers.

Note: When you configure remote management to allow management from the WAN, you still need to configure a firewall rule to allow access. See Chapter 11 on page 210 for details on configuring firewall rules.

A remote management session is refused, or disconnected, in any of the following situations:

1 A filter in SMT menu 3.1 (LAN) or in menu 11.5 (WAN) is applied to block a Telnet, FTP or Web service.
2 You have disabled that service in one of the remote management screens.
3 The IP address in the Secure Client IP Address field does not match the client IP address. If it does not match, the ZyWALL will disconnect the session immediately.
4 There is already another remote management session with an equal or higher priority running.

Figure 206 HTTPS Implementation

Note: If you disable HTTP Server Access (Disable) in the REMOTE MGMT WWW screen, then the ZyWALL blocks all HTTP connection attempts.

27.3 WWW

Click ADVANCED, REMOTE MGMT to open the WWW screen. Use this screen to change your ZyWALL’s web settings.

Figure 207 WWW

The following table describes the labels in this screen.

Table 153 WWW

HTTPS
Server Certificate: Select the Server Certificate that the ZyWALL will use to identify itself. The ZyWALL is the SSL server and must always authenticate itself to the SSL client (the computer which requests the HTTPS connection with the ZyWALL).

Table 153 WWW (continued)

Server Port: You may change the server port number for a service if needed; however, you must use the same port number in order to use that service for remote management.
Server Access: Select the interface(s) through which a computer may access the ZyWALL using this service.
Secure Client IP Address: A secure client is a “trusted” computer that is allowed to communicate with the ZyWALL using this service.

27.4.2 Netscape Navigator Warning Messages

When you attempt to access the ZyWALL HTTPS server, a Website Certified by an Unknown Authority screen pops up asking if you trust the server certificate. Click Examine Certificate if you want to verify that the certificate is from the ZyWALL. If Accept this certificate temporarily for this session is selected, then click OK to continue in Netscape.

27.4.3 Avoiding the Browser Warning Messages

The following describes the main reasons that your browser displays warnings about the ZyWALL’s HTTPS server certificate and what you can do to avoid seeing the warnings.

• The issuing certificate authority of the ZyWALL’s HTTPS server certificate is not one of the browser’s trusted certificate authorities.

Figure 211 Login Screen (Internet Explorer)

Figure 212 Login Screen (Netscape)

Click Login and you then see the next screen. The factory default certificate is a common default certificate for all ZyWALL models. Because the private key for that certificate is present on every ZyWALL, the common certificate gives a browser no assurance that it is talking to your device rather than to another ZyWALL or to someone who has extracted the key; replace it with a device-specific certificate, as described next, before relying on HTTPS for management from untrusted networks.

Figure 213 Replace Certificate

Click Apply in the Replace Certificate screen to create a certificate using your ZyWALL’s MAC address that will be specific to this device. Click CERTIFICATES to open the My Certificates screen. You will see information similar to that shown in the following figure.

Figure 214 Device-specific Certificate

Click Ignore in the Replace Certificate screen to use the common ZyWALL certificate.
Figure 215 Common ZyWALL Certificate

27.5 SSH

Unlike Telnet or FTP, which transmit data in clear text, SSH (Secure Shell) is a secure communication protocol that combines authentication and data encryption to provide secure encrypted communication between two hosts over an unsecured network.

Figure 216 SSH Communication Example

27.6 How SSH works

The following table summarizes how a secure connection is established between two remote hosts.

Figure 217 How SSH Works

1 Host Identification
The SSH client sends a connection request to the SSH server. The server identifies itself with a host key. The client encrypts a randomly generated session key with the host key and server key and sends the result back to the server.
The client automatically saves any new server public keys. In subsequent connections, the server public key is checked against the saved version on the client computer. This protects only later connections: the first connection trusts whatever key is presented, so compare the fingerprint the client shows you with the one obtained from the ZyWALL over a trusted path (for example the console) before you accept it, and treat a changed key on a later connection as a possible man-in-the-middle rather than simply accepting the new key.

27.7.1 Requirements for Using SSH

You must install an SSH client program on a client computer (Windows or Linux operating system) that is used to connect to the ZyWALL over SSH.

27.8 Configuring SSH

Click ADVANCED, REMOTE MGMT and then the SSH tab to change your ZyWALL’s Secure Shell settings.

Note: It is recommended that you disable Telnet and FTP when you configure SSH for secure connections.

Figure 218 SSH

The following table describes the labels in this screen.

27.9 Secure Telnet Using SSH Examples

This section shows two examples using a command interface and a graphical interface SSH client program to remotely access the ZyWALL. The configuration and connection steps are similar for most SSH client programs. Refer to your SSH client program user’s guide.

27.9.1 Example 1: Microsoft Windows

This section describes how to access the ZyWALL using the Secure Shell Client program.

Figure 220 SSH Example 2: Test

$ telnet 192.168.1.1 22
Trying 192.168.1.1...
Connected to 192.168.1.1.
Escape character is '^]'.
SSH-1.5-1.0.0

2 Enter “ssh –1 192.168.1.1”. This command forces your computer to connect to the ZyWALL using SSH version 1. If this is the first time you are connecting to the ZyWALL using SSH, a message displays prompting you to save the host information of the ZyWALL. Type “yes” and press [ENTER]. The banner above (SSH-1.5) shows that the ZyWALL speaks only SSH protocol version 1, which has known cryptographic weaknesses and is no longer supported by current OpenSSH releases; keep SSH access limited to trusted interfaces and secure client addresses, and expect to need an older client that still accepts the -1 option.

Figure 222 Secure FTP: Firmware Upload Example

$ sftp -1 192.168.1.1
Connecting to 192.168.1.1...
The authenticity of host '192.168.1.1 (192.168.1.1)' can't be established.
RSA1 key fingerprint is 21:6c:07:25:7e:f4:75:80:ec:af:bd:d4:3d:80:53:d1.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '192.168.1.1' (RSA1) to the list of known hosts.
Administrator@192.168.1.1's password:
sftp> put firmware.bin ras
Uploading firmware.
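The "authenticity of host ... can't be established" prompt in the transcript above, and the client's automatic saving of new host keys described in Section 27.6, are the trust-on-first-use step that a connection to the ZyWALL depends on. The following added example (not ZyXEL code) shows what a client should do at that point: compute the colon-separated MD5 fingerprint that OpenSSH prints, accept an unknown host only when its fingerprint matches one obtained out of band, and refuse a host whose saved key has changed. The key blob it uses is constructed filler, not a real key, and because the guide's RSA1 fingerprint is computed over different key material this code does not reproduce that exact value.

```python
"""Host key verification for the SSH steps above: an OpenSSH-style MD5
fingerprint and a known_hosts check that pins the ZyWALL's key.

Added example, not ZyXEL code. The fingerprint is the colon-separated MD5
of the base64 key blob that OpenSSH prints for SSH-2 keys; the RSA1 key in
the guide's transcript is hashed over different material, so this code
does not reproduce that value. example_key_blob() returns constructed
filler bytes, not a real key.
"""
import base64
import hashlib


class HostKeyMismatch(Exception):
    pass


def fingerprint_md5(key_b64):
    """Colon-separated MD5 over the raw key blob, e.g. 21:6c:07:..."""
    digest = hashlib.md5(base64.b64decode(key_b64)).hexdigest()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def example_key_blob(tag):
    """Constructed key blob (NOT a real key): an ssh-rsa type string plus
    filler bytes, base64-encoded the way a known_hosts entry stores it."""
    raw = b"\x00\x00\x00\x07ssh-rsa" + tag * 16
    return base64.b64encode(raw).decode()


class KnownHosts:
    """In-memory known_hosts: one "host keytype base64" line per host."""

    def __init__(self, lines=()):
        self.entries = {}
        for line in lines:
            host, keytype, key_b64 = line.split()[:3]
            self.entries[host] = (keytype, key_b64)

    def check(self, host, keytype, key_b64, pinned_fingerprint=None):
        """Returns "ok" for a known matching key, "new" when the key was
        accepted for the first time, and raises HostKeyMismatch otherwise.
        With pinned_fingerprint the first-use acceptance requires a match
        against a fingerprint obtained out of band (e.g. from the console)."""
        known = self.entries.get(host)
        if known is not None:
            if known == (keytype, key_b64):
                return "ok"
            raise HostKeyMismatch(
                f"{host}: key changed, expected {fingerprint_md5(known[1])} "
                f"got {fingerprint_md5(key_b64)}")
        if pinned_fingerprint is not None and fingerprint_md5(key_b64) != pinned_fingerprint:
            raise HostKeyMismatch(f"{host}: fingerprint {fingerprint_md5(key_b64)} "
                                  f"does not match pinned {pinned_fingerprint}")
        self.entries[host] = (keytype, key_b64)   # trust on first use
        return "new"

    def lines(self):
        """Serialise back to known_hosts lines."""
        return [f"{h} {t} {k}" for h, (t, k) in self.entries.items()]
```

Without a pinned fingerprint the first connection is exactly as trusting as the "yes" typed in the transcript; the value of the check is that every later connection, including the firmware upload, is refused if the key no longer matches.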
Figure 224 Telnet

The following table describes the labels in this screen.

Table 155 Telnet

Server Port: You may change the server port number for a service if needed; however, you must use the same port number in order to use that service for remote management.
Server Access: Select the interface(s) through which a computer may access the ZyWALL using this service.

Figure 225 FTP

The following table describes the labels in this screen.

Table 156 FTP

Server Port: You may change the server port number for a service if needed; however, you must use the same port number in order to use that service for remote management.
Server Access: Select the interface(s) through which a computer may access the ZyWALL using this service.

Figure 226 SNMP Management Model

An SNMP managed network consists of two main types of component: agents and a manager. An agent is a management software module that resides in a managed device (the ZyWALL). An agent translates the local management information from the managed device into a form compatible with SNMP. The manager is the console through which network administrators perform network management functions.

27.14.1 Supported MIBs

The ZyWALL supports MIB II as defined in RFC-1213, and the trap conventions of RFC-1215. The focus of the MIBs is to let administrators collect statistical data and monitor status and performance.

27.14.2 SNMP Traps

The ZyWALL will send traps to the SNMP manager when any one of the following events occurs:

Table 157 SNMP Traps

Trap 0, coldStart (defined in RFC-1215): A trap is sent after booting (power on).

Figure 227 SNMP

The following table describes the labels in this screen.

Table 158 SNMP

SNMP Configuration
Get Community: Enter the Get Community, which is the password for the incoming Get and GetNext requests from the management station. The default is public and allows all requests.
Set Community: Enter the Set community, which is the password for incoming Set requests from the management station. The default is public and allows all requests.

Change both community strings before you enable SNMP. SNMP community strings travel in clear text with every request, so leaving the defaults (or reusing a guessable string) gives anyone who can reach the SNMP port read access and, through the Set community, the ability to change the configuration. Limit Server Access and the Secure Client IP Address for SNMP in the same way as for the other remote management services.
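The following added example (not ZyXEL code) applies the access rules this chapter describes for every remote management service, and audits a configuration for the weak settings the chapter warns about. The per-service settings mirror the labels on the WWW, SSH, Telnet, FTP and SNMP screens (Server Port, Server Access, Secure Client IP Address, Get/Set Community); the configuration in example_config() is constructed and the audit findings are this example's own hardening recommendations.

```python
"""Remote management access decision and a weak-setting audit, in Python.

Added example, not ZyXEL code. The per-service settings mirror the labels
on the WWW, SSH, Telnet, FTP and SNMP screens (Server Port, Server Access,
Secure Client IP Address, Get/Set Community); example_config() is
constructed and the audit findings are this example's own recommendations.
"""
PLAINTEXT_SERVICES = {"HTTP", "TELNET", "FTP"}
DEFAULT_COMMUNITIES = {"public", "private", ""}
ANY_CLIENT = "0.0.0.0"


def access_allowed(service, interface, client_ip):
    """Apply the checks from this chapter: the service must be enabled,
    the interface must be in Server Access, and the client must match the
    Secure Client IP Address (0.0.0.0 means any client)."""
    if not service["enabled"]:
        return False, "service disabled"
    if interface not in service["server_access"]:
        return False, f"not accepted on {interface}"
    secure = service["secure_client_ip"]
    if secure != ANY_CLIENT and secure != client_ip:
        return False, "client is not the secure client"
    return True, "ok"


def audit(config):
    """Return (service, finding) pairs a reviewer would want fixed."""
    findings = []
    for name, svc in config.items():
        if not svc["enabled"]:
            continue
        if name in PLAINTEXT_SERVICES:
            findings.append((name, "credentials and data travel in clear text; "
                                   "use HTTPS, SSH or SFTP and disable this service"))
        if "WAN" in svc["server_access"] and svc["secure_client_ip"] == ANY_CLIENT:
            findings.append((name, "reachable from the WAN by any address; "
                                   "set Secure Client IP Address"))
        if name == "SNMP":
            for field in ("get_community", "set_community"):
                if svc.get(field) in DEFAULT_COMMUNITIES:
                    findings.append((name, f"{field} is a default community string"))
    return findings


def example_config():
    """Constructed sample of the remote management screens."""
    return {
        "HTTPS": {"enabled": True, "port": 443, "server_access": {"LAN", "WAN"},
                  "secure_client_ip": "203.0.113.8"},
        "HTTP": {"enabled": True, "port": 80, "server_access": {"LAN"},
                 "secure_client_ip": ANY_CLIENT},
        "SSH": {"enabled": True, "port": 22, "server_access": {"LAN"},
                "secure_client_ip": ANY_CLIENT},
        "TELNET": {"enabled": True, "port": 23, "server_access": {"LAN", "WAN"},
                   "secure_client_ip": ANY_CLIENT},
        "FTP": {"enabled": False, "port": 21, "server_access": {"LAN"},
                "secure_client_ip": ANY_CLIENT},
        "SNMP": {"enabled": True, "port": 161, "server_access": {"LAN"},
                 "secure_client_ip": ANY_CLIENT,
                 "get_community": "public", "set_community": "s3cret"},
    }
```

In the sample configuration the audit flags Telnet twice (clear text, and open to any WAN address), HTTP once, and the SNMP Get community; HTTPS on the WAN passes only because a Secure Client IP Address is set.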
27.15 DNS

Use DNS (Domain Name System) to map a domain name to its corresponding IP address and vice versa. Refer to Chapter 7 on page 126 for more information.

Click ADVANCED, REMOTE MGMT and then the DNS tab to change your ZyWALL’s DNS settings. Use this screen to set from which IP addresses the ZyWALL will accept DNS queries and on which interfaces it will accept them. This feature is not available when the ZyWALL is set to bridge mode. Do not accept DNS queries from the WAN unless you intend the ZyWALL to serve the public: an open resolver can be abused to amplify traffic against third parties and gives outsiders a view of the names your internal hosts resolve.

If you allow your ZyWALL to be managed by the Vantage CNM server, then you should not make any configuration changes directly on the ZyWALL (using either the web configurator, SMT menus or commands) without notifying the Vantage CNM administrator.

27.17 Configuring CNM

Vantage CNM is disabled on the device by default. Click ADVANCED, REMOTE MGMT in the navigation panel and then click the CNM tab to configure your device’s Vantage CNM settings.

Table 160 CNM (continued)

Last Registration Time: This field displays the last date (year-month-date) and time (hours-minutes-seconds) that the ZyWALL registered with the Vantage CNM server. It displays all zeroes if it has not yet registered with the Vantage CNM server.
Refresh: Click Refresh to update the registration status and last registration time.
Vantage CNM Setup
Enable: Select this check box to allow Vantage CNM to manage your ZyWALL.
ZyWALL 5/35/70 Series User’s Guide CHAPTER 28 UPnP This chapter introduces the Universal Plug and Play feature. This chapter is only applicable when the ZyWALL is in router mode. 28.1 Universal Plug and Play Overview Universal Plug and Play (UPnP) is a distributed, open networking standard that uses TCP/IP for simple peer-to-peer network connectivity between devices. A UPnP device can dynamically join a network, obtain an IP address, convey its capabilities and learn about other devices on the network.
ZyWALL 5/35/70 Series User’s Guide All UPnP-enabled devices may communicate freely with each other without additional configuration. Disable UPnP if this is not your intention. 28.1.4 UPnP and ZyXEL ZyXEL has achieved UPnP certification from the Universal Plug and Play Forum Creates UPnP™ Implementers Corp. (UIC). ZyXEL's UPnP implementation supports IGD 1.0 (Internet Gateway Device). At the time of writing ZyXEL's UPnP implementation supports Windows Messenger 4.6 and 4.7 while Windows Messenger 5.
Table 161 UPnP
Allow users to make configuration changes through UPnP: Select this check box to allow UPnP-enabled applications to automatically configure the ZyWALL so that they can communicate through the ZyWALL, for example by using NAT traversal. UPnP applications automatically reserve a NAT forwarding port in order to communicate with another UPnP-enabled device; this eliminates the need to manually configure port forwarding for the UPnP-enabled ap
The following table describes the labels in this screen.

Table 162 UPnP Ports
Reserve UPnP NAT rules in flash after system bootup: Select this check box to have the ZyWALL retain UPnP-created NAT rules even after restarting.
28.4.1 Installing UPnP in Windows Me

Follow the steps below to install UPnP in Windows Me.
1 Click Start, Settings and Control Panel. Double-click Add/Remove Programs.
2 Click on the Windows Setup tab and select Communication in the Components selection box. Click Details.
3 In the Communications window, select the Universal Plug and Play check box in the Components selection box.
4 Click OK to go back to the Add/Remove Programs Properties window and click Next.

28.4.2 Installing UPnP in Windows XP

Follow the steps below to install UPnP in Windows XP.
1 Click Start, Settings and Control Panel.
2 Double-click Network Connections.
3 In the Network Connections window, click Advanced in the main menu and select Optional Networking Components …. The Windows Optional Networking Components Wizard window displays.
4 Select Networking Service in the Components selection box and click Details.

28.5.1 Auto-discover Your UPnP-enabled Network Device

1 Click Start and Control Panel. Double-click Network Connections. An icon displays under Internet Gateway.
2 Right-click the icon and select Properties.
3 In the Internet Connection Properties window, click Settings to see the port mappings that were automatically created. You may edit or delete the port mappings or click Add to manually add port mappings.
Note: When the UPnP-enabled device is disconnected from your computer, all port mappings will be deleted automatically.
4 Select the Show icon in notification area when connected check box and click OK. An icon displays in the system tray.
5 Double-click the icon to display your current Internet connection status.

28.5.

Follow the steps below to access the web configurator.
1 Click Start and then Control Panel.
2 Double-click Network Connections.
3 Select My Network Places under Other Places.
4 An icon with the description for each UPnP-enabled device displays under Local Network.
5 Right-click the icon for your ZyXEL device and select Invoke. The web configurator login screen displays.
6 Right-click the icon for your ZyXEL device and select Properties. A properties window displays with basic information about the ZyXEL device.
CHAPTER 29 ALG Screen

This chapter covers how to use the ZyWALL’s ALG feature to allow certain applications to pass through the ZyWALL.

29.1 ALG Introduction

The ZyWALL can function as an Application Layer Gateway (ALG) to allow certain NAT-unfriendly applications (such as SIP) to operate properly through the ZyWALL. Some applications cannot operate through NAT (are NAT-unfriendly) because they embed IP addresses and port numbers in their packets’ data payload.
If the primary WAN connection fails, the client needs to re-initialize the connection through the secondary WAN port to have the connection go through the secondary WAN port. When the ZyWALL uses both of the WAN ports at the same time, you can configure routing policies to specify the WAN port that the connection’s traffic is to use.

29.2 FTP

File Transfer Protocol (FTP) is an Internet file transfer service that operates on the Internet and over TCP/IP networks.
Figure 232 H.323 ALG Example (signaling session over TCP port 1720; audio session using RTP)

• With multiple WAN IP addresses on the ZyWALL, you can configure different firewall and port forwarding rules to allow incoming calls from each WAN IP address to go to a specific IP address on the LAN (or DMZ). Use policy routing to have the H.323 calls from each of those LAN or DMZ IP addresses go out through the same WAN IP address that calls come in on.
Figure 234 H.323 Calls from the WAN with Multiple Outgoing Calls

• The H.323 ALG operates on TCP packets with a port 1720 destination.
• The ZyWALL allows H.323 audio connections.
• The ZyWALL can also apply bandwidth management to traffic that goes through the H.323 ALG.

29.
The following example shows SIP signaling and audio sessions between SIP clients A and B and the SIP server (1).

Figure 235 SIP ALG Example (signaling session over UDP port 5060; audio session using RTP)

29.5.3 SIP Signaling Session Timeout

Most SIP clients have an “expire” mechanism indicating the lifetime of signaling sessions. The SIP user agent sends registration packets to the SIP server periodically and keeps the session alive in the ZyWALL.
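Section 29.5.3 says the signaling session lives as long as the client's registration announces. As an added illustration (not ZyXEL code and not the ZyWALL's own ALG logic), the Python below reads that lifetime from a REGISTER request following RFC 3261 (the Contact header's expires parameter takes precedence over the Expires header, with a 3600-second default otherwise) and keeps a small session table that is refreshed by re-registration and torn down when the lifetime lapses or on an expires=0 unregistration. The SIP message, user and addresses are constructed samples, and keying sessions on Call-ID is an assumption.

```python
import re

# Added example (not ZyXEL code). Constructed SIP REGISTER request from a
# client on the LAN (192.168.1.40) to a SIP registrar; the Contact expires
# parameter (300 s) is deliberately shorter than the Expires header (3600 s).
SAMPLE_REGISTER = (
    "REGISTER sip:sip.example.com SIP/2.0\r\n"
    "Via: SIP/2.0/UDP 192.168.1.40:5060;branch=z9hG4bK776asdhds\r\n"
    "From: <sip:alice@example.com>;tag=1928301774\r\n"
    "To: <sip:alice@example.com>\r\n"
    "Call-ID: a84b4c76e66710\r\n"
    "CSeq: 1 REGISTER\r\n"
    "Contact: <sip:alice@192.168.1.40:5060>;expires=300\r\n"
    "Expires: 3600\r\n"
    "Content-Length: 0\r\n"
    "\r\n"
)

CONTACT_EXPIRES = re.compile(r";\s*expires\s*=\s*(\d+)", re.IGNORECASE)


def parse_headers(msg):
    """Split a SIP message into (request line, {lowercase name: [values]})."""
    head = msg.split("\r\n\r\n", 1)[0]
    lines = head.split("\r\n")
    headers = {}
    for line in lines[1:]:
        if ":" not in line:
            continue
        name, value = line.split(":", 1)
        headers.setdefault(name.strip().lower(), []).append(value.strip())
    return lines[0], headers


def registration_lifetime(msg, default=3600):
    """Seconds the registration is valid, or None if msg is not a REGISTER."""
    request_line, headers = parse_headers(msg)
    if not request_line.startswith("REGISTER "):
        return None
    for contact in headers.get("contact", []):  # Contact expires= wins (RFC 3261 10.2.1.1)
        m = CONTACT_EXPIRES.search(contact)
        if m:
            return int(m.group(1))
    if "expires" in headers:
        return int(headers["expires"][0])
    return default


class SipSessionTable:
    """Signaling sessions a firewall keeps open, keyed by Call-ID (assumption)."""

    def __init__(self):
        self.sessions = {}  # call-id -> absolute expiry time

    def observe(self, msg, now):
        """Update the table from one REGISTER; return the new expiry (0 = removed)."""
        lifetime = registration_lifetime(msg)
        if lifetime is None:
            return None
        _, headers = parse_headers(msg)
        call_id = headers["call-id"][0]
        if lifetime == 0:  # explicit unregistration: tear the session down now
            self.sessions.pop(call_id, None)
            return 0
        self.sessions[call_id] = now + lifetime
        return self.sessions[call_id]

    def expire(self, now):
        """Drop sessions whose lifetime has lapsed; return their Call-IDs."""
        lapsed = [cid for cid, t in self.sessions.items() if t <= now]
        for cid in lapsed:
            del self.sessions[cid]
        return lapsed
```

A client that stops re-registering simply falls out of the table when its announced lifetime passes, which is the timeout behaviour the section describes.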
Figure 236 ALG

The following table describes the labels in this screen.

Table 163 ALG
Enable FTP ALG: Select this check box to allow FTP sessions to pass through the ZyWALL. FTP (File Transfer Program) is a program that enables fast transfer of files, including large files that may not be possible by e-mail.
Enable H.323 ALG: Select this check box to allow H.323 sessions to pass through the ZyWALL. H.
CHAPTER 30 Logs Screens

This chapter contains information about configuring general log settings and viewing the ZyWALL’s logs. Refer to Appendix S on page 770 for example log message explanations.

30.1 Configuring View Log

The web configurator allows you to look at all of the ZyWALL’s logs in one location. Click LOGS to open the View Log screen. Use the View Log screen to see the logs for the categories that you selected in the Log Settings screen (see Section 30.
The following table describes the labels in this screen.

Table 164 View Log
Display: The categories that you select in the Log Settings page (see Section 30.3 on page 471) display in the drop-down list box. Select a category of logs to view; select All Logs to view logs from all of the log categories that you selected in the Log Settings page.
#: This field displays the log number.
Time: This field displays the time the log was recorded.
Table 165 Example Log Description
notes: The ZyWALL blocked the packet.
message: The ZyWALL blocked the packet in accordance with the firewall’s default policy of blocking sessions that are initiated from the WAN. “UDP” means that this was a User Datagram Protocol packet. “W to W/ZW” indicates that the packet was traveling from the WAN to the WAN or the ZyWALL.

30.2.1 Certificate Not Trusted Log

Note myZyXEL.
Figure 239 myZyXEL.com: Certificate Download

30.3 Configuring Log Settings

To change your ZyWALL’s log settings, click LOGS, then the Log Settings tab. The screen appears as shown. Use the Log Settings screen to configure where the ZyWALL is to send logs, the schedule for when the ZyWALL is to send the logs, and which logs and/or immediate alerts the ZyWALL is to send. An alert is a type of log that warrants more serious attention.
Figure 240 Log Settings
The following table describes the labels in this screen.

Table 166 Log Settings
E-mail Log Settings
Mail Server: Enter the server name or the IP address of the mail server for the e-mail addresses specified below. If this field is left blank, logs and alert messages will not be sent via e-mail.
Mail Subject: Type a title that you want to be in the subject line of the log e-mail message that the ZyWALL sends.
Table 166 Log Settings (continued)
Send Immediate Alert: Select the categories of alerts for which you want the ZyWALL to instantly e-mail alerts to the e-mail address specified in the Send Alerts To field.
Log Consolidation
Active: Some logs (such as the Attacks logs) may be so numerous that it becomes easy to ignore other important log messages. Select this check box to merge logs with identical messages into one log.
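The consolidation that the Active check box turns on can be reproduced off the device for logs pulled from the View Log screen or a syslog server. The Python below is an added example, not ZyXEL code and not the ZyWALL's own consolidation routine: it merges entries with the same message text and note into one entry that keeps the first and last time, a repeat count and the distinct sources, so a burst of attack logs collapses to one line and the single firewall-policy log beside it stays visible. The log entries are constructed samples in the shape of Table 165, and the page does not state the exact grouping key the device uses, so grouping on message plus note is an assumption.

```python
from collections import OrderedDict

# Added example (not ZyXEL code). Constructed sample entries in the shape of
# the View Log screen: (time, message, source, destination, note). The attack
# burst from two sources is what makes the lone policy log easy to miss.
SAMPLE_LOGS = [
    ("2005-05-10 10:01:03", "Firewall default policy: UDP (W to W/ZW)", "198.51.100.7:1024", "203.0.113.5:161", "ACCESS BLOCK"),
    ("2005-05-10 10:01:04", "attack TCP (W to W/ZW)", "198.51.100.9:40000", "203.0.113.5:22", "ACCESS BLOCK"),
    ("2005-05-10 10:01:04", "attack TCP (W to W/ZW)", "198.51.100.9:40001", "203.0.113.5:22", "ACCESS BLOCK"),
    ("2005-05-10 10:01:05", "attack TCP (W to W/ZW)", "198.51.100.12:2048", "203.0.113.5:22", "ACCESS BLOCK"),
    ("2005-05-10 10:01:09", "Firewall default policy: UDP (W to W/ZW)", "198.51.100.7:1025", "203.0.113.5:161", "ACCESS BLOCK"),
    ("2005-05-10 10:01:10", "attack TCP (W to W/ZW)", "198.51.100.12:2049", "203.0.113.5:22", "ACCESS BLOCK"),
]


def consolidate(logs):
    """Merge entries with identical message and note; keep order of first appearance."""
    merged = OrderedDict()
    for time, message, source, destination, note in logs:
        key = (message, note)  # assumed grouping key
        entry = merged.get(key)
        if entry is None:
            merged[key] = {
                "first": time, "last": time, "count": 1,
                "message": message, "note": note,
                "sources": [source], "destinations": [destination],
            }
            continue
        entry["count"] += 1
        entry["last"] = time
        if source not in entry["sources"]:
            entry["sources"].append(source)
        if destination not in entry["destinations"]:
            entry["destinations"].append(destination)
    return list(merged.values())


def render(entries):
    """One display line per consolidated entry, with a repeat summary where count > 1."""
    lines = []
    for e in entries:
        suffix = ""
        if e["count"] > 1:
            suffix = " (repeated %d times, %s to %s, %d distinct sources)" % (
                e["count"], e["first"], e["last"], len(e["sources"]))
        lines.append("%s %s %s%s" % (e["first"], e["message"], e["note"], suffix))
    return lines


if __name__ == "__main__":
    for line in render(consolidate(SAMPLE_LOGS)):
        print(line)
```

Keeping the distinct source list rather than only a count preserves the detail an analyst needs when the consolidated line does turn out to matter.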
Figure 241 Reports

Note: Enabling the ZyWALL’s reporting function decreases the overall throughput by about 1 Mbps.

The following table describes the labels in this screen.

Table 167 Reports
Collect Statistics: Select the check box and click Apply to have the ZyWALL record report data.
Send Raw Traffic Statistics: Select the check box and click Apply to have the ZyWALL send unprocessed traffic statistics to a syslog server for analysis.
30.4.1 Viewing Web Site Hits

In the Reports screen, select Web Site Hits from the Report Type drop-down list box to have the ZyWALL record and display which web sites have been visited the most often and how many times they have been visited.

Figure 242 Web Site Hits Report Example

The following table describes the label in this screen.
Figure 243 Protocol/Port Report Example

The following table describes the labels in this screen.

Table 169 Protocol/Port Report
Protocol/Port: This column lists the protocols or service ports for which the most traffic has gone through the ZyWALL. The protocols or service ports are listed in descending order with the most used protocol or service port listed first.
30.4.3 Viewing Host IP Address

In the Reports screen, select Host IP Address from the Report Type drop-down list box to have the ZyWALL record and display the LAN, DMZ or WLAN IP addresses that the most traffic has been sent to and/or from and how much traffic has been sent to and/or from those IP addresses.

Note: Computers take turns using dynamically assigned LAN, DMZ or WLAN IP addresses.
30.4.4 Reports Specifications

The following table lists detailed specifications on the reports feature.

Table 171 Report Specifications
Number of web sites/protocols or ports/IP addresses listed: 20
Hit count limit: Up to 2^32 hits can be counted per web site. The count starts over at 0 if it passes four billion.
Bytes count limit: Up to 2^64 bytes can be counted per protocol/port or LAN IP address.
CHAPTER 31 Maintenance

This chapter displays information on the maintenance screens.

31.1 Maintenance Overview

The maintenance screens can help you view system information, upload new firmware, manage configuration and restart your ZyWALL.

31.2 General Setup

31.2.1 General Setup and System Name

General Setup contains administrative and system-related information. System Name is for identification purposes.
Figure 245 General Setup

The following table describes the labels in this screen.

Table 172 General Setup
General Setup
System Name: Choose a descriptive name for identification purposes. It is recommended you enter your computer’s “Computer name” in this field. This name can be up to 30 alphanumeric characters long. Spaces are not allowed, but dashes “-” and underscores “_” are accepted.
Domain Name: Enter the domain name (if you know it) here.
Figure 246 Password Setup

The following table describes the labels in this screen.

Table 173 Password Setup
Old Password: Type the default password or the existing password you use to access the system in this field.
New Password: Type your new system password (up to 30 characters). Note that as you type a password, the screen displays a (*) for each character you type.
Retype to Confirm: Type the new password again for confirmation.
Figure 247 Time and Date

The following table describes the labels in this screen.

Table 174 Time and Date
Current Time and Date
Current Time: This field displays the ZyWALL’s present time.
Current Date: This field displays the ZyWALL’s present date.
Time and Date Setup
Manual: Select this radio button to enter the time and date manually.
Table 174 Time and Date (continued)
Get from Time Server: Select this radio button to have the ZyWALL get the time and date from the time server you specified below.
Time Protocol: Select the time service protocol that your time server uses. Not all time servers support all protocols, so you may have to check with your ISP/network administrator or use trial and error to find a protocol that works. The main difference between them is the format.
31.5 Pre-defined NTP Time Servers List

When you turn on the ZyWALL for the first time, the date and time start at 2000-01-01 00:00:00. The ZyWALL then attempts to synchronize with one of the following pre-defined list of NTP time servers. The ZyWALL continues to use the following pre-defined list of NTP time servers if you do not specify a time server or it cannot synchronize with the time server you specified.
When the System Time and Date Synchronization in Process screen appears, wait up to one minute.

Figure 248 Synchronization in Process

Click the Return button to go back to the Time and Date screen after the time and date is updated successfully.

Figure 249 Synchronization is Successful

If the update was not successful, the following screen appears. Click Return to go back to the Time and Date screen.
31.6 Introduction To Transparent Bridging

A transparent bridge is invisible to the operation of a network in that it does not modify the frames it forwards. The bridge checks the source address of incoming frames on the port and learns MAC addresses to associate with that port. All future communications to that MAC address will only be sent on that port.
3 As a transparent bridge does not modify the frames it forwards, it is effectively “stealth” as it is invisible to attackers.

Bridging devices are most useful in complex environments that require a rapid or new firewall deployment. A transparent, bridging firewall can also be good for companies with several branch offices since the setups at these offices are often the same and it's likely that one design can be used for many of the networks.
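The learning and forwarding behaviour that 31.6 describes (learn the source MAC on the arrival port, then send later frames for that MAC only to that port) is small enough to model in full. The Python below is an added example, not ZyXEL code and not the ZyWALL's bridge implementation: it keeps a per-port MAC table, floods frames for unknown or broadcast destinations to every other port, filters frames whose destination is already on the arrival port, and ages entries out. The three port names, the MAC addresses and the 300-second aging time are constructed sample values; aging is standard 802.1D bridge behaviour but is not stated on this page, so treat it as an assumption.

```python
# Added example (not ZyXEL code). A transparent bridge forwards frames
# unmodified; all it keeps is a table of which port each source MAC was
# last seen on. Ports, MACs and the aging time are constructed samples.

BROADCAST = "ff:ff:ff:ff:ff:ff"


class TransparentBridge:
    def __init__(self, ports, aging_seconds=300):
        self.ports = list(ports)
        self.aging_seconds = aging_seconds  # assumed 802.1D-style aging
        self.table = {}  # MAC -> (port, last_seen)

    def _age_out(self, now):
        self.table = {
            mac: (port, seen)
            for mac, (port, seen) in self.table.items()
            if now - seen <= self.aging_seconds
        }

    def receive(self, in_port, src_mac, dst_mac, now):
        """Learn src_mac on in_port; return the list of ports the frame goes out on."""
        if in_port not in self.ports:
            raise ValueError("unknown port %r" % in_port)
        self._age_out(now)
        self.table[src_mac] = (in_port, now)  # learning step
        if dst_mac == BROADCAST or dst_mac not in self.table:
            return [p for p in self.ports if p != in_port]  # flood
        out_port, _ = self.table[dst_mac]
        if out_port == in_port:
            return []  # destination is on the arrival segment: filter
        return [out_port]

    def port_of(self, mac):
        """Port a MAC was learned on, or None if unknown or aged out."""
        entry = self.table.get(mac)
        return None if entry is None else entry[0]


if __name__ == "__main__":
    bridge = TransparentBridge(["LAN", "WAN", "DMZ"])
    print(bridge.receive("LAN", "00:a0:c5:00:00:01", BROADCAST, now=0))
    print(bridge.receive("WAN", "00:a0:c5:00:00:02", "00:a0:c5:00:00:01", now=1))
```

Because nothing in the frame changes, a host on either side sees exactly what its peer sent; the bridge's presence shows only in which ports a frame leaves on.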
Table 177 Device Mode (Router Mode) (continued)
Bridge: Select this radio button and configure the following fields, then click Apply to set the ZyWALL to bridge mode.
IP Address: Enter the IP address of your ZyWALL in dotted decimal notation.
IP Subnet Mask: Enter the IP subnet mask of the ZyWALL.
Gateway IP Address: Enter the gateway IP address.
Apply: Click Apply to save your changes back to the ZyWALL.
Table 178 Device Mode (Bridge Mode) (continued)
Device Mode Setup
Router: Select this radio button and click Apply to set the ZyWALL to router mode.
LAN Interface IP Address: Enter the IP address of your ZyWALL’s LAN port in dotted decimal notation. 192.168.1.1 is the factory default.
LAN Interface Subnet Mask: Enter the IP subnet mask of the ZyWALL’s LAN port.
Figure 253 Firmware Upload

The following table describes the labels in this screen.

Table 179 Firmware Upload
File Path: Type in the location of the file you want to upload in this field or click Browse ... to find it.
Browse...: Click Browse... to find the .bin file you want to upload. Remember that you must decompress compressed (.zip) files before you can upload them.
Upload: Click Upload to begin the upload process.
Figure 255 Network Temporarily Disconnected

After two minutes, log in again and check your new firmware version in the HOME screen. If the upload was not successful, the following screen will appear. Click Return to go back to the F/W Upload screen.

Figure 256 Firmware Upload Error

31.11 Backup and Restore

See Section 47.5 on page 617 for transferring configuration files using FTP/TFTP commands. Click MAINTENANCE, and then the Backup & Restore tab.
Figure 257 Backup and Restore

31.11.1 Backup Configuration

Backup Configuration allows you to back up (save) the ZyWALL’s current configuration to a file on your computer. Once your ZyWALL is configured and functioning properly, it is highly recommended that you back up your configuration file before making configuration changes. The backup configuration file will be useful in case you need to return to your previous settings.
Note: Do not turn off the ZyWALL while configuration file upload is in progress.

After you see a “restore configuration successful” screen, you must then wait one minute before logging into the ZyWALL again.

Figure 258 Configuration Upload Successful

The ZyWALL automatically restarts in this time causing a temporary network disconnect. In some operating systems, you may see the following icon on your desktop.
31.11.3 Back to Factory Defaults

Pressing the Reset button in this section clears all user-entered configuration information and returns the ZyWALL to its factory defaults as shown on the screen. The following warning screen will appear.

Figure 261 Reset Warning Message

You can also press the RESET button on the rear panel to reset the factory defaults of your ZyWALL. Refer to Section 2.3 on page 63 for more information on the RESET button.

31.
CHAPTER 32 Introducing the SMT

This chapter explains how to access the System Management Terminal and gives an overview of its menus.

32.1 Introduction to the SMT

The ZyWALL’s SMT (System Management Terminal) is a menu-driven interface that you can access from a terminal emulator through the console port or over a telnet connection.
Figure 263 Initial Screen

Copyright (c) 1994 - 2004 ZyXEL Communications Corp.
initialize ch =0, ethernet address: 00:A0:C5:01:23:45
initialize ch =1, ethernet address: 00:A0:C5:01:23:46
initialize ch =2, ethernet address: 00:A0:C5:01:23:47
initialize ch =3, ethernet address: 00:A0:C5:01:23:48
initialize ch =4, ethernet address: 00:00:00:00:00:00
AUX port init . done
Modem init . inactive
Press ENTER to continue...

32.2.
Table 181 Main Menu Commands
OPERATION | KEYSTROKES | DESCRIPTION
Move to a “hidden” menu | Press [SPACE BAR] to change No to Yes then press [ENTER]. | Fields beginning with “Edit” lead to hidden menus and have a default setting of No. Press [SPACE BAR] to change No to Yes, and then press [ENTER] to go to a “hidden” menu.
Move the cursor | [ENTER] or [UP]/[DOWN] arrow keys | Within a menu, press [ENTER] to move to the next field.
Figure 265 Main Menu (Router Mode)

Copyright (c) 1994 - 2005 ZyXEL Communications Corp.

ZyWALL 70 Main Menu

Getting Started
1. General Setup
2. WAN Setup
3. LAN Setup
4. Internet Access Setup
5. DMZ Setup
6. Route Setup
7. Wireless Setup

Advanced Applications
11. Remote Node Setup
12. Static Routing Setup
15. NAT Setup

Advanced Management
21. Filter and Firewall Setup
22. SNMP Configuration
23. System Password
24. System Maintenance
25. IP Routing Policy Setup
26.
Table 182 Main Menu Summary
NO. | MENU TITLE | FUNCTION
3 | LAN Setup | Use this menu to apply LAN filters, configure LAN DHCP and TCP/IP settings.
4 | Internet Access Setup | Configure your Internet access setup (Internet address, gateway, login, etc.) with this menu.
5 | DMZ Setup | Use this menu to apply DMZ filters, and configure DHCP and TCP/IP settings for the DMZ port.
6 | Route Setup | This menu is not available on the ZyWALL 5.
Table 183 SMT Menus Overview (continued)
MENUS | SUB MENUS
6 Route Setup (for the ZyWALL 35 and the ZyWALL 70) | 6.1 Route Assessment; 6.2 Traffic Redirect; 6.3 Route Failover
7 Wireless Setup | 7.1 Wireless Setup; 7.1.1 WLAN MAC Address Filter; 7.2 TCP/IP and DHCP Ethernet Setup; 7.2.1 IP Alias Setup
11 Remote Node Setup | 11.1 Remote Node Profile; 11.1.2 Remote Node Network Layer Options; 11.1.4 Remote Node Filter; 11.1.5 Traffic Redirect Setup (for the ZyWALL 5 only); 11.
Table 183 SMT Menus Overview (continued)
MENUS | SUB MENUS
24 System Maintenance | 24.1 System Status; 24.2 System Information and Console Port Speed; 24.2.1 System Information; 24.2.2 Console Port Speed; 24.3 Log and Trace; 24.3.1 View Error Log; 24.3.2 Syslog Logging; 24.3.4 Call-Triggering Packet; 24.4 Diagnostic; 24.5 Backup Configuration; 24.6 Restore Configuration; 24.7 Upload Firmware; 24.7.1 Upload System Firmware; 24.7.2 Upload System Configuration File; 24.
Figure 267 Menu 23: System Password

Menu 23 - System Password
Old Password= ?
New Password= ?
Retype to confirm= ?
Enter here to CONFIRM or ESC to CANCEL:

2 Type your existing password and press [ENTER].
3 Type your new system password and press [ENTER].
4 Re-type your new system password for confirmation and press [ENTER].
Note that as you type a password, the screen displays an “x” for each character you type.

32.5 Resetting the ZyWALL

See Section 2.
CHAPTER 33 SMT Menu 1 - General Setup

Menu 1 - General Setup contains administrative and system-related information.

33.1 Introduction to General Setup

Menu 1 - General Setup contains administrative and system-related information.

33.2 Configuring General Setup

1 Enter 1 in the main menu to open Menu 1 - General Setup.
2 The Menu 1 - General Setup screen appears, as shown next. Fill in the required fields.
Table 184 Menu 1: General Setup (Router Mode) (continued)
Edit Dynamic DNS: Press [SPACE BAR] and then [ENTER] to select Yes or No (default). Select Yes to configure Menu 1.1: Configure Dynamic DNS discussed next.
When you have completed this menu, press [ENTER] at the prompt “Press ENTER to Confirm…” to save your configuration, or press [ESC] at any time to cancel.
33.2.1 Configuring Dynamic DNS

To configure Dynamic DNS, set the ZyWALL to router mode in menu 1 or in the MAINTENANCE Device Mode screen, go to Menu 1 - General Setup and press [SPACE BAR] to select Yes in the Edit Dynamic DNS field. Press [ENTER] to display Menu 1.1 - Configure Dynamic DNS (shown next).

Figure 270 Menu 1.1: Configure Dynamic DNS

Menu 1.1 - Configure Dynamic DNS
Service Provider= WWW.DynDNS.
Figure 271 Menu 1.1.1: DDNS Host Summary

Menu 1.1.
Figure 272 Menu 1.1.1: DDNS Edit Host

Menu 1.1.1 - DDNS Edit Host
Hostname= ZyWALL
DDNS Type= DynamicDNS
Enable Wildcard Option= Yes
Enable Off Line Option= N/A
Bind WAN= 1
HA= Yes
IP Address Update Policy:
Let DDNS Server Auto Detect= Yes
Use User-Defined= N/A
Use WAN IP Address= N/A
Press ENTER to Confirm or ESC to Cancel:

The following table describes the fields in this screen.

Table 188 Menu 1.1.
Table 188 Menu 1.1.1: DDNS Edit Host (continued)
IP Address Update Policy: You can select Yes in either the Let DDNS Server Auto Detect field (recommended) or the Use User-Defined field, but not both. With the Let DDNS Server Auto Detect and Use User-Defined fields both set to No, the DDNS server automatically updates the IP address of the host name(s) with the ZyWALL’s WAN IP address. DDNS does not work with a private IP address.
CHAPTER 34 WAN and Dial Backup Setup

This chapter describes how to configure the WAN using menu 2 and dial-backup using menus 2.1 and 11.1.

34.1 Introduction to WAN and Dial Backup Setup

This chapter explains how to configure settings for your WAN port and how to configure the ZyWALL for a dial backup connection.

34.2 WAN Setup

From the main menu, enter 2 to open menu 2.
The following table describes the fields in this screen.

Table 189 MAC Address Cloning in WAN Setup
(WAN 1/2) MAC Address Assigned By: Press [SPACE BAR] and then [ENTER] to choose one of two methods to assign a MAC address. Choose Factory Default to select the factory assigned default MAC address. Choose IP address attached on LAN to use the MAC address of the computer whose IP address you give in the following field.
Figure 274 Menu 2: Dial Backup Setup

Menu 2 - WAN Setup
WAN 1 MAC Address:
Assigned By= Factory default
IP Address= N/A
WAN 2 MAC Address:
Assigned By= Factory default
IP Address= N/A
Dial-Backup:
Active= No
Port Speed= 115200
AT Command String:
Init= at&fs0=0
Edit Advanced Setup= Yes
Press ENTER to Confirm or ESC to Cancel:

The following table describes the fields in this menu.
To edit the advanced setup for the Dial Backup port, move the cursor to the Edit Advanced Setup field in Menu 2 - WAN Setup, press the [SPACE BAR] to select Yes and then press [ENTER].

Figure 275 Menu 2.1: Advanced WAN Setup

Menu 2.
Table 192 Advanced WAN Port Setup: Call Control Parameters
Call Control
Dial Timeout (sec): Enter the number of seconds for the ZyWALL to keep trying to set up an outgoing call before timing out (stopping). The ZyWALL times out and stops if it cannot set up an outgoing call within the timeout value.
Retry Count: Enter the number of times for the ZyWALL to retry a busy or no-answer phone number before blacklisting the number.
Figure 276 Menu 11.3: Remote Node Profile (Backup ISP)

Menu 11.
Table 193 Menu 11.3: Remote Node Profile (Backup ISP) (continued)
Edit IP: This field leads to a “hidden” menu. Press [SPACE BAR] to select Yes and press [ENTER] to go to Menu 11.3.2 - Remote Node Network Layer Options. See Section 34.8 on page 517 for more information.
Edit Script Options: Press [SPACE BAR] to select Yes and press [ENTER] to edit the AT script for the dial backup remote node (Menu 11.3.3 - Remote Node Script). See Section 34.
Figure 277 Menu 11.3.1: Remote Node PPP Options

Menu 11.3.1 - Remote Node PPP Options
Encapsulation= Standard PPP
Compression= No
Enter here to CONFIRM or ESC to CANCEL:

This table describes the Remote Node PPP Options menu and contains instructions on how to configure the PPP options fields.

Table 194 Menu 11.3.
Figure 278 Menu 11.3.2: Remote Node Network Layer Options

Menu 11.3.2 - Remote Node Network Layer Options
IP Address Assignment= Static
Rem IP Addr= 0.0.0.0
Rem Subnet Mask= 0.0.0.0
My WAN Addr= 0.0.0.0
Network Address Translation= SUA Only
NAT Lookup Set= 255
Metric= 15
Private= No
RIP Direction= None
Version= N/A
Multicast= None
Enter here to CONFIRM or ESC to CANCEL:

The following table describes the fields in this menu.

Table 195 Menu 11.3.
Table 195 Menu 11.3.2: Remote Node Network Layer Options
NAT Lookup Set: If you select SUA Only in the Network Address Translation field, it displays 255 and indicates the SMT will use the pre-configured Set 255 (read only) in menu 15.1. If you select Full Feature or None in the Network Address Translation field, it displays 1, 2 or 3 and indicates the SMT will use the pre-configured Set 1 in menu 15.1 for the first WAN port, Set 2 in menu 15.
You can use two variables, $USERNAME and $PASSWORD (all UPPER case), to represent the actual user name and password in the script, so they will not show in the clear. They are replaced with the outgoing login name and password in the remote node when the ZyWALL sees them in a ‘Send’ string. Please note that both variables must be entered exactly as shown. No other characters may appear before or after, either, i.e.
The following table describes the fields in this menu.

Table 196 Menu 11.3.3: Remote Node Script
Active: Press [SPACE BAR] and then [ENTER] to select either Yes to enable the AT strings or No to disable them.
Set 1-6: Expect: Enter an Expect string to match. After matching the Expect string, the ZyWALL returns the string in the Send field.
Set 1-6: Send: Enter a string to send out after the Expect string is matched.

34.
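The Expect/Send sets of Menu 11.3.3 and the $USERNAME/$PASSWORD rule above (exact, upper-case, nothing before or after) can be checked with a small chat-script walker. The Python below is an added example, not ZyXEL code and not the ZyWALL's script engine: it runs the sets in order against a transcript of what the remote side sent, substitutes the credentials only when a Send string is exactly one of the two variables, and writes the Send template rather than the expanded secret into its log, which is the point of using the variables. The script, the login prompts and the credentials are constructed samples; the page does not say whether the ZyWALL appends a carriage return to a Send string, so none is added here.

```python
# Added example (not ZyXEL code). Constructed Expect/Send sets as they would be
# typed into Menu 11.3.3; "ogin:" and "assword:" match both "login:"/"Login:"
# and "password:"/"Password:" prompts, the usual chat-script idiom.
SAMPLE_SCRIPT = [
    ("ogin:", "$USERNAME"),
    ("assword:", "$PASSWORD"),
]


def expand_send(send, username, password):
    """Return the string actually sent for one Send field.

    The credential is substituted only when the whole field is exactly
    $USERNAME or $PASSWORD; "$password", "$PASSWORD " or "pw=$PASSWORD" are
    sent literally, which is what the guide's exact-match rule implies.
    """
    values = {"$USERNAME": username, "$PASSWORD": password}
    return values.get(send, send)


def run_script(script, remote_output, username, password):
    """Walk the sets against a transcript of the remote side's output.

    Returns (completed, strings_sent, log_lines). Log lines carry the Send
    template, never the expanded password.
    """
    sent, log, pos = [], [], 0
    for index, (expect, send) in enumerate(script, start=1):
        found = remote_output.find(expect, pos)
        if found < 0:
            log.append("set %d: expect %r not seen; script aborted" % (index, expect))
            return False, sent, log
        pos = found + len(expect)  # later sets match only after this prompt
        sent.append(expand_send(send, username, password))
        log.append("set %d: matched %r, sent %r" % (index, expect, send))
    return True, sent, log


if __name__ == "__main__":
    ok, sent, log = run_script(
        SAMPLE_SCRIPT, "CONNECT 33600\r\nlogin: \r\nPassword: \r\n", "alice", "s3cret")
    print(ok, sent)
    for line in log:
        print(line)
```

Because `expand_send` matches the whole field, a stray trailing space in the SMT field makes the literal text "$PASSWORD " go down the line instead of the password, which is the failure the guide's wording is warning about.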
CHAPTER 35 LAN Setup

This chapter describes how to configure the LAN using Menu 3 - LAN Setup.

35.1 Introduction to LAN Setup

This chapter describes how to configure the ZyWALL for LAN and wireless LAN connections.

35.2 Accessing the LAN Menus

From the main menu, enter 3 to open Menu 3 - LAN Setup.

Figure 281 Menu 3: LAN Setup

Menu 3 - LAN Setup
1. LAN Port Filter Setup
2. TCP/IP and DHCP Setup
Enter Menu Selection Number:

35.
Figure 282 Menu 3.1: LAN Port Filter Setup

Menu 3.1 - LAN Port Filter Setup
Input Filter Sets:
protocol filters=
device filters=
Output Filter Sets:
protocol filters=
device filters=
Press ENTER to Confirm or ESC to Cancel:

35.4 TCP/IP and DHCP Ethernet Setup Menu

From the main menu, enter 3 to open Menu 3 - LAN Setup to configure TCP/IP (RFC 1155) and DHCP Ethernet setup.

Figure 283 Menu 3: TCP/IP and DHCP Setup

Menu 3 - LAN Setup
1. LAN Port Filter Setup
2.
Figure 284 Menu 3.2: TCP/IP and DHCP Ethernet Setup

Menu 3.2 - TCP/IP and DHCP Ethernet Setup
DHCP= Server
Client IP Pool:
Starting Address= 192.168.1.33
Size of Client IP Pool= 128
TCP/IP Setup:
IP Address= 192.168.1.1
IP Subnet Mask= 255.255.255.0
RIP Direction= Both
Version= RIP-1
Multicast= None
Edit IP Alias= No
DHCP Server Address= N/A
Press ENTER to Confirm or ESC to Cancel:

Follow the instructions in the next table on how to configure the DHCP fields.
Table 197 Menu 3.2: DHCP Ethernet Setup Fields
First DNS Server / Second DNS Server / Third DNS Server: The ZyWALL passes a DNS (Domain Name System) server IP address (in the order you specify here) to the DHCP clients. Select From ISP if your ISP dynamically assigns DNS server information (and the ZyWALL's WAN IP address). The IP Address field below displays the (read-only) DNS server IP address that the ISP assigns.
35.4.1 IP Alias Setup

IP alias allows you to partition a physical network into different logical networks over the same Ethernet interface. The ZyWALL supports three logical LAN interfaces via its single physical Ethernet interface with the ZyWALL itself as the gateway for each LAN network. You must use menu 3.2 to configure the first network.
Table 199 Menu 3.2.1: IP Alias Setup (continued)
Outgoing Protocol Filters: Enter the filter set(s) you wish to apply to the outgoing traffic between this node and the ZyWALL.
When you have completed this menu, press [ENTER] at the prompt [Press ENTER to Confirm…] to save your configuration, or press [ESC] at any time to cancel.
CHAPTER 36 Internet Access

This chapter shows you how to configure your ZyWALL for Internet access.

36.1 Introduction to Internet Access Setup

Use information from your ISP along with the instructions in this chapter to set up your ZyWALL to access the Internet. There are three different menu 4 screens depending on whether you chose Ethernet, PPTP or PPPoE Encapsulation. Contact your ISP to determine what encapsulation type you should use.

The following table describes the fields in this menu.

Table 200 Menu 4: Internet Access Setup (Ethernet)
ISP’s Name: This is the descriptive name of your ISP for identification purposes.
Encapsulation: Press [SPACE BAR] and then press [ENTER] to choose Ethernet. The encapsulation method influences your choices for the IP Address field.

36.3 Configuring the PPTP Client

Note: The ZyWALL supports only one PPTP server connection at any given time.

To configure a PPTP client, you must configure the My Login and Password fields for a PPP connection and the PPTP parameters for a PPTP connection. After configuring My Login and Password for PPP connection, press [SPACE BAR] and then [ENTER] in the Encapsulation field in Menu 4 - Internet Access Setup to choose PPTP as your encapsulation option.

Figure 288 Internet Access Setup (PPPoE)

    Menu 4 - Internet Access Setup
    ISP's Name= WAN_1
    Encapsulation= PPPoE
    Service Type= N/A
    My Login=
    My Password= ********
    Retype to Confirm= ********
    Idle Timeout= 100
    IP Address Assignment= Dynamic
    IP Address= N/A
    IP Subnet Mask= N/A
    Gateway IP Address= N/A
    Network Address Translation= SUA Only
    Press ENTER to Confirm or ESC to Cancel:

The following table contains instructions about the new fields when you choose PPPoE in the Encapsu
CHAPTER 37 DMZ Setup

This chapter describes how to configure the ZyWALL’s DMZ using Menu 5 - DMZ Setup.

37.1 Configuring DMZ Setup

From the main menu, enter 5 to open Menu 5 – DMZ Setup.

Figure 289 Menu 5: DMZ Setup

    Menu 5 - DMZ Setup
    1. DMZ Port Filter Setup
    2. TCP/IP and DHCP Setup
    Enter Menu Selection Number:

37.2 DMZ Port Filter Setup

This menu allows you to specify the filter sets that you wish to apply to your public server(s) traffic.

Figure 290 Menu 5.

37.3.1 IP Address

From the main menu, enter 5 to open Menu 5 - DMZ Setup to configure TCP/IP (RFC 1155).

Figure 291 Menu 5: DMZ Setup

    Menu 5 - DMZ Setup
    1. DMZ Port Filter Setup
    2. TCP/IP and DHCP Setup
    Enter Menu Selection Number:

From menu 5, select the submenu option 2. TCP/IP and DHCP Setup and press [ENTER]. The screen now displays Menu 5.2 - TCP/IP and DHCP Ethernet Setup, as shown next.

Figure 292 Menu 5.2: TCP/IP and DHCP Ethernet Setup Menu 5.

37.3.2 IP Alias Setup

You must use menu 5.2 to configure the first network. Move the cursor to the Edit IP Alias field, press [SPACE BAR] to choose Yes and press [ENTER] to configure the second and third network. Pressing [ENTER] opens Menu 5.2.1 - IP Alias Setup, as shown next.

Figure 293 Menu 5.2.1: IP Alias Setup Menu 5.2.
CHAPTER 38 Route Setup

This chapter describes how to configure the ZyWALL's traffic redirect. This chapter applies to the ZyWALL 35 and ZyWALL 70.

38.1 Configuring Route Setup

From the main menu, enter 6 to open Menu 6 - Route Setup.

Figure 294 Menu 6: Route Setup

    Menu 6 - Route Setup
    1. Route Assessment
    2. Traffic Redirect
    3. Route Failover
    Enter Menu Selection Number:

38.2 Route Assessment

This menu allows you to configure traffic redirect properties.

The following table describes the fields in this menu.

Table 203 Menu 6.1: Route Assessment
Probing WAN 1/2 Check Point: Press [SPACE BAR] and then press [ENTER] to choose Yes to test your ZyWALL's WAN accessibility.

Table 204 Menu 6.2: Traffic Redirect
Metric: This field sets this route's priority among the routes the ZyWALL uses. Enter a number from 1 to 15 to set this route's priority among the ZyWALL's routes (see Section 7.5 on page 130). The smaller the number, the higher priority the route has.

When you have completed this menu, press [ENTER] at the prompt "Press ENTER to Confirm…" to save your configuration, or press [ESC] at any time to cancel.

38.
CHAPTER 39 Wireless Setup

Use menu 7 to set up your ZyWALL as the wireless access point.

39.1 Wireless LAN Setup

Note: If you are configuring the ZyWALL from a computer connected to the wireless LAN and you change the ZyWALL’s ESSID or WEP settings, you will lose your wireless connection when you press [ENTER] to confirm. You must then change the wireless settings of your computer to match the ZyWALL’s new settings.

Follow the instructions in the next table on how to configure the wireless LAN parameters.

Table 206 Menu 7.1: Wireless Setup
Enable Wireless LAN: Press [SPACE BAR] to select Yes to turn on the wireless LAN. The wireless LAN is off by default. Configure wireless LAN security features such as MAC filters and 802.1X before you turn on the wireless LAN.
Bridge Channel: Select LAN to use the wireless card as part of the LAN.

39.1.1 MAC Address Filter Setup

Your ZyWALL checks the MAC address of the wireless station device against a list of allowed or denied MAC addresses. However, intruders could fake allowed MAC addresses, so MAC-based authentication is less secure than EAP authentication. Follow the steps below to create the MAC address table on your ZyWALL.

1 From the main menu, enter 7 to open Menu 7 - WLAN Setup.
2 Enter 1 to display Menu 7.1 - Wireless Setup.

Table 207 Menu 7.1.1: WLAN MAC Address Filter
Address 1..12: Enter the MAC addresses (in XX:XX:XX:XX:XX:XX format) of the client computers that are allowed or denied access to the ZyWALL in these address fields.

When you have completed this menu, press [ENTER] at the prompt [Press ENTER to Confirm…] to save your configuration, or press [ESC] at any time to cancel.

39.

Figure 301 Menu 7.2: TCP/IP and DHCP Ethernet Setup

    Menu 7.2 - TCP/IP and DHCP Ethernet Setup
    DHCP= None
    Client IP Pool:
        Starting Address= N/A
        Size of Client IP Pool= N/A
    TCP/IP Setup:
        IP Address= 0.0.0.0
        IP Subnet Mask= 0.0.0.0
        RIP Direction= None
            Version= N/A
        Multicast= IGMP-v2
        Edit IP Alias= No
    DHCP Server Address= N/A
    Press ENTER to Confirm or ESC to Cancel:

The DHCP and TCP/IP setup fields are the same as the ones in Menu 3.2 - TCP/IP and DHCP Ethernet Setup.

Figure 302 Menu 7.2.1: IP Alias Setup

    Menu 7.2.1 - IP Alias Setup
    IP Alias 1= No
        IP Address= N/A
        IP Subnet Mask= N/A
        RIP Direction= N/A
            Version= N/A
    IP Alias 2= No
        IP Address= N/A
        IP Subnet Mask= N/A
        RIP Direction= N/A
            Version= N/A
    Enter here to CONFIRM or ESC to CANCEL:

Refer to Table 199 on page 526 for instructions on configuring IP alias parameters.
CHAPTER 40 Remote Node Setup

This chapter shows you how to configure a remote node.

40.1 Introduction to Remote Node Setup

A remote node is required for placing calls to a remote gateway. A remote node represents both the remote gateway and the network behind it across a WAN connection. Note that when you use menu 4 to set up Internet access, you are actually configuring a remote node. The following describes how to configure Menu 11.

Figure 303 Menu 11: Remote Node Setup

    Menu 11 - Remote Node Setup
    1. WAN_1 (ISP, SUA)
    2. WAN_2 (ISP, NAT)
    3. -Dial (BACKUP_ISP, SUA)
    Enter Node # to Edit:

40.3 Remote Node Profile Setup

The following explains how to configure the remote node profile menu. Not all fields are available on all models.

40.3.1 Ethernet Encapsulation

There are three variations of menu 11.x depending on whether you choose Ethernet Encapsulation, PPPoE Encapsulation or PPTP Encapsulation.

The following table describes the fields in this menu.

Table 208 Menu 11.1: Remote Node Profile for Ethernet Encapsulation
Rem Node Name: Enter a descriptive name for the remote node. This field can be up to eight characters.
Active: Press [SPACE BAR] and then [ENTER] to select Yes (activate remote node) or No (deactivate remote node).
Encapsulation: Ethernet is the default encapsulation.

40.3.2 PPPoE Encapsulation

The ZyWALL supports PPPoE (Point-to-Point Protocol over Ethernet). You can only use PPPoE encapsulation when you’re using the ZyWALL with a DSL modem as the WAN device. If you change the Encapsulation to PPPoE, then you will see the next screen. Please see Appendix F on page 698 for more information on PPPoE.

Figure 305 Menu 11.1: Remote Node Profile for PPPoE Encapsulation Menu 11.

40.3.2.3 Metric

See Section 7.5 on page 130 for details on the Metric field.

Table 209 Fields in Menu 11.1 (PPPoE Encapsulation Specific)
Service Name: If you are using PPPoE encapsulation, then type the name of your PPPoE service here. Only valid with PPPoE encapsulation.
Authen: This field sets the authentication protocol used for outgoing calls.

Figure 306 Menu 11.1: Remote Node Profile for PPTP Encapsulation

    Menu 11.1 - Remote Node Profile
    Rem Node Name= ChangeMe
    Active= Yes
    Route= IP
    Encapsulation= PPTP
    Service Type= Standard
    Edit IP= No
    Telco Option:
        Allocated Budget(min)= 0
        Period(hr)= 0
        Schedules=
        Nailed-Up Connection= No
    Outgoing:
        My Login=
        My Password= ********
        Retype to Confirm= ********
        Authen= CHAP/PAP
    PPTP:
        My IP Addr= 10.0.0.140
        My IP Mask= 255.255.255.0
        Server IP Addr= 10.0.0.
Figure 307 Menu 11.1.2: Remote Node Network Layer Options for Ethernet Encapsulation Menu 11.1.

Table 211 Remote Node Network Layer Options Menu Fields (continued)
NAT Lookup Set: If you select SUA Only in the Network Address Translation field, it displays 255 and indicates the SMT will use the pre-configured Set 255 (read only) in menu 15.1. If you select Full Feature or None in the Network Address Translation field, it displays 1, 2 or 3 and indicates the SMT will use the pre-configured Set 1 in menu 15.

Figure 308 Menu 11.1.4: Remote Node Filter (Ethernet Encapsulation)

    Menu 11.1.4 - Remote Node Filter
    Input Filter Sets:
        protocol filters=
        device filters=
    Output Filter Sets:
        protocol filters=
        device filters=
    Enter here to CONFIRM or ESC to CANCEL:

Figure 309 Menu 11.1.4: Remote Node Filter (PPPoE or PPTP Encapsulation) Menu 11.1.

Figure 310 Menu 11.1.5: Traffic Redirect Setup

    Menu 11.1.5 - Traffic Redirect Setup
    Active= Yes
    Configuration:
        Backup Gateway IP Address= 0.0.0.0
        Metric= 14
        Check WAN IP Address= 0.0.0.0
        Fail Tolerance= 10
        Period(sec)= 300
        Timeout(sec)= 8
    Press ENTER to Confirm or ESC to Cancel:

The following table describes the fields in this menu.

Table 212 Menu 11.1.
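The probing and switch-over that the fields of Figure 310 describe, as an added Python example; this is not ZyWALL firmware code. The reading of Period (seconds between checks), Timeout (seconds to wait for a reply) and Fail Tolerance (consecutive failed checks before switching) is taken from the field names and is an assumption, as are the recovery on the next good check, the validate() pre-flight check and the constructed probe results. The example goes slightly beyond the page by flagging a 0.0.0.0 backup gateway before redirect is enabled.

```python
"""Traffic-redirect failover check modelled on the Menu 11.1.5 fields.

Added example, not ZyWALL firmware code.  How the fields interact is an
assumption drawn from their names: the check point is probed every Period
seconds, a reply slower than Timeout seconds (or no reply) is a failed check,
and Fail Tolerance consecutive failed checks move traffic to the backup
gateway.  Recovery on the next successful check is also an assumption.
"""
from dataclasses import dataclass, field
from typing import List, Optional


@dataclass
class TrafficRedirect:
    """Mirror of the fields shown in Figure 310 (defaults are the figure's values)."""
    active: bool = True
    backup_gateway: str = "0.0.0.0"
    metric: int = 14
    check_wan_ip: str = "0.0.0.0"
    fail_tolerance: int = 10
    period_sec: int = 300
    timeout_sec: int = 8


@dataclass
class FailoverState:
    consecutive_failures: int = 0
    using_backup: bool = False
    events: List[str] = field(default_factory=list)


def validate(cfg: TrafficRedirect) -> List[str]:
    """Configuration sanity checks worth running before enabling redirect (assumed checks)."""
    issues = []
    if cfg.active and cfg.backup_gateway == "0.0.0.0":
        issues.append("Backup Gateway IP Address is 0.0.0.0: there is nowhere to redirect to")
    if cfg.fail_tolerance < 1:
        issues.append("Fail Tolerance must be at least 1")
    if cfg.timeout_sec >= cfg.period_sec:
        issues.append("Timeout should be shorter than Period so checks do not overlap")
    return issues


def run_checks(cfg: TrafficRedirect, probe_rtts: List[Optional[float]],
               state: Optional[FailoverState] = None) -> FailoverState:
    """Feed a sequence of probe results (round-trip seconds, or None for no
    reply) through the failover logic and return the resulting state."""
    state = state or FailoverState()
    if not cfg.active:
        return state
    for i, rtt in enumerate(probe_rtts):
        t = i * cfg.period_sec                      # wall-clock offset of this check
        ok = rtt is not None and rtt <= cfg.timeout_sec
        if ok:
            if state.using_backup:
                state.events.append(f"t={t}s: {cfg.check_wan_ip} reachable again, primary route restored")
            state.consecutive_failures = 0
            state.using_backup = False
            continue
        state.consecutive_failures += 1
        if state.consecutive_failures >= cfg.fail_tolerance and not state.using_backup:
            state.using_backup = True
            state.events.append(
                f"t={t}s: {cfg.fail_tolerance} failed checks, traffic redirected to "
                f"{cfg.backup_gateway} (metric {cfg.metric})")
    return state


if __name__ == "__main__":
    # constructed values: a lower tolerance so the switch-over shows up quickly
    cfg = TrafficRedirect(backup_gateway="192.168.1.254", check_wan_ip="10.0.0.1",
                          fail_tolerance=3)
    print(validate(cfg))
    # constructed probe results: one good reply, two lost, one too slow, one good
    st = run_checks(cfg, [1.0, None, None, 9.0, 0.5])
    print("\n".join(st.events))
```

With Fail Tolerance left at the figure's value of 10 and Period at 300 seconds, a dead check point is tolerated for 50 minutes before traffic moves, which is the trade-off these three fields express.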
CHAPTER 41 IP Static Route Setup

This chapter shows you how to configure static routes with your ZyWALL.

41.1 IP Static Route Setup

Enter 12 from the main menu. Select one of the IP static routes as shown next to configure IP static routes in menu 12.1.

Note: The first two static route entries are for default WAN1 and WAN2 routes on a ZyWALL with multiple WAN ports; the first static route entry is for the default WAN route on a ZyWALL with a single WAN port.

Figure 312 Menu 12.1: Edit IP Static Route

    Menu 12.1 - Edit IP Static Route
    Route #: 3
    Route Name= ?
    Active= No
    Destination IP Address= ?
    IP Subnet Mask= ?
    Gateway IP Address= ?
    Metric= 2
    Private= No
    Press ENTER to CONFIRM or ESC to CANCEL:

The following table describes the IP Static Route Menu fields.

Table 213 Menu 12.1: Edit IP Static Route
Route #: This is the index number of the static route that you chose in menu 12.

CHAPTER 42 Network Address Translation (NAT)

This chapter discusses how to configure NAT on the ZyWALL.

42.1 Using NAT

Note: You must create a firewall rule in addition to setting up SUA/NAT, to allow traffic from the WAN to be forwarded through the ZyWALL.

42.1.1 SUA (Single User Account) Versus NAT

SUA (Single User Account) is a ZyNOS implementation of a subset of NAT that supports two types of mapping, Many-to-One and Server. See Section 42.2.

Figure 313 Menu 4: Applying NAT for Internet Access

    Menu 4 - Internet Access Setup
    ISP's Name= ChangeMe
    Encapsulation= Ethernet
    Service Type= Standard
    My Login= N/A
    My Password= N/A
    Retype to Confirm= N/A
    Login Server= N/A
    Relogin Every (min)= N/A
    IP Address Assignment= Dynamic
    IP Address= N/A
    IP Subnet Mask= N/A
    Gateway IP Address= N/A
    Network Address Translation= SUA Only
    Press ENTER to Confirm or ESC to Cancel:

The following figure shows how you apply NAT to the remot

The following table describes the fields in this menu.

Table 214 Applying NAT in Menus 4 & 11.1.2
Network Address Translation, option Full Feature: When you select this option the SMT will use Address Mapping Set 1 (menu 15.1 - see Section 42.2.1 on page 561 for further discussion). You can configure any of the mapping types described in Chapter 22 on page 370. Choose Full Feature if you have multiple public WAN IP addresses for your ZyWALL.
42.2.1 Address Mapping Sets

Enter 1 to bring up Menu 15.1 - Address Mapping Sets.

Figure 316 Menu 15.1: Address Mapping Sets

    Menu 15.1 - Address Mapping Sets
    1. NAT_SET
    2. example
    255. SUA (read only)
    Enter Menu Selection Number:

42.2.1.1 SUA Address Mapping Set

Enter 255 to display the next screen (see also Section 42.1.1 on page 558). The fields in this menu cannot be changed.

Figure 317 Menu 15.1.255: SUA Address Mapping Rules Menu 15.1.

Note: Menu 15.1.255 is read-only.

Table 215 SUA Address Mapping Rules
Set Name: This is the name of the set you selected in menu 15.1 or enter the name of a new set you want to create.
Idx: This is the index or rule number.
Local Start IP: Local Start IP is the starting local IP address (ILA).
Local End IP: Local End IP is the ending local IP address (ILA). If the rule is for all local IPs, then the start IP is 0.0.0.0 and the end IP is 255.255.255.

Figure 318 Menu 15.1.1: First Set

    Menu 15.1.1 - Address Mapping Rules
    Set Name= NAT_SET
    Idx  Local Start IP   Local End IP     Global Start IP  Global End IP    Type
    ---  ---------------  ---------------  ---------------  ---------------  ------
    1.   0.0.0.0          255.255.255.255  0.0.0.0                           M-1
    2.                                     0.0.0.0                           Server
    3.
    4.
    5.
    6.
    7.
    8.
    9.
    10.
    Action= None    Select Rule= N/A
    Press ENTER to Confirm or ESC to Cancel:

Note: The Type, Local and Global Start/End IPs are configured in menu 15.1.1.

Note: You must press [ENTER] at the bottom of the screen to save the whole set. You must do this again if you make any changes to the set – including deleting a rule. No changes to the set take place until this action is taken.

Selecting Edit in the Action field and then selecting a rule brings up the following menu, Menu 15.1.1.1 - Address Mapping Rule, in which you can edit an individual rule and configure the Type, Local and Global Start/End IPs.

Table 217 Menu 15.1.1.1: Editing/Configuring an Individual Rule in a Set
Server Mapping Set: This field is available only when you select Server in the Type field.

Once you have finished configuring a rule in this menu, press [ENTER] at the message “Press ENTER to Confirm…” to save your configuration, or press [ESC] to cancel.

42.
Figure 321 Menu 15.2.1: NAT Server Sets

    Menu 15.2.1 - NAT Server Setup
    Default Server: 0.0.0.0
    Rule  Act.  Start Port  End Port  IP Address
    ------------------------------------------------------
    001   No    0           0         0.0.0.0
    002   No    0           0         0.0.0.0
    003   No    0           0         0.0.0.0
    004   No    0           0         0.0.0.0
    005   No    0           0         0.0.0.0
    006   No    0           0         0.0.0.0
    007   No    0           0         0.0.0.0
    008   No    0           0         0.0.0.0
    009   No    0           0         0.0.0.0
    010   No    0           0         0.0.0.

Figure 322 15.2.1.2: NAT Server Configuration

    15.2.1.2 - NAT Server Configuration
    Wan= 1
    Index= 2
    -----------------------------------------------
    Name= 1
    Active= Yes
    Start port= 21
    End port= 25
    IP Address= 192.168.1.33
    Press ENTER to Confirm or ESC to Cancel:

The following table describes the fields in this screen.

Table 218 15.2.1.

Figure 323 Menu 15.2.1: NAT Server Setup

    Menu 15.2.1 - NAT Server Setup
    Default Server: 0.0.0.0
    Rule  Act.  Start Port  End Port  IP Address
    ------------------------------------------------------
    001   No    0           0         0.0.0.0
    002   Yes   21          25        192.168.1.33
    003   No    0           0         0.0.0.0
    004   No    0           0         0.0.0.0
    005   No    0           0         0.0.0.0
    006   No    0           0         0.0.0.0
    007   No    0           0         0.0.0.0
    008   No    0           0         0.0.0.0
    009   No    0           0         0.0.0.0
    010   No    0           0         0.0.0.

Figure 325 NAT Example 1

Figure 326 Menu 4: Internet Access & NAT Example

    Menu 4 - Internet Access Setup
    ISP's Name= ChangeMe
    Encapsulation= Ethernet
    Service Type= Standard
    My Login= N/A
    My Password= N/A
    Retype to Confirm= N/A
    Login Server= N/A
    Relogin Every (min)= N/A
    IP Address Assignment= Dynamic
    IP Address= N/A
    IP Subnet Mask= N/A
    Gateway IP Address= N/A
    Network Address Translation= SUA Only
    Press ENTER to Confirm or ESC to Cancel:

From menu 4 shown above, simply ch

42.4.2 Example 2: Internet Access with a Default Server

Figure 327 NAT Example 2

In this case, you do exactly as above (use the convenient pre-configured SUA Only set) and also go to menu 15.2.1 to specify the Default Server behind the NAT as shown in the next figure.

Figure 328 Menu 15.2.1: Specifying an Inside Server

    Menu 15.2.1 - NAT Server Setup
    Default Server: 192.168.1.10
    Rule  Act.
1 Map the first IGA to the first inside FTP server for FTP traffic in both directions (1 : 1 mapping, giving both local and global IP addresses).
2 Map the second IGA to our second inside FTP server for FTP traffic in both directions (1 : 1 mapping, giving both local and global IP addresses).
3 Map the other outgoing LAN traffic to IGA3 (Many : 1 mapping).
4 You also map your third IGA to the web server and mail server on the LAN.

Figure 330 Example 3: Menu 11.1.2

    Menu 11.1.2 - Remote Node Network Layer Options
    IP Address Assignment= Dynamic
    IP Address= N/A
    IP Subnet Mask= N/A
    Gateway IP Addr= N/A
    Network Address Translation= SUA Only
    Metric= 2
    Private=
    RIP Direction= None
        Version= N/A
    Multicast= None
    Enter here to CONFIRM or ESC to CANCEL:

The following figure shows how to configure the first rule.

Figure 331 Example 3: Menu 15.1.1.1 Menu 15.1.1.

Figure 332 Example 3: Final Menu 15.1.1

    Menu 15.1.1 - Address Mapping Rules
    Set Name= Example3
    Idx  Local Start IP   Local End IP     Global Start IP  Global End IP    Type
    ---  ---------------  ---------------  ---------------  ---------------  ----
    1.   192.168.1.10                      10.132.50.1                       1-1
    2.   192.168.1.11                      10.132.50.2                       1-1
    3.   0.0.0.0          255.255.255.255  10.132.50.3                       M-1
    4.                                     10.132.50.

42.4.4 Example 4: NAT Unfriendly Application Programs

Some applications do not support NAT Mapping using TCP or UDP port address translation. In this case it is better to use Many-One-to-One mapping as port numbers do not change for Many-One-to-One (and One-to-One) NAT mapping types. The following figure illustrates this.

Figure 336 Example 4: Menu 15.1.1: Address Mapping Rules

    Menu 15.1.1 - Address Mapping Rules
    Set Name= Example4
    Idx  Local Start IP   Local End IP     Global Start IP  Global End IP    Type
    ---  ---------------  ---------------  ---------------  ---------------  -----
    1.   192.168.1.10     192.168.1.12     10.132.50.1      10.132.50.3      M-1-1
    2.
    3.
    4.
    5.
    6.
    7.
    8.
    9.
    10.
    Action= Edit    Select Rule=
    Press ENTER to Confirm or ESC to Cancel:

42.
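How the mapping types in these menus translate an outbound packet, and why Example 4 chooses Many-One-to-One, as an added Python example; this is not ZyNOS code. It loads the first three rules of the Example 3 set and the single Example 4 rule from the figures above. First-match evaluation in index order, the port pool used for Many-to-One (M-1) translation and the positional pairing of local and global addresses inside a Many-One-to-One (M-1-1) range are assumptions.

```python
"""Outbound address-mapping lookup for the rule types in Menu 15.1.1.

Added example, not ZyNOS code.  Rules are evaluated in index order and the
first rule whose local range covers the source address wins; the port pool
used for Many-to-One (M-1) translation and the positional pairing of local
and global addresses inside a Many-One-to-One (M-1-1) range are assumptions.
Server rules apply only to inbound traffic and are skipped here.
"""
from dataclasses import dataclass
from ipaddress import IPv4Address
from typing import List, Optional, Tuple

Translation = Tuple[str, int, int]   # (global IP, global port, rule index)


@dataclass
class MappingRule:
    idx: int
    type: str                          # "1-1", "M-1", "M-1-1" or "Server"
    local_start: str = "0.0.0.0"
    local_end: Optional[str] = None    # None means a single address
    global_start: str = "0.0.0.0"
    global_end: Optional[str] = None

    def covers(self, ip: IPv4Address) -> bool:
        lo = IPv4Address(self.local_start)
        hi = IPv4Address(self.local_end or self.local_start)
        return lo <= ip <= hi


class AddressMappingSet:
    def __init__(self, name: str, rules: List[MappingRule], pat_first_port: int = 1024):
        self.name = name
        self.rules = sorted(rules, key=lambda r: r.idx)
        self._next_pat_port = pat_first_port   # assumed port pool for M-1

    def translate(self, local_ip: str, local_port: int) -> Optional[Translation]:
        ip = IPv4Address(local_ip)
        for r in self.rules:
            if r.type == "Server" or not r.covers(ip):
                continue
            if r.type == "1-1":
                # one ILA to one IGA, source port unchanged
                return r.global_start, local_port, r.idx
            if r.type == "M-1-1":
                # k-th local address pairs with k-th global address, port unchanged
                offset = int(ip) - int(IPv4Address(r.local_start))
                iga = IPv4Address(r.global_start) + offset
                if r.global_end is not None and iga > IPv4Address(r.global_end):
                    continue           # local range larger than global range
                return str(iga), local_port, r.idx
            if r.type == "M-1":
                # many ILAs share one IGA, so the source port is rewritten (PAT)
                port = self._next_pat_port
                self._next_pat_port += 1
                return r.global_start, port, r.idx
        return None                    # no rule matched: not translated


# The first three rules of Example 3 and the single rule of Example 4, as shown above.
EXAMPLE3 = AddressMappingSet("Example3", [
    MappingRule(1, "1-1", "192.168.1.10", None, "10.132.50.1"),
    MappingRule(2, "1-1", "192.168.1.11", None, "10.132.50.2"),
    MappingRule(3, "M-1", "0.0.0.0", "255.255.255.255", "10.132.50.3"),
])
EXAMPLE4 = AddressMappingSet("Example4", [
    MappingRule(1, "M-1-1", "192.168.1.10", "192.168.1.12", "10.132.50.1", "10.132.50.3"),
])

if __name__ == "__main__":
    # constructed source hosts and ports
    for host, port in [("192.168.1.10", 2000), ("192.168.1.50", 3000), ("192.168.1.51", 3000)]:
        print("Example3", host, port, "->", EXAMPLE3.translate(host, port))
    print("Example4 192.168.1.12 5000 ->", EXAMPLE4.translate("192.168.1.12", 5000))
```

The M-1 branch is the only one that rewrites the port, which is what breaks the NAT-unfriendly applications Example 4 refers to; the 1-1 and M-1-1 branches leave it untouched.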
Note: Only one LAN computer can use a trigger port (range) at a time.

Enter 3 in menu 15 to display Menu 15.3 - Trigger Ports. For a ZyWALL with multiple WAN ports, enter 1 or 2 from menu 15.3 to go to Menu 15.3.1 or Menu 15.3.2 - Trigger Port Setup and configure trigger port rules for the first or second WAN port.

Figure 337 Menu 15.3.1: Trigger Port Setup Menu 15.3.
CHAPTER 43 Introducing the ZyWALL Firewall

This chapter shows you how to get started with the ZyWALL firewall.

43.1 Using ZyWALL SMT Menus

From the main menu enter 21 to go to Menu 21 - Filter Set and Firewall Configuration to display the screen shown next.

Figure 338 Menu 21: Filter and Firewall Setup

    Menu 21 - Filter and Firewall Setup
    1. Filter Setup
    2. Firewall Setup
    Enter Menu Selection Number:

43.1.

Figure 339 Menu 21.2: Firewall Setup

    Menu 21.2 - Firewall Setup
    The firewall protects against Denial of Service (DoS) attacks when it is active.
    Your network is vulnerable to attacks when the firewall is turned off.
    Refer to the User's Guide for details about the firewall default policies.
    You may define additional policy rules or modify existing ones but please
    exercise extreme caution in doing so.
    Active: Yes
    You can use the Web Configurator to configure the firewall.
CHAPTER 44 Filter Configuration

This chapter shows you how to create and apply filters.

44.1 Introduction to Filters

Your ZyWALL uses filters to decide whether to allow passage of a data packet and/or to make a call. There are two types of filter applications: data filtering and call filtering. Filters are subdivided into device and protocol filters, which are discussed later. Data filtering screens the data to determine if the packet should be allowed to pass.

44.1.1 The Filter Structure of the ZyWALL

A filter set consists of one or more filter rules. Usually, you would group related rules, e.g., all the rules for NetBIOS, into a single set and give it a descriptive name. The ZyWALL allows you to configure up to twelve filter sets with six rules in each set, for a total of 72 filter rules in the system. You cannot mix device filter rules and protocol filter rules within the same set.

Figure 341 Filter Rule Process

You can apply up to four filter sets to a particular port to block multiple types of packets. With each filter set having up to six rules, you can have a maximum of 24 rules active for a single port.

44.2 Configuring a Filter Set

The ZyWALL includes filtering for NetBIOS over TCP/IP packets by default. To configure another filter set, follow the procedure below.

1 Enter 21 in the main menu to open menu 21.

Figure 342 Menu 21: Filter and Firewall Setup

    Menu 21 - Filter and Firewall Setup
    1. Filter Setup
    2. Firewall Setup
    Enter Menu Selection Number:

2 Enter 1 to bring up the following menu.

Figure 343 Menu 21.1: Filter Set Configuration Menu 21.

Table 220 Abbreviations Used in the Filter Rules Summary Menu
A: Active. “Y” means the rule is active. “N” means the rule is inactive.
Type: The type of filter rule: “GEN” for Generic, “IP” for TCP/IP.
Filter Rules: These parameters are displayed here.
M: More. “Y” means there are more rules to check which form a rule chain with the present rule. An action cannot be taken until the rule chain is complete. “N” means there are no more rules to check.
To speed up filtering, all rules in a filter set must be of the same class, i.e., protocol filters or generic filters. The class of a filter set is determined by the first rule that you create. When applying the filter sets to a port, separate menu fields are provided for protocol and device filter sets. If you include a protocol filter set in a device filter field or vice versa, the ZyWALL will warn you and will not allow you to save.

44.2.

Table 222 Menu 21.1.1.1: TCP/IP Filter Rule
Destination IP Addr: Enter the destination IP Address of the packet you wish to filter. This field is ignored if it is 0.0.0.0.
IP Mask: Enter the IP mask to apply to the Destination: IP Addr.
Port #: Enter the destination port of the packets that you wish to filter. The range of this field is 0 to 65535. This field is ignored if it is 0.

Figure 345 Executing an IP Filter

44.2.3 Configuring a Generic Filter Rule

This section shows you how to configure a generic filter rule.

to allow you to filter non-IP packets. For IP, it is generally easier to use the IP rules directly. For generic rules, the ZyWALL treats a packet as a byte stream as opposed to an IP or IPX packet. You specify the portion of the packet to check with the Offset (from 0) and the Length fields, both in bytes. The ZyWALL applies the Mask (bit-wise ANDing) to the data portion before comparing the result against the Value to determine a match.

Table 223 Generic Filter Rule Menu Fields
More: If Yes, a matching packet is passed to the next filter rule before an action is taken; else the packet is disposed of according to the action fields. If More is Yes, then Action Matched and Action Not Matched will be No.
Log: Select the logging option from the following: None - No packets will be logged. Action Matched - Only packets that match the rule parameters will be logged.
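The Offset/Length/Mask/Value match described in Section 44.2.3, together with the More rule chain of Tables 220 and 223, as an added Python example; this is not ZyNOS code. The filter set and the sample frames are constructed, and it is an assumption that Offset 0 is the first byte of the Ethernet frame (the page does not say where the byte stream starts). The chain semantics follow the tables, namely that every rule in a chain must match and the chain's last rule supplies the action; what happens when a chain does not match is an assumption (the last rule's Action Not Matched is used). An action of "None" is treated as "check the next rule", and a set that reaches its end without a decision forwards the packet.

```python
"""Generic filter rule matching (Offset, Length, Mask, Value) and the More
rule chain described in Tables 220 and 223.

Added example, not ZyNOS code.  Assumptions: Offset counts from the first
byte of the frame the filter sees (here a constructed Ethernet frame); rules
joined by More=Yes form a chain that matches only if every rule in it
matches, and the chain's last rule supplies the action; an action of "None"
means go on to the next rule; a set with no decision forwards the packet.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple

FORWARD, DROP, CHECK_NEXT = "Forward", "Drop", "None"


@dataclass
class GenericRule:
    offset: int                    # first byte to examine, counted from 0
    length: int                    # number of bytes to examine
    mask: str                      # hex digits as typed in the menu
    value: str                     # hex digits compared after masking
    more: bool = False             # Yes: chain with the next rule
    action_matched: str = DROP
    action_not_matched: str = FORWARD
    active: bool = True

    def matches(self, packet: bytes) -> bool:
        """Mask the selected bytes (bit-wise AND) and compare with Value."""
        if len(packet) < self.offset + self.length:
            return False               # window runs past the end of the packet
        window = packet[self.offset:self.offset + self.length]
        mask = bytes.fromhex(self.mask.zfill(self.length * 2))
        value = bytes.fromhex(self.value.zfill(self.length * 2))
        masked = bytes(b & m for b, m in zip(window, mask))
        return masked == value


def evaluate(rules: List[GenericRule], packet: bytes) -> Tuple[str, Optional[int]]:
    """Walk a filter set; return (action, 1-based index of the deciding rule or None)."""
    active = [(i, r) for i, r in enumerate(rules, 1) if r.active]
    pos = 0
    while pos < len(active):
        # gather the chain: this rule plus every following rule while More=Yes
        chain = [active[pos]]
        while chain[-1][1].more and pos + len(chain) < len(active):
            chain.append(active[pos + len(chain)])
        idx, last = chain[-1]
        hit = all(r.matches(packet) for _, r in chain)
        action = last.action_matched if hit else last.action_not_matched
        pos += len(chain)
        if action != CHECK_NEXT:
            return action, idx
    return FORWARD, None


def make_frame(ethertype: int, ip_proto: Optional[int] = None) -> bytes:
    """Constructed Ethernet frame: 12 bytes of MAC addresses, 2-byte EtherType,
    then a minimal IPv4 header (protocol field at byte 9) when ip_proto is given."""
    frame = bytes.fromhex("ffffffffffff00a0c5012345") + ethertype.to_bytes(2, "big")
    if ip_proto is not None:
        frame += bytes([0x45, 0, 0, 40, 0, 1, 0, 0, 64, ip_proto]) + bytes(10) + bytes(8)
    return frame


# Constructed filter set: rule 1 drops IPX (EtherType 0x8137); rules 2 and 3
# form a chain that drops TCP carried in IPv4 and forwards everything else.
EXAMPLE_SET = [
    GenericRule(offset=12, length=2, mask="ffff", value="8137",
                action_matched=DROP, action_not_matched=CHECK_NEXT),
    GenericRule(offset=12, length=2, mask="ffff", value="0800", more=True,
                action_matched=CHECK_NEXT, action_not_matched=CHECK_NEXT),
    GenericRule(offset=14 + 9, length=1, mask="ff", value="06"),
]

if __name__ == "__main__":
    for label, frame in [("IPX", make_frame(0x8137)), ("IPv4/TCP", make_frame(0x0800, 6)),
                         ("IPv4/UDP", make_frame(0x0800, 17)), ("ARP", make_frame(0x0806))]:
        print(label, "->", evaluate(EXAMPLE_SET, frame))
```

The Mask is what lets one rule cover a family of values: a mask of ff00 over the EtherType bytes matches any value whose high byte is 08, so the same rule fires for 0x0800 and 0x0806 alike.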
Figure 348 Example Filter: Menu 21.1.3.1

    Menu 21.1.3.1 - TCP/IP Filter Rule
    Filter #: 3,1
    Filter Type= TCP/IP Filter Rule
    Active= Yes
    IP Protocol= 6
    IP Source Route= No
    Destination: IP Addr= 0.0.0.0
        IP Mask= 0.0.0.0
        Port #= 23
        Port # Comp= Equal
    Source: IP Addr= 0.0.0.0
        IP Mask= 0.0.0.0
        Port #= 0
        Port # Comp= None
    TCP Estab= No
    More= No
    Log= None
    Action Matched= Drop
    Action Not Matched= Forward
    Press ENTER to Confirm or ESC to Cancel:
    Press Space Bar to Toggle.

M = N means an action can be taken immediately. The action is to drop the packet (m = D) if the action is matched and to forward the packet immediately (n = F) if the action is not matched no matter whether there are more rules to be checked (there aren’t in this example).

After you’ve created the filter set, you must apply it.

1 Enter 11 from the main menu to go to menu 11.
2 Enter 1 or 2 to open Menu 11.x - Remote Node Profile.

44.6 Applying a Filter

This section shows you where to apply the filter(s) after you design it (them). The ZyWALL already has filters to prevent NetBIOS traffic from triggering calls, and block incoming telnet, FTP and HTTP connections.

Note: If you do not activate the firewall, it is advisable to apply filters.

44.6.1 Applying LAN Filters

LAN traffic filter sets may be useful to block certain packets, reduce traffic and prevent security breaches. Go to menu 3.

Figure 352 Filtering DMZ Traffic

    Menu 5.1 - DMZ Port Filter Setup
    Input Filter Sets:
        protocol filters=
        device filters=
    Output Filter Sets:
        protocol filters=
        device filters=
    Press ENTER to Confirm or ESC to Cancel:

44.6.3 Applying Remote Node Filters

Go to menu 11.1.4 (shown below – note that call filter sets are only present for PPPoE encapsulation) and enter the number(s) of the filter set(s) as appropriate.
CHAPTER 45 SNMP Configuration

This chapter explains SNMP configuration menu 22.

45.1 SNMP Configuration

To configure SNMP, enter 22 from the main menu to display Menu 22 - SNMP Configuration as shown next. The “community” for Get, Set and Trap fields is SNMP terminology for password.

Figure 354 Menu 22: SNMP Configuration

    Menu 22 - SNMP Configuration
    SNMP:
        Get Community= public
        Set Community= public
        Trusted Host= 0.0.0.0
    Trap:
        Community= public
        Destination= 0.0.0.

Table 224 SNMP Configuration Menu Fields (continued)
Destination: Type the IP address of the station to send your SNMP traps to.

When you have completed this menu, press [ENTER] at the prompt “Press [ENTER] to confirm or [ESC] to cancel” to save your configuration or press [ESC] to cancel and go back to the previous screen.

45.

CHAPTER 46 System Information & Diagnosis

This chapter covers SMT menus 24.1 to 24.4.

46.1 Introduction to System Status

This chapter covers the diagnostic tools that help you to maintain your ZyWALL. These tools include updates on system status, port status and log and trace capabilities. Select menu 24 in the main menu to open Menu 24 - System Maintenance, as shown below.

Figure 355 Menu 24: System Maintenance

    Menu 24 - System Maintenance
    1. 2. 3. 4. 5. 6. 7. 8. 9. 10.

3 There are three commands in Menu 24.1 - System Maintenance - Status. Entering 1 drops the WAN connection, 9 resets the counters and [ESC] takes you back to the previous screen.

Figure 356 Menu 24.1: System Maintenance: Status Menu 24.

Table 226 System Maintenance: Status Menu Fields (continued)
Rx B/s: This field shows the reception speed in Bytes per second on this port.
Up Time: This is the total amount of time the line has been up.
Ethernet Address: This is the Ethernet address of the port listed on the left.
IP Address: This is the IP address of the port listed on the left.
IP Mask: This is the IP mask of the port listed on the left.
Figure 358 Menu 24.2.1: System Maintenance: Information

    Menu 24.2.1 - System Maintenance - Information
    Name:
    Routing: IP
    ZyNOS F/W Version: V4.00(WM.0)b2 | 07/25/2005
    Country Code: 255
    LAN
        Ethernet Address: 00:A0:C5:01:23:45
        IP Address: 192.168.1.1
        IP Mask: 255.255.255.0
        DHCP: Server
    Press ESC or RETURN to Exit:

The following table describes the fields in this screen.

Figure 359 Menu 24.2.2: System Maintenance: Change Console Port Speed

    Menu 24.2.2 - System Maintenance - Change Console Port Speed
    Console Port Speed: 9600
    Press ENTER to Confirm or ESC to Cancel:
    Press Space Bar to Toggle.

46.4 Log and Trace

There are two logging facilities in the ZyWALL. The first is the error logs and trace records that are stored locally. The second is the UNIX syslog facility for message logging.

46.4.

Figure 361 Examples of Error and Information Messages

    52 Thu Jul 1 05:54:53 2004 PP05 ERROR
    53 Thu Jul 1 05:54:53 2004 PINI INFO
    54 Thu Jul 1 05:54:56 2004 PP05 -WARN
    55 Thu Jul 1 05:54:56 2004 PP0d INFO
    57 Thu Jul 1 05:54:56 2004 PP0d INFO
    58 Thu Jul 1 05:54:56 2004 PINI INFO
    59 Thu Jul 1 05:54:56 2004 PINI INFO
    60 Thu Jul 1 05:55:26 2004 PSSV -WARN
    61 Thu Jul 1 05:56:56 2004 PINI INFO
    62 Thu Jul 1 07:50:58 2004 PINI IN
    63 Thu Jul 1 07:53:28 2004
    Clear Error Log (y/n):

Your ZyWALL sends five types of syslog messages.

Filter log Message Format

    SdcmdSyslogSend(SYSLOG_FILLOG, SYSLOG_NOTICE, String);
    String = IP[Src=xx.xx.xx.xx Dst=xx.xx.xx.xx prot spo=xxxx dpo=xxxx] S04>R01mD

IP[…] is the packet header and S04>R01mD means filter set 4 (S) and rule 1 (R), match (m) drop (D).

    Src: Source Address
    Dst: Destination Address
    prot: Protocol ("TCP","UDP","ICMP")
    spo: Source port
    dpo: Destination port

    Mar 03 10:39:43 202.132.155.97 ZyXEL: GEN[fffffffffffnordff0080] }S05>R01mF
    Mar 03 10:41:29 202.
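A parser for the filter log format just shown, as an added Python example that is not ZyXEL code. The sample lines are constructed (only the 202.132.155.97 source host comes from the page's own example line), the regular expressions are assumptions about exact spacing, and drops_by_rule() is a small detection helper layered on top so that a log collector can see which filter rules are actually firing.

```python
"""Parser for the ZyWALL filter-log syslog format shown above:
    IP[Src=a.b.c.d Dst=e.f.g.h prot spo=NNNN dpo=NNNN] SxxRyymA   (TCP/IP rules)
    GEN[hex...] SxxRyymA                                           (generic rules)

Added example, not ZyXEL code.  The sample lines are constructed; the source
host 202.132.155.97 is the one in the page's own example.  Only the "m"
(match) flag is documented on the page, so any other flag letter is simply
recorded as "not matched".
"""
import re
from collections import Counter
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

_LINE_RE = re.compile(r"^(?P<ts>\w{3} \d{2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) ZyXEL: (?P<body>.+)$")
_IP_RE = re.compile(r"^IP\[Src=(?P<src>[\d.]+) Dst=(?P<dst>[\d.]+) (?P<prot>\w+) "
                    r"spo=(?P<spo>\d+) dpo=(?P<dpo>\d+)\]")
_GEN_RE = re.compile(r"^GEN\[(?P<hex>[0-9A-Fa-f]+)\]")
# searched, not matched, so the stray "}" seen before the tag in the page's
# GEN example line does not break parsing
_TAG_RE = re.compile(r"S(?P<set>\d+)>R(?P<rule>\d+)(?P<flag>[a-z])(?P<act>[DF])\s*$")


@dataclass
class FilterLogEvent:
    timestamp: str
    host: str
    kind: str                   # "IP" or "GEN"
    filter_set: int
    rule: int
    matched: bool
    action: str                 # "Drop" or "Forward"
    src: Optional[str] = None
    dst: Optional[str] = None
    prot: Optional[str] = None
    spo: Optional[int] = None
    dpo: Optional[int] = None
    gen_hex: Optional[str] = None


def parse_line(line: str) -> Optional[FilterLogEvent]:
    """Return the decoded event, or None for lines that are not filter logs."""
    m = _LINE_RE.match(line.strip())
    if not m:
        return None
    body = m["body"]
    tag = _TAG_RE.search(body)
    if not tag:
        return None
    common = dict(timestamp=m["ts"], host=m["host"], filter_set=int(tag["set"]),
                  rule=int(tag["rule"]), matched=tag["flag"] == "m",
                  action="Drop" if tag["act"] == "D" else "Forward")
    ip = _IP_RE.match(body)
    if ip:
        return FilterLogEvent(kind="IP", src=ip["src"], dst=ip["dst"], prot=ip["prot"],
                              spo=int(ip["spo"]), dpo=int(ip["dpo"]), **common)
    gen = _GEN_RE.match(body)
    if gen:
        return FilterLogEvent(kind="GEN", gen_hex=gen["hex"], **common)
    return None


def drops_by_rule(lines: List[str]) -> Dict[Tuple[int, int], int]:
    """Count dropped packets per (set, rule): a quick view of which rules fire."""
    c: Counter = Counter()
    for ev in map(parse_line, lines):
        if ev is not None and ev.action == "Drop":
            c[(ev.filter_set, ev.rule)] += 1
    return dict(c)


# Constructed sample lines in the documented format.
SAMPLE = [
    "Mar 03 10:39:43 202.132.155.97 ZyXEL: IP[Src=192.168.1.33 Dst=10.132.50.7 TCP spo=1025 dpo=23] S03>R01mD",
    "Mar 03 10:39:44 202.132.155.97 ZyXEL: IP[Src=192.168.1.34 Dst=10.132.50.7 UDP spo=1026 dpo=53] S03>R02mF",
    "Mar 03 10:39:45 202.132.155.97 ZyXEL: IP[Src=192.168.1.35 Dst=10.132.50.7 TCP spo=1027 dpo=23] S03>R01mD",
    "Mar 03 10:41:29 202.132.155.97 ZyXEL: GEN[0000ff0080] }S05>R01mF",
    "Mar 03 10:41:30 202.132.155.97 ZyXEL: something unrelated",
]

if __name__ == "__main__":
    for line in SAMPLE:
        print(parse_line(line))
    print(drops_by_rule(SAMPLE))
```

Because the ZyWALL tags each line with the set and rule that decided the packet, the counts from drops_by_rule() map straight back to the Filter Rules Summary menu, which makes it easy to spot a rule that never fires (dead configuration) or one that fires far more than expected.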
46.4.3 Call-Triggering Packet
Call-Triggering Packet displays information about the packet that triggered a dial-out call in an easily readable format. Equivalent information is available in menu 24.1 in hex format. An example is shown next.
1 From the main menu, select option 24 to open Menu 24 - System Maintenance.
2 From this menu, select option 4. Diagnostic. This will open Menu 24.4 - System Maintenance - Diagnostic.
Figure 364 Menu 24.4: System Maintenance: Diagnostic
    Menu 24.4 - System Maintenance - Diagnostic
    TCP/IP
      1. Ping Host
      2. WAN DHCP Release
      3. WAN DHCP Renewal
      4. Internet Setup Test
    System
      11. Reboot System
    Enter Menu Selection Number:
    WAN=
    Host IP Address= N/A
46.5.
Table 229 System Maintenance Menu Diagnostic
FIELD  DESCRIPTION
Ping Host: Enter 1 to ping any machine (with an IP address) on your LAN or WAN. Enter its IP address in the Host IP Address field below.
WAN DHCP Release: Enter 2 to release your WAN DHCP settings.
WAN DHCP Renewal: Enter 3 to renew your WAN DHCP settings.
Internet Setup Test: Enter 4 to test the Internet setup. You can also test the Internet setup in Menu 4 - Internet Access.
CHAPTER 47 Firmware and Configuration File Maintenance
This chapter tells you how to back up and restore your configuration file as well as upload new firmware and a new configuration file.
47.1 Introduction
Use the instructions in this chapter to change the ZyWALL’s configuration file or upgrade its firmware. After you configure your ZyWALL, you can back up the configuration file to a computer.
The following table is a summary. Please note that the internal filename refers to the filename on the ZyWALL and the external filename refers to the filename not on the ZyWALL, that is, on your computer, local network or FTP site, and so the name (but not the extension) may vary. After uploading new firmware, see the ZyNOS F/W Version field in Menu 24.2.1 - System Maintenance - Information to confirm that you have uploaded the correct firmware version.
Figure 366 Telnet into Menu 24.5
    Menu 24.5 - Backup Configuration
    To transfer the configuration file to your workstation, follow the procedure below:
    1. Launch the FTP client on your workstation.
    2. Type "open" and the IP address of your router. Then type "root" and SMT password as requested.
    3. Locate the 'rom-0' file.
    4. Type 'get rom-0' to back up the current router configuration to your workstation.
47.3.3 Example of FTP Commands from the Command Line
Figure 367 FTP Session Example
    331 Enter PASS command
    Password:
    230 Logged in
    ftp> bin
    200 Type I OK
    ftp> get rom-0 zyxel.rom
    200 Port command okay
    150 Opening data connection for STOR ras
    226 File received OK
    ftp: 16384 bytes sent in 1.10Seconds 297.89Kbytes/sec.
    ftp> quit
47.3.4 GUI-based FTP Clients
The following table describes some of the commands that you may see in GUI-based FTP clients.
4 The IP you entered in the Secured Client IP field in menu 24.11 does not match the client IP. If it does not match, the ZyWALL will disconnect the Telnet session immediately.
5 You have an SMT console session running.
47.3.6 Backup Configuration Using TFTP
The ZyWALL supports the up/downloading of the firmware and the configuration file using TFTP (Trivial File Transfer Protocol) over LAN. Although TFTP should work over WAN as well, it is not recommended.
47.3.8 GUI-based TFTP Clients
The following table describes some of the fields that you may see in GUI-based TFTP clients.
Table 232 General Commands for GUI-based TFTP Clients
COMMAND  DESCRIPTION
Host: Enter the IP address of the ZyWALL. 192.168.1.1 is the ZyWALL’s default IP address when shipped.
Send/Fetch: Use “Send” to upload the file to the ZyWALL and “Fetch” to back up the file on your computer.
Local File: Enter the path and name of the firmware file (*.
Figure 370 Backup Configuration Example
Type a location for storing the configuration file or click Browse to look for one. Choose the Xmodem protocol. Then click Receive.
4 After a successful backup you will see the following screen. Press any key to return to the SMT menu.
Figure 371 Successful Backup Confirmation Screen
    ** Backup Configuration completed. OK.
    ### Hit any key to continue.###
47.
Figure 372 Telnet into Menu 24.6
    Menu 24.6 -- System Maintenance - Restore Configuration
    To transfer the firmware and configuration file to your workstation, follow the procedure below:
    1. Launch the FTP client on your workstation.
    2. Type "open" and the IP address of your router. Then type "root" and SMT password as requested.
    3.
47.4.2 Restore Using FTP Session Example
Figure 373 Restore Using FTP Session Example
    ftp> put config.rom rom-0
    200 Port command okay
    150 Opening data connection for STOR rom-0
    226 File received OK
    221 Goodbye for writing flash
    ftp: 16384 bytes sent in 0.06Seconds 273.07Kbytes/sec.
    ftp>quit
Refer to Section 47.3.5 on page 611 to read about configurations that disallow TFTP and FTP over WAN.
47.4.
4 After a successful restoration you will see the following screen. Press any key to restart the ZyWALL and return to the SMT menu.
Figure 377 Successful Restoration Confirmation Screen
    Save to ROM
    Hit any key to start system reboot.
47.5 Uploading Firmware and Configuration Files
This section shows you how to upload firmware and configuration files. You can upload configuration files by following the procedure in Section 47.
Figure 378 Telnet Into Menu 24.7.1: Upload System Firmware
    Menu 24.7.1 - System Maintenance - Upload System Firmware
    To upload the system firmware, follow the procedure below:
    1. Launch the FTP client on your workstation.
    2. Type "open" and the IP address of your system. Then type "root" and SMT password as requested.
    3.
47.5.3 FTP File Upload Command from the DOS Prompt Example
1 Launch the FTP client on your computer.
2 Enter “open”, followed by a space and the IP address of your ZyWALL.
3 Press [ENTER] when prompted for a username.
4 Enter your password as requested (the default is “1234”).
5 Enter “bin” to set transfer mode to binary.
6 Use “put” to transfer files from the computer to the ZyWALL, for example, “put firmware.bin ras” transfers the firmware on your computer (firmware.
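The FTP backup, restore and firmware upload procedures above (Sections 47.3 to 47.5), written as a script; this is an added example, not code from the guide or from ZyXEL. It uses the internal names the guide gives (rom-0 for the configuration file, ras for the firmware), the user "root" and binary mode, and adds a hash check so a backup can be verified before it is restored. The FakeZyWALLFTP class is a constructed in-memory stand-in with the same method names as ftplib.FTP, so the example runs without a device; open_session() is what you would use against a real ZyWALL.

```python
import hashlib
import io
from ftplib import FTP

# Internal file names on the ZyWALL as the guide lists them; local (external) names may vary.
INTERNAL_NAMES = {"config": "rom-0", "firmware": "ras"}


def internal_name_for(kind: str) -> str:
    """Map 'config' / 'firmware' to the ZyWALL's internal filename; anything else is rejected
    so a typo cannot write a file under an unexpected name."""
    if kind not in INTERNAL_NAMES:
        raise ValueError("kind must be 'config' or 'firmware'")
    return INTERNAL_NAMES[kind]


def open_session(host: str, password: str, user: str = "root") -> FTP:
    """Open a real FTP session to the ZyWALL (user 'root', SMT password). Not used offline."""
    ftp = FTP()
    ftp.connect(host, 21)
    ftp.login(user, password)
    ftp.voidcmd("TYPE I")          # binary mode: the 'bin' step in the guide's procedure
    return ftp


def backup_config(ftp):
    """Fetch 'rom-0' (the 'get rom-0' step) and return (bytes, sha256 hex digest)."""
    buf = io.BytesIO()
    ftp.retrbinary("RETR rom-0", buf.write)
    data = buf.getvalue()
    return data, hashlib.sha256(data).hexdigest()


def verify_backup(data: bytes, expected_sha256: str) -> bool:
    """Check a stored backup against the digest recorded when it was taken."""
    return hashlib.sha256(data).hexdigest() == expected_sha256


def upload(ftp, data: bytes, kind: str) -> str:
    """Upload a configuration file or firmware image (the 'put <local> rom-0' / 'put <local> ras'
    step). Returns the internal name that was written."""
    remote = internal_name_for(kind)
    ftp.storbinary("STOR " + remote, io.BytesIO(data))
    return remote


class FakeZyWALLFTP:
    """Constructed in-memory stand-in exposing the ftplib.FTP methods used above, so the
    example runs offline. It is not an emulation of the device."""

    def __init__(self):
        # Constructed placeholder image, not a real rom-0.
        self.files = {"rom-0": b"\x5a\x59" + b"constructed-config-image".ljust(62, b"\x00")}
        self.binary = False
        self.user = None

    def login(self, user, passwd):
        self.user = user

    def voidcmd(self, cmd):
        if cmd == "TYPE I":
            self.binary = True

    def retrbinary(self, cmd, callback):
        callback(self.files[cmd.split(" ", 1)[1]])

    def storbinary(self, cmd, fp):
        self.files[cmd.split(" ", 1)[1]] = fp.read()

    def quit(self):
        pass


def demo() -> bool:
    """Back up, verify, and restore the same image; True if the round trip is intact."""
    ftp = FakeZyWALLFTP()
    ftp.login("root", "1234")      # default password from the guide; change it after setup
    ftp.voidcmd("TYPE I")
    data, digest = backup_config(ftp)
    upload(ftp, data, "config")
    ftp.quit()
    return verify_backup(ftp.files["rom-0"], digest)


if __name__ == "__main__":
    print("round trip intact:", demo())
```

Keep the digest with the backup file; restoring a rom-0 that no longer matches it (or one taken from a different unit) is the usual way a restore goes wrong.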
1 Use telnet from your computer to connect to the ZyWALL and log in. Because TFTP does not have any security checks, the ZyWALL records the IP address of the telnet client and accepts TFTP requests only from this address.
2 Put the SMT in command interpreter (CI) mode by entering 8 in Menu 24 – System Maintenance.
3 Enter the command “sys stdio 0” to disable the console timeout, so the TFTP transfer will not be interrupted.
Figure 381 Menu 24.7.1 As Seen Using the Console Port
    Menu 24.7.1 - System Maintenance - Upload System Firmware
    To upload system firmware:
    1. Enter "y" at the prompt below to go into debug mode.
    2. Enter "atur" after "Enter Debug Mode" message.
    3. Wait for "Starting XMODEM upload" message before activating Xmodem upload on your terminal.
    4. After successful firmware upload, enter "atgo" to restart the router.
Figure 383 Menu 24.7.2 As Seen Using the Console Port
    Menu 24.7.2 - System Maintenance - Upload System Configuration File
    To upload system configuration file:
    1. Enter "y" at the prompt below to go into debug mode.
    2. Enter "atlc" after "Enter Debug Mode" message.
    3. Wait for "Starting XMODEM upload" message before activating Xmodem upload on your terminal.
    4. After successful firmware upload, enter "atgo" to restart the system.
    Warning: 1.
CHAPTER 48 System Maintenance Menus 8 to 10
This chapter leads you through SMT menus 24.8 to 24.10.
48.1 Command Interpreter Mode
The Command Interpreter (CI) is a part of the main router firmware. The CI provides much of the same functionality as the SMT, while adding some low-level setup and diagnostic functions. Enter the CI from the SMT by selecting menu 24.8.
The required fields in a command are enclosed in angle brackets <>. The optional fields in a command are enclosed in square brackets []. The | symbol means “or”. For example, sys filter netbios config means that you must specify the type of netbios filter and whether to turn it on or off.
48.1.2 Command Usage
A list of commands can be found by typing help or ? at the command prompt. Always type the full command.
48.2 Call Control Support
The ZyWALL provides two call control functions: budget management and call history. Please note that this menu is only applicable when Encapsulation is set to PPPoE or PPTP in menu 4 or menu 11.1. The budget management function allows you to set a limit on the total outgoing call time of the ZyWALL within certain times.
Figure 388 Budget Management
    Menu 24.9.1 - Budget Management
    Remote Node   Connection Time/Total Budget   Elapsed Time/Total Period
    1.WAN_1       No Budget                      No Budget
    2.WAN_2       No Budget                      No Budget
    3.Dial        No Budget                      No Budget
    Reset Node (0 to update screen):
The total budget is the time limit on the accumulated time for outgoing calls to a remote node. When this limit is reached, the call will be dropped and further outgoing calls to that remote node will be blocked.
Figure 389 Call History
    Menu 24.9.2 - Call History
    Phone Number   Dir   Rate   #call   Max   Min   Total
    1.
    2.
    3.
    4.
    5.
    6.
    7.
    8.
    9.
    10.
    Enter Entry to Delete(0 to exit):
The following table describes the fields in this screen.
Table 235 Call History
FIELD  DESCRIPTION
Phone Number: The PPPoE service names are shown here.
Dir: This shows whether the call was incoming or outgoing.
Rate: This is the transfer rate of the call.
Figure 390 Menu 24: System Maintenance
    Menu 24 - System Maintenance
      1. System Status
      2. System Information and Console Port Speed
      3. Log and Trace
      4. Diagnostic
      5. Backup Configuration
      6. Restore Configuration
      7. Upload Firmware
      8. Command Interpreter Mode
      9. Call Control
      10. Time and Date Setting
      11. Remote Management Setup
    Enter Menu Selection Number:
Enter 10 to go to Menu 24.
Table 236 Menu 24.10 System Maintenance: Time and Date Setting
FIELD  DESCRIPTION
Time Protocol: Enter the time service protocol that your timeserver uses. Not all time servers support all protocols, so you may have to check with your ISP/network administrator or use trial and error to find a protocol that works. The main difference between them is the message format. Daytime (RFC 867) format is day/month/year/time zone of the server.
Table 236 Menu 24.10 System Maintenance: Time and Date Setting
FIELD  DESCRIPTION
End Date (mm-nth-week-hr): Configure the day and time when Daylight Saving Time ends if you selected Yes in the Daylight Saving field. The hr field uses the 24-hour format. Here are a couple of examples: Daylight Saving Time ends in the United States on the last Sunday of October. Each time zone in the United States stops using Daylight Saving Time at 2 A.M. local time.
CHAPTER 49 Remote Management
This chapter covers remote management found in SMT menu 24.11.
49.1 Remote Management
Remote management allows you to determine which services/protocols can access which ZyWALL interface (if any) from which computers. You may manage your ZyWALL from a remote location via:
• Internet (WAN only)
• ALL (LAN&WAN&DMZ&WLAN)
• LAN only
• DMZ only
• WLAN only
• Neither (Disable)
Figure 392 Menu 24.11 – Remote Management Control
    Menu 24.11 - Remote Management Control
    TELNET Server:  Port = 23  Access = ALL  Secure Client IP = 0.0.0.0
    FTP Server:     Port = 21  Access = ALL  Secure Client IP = 0.0.0.0
    SSH Server:     Certificate = auto_generated_self_signed_cert
                    Port = 22  Access = ALL  Secure Client IP = 0.0.0.
    HTTPS Server:
    HTTP Server:
    SNMP Service:
    DNS Service:
49.1.1 Remote Management Limitations
Remote management over LAN or WAN will not work when:
1 A filter in menu 3.1 (LAN) or in menu 11.5 (WAN) is applied to block a Telnet, FTP or Web service.
2 You have disabled that service in menu 24.11.
3 The IP address in the Secure Client IP field (menu 24.11) does not match the client IP address. If it does not match, the ZyWALL will disconnect the session immediately.
4 There is an SMT console session running.
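The checks in menu 24.11 and the four limitations listed above, together with the TFTP source-address rule from the TFTP upload procedure in Section 47.5 (requests are honoured only from the address of the telnet client that prepared the transfer), expressed as a policy evaluator. This is an added example, not code from the guide or from ZyXEL: the FACTORY_STYLE table mirrors the Access = ALL, Secure Client IP = 0.0.0.0 rows shown in Figure 392, while the HARDENED table, the host addresses and the order of the checks are constructed assumptions for illustration.

```python
from dataclasses import dataclass
from ipaddress import ip_address
from typing import Dict, Optional, Tuple

ANY_CLIENT = "0.0.0.0"                      # Secure Client IP value meaning "any client"
INTERFACES = ("LAN", "WAN", "DMZ", "WLAN")


@dataclass(frozen=True)
class ServiceRule:
    port: int
    access: str                             # "ALL", "LAN", "WAN", "DMZ", "WLAN" or "Disable"
    secure_client_ip: str = ANY_CLIENT


# Shape of the menu 24.11 rows in Figure 392 (every service reachable from every interface,
# from any client). The risk: Telnet and FTP are then reachable from the WAN side.
FACTORY_STYLE: Dict[str, ServiceRule] = {
    "TELNET": ServiceRule(23, "ALL"),
    "FTP": ServiceRule(21, "ALL"),
    "SSH": ServiceRule(22, "ALL"),
}

# Constructed hardened variant: Telnet off, FTP and SSH from the LAN and one admin host only.
HARDENED: Dict[str, ServiceRule] = {
    "TELNET": ServiceRule(23, "Disable"),
    "FTP": ServiceRule(21, "LAN", "192.168.1.50"),
    "SSH": ServiceRule(22, "LAN", "192.168.1.50"),
}


def remote_mgmt_decision(config: Dict[str, ServiceRule], service: str, interface: str,
                         client_ip: str, console_session_active: bool = False,
                         filter_blocks: bool = False) -> Tuple[bool, str]:
    """Apply the menu 24.11 settings and the limitations listed above, in the order given."""
    if interface not in INTERFACES:
        raise ValueError("unknown interface: " + interface)
    if filter_blocks:                                       # limitation 1
        return False, "a LAN/WAN filter blocks this service"
    rule = config.get(service)
    if rule is None or rule.access == "Disable":            # limitation 2
        return False, service + " is disabled in menu 24.11"
    if rule.access != "ALL" and rule.access != interface:   # Access scope
        return False, service + " is not permitted on " + interface
    if rule.secure_client_ip != ANY_CLIENT and \
            ip_address(client_ip) != ip_address(rule.secure_client_ip):   # limitation 3
        return False, "client IP does not match Secure Client IP; session is dropped"
    if console_session_active:                              # limitation 4
        return False, "an SMT console session is running"
    return True, "%s allowed on port %d" % (service, rule.port)


def tftp_decision(recorded_telnet_client: Optional[str], request_src: str) -> bool:
    """TFTP carries no authentication, so a request is accepted only from the telnet client
    whose address the ZyWALL recorded; with no recorded session nothing is accepted."""
    if recorded_telnet_client is None:
        return False
    return ip_address(request_src) == ip_address(recorded_telnet_client)


if __name__ == "__main__":
    print(remote_mgmt_decision(FACTORY_STYLE, "TELNET", "WAN", "203.0.113.7"))
    print(remote_mgmt_decision(HARDENED, "TELNET", "LAN", "192.168.1.50"))
    print(remote_mgmt_decision(HARDENED, "SSH", "LAN", "192.168.1.77"))
    print(tftp_decision("192.168.1.50", "192.168.1.77"))
```

Running the factory-style table against a WAN client shows why the Access and Secure Client IP fields are worth setting before the unit goes live; the same evaluator documents what an operator should expect to see rejected.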
CHAPTER 50 IP Policy Routing
This chapter covers setting and applying policies used for IP routing. This chapter applies to the ZyWALL 35 and ZyWALL 70.
50.1 IP Routing Policy Summary
Menu 25 shows the summary of a policy rule, including the criteria and the action of a single policy, and whether a policy is active or not. Each policy occupies two lines: the first holds the criteria applied to the incoming packet and the second holds the action.
Table 238 Menu 25: Sample IP Routing Policy Summary (continued)
FIELD  DESCRIPTION
Criteria/Action: This displays the details about which packets the policy applies to and how the policy has the ZyWALL handle those packets. Refer to Table 239 on page 637 for detailed information.
Select Command: Press [SPACE BAR] to choose from None, Edit, Delete, Go To Rule, Next Page or Previous Page and then press [ENTER].
1 Type 25 in the main menu to open Menu 25 - IP Routing Policy Summary.
2 Select Edit in the Select Command field; type the index number of the rule you want to configure in the Select Rule field and press [ENTER] to open Menu 25.1 - IP Routing Policy Setup (see the next figure).
Figure 394 Menu 25.1: IP Routing Policy Setup
    Menu 25.
Table 240 Menu 25.1: IP Routing Policy Setup
FIELD  DESCRIPTION
port start / end: Source port number range from start to end; applicable only for TCP/UDP.
Destination addr start / end: Destination IP address range from start to end.
port start / end: Destination port number range from start to end; applicable only for TCP/UDP.
Action: Specifies whether action should be taken on criteria Matched or Not Matched.
Figure 395 Menu 25.1.1: IP Routing Policy Setup
    Menu 25.1.1 - IP Routing Policy Setup
    Apply policy to packets received from:
      LAN= No
      DMZ= No
      WLAN= No
      ALL WAN= Yes
      Selected Remote Node index= N/A
    Press ENTER to Confirm or ESC to Cancel:
The following table describes the fields in this screen.
Table 241 Menu 25.1.1: IP Routing Policy Setup
FIELD  DESCRIPTION
LAN/DMZ/WLAN/ALL WAN: Press [SPACE BAR] to select Yes or No.
Figure 396 Example of IP Policy Routing
To force Web packets coming from clients with IP addresses of 192.168.1.33 to 192.168.1.64 to be routed to the Internet via the WAN port of the ZyWALL, follow the steps as shown next.
1 Create a rule in Menu 25.1 - IP Routing Policy Setup as shown next.
Figure 397 IP Routing Policy Example 1
    Menu 25.
4 Create another rule in menu 25.1 for this rule to route packets from any host (IP=0.0.0.0 means any host) with protocol TCP and port FTP access through another gateway (192.168.1.100).
Figure 398 IP Routing Policy Example 2
    Menu 25.1 - IP Routing Policy Setup
    Rule Index= 2
    Active= No
    Criteria:
      IP Protocol = 6
      Type of Service= Don't Care
      Packet length= 10
      Precedence = Don't Care
      Len Comp= Equal
      Source:
        addr start= 0.0.0.
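The two policy rules of this example (Web traffic from 192.168.1.33 to 192.168.1.64 out through the WAN port; TCP FTP traffic from any host via the gateway 192.168.1.100), evaluated against constructed packets by a matcher written for this guide as an added example; it is not the ZyWALL's routing code. It covers the protocol, address range, port range and Matched/Not Matched action fields from Tables 239 and 240 and leaves out the type-of-service, precedence and packet-length criteria. The 0.0.0.0 address convention is the guide's; treating a 0-0 port range as "any port", marking both rules active, and FTP as TCP port 21 are assumptions.

```python
from dataclasses import dataclass
from ipaddress import ip_address
from typing import List, Optional, Tuple

ANY_HOST = ("0.0.0.0", "0.0.0.0")   # addr start/end of 0.0.0.0 means any host (from the guide)
ANY_PORT = (0, 0)                   # assumption: a 0-0 port range means any port
TCP, UDP = 6, 17                    # IP Protocol numbers as entered in menu 25.1


@dataclass(frozen=True)
class Packet:
    protocol: int
    src: str
    sport: int
    dst: str
    dport: int


@dataclass(frozen=True)
class PolicyRule:
    index: int
    active: bool
    protocol: Optional[int]         # None = Don't Care
    src_range: Tuple[str, str]      # Source addr start / end
    src_ports: Tuple[int, int]      # Source port start / end (TCP/UDP only)
    dst_range: Tuple[str, str]      # Destination addr start / end
    dst_ports: Tuple[int, int]      # Destination port start / end (TCP/UDP only)
    action_on: str                  # "Matched" or "Not Matched"
    gateway: str                    # "WAN" or a next-hop IP address


# Constructed rules following the two examples in the text.
RULES: List[PolicyRule] = [
    PolicyRule(1, True, TCP, ("192.168.1.33", "192.168.1.64"), ANY_PORT, ANY_HOST, (80, 80),
               "Matched", "WAN"),
    PolicyRule(2, True, TCP, ANY_HOST, ANY_PORT, ANY_HOST, (21, 21),
               "Matched", "192.168.1.100"),
]


def addr_in_range(addr: str, rng: Tuple[str, str]) -> bool:
    if rng == ANY_HOST:
        return True
    lo, hi = rng
    return ip_address(lo) <= ip_address(addr) <= ip_address(hi)


def port_in_range(port: int, rng: Tuple[int, int]) -> bool:
    if rng == ANY_PORT:
        return True
    lo, hi = rng
    return lo <= port <= hi


def criteria_match(rule: PolicyRule, pkt: Packet) -> bool:
    """True when the packet satisfies every criterion of the rule."""
    if rule.protocol is not None and rule.protocol != pkt.protocol:
        return False
    if not addr_in_range(pkt.src, rule.src_range) or not addr_in_range(pkt.dst, rule.dst_range):
        return False
    if pkt.protocol in (TCP, UDP):      # port criteria apply to TCP/UDP only (Table 240)
        if not port_in_range(pkt.sport, rule.src_ports) or not port_in_range(pkt.dport, rule.dst_ports):
            return False
    return True


def select_gateway(rules: List[PolicyRule], pkt: Packet) -> Optional[str]:
    """Walk active rules in index order; the first whose Matched / Not Matched condition holds
    decides the gateway. None means fall back to the ordinary routing table."""
    for rule in sorted(rules, key=lambda r: r.index):
        if not rule.active:
            continue
        if criteria_match(rule, pkt) == (rule.action_on == "Matched"):
            return rule.gateway
    return None


if __name__ == "__main__":
    print(select_gateway(RULES, Packet(TCP, "192.168.1.40", 1234, "198.51.100.10", 80)))
    print(select_gateway(RULES, Packet(TCP, "192.168.1.200", 1235, "198.51.100.10", 21)))
    print(select_gateway(RULES, Packet(TCP, "192.168.1.200", 1236, "198.51.100.10", 80)))
```

Because the first matching rule wins, the order of rule indexes matters once rules overlap; a quick table of test packets like the ones above is an easy way to confirm a policy set does what was intended before making it active.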
CHAPTER 51 Call Scheduling
Call scheduling allows you to dictate when a remote node should be called and for how long.
51.1 Introduction to Call Scheduling
The call scheduling feature allows the ZyWALL to manage a remote node and dictate when a remote node should be called and for how long. This feature is similar to the scheduler in a videocassette recorder (you can specify a time period for the VCR to record). You can apply up to 4 schedule sets in Menu 11.
Figure 400 Schedule Set Setup
    Menu 26.1 - Schedule Set Setup
    Active= Yes
    How Often= Once
    Start Date(yyyy-mm-dd) = N/A
    Once:
      Date(yyyy-mm-dd)= 2000 - 01 - 01
    Weekdays:
      Sunday= N/A
      Monday= N/A
      Tuesday= N/A
      Wednesday= N/A
      Thursday= N/A
      Friday= N/A
      Saturday= N/A
    Start Time (hh:mm)= 00 : 00
    Duration (hh:mm)= 00 : 00
    Action= Forced On
    Press ENTER to Confirm or ESC to Cancel:
    Press Space Bar to Toggle
If a connection has already been established, your ZyWALL will not drop it.
Table 242 Schedule Set Setup (continued)
FIELD  DESCRIPTION
Action: Forced On means that the connection is maintained whether or not there is a demand call on the line and will persist for the time period specified in the Duration field. Forced Down means that the connection is blocked whether or not there is a demand call on the line. Enable Dial-On-Demand means that this schedule permits a demand call on the line.
Figure 402 Applying Schedule Set(s) to a Remote Node (PPTP)
    Menu 11.
CHAPTER 52 Troubleshooting
This chapter covers potential problems and possible remedies. After each problem description, some instructions are provided to help you to diagnose and to solve the problem. Please see our included disk for further information.
52.1 Problems Starting Up the ZyWALL
Table 243 Troubleshooting the Start-Up of Your ZyWALL
PROBLEM  CORRECTIVE ACTION
None of the LEDs turn on when you turn on the ZyWALL.
52.3 Problems with the DMZ Interface
Table 245 Troubleshooting the DMZ Interface
PROBLEM  CORRECTIVE ACTION
Cannot access servers on the DMZ from the LAN: Check your Ethernet cable type and connections. Refer to the Quick Start Guide for DMZ connection instructions. Make sure the Ethernet adapters on the LAN computer and the DMZ server are installed and functioning properly. Verify that the IP address of the DMZ port and the LAN port are on separate subnets.
52.5 Problems Accessing the ZyWALL
Table 247 Troubleshooting Accessing the ZyWALL
PROBLEM  CORRECTIVE ACTION
Cannot access the ZyWALL: The default password is “1234”. The password field is case sensitive. Make sure that you enter the correct password using the proper casing. Use the Reset button to restore the factory default configuration file. This will restore all of the factory defaults including the password. See Section 2.
• Web browser pop-up windows from your device.
• JavaScripts (enabled by default).
• Java permissions (enabled by default).
Note: Internet Explorer 6 screens are used here. Screens for other Internet Explorer versions may vary.
52.5.1.1 Internet Explorer Pop-up Blockers
You may have to disable pop-up blocking to log into your device.
Figure 404 Internet Options: Privacy
3 Click Apply to save this setting.
52.5.1.1.2 Enable pop-up Blockers with Exceptions
Alternatively, if you only want to allow pop-up windows from your device, see the following steps.
1 In Internet Explorer, select Tools, Internet Options and then the Privacy tab.
2 Select Settings… to open the Pop-up Blocker Settings screen.
Figure 405 Internet Options: Privacy
3 Type the IP address of your device (the web page that you do not want to have blocked) with the prefix “http://”. For example, http://192.168.1.1.
4 Click Add to move the IP address to the list of Allowed sites.
Figure 406 Pop-up Blocker Settings
5 Click Close to return to the Privacy screen.
6 Click Apply to save this setting.
52.5.1.2 JavaScripts
If pages of the web configurator do not display properly in Internet Explorer, check that JavaScripts are allowed.
1 In Internet Explorer, click Tools, Internet Options and then the Security tab.
Figure 407 Internet Options: Security
2 Click the Custom Level... button.
3 Scroll down to Scripting.
4 Under Active scripting make sure that Enable is selected (the default).
5 Under Scripting of Java applets make sure that Enable is selected (the default).
6 Click OK to close the window.
Figure 408 Security Settings - Java Scripting
52.5.1.3 Java Permissions
1 From Internet Explorer, click Tools, Internet Options and then the Security tab.
2 Click the Custom Level... button.
3 Scroll down to Microsoft VM.
4 Under Java permissions make sure that a safety level is selected.
5 Click OK to close the window.
Figure 409 Security Settings - Java
52.5.1.3.1 JAVA (Sun)
1 From Internet Explorer, click Tools, Internet Options and then the Advanced tab.
2 Make sure that Use Java 2 for
Figure 410 Java (Sun)
52.6 Packet Flow
The following is the packet check flow on the ZyWALL.
APPENDIX A Product Specifications
See also the Introduction chapter for a general overview of the key features.
Specification Tables
Table 248 Device Specifications
Default IP Address: 192.168.1.1
Default Subnet Mask: 255.255.255.0 (24 bits)
Default Password: 1234
DHCP Pool: 192.168.1.33 to 192.168.1.160
Dimensions: ZyWALL 70: 355(L) x 200(D) x 55(H) mm; ZyWALL 5 and ZyWALL 35: 242.0(W) x 175.0(D) x 35.
Table 248 Device Specifications (continued)
Operation Humidity: 20% ~ 95% RH (non-condensing)
Storage Humidity: 20% ~ 95% RH (non-condensing)
Certifications: EMC: FCC Class B, CE-EMC Class B, C-Tick Class B, VCCI Class B; Safety: CSA International, CE EN60950-1
MTBF (Mean Time Between Failures) (Bellcore model): ZyWALL 70: 40.9 years; ZyWALL 35: 41.8 years; ZyWALL 5: 41.
Table 250 Firmware Features (continued)
Anti-Spam: Spam, Phishing detection; Configurable white and black lists; SMTP, POP3 support; External Spam database
Content Filtering: Web page blocking by URL keyword; IKE + PKI support; External database content filtering; Java/ActiveX/Cookie/News blocking
Traffic Management: Guaranteed/Maximum Bandwidth; Policy-based Traffic shaping; Priority-bandwidth utilization; Load Balancing (for the ZyWALL 35 and ZyWALL 70)
Bandwidth Management St
Table 250 Firmware Features (continued)
Other Protocol Support: PPP (Point-to-Point Protocol) link layer protocol. Transparent bridging for unsupported network layer protocols.
Compatible ZyXEL WLAN Cards
The following table lists the ZyXEL WLAN cards that you can use in the ZyWALL at the time of writing. It also shows the security features that each card supports.
Note: Check the product page on the www.zyxel.com website for updates on ZyXEL WLAN cards that you can use in the ZyWALL.
Figure 411 WLAN Card Installation
Cable Pin Assignments
In a serial communications connection, generally a computer is DTE (Data Terminal Equipment) and a modem is DCE (Data Circuit-terminating Equipment). The ZyWALL is DCE when you connect a computer to the console port. The ZyWALL is DTE when you connect a modem to the dial backup port (footnote 2: pins 2, 3 and 5 are used).
Figure 412 Console/Dial Backup Port Pin Layout
Table 253 Console/Dial Backup Port Pin Assignments
CONSOLE Port RS-232 (Female) DB-9F:
    Pin 1 = NON, Pin 2 = DCE-TXD, Pin 3 = DCE-RXD, Pin 4 = DCE-DSR, Pin 5 = GND, Pin 6 = DCE-DTR, Pin 7 = DCE-CTS, Pin 8 = DCE-RTS, Pin 9 = NON
DIAL BACKUP RS-232 (Male) DB-9M (not on all models):
    Pin 1 = NON, Pin 2 = DTE-RXD, Pin 3 = DTE-TXD, Pin 4 = DTE-DTR, Pin 5 = GND, Pin 6 = DTE-DSR, Pin 7 = DTE-RTS, Pin 8 = DTE-CTS, Pin 9 = NON
The CON/AUX port also has these pin assignments.
APPENDIX B Hardware Installation
The ZyWALL can be placed on a desktop or rack-mounted on a standard EIA rack. Use the brackets in a rack-mounted installation.
General Installation Instructions
Read all the safety warnings in the beginning of this User's Guide before you begin and make sure you follow them. Perform the installation as follows:
1 Make sure the ZyWALL is off.
2 Install the hardware first.
Figure 414 Attaching Rubber Feet
Note: Do not block the ventilation holes. Leave space between ZyWALLs when stacking.
Rack-mounted Installation Requirements
The ZyWALL can be mounted on an EIA standard size, 19-inch rack or in a wiring closet with other equipment. Follow the steps below to mount your ZyWALL on a standard EIA rack using a rack-mounting kit.
Note: Make sure the rack will safely support the combined weight of all the equipment it contains.
Figure 415 Attaching Mounting Brackets and Screws
3 After attaching both mounting brackets, position the ZyWALL in the rack by lining up the holes in the brackets with the appropriate holes on the rack. Secure the ZyWALL to the rack with the rack-mounting screws.
APPENDIX C Removing and Installing a Fuse
This appendix shows you how to remove and install fuses for the ZyWALL. If you need to install a new fuse, follow the procedure below.
Note: If you use a fuse other than the included fuses, make sure it matches the fuse specifications in the appendix on product specifications.
Removing a Fuse
Note: Disconnect all power from the ZyWALL before you begin this procedure.
1 Place the rear panel of the ZyWALL in front of you.
APPENDIX D Setting up Your Computer’s IP Address
All computers must have a 10M or 100M Ethernet adapter card and TCP/IP installed. Windows 95/98/Me/NT/2000/XP, Macintosh OS 7 and later operating systems and all versions of UNIX/LINUX include the software components you need to install and use TCP/IP on your computer. Windows 3.1 requires the purchase of a third-party TCP/IP application package.
Figure 417 Windows 95/98/Me: Network: Configuration
Installing Components
The Network window Configuration tab displays a list of installed components. You need a network adapter, the TCP/IP protocol and Client for Microsoft Networks.
If you need the adapter:
1 In the Network window, click Add.
2 Select Adapter and then click Add.
3 Select the manufacturer and model of your network adapter and then click OK.
If you need TCP/IP:
1 In the Network window, click Add.
3 Select Microsoft from the list of manufacturers.
4 Select Client for Microsoft Networks from the list of network clients and then click OK.
5 Restart your computer so the changes you made take effect.
Configuring
1 In the Network window Configuration tab, select your network adapter's TCP/IP entry and click Properties.
2 Click the IP Address tab.
• If your IP address is dynamic, select Obtain an IP address automatically.
Figure 419 Windows 95/98/Me: TCP/IP Properties: DNS Configuration
4 Click the Gateway tab.
• If you do not know your gateway’s IP address, remove previously installed gateways.
• If you have a gateway IP address, type it in the New gateway field and click Add.
5 Click OK to save and close the TCP/IP Properties window.
6 Click OK to close the Network window. Insert the Windows CD if prompted.
7 Turn on your Prestige and restart your computer when prompted.
Figure 420 Windows XP: Start Menu
2 In the Control Panel, double-click Network Connections (Network and Dial-up Connections in Windows 2000/NT).
Figure 421 Windows XP: Control Panel
3 Right-click Local Area Connection and then click Properties.
Figure 422 Windows XP: Control Panel: Network Connections: Properties
4 Select Internet Protocol (TCP/IP) (under the General tab in Win XP) and then click Properties.
Figure 423 Windows XP: Local Area Connection Properties
5 The Internet Protocol TCP/IP Properties window opens (the General tab in Windows XP).
• If you have a dynamic IP address click Obtain an IP address automatically.
• If you have a static IP address click Use the following IP Address and fill in the IP address, Subnet mask, and Default gateway fields.
• Click Advanced.
Figure 424 Windows XP: Internet Protocol (TCP/IP) Properties
6 If you do not know your gateway's IP address, remove any previously installed gateways in the IP Settings tab and click OK.
Figure 425 Windows XP: Advanced TCP/IP Properties
7 In the Internet Protocol TCP/IP Properties window (the General tab in Windows XP):
• Click Obtain DNS server address automatically if you do not know your DNS server IP address(es).
• If you know your DNS server IP address(es), click Use the following DNS server addresses, and type them in the Preferred DNS server and Alternate DNS server fields.
Figure 426 Windows XP: Internet Protocol (TCP/IP) Properties
8 Click OK to close the Internet Protocol (TCP/IP) Properties window.
9 Click Close (OK in Windows 2000/NT) to close the Local Area Connection Properties window.
10 Close the Network Connections window (Network and Dial-up Connections in Windows 2000/NT).
11 Turn on your Prestige and restart your computer (if prompted).
Verifying Settings
1 Click Start, All Programs, Accessories and then Command Prompt.
Figure 427 Macintosh OS 8/9: Apple Menu
2 Select Ethernet built-in from the Connect via list.
Figure 428 Macintosh OS 8/9: TCP/IP
3 For dynamically assigned settings, select Using DHCP Server from the Configure: list.
4 For statically assigned settings, do the following:
• From the Configure box, select Manually.
• Type your IP address in the IP Address box.
• Type your subnet mask in the Subnet mask box.
• Type the IP address of your Prestige in the Router address box.
5 Close the TCP/IP Control Panel.
6 Click Save if prompted, to save changes to your configuration.
7 Turn on your Prestige and restart your computer (if prompted).
Figure 430 Macintosh OS X: Network
4 For statically assigned settings, do the following:
• From the Configure box, select Manually.
• Type your IP address in the IP Address box.
• Type your subnet mask in the Subnet mask box.
• Type the IP address of your Prestige in the Router address box.
5 Click Apply Now and close the window.
6 Turn on your Prestige and restart your computer (if prompted).
Verifying Settings
Check your TCP/IP properties in the Network window.
Note: Make sure you are logged in as the root administrator.
Using the K Desktop Environment (KDE)
Follow the steps below to configure your computer IP address using the KDE.
1 Click the Red Hat button (located on the bottom left corner), select System Setting and click Network.
Figure 431 Red Hat 9.0: KDE: Network Configuration: Devices
2 Double-click on the profile of the network card you wish to configure. The Ethernet Device General screen displays as shown.
ZyWALL 5/35/70 Series User’s Guide • • If you have a dynamic IP address, click Automatically obtain IP address settings with and select dhcp from the drop down list. If you have a static IP address, click Statically set IP Addresses and fill in the Address, Subnet mask, and Default Gateway Address fields. 3 Click OK to save the changes and close the Ethernet Device General screen. 4 If you know your DNS server IP address(es), click the DNS tab in the Network Configuration screen.
ZyWALL 5/35/70 Series User’s Guide 1 Assuming that you have only one network card on the computer, locate the ifconfigeth0 configuration file (where eth0 is the name of the Ethernet card). Open the configuration file with any plain text editor. • If you have a dynamic IP address, enter dhcp in the BOOTPROTO= field. The following figure shows an example. Figure 435 Red Hat 9.
ZyWALL 5/35/70 Series User’s Guide Figure 438 Red Hat 9.0: Restart Ethernet Card [root@localhost init.d]# network restart Shutting down interface eth0: Shutting down loopback interface: Setting network parameters: Bringing up loopback interface: Bringing up interface eth0: [OK] [OK] [OK] [OK] [OK] Verifying Settings Enter ifconfig in a terminal screen to check your TCP/IP properties. Figure 439 Red Hat 9.
APPENDIX E IP Subnetting

IP Addressing
Routers “route” based on the network number. The router that delivers the data packet to the correct destination host uses the host ID.

IP Classes
An IP address is made up of four octets (eight bits each), written in dotted decimal notation, for example, 192.168.1.1. IP addresses are categorized into different classes. The class of an address depends on the value of its first octet.
• Class “A” addresses have a 0 in the left most bit.

Since the first octet of a class “A” IP address must contain a “0”, the first octet of a class “A” address can have a value of 0 to 127. Similarly, the first octet of a class “B” address must begin with “10”, therefore the first octet of a class “B” address has a valid range of 128 to 191. The first octet of a class “C” address begins with “110”, and therefore has a range of 192 to 223.

Since the mask is always a continuous run of ones beginning from the left, followed by a continuous run of zeros for the remainder of the 32-bit mask, you can simply specify the number of ones instead of writing the value of each octet. This is usually specified by writing a “/” followed by the number of bits in the mask after the address. For example, 192.1.1.0/25 is equivalent to saying 192.1.1.0 with mask 255.255.255.128.

Note: In the following charts, shaded/bolded last octet bit values indicate host ID bits “borrowed” to form network ID bits. The number of “borrowed” host ID bits determines the number of subnets you can have. The remaining number of host ID bits (after “borrowing”) determines the number of hosts you can have on each subnet.

Table 259 Subnet 1
                      NETWORK NUMBER               LAST OCTET BIT VALUE
IP Address            192.168.1.                   0
IP Address (Binary)   11000000.10101000.00000001.

Example: Four Subnets
The above example illustrated using a 25-bit subnet mask to divide a class “C” address space into two subnets. Similarly, to divide a class “C” address into four subnets, you need to “borrow” two host ID bits to give four possible combinations of 00, 01, 10 and 11. The subnet mask is 26 bits (11111111.11111111.11111111.11000000) or 255.255.255.192.

Table 264 Subnet 4
                      NETWORK NUMBER               LAST OCTET BIT VALUE
IP Address            192.168.1.                   192
IP Address (Binary)   11000000.10101000.00000001.  11000000
Subnet Mask (Binary)  11111111.11111111.11111111.  11000000
Subnet Address: 192.168.1.192      Lowest Host ID: 192.168.1.193
Broadcast Address: 192.168.1.255   Highest Host ID: 192.168.1.254

Example: Eight Subnets
Similarly, use a 27-bit mask to create 8 subnets (001, 010, 011, 100, 101, 110).

Subnetting With Class A and Class B Networks
For class “A” and class “B” addresses the subnet mask also determines which bits are part of the network number and which are part of the host ID. A class “B” address has two host ID octets available for subnetting and a class “A” address has three host ID octets (see Table 254 on page 690) available for subnetting. The following table is a summary for class “B” subnet planning.

Table 267 Class B Subnet Planning NO.
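The subnet tables above are worked by hand for a class “C” network. The following Python script is an added example (not ZyXEL’s code) that computes the same four fields for every subnet produced by “borrowing” a given number of host ID bits, and, because it only looks at the prefix length, it covers class “A” and class “B” planning as well as the class “C” case shown in the tables. The base networks used in it are constructed sample values.

```python
"""Subnet planning helper.

Added example, not ZyXEL's code: given a base network and the number of host
ID bits to "borrow", it lists each subnet with the fields the tables in this
appendix use (subnet address, lowest host ID, broadcast, highest host ID).
The base networks used below are constructed sample values.
"""
import ipaddress


def subnet_plan(network: str, borrowed_bits: int) -> list:
    """Return one dict per subnet obtained by borrowing `borrowed_bits` host bits.

    Works for class A, B and C base networks alike: the ipaddress module only
    cares about the prefix length, so a class B /16 with two borrowed bits
    becomes four /18 subnets the same way a class C /24 becomes four /26s.
    """
    base = ipaddress.ip_network(network, strict=True)
    new_prefix = base.prefixlen + borrowed_bits
    if borrowed_bits < 1 or new_prefix > 30:
        # /31 and /32 leave no room for a network, a broadcast and two hosts
        raise ValueError("borrowed bits must leave at least two host bits")
    plan = []
    for sub in base.subnets(new_prefix=new_prefix):
        plan.append({
            "subnet": str(sub.network_address),
            "mask": str(sub.netmask),
            "prefix": sub.prefixlen,
            # the host range excludes the network and broadcast addresses
            "lowest_host": str(sub.network_address + 1),
            "highest_host": str(sub.broadcast_address - 1),
            "broadcast": str(sub.broadcast_address),
            "usable_hosts": sub.num_addresses - 2,
        })
    return plan


def last_octet_bits(address: str) -> str:
    """Binary form of an address's last octet, as in the LAST OCTET BIT VALUE column."""
    return format(int(address.rsplit(".", 1)[1]), "08b")


def mask_from_prefix(prefix: int) -> str:
    """Dotted-decimal mask for a /prefix, e.g. 25 -> 255.255.255.128."""
    return str(ipaddress.ip_network(f"0.0.0.0/{prefix}").netmask)


if __name__ == "__main__":
    # reproduces Table 264 (subnet 4 of 192.168.1.0/24 with two borrowed bits)
    for entry in subnet_plan("192.168.1.0/24", 2):
        print(entry["subnet"], last_octet_bits(entry["subnet"]),
              entry["lowest_host"], entry["broadcast"], entry["highest_host"])
```

Running it prints one line per subnet; the fourth line matches Table 264 (subnet 192.168.1.192, lowest host .193, broadcast .255, highest host .254). The usable host count is two less than the subnet size because the network and broadcast addresses are reserved.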
APPENDIX F PPPoE

PPPoE in Action
An ADSL modem bridges a PPP session over Ethernet (PPP over Ethernet, RFC 2516) from your computer to an ATM PVC (Permanent Virtual Circuit) which connects to a DSL Access Concentrator where the PPP session terminates (see Figure 440 on page 699). One PVC can support any number of PPP sessions from your LAN. PPPoE provides access control and billing functionality in a manner similar to dial-up services using PPP.

Figure 440 Single-Computer per Router Hardware Configuration

How PPPoE Works
The PPPoE driver makes the Ethernet appear as a serial link to the computer and the computer runs PPP over it, while the modem bridges the Ethernet frames to the Access Concentrator (AC). Between the AC and an ISP, the AC acts as an L2TP (Layer 2 Tunneling Protocol) LAC (L2TP Access Concentrator) and tunnels the PPP frames to the ISP.

APPENDIX G PPTP

What is PPTP?
PPTP (Point-to-Point Tunneling Protocol) is a Microsoft proprietary protocol (RFC 2637 for PPTP is informational only) to tunnel PPP frames. How can we transport PPP frames from a computer to a broadband modem over Ethernet? A solution is to build PPTP into the ANT (ADSL Network Termination) where PPTP is used only over the short haul between the computer and the modem over Ethernet.

PPTP Protocol Overview
PPTP is very similar to L2TP, since L2TP is based on both PPTP and L2F (Cisco’s Layer 2 Forwarding). Conceptually, there are three parties in PPTP, namely the PNS (PPTP Network Server), the PAC (PPTP Access Concentrator) and the PPTP user. The PNS is the box that hosts both the PPP and the PPTP stacks and forms one end of the PPTP tunnel. The PAC is the box that dials/answers the phone calls and relays the PPP frames to the PNS.

Figure 444 Example Message Exchange between Computer and an ANT

PPP Data Connection
The PPP frames are tunneled between the PNS and PAC over GRE (Generic Routing Encapsulation, RFC 1701, 1702). The individual calls within a tunnel are distinguished using the Call ID field in the GRE header.
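To make the Call ID concrete, the following Python parser is an added example (not ZyXEL’s code) that decodes the enhanced GRE header RFC 2637 defines for PPTP data packets: the version field, the 0x880B protocol type, the key field holding the payload length and Call ID, and the optional sequence and acknowledgment numbers. This is the field a router, or a firewall passing PPTP through, uses to tell one call in a tunnel from another. The sample packets are constructed with the helper at the end of the block.

```python
"""Parser for the enhanced GRE header PPTP uses to carry PPP frames (RFC 2637).

Added example, not ZyXEL's code. It shows how the Call ID in the GRE key
field identifies a call inside a PPTP tunnel, which is what a router or a
firewall doing PPTP pass-through keys on. Sample packets are constructed
with build_pptp_gre() below.
"""
import struct

PPTP_GRE_PROTOCOL = 0x880B  # protocol type for PPP carried in enhanced GRE

# Bit masks for the first 16-bit word of the enhanced GRE header
_FLAG_K = 0x2000    # key field present (always set for PPTP)
_FLAG_S = 0x1000    # sequence number present (data packets)
_FLAG_A = 0x0080    # acknowledgment number present
_VER_MASK = 0x0007  # version field; enhanced GRE is version 1


def _u32(packet: bytes, offset: int) -> int:
    if len(packet) < offset + 4:
        raise ValueError("truncated GRE header")
    return struct.unpack(">I", packet[offset:offset + 4])[0]


def parse_pptp_gre(packet: bytes) -> dict:
    """Decode the enhanced GRE header at the start of `packet`.

    Returns the Call ID, optional sequence/ack numbers, the header length and
    the PPP payload. Raises ValueError for anything that is not a well-formed
    PPTP data or acknowledgment packet.
    """
    if len(packet) < 8:
        raise ValueError("truncated GRE header")
    flags_ver, proto, payload_len, call_id = struct.unpack(">HHHH", packet[:8])
    if (flags_ver & _VER_MASK) != 1 or proto != PPTP_GRE_PROTOCOL or not flags_ver & _FLAG_K:
        raise ValueError("not a PPTP enhanced GRE packet")
    offset = 8
    seq = ack = None
    if flags_ver & _FLAG_S:
        seq = _u32(packet, offset)
        offset += 4
    if flags_ver & _FLAG_A:
        ack = _u32(packet, offset)
        offset += 4
    payload = packet[offset:offset + payload_len]
    if len(payload) != payload_len:
        raise ValueError("payload shorter than the advertised length")
    return {"call_id": call_id, "seq": seq, "ack": ack,
            "header_len": offset, "payload": payload}


def is_pptp_gre(packet: bytes) -> bool:
    """Convenience predicate for classifying a GRE packet as PPTP data."""
    try:
        parse_pptp_gre(packet)
        return True
    except ValueError:
        return False


def build_pptp_gre(call_id: int, payload: bytes, seq=None, ack=None) -> bytes:
    """Build a packet in the same format; used here to construct sample input."""
    flags_ver = _FLAG_K | 1  # K=1, Ver=1
    if seq is not None:
        flags_ver |= _FLAG_S
    if ack is not None:
        flags_ver |= _FLAG_A
    header = struct.pack(">HHHH", flags_ver, PPTP_GRE_PROTOCOL, len(payload), call_id)
    if seq is not None:
        header += struct.pack(">I", seq)
    if ack is not None:
        header += struct.pack(">I", ack)
    return header + payload
```

The parser rejects plain (version 0) GRE and anything whose advertised payload length does not fit, so a classifier built on it does not mistake other GRE traffic for PPTP calls. An acknowledgment-only packet carries no payload and no sequence number; the parser returns an empty payload for it.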
APPENDIX H Wireless LANs

Wireless LAN Topologies
This section discusses ad-hoc and infrastructure wireless LAN topologies.

Ad-hoc Wireless LAN Configuration
The simplest WLAN configuration is an independent (Ad-hoc) WLAN that connects a set of computers with wireless stations (A, B, C).

Figure 446 Basic Service Set

ESS
An Extended Service Set (ESS) consists of a series of overlapping BSSs, each containing an access point, with the access points connected together by a wired network. This wired connection between APs is called a Distribution System (DS). This type of wireless LAN topology is called an Infrastructure WLAN.

Figure 447 Infrastructure WLAN

Channel
A channel is the radio frequency (or frequencies) used by IEEE 802.11a/b/g wireless devices. The channels available depend on your geographical area. You may have a choice of channels (for your region), so you should use a different channel than an adjacent AP (access point) to reduce interference. Interference occurs when radio signals from different access points overlap, degrading performance.

Figure 448 RTS/CTS

When station A sends data to the AP, it might not know that station B is already using the channel. If these two stations send data at the same time, collisions may occur when both sets of data arrive at the AP at the same time, resulting in a loss of messages for both stations. RTS/CTS is designed to prevent collisions due to hidden nodes.

A large Fragmentation Threshold is recommended for networks not prone to interference, while you should set a smaller threshold for busy networks or networks that are prone to interference. If the Fragmentation Threshold value you set is smaller than the RTS/CTS value (see previously), then the RTS (Request To Send)/CTS (Clear to Send) handshake will never occur, as data frames will be fragmented before they reach RTS/CTS size.
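The interaction between the two thresholds is easy to get wrong when configuring an AP. The following Python model is an added example (not ZyXEL’s code) that applies the two rules stated above, fragmentation of frames longer than the Fragmentation Threshold and RTS/CTS for transmitted units longer than the RTS/CTS threshold, and flags the configuration in which the handshake can never trigger. Sizes are in bytes; the values used in the checks are constructed.

```python
"""Model of how the Fragmentation Threshold and the RTS/CTS threshold interact.

Added example, not ZyXEL's code. Sizes are in bytes. The rules modelled are
the ones stated in the text: a frame longer than the fragmentation threshold
is split into pieces no larger than that threshold, and the RTS/CTS handshake
is used only for a transmitted unit longer than the RTS/CTS threshold.
"""
import math


def plan_frame(frame_len: int, rts_threshold: int, frag_threshold: int) -> dict:
    """Describe how a frame of `frame_len` bytes would be sent."""
    if min(frame_len, rts_threshold, frag_threshold) <= 0:
        raise ValueError("sizes must be positive")
    if frame_len > frag_threshold:
        fragments = math.ceil(frame_len / frag_threshold)
        unit_len = frag_threshold          # the largest piece actually sent
    else:
        fragments = 1
        unit_len = frame_len
    return {
        "fragments": fragments,
        "unit_len": unit_len,
        "rts_cts": unit_len > rts_threshold,
    }


def check_thresholds(rts_threshold: int, frag_threshold: int) -> str:
    """Flag the configuration the text warns about.

    If the fragmentation threshold is below the RTS/CTS threshold, no
    fragment can ever exceed the RTS/CTS threshold, so the handshake is
    never used and the hidden-node protection is silently lost.
    """
    if frag_threshold < rts_threshold:
        return "RTS/CTS never triggers: fragmentation threshold is below RTS/CTS threshold"
    return "ok"
```

Use check_thresholds() on the pair of values you intend to configure before applying them; plan_frame() shows, for a given frame size, how many fragments result and whether the handshake would be used.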
IEEE 802.1x
In June 2001, the IEEE 802.1x standard was designed to extend the features of IEEE 802.11 to support extended authentication as well as providing additional accounting and control features. It is supported by Windows XP and a number of network devices. Some advantages of IEEE 802.1x are:
• User based identification that allows for roaming.

• Access-Challenge
Sent by a RADIUS server requesting more information in order to allow access. The access point sends a proper response from the user and then sends another Access-Request message.
The following types of RADIUS messages are exchanged between the access point and the RADIUS server for user accounting:
• Accounting-Request
Sent by the access point requesting accounting.

3 The wireless station replies with identity information, including username and password.
4 The RADIUS server checks the user information against its user profile database and determines whether or not to authenticate the wireless station.

Types of Authentication
This section discusses some popular authentication types: EAP-MD5, EAP-TLS, EAP-TTLS, PEAP and LEAP. The type of authentication you use depends on the RADIUS server or the AP.

PEAP (Protected EAP)
Like EAP-TTLS, PEAP uses server-side certificate authentication to establish a secure connection, then uses simple username and password methods through the secured connection to authenticate the clients, thus hiding the client identity. However, PEAP only supports EAP methods, such as EAP-MD5, EAP-MSCHAPv2 and EAP-GTC (EAP-Generic Token Card), for client authentication. EAP-GTC is implemented only by Cisco.

Figure 450 WEP Authentication Steps

Open system authentication involves an unencrypted two-message procedure. A wireless station sends an open system authentication request to the AP, which will then automatically accept and connect the wireless station to the network. In effect, open system is not authentication at all, as any station can gain access to the network. Shared key authentication involves a four-message procedure.

Note: EAP-MD5 cannot be used with Dynamic WEP Key Exchange

For added security, certificate-based authentication types (EAP-TLS, EAP-TTLS and PEAP) use dynamic keys for data encryption. They are often deployed in corporate environments, but for public deployment, a simple user name and password pair is more practical. The following table is a comparison of the features of authentication types.

The Message Integrity Check (MIC) is designed to prevent an attacker from capturing data packets, altering them and resending them. The MIC provides a strong mathematical function in which the receiver and the transmitter each compute and then compare the MIC. If they do not match, it is assumed that the data has been tampered with and the packet is dropped.

In a network environment with multiple access points, wireless stations are able to switch from one access point to another as they move between the coverage areas. This is roaming. As the wireless station moves from place to place, it is responsible for choosing the most appropriate access point depending on the signal strength, network utilization or other factors.

Requirements for Roaming
The following requirements must be met in order for wireless stations to roam between the coverage areas.
1 All the access points must be on the same subnet and configured with the same ESSID.
2 If IEEE 802.1x user authentication is enabled and is to be done locally on the access point, the new access point must have the user profile for the wireless station.
APPENDIX I Triangle Route

The Ideal Setup
When the firewall is on, your ZyWALL acts as a secure gateway between your LAN and the Internet. In an ideal network topology, all incoming and outgoing network traffic passes through the ZyWALL to protect your LAN against attacks.

Figure 452 Ideal Setup

The “Triangle Route” Problem
A traffic route is a path for sending or receiving data packets between two Ethernet devices.

Figure 453 “Triangle Route” Problem

The “Triangle Route” Solutions
This section presents two solutions to the “triangle route” problem.

IP Aliasing
IP alias allows you to partition your network into logical sections over the same Ethernet interface. Your ZyWALL supports up to three logical LAN interfaces, with the ZyWALL being the gateway for each logical network.

Figure 454 IP Alias

Gateways on the WAN Side
A second solution to the “triangle route” problem is to put all of your network gateways on the WAN side, as the following figure shows. This ensures that all incoming network traffic passes through your ZyWALL to your LAN. Therefore your LAN is protected.

Figure 455 Gateways on the WAN Side

Configuring Triangle Route via Commands
1 From the SMT main menu, enter 24.
2 Enter “8” in menu 24 to enter CI command mode.
APPENDIX J Windows 98 SE/Me Requirements for Anti-Virus Message Display

With the anti-virus packet scan, when a virus is detected, an alert message is displayed on Microsoft Windows-based computers. For Windows 98 SE/Me, you must open the WinPopup window in order to view real-time alert messages. For Windows 2000 and later versions, a message window automatically displays when an alert is received.

Click Start, Run and enter “winpopup” in the field provided and click OK.

Figure 457 Windows 98 SE: Program Task Bar

2 Click the Start Menu Programs tab and click Advanced ...

Figure 458 Windows 98 SE: Task Bar Properties

3 Double-click Programs and click StartUp.
4 Right-click in the StartUp pane and click New, Shortcut.

Figure 459 Windows 98 SE: StartUp

5 A Create Shortcut window displays. Enter “winpopup” in the Command line field and click Next.

Figure 460 Windows 98 SE: Startup: Create Shortcut

6 Specify a name for the shortcut or accept the default and click Finish.

Figure 461 Windows 98 SE: Startup: Select a Title for the Program

7 A shortcut is created in the StartUp pane. Restart the computer when prompted.

Figure 462 Windows 98 SE: Startup: Shortcut

Note: The WinPopup window displays after the computer finishes the startup process (see Figure 456 on page 722).
APPENDIX K VPN Setup

This appendix will help you to quickly create an IPSec/VPN connection between two ZyXEL IPSec routers. It should be considered a quick reference for experienced users.

General Notes
• The private networks behind the IPSec routers must be on different subnets. For example, 192.168.10.0/24 and 192.168.20.0/24.

The following pages show a typical configuration that builds a tunnel between two private networks. One network is the headquarters (HQ) and the other is a branch office. Both sites have static (fixed) public addresses. Replace the Remote Gateway Address and Local/Remote Starting IP Address settings with your own values.

VPN Configuration
This section gives a VPN rule configuration example using the web configurator.
1 Click VPN to display the following screen.

Figure 464 Headquarters Gateway Policy Edit
The IP address of the branch office IPSec router.

Figure 465 Branch Office Gateway Policy Edit
The IP address of the headquarters IPSec router.

3 Click the add network policy icon to configure a VPN policy.

Figure 466 Headquarters VPN Rule
Figure 467 Branch Office VPN Rule

4 Configure the screens in the headquarters and the branch office as follows and click Apply.

Figure 468 Headquarters Network Policy Edit
Activate the network policy. IP addresses on different subnets.

Figure 469 Branch Office Network Policy Edit
Activate the network policy. IP addresses on different subnets.

Dialing the VPN Tunnel via Web Configurator
To test whether the IPSec routers can build the VPN tunnel, click the dial icon in the VPN Rules (IKE) screen to have the IPSec routers set up the tunnel.

Figure 470 VPN Rule Configured

The following screen displays.

Figure 471 VPN Dial

This screen displays later if the IPSec routers can build the VPN tunnel.

VPN Troubleshooting
If the IPSec tunnel does not build properly, the problem is likely a configuration error at one of the IPSec routers. Log into the web configurators of both ZyXEL IPSec routers. Check the settings in each field methodically and slowly.

VPN Log
The system log can often help to identify a configuration problem. Use the web configurator LOGS Log Settings screen to enable IKE and IPSec logging at both ends, clear the log and then build the tunnel.

Figure 473 VPN Log Example

ras> sys log disp ike ipsec
 # .time source destination message
0|01/11/2001 18:47:22 |5.6.7.8 |5.1.2.3 Rule [ex-1] Tunnel built successfully
1|01/11/2001 18:47:22 |5.6.7.8 |5.1.2.3 The cookie pair is : 0xDAC0B43FBDE154F5 / 0xC5156C099C3F7DCA
2|01/11/2001 18:47:22 |5.6.7.8 |5.1.2.3 Send:[HASH]
3|01/11/2001 18:47:22 |5.6.7.8 |5.1.2.3 The cookie pair is : 0xDAC0B43FBDE154F5 / 0xC5156C099C3F7DCA
4|01/11/2001 18:47:22 |5.6.7.8 |5.1.2.
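When the log is collected from both ends, the IKE cookie pair is what lets you confirm that the two routers are talking about the same exchange. The following Python parser is an added example (not ZyXEL’s code) for the `sys log disp ike ipsec` output format shown in Figure 473: it splits each row into its columns, records the status logged per VPN rule and collects the cookie pairs so that the headquarters and branch office logs can be matched. HQ_LOG repeats the rows of the figure; BRANCH_LOG is a constructed log for the other end of the same exchange.

```python
"""Parser for the ZyWALL `sys log disp ike ipsec` output shown in Figure 473.

Added example, not ZyXEL's code. It turns each log row into a record,
reports the status the router logged per VPN rule and extracts the IKE
cookie pair, which lets you line up the two ends' logs when a tunnel fails to
build. HQ_LOG repeats the rows of the figure; BRANCH_LOG is a constructed
log for the other end of the same exchange.
"""
import re
from collections import namedtuple

LogEntry = namedtuple("LogEntry", "index time source destination message")

# one row: '0|01/11/2001 18:47:22 |5.6.7.8 |5.1.2.3 Rule [ex-1] Tunnel built successfully'
_ROW = re.compile(
    r"^\s*(?P<index>\d+)\|(?P<time>\d{2}/\d{2}/\d{4} \d{2}:\d{2}:\d{2})\s*\|"
    r"(?P<src>[\d.]+)\s*\|(?P<dst>[\d.]+)\s+(?P<msg>.*?)\s*$")
_COOKIES = re.compile(r"cookie pair is\s*:\s*(0x[0-9A-Fa-f]+)\s*/\s*(0x[0-9A-Fa-f]+)")
_RULE = re.compile(r"Rule \[(?P<rule>[^\]]+)\]\s*(?P<status>.*)")


def parse_ike_log(text: str) -> list:
    """Return a LogEntry per data row; the prompt and column header are skipped."""
    entries = []
    for line in text.splitlines():
        m = _ROW.match(line)
        if m:
            entries.append(LogEntry(int(m["index"]), m["time"], m["src"], m["dst"], m["msg"]))
    return entries


def summarize_tunnel(entries) -> dict:
    """Per-rule status text and the set of IKE cookie pairs seen."""
    rules, cookies = {}, set()
    for e in entries:
        r = _RULE.search(e.message)
        if r:
            rules[r["rule"]] = r["status"]
        c = _COOKIES.search(e.message)
        if c:
            cookies.add(frozenset(c.groups()))  # order-independent pair
    return {"rules": rules, "cookie_pairs": cookies}


def same_ike_exchange(local_entries, remote_entries) -> bool:
    """True when both ends logged a common cookie pair, i.e. the same IKE exchange."""
    a = summarize_tunnel(local_entries)["cookie_pairs"]
    b = summarize_tunnel(remote_entries)["cookie_pairs"]
    return bool(a & b)


HQ_LOG = """ras> sys log disp ike ipsec
 # .time source destination message
0|01/11/2001 18:47:22 |5.6.7.8 |5.1.2.3 Rule [ex-1] Tunnel built successfully
1|01/11/2001 18:47:22 |5.6.7.8 |5.1.2.3 The cookie pair is : 0xDAC0B43FBDE154F5 / 0xC5156C099C3F7DCA
2|01/11/2001 18:47:22 |5.6.7.8 |5.1.2.3 Send:[HASH]
3|01/11/2001 18:47:22 |5.6.7.8 |5.1.2.3 The cookie pair is : 0xDAC0B43FBDE154F5 / 0xC5156C099C3F7DCA
"""

# constructed log for the branch office end of the same exchange
BRANCH_LOG = """ras> sys log disp ike ipsec
 # .time source destination message
0|01/11/2001 18:47:21 |5.1.2.3 |5.6.7.8 The cookie pair is : 0xDAC0B43FBDE154F5 / 0xC5156C099C3F7DCA
1|01/11/2001 18:47:22 |5.1.2.3 |5.6.7.8 Rule [branch-1] Tunnel built successfully
"""
```

If the cookie pairs on the two ends do not intersect, the peers never reached the same IKE exchange, which points at the gateway address or the phase 1 settings rather than at the network policy.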
IPSec Debug
If you are having difficulty building an IPSec tunnel to a non-ZyXEL IPSec router, advanced users may wish to examine the IPSec debug feature (Menu 24.8).

Note: If any of your VPN rules have an active network policy set to nailed-up, using the IPSec debug feature may cause the ZyWALL to continuously display new information. Type ipsec debug level 0 and press [ENTER] to stop it.

Use a VPN Tunnel
A VPN tunnel gives you a secure connection to another computer or network. The VPN Status screen displays whether or not your VPN tunnel is connected. Example VPN tunnel uses are securely sending and retrieving files, and accessing corporate network drives, web servers and email. Services work as if you were at the office instead of connected through the Internet.
APPENDIX L Importing Certificates

This appendix shows examples of importing certificates using Internet Explorer 5.

Import ZyWALL Certificates into Netscape Navigator
In Netscape Navigator, you can permanently trust the ZyWALL’s server certificate by importing it into your operating system as a trusted certification authority. Select Accept This Certificate Permanently in the following screen to do this.

Figure 476 Login Screen

2 Click Install Certificate to open the Install Certificate wizard.

Figure 477 Certificate General Information before Import

3 Click Next to begin the Install Certificate wizard.

Figure 478 Certificate Import Wizard 1

4 Select where you would like to store the certificate and then click Next.

Figure 479 Certificate Import Wizard 2

5 Click Finish to complete the Import Certificate wizard.

Figure 480 Certificate Import Wizard 3

6 Click Yes to add the ZyWALL certificate to the root store.

Figure 482 Certificate General Information after Import

Enrolling and Importing SSL Client Certificates
The SSL client needs a certificate if Authenticate Client Certificates is selected on the ZyWALL. You must have imported at least one trusted CA to the ZyWALL in order for the Authenticate Client Certificates to be active (see the Certificates chapter for details).

Figure 483 ZyWALL Trusted CA Screen

The CA sends you a package containing the CA’s trusted certificate(s), your personal certificate(s) and a password to install the personal certificate(s).

Installing the CA’s Certificate
1 Double click the CA’s trusted certificate to produce a screen similar to the one shown next.

Figure 484 CA Certificate Example

2 Click Install Certificate and follow the wizard as shown earlier in this appendix.

Installing Your Personal Certificate(s)
You need a password in advance. The CA may issue the password or you may have to specify it during the enrollment. Double-click the personal certificate given to you by the CA to produce a screen similar to the one shown next.
1 Click Next to begin the wizard.

Figure 485 Personal Certificate Import Wizard 1

2 The file name and path of the certificate you double-clicked should automatically appear in the File name text box. Click Browse if you wish to import a different certificate.

Figure 486 Personal Certificate Import Wizard 2

3 Enter the password given to you by the CA.

Figure 487 Personal Certificate Import Wizard 3

4 Have the wizard determine where the certificate should be saved on your computer or select Place all certificates in the following store and choose a different location.

Figure 488 Personal Certificate Import Wizard 4

5 Click Finish to complete the wizard and begin the import process.

Figure 489 Personal Certificate Import Wizard 5

6 You should see the following screen when the certificate is correctly installed on your computer.

Figure 490 Personal Certificate Import Wizard 6

Using a Certificate When Accessing the ZyWALL Example
Use the following procedure to access the ZyWALL via HTTPS.
1 Enter https://ZyWALL IP Address/ in your browser’s web address field.

Figure 492 SSL Client Authentication

3 You next see the ZyWALL login screen.
APPENDIX M Command Interpreter

The following describes how to use the command interpreter. Enter 24 in the main menu to bring up the system maintenance menu. Enter 8 to go to Menu 24.8 - Command Interpreter Mode. See the included disk or zyxel.com for more detailed information on these commands.

Note: Use of undocumented commands or misconfiguration can damage the unit and possibly render it unusable.
APPENDIX N Firewall Commands

The following describes the firewall commands. See Appendix M on page 750 for information on the command structure.

Table 271 Firewall Commands
FUNCTION   COMMAND                                          DESCRIPTION
           config edit firewall active                      This command turns the firewall on or off.
           config retrieve firewall                         This command returns the previously saved firewall settings.
           config save firewall                             This command saves the current firewall settings.

Table 271 Firewall Commands (continued)
FUNCTION   COMMAND                                          DESCRIPTION
E-mail     config edit firewall e-mail mail-server          This command sets the IP address to which the e-mail messages are sent.
           config edit firewall e-mail return-addr          This command sets the source e-mail address of the firewall e-mails.

Table 271 Firewall Commands (continued)
FUNCTION   COMMAND                                          DESCRIPTION
Sets       config edit firewall attack minute-high <0-255>  This command sets the threshold rate of new half-open sessions per minute at which the ZyWALL starts deleting old half-open sessions until it gets them down to the minute-low threshold.
           config edit firewall attack minute-low <0-255>   This command sets the threshold of half-open sessions at which the ZyWALL stops deleting half-open sessions.

Table 271 Firewall Commands (continued)
FUNCTION   COMMAND                                          DESCRIPTION
Rules      config edit firewall set tcp-idle-timeout        This command sets how long the ZyWALL lets an inactive TCP connection remain open before considering it closed.
           config edit firewall set log                     This command sets whether or not the ZyWALL creates logs for packets that match the firewall’s default rule set.

Table 271 Firewall Commands (continued)
FUNCTION   COMMAND                                          DESCRIPTION
           config edit firewall set rule destaddrsubnet     This command sets a rule to have the ZyWALL check for traffic with a particular subnet destination (defined by IP address and subnet mask).
APPENDIX O NetBIOS Filter Commands

The following describes the NetBIOS packet filter commands. See Appendix M on page 750 for information on the command structure.

Introduction
NetBIOS (Network Basic Input/Output System) packets are TCP or UDP broadcast packets that enable a computer to connect to and communicate with a LAN. For some dial-up services such as PPPoE or PPTP, NetBIOS packets cause unwanted calls.

The filter types and their default settings are as follows.

Table 272 NetBIOS Filter Default Settings
NAME                  DESCRIPTION                                                                                    EXAMPLE
Between LAN and WAN   This field displays whether NetBIOS packets are blocked or forwarded between the LAN and the WAN.   Block
Between LAN and DMZ   This field displays whether NetBIOS packets are blocked or forwarded between the LAN and the DMZ.   Block

sys filter netbios config 3 on    This command blocks IPSec NetBIOS packets.
sys filter netbios config 4 off   This command stops NetBIOS commands from initiating calls.
APPENDIX P Certificates Commands

The following describes the certificate commands. See Appendix M on page 750 for information on the command structure. All of these commands start with certificates.

Table 273 Certificates Commands
COMMAND                                 DESCRIPTION
my_cert create selfsigned [key size]    Create a self-signed local host certificate. specifies a descriptive name for the generated certificate.

Table 273 Certificates Commands (continued)
COMMAND                                 DESCRIPTION
create cmp_enroll [key size]            Create a certificate request and enroll for a certificate immediately online using the CMP protocol. specifies a descriptive name for the enrolled certificate. specifies the CA server address. specifies the name of the CA certificate. specifies the id and key used for user authentication.

Table 273 Certificates Commands (continued)
COMMAND                                 DESCRIPTION
replace_factory                         Create a certificate using your device MAC address that will be specific to this device. The factory default certificate is a common default certificate for all ZyWALL models.
ca_trusted import                       Import the PEM-encoded certificate from stdin. specifies the name as which the imported CA certificate is to be saved.

Table 273 Certificates Commands (continued)
COMMAND                                 DESCRIPTION
delete                                  Delete the specified trusted remote host certificate. specifies the name of the certificate to be deleted.
list                                    List all trusted remote host certificate names and basic information.
rename                                  Rename the specified trusted remote host certificate. specifies the name of the certificate to be renamed.
APPENDIX Q Brute-Force Password Guessing Protection

Brute-force password guessing protection allows you to specify a wait-time that must expire before entering a fourth password after three incorrect passwords have been entered. The following describes the commands for enabling, disabling and configuring the brute-force password guessing protection mechanism for the password. See Appendix M on page 750 for information on the command structure.
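The mechanism described above is a counter plus a timer, and it is worth seeing exactly what it does and does not refuse. The following Python class is an added example (not ZyXEL’s code and not the ZyWALL’s implementation) that models it: three incorrect passwords start the wait-time, and until it expires every attempt, including a correct one, is refused. The failure limit, the wait-time and the clock are parameters so the behaviour can be exercised offline; the digest comparison is only a stand-in for a real credential check.

```python
"""Model of the brute-force password guessing protection this appendix describes.

Added example, not ZyXEL's code. After three incorrect passwords a wait-time
must expire before a fourth attempt is accepted. The failure limit, the
wait-time and the clock are parameters so the behaviour can be exercised
offline; the password check is a plain digest comparison for the demo and is
not a recommendation for how to store passwords.
"""
import hashlib
import hmac
import time


class LoginGuard:
    def __init__(self, password: str, wait_seconds: float = 60.0,
                 max_failures: int = 3, clock=time.monotonic):
        self._digest = hashlib.sha256(password.encode()).digest()
        self.wait_seconds = wait_seconds
        self.max_failures = max_failures
        self._clock = clock
        self.failures = 0
        self.locked_until = None  # clock value at which the wait-time expires

    def seconds_remaining(self) -> float:
        """How long the wait-time still has to run (0 when not locked)."""
        if self.locked_until is None:
            return 0.0
        return max(0.0, self.locked_until - self._clock())

    def attempt(self, candidate: str) -> tuple:
        """Try one password. Returns (accepted, reason).

        The wait-time is enforced before the password is compared, so a
        correct guess during the wait is refused as well; only after the
        wait-time expires does the counter start again from zero.
        """
        now = self._clock()
        if self.locked_until is not None:
            if now < self.locked_until:
                return False, "wait-time has not expired"
            self.locked_until = None
            self.failures = 0
        candidate_digest = hashlib.sha256(candidate.encode()).digest()
        if hmac.compare_digest(candidate_digest, self._digest):
            self.failures = 0
            return True, "ok"
        self.failures += 1
        if self.failures >= self.max_failures:
            self.locked_until = now + self.wait_seconds
            return False, "wrong password; wait-time started"
        return False, "wrong password"
```

The refusal during the wait-time gives the same answer for right and wrong passwords, so the wait does not leak whether a guess was correct; an attacker is limited to three guesses per wait-time interval, which is the rate this protection is meant to impose.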
APPENDIX R Boot Commands

The BootModule AT commands execute from within the router’s bootup software, when debug mode is selected before the main router firmware is started. When you start up your ZyWALL, you are given a choice to go into debug mode by pressing a key at the prompt shown in the following screen. In debug mode you have access to a series of boot module commands, for example ATUR (for uploading firmware) and ATLC (for uploading the configuration file).

Figure 495 Boot Module Commands

AT      just answer OK
ATHE    print help
ATBAx   change baudrate. 1:38.4k, 2:19.2k, 3:9.6k 4:57.6k 5:115.
ZyWALL 5/35/70 Series User’s Guide APPENDIX S Log Descriptions This appendix provides descriptions of example log messages. Table 275 System Maintenance Logs LOG MESSAGE DESCRIPTION Time calibration is successful The router has adjusted its time based on information from the time server. Time calibration failed The router failed to get information from the time server. WAN interface gets IP: %s A WAN interface got a new IP address from the DHCP, PPPoE, PPTP or dial-up server.
ZyWALL 5/35/70 Series User’s Guide Table 275 System Maintenance Logs (continued) LOG MESSAGE DESCRIPTION Configuration Change: PC = 0x%x, Task ID = 0x%x The router is saving configuration changes. Successful SSH login Someone has logged on to the router’s SSH server. SSH login failed Someone has failed to log on to the router’s SSH server. Successful HTTPS login Someone has logged on to the router's web configurator interface using HTTPS protocol.
ZyWALL 5/35/70 Series User’s Guide Table 276 System Error Logs (continued) LOG MESSAGE DESCRIPTION WAN connection is down. A WAN connection is down. You cannot access the network through this interface. Dial Backup starts Dial backup started working. Dial Backup ends Dial backup stopped working. DHCP Server cannot assign the static IP %S (out of range). The LAN subnet, LAN alias 1, or LAN alias 2 was changed and the specified static DHCP IP addresses are no longer valid.
ZyWALL 5/35/70 Series User’s Guide Table 278 TCP Reset Logs LOG MESSAGE DESCRIPTION Under SYN flood attack, sent TCP RST The router sent a TCP reset packet when a host was under a SYN flood attack (the TCP incomplete count is per destination host.) Exceed TCP MAX incomplete, sent TCP RST The router sent a TCP reset packet when the number of TCP incomplete connections exceeded the user configured threshold. (the TCP incomplete count is per destination host.
ZyWALL 5/35/70 Series User’s Guide For type and code details, see Table 294 on page 785. Table 280 ICMP Logs LOG MESSAGE DESCRIPTION Firewall default policy: ICMP , , ICMP access matched the default policy and was blocked or forwarded according to the user's setting.
ZyWALL 5/35/70 Series User’s Guide Table 282 PPP Logs (continued) LOG MESSAGE DESCRIPTION ppp:LCP Closing The PPP connection’s Link Control Protocol stage is closing. ppp:IPCP Closing The PPP connection’s Internet Protocol Control Protocol stage is closing. Table 283 UPnP Logs LOG MESSAGE DESCRIPTION UPnP pass through Firewall UPnP packets can pass through the firewall.
Table 284 Content Filtering Logs (continued)

LOG MESSAGE
    DESCRIPTION

Connecting to content filter server fail
    The connection to the external content filtering server failed.
License key is invalid
    The external content filtering license key is invalid.

For type and code details, see Table 294 on page 785.

Table 285 Attack Logs

LOG MESSAGE
    DESCRIPTION

attack [ TCP | UDP | IGMP | ESP | GRE | OSPF ]
    The firewall detected a TCP/UDP/IGMP/ESP/GRE/OSPF attack.
Table 285 Attack Logs (continued)

LOG MESSAGE
    DESCRIPTION

Firewall sent TCP packet in response to DoS attack TCP
    The firewall sent a TCP packet in response to a DoS attack.
ICMP Source Quench ICMP
    The firewall detected an ICMP Source Quench attack.
ICMP Time Exceed ICMP
    The firewall detected an ICMP Time Exceed attack.
ICMP Destination Unreachable ICMP
    The firewall detected an ICMP Destination Unreachable attack.
ping of death.
Table 287 Wireless Logs

LOG MESSAGE
    DESCRIPTION

WLAN MAC Filter Fail
    The MAC filter blocked a wireless station from connecting to the device.
WLAN MAC Filter Success
    The MAC filter allowed a wireless station to connect to the device.
WLAN STA Association
    A wireless station associated with the device.
WLAN STA Association List Full
    The maximum number of associated wireless clients has been reached.
Table 289 IKE Logs

LOG MESSAGE
    DESCRIPTION

Active connection allowed exceeded
    The IKE process for a new connection failed because the limit of simultaneous phase 2 SAs has been reached.
Start Phase 2: Quick Mode
    Phase 2 Quick Mode has started.
Verifying Remote ID failed:
    The connection failed during IKE phase 2 because the router and the peer’s Local/Remote Addresses don’t match.
Table 289 IKE Logs (continued)

LOG MESSAGE
    DESCRIPTION

Remote IP / conflicts
    The security gateway is set to “0.0.0.0” and the router used the peer’s “Local Address” as the router’s “Remote Address”. This information conflicted with static rule #d; thus the connection is not allowed.
Phase 1 ID type mismatch
    This router’s "Peer ID Type" is different from the peer IPSec router's "Local ID Type".
Table 289 IKE Logs (continued)

LOG MESSAGE
    DESCRIPTION

Rule [%d] Phase 2 authentication algorithm mismatch
    The listed rule’s IKE phase 2 authentication algorithm did not match between the router and the peer.
Rule [%d] Phase 2 encapsulation mismatch
    The listed rule’s IKE phase 2 encapsulation did not match between the router and the peer.
Table 290 PKI Logs

LOG MESSAGE
    DESCRIPTION

Enrollment successful
    The SCEP online certificate enrollment was successful. The Destination field records the certification authority server IP address and port.
Enrollment failed
    The SCEP online certificate enrollment failed. The Destination field records the certification authority server’s IP address and port.
Table 291 Certificate Path Verification Failure Reason Codes

CODE  DESCRIPTION
1     Algorithm mismatch between the certificate and the search constraints.
2     Key usage mismatch between the certificate and the search constraints.
3     Certificate was not valid in the time interval.
4     (Not used)
5     Certificate is not valid.
6     Certificate signature was not verified correctly.
7     Certificate was revoked by a CRL.
8     Certificate was not added to the cache.
Table 292 802.1X Logs (continued)

LOG MESSAGE
    DESCRIPTION

Local User Database does not find user’s credential.
    A user was not authenticated by the local user database because the user is not listed in the local user database.
RADIUS accepts user.
    A user was authenticated by the RADIUS Server.
RADIUS rejects user. Pls check RADIUS Server.
    A user was not authenticated by the RADIUS Server. Please check the RADIUS Server.
Table 293 ACL Setting Notes (continued)

PACKET DIRECTION  DIRECTION
    DESCRIPTION

(L to L/ZW)  LAN to LAN/ZyWALL
    ACL set for packets traveling from the LAN to the LAN or the ZyWALL.
(W to W/ZW)  WAN to WAN/ZyWALL
    ACL set for packets traveling from the WAN to the WAN or the ZyWALL.
(D to D/ZW)  DMZ to DMZ/ZyWALL
    ACL set for packets traveling from the DMZ to the DMZ or the ZyWALL.
(L to WL)  LAN to WLAN
    ACL set for packets traveling from the LAN to the WLAN.
Table 294 ICMP Notes (continued)

TYPE
    CODE  DESCRIPTION

Time Exceeded (type 11)
    0  Time to live exceeded in transit
    1  Fragment reassembly time exceeded
Parameter Problem (type 12)
    0  Pointer indicates the error
Timestamp (type 13)
    0  Timestamp request message
Timestamp Reply (type 14)
    0  Timestamp reply message
Information Request (type 15)
    0  Information request message
Information Reply (type 16)
    0  Information reply message

Table 295 IDP Logs

LOG MESSAGE
    DESCRIPTION

The buffer size is too small!
    Th
Table 295 IDP Logs (continued)

LOG MESSAGE
    DESCRIPTION

Signature update OK - New signature version: Release Date: !
    The device updated the signature file successfully. The signature file’s version and release date are included.
The turbo card is not ready , please insert the card and reboot!
    The turbo card is not installed.
Table 296 AV Logs (continued)

LOG MESSAGE
    DESCRIPTION

The turbo card is not ready , please insert the card and reboot!
    The turbo card is not installed.
The system is doing signature update now , please wait!
    The device is updating the signature file.

Table 297 AS Logs

LOG MESSAGE
    DESCRIPTION

Mail is in the Black List - Mail From:%EMAIL_ADDRESS% Subject:%MAIL_SUBJECT%!
    An e-mail with the listed source and subject matched an anti-spam blacklist entry.
Table 297 AS Logs (continued)

LOG MESSAGE
    DESCRIPTION

Remove rating server [%Rating Server IP Address%] from server list!
    The listed server IP address has been removed from the list of antispam external database servers.
"This is a phishing mail - Spam Score:%d Mail
    The spam score (listed) for the e-mail with the listed source and subject was higher than the spam score threshold. The anti-spam external database identified the e-mail as a phishing mail.
Syslog Logs

There are two types of syslog: event logs and traffic logs. The device generates an event log when a system event occurs, for example, when a user logs in or the device is under attack. The device generates a traffic log when a "session" is terminated. A traffic log summarizes the session's type, when it started and stopped, the amount of traffic that was sent and received, and so on.
Table 298 Syslog Logs (continued)

LOG MESSAGE
    DESCRIPTION

Event Log: Mon dd hr:mm:ss hostname src="" dst="" ob="<0|1>" ob_mac="" msg="" note="" devID="" cat="IDP" class="" sid=" act="" count="1"
    This message is sent by the device ("RAS" displays as the system name if you haven’t configured one) at the time when this syslog is generated.
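As an added example (not from the user's guide), a Python parser for the event log format above: it splits the key="value" fields, decodes the packet-direction note in msg using the rows of Table 293 that appear here, and tallies blocked events per source address. The sample lines and their field values are constructed for the example; field names follow the manual.

```python
import re
from collections import Counter

# Direction notes from the ACL Setting Notes table (only the rows shown on this page).
ACL_DIRECTIONS = {
    "(L to L/ZW)": "LAN to LAN/ZyWALL",
    "(W to W/ZW)": "WAN to WAN/ZyWALL",
    "(D to D/ZW)": "DMZ to DMZ/ZyWALL",
    "(L to WL)": "LAN to WLAN",
}

FIELD_RE = re.compile(r'(\w+)="([^"]*)"')  # key="value" pairs of an event log line
DIRECTION_RE = re.compile(r"\((?:WL|L|W|D) to (?:WL|L|W|D)(?:/ZW)?\)")


def parse_event_log(line):
    """Parse 'Mon dd hr:mm:ss hostname' followed by key="value" fields.

    The hostname is "RAS" when no system name has been configured."""
    start = line.find(' src="')
    prefix = line[:start].split() if start > 0 else []
    if len(prefix) < 4:
        raise ValueError("not a ZyWALL event log line: %r" % line)
    event = {"time": " ".join(prefix[:3]), "host": prefix[3]}
    event.update(FIELD_RE.findall(line[start:]))
    m = DIRECTION_RE.search(event.get("msg", ""))
    event["direction"] = ACL_DIRECTIONS.get(m.group(0), m.group(0)) if m else None
    event["count"] = int(event.get("count", "1"))  # repeated events carry count > 1
    return event


def blocked_by_source(lines):
    """Tally blocked events per source address, weighted by each line's count."""
    tally = Counter()
    for line in lines:
        event = parse_event_log(line)
        if event.get("act", "").upper() == "BLOCK":
            tally[event["src"]] += event["count"]
    return tally


# Constructed sample lines (not captured from a device; values are invented).
SAMPLE_EVENT_LOGS = [
    'Jun  8 05:58:21 RAS src="172.21.4.154" dst="224.0.1.24" ob="0" ob_mac="" '
    'msg="Firewall default policy: IGMP (W to W/ZW)" note="ACCESS BLOCK" devID="" '
    'cat="ACCESS" class="" sid="" act="BLOCK" count="1"',
    'Jun  8 05:58:25 RAS src="172.21.4.154" dst="10.0.0.7" ob="0" ob_mac="" '
    'msg="Firewall default policy: TCP (L to WL)" note="ACCESS BLOCK" devID="" '
    'cat="ACCESS" class="" sid="" act="BLOCK" count="3"',
    'Jun  8 05:58:30 RAS src="172.21.3.56" dst="10.0.0.9" ob="0" ob_mac="" '
    'msg="Firewall default policy: UDP (L to L/ZW)" note="ACCESS FORWARD" devID="" '
    'cat="ACCESS" class="" sid="" act="FORWARD" count="1"',
]
```

Feeding the device's syslog export through `blocked_by_source` gives a per-host count of firewall blocks that can be thresholded for alerting.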
Log Commands

Go to the command interpreter interface. Appendix M on page 750 explains how to access and use the commands.

Configuring What You Want the ZyWALL to Log

1 Use the sys logs load command to load the log setting buffer that allows you to configure which logs the ZyWALL is to record.
2 Use sys logs category to view a list of the log categories.
• Use the sys logs clear command to erase all of the ZyWALL’s logs.

Log Command Example

This example shows how to set the ZyWALL to record the access logs and alerts and then view the results.

ras> sys logs load
ras> sys logs category access 3
ras> sys logs save
ras> sys logs display access

#  .time                source        destination  message
0|06/08/2004 05:58:21 |172.21.4.154 |224.0.1.24 BLOCK Firewall default policy: IGMP (W to W/ZW)
1|06/08/2004 05:58:20 |172.21.3.56 |239.255.
Index

Numerics 10/100 Mbps Ethernet WAN 51 110V AC 5 230V AC 5
A Abnormal Working Conditions 6 AC 5 Access control 243 Access Point 541 Accessories 5 Action for Matched Packets 221 Action for No Spam Score 269 Action for Spam Mails 267 Active 515, 517, 548 Acts of God 6 Address Assignment 138, 414 Advanced Encryption Standard (AES) 300 AES 300 AH 300, 304 Airflow 5 alert message 722 ALG 52, 462 Allocated Budget 516, 550 Alternative Subnet Mask Notation 692 Anti-Probing 2
C CA 711 Cable Modem 199 Cables, Connecting 5 Call Back Delay 514 Call Control 626 Call History 627, 628 Call Scheduling 55, 644 Max Number of Schedule Sets 644 PPPoE 646 Precedence 644 Call-Triggering Packet 604 CardBus slot 52 Central Network Management 56 certificate 317 Certificate Authority 711 Certifications 3 Changes or Modifications 3 Changing the Password 502 Channel 706 Interference 706 Channel ID 187, 541 CHAP 515, 550 Charge 6 Circuit 3 Class B 3 Command Inter
DNS 448 DNS Server For VPN Host 415 Domain Name 138, 272, 380, 480, 599 DoS Basics 200 Types 201 DoS (Denial of Service) 53 Drop Timeout 514 DSL Modem 58, 549 DTR 155, 513 Dust 5 Dynamic DNS 424 Dynamic DNS Support 56 Dynamic WEP Key Exchange 713 DYNDNS Wildcard 415, 424
E EAP 178, 179, 183 EAP Authentication 710, 711 ECHO 380 Edit IP 516, 548 e-Donkey 243 Efficiency 265 Electric Shock 5 Electrical Pipes 5 E-Mail 272 E-mail Attributes 265 E-mail virus 254 e-Mule 243 Enab
Firmware File Maintenance 608 Fitness 6 Flow Control 496 Fragmentation Threshold 707 Fragmentation threshold 707 France, Contact Information 7 Fraudsters 264 FTP 380, 424, 428, 443, 610, 634 File Upload 619 GUI-based Clients 611 Restoring Files 614 FTP File Transfer 617 FTP Restrictions 428, 611, 634 FTP Server 57, 571 Full Network Management 57 Functionally Equivalent 6 Fuse Replacement 672 Type 660
G Gas Pipes 5 Gateway IP Addr 552 Gateway IP Address 529, 557 Gateway P
IP Addressing 690 IP Alias 56, 526 IP Alias Setup 526 IP Classes 690 IP Multicast 56 Internet Group Management Protocol (IGMP) 56 IP Policy Routing 56 IP Pool 110, 160, 172, 524 IP Pool Setup 106 IP Ports 200 IP Routing Policy (IPPR) 392 Benefits 392 Cost Savings 392 Criteria 392 Load Sharing 392 IP Spoofing 201, 204 IP Static Route 556, 557 Active 557 Destination IP Address 557 IP Subnet Mask 557 Name 557 Route Number 557 IP Subnet Mask 518, 526 Remote 518 IPSec 298 IPSe
MIME 269 MIME Header 272 MIME Headers 266 MIME Value 272 Modifications 3 MSDU 541 Multicast 108, 110, 172, 519, 525, 553 Multimedia 231, 465 Multipurpose Internet Mail Extensions 266 Mutation virus 254 My IP Addr 551 My Login 515, 548 My Login Name 529 My Password 515, 529, 548 My Server IP Addr 551 My WAN Address 518 MyDoom 237, 239 mySecurity Zone 250, 259 myZyXEL.
Levels 244 Policy-based Routing 392 Polyphormic virus 254 Pool 5 POP2 265 POP3 200, 265, 267, 269, 380 Port Forwarding 57 Port Restricted Cone NAT 373 port scans 236 Post Office Protocol 265 Postage Prepaid.
Return Material Authorization (RMA) Number 6 Returned Products 6 Returns 6 RFC 1889 463 RFC 3489 465 Rights 2 Rights, Legal 6 RIP 107, 108, 519, 525, 526, 553 Direction 526 Version 526, 553 Risk 5 Risks 5 RMA 6 RoadRunner Support 57 Roaming 715 Example 716 Requirements 717 Root bridge 119 Root Class 406 Route 548 Routing Policy 392 RTC 482, 628 RTC See Real Time Chip 52 RTP 463 RTS (Request To Send) 707 RTS (Request To Send) threshold 187 RTS Threshold 706, 707 RTS/CTS ha
SSH 53, 437 SSH Implementation 438 startup 724 Stateful Inspection 53, 198, 199, 204, 205 Process 205 ZyWALL 206 Static Route 388 Storage Space 270 STP (Spanning Tree Protocol) 52 STP Port States 120 STP See Spanning Tree Protocol 118 STP Terminology 119 SUA (Single User Account) 374, 558 Sub-class Layers 406 Subnet Mask 107, 109, 121, 171, 221, 272, 518, 525, 529, 552, 557 Subnet Masks 691 Subnetting 691 Supply Voltage 5 Support E-mail 7 Supporting Disk 48 Sweden, Contac
Unsolicited Commercial E-mail 262 Upload Firmware 617 UPnP 54, 452 UPnP Examples 455 UPnP Port Mapping 454 Upper Layer Protocols 206, 207 Use Server Detected IP 509 User Authentication 183, 714 User Name 506 User Profiles 366
V Value 6 Vendor 5 Ventilation Slots 5 Viewing Certifications 3 Virtual Private Network 53 virus 244 Virus attack 254 Virus life cycle 254 Voltage Supply 5 Voltage, High 5 VPN 146 encapsulation 300 keep alive 306 key management 300 secure gateway 30