ZyWALL 5/35/70 Series Internet Security Appliance User’s Guide
Version 4.04
03/2008
Edition 1

DEFAULT LOGIN
IP Address: http://192.168.1.1
Password: 1234

www.zyxel.
About This User's Guide

Intended Audience
This manual is intended for people who want to configure the ZyWALL using the web configurator or System Management Terminal (SMT). You should have at least a basic knowledge of TCP/IP networking concepts and topology.

Related Documentation
• Quick Start Guide
The Quick Start Guide is designed to help you get up and running right away. It contains information on setting up your network and configuring for Internet access.
Document Conventions

Warnings and Notes
These are how warnings and notes are shown in this User’s Guide.

Warnings tell you about things that could harm you or your device.

Notes tell you other important information (for example, other things you may need to configure or helpful tips) or recommendations.

Syntax Conventions
• The ZyWALL 5/35/70 series may be referred to as the “ZyWALL”, the “device” or the “system” in this User’s Guide.
Icons Used in Figures
Figures in this User’s Guide may use the following generic icons. The ZyWALL icon is not an exact representation of your device.
Safety Warnings

For your safety, be sure to read and follow all warning notices and instructions.
• Do NOT use this product near water, for example, in a wet basement or near a swimming pool.
• Do NOT expose your device to dampness, dust or corrosive liquids.
• Do NOT store things on the device.
• Do NOT install, use, or service this device during a thunderstorm. There is a remote risk of electric shock from lightning.
• Connect ONLY suitable accessories to the device.
This product is recyclable. Dispose of it properly.
Contents Overview

Introduction (49)
Getting to Know Your ZyWALL (51)
Hardware Installation (55)
Introducing the Web Configurator

Reports, Logs and Maintenance (537)
Reports Screens (539)
Logs Screens (555)
Maintenance Screens
Table of Contents

About This User's Guide (3)
Document Conventions (4)
Safety Warnings (6)
Contents Overview

3.2 Accessing the ZyWALL Web Configurator (61)
3.3 Resetting the ZyWALL (63)
3.3.1 Procedure To Use The Reset Button (63)
3.3.2 Uploading a Configuration File Via Console Port (63)
3.

5.1.5 Using the Dynamic VPN Rule for More VPN Tunnels (119)
5.2 Security Settings for VPN Traffic (119)
5.2.1 IDP for From VPN Traffic Example (120)
5.2.2 IDP for To VPN Traffic Example (121)
5.

8.1 Overview (161)
8.1.1 What You Can Do in the Bridge Screens (161)
8.1.2 What You Need To Know About Bridging (162)
8.2 The Bridge Screen

Chapter 11 WLAN Screens (219)
11.1 Overview (219)
11.1.1 What You Can Do in the WLAN Screens (219)
11.1.2 What You Need to Know About WLAN

13.7 The Firewall Thresholds Screen (264)
13.8 The Firewall Services Screen (266)
13.8.1 The Firewall Edit Custom Service Screen (267)
13.8.2 My Service Firewall Rule Example (268)
13.

16.1.1 What You Can Do in the Antispam Screens (313)
16.1.2 What You Need to Know About Antispam (314)
16.2 The General Screen (315)
16.3 The External DB Screen (318)
16.

19.11 Telecommuter VPN/IPSec Examples (382)
19.11.1 Telecommuters Sharing One VPN Rule Example (383)
19.11.2 Telecommuters Using Unique VPN Rules Example (383)
19.12 VPN and Remote Management (385)
19.13 Hub-and-spoke VPN

Chapter 22 Network Address Translation (NAT) (435)
22.1 Overview (435)
22.1.1 What You Can Do Using the NAT Screens (435)
22.1.2 What You Need To Know About NAT

25.2 The Summary Screen (467)
25.2.1 Maximize Bandwidth Usage Example (470)
25.2.2 Reserving Bandwidth for Non-Bandwidth Class Traffic (471)
25.3 The Class Setup Screen (471)
25.

27.9 The SNMP Screen (510)
27.9.1 Configuring the SNMP Screen (512)
27.10 The DNS Screen (513)
27.11 The CNM Screen

31.2.4 System Reports Specifications (545)
31.3 The IDP Screen (545)
31.4 The Anti-Virus Screen (547)
31.5 The Anti-Spam Screen

34.3 Navigating the SMT Interface (606)
34.3.1 Main Menu (607)
34.3.2 SMT Menus Overview (609)
34.4 Changing the System Password

39.1 Configuring DMZ Setup (645)
39.2 DMZ Port Filter Setup (645)
39.3 TCP/IP Setup (646)
39.3.1 IP Address

44.3 Configuring a Server behind NAT (681)
44.4 General NAT Examples (683)
44.4.1 Internet Access Only (683)
44.4.2 Example 2: Internet Access with a Default Server

48.3.2 Console Port Speed (716)
48.4 Log and Trace (717)
48.4.1 Viewing Error Log (717)
48.4.2 Syslog Logging

50.2.1 Budget Management (740)
50.2.2 Call History (741)
50.3 Time and Date Setting (742)
Chapter 51 Remote Management

Appendix C Wireless LANs (787)
Appendix D Windows 98 SE/Me Requirements for Anti-Virus Message Display (801)
Appendix E Legal Information (805)
Appendix F Customer Support (809)
Index
List of Figures

Figure 1 Secure Internet Access via Cable, DSL or Wireless Modem (52)
Figure 2 VPN Application (53)
Figure 3 3G WAN Application (53)
Figure 4 Attaching Rubber Feet

Figure 39 VPN Wizard Setup Complete (104)
Figure 40 Anti-Spam Wizard: Email Server Location Setting (105)
Figure 41 Anti-Spam Wizard: Direction Recommendations (106)
Figure 42 Anti-Spam Wizard: Direction Configuration

Figure 82 LAN and WAN (149)
Figure 83 NETWORK > LAN (153)
Figure 84 NETWORK > LAN > Static DHCP (156)
Figure 85 Physical Network & Partitioned Logical Networks

Figure 125 WLAN Port Role Example (226)
Figure 126 NETWORK > WLAN > Port Roles (227)
Figure 127 NETWORK > WLAN > Port Roles: Change Complete (227)
Figure 128 WLAN Overview

Figure 168 SECURITY > IDP > Signature: Query View (285)
Figure 169 SECURITY > IDP > Signature: Query by Partial Name (287)
Figure 170 SECURITY > IDP > Signature: Query by Complete ID (288)
Figure 171 Signature Query by Attribute

Figure 211 SECURITY > VPN > VPN Rules (IKE) > Edit Network Policy (368)
Figure 212 SECURITY > VPN > VPN Rules (IKE) > Edit Network Policy > Port Forwarding (373)
Figure 213 SECURITY > VPN > VPN Rules (IKE) > Move Network Policy (374)
Figure 214 SECURITY > VPN > VPN Rules (Manual)

Figure 254 Multiple Servers Behind NAT Example (442)
Figure 255 Port Translation Example (443)
Figure 256 ADVANCED > NAT > Port Forwarding (444)
Figure 257 Trigger Port Forwarding Process: Example

Figure 297 SSL Client Authentication (502)
Figure 298 Secure Web Configurator Login Screen (502)
Figure 299 SSH Example 1: Store Host Key (503)
Figure 300 SSH Example 2: Test

Figure 340 MAINTENANCE > General Setup (586)
Figure 341 MAINTENANCE > Password (587)
Figure 342 MAINTENANCE > Time and Date (588)
Figure 343 Synchronization in Process

Figure 383 Menu 4: Internet Access Setup (Ethernet) (640)
Figure 384 Internet Access Setup (PPTP) (642)
Figure 385 Internet Access Setup (PPPoE) (643)
Figure 386 Menu 5: DMZ Setup

Figure 426 Example 3: Menu 11.1.2 (687)
Figure 427 Example 3: Menu 15.1.1.1 (687)
Figure 428 Example 3: Final Menu 15.1.1 (688)
Figure 429 Example 3: Menu 15.2.1

Figure 469 Restore Using FTP Session Example (732)
Figure 470 System Maintenance: Restore Configuration (732)
Figure 471 System Maintenance: Starting Xmodem Download Screen (732)
Figure 472 Restore Configuration Example
List of Tables

Table 1 ZyWALL Model Specific Features (52)
Table 2 Front Panel Lights (59)
Table 3 Title Bar: Web Configurator Icons (64)
Table 4 Web Configurator HOME Screen in Router Mode

Table 39 Load Balancing: Weighted Round Robin (180)
Table 40 Load Balancing: Spillover (181)
Table 41 Private IP Address Ranges (182)
Table 42 NETWORK > WAN > WAN (Ethernet Encapsulation)

Table 82 SECURITY > IDP > Signature: Query View (285)
Table 83 SECURITY > IDP > Anomaly (290)
Table 84 SECURITY > IDP > Update (292)
Table 85 SECURITY > ANTI-VIRUS > General

Table 125 SECURITY > CERTIFICATES > Directory Servers (425)
Table 126 SECURITY > CERTIFICATES > Directory Server > Add (426)
Table 127 SECURITY > AUTH SERVER > Local User Database (430)
Table 128 SECURITY > AUTH SERVER > RADIUS

Table 168 REPORTS > Anti-Spam (549)
Table 169 REPORTS > E-mail Report (552)
Table 170 LOGS > View Log (556)
Table 171 Log Description Example

Table 211 Menu 1: General Setup (Bridge Mode) (614)
Table 212 Menu 1.1: Configure Dynamic DNS (615)
Table 213 Menu 1.1.1: DDNS Host Summary (616)
Table 214 Menu 1.1.1: DDNS Edit Host

Table 254 System Maintenance Menu Syslog Parameters (718)
Table 255 System Maintenance Menu Diagnostic (724)
Table 256 Filename Conventions (726)
Table 257 General Commands for GUI-based FTP Clients
PART I
Introduction

Getting to Know Your ZyWALL (51)
Hardware Installation (55)
Introducing the Web Configurator (61)
Wizard Setup (87)
Tutorials (109)
Registration Screens (141)
CHAPTER 1
Getting to Know Your ZyWALL

This chapter introduces the main features and applications of the ZyWALL.

1.1 ZyWALL Internet Security Appliance Overview
The ZyWALL is loaded with security features including VPN, firewall, content filtering, antispam, IDP (Intrusion Detection and Prevention), anti-virus and certificates. The ZyWALL’s De-Militarized Zone (DMZ) increases LAN security by providing separate ports for connecting publicly accessible servers.
See Chapter 55 on page 769 for a complete list of features.

Table 1 ZyWALL Model Specific Features
MODEL # FEATURE 70 35 Two WAN Ports Y Y 5 3G Card Supported Y Load Balancing Y Changing Port Roles between LAN and DMZ Changing Port Roles between LAN and WLAN Y Y Y Y Y Y Y
Table Key: A Y in a model’s column shows that the model has the specified feature.
1.3.2 VPN Application
ZyWALL VPN is an ideal cost-effective way to securely connect branch offices, business partners and telecommuters over the Internet without the need (and expense) for leased lines between sites.

Figure 2 VPN Application

1.3.3 3G WAN Application (ZyWALL 5 Only)
Insert a 3G card to have the ZyWALL (in router mode) wirelessly access the Internet via a 3G base station.
1.4 Ways to Manage the ZyWALL
Use any of the following methods to manage the ZyWALL.
• Web Configurator. This is recommended for everyday management of the ZyWALL using a (supported) web browser.
• Command Line Interface. Line commands are mostly used for troubleshooting by service engineers. See the Command Reference Guide for more information about the CLI.
• SMT. System Management Terminal is a text-based configuration menu that you can use to configure your device.
CHAPTER 2
Hardware Installation

The ZyWALL can be placed on a desktop or rack-mounted on a standard EIA rack. Use the brackets in a rack-mounted installation.

2.1 General Installation Instructions
Read all the safety warnings in the beginning of this User's Guide before you begin and make sure you follow them. Perform the installation as follows:
1 Make sure the ZyWALL is off.
2 Install the hardware first.
Figure 4 Attaching Rubber Feet

Do not block the ventilation holes. Leave space between ZyWALLs when stacking.

2.3 Rack-mounted Installation Requirements
The ZyWALL can be mounted on an EIA standard size, 19-inch rack or in a wiring closet with other equipment. Follow the steps below to mount your ZyWALL on a standard EIA rack using a rack-mounting kit.

Make sure the rack will safely support the combined weight of all the equipment it contains.
2.4 Rack-Mounted Installation
1 Align one bracket with the holes on one side of the ZyWALL and secure it with the bracket screws (smaller than the rack-mounting screws).
2 Attach the other bracket in a similar fashion.

Figure 5 Attaching Mounting Brackets and Screws

3 After attaching both mounting brackets, position the ZyWALL in the rack by lining up the holes in the brackets with the appropriate holes on the rack.
2.5 3G Card, WLAN Card and ZyWALL Turbo Card Installation

Do not insert or remove a card with the ZyWALL turned on. Make sure the ZyWALL is off before inserting or removing an 802.11b/g-compliant wireless LAN PCMCIA or CardBus card, 3G card or ZyWALL Turbo Card (to avoid damage).

Slide the connector end of the card into the slot as shown next.

Only certain ZyXEL wireless LAN cards or 3G cards are compatible with the ZyWALL. Only the ZyWALL 5 can use a 3G card.
2.6 Front Panel Lights

Figure 8 ZyWALL 70 Front Panel
Figure 9 ZyWALL 35 Front Panel
Figure 10 ZyWALL 5 Front Panel

The following table describes the lights.

Table 2 Front Panel Lights
LED   COLOR   STATUS     DESCRIPTION
      -       Off        The ZyWALL is turned off.
      Green   On         The ZyWALL is turned on.
      Red     On         The power to the ZyWALL is too low.
      Green   Off        The ZyWALL is not ready or has failed.
              On         The ZyWALL is ready and running.
              Flashing   The ZyWALL is restarting.
Table 2 Front Panel Lights (continued)
LED                                        COLOR    STATUS     DESCRIPTION
WAN1/2 10/100 or WAN 10/100                Green    Off        The WAN connection is not ready, or has failed.
                                                    On         The ZyWALL has a successful 10 Mbps WAN connection.
                                                    Flashing   The 10M WAN is sending or receiving packets.
                                           Orange   On         The ZyWALL has a successful 100 Mbps WAN connection.
DMZ 10/100 (ZyWALL 70 only)                Green
                                           Orange
LAN/DMZ 10/100 (ZyWALL 35 and ZyWALL 5)    Green
                                           Orange
CHAPTER 3
Introducing the Web Configurator

This chapter describes how to access the ZyWALL web configurator and provides an overview of its screens.

3.1 Web Configurator Overview
The web configurator is an HTML-based management interface that allows easy ZyWALL setup and management via Internet browser. Use Internet Explorer 6.0 and later or Netscape Navigator 7.0 and later versions. The recommended screen resolution is 1024 by 768 pixels.
5 You should see a screen asking you to change your password (highly recommended) as shown next. Type a new password (and retype it to confirm) and click Apply or click Ignore.

Figure 11 Change Password Screen

6 Click Apply in the Replace Certificate screen to create a certificate using your ZyWALL’s MAC address that will be specific to this device.
3.3 Resetting the ZyWALL
If you forget your password or cannot access the web configurator, you will need to reload the factory-default configuration file or use the RESET button on the back of the ZyWALL. Uploading this configuration file replaces the current configuration file with the factory-default configuration file.
3.4 Navigating the ZyWALL Web Configurator
The following summarizes how to navigate the web configurator from the HOME screen. This guide uses the ZyWALL 70 screenshots as an example. The screens may vary slightly for different ZyWALL models.

Figure 14 HOME Screen

As illustrated above, the main screen is divided into these parts:
• A - title bar
• B - navigation panel
• C - main window
• D - status bar

3.4.
3.4.2 Main Window
The main window shows the screen you select in the navigation panel. It is discussed in more detail in the rest of this document. Right after you log in, the HOME screen is displayed. The screen varies according to the device mode you select in the MAINTENANCE > Device Mode screen.

3.4.3 HOME Screen: Router Mode
The following screen displays when the ZyWALL is set to router mode. This screen displays general status information about the ZyWALL.
Table 4 Web Configurator HOME Screen in Router Mode (continued)
LABEL              DESCRIPTION
System Name        This is the System Name you enter in the MAINTENANCE > General screen. It is for identification purposes. Click the field label to go to the screen where you can specify a name for this ZyWALL.
Model              This is the model name of your ZyWALL.
Bootbase Version   This is the bootbase version and the date created.
Table 4 Web Configurator HOME Screen in Router Mode (continued)
LABEL     DESCRIPTION
Status    For the LAN, DMZ and WLAN ports, this displays the port speed and duplex setting. Ethernet port connections can be in half-duplex or full-duplex mode. Full-duplex refers to a device's ability to send and receive simultaneously, while half-duplex indicates that traffic can flow in only one direction at a time.
Table 4 Web Configurator HOME Screen in Router Mode (continued)
LABEL            DESCRIPTION
Virus Detected   This displays how many virus-infected files the ZyWALL has detected since it last started up. It also displays the percentage of virus-infected files out of the total number of files that the ZyWALL has scanned (since it last started up). N/A displays when the ZyWALL has never had an anti-virus subscription or there is no Turbo Card installed.
Table 4 Web Configurator HOME Screen in Router Mode (continued)
LABEL                     DESCRIPTION
Last Connection Up Time   This displays how long the 3G connection has been up.
Tx Bytes                  This displays the total number of data frames transmitted.
Rx Bytes                  This displays the total number of data frames received.
3G Card Manufacturer      This displays the manufacturer of your 3G card.
3G Card Model             This displays the model name of your 3G card.
Table 4 Web Configurator HOME Screen in Router Mode (continued)
LABEL                    DESCRIPTION
Disable budget control   This field displays if you have enabled budget control but insert a 3G card with a different user account from the one for which you configured budget control. Select this option to disable budget control. If you want to enable and configure new budget control settings for the new user account, go to the 3G (WAN 2) screen.
3.4.4 HOME Screen: Bridge Mode
The following screen displays when the ZyWALL is set to bridge mode. In bridge mode, the ZyWALL functions as a transparent firewall (also known as a bridge firewall). The ZyWALL bridges traffic traveling between the ZyWALL's interfaces and still filters and inspects packets. You do not need to change the configuration of your existing network. In bridge mode, the ZyWALL cannot get an IP address from a DHCP server.
Table 5 Web Configurator HOME Screen in Bridge Mode (continued)
LABEL              DESCRIPTION
Bootbase Version   This is the bootbase version and the date created.
Firmware Version   This is the ZyNOS Firmware version and the date created. ZyNOS is ZyXEL's proprietary Network Operating System design. Click the field label to go to the screen where you can upload a new firmware file.
Up Time            This field displays how long the ZyWALL has been running since it last started up.
Table 5 Web Configurator HOME Screen in Bridge Mode (continued) LABEL DESCRIPTION Bridge Hello Time This is the interval between BPDUs (Bridge Protocol Data Units) sent by the root bridge. Bridge Max Age This is the maximum time a bridge waits without receiving a Hello BPDU from the root bridge before it treats the root bridge information as stale and starts a new spanning tree election. Forward Delay This is the time a port spends in each of the listening and learning states before it starts forwarding. Bridge Port This is the port type.
Table 5 Web Configurator HOME Screen in Bridge Mode (continued) LABEL DESCRIPTION Spam Mail Detected This displays how many spam e-mails the ZyWALL has detected since it last started up. It also displays the percentage of spam e-mail out of the total number of e-mails that the ZyWALL has scanned (since it last started up). Disable displays when the anti-spam threat statistics collection is disabled.
Table 6 Bridge and Router Mode Features Comparison FEATURE BRIDGE MODE ROUTER MODE WAN Y DMZ Y Bridge Y WLAN Y Wireless Card Y Y Firewall Y Y IDP Y Y Anti-Virus Y Y Anti-Spam Y Y Content Filter Y Y VPN Y Y Certificates Y Y Authentication Server Y Y NAT Y Static Route Y Policy Route Y Bandwidth Management Y DNS Y Y Remote Management Y UPnP Y Y Custom Application Y Y ALG Y Y Reports Y Y Logs Y Y Mainten
Table 7 Screens Summary (continued) LINK TAB FUNCTION LAN LAN Use this screen to configure LAN DHCP and TCP/IP settings. Static DHCP Use this screen to assign fixed IP addresses on the LAN. IP Alias Use this screen to partition your LAN interface into subnets. Port Roles (ZyWALL 5 and ZyWALL 35) Use this screen to change the LAN/DMZ/WLAN port roles. Bridge Use this screen to change the bridge settings on the ZyWALL.
Table 7 Screens Summary (continued) LINK TAB FUNCTION FIREWALL Default Rule Use this screen to activate/deactivate the firewall and select the direction of network traffic to which to apply the rule. Rule Summary This screen shows a summary of the firewall rules, and allows you to edit/add a firewall rule. Anti-Probing Use this screen to change your anti-probing settings. IDP ANTI-VIRUS ANTI-SPAM CONTENT FILTER VPN
Table 7 Screens Summary (continued) LINK TAB FUNCTION CERTIFICATES My Certificates Use this screen to view a summary list of certificates and manage certificates and certification requests. Trusted CAs Use this screen to view and manage the list of the trusted CAs. Trusted Remote Hosts Use this screen to view and manage the certificates belonging to the trusted remote hosts. AUTH SERVER
Table 7 Screens Summary (continued) LINK TAB FUNCTION REMOTE MGMT WWW Use this screen to configure through which interface(s) and from which IP address(es) users can use HTTPS or HTTP to manage the ZyWALL. Prefer HTTPS over HTTP (plain HTTP sends the administrator password in the clear) and restrict management to the LAN or to specific administrator addresses rather than allowing it from the WAN. SSH Use this screen to configure through which interface(s) and from which IP address(es) users can use Secure Shell to manage the ZyWALL. The same restrictions on interface and source address apply.
Table 7 Screens Summary (continued) LINK TAB FUNCTION MAINTENANCE General This screen contains administrative. Password Use this screen to change your password. Time and Date Use this screen to change your ZyWALL’s time and date. Device Mode Use this screen to configure and have your ZyWALL work as a router or a bridge.
Table 8 HOME > Port Statistics (continued) LABEL DESCRIPTION Status For the WAN interface(s) and the Dial Backup port, this displays the port speed and duplex setting if you’re using Ethernet encapsulation, or the remote node name for a PPP connection and Down (line is down or not connected), Idle (line (ppp) idle), Dial (starting to trigger a call) or Drop (dropping a call) if you’re using PPPoE encapsulation. Dial backup is not available in bridge mode.
The following table describes the labels in this screen. Table 9 HOME > Show Statistics > Line Chart LABEL DESCRIPTION Click the icon to go back to the Show Statistics screen. Port Select the check box(es) to display the throughput statistics of the corresponding interface(s). B/s Specify the direction of the traffic for which you want to show throughput statistics in this table.
Table 10 HOME > Show DHCP Table (continued) LABEL DESCRIPTION MAC Address The MAC (Media Access Control) or Ethernet address on a LAN (Local Area Network) is unique to your computer (six pairs of hexadecimal digits). A network interface card such as an Ethernet adapter has a hardwired address that is assigned at the factory. This address follows an industry standard that ensures no other adapter is manufactured with the same address, although the address a host actually uses can be changed in software.
Table 11 HOME > VPN Status LABEL DESCRIPTION IPSec Algorithm This field displays the security protocols used for an SA. Both AH and ESP increase ZyWALL processing requirements and communications latency (delay). Automatic Refresh Interval Select a number of seconds or None from the drop-down list box to update all screen statistics automatically at the end of every time interval or to not update the screen statistics.
Table 12 ADVANCED > BW MGMT > Monitor LABEL DESCRIPTION Automatic Refresh Interval Select a number of seconds or None from the drop-down list box to update all screen statistics automatically at the end of every time interval or to not update the screen statistics. Refresh Click this button to update the screen’s statistics immediately. A.
CHAPTER 4 Wizard Setup This chapter provides information on the Wizard Setup screens in the web configurator. The Internet access wizard is only applicable when the ZyWALL is in router mode. 4.1 Wizard Setup Overview The web configurator's setup wizards help you configure Internet and VPN connection settings. In the HOME screen, click the Wizard icon to open the Wizard Setup Welcome screen.
4.2 Internet Access The Internet access wizard screen has three variations depending on what encapsulation type you use. Refer to information provided by your ISP to know what to enter in each field. Leave a field blank if you don’t have that information. 4.2.1 ISP Parameters The ZyWALL offers three choices of encapsulation. They are Ethernet, PPTP or PPPoE. The wizard screen varies according to the type of encapsulation that you select in the Encapsulation field. 4.2.1.
Table 13 ISP Parameters: Ethernet Encapsulation LABEL DESCRIPTION IP Address Assignment Select Dynamic if your ISP did not assign you a fixed IP address. This is the default selection. Select Static if the ISP assigned a fixed IP address. The fields below are available only when you select Static. My WAN IP Address Enter your WAN IP address in this field. My WAN IP Subnet Mask Enter the IP subnet mask in this field.
The following table describes the labels in this screen. Table 14 ISP Parameters: PPPoE Encapsulation LABEL DESCRIPTION ISP Parameter for Internet Access Encapsulation Choose an encapsulation method from the pull-down list box. PPP over Ethernet forms a dial-up connection. Service Name Type the name of your service provider. User Name Type the user name given to you by your ISP. Password Type the password associated with the user name above.
Figure 25 ISP Parameters: PPTP Encapsulation The following table describes the labels in this screen. Table 15 ISP Parameters: PPTP Encapsulation LABEL DESCRIPTION ISP Parameters for Internet Access Encapsulation Select PPTP from the drop-down list box. To configure a PPTP client, you must configure the User Name and Password fields for a PPP connection and the PPTP parameters for a PPTP connection. User Name Type the user name given to you by your ISP.
Table 15 ISP Parameters: PPTP Encapsulation LABEL DESCRIPTION WAN IP Address Assignment IP Address Assignment Select Dynamic if your ISP did not assign you a fixed IP address. This is the default selection. Select Static if the ISP assigned a fixed IP address. The fields below are available only when you select Static. My WAN IP Address Enter your WAN IP address in this field.
Figure 27 Internet Access Setup Complete 4.2.3 Internet Access Wizard: Registration If you clicked Next in the previous screen (see Figure 26 on page 92), the following screen displays. Use this screen to register the ZyWALL with myZyXEL.com. You must register your ZyWALL before you can activate trial applications of services like content filtering, anti-spam, anti-virus and IDP.
The following table describes the labels in this screen. Table 16 Internet Access Wizard: Registration LABEL DESCRIPTION Device Registration If you select Existing myZyXEL.com account, only the User Name and Password fields are available. New myZyXEL.com account If you haven’t created an account at myZyXEL.com, select this option and configure the following fields to create an account and register your ZyWALL. Existing myZyXEL.
Figure 30 Internet Access Wizard: Status A screen similar to the following appears if the registration was not successful. Click Return to go back to the Device Registration screen and check your settings. Figure 31 Internet Access Wizard: Registration Failed 4.2.
Figure 33 Internet Access Wizard: Activated Services 4.3 VPN Wizard Gateway Setting Use this screen to name the VPN gateway policy (IKE SA) and identify the IPSec routers at either end of the VPN tunnel. Click VPN Setup in the Wizard Setup Welcome screen (Figure 22 on page 87) to open the VPN configuration wizard. The first screen displays as shown next. Figure 34 VPN Wizard: Gateway Setting The following table describes the labels in this screen.
Table 17 VPN Wizard: Gateway Setting LABEL DESCRIPTION My ZyWALL When the ZyWALL is in router mode, enter the WAN IP address or the domain name of your ZyWALL or leave the field set to 0.0.0.0. The following applies if the My ZyWALL field is configured as 0.0.0.0: When the WAN interface operation mode is set to Active/Passive, the ZyWALL uses the IP address (static or dynamic) of the WAN interface that is in use.
Figure 35 VPN Wizard: Network Setting The following table describes the labels in this screen. Table 18 VPN Wizard: Network Setting LABEL DESCRIPTION Network Policy Property Active If the Active check box is selected, packets for the tunnel trigger the ZyWALL to build the tunnel. Clear the Active check box to turn the network policy off. The ZyWALL does not apply the policy. Packets for the tunnel do not trigger the tunnel.
Table 18 VPN Wizard: Network Setting LABEL DESCRIPTION Starting IP Address When the Remote Network field is configured to Single, enter a (static) IP address on the network behind the remote IPSec router. When the Remote Network field is configured to Range IP, enter the beginning (static) IP address, in a range of computers on the network behind the remote IPSec router.
The following table describes the labels in this screen. Table 19 VPN Wizard: IKE Tunnel Setting LABEL DESCRIPTION Negotiation Mode Select Main Mode for identity protection. Select Aggressive Mode to allow more incoming connections from dynamic IP addresses to use separate passwords. In Aggressive Mode the identities and the pre-shared-key-based hash are exchanged before the negotiation is encrypted, so anyone who captures the exchange can attempt offline guessing of a weak pre-shared key; if you must use Aggressive Mode, use a long random pre-shared key or certificate authentication. Note: Multiple SAs (security associations) connecting through a secure gateway must have the same negotiation mode.
Figure 37 VPN Wizard: IPSec Setting The following table describes the labels in this screen. Table 20 VPN Wizard: IPSec Setting LABEL DESCRIPTION Encapsulation Mode Tunnel is compatible with NAT, Transport is not. Tunnel mode encapsulates the entire IP packet to transmit it securely. Tunnel mode is required for gateway services to provide access to internal systems. Tunnel mode is fundamentally an IP tunnel with authentication and encryption.
Table 20 VPN Wizard: IPSec Setting (continued) LABEL DESCRIPTION Perfect Forward Secret (PFS) Perfect Forward Secrecy (PFS) is disabled (None) by default in phase 2 IPSec SA setup. This makes IPSec setup faster, but every phase 2 key is then derived from the phase 1 keying material, so an attacker who recovers the phase 1 secret can recover all of the phase 2 keys. Select DH1, DH2 or DH5 to enable PFS, which performs a fresh Diffie-Hellman exchange for each phase 2 SA. DH1 refers to Diffie-Hellman Group 1, a 768-bit MODP group. DH2 refers to Diffie-Hellman Group 2, a 1024-bit MODP group (more secure, yet slower). Both are below current key-size guidance; prefer DH5 (a 1536-bit MODP group) or larger where the peer supports it.
The following table describes the labels in this screen. Table 21 VPN Wizard: VPN Status LABEL DESCRIPTION Gateway Policy Property Name This is the name of this VPN gateway policy. Gateway Policy Setting My ZyWALL This is the WAN IP address or the domain name of your ZyWALL in router mode or the ZyWALL’s IP address in bridge mode. Remote Gateway Address This is the IP address or the domain name used to identify the remote IPSec router.
Table 21 VPN Wizard: VPN Status (continued) LABEL DESCRIPTION IPSec Protocol ESP or AH are the security protocols used for an SA. Only ESP encrypts the payload; AH provides integrity and authentication without confidentiality. Encryption Algorithm This is the method of data encryption. Options can be DES, 3DES, AES or NULL. DES and NULL provide no usable confidentiality; prefer AES. Authentication Algorithm MD5 (Message Digest 5) and SHA1 (Secure Hash Algorithm) are hash algorithms used (as HMACs) to authenticate packet data; prefer SHA1, since MD5 is deprecated. SA Life Time (Seconds) This is the length of time before an IKE SA automatically renegotiates.
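The IKE and IPSec choices in Tables 19, 20 and 21 can be checked mechanically before a tunnel is deployed. The following script is an added example, not ZyXEL code: it reviews a wizard-style policy for the weak settings discussed above (Aggressive Mode with a pre-shared key, PFS off or a small DH group, AH instead of ESP, DES/NULL/3DES, MD5). The dictionary keys mirror the wizard labels on this page; the Authentication Method and Pre-Shared Key keys, the thresholds and both sample policies are assumptions made for the example.

```python
"""Review VPN wizard settings for weak choices (added example, not ZyXEL code)."""
from dataclasses import dataclass
from typing import Dict, List

# Diffie-Hellman group -> MODP modulus size in bits
# (RFC 2409 groups 1 and 2, RFC 3526 group 5).
DH_BITS = {"DH1": 768, "DH2": 1024, "DH5": 1536}
MIN_DH_BITS = 1536      # assumed threshold: anything smaller is flagged
MIN_PSK_LENGTH = 20     # assumed threshold: shorter keys fall to guessing


@dataclass(frozen=True)
class Finding:
    severity: str   # "high" or "medium"
    label: str      # wizard field the finding refers to
    message: str


def review_policy(policy: Dict[str, str]) -> List[Finding]:
    """Return the weaknesses found in one gateway/network policy, in field order."""
    out: List[Finding] = []
    mode = policy.get("Negotiation Mode", "Main Mode")
    method = policy.get("Authentication Method", "Pre-Shared Key")
    psk = policy.get("Pre-Shared Key", "")

    # Aggressive mode sends the identities and the PSK-derived hash before
    # the exchange is encrypted, so a passive observer can guess the PSK offline.
    if mode == "Aggressive Mode" and method == "Pre-Shared Key":
        out.append(Finding("high", "Negotiation Mode",
                           "aggressive mode with a pre-shared key exposes the PSK "
                           "hash to offline guessing; use Main Mode or certificates"))
    if method == "Pre-Shared Key" and len(psk) < MIN_PSK_LENGTH:
        out.append(Finding("high", "Pre-Shared Key",
                           f"pre-shared key shorter than {MIN_PSK_LENGTH} characters"))

    # Without PFS every phase 2 key is derived from the phase 1 secret.
    pfs = policy.get("Perfect Forward Secret (PFS)", "None")
    if pfs == "None":
        out.append(Finding("medium", "Perfect Forward Secret (PFS)",
                           "PFS disabled: a recovered phase 1 secret unlocks all phase 2 keys"))
    elif DH_BITS.get(pfs, 0) < MIN_DH_BITS:
        out.append(Finding("medium", "Perfect Forward Secret (PFS)",
                           f"{pfs} is a {DH_BITS.get(pfs, 0)}-bit MODP group; use DH5 or larger"))

    if policy.get("IPSec Protocol") == "AH":
        out.append(Finding("medium", "IPSec Protocol",
                           "AH authenticates but does not encrypt; use ESP"))

    enc = policy.get("Encryption Algorithm", "")
    if enc in ("DES", "NULL"):
        out.append(Finding("high", "Encryption Algorithm",
                           f"{enc} gives no usable confidentiality"))
    elif enc == "3DES":
        out.append(Finding("medium", "Encryption Algorithm",
                           "3DES has a 64-bit block; prefer AES"))

    if policy.get("Authentication Algorithm") == "MD5":
        out.append(Finding("medium", "Authentication Algorithm",
                           "HMAC-MD5 is deprecated; use SHA1 or stronger"))
    return out


def is_acceptable(policy: Dict[str, str]) -> bool:
    """True when the policy has no high-severity finding."""
    return not any(f.severity == "high" for f in review_policy(policy))


# Constructed sample policies; neither is taken from the guide.
WEAK_POLICY = {
    "Negotiation Mode": "Aggressive Mode",
    "Authentication Method": "Pre-Shared Key",
    "Pre-Shared Key": "1234",
    "Perfect Forward Secret (PFS)": "None",
    "IPSec Protocol": "ESP",
    "Encryption Algorithm": "DES",
    "Authentication Algorithm": "MD5",
}
HARDENED_POLICY = {
    "Negotiation Mode": "Main Mode",
    "Authentication Method": "Pre-Shared Key",
    "Pre-Shared Key": "correct-horse-battery-staple-2008",
    "Perfect Forward Secret (PFS)": "DH5",
    "IPSec Protocol": "ESP",
    "Encryption Algorithm": "AES",
    "Authentication Algorithm": "SHA1",
}

if __name__ == "__main__":
    for f in review_policy(WEAK_POLICY):
        print(f"[{f.severity}] {f.label}: {f.message}")
    print("hardened policy acceptable:", is_acceptable(HARDENED_POLICY))
```

Run against WEAK_POLICY the review reports five findings, three of them high; HARDENED_POLICY, which keeps to Main Mode, a long pre-shared key, DH5, ESP, AES and SHA1, reports none. Both peers must agree on these values, so check the remote IPSec router's policy with the same list.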
Figure 40 Anti-Spam Wizard: Email Server Location Setting The following table describes the labels in this screen. Table 22 Anti-Spam Wizard: Email Server Location Setting LABEL DESCRIPTION Intranet These are the networks directly connected to the ZyWALL. • Select WLAN if you have an e-mail server(s) connected to the ZyWALL’s WLAN. • Select WAN 1 if you have an e-mail server(s) connected to the ZyWALL’s WAN 1.
Figure 41 Anti-Spam Wizard: Direction Recommendations • For e-mail servers on the LAN, DMZ, or WLAN the ZyWALL recommends checking traffic that comes from the WAN to the zone(s) where the e-mail server is located. This is to check for spam coming to the ZyWALL’s e-mail server from outside e-mail servers. • For e-mail servers on the Internet, the ZyWALL recommends checking traffic that comes from the WAN to the LAN, DMZ, and WLAN zones.
Figure 42 Anti-Spam Wizard: Direction Configuration The following table describes the labels in this screen. Table 23 Anti-Spam Wizard: Direction Configuration LABEL DESCRIPTION Enable Anti-Spam Select this check box to check SMTP (TCP port 25) and POP3 (TCP port 110) e-mail traffic for spam. From, To Select the directions of travel of packets that you want to check.
Table 23 Anti-Spam Wizard: Direction Configuration LABEL DESCRIPTION Back Click Back to return to the previous screen. Next Click Next to continue. 4.12 Anti-Spam Wizard: Setup Complete Congratulations! You have successfully set up the directions that the anti-spam feature checks for spam. This does not enable the anti-spam feature. Go to the SECURITY > ANTI-SPAM screens to enable anti-spam.
CHAPTER 5 Tutorials This chapter gives examples of how to configure some of your ZyWALL’s key features. See the related chapter on a feature for more details. 5.1 Dynamic VPN Rule Configuration Dynamic VPN rules allow VPN connections from IPSec routers with dynamic WAN IP addresses.
Table 24 Dynamic VPN Rule Tutorial Settings
FIELD | ZYWALL A (COMPANY) | ZYWALL B (BOB)
Local Network (network behind the local ZyWALL) | 10.0.0.2 ~ 10.0.0.64 | 192.168.167.2
Remote Network (network behind the peer ZyWALL) | 0.0.0.0 | 10.0.0.2 ~ 10.0.0.
1 Click SECURITY > VPN > VPN Rules (IKE), and then the add gateway policy ( ) icon to display the Edit Gateway Policy screen. Use this screen to configure the VPN gateway policy that identifies the ZyWALLs. The company’s ZyWALL (A) and the telecommuter’s ZyWALL (B) gateway policy edit screens are shown next. • The information that identifies the ZyWALL 70 (A) is circled in red. • The information that identifies the ZyWALL P1 (B) is circled in yellow.
Figure 45 VPN Gateway Policy Edit Screens Company Device (A) Remote Device (B) 2 After you click Apply, the A-B_Gateways gateway policy displays as shown next. Click SECURITY > VPN and the A-B_Gateways’ add network policy ( ) icon. The following figure shows ZyWALL A’s screen.
Figure 46 SECURITY > VPN > Add Network Policy (ZyWALL A) 3 Edit the VPN-Network Policy -Edit screen to configure network policies. A network policy identifies the devices behind the IPSec routers at either end of a VPN tunnel and specifies the authentication, encryption and other settings needed to negotiate a phase 2 IPSec SA. Here are the company’s ZyWALL (A) and the telecommuter’s ZyWALL (B) network policy edit screens. • The information that identifies network X is circled in red.
Figure 47 VPN Network Policy Edit Screens Company Device (A) Telecommuter Device (B)
4 After you click Apply, the network policy displays with the gateway policy. 5 In the ZyWALL B, select "X-Y_Networks" in the Activating VPN Rule field to activate the VPN rule. The color of "X-Y_Networks" VPN policy changes to pink. Figure 48 Activate VPN Rule (ZyWALL B) 6 Review the settings on both ZyWALLs as shown next. • The information that identifies the ZyWALL 70 (A) and network X is circled in red.
Figure 49 Tutorial: VPN Summary Screens Comparison Example Company Device (A) Telecommuter Device (B) You have configured the company’s ZyWALL (A) and the telecommuter’s ZyWALL (B). 5.1.3 Configure Zero Configuration Mode on ZyWALL B The ZyWALL P1’s zero configuration mode provides a simplified user mode for the web configurator interface. The user uses this interface to configure the ZyWALL’s Internet access settings and log into the VPN tunnel (see Section 5.1.4 on page 117).
3 Select Zero Configuration Mode. 4 Click Apply. The system reboots automatically and restarts in zero configuration mode. 5.1.4 Testing Your VPN Configuration Test the VPN configuration before giving the ZyWALL P1 to Bob. 1 ZyWALL A should already be connected to the Internet using its public WAN IP address. Connect ZyWALL B to the Internet. Make sure it gets a public WAN IP. You may have to take ZyWALL B to another location if it cannot get a public IP address at the company.
3 Open a web browser (like Internet Explorer) to connect to the ZyWALL P1’s LAN IP address (http://192.168.167.1 in this example). 4 The user mode screen for VPN authentication displays. Enter the user name "SalesManager" and password "Manager1234". Click Activate. 5 ZyWALL B automatically initiates and negotiates the VPN tunnel with ZyWALL A after you pass the authentication. A successful screen displays. Click Return. 6 Send a ping from the telecommuter’s computer (IP address 192.
When you can ping IP address 10.0.0.2 from the computer with IP address 192.168.167.2 behind ZyWALL B, you know the VPN tunnel works. 5.1.5 Using the Dynamic VPN Rule for More VPN Tunnels Other remote users (like sales people and telecommuters) using IPSec routers with dynamic WAN IP addresses can also use the same gateway and network policy on ZyWALL A. The gateway policies you configure on the remote IPSec routers differ by user name and password.
" The security settings apply to VPN traffic going to or from the ZyWALL’s VPN tunnels. They do not apply to other VPN traffic for which the ZyWALL is not one of the gateways (VPN pass-through traffic). You can turn on content filtering for all of the ZyWALL’s VPN traffic (regardless of its direction of travel). You can apply firewall, IDP, anti-virus and anti-spam security to VPN traffic based on its direction of travel.
Figure 54 IDP Configuration for Traffic From VPN 5.2.2 IDP for To VPN Traffic Example You can also apply security settings to the To VPN packet direction to protect the remote networks from attacks, intrusions, viruses and spam originating from your own network. For example, you can use IDP to protect the remote networks from intrusions that might come in through your ZyWALL’s VPN tunnels. Figure 55 IDP for To VPN Traffic Here is how you would configure this example.
1 Click SECURITY > IDP > General. 2 Select the To VPN column’s first check box (with the interface label) to select all of the To VPN packet directions. 3 Click Apply. Figure 56 IDP Configuration for To VPN Traffic 5.3 Firewall Rule for VPN Example The firewall provides even more fine-tuned control for VPN tunnels. You can configure default and custom firewall rules for VPN packets. Take the following example. You have a LAN FTP server with IP address 192.168.1.4 behind device A.
Figure 57 Firewall Rule for VPN 5.3.1 Configuring the VPN Rule This section shows how to configure a VPN rule on device A to let the network behind B access the FTP server. You would also have to configure a corresponding rule on device B. 1 Click Security > VPN to open the following screen. Click the Add Gateway Policy icon. Figure 58 SECURITY > VPN > VPN Rules (IKE) 2 Use this screen to set up the connection between the routers.
Figure 59 SECURITY > VPN > VPN Rules (IKE)> Add Gateway Policy 3 Click the Add Network Policy icon.
Figure 60 SECURITY > VPN > VPN Rules (IKE): With Gateway Policy Example 4 Use this screen to specify which computers behind the routers can use the VPN tunnel. Configure the fields that are circled as follows and click Apply. You may notice that the example does not specify the port numbers. This is due to the following reasons. • While FTP uses a control session on TCP port 21, the port for the data session is not fixed: in active mode the server connects from port 20 to a port the client chooses, and in passive mode the client connects to a port the server chooses.
Figure 61 SECURITY > VPN > VPN Rules (IKE)> Add Network Policy
5.3.2 Configuring the Firewall Rules Suppose you have several VPN tunnels but you only want to allow device B’s network to access the FTP server. You also only want FTP traffic to go to the FTP server, so you want to block all other traffic types (like chat, e-mail, web and so on). The following sections show how to configure firewall rules to enforce these restrictions. 5.3.2.
Figure 63 SECURITY > FIREWALL > Rule Summary > Edit: Allow 5 The rule displays in the summary list of VPN to LAN firewall rules.
Figure 64 SECURITY > FIREWALL > Rule Summary: Allow 5.3.2.2 Default Firewall Rule to Block Other Access Example Now you configure the default firewall rule to block all VPN to LAN traffic. This blocks any other types of access from VPN tunnels to the LAN FTP server. This means that you need to configure more firewall rules if you want to allow any other VPN tunnels to access the LAN. 1 Click SECURITY > FIREWALL > Default Rule. 2 Configure the screen as follows and click Apply.
Figure 65 SECURITY > FIREWALL > Default Rule: Block From VPN To LAN 5.4 How to Set up a 3G WAN Connection This section shows you how to configure and set up a 3G WAN connection on the ZyWALL. In this example, you have set up WAN 1 and want the ZyWALL to use both of the WAN interfaces (the physical WAN port and 3G card) for Internet access at the same time. 5.4.1 Inserting a 3G Card To enable and use the 3G WAN connection, you need to insert a 3G card into the ZyWALL.
2 If you have a wireless card or Turbo card in the ZyWALL, remove it. 3 Slide the connector end of the 3G card into the slot. 4 Connect the ZyWALL’s power. 5.4.2 Configuring 3G WAN Settings You should already have an activated user account and network access information from the service provider. 1 Click NETWORK > WAN > 3G (WAN 2) on the ZyWALL. 2 Enable WAN 2. 3 The Access Point Name (APN) field displays with a GSM or HSDPA 3G card.
5.4.3 Checking WAN Connections 1 Go to the web configurator’s Home screen. 2 In the network status table, make sure the status for WAN 1 and WAN 2 is not Down and there is an IP address. If the WAN 2 connection is not up, make sure you have entered the correct information in the NETWORK > WAN > 3G (WAN 2) screen and the signal strength to the service provider’s base station is not too low and can connect to a network. Figure 67 Tutorial: Home 5.
Figure 68 Tutorial: NETWORK > WAN > General 5.6 Configuring Content Filtering You can use the ZyWALL’s content filtering policies to apply specific content filtering settings to specific users. You can even filter certain things at certain times. For example, you decide to set the default policy to block access to several categories of web content including things like pornography, hacking, nudity, and arts and entertainment, and so on.
Use the REGISTRATION screens (see Chapter 6 on page 141) to create a myZyXEL.com account, register your device and activate the external content filtering service. 1 Click SECURITY > CONTENT FILTER. 2 Enable the content filter and external database content filtering. 3 Click Apply. Figure 69 SECURITY > CONTENT FILTER > General 5.6.2 Block Categories of Web Content Here is how to block access to web pages by category of content.
Figure 70 SECURITY > CONTENT FILTER > Policy 2 Select Active. 3 Select the categories to block. 4 Click Apply.
5.6.3 Assign Bob’s Computer a Specific IP Address You will configure a content filtering policy for traffic from Bob’s computer’s IP address. Do the following to have the ZyWALL always give Bob’s computer the same IP address (192.168.1.33 in this example). 1 Click HOME > Show DHCP Table. 2 Find the entry for Bob’s computer and select the Reserve check box as shown next. 3 Click Apply. Figure 72 HOME > Show DHCP Table 5.6.
Figure 74 SECURITY > CONTENT FILTER > Policy > Insert 5.6.5 Set the Content Filter Schedule You want to let Bob access arts and entertainment web pages, but only during lunch. So you configure a schedule to only apply the Bob policy from 12:00 to 13:00. For the rest of the time, the ZyWALL applies the default content filter policy (which blocks access to arts and entertainment web pages). 1 Click SECURITY > CONTENT FILTER > Policy and then the Bob policy’s schedule icon.
Figure 76 SECURITY > CONTENT FILTER > Policy > Schedule (Bob) 5.6.6 Block Categories of Web Content for Bob Now you select the categories of web pages to block Bob from accessing. 1 Click SECURITY > CONTENT FILTER > Policy and then the Bob policy’s external database icon. Figure 77 SECURITY > CONTENT FILTER > Policy 2 Select Active.
3 Select the categories to block. This is very similar to Section 5.6.2 on page 134, except you do not select the arts and entertainment category. 4 Click Apply.
CHAPTER 6 Registration Screens 6.1 Overview The registration screens let you activate and update your account with myZyXEL.com, allowing you access to subscription services required for the ZyWALL’s security features. 6.1.1 What You Can Do in the Registration Screens • Use the Registration screen (Section 6.2 on page 142) to register with myZyXEL.com and activate a service(s), or view your registration status. • Use the Service screen (Section 6.
IDP IDP allows the ZyWALL to detect malicious or suspicious packets and respond immediately. Signatures A signature is the pattern of code or traffic that identifies a particular virus or attack. The ZyWALL compares files with a database of signatures to identify possible viruses. The IDP and anti-virus features use the same signature files on the ZyWALL to detect and scan for viruses.
Figure 79 REGISTRATION > Registration The following table describes the labels in this screen. Table 25 REGISTRATION > Registration LABEL DESCRIPTION Device Registration If you select Existing myZyXEL.com account, only the User Name and Password fields are available. New myZyXEL.com account If you haven’t created an account at myZyXEL.com, select this option and configure the following fields to create an account and register your ZyWALL. Existing myZyXEL.
Table 25 REGISTRATION > Registration LABEL DESCRIPTION Apply Click Apply to save your changes back to the ZyWALL. Reset Click Reset to begin configuring this screen afresh. " If the ZyWALL is registered already, this screen is read-only and indicates whether trial services are activated. Use the Service screen to update your service subscription status. Figure 80 REGISTRATION > Registration: Registered Device 6.
Figure 81 REGISTRATION > Service The following table describes the labels in this screen. Table 26 REGISTRATION > Service LABEL DESCRIPTION Service Management Service This field displays the service name available on the ZyWALL. Status This field displays whether a service is activated (Active) or not (Inactive). Registration Type This field displays whether you applied for a trial application (Trial) or registered a service with your iCard PIN (Standard).
PART II Network LAN Screens (149) Bridge Screens (161) WAN Screens (169) DMZ Screens (207) WLAN Screens (219) Wireless Screens (229) 147
CHAPTER 7 LAN Screens 7.1 Overview A network is a shared communication system to which many computers are attached. The Local Area Network (LAN) includes the computers and networking devices in your home or office that you connect to the ZyWALL’s LAN ports. The Wide Area Network (WAN) is another network (most likely the Internet) that you connect to the ZyWALL’s WAN port. See Chapter 9 on page 169 for how to use the WAN screens to set up your WAN connection. The LAN and the WAN are two separate networks.
• Use the IP Alias screen (Section 7.4 on page 156) to configure IP alias settings on the ZyWALL’s LAN ports. • Use the Port Roles screen (Section 7.5 on page 158) to configure LAN ports on the ZyWALL. The Port Roles screen is available on the ZyWALL 5 and ZyWALL 35. 7.1.2 What You Need to Know About LAN IP Address and Subnet Mask Similar to the way houses on a street share a common street name, so too do computers on a LAN share one common network number.
" Regardless of your particular situation, do not create an arbitrary IP address; always follow the guidelines above. For more information on address assignment, please refer to RFC 1597, Address Allocation for Private Internets (since superseded by RFC 1918, which defines the same private ranges: 10.0.0.0/8, 172.16.0.0/12 and 192.168.0.0/16) and RFC 1466, Guidelines for Management of IP Address Space. MAC Address Every Ethernet device has a unique MAC (Media Access Control) address.
Multicast Traditionally, IP packets are transmitted in one of two ways: Unicast (1 sender - 1 recipient) or Broadcast (1 sender - everybody on the network). Multicast delivers IP packets to a group of hosts on the network - not everybody and not just 1. IGMP (Internet Group Management Protocol) is a network-layer protocol used to establish membership in a Multicast group - it is not used to carry user data.
Figure 83 NETWORK > LAN The following table describes the labels in this screen. Table 27 NETWORK > LAN LABEL DESCRIPTION LAN TCP/IP IP Address Type the IP address of your ZyWALL in dotted decimal notation. 192.168.1.1 is the factory default. Alternatively, click the right mouse button to copy and/or paste the IP address. IP Subnet Mask The subnet mask specifies the network number portion of an IP address.
Table 27 NETWORK > LAN (continued)
LABEL DESCRIPTION
RIP Version The RIP Version field controls the format and the broadcasting method of the RIP packets that the ZyWALL sends (it recognizes both formats when receiving). RIP-1 is universally supported but RIP-2 carries more information. RIP-1 is probably adequate for most networks, unless you have an unusual network topology. Note that RIP-1 has no authentication, so any host on the segment can inject routes into the ZyWALL's routing table; RIP-2 can authenticate updates. Do not run RIP on an interface where nothing needs to exchange routes with the ZyWALL.
Table 27 NETWORK > LAN (continued)
LABEL DESCRIPTION
Windows Networking (NetBIOS over TCP/IP) NetBIOS (Network Basic Input/Output System) over TCP/IP is carried in UDP (ports 137 and 138) and TCP (port 139) packets that let a computer find and communicate with other computers on a LAN. On some dial-up services such as PPPoE or PPTP, NetBIOS broadcasts can trigger unwanted calls. However, it may sometimes be necessary to allow NetBIOS packets to pass through to the WAN in order to find a computer on the WAN.
Figure 84 NETWORK > LAN > Static DHCP
The following table describes the labels in this screen.
Table 28 NETWORK > LAN > Static DHCP
LABEL DESCRIPTION
# This is the index number of the static IP table entry (row). MAC Address Type the MAC address of a computer on your LAN. IP Address Type the IP address that you want to assign to the computer on your LAN. Alternatively, click the right mouse button to copy and/or paste the IP address.
The ZyWALL has a single LAN interface. Even though more than one of ports 1~4 may be in the LAN port role, they are all still part of a single physical Ethernet interface and all use the same IP address. The ZyWALL supports three logical LAN interfaces via its single physical LAN Ethernet interface. The ZyWALL itself is the gateway for each of the logical LAN networks.
The following table describes the labels in this screen.
Table 29 NETWORK > LAN > IP Alias
LABEL DESCRIPTION
Enable IP Alias 1, 2 Select the check box to configure another LAN network for the ZyWALL. IP Address Enter the IP address of your ZyWALL in dotted decimal notation. Alternatively, click the right mouse button to copy and/or paste the IP address. IP Subnet Mask Your ZyWALL will automatically calculate the subnet mask based on the IP address that you assign.
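Before applying LAN, IP alias, DMZ and WLAN addresses, it is worth checking the address plan against the two rules this guide states: LAN-side addresses should come from the private ranges (RFC 1918), and the interfaces must be on separate, non-overlapping subnets (the DMZ and WLAN screens repeat this as a note). The following script is an added example, not ZyXEL code; the interface names and sample addresses in it are constructed, and the plan is expressed as the same address plus dotted-decimal mask pairs you type into the web configurator.

```python
"""Sanity-check a ZyWALL-style interface address plan (added example).

Rules checked, taken from the LAN/DMZ/WLAN chapters:
  * every non-WAN interface address is in an RFC 1918 private block,
  * no interface address is a subnet's network or broadcast address,
  * no two interface subnets (LAN, IP aliases, DMZ, WLAN, WAN) overlap.
Interface names and addresses below are constructed sample data.
"""
import ipaddress
from itertools import combinations

# RFC 1918 private address blocks (RFC 1918 replaced RFC 1597).
PRIVATE_RANGES = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
]


def is_private(addr: str) -> bool:
    """True if addr falls inside one of the RFC 1918 blocks."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in PRIVATE_RANGES)


def check_plan(plan: dict) -> list:
    """plan maps interface name -> (ip, dotted mask), e.g. ("192.168.1.1", "255.255.255.0").

    Returns a list of human-readable problems; an empty list means the plan
    satisfies the rules above. The WAN address is exempt from the private-range
    rule because it is normally a public address assigned by the ISP.
    """
    problems = []
    nets = {}
    for name, (ip, mask) in plan.items():
        iface = ipaddress.ip_interface(f"{ip}/{mask}")   # accepts dotted masks
        nets[name] = iface.network
        if name != "WAN" and not is_private(ip):
            problems.append(f"{name}: {ip} is not an RFC 1918 private address")
        net = iface.network
        if iface.ip in (net.network_address, net.broadcast_address):
            problems.append(f"{name}: {ip} is the network or broadcast address of {net}")
    # Every pair of interfaces must live on disjoint subnets.
    for (a, na), (b, nb) in combinations(nets.items(), 2):
        if na.overlaps(nb):
            problems.append(f"{a} ({na}) overlaps {b} ({nb})")
    return problems


# Constructed sample plans: one that follows the guide, one that breaks it.
GOOD_PLAN = {
    "LAN": ("192.168.1.1", "255.255.255.0"),       # factory default LAN
    "LAN alias 1": ("10.0.0.1", "255.0.0.0"),      # second logical LAN network
    "DMZ": ("192.168.2.1", "255.255.255.0"),
    "WLAN": ("192.168.3.1", "255.255.255.0"),
    "WAN": ("203.0.113.10", "255.255.255.248"),    # documentation-range public address
}
BAD_PLAN = {
    "LAN": ("192.168.1.1", "255.255.255.0"),
    "DMZ": ("192.168.1.254", "255.255.255.0"),     # same subnet as the LAN
    "WLAN": ("8.8.8.1", "255.255.255.0"),          # not a private address
}

if __name__ == "__main__":
    for label, plan in (("good", GOOD_PLAN), ("bad", BAD_PLAN)):
        print(label, check_plan(plan) or "OK")
```

Run it after editing the plan dictionary to match your own screens; any line it prints for the "bad" case corresponds to a setting the web configurator would accept but that would break routing or expose a LAN subnet.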
The radio buttons correspond to Ethernet ports on the front panel of the ZyWALL. On the ZyWALL 70, ports 1 to 4 are all DMZ ports by default. On the ZyWALL 5 or ZyWALL 35, ports 1 to 4 are all LAN ports by default.
Note: Your changes are also reflected in the DMZ Port Roles and WLAN Port Roles screens.
Figure 87 NETWORK > LAN > Port Roles
The following table describes the labels in this screen.
CHAPTER 8 Bridge Screens 8.1 Overview The ZyWALL can act as a bridge between a switch and a wired LAN or between two routers. This chapter describes how to configure bridge settings. This chapter is only applicable when the ZyWALL is in bridge mode. In bridge mode, the ZyWALL functions as a transparent firewall (also known as a bridge firewall). The ZyWALL bridges traffic traveling between the ZyWALL's interfaces and still filters and inspects packets.
8.1.2 What You Need To Know About Bridging
Bridge Loop
Be careful to avoid bridge loops when you enable bridging in the ZyWALL. Bridge loops cause broadcast traffic to circle the network endlessly, resulting in possible throughput degradation and disruption of communications.
8.2 The Bridge Screen
Select Bridge and click Apply in the MAINTENANCE > Device Mode screen to have the ZyWALL function as a bridge. You can use the firewall and VPN in bridge mode. See the user’s guide for a list of other features that are available in bridge mode. Click NETWORK > BRIDGE to display the screen shown next. Use this screen to configure bridge and RSTP (Rapid Spanning Tree Protocol) settings.
Table 31 NETWORK > Bridge (continued)
LABEL DESCRIPTION
First/Second/Third DNS Server DNS (Domain Name System) is for mapping a domain name to its corresponding IP address and vice versa. The DNS server is extremely important because without it, you must know the IP address of a machine before you can access it. The ZyWALL uses a system DNS server (in the order you specify here) to resolve domain names for content filtering, the time server, etc.
The radio buttons correspond to Ethernet ports on the front panel of the ZyWALL. On the ZyWALL 70, ports 1 to 4 are all DMZ ports by default. On the ZyWALL 5 or ZyWALL 35, ports 1 to 4 are all LAN ports by default.
Figure 93 NETWORK > Bridge > Port Roles
The following table describes the labels in this screen.
Table 32 NETWORK > Bridge > Port Roles
LABEL DESCRIPTION
LAN Select a port’s LAN radio button to use the port as part of the LAN.
8.4 Bridge Technical Reference
STP Terminology
The root bridge is the base of the spanning tree. Path cost is the cost of the path from a port to the root bridge; it is the sum of the per-port costs along that path. Each port's cost is assigned according to the speed of the link to which the port is attached: the slower the media, the higher the cost (see the next table).
STP Port States
STP assigns five port states (see next table) to eliminate packet looping. A bridge port is not allowed to go directly from the blocking state to the forwarding state, so as to eliminate transient loops.
Table 34 STP Port States
PORT STATE   DESCRIPTION
Disabled     STP is disabled (default).
Blocking     Only configuration and management BPDUs are received and processed.
Listening    All BPDUs are received and processed.
Learning     All BPDUs are received and processed.
CHAPTER 9 WAN Screens
9.1 Overview
This chapter discusses the ZyWALL’s WAN screens. Use these screens to configure your ZyWALL for Internet access. A WAN (Wide Area Network) connection is an outside connection to another network or the Internet. It connects your private networks, such as a LAN (Local Area Network), to other networks, so that a computer in one location can communicate with computers in other locations.
9.1.1 What You Can Do in the WAN Screens
• Use the General screen (Section 9.2 on page 172) to configure load balancing, route priority, and connection test settings for the ZyWALL.
• Use the WAN 1 and 2 screens (Section 9.3 on page 182) to configure the WAN1 and WAN2 interfaces for Internet access on the ZyWALL.
• Use the 3G (WAN2) screen (Section 9.4 on page 192 for 3G) to configure the WAN2 interface for Internet access on the ZyWALL.
• Use the Traffic Redirect screen (Section 9.
You can use policy routing to specify the WAN interface that specific services go through. An ISP may give traffic from certain (more expensive) connections priority over the traffic from other accounts. You could route delay-intolerant traffic (like voice over IP calls) through this kind of connection. Other traffic could be routed through a cheaper broadband Internet connection that does not provide priority service.
Let's say that you have the WAN operation mode set to active/passive, meaning the ZyWALL uses the second highest priority WAN interface as a backup. The WAN 1 route has a metric of "2", the WAN 2 route has a metric of "3", the traffic-redirect route has a metric of "14" and the dial-backup route has a metric of "15". In this case, the WAN 1 route acts as the primary default route. If the WAN 1 route fails to connect to the Internet, the ZyWALL tries the WAN 2 route next.
Figure 97 Incorrect WAN IP
1 LAN user A wants to download a file from a remote server on the Internet. The ZyWALL is using active/active load balancing and sends the request to an update server (B) through WAN 1.
2 Update server B sends a file list to LAN user A. The download address of the desired file is a file server (C).
Figure 98 NETWORK > WAN > General
The following table describes the labels in this screen.
Table 35 NETWORK > WAN > General
LABEL DESCRIPTION
Active/Passive (Fail Over) Mode Select the Active/Passive (fail over) operation mode to have the ZyWALL use the second highest priority WAN interface as a backup. This means that the ZyWALL will normally use the highest priority (primary) WAN interface (depending on the priorities you configure in the Route Priority fields).
Table 35 NETWORK > WAN > General (continued)
LABEL DESCRIPTION
Check Fail Tolerance Type how many WAN connection checks can fail (1-10) before the connection is considered "down" (not connected). The ZyWALL still checks a "down" connection to detect if it reconnects. Check WAN1/2 Connectivity Select the check box to have the ZyWALL periodically test the respective WAN interface's connection.
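The route-priority example and the Check Fail Tolerance field together describe a small state machine: every WAN route carries a metric, a route is declared down only after a configurable number of consecutive failed connectivity checks, a down route keeps being checked so it can come back, and traffic follows the lowest-metric route that is up. The following model is an added example, not ZyWALL firmware; the metrics are the ones used in the text above (2, 3, 14, 15) and the sequence of check results is constructed to show a failover and a recovery.

```python
"""Active/passive WAN failover with a connectivity-check fail counter (added example).

Models the behaviour described in the WAN General screen:
  * each route has a metric; lower is preferred,
  * a route is marked down after N consecutive failed checks (N = Check Fail
    Tolerance, 1-10 in the GUI) and is still checked while down,
  * the first successful check brings a down route back up,
  * new traffic uses the lowest-metric route that is currently up.
Metrics match the guide's example; the check results are constructed.
"""
from dataclasses import dataclass


@dataclass
class WanRoute:
    name: str
    metric: int
    fail_tolerance: int = 3   # Check Fail Tolerance, must be 1-10
    failures: int = 0         # consecutive failed checks so far
    up: bool = True

    def __post_init__(self):
        if not 1 <= self.fail_tolerance <= 10:
            raise ValueError("Check Fail Tolerance must be between 1 and 10")

    def record_check(self, ok: bool) -> None:
        """Feed one connectivity-check result into the route's state."""
        if ok:
            self.failures = 0
            self.up = True            # a "down" route is still checked and recovers here
        else:
            self.failures = min(self.failures + 1, self.fail_tolerance)
            if self.failures >= self.fail_tolerance:
                self.up = False


def active_route(routes):
    """Return the lowest-metric route that is up, or None if all are down."""
    live = [r for r in routes if r.up]
    return min(live, key=lambda r: r.metric) if live else None


def simulate(routes, checks):
    """checks is a list of {route name: check passed?} dicts, one per check interval.

    Routes absent from a dict (e.g. traffic redirect, dial backup) are not
    checked in that interval. Returns the name of the active route after
    each interval.
    """
    history = []
    for result in checks:
        for r in routes:
            if r.name in result:
                r.record_check(result[r.name])
        act = active_route(routes)
        history.append(act.name if act else None)
    return history


def make_routes():
    """Route table from the guide's example: WAN 1 (2), WAN 2 (3), traffic redirect (14), dial backup (15)."""
    return [
        WanRoute("WAN 1", metric=2),
        WanRoute("WAN 2", metric=3),
        WanRoute("Traffic Redirect", metric=14),
        WanRoute("Dial Backup", metric=15),
    ]


# Constructed check sequence: WAN 1 fails three checks in a row (tolerance 3),
# traffic moves to WAN 2, then WAN 1 passes one check and takes over again.
SAMPLE_CHECKS = [
    {"WAN 1": False, "WAN 2": True},
    {"WAN 1": False, "WAN 2": True},
    {"WAN 1": False, "WAN 2": True},
    {"WAN 1": True, "WAN 2": True},
]


def demo():
    return simulate(make_routes(), SAMPLE_CHECKS)


if __name__ == "__main__":
    print(demo())   # active route after each check interval
```

The point to take from the simulation is that the first two failed checks change nothing: a tolerance of 3 means roughly three check intervals of outage before failover, so the tolerance and the check interval together set how long users lose connectivity before the backup route takes over.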
Table 35 NETWORK > WAN > General (continued)
LABEL DESCRIPTION
Allow Trigger Dial Select this option to allow NetBIOS packets to initiate calls. Apply Click Apply to save your changes back to the ZyWALL. Reset Click Reset to begin configuring this screen afresh.
9.2.2 Configuring Load Balancing
To configure load balancing on the ZyWALL, click NETWORK > WAN in the navigation panel. The WAN General screen displays by default.
Since WAN 2 has a smaller load balancing index (meaning that it is less utilized than WAN 1), the ZyWALL will send the subsequent new session traffic through WAN 2.
Table 36 Least Load First: Example 1
OUTBOUND   AVAILABLE (A)   MEASURED (M)   LOAD BALANCING INDEX (M/A)
WAN 1      512 K           412 K          0.8
WAN 2      256 K           198 K          0.77
The following table describes the related fields in this screen.
Table 38 Load Balancing: Least Load First
LABEL DESCRIPTION
Active/Active Mode Select Active/Active Mode and set the related fields to enable load balancing on the ZyWALL. Load Balancing Algorithm Set the load balancing method to Least Load First.
Figure 101 Weighted Round Robin Algorithm Example
To load balance using the weighted round robin method, select Weighted Round Robin in the Load Balancing Algorithm field.
Figure 102 Load Balancing: Weighted Round Robin
The following table describes the related fields in this screen.
Table 39 Load Balancing: Weighted Round Robin
LABEL DESCRIPTION
Active/Active Mode Select Active/Active Mode and set the related fields to enable load balancing on the ZyWALL.
In cases where the primary WAN interface uses an unlimited access Internet connection and the secondary WAN uses a per-use timed access plan, the ZyWALL will only use the secondary WAN interface when the traffic load reaches the upper threshold on the primary WAN interface. This allows you to fully utilize the bandwidth of the primary WAN interface while avoiding overloading it and reducing Internet connection fees at the same time.
Table 40 Load Balancing: Spillover (continued)
LABEL DESCRIPTION
WAN Interface to Local Host Mapping Timeout Select this option to have the ZyWALL send all of a local computer’s traffic through the same WAN interface for the period of time that you specify (1 to 600 seconds). This is useful when a redirect server forwards a local user’s request for a file and informs the file server that a particular WAN IP address is requesting the file.
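The three Active/Active algorithms (Least Load First, Weighted Round Robin and Spillover) and the WAN Interface to Local Host Mapping Timeout each decide which WAN interface a new session leaves through. The following code is an added example, not ZyWALL code, that implements each decision as described in Sections 9.2.2 onward: the least-load figures reproduce Table 36 (512 K/412 K and 256 K/198 K), the weights, threshold, host address and timeout are constructed, and the host mapping is what prevents the "Incorrect WAN IP" problem from Figure 97, where a redirect server and a file server would otherwise see two different WAN addresses for the same LAN host.

```python
"""Outbound WAN selection for new sessions (added example, not ZyWALL code).

Implements the algorithms described in the WAN General screen:
  * Least Load First: pick the link with the lowest measured/available ratio,
  * Weighted Round Robin: cycle through links in proportion to their weights,
  * Spillover: use the primary link until its load reaches a threshold,
  * WAN Interface to Local Host Mapping: pin a LAN host to one WAN for a
    timeout (1-600 s) so that all of its sessions share one WAN IP address.
Bandwidth figures for Least Load First come from Table 36; everything else
is constructed sample data.
"""
import time


class WanLink:
    def __init__(self, name, available_kbps, weight=1):
        self.name = name
        self.available = available_kbps   # outbound bandwidth you configured (A)
        self.weight = weight              # Weighted Round Robin weight
        self.measured = 0.0               # current outbound load in kbps (M)

    def load_index(self):
        """Load balancing index M/A; lower means less utilized."""
        return self.measured / self.available


def least_load_first(links):
    """Send the new session through the least utilized link."""
    return min(links, key=lambda l: l.load_index())


class WeightedRoundRobin:
    """Hand out links in a repeating cycle; a link with weight w appears w times."""

    def __init__(self, links):
        self.cycle = [l for l in links for _ in range(l.weight)]
        self.pos = 0

    def pick(self):
        link = self.cycle[self.pos]
        self.pos = (self.pos + 1) % len(self.cycle)
        return link


def spillover(primary, secondary, threshold_kbps):
    """Use the primary link until its measured load reaches the threshold."""
    return primary if primary.measured < threshold_kbps else secondary


class HostMapping:
    """Pin each LAN host to the WAN link first chosen for it, for `timeout` seconds.

    A redirect server that records the requesting WAN IP and a file server that
    checks it then both see the same address (the Figure 97 scenario).
    """

    def __init__(self, timeout, clock=time.monotonic):
        if not 1 <= timeout <= 600:
            raise ValueError("mapping timeout must be 1-600 seconds")
        self.timeout = timeout
        self.clock = clock        # injectable for testing
        self.table = {}           # host ip -> (link, time of first mapping)

    def choose(self, host_ip, selector):
        """Return the pinned link for host_ip, or run selector() and pin its result."""
        now = self.clock()
        entry = self.table.get(host_ip)
        if entry is not None and now - entry[1] < self.timeout:
            return entry[0]
        link = selector()
        self.table[host_ip] = (link, now)
        return link


def table36_links():
    """Links with the figures from Table 36 (Least Load First: Example 1)."""
    wan1 = WanLink("WAN 1", 512, weight=3)
    wan2 = WanLink("WAN 2", 256, weight=1)
    wan1.measured, wan2.measured = 412, 198
    return wan1, wan2


if __name__ == "__main__":
    wan1, wan2 = table36_links()
    print("least load first ->", least_load_first([wan1, wan2]).name)
    wrr = WeightedRoundRobin([wan1, wan2])
    print("weighted round robin ->", [wrr.pick().name for _ in range(4)])
    print("spillover @500K ->", spillover(wan1, wan2, 500).name)
```

Note that the host mapping makes the load distribution coarser: while a host is pinned, every new session from it goes to the same link regardless of what the algorithm would choose, so a short timeout (just long enough for the redirect-and-download exchange) is the better default.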
Note: Regardless of your particular situation, do not create an arbitrary IP address; always follow the guidelines above. For more information on address assignment, refer to RFC 1918, Address Allocation for Private Internets (which replaced RFC 1597), and RFC 1466, Guidelines for Management of IP Address Space.
DNS Server Address Assignment
Use DNS (Domain Name System) to map a domain name to its corresponding IP address and vice versa; for instance, the IP address of www.zyxel.com is 204.217.0.2.
Figure 105 NETWORK > WAN > WAN (Ethernet Encapsulation)
The following table describes the labels in this screen.
Table 42 NETWORK > WAN > WAN (Ethernet Encapsulation)
LABEL DESCRIPTION
ISP Parameters for Internet Access Encapsulation You must choose the Ethernet option when the WAN port is used as a regular Ethernet.
Table 42 NETWORK > WAN > WAN (Ethernet Encapsulation) (continued)
LABEL DESCRIPTION
Login Server IP Address Type the authentication server IP address here if your ISP gave you one. This field is not available for Telia Login. Login Server (Telia Login only) Type the domain name of the Telia login server, for example login1.telia.com. Relogin Every(min) (Telia Login only) The Telia server logs the ZyWALL out if the ZyWALL does not log in periodically.
Table 42 NETWORK > WAN > WAN (Ethernet Encapsulation) (continued)
LABEL DESCRIPTION
Multicast Version Choose None (default), IGMP-V1 or IGMP-V2. IGMP (Internet Group Management Protocol) is a network-layer protocol used to establish membership in a multicast group; it is not used to carry user data. IGMP version 2 (RFC 2236) is an improvement over version 1 (RFC 1112) but IGMP version 1 is still in wide use.
Figure 106 NETWORK > WAN > WAN (PPPoE Encapsulation)
The following table describes the labels in this screen.
Table 43 NETWORK > WAN > WAN (PPPoE Encapsulation)
LABEL DESCRIPTION
ISP Parameters for Internet Access Encapsulation Select PPPoE for a dial-up connection using PPPoE. Service Name Type the PPPoE service name provided to you by your ISP. PPPoE uses a service name to identify and reach the PPPoE server. User Name Type the user name given to you by your ISP.
Table 43 NETWORK > WAN > WAN (PPPoE Encapsulation) (continued)
LABEL DESCRIPTION
Nailed-Up Select Nailed-Up if you do not want the connection to time out. Idle Timeout This value specifies the time in seconds that elapses before the ZyWALL automatically disconnects from the PPPoE server. WAN IP Address Assignment Get automatically from ISP Select this option if your ISP did not assign you a fixed IP address. This is the default selection.
Table 43 NETWORK > WAN > WAN (PPPoE Encapsulation) (continued)
LABEL DESCRIPTION
Spoof WAN MAC Address from LAN You can configure the WAN port's MAC address by either using the factory assigned default MAC Address or cloning the MAC address of a computer on your LAN. By default, the ZyWALL uses the factory assigned MAC Address to identify itself on the WAN. Otherwise, select this option and enter the IP address of the computer on the LAN whose MAC you are cloning.
Figure 107 NETWORK > WAN > WAN (PPTP Encapsulation)
The following table describes the labels in this screen.
Table 44 NETWORK > WAN > WAN (PPTP Encapsulation)
LABEL DESCRIPTION
ISP Parameters for Internet Access Encapsulation Set the encapsulation method to PPTP. The ZyWALL supports only one PPTP server connection at any given time.
Table 44 NETWORK > WAN > WAN (PPTP Encapsulation) (continued)
LABEL DESCRIPTION
Authentication Type The ZyWALL supports PAP (Password Authentication Protocol) and CHAP (Challenge Handshake Authentication Protocol). CHAP is more secure than PAP: CHAP answers a server challenge with a hash, so the password itself never crosses the link, whereas PAP sends the password in the clear. PAP is, however, readily available on more platforms. Use the drop-down list box to select an authentication protocol for outgoing calls. Options are: CHAP/PAP - Your ZyWALL accepts either CHAP or PAP when requested by this remote node.
Table 44 NETWORK > WAN > WAN (PPTP Encapsulation) (continued)
LABEL DESCRIPTION
RIP Version The RIP Version field controls the format and the broadcasting method of the RIP packets that the ZyWALL sends (it recognizes both formats when receiving). Choose RIP-1, RIP-2B or RIP-2M. RIP-1 is universally supported, but RIP-2 carries more information. RIP-1 is probably adequate for most networks, unless you have an unusual network topology.
Note: The actual data rate you obtain varies depending on the 3G card you use, the signal strength to the service provider’s base station, and so on. If the signal strength of a 3G network is too low, the 3G card may switch to an available 2.5G or 2.75G network. Refer to Section 9.8 on page 204 for a comparison between 2G, 2.5G, 2.75G and 3G wireless technologies.
Warning: Turn the ZyWALL off before you install or remove the 3G card.
Figure 108 NETWORK > WAN > 3G (WAN 2)
The following table describes the labels in this screen.
Table 45 NETWORK > WAN > 3G (WAN 2)
LABEL DESCRIPTION
Enable Select this option to enable WAN 2. 3G Card Configuration The fields below display only when you enable WAN 2. 3G Wireless Card This displays the manufacturer and model name of your 3G card if you inserted one in the ZyWALL. Otherwise, it displays Not Installed.
Table 45 NETWORK > WAN > 3G (WAN 2) (continued)
LABEL DESCRIPTION
Network Type Select the type of the network (UMTS/HSDPA only, GPRS/EDGE only, GSM all or WCDMA all) to which you want the card to connect. See Table 49 on page 204 for more information. Otherwise, select Automatically to have the card connect to an available network using the default settings on the 3G card. The types of network available vary depending on the 3G card you inserted.
Table 45 NETWORK > WAN > 3G (WAN 2) (continued)
LABEL DESCRIPTION
Idle Timeout This value specifies the time in seconds that elapses before the ZyWALL automatically disconnects from the ISP. WAN IP Address Assignment Get automatically from ISP Select this option if your ISP did not assign you a fixed IP address. This is the default selection. Use Fixed IP Address Select this option if the ISP assigned a fixed IP address.
Table 45 NETWORK > WAN > 3G (WAN 2) (continued)
LABEL DESCRIPTION
Actions when over budget Specify the actions the ZyWALL takes when the time or data limit is exceeded. Select Log to create a log. Select Alert to create an alert. This option is available only when you select Log. If you select Log, you can also select recurring every to have the ZyWALL send a log (and alert if selected) for this event periodically.
Figure 110 Traffic Redirect LAN Setup
9.6 Configuring the Traffic Redirect Screen
To change your ZyWALL’s traffic redirect settings, click NETWORK > WAN > Traffic Redirect. The screen appears as shown.
Note: For the ZyWALL 5, if the traffic redirect feature does not work after you configure the ZyWALL’s traffic redirect settings in the Traffic Redirect screen, you may need to turn on the WAN ping check by entering sys rn pingDrop in the command interpreter. See the CLI Reference Guide.
9.7 The Dial Backup Screen
Click NETWORK > WAN > Dial Backup to display the Dial Backup screen. Use this screen to configure the backup WAN dial-up connection. Not all fields are available on all models.
The following table describes the labels in this screen.
Table 47 NETWORK > WAN > Dial Backup
LABEL DESCRIPTION
Dial Backup Setup Enable Dial Backup Select this check box to turn on dial backup. Basic Settings Login Name Type the login name assigned by your ISP. Password Type the password assigned by your ISP. Retype to Confirm Type your password again to make sure that you have entered it correctly.
Table 47 NETWORK > WAN > Dial Backup (continued)
LABEL DESCRIPTION
RIP Version The RIP Version field controls the format and the broadcasting method of the RIP packets that the ZyWALL sends (it recognizes both formats when receiving). Choose RIP-1, RIP-2B or RIP-2M. RIP-1 is universally supported, but RIP-2 carries more information. RIP-1 is probably adequate for most networks, unless you have an unusual network topology.
AT Command Strings
For regular telephone lines, the default Dial string tells the modem that the line uses tone dialing. ATDT is the command for a switch that requires tone dialing. If your switch requires pulse dialing, change the string to ATDP. For ISDN lines, there are many more protocols and operational modes. Please consult the documentation of your TA. You may need additional commands in both Dial and Init strings.
Figure 113 NETWORK > WAN > Dial Backup > Edit
The following table describes the labels in this screen.
Table 48 NETWORK > WAN > Dial Backup > Edit
LABEL DESCRIPTION
AT Command Strings Dial Type the AT Command string to make a call. Drop Type the AT Command string to drop a call. "~" represents a one second wait; for example, "~~~+++~~ath" can be used if your modem has a slow response time. Answer Type the AT Command string to answer a call.
Table 48 NETWORK > WAN > Dial Backup > Edit (continued)
LABEL DESCRIPTION
Retry Interval (sec) Type a number of seconds for the ZyWALL to wait before trying another call after a call has failed. This applies before a phone number is blacklisted. Drop Timeout (sec) Type the number of seconds for the ZyWALL to wait before dropping the DTR signal if it does not receive a positive disconnect confirmation.
A. The International Telecommunication Union (ITU) is an international organization within which governments and the private sector coordinate global telecom networks and services.
CHAPTER 10 DMZ Screens
10.1 Overview
The DeMilitarized Zone (DMZ) provides a way for public servers (Web, e-mail, FTP, etc.) to be visible to the outside world (while still being protected from DoS (Denial of Service) attacks such as SYN flooding and Ping of Death). These public servers can also still be accessed from the secure LAN.
Figure 114 DMZ Overview
10.1.1 What You Can Do in the DMZ Screens
• Use the DMZ screen (Section 10.
10.1.2 What You Need To Know About DMZ
DMZ and Security
It is highly recommended that you connect all of your public servers to the DMZ port(s). It is also highly recommended that you keep all sensitive information off of the public servers connected to the DMZ port and store it on LAN computers instead: a DMZ server is reachable from the Internet and should be treated as the first machine an attacker will compromise. For the same reason, keep the firewall rules from the DMZ to the LAN to the minimum those servers actually need, so that a compromised DMZ host cannot be used as a stepping stone into the LAN.
Figure 115 DMZ Public Address Example
10.1.4 DMZ Private and Public IP Address Example
The following figure shows a network setup with both private and public IP addresses on the DMZ. Lower case letters represent public IP addresses (like a.b.c.d for example). The LAN port and connected computers (A through C) use private IP addresses that are in one subnet. The DMZ port and server F use private IP addresses that are in one subnet.
Figure 116 DMZ Private and Public Address Example
10.2 The DMZ Screen
Use this screen to configure TCP/IP, DHCP, IP/MAC binding and NetBIOS settings on the DMZ. The DMZ and the connected computers can have private or public IP addresses. When the DMZ uses public IP addresses, the WAN and DMZ ports must use public IP addresses that are on separate subnets. See Appendix E on page 817 for information on IP subnetting. From the main menu, click NETWORK > DMZ to open the DMZ screen.
Figure 117 NETWORK > DMZ
The following table describes the labels in this screen.
Table 50 NETWORK > DMZ
LABEL DESCRIPTION
DMZ TCP/IP IP Address Type the IP address of your ZyWALL’s DMZ port in dotted decimal notation. Note: Make sure the IP addresses of the LAN, WAN, WLAN and DMZ are on separate subnets. IP Subnet Mask The subnet mask specifies the network number portion of an IP address.
Table 50 NETWORK > DMZ (continued)
LABEL DESCRIPTION
RIP Version The RIP Version field controls the format and the broadcasting method of the RIP packets that the ZyWALL sends (it recognizes both formats when receiving). RIP-1 is universally supported but RIP-2 carries more information. RIP-1 is probably adequate for most networks, unless you have an unusual network topology.
Table 50 NETWORK > DMZ (continued)
LABEL DESCRIPTION
Windows Networking (NetBIOS over TCP/IP) Allow between DMZ and LAN Select this check box to forward NetBIOS packets from the LAN to the DMZ and from the DMZ to the LAN. If your firewall is enabled with the default policy set to block DMZ to LAN traffic, you also need to configure a DMZ to LAN firewall rule that forwards NetBIOS traffic.
Figure 118 NETWORK > DMZ > Static DHCP
The following table describes the labels in this screen.
Table 51 NETWORK > DMZ > Static DHCP
LABEL DESCRIPTION
# This is the index number of the static IP table entry (row). MAC Address Type the MAC address of a computer on your DMZ. IP Address Type the IP address that you want to assign to the computer on your DMZ. Alternatively, click the right mouse button to copy and/or paste the IP address.
To change your ZyWALL’s IP alias settings, click NETWORK > DMZ > IP Alias. The screen appears as shown.
Figure 119 NETWORK > DMZ > IP Alias
The following table describes the labels in this screen.
Table 52 NETWORK > DMZ > IP Alias
LABEL DESCRIPTION
Enable IP Alias 1, 2 Select the check box to configure another DMZ network for the ZyWALL. IP Address Enter the IP address of your ZyWALL in dotted decimal notation.
Table 52 NETWORK > DMZ > IP Alias (continued)
LABEL DESCRIPTION
Apply Click Apply to save your changes back to the ZyWALL. Reset Click Reset to begin configuring this screen afresh.
10.5 The DMZ Port Roles Screen
Use the Port Roles screen to set ports as part of the LAN, DMZ and/or WLAN interface. See Section 7.5 on page 158 for more information on port roles. To change your ZyWALL’s port role settings, click NETWORK > DMZ > Port Roles. The screen appears as shown.
CHAPTER 11 WLAN Screens 11.1 Overview A wireless LAN can be as simple as two computers with wireless LAN adapters communicating in a peer-to-peer network or as complex as a number of computers with wireless LAN adapters communicating through access points which bridge network traffic to the wired LAN. To add a wireless network to the ZyWALL, install a wireless card or connect a wireless device such as an Access Point to one of the ZyWALL's Ethernet ports.
• Use the Port Roles screen (Section 11.5 on page 226) to set a port to be part of the WLAN and connect an Access Point (AP) to the WLAN interface to extend the ZyWALL’s wireless LAN coverage.
11.1.2 What You Need to Know About WLAN
DHCP
See Section 7.1.2 on page 150 for more information on DHCP. Like the LAN, the ZyWALL can also assign TCP/IP configuration via DHCP to computers connected to the WLAN ports.
IP alias
See Section 7.4 on page 156 for more information on IP alias.
Figure 122 NETWORK > WLAN
The following table describes the labels in this screen.
Table 54 NETWORK > WLAN
LABEL DESCRIPTION
WLAN TCP/IP IP Address Type the IP address of your ZyWALL’s WLAN interface in dotted decimal notation. Alternatively, click the right mouse button to copy and/or paste the IP address. Note: Make sure the IP addresses of the LAN, WAN, WLAN and DMZ are on separate subnets.
Table 54 NETWORK > WLAN (continued)
LABEL DESCRIPTION
RIP Version The RIP Version field controls the format and the broadcasting method of the RIP packets that the ZyWALL sends (it recognizes both formats when receiving). RIP-1 is universally supported but RIP-2 carries more information. RIP-1 is probably adequate for most networks, unless you have an unusual network topology.
Table 54 NETWORK > WLAN (continued)
LABEL DESCRIPTION
Windows Networking (NetBIOS over TCP/IP) NetBIOS (Network Basic Input/Output System) over TCP/IP is carried in UDP (ports 137 and 138) and TCP (port 139) packets that let a computer find and communicate with other computers on a LAN. On some dial-up services such as PPPoE or PPTP, NetBIOS broadcasts can trigger unwanted calls. However, it may sometimes be necessary to allow NetBIOS packets to pass through to the WAN in order to find a computer on the WAN.
Figure 123 NETWORK > WLAN > Static DHCP
The following table describes the labels in this screen.
Table 55 NETWORK > WLAN > Static DHCP
LABEL DESCRIPTION
# This is the index number of the static IP table entry (row). MAC Address Type the MAC address of a computer on your WLAN. IP Address Type the IP address that you want to assign to the computer on your WLAN. Alternatively, click the right mouse button to copy and/or paste the IP address.
To change your ZyWALL’s IP alias settings, click NETWORK > WLAN > IP Alias. The screen appears as shown.
Figure 124 NETWORK > WLAN > IP Alias
The following table describes the labels in this screen.
Table 56 NETWORK > WLAN > IP Alias
LABEL DESCRIPTION
Enable IP Alias 1, 2 Select the check box to configure another WLAN network for the ZyWALL. IP Address Enter the IP address of your ZyWALL in dotted decimal notation.
Table 56 NETWORK > WLAN > IP Alias (continued)
LABEL DESCRIPTION
Apply Click Apply to save your changes back to the ZyWALL. Reset Click Reset to begin configuring this screen afresh.
11.5 WLAN Port Roles
Use the Port Roles screen to set ports as part of the LAN, DMZ and/or WLAN interface. Connect wireless LAN Access Points (APs) to WLAN interfaces to extend the ZyWALL’s wireless LAN coverage.
Figure 126 NETWORK > WLAN > Port Roles
The following table describes the labels in this screen.
Table 57 NETWORK > WLAN > Port Roles
LABEL DESCRIPTION
LAN Select a port’s LAN radio button to use the port as part of the LAN. The port will use the LAN IP address. DMZ Select a port’s DMZ radio button to use the port as part of the DMZ. The port will use the DMZ IP address. WLAN Select a port’s WLAN radio button to use the port as part of the WLAN.
CHAPTER 12 Wireless Screens 12.1 Overview In this section you can enable your wireless card and configure wireless security. You can configure the ZyWALL to use data encryption and user authentication methods to help protect data transmitted on your network and to ensure only devices with permission to access your network can do so. The following diagram shows authenticated wireless devices transmitting encrypted data on a wireless network which an unauthenticated device cannot access.
The figure below shows the possible wireless security levels on your ZyWALL.
Figure 129 ZyWALL Wireless Security Levels
If you do not enable any wireless security on your ZyWALL, your network is accessible to any wireless networking device that is within range.
ESSID
ESSID (Extended Service Set IDentity) identifies the Service Set with which a wireless station is associated. If you hide the ESSID, the ZyWALL does not advertise it in its beacons, so it does not appear when a wireless client scans for local APs. This is not a security measure: the ESSID is still sent in the clear in probe and association frames, so anyone capturing wireless traffic recovers it as soon as a legitimate client connects. Always combine it with encryption and authentication.
• An optional network RADIUS server for remote user authentication and accounting.
EAP Authentication
EAP (Extensible Authentication Protocol) is an authentication protocol that runs on top of the IEEE 802.1x transport mechanism in order to support multiple types of user authentication. By using EAP to interact with an EAP-compatible RADIUS server, the access point helps a wireless station and a RADIUS server perform authentication.
Finding Out More
• See Section 12.4 on page 244 for technical details on wireless security.
12.2 Wireless Card
The wireless card provides wireless functionality to your ZyWALL.
Warning: Turn the ZyWALL off before you install or remove the wireless LAN card.
Note: See the product specifications chapter for a list of compatible ZyXEL WLAN cards (and the WLAN security features each card supports) and how to install a WLAN card.
The following table describes the labels in this screen.

Table 58 WIRELESS > Wi-Fi > Wireless Card: No Security
Enable Wireless Card: The wireless LAN through a wireless LAN card is turned off by default. Before you enable the wireless LAN, you should configure some security by setting MAC filters and/or 802.1x security; otherwise your wireless LAN will be vulnerable as soon as you enable it. Select the check box to enable the wireless LAN.
Table 58 WIRELESS > Wi-Fi > Wireless Card: No Security (continued)
Security: Select one of the security settings:
• No Security
• Static WEP
• WPA-PSK
• WPA
• 802.1x + Dynamic WEP
• 802.1x + Static WEP
• 802.1x + No WEP
• No Access 802.1x + Static WEP
• No Access 802.1x + No WEP
Select No Security to allow wireless stations to communicate with the access points without any data encryption.
Figure 131 WIRELESS > Wi-Fi > Wireless Card: Static WEP

The following table describes the wireless LAN security labels in this screen.

Table 59 WIRELESS > Wi-Fi > Wireless Card: Static WEP
Security: Select Static WEP from the drop-down list.
WEP Encryption: WEP (Wired Equivalent Privacy) provides data encryption to prevent unauthorized wireless stations from accessing data transmitted over the wireless network.
Figure 132 WIRELESS > Wi-Fi > Wireless Card: WPA-PSK

The following wireless LAN security fields become available when you select WPA-PSK in the Security drop-down list box.

Table 60 WIRELESS > Wi-Fi > Wireless Card: WPA-PSK
Security: Select WPA-PSK from the drop-down list.
Pre-Shared Key: The encryption mechanisms used for WPA and WPA-PSK are the same.
12.2.3 WPA

Click WIRELESS > Wi-Fi > Wireless Card to display the Wireless Card screen. Select WPA from the Security list.

Figure 133 WIRELESS > Wi-Fi > Wireless Card: WPA

The following wireless LAN security fields become available when you select WPA in the Security drop-down list box.

Table 61 WIRELESS > Wi-Fi > Wireless Card: WPA
Security: Select WPA from the drop-down list.
Table 61 WIRELESS > Wi-Fi > Wireless Card: WPA (continued)
Apply: Click Apply to save your changes back to the ZyWALL.
Reset: Click Reset to begin configuring this screen afresh.

12.2.4 IEEE 802.1x + Dynamic WEP

Click WIRELESS > Wi-Fi > Wireless Card to display the Wireless Card screen. Select 802.1x + Dynamic WEP from the Security list.

Figure 134 WIRELESS > Wi-Fi > Wireless Card: 802.
Table 62 WIRELESS > Wi-Fi > Wireless Card: 802.1x + Dynamic WEP
Authentication Databases: Click RADIUS to go to the RADIUS screen where you can configure the ZyWALL to check an external RADIUS server.
Dynamic WEP Key Exchange: Select 64-bit WEP or 128-bit WEP to enable data encryption.
Apply: Click Apply to save your changes back to the ZyWALL.
Reset: Click Reset to begin configuring this screen afresh.

12.2.5 IEEE 802.
Table 63 WIRELESS > Wi-Fi > Wireless Card: 802.1x + Static WEP (continued)
Key 1 to Key 4: If you chose 64-bit WEP in the WEP Encryption field, then enter any 5 characters (ASCII string) or 10 hexadecimal characters ("0-9", "A-F") preceded by 0x for each key. If you chose 128-bit WEP in the WEP Encryption field, then enter 13 characters (ASCII string) or 26 hexadecimal characters ("0-9", "A-F") preceded by 0x for each key.
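A parser for the Key 1 to Key 4 formats in Table 63, as an added Python example that is not ZyWALL code: it checks the ASCII and 0x-prefixed hexadecimal lengths for 64-bit and 128-bit WEP and returns the raw key bytes, so the two spellings of the same key can be compared. Accepting lowercase a-f as well as A-F, and allowing an empty key slot, are assumptions of this example, not statements from the guide.

```python
import string
from typing import Dict, Sequence

# Added example, not ZyWALL code: the secret-key lengths from Table 63.
# The 24 bits missing from the nominal 64/128-bit size are the per-packet
# IV, which is not part of the configured secret.
WEP_KEY_LENGTHS = {
    64: (5, 10),    # 5 ASCII characters or 10 hex digits (40 secret bits)
    128: (13, 26),  # 13 ASCII characters or 26 hex digits (104 secret bits)
}


def parse_wep_key(key: str, bits: int) -> bytes:
    """Return the key bytes for a static WEP key entered as Table 63 describes.

    A hex key must be prefixed with 0x. The guide lists the digits A-F; this
    parser also accepts a-f (an assumption, not stated in the guide).
    """
    if bits not in WEP_KEY_LENGTHS:
        raise ValueError("WEP key size must be 64 or 128")
    ascii_len, hex_len = WEP_KEY_LENGTHS[bits]
    if key[:2].lower() == "0x":
        digits = key[2:]
        if len(digits) != hex_len or any(c not in string.hexdigits for c in digits):
            raise ValueError(
                f"{bits}-bit hex key needs 0x followed by exactly {hex_len} hex digits")
        return bytes.fromhex(digits)
    if len(key) != ascii_len or not key.isascii() or not key.isprintable():
        raise ValueError(
            f"{bits}-bit ASCII key needs exactly {ascii_len} printable ASCII characters")
    return key.encode("ascii")


def validate_wep_keys(keys: Sequence[str], bits: int) -> Dict[int, str]:
    """Check the four key slots; returns slot number -> error text ('' if valid).

    An empty slot is treated as unused (assumption: not every slot must be
    filled); a filled slot must parse under the chosen key size.
    """
    result: Dict[int, str] = {}
    for slot, key in enumerate(keys, start=1):
        if key == "":
            result[slot] = ""
            continue
        try:
            parse_wep_key(key, bits)
            result[slot] = ""
        except ValueError as exc:
            result[slot] = str(exc)
    return result


if __name__ == "__main__":
    # "abcde" and 0x6162636465 are the same 40-bit secret written two ways.
    print(parse_wep_key("abcde", 64) == parse_wep_key("0x6162636465", 64))  # True
    print(validate_wep_keys(["abcde", "0x6162636465", "abcd", ""], 64))
```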
Figure 136 WIRELESS > Wi-Fi > Wireless Card: 802.1x + No WEP

The following wireless LAN security fields become available when you select 802.1x + No WEP in the Security drop-down list box.

Table 64 WIRELESS > Wi-Fi > Wireless Card: 802.1x + No WEP
Security: Select 802.1x + No WEP from the drop-down list.
ReAuthentication Timer (Seconds): Specify how often wireless stations have to resend user names and passwords in order to stay connected.
Figure 137 WIRELESS > Wi-Fi > Wireless Card: No Access 802.1x + Static WEP

The following wireless LAN security fields become available when you select No Access 802.1x + Static WEP in the Security drop-down list box.

Table 65 WIRELESS > Wi-Fi > Wireless Card: No Access 802.1x + Static WEP
Security: Select No Access 802.1x + Static WEP from the drop-down list.
12.3 MAC Filter

The MAC filter screen allows you to configure the ZyWALL to give exclusive access to specific devices (Allow Association) or exclude specific devices from accessing the ZyWALL (Deny Association). You need to know the MAC addresses of the devices to configure this screen. To change your ZyWALL’s MAC filter settings, click WIRELESS > Wi-Fi > MAC Filter. The screen appears as shown.
12.4 Technical Reference

RADIUS
RADIUS is a simple package exchange in which your ZyWALL acts as a message relay between the wireless station and the network RADIUS server. See RFC 2138 and RFC 2139 for more on RADIUS.

Types of RADIUS Messages
The following types of RADIUS messages are exchanged between the access point and the RADIUS server for user authentication:
• Access-Request: Sent by an access point requesting authentication.
Figure 139 EAP Authentication

The details below provide a general description of how IEEE 802.1x EAP authentication works.
• The wireless station sends a start message to the ZyWALL.
• The ZyWALL sends a request identity message to the wireless station for identity information.
• The wireless station replies with identity information, including user name and password.
The Message Integrity Check (MIC) is designed to prevent an attacker from capturing data packets, altering them and resending them. The MIC provides a strong mathematical function in which the receiver and the transmitter each compute and then compare the MIC. If they do not match, it is assumed that the data has been tampered with and the packet is dropped.
2 The RADIUS server then checks the user's identification against its database and grants or denies network access accordingly.
3 The RADIUS server distributes a Pairwise Master Key (PMK) to the AP, which then sets up a key hierarchy and management system, using the pair-wise key to dynamically generate unique data encryption keys to encrypt every data packet that is wirelessly communicated between the AP and the wireless clients.
PART III Security

Firewall Screens (251)
Intrusion Detection and Prevention (IDP) Screens (277)
Anti-Virus Screens (299)
Anti-Spam Screens (313)
Content Filtering Screens (327)
Content Filtering Reports (349)
IPSec VPN (357)
Certificates (399)
Authentication Server Screens (427)
CHAPTER 13 Firewall Screens

This chapter shows you how to configure your ZyWALL’s firewall.

13.1 Overview

A firewall is a system that enforces an access-control policy between two networks. It is generally a mechanism used to protect a trusted network from an untrusted network. The ZyWALL physically separates the LAN, DMZ, WLAN and the WAN and acts as a secure gateway for all data passing between the networks.
13.1.1 What You Can Do Using the Firewall Screens
• Use the Default Rule screens (Section 13.4 on page 256) to configure general firewall settings when the ZyWALL is set to router mode or bridge mode.
• Use the Rule Summary screens (Section 13.5 on page 259) to configure firewall rules.
• Use the Anti-Probing screen (Section 13.
Figure 143 Blocking All LAN to WAN IRC Traffic Example

Your firewall would have the following configuration.

Table 67 Blocking All LAN to WAN IRC Traffic Example
#        SOURCE  DESTINATION  SCHEDULE  SERVICE  ACTION
1        Any     Any          Any       IRC      Drop
Default  Any     Any          Any       Any      Allow

• The first row blocks LAN access to the IRC service on the WAN.
• The second row is the firewall’s default policy that allows all traffic from the LAN to go to the WAN.
Figure 144 Limited LAN to WAN IRC Traffic Example

Your firewall would have the following configuration.

Table 68 Limited LAN to WAN IRC Traffic Example
#        SOURCE       DESTINATION  SCHEDULE  SERVICE  ACTION
1        192.168.1.7  Any          Any       IRC      Allow
2        Any          Any          Any       IRC      Drop
Default  Any          Any          Any       Any      Allow

• The first row allows the LAN computer at IP address 192.168.1.7 to access the IRC service on the WAN.
• The second row blocks LAN access to the IRC service on the WAN.
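The first-match evaluation behind Tables 67 and 68, and the rule-ordering point that Section 13.5 makes, as an added Python example that is not the ZyWALL’s own software: each packet is checked against the rules top to bottom, the first match decides, and swapping rules 1 and 2 of Table 68 shows the broad Drop shadowing the specific Allow. The rule and packet representation, the simplified address matching ("Any", a single IP or a CIDR block), the always-active "Any" schedule and the WAN host 203.0.113.5 are constructed for this example.

```python
"""First-match evaluation of LAN-to-WAN firewall rules.

Added example, not the ZyWALL's own software: it models the Table 67 and
Table 68 rule sets. Rules are checked top to bottom, the first match decides,
and the Default row catches everything the numbered rules did not.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List


@dataclass(frozen=True)
class Rule:
    number: str       # "1", "2", ... or "Default"
    source: str       # "Any", a single IP or a CIDR block (constructed convention)
    destination: str
    schedule: str     # only "Any" appears in these tables; treated as always active
    service: str      # "Any" or a service name such as "IRC"
    action: str       # "Allow" or "Drop"


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    service: str


def _addr_matches(spec: str, addr: str) -> bool:
    """'Any' matches everything; otherwise compare to a single IP or a CIDR."""
    if spec == "Any":
        return True
    if "/" in spec:
        return ip_address(addr) in ip_network(spec, strict=False)
    return ip_address(addr) == ip_address(spec)


def matches(rule: Rule, pkt: Packet) -> bool:
    return (_addr_matches(rule.source, pkt.src)
            and _addr_matches(rule.destination, pkt.dst)
            and rule.service in ("Any", pkt.service))


def first_match(rules: List[Rule], pkt: Packet) -> Rule:
    """Return the first rule that matches; the list must end with a Default row."""
    for rule in rules:
        if matches(rule, pkt):
            return rule
    raise ValueError("rule list has no catch-all Default rule")


def decide(rules: List[Rule], pkt: Packet) -> str:
    r = first_match(rules, pkt)
    return f"rule {r.number}: {r.action}"


def shadowed_rules(rules: List[Rule]) -> List[str]:
    """Numbers of rules that can never match because an earlier rule is at
    least as broad in every field (simplified: "Any" or an identical value)."""
    shadowed = []
    for i, later in enumerate(rules):
        for earlier in rules[:i]:
            fields = zip((earlier.source, earlier.destination, earlier.schedule, earlier.service),
                         (later.source, later.destination, later.schedule, later.service))
            if all(e in ("Any", lat) for e, lat in fields):
                shadowed.append(later.number)
                break
    return shadowed


# Table 67: block all LAN to WAN IRC traffic.
TABLE_67 = [
    Rule("1", "Any", "Any", "Any", "IRC", "Drop"),
    Rule("Default", "Any", "Any", "Any", "Any", "Allow"),
]

# Table 68: only 192.168.1.7 may use IRC on the WAN.
TABLE_68 = [
    Rule("1", "192.168.1.7", "Any", "Any", "IRC", "Allow"),
    Rule("2", "Any", "Any", "Any", "IRC", "Drop"),
    Rule("Default", "Any", "Any", "Any", "Any", "Allow"),
]

if __name__ == "__main__":
    # Constructed sample packets; 203.0.113.5 stands in for a WAN host.
    irc_from_7 = Packet("192.168.1.7", "203.0.113.5", "IRC")
    irc_from_8 = Packet("192.168.1.8", "203.0.113.5", "IRC")
    web_from_8 = Packet("192.168.1.8", "203.0.113.5", "HTTP")
    for pkt in (irc_from_7, irc_from_8, web_from_8):
        print(pkt.src, pkt.service, "->", decide(TABLE_68, pkt))
    # Swapping rules 1 and 2 shows why ordering matters: the broad Drop
    # now shadows the specific Allow, and 192.168.1.7 loses IRC access.
    swapped = [TABLE_68[1], TABLE_68[0], TABLE_68[2]]
    print("swapped:", decide(swapped, irc_from_7), "shadowed:", shadowed_rules(swapped))
```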
Figure 145 SECURITY > FIREWALL > Default Rule (Router Mode)

The following table describes the labels in this screen.

Table 69 SECURITY > FIREWALL > Default Rule (Router Mode)
0-100%: This bar displays the percentage of the ZyWALL’s firewall rules storage space that is currently in use. When the storage space is almost full, you should consider deleting unnecessary firewall rules before adding more firewall rules.
Table 69 SECURITY > FIREWALL > Default Rule (Router Mode) (continued)
From, To: The firewall rules are grouped by the direction of packet travel. The number of rules for each packet direction is displayed. Click Edit to go to a summary screen of the rules for that packet direction. Here are some example descriptions of the directions of travel.
Figure 146 SECURITY > FIREWALL > Default Rule (Bridge Mode)

The following table describes the labels in this screen.

Table 70 SECURITY > FIREWALL > Default Rule (Bridge Mode)
0-100%: This bar displays the percentage of the ZyWALL’s firewall rules storage space that is currently in use. When the storage space is almost full, you should consider deleting unnecessary firewall rules before adding more firewall rules.
Table 70 SECURITY > FIREWALL > Default Rule (Bridge Mode) (continued)
From, To: The firewall rules are grouped by the direction of packet travel. The number of rules for each packet direction is displayed. Click Edit to go to a summary screen of the rules for that packet direction. Here are some example descriptions of the directions of travel.
13.5 The Firewall Rule Summary Screen

Click SECURITY > FIREWALL > Rule Summary to open the screen. This screen displays a list of the configured firewall rules.

Note: The ordering of your rules is very important as rules are applied in the order that they are listed.

See Section 13.1 on page 251 for more information about the firewall.

Figure 147 SECURITY > FIREWALL > Rule Summary

The following table describes the labels in this screen.
Table 71 SECURITY > FIREWALL > Rule Summary
Source Address: This drop-down list box displays the source addresses or ranges of addresses to which this firewall rule applies. Please note that a blank source or destination address is equivalent to Any.
Destination Address: This drop-down list box displays the destination addresses or ranges of addresses to which this firewall rule applies.
Figure 148 SECURITY > FIREWALL > Rule Summary > Edit
The following table describes the labels in this screen.

Table 72 SECURITY > FIREWALL > Rule Summary > Edit
Rule Name: Enter a descriptive name of up to 31 printable ASCII characters (except Extended ASCII characters) for the firewall rule. Spaces are allowed.
Edit Source/Destination Address
Address Type: Do you want your rule to apply to packets with a particular (single) IP, a range of IP addresses (for example 192.168.1.10 to 192.169.1.
Table 72 SECURITY > FIREWALL > Rule Summary > Edit
Action for Matched Packets: Use the drop-down list box to select what the firewall is to do with packets that match this rule. Select Drop to silently discard the packets without sending a TCP reset packet or an ICMP destination-unreachable message to the sender.
The following table describes the labels in this screen.

Table 73 SECURITY > FIREWALL > Anti-Probing
Respond to PING on: Select the check boxes of the interfaces that you want to reply to incoming Ping requests. Clear an interface’s check box to have the ZyWALL not respond to any Ping requests that come into that interface.
Do not respond to requests for unauthorized services.
The following table describes the labels in this screen.

Table 74 SECURITY > FIREWALL > Threshold
Disable DoS Attack Protection on: Select the check boxes of any interfaces (or all VPN tunnels) for which you want the ZyWALL to not use the Denial of Service protection thresholds. This disables DoS protection on the selected interface (or all VPN tunnels).
13.8 The Firewall Services Screen

Click SECURITY > FIREWALL > Service to open the screen as shown next. Use this screen to configure custom services for use in firewall rules or view the services that are predefined in the ZyWALL.

Figure 151 SECURITY > FIREWALL > Service

The following table describes the labels in this screen.

Table 75 SECURITY > FIREWALL > Service
Custom Service: This table shows all configured custom services.
Table 75 SECURITY > FIREWALL > Service (continued)
Protocol: This is the IP protocol type. There may be more than one IP protocol type.
Attribute: This is the IP port number or ICMP type and code that defines the service.

13.8.1 The Firewall Edit Custom Service Screen

Click SECURITY > FIREWALL > Service > Add to display the following screen. Use this screen to configure a custom service entry that is not predefined in the ZyWALL.
13.8.2 My Service Firewall Rule Example

The following Internet firewall rule example allows a hypothetical My Service connection from the Internet.
1 In the Service screen, click Add to open the Edit Custom Service screen.
Figure 153 My Service Firewall Rule Example: Service
2 Configure it as follows and click Apply.
Figure 154 My Service Firewall Rule Example: Edit Custom Service
3 Click Rule Summary.
Figure 155 My Service Firewall Rule Example: Rule Summary
6 Enter the name of the firewall rule.
7 Select Any in the Destination Address(es) box and then click Delete.
8 Configure the destination address fields as follows and click Add.
Figure 156 My Service Firewall Rule Example: Rule Edit
9 In the Edit Rule screen, use the arrows between Available Services and Selected Service(s) to configure it as follows. Click Apply when you are done.
Figure 157 My Service Firewall Rule Example: Rule Configuration
Rule 1 allows a My Service connection from the WAN to IP addresses 10.0.0.10 through 10.0.0.15 on the LAN.

Figure 158 My Service Firewall Rule Example: Rule Summary

13.9 Technical Reference

This technical reference contains the following sections:
• Packet Direction Examples
• Asymmetrical Routes
• DoS Thresholds
• Security Considerations

Packet Direction Examples
Firewall rules are grouped based on the direction of travel of packets to which they apply.
By default, the ZyWALL drops packets traveling in the following directions.
• WAN 1 to LAN
These rules specify which computers connected to WAN 1 can access which computers or services on the LAN. For example, you may create rules to:
• Allow certain types of traffic, such as Lotus Notes database synchronization, from specific hosts on the Internet to specific hosts on the LAN.
• Allow public access to a Web server on your protected network.
Figure 159 From LAN to VPN Example

From VPN Packet Direction
You can also apply firewall rules to traffic that comes in through the ZyWALL’s VPN tunnels. The ZyWALL decrypts the VPN traffic and then applies the firewall rules. From VPN means traffic that came into the ZyWALL through a VPN tunnel and is going to the selected “to” interface.
From VPN To VPN Packet Direction
From VPN To VPN firewall rules apply to traffic that comes in through one of the ZyWALL’s VPN tunnels and terminates at the ZyWALL (like for remote management) or goes out through another of the ZyWALL’s VPN tunnels (this is called hub-and-spoke VPN, see Section 19.13 on page 385 for details). The ZyWALL decrypts the traffic and applies the firewall rules before re-encrypting it or allowing the traffic to terminate at the ZyWALL.
3 The reply from the WAN goes to the ZyWALL.
4 The ZyWALL then sends it to the computer on the LAN in Subnet 1.

Figure 162 Using IP Alias to Solve the Triangle Route Problem

DoS Thresholds
For TCP, half-open means that the session has not reached the established state: the TCP three-way handshake has not yet been completed. Under normal circumstances, the application that initiates a session sends a SYN (synchronize) packet to the receiving server.
1 The maximum number of opened sessions.
2 The minimum capacity of server backlog in your LAN network.
3 The CPU power of servers in your LAN network.
4 Network bandwidth.
5 Type of traffic for certain servers.
Reduce the threshold values if your network is slower than average for any of these factors (especially if you have servers that are slow or handle many tasks and are often busy).
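A half-open session counter run over a constructed packet trace, as an added Python example that is not ZyWALL code: it tracks each TCP session from the client’s SYN until the handshake ACK (or a RST/FIN) and reports which servers exceed a threshold of incomplete sessions, the kind of threshold the factors above are used to tune. The trace format, the addresses, the port numbers and the threshold value are all constructed.

```python
"""Half-open TCP session counting from a packet trace.

Added example, not ZyWALL code. A session is half-open from the client's SYN
until the client's handshake ACK (or a RST/FIN) is seen. The trace format,
the addresses and the threshold values are constructed for illustration.
"""
from collections import defaultdict
from typing import Dict, List, Set, Tuple

# Constructed trace, one packet per line: "time src:port -> dst:port FLAGS"
# (S = SYN, SA = SYN-ACK, A = ACK, R = RST, F = FIN).
TRACE = """\
0.00 10.0.0.9:40001 -> 192.168.1.20:80 S
0.01 192.168.1.20:80 -> 10.0.0.9:40001 SA
0.02 10.0.0.9:40001 -> 192.168.1.20:80 A
0.10 198.51.100.7:1001 -> 192.168.1.20:80 S
0.11 198.51.100.7:1002 -> 192.168.1.20:80 S
0.12 198.51.100.7:1003 -> 192.168.1.20:80 S
0.13 198.51.100.7:1004 -> 192.168.1.20:80 S
0.20 198.51.100.7:1001 -> 192.168.1.20:80 R
"""

Session = Tuple[str, int, str, int]  # (client, client port, server, server port)


def parse_line(line: str) -> Tuple[float, str, int, str, int, str]:
    t, src, _, dst, flags = line.split()
    shost, sport = src.rsplit(":", 1)
    dhost, dport = dst.rsplit(":", 1)
    return float(t), shost, int(sport), dhost, int(dport), flags


def half_open_sessions(trace: str) -> Dict[str, Set[Session]]:
    """Sessions still waiting for the handshake to complete, keyed by server."""
    pending: Set[Session] = set()
    for line in trace.strip().splitlines():
        _, sh, sp, dh, dp, flags = parse_line(line)
        if flags == "S":                      # client SYN opens a half-open session
            pending.add((sh, sp, dh, dp))
        elif flags == "A":                    # client ACK completes the handshake
            pending.discard((sh, sp, dh, dp))
        elif flags in ("R", "F"):             # either side tears the session down
            pending.discard((sh, sp, dh, dp))
            pending.discard((dh, dp, sh, sp))
        # "SA" leaves the session half-open: the server answered, the client has not
    by_server: Dict[str, Set[Session]] = defaultdict(set)
    for s in pending:
        by_server[s[2]].add(s)
    return dict(by_server)


def half_open_by_client(trace: str) -> Dict[str, int]:
    """How many incomplete handshakes each client currently holds open."""
    counts: Dict[str, int] = defaultdict(int)
    for sessions in half_open_sessions(trace).values():
        for client, _, _, _ in sessions:
            counts[client] += 1
    return dict(counts)


def servers_over_threshold(trace: str, max_incomplete: int) -> List[str]:
    """Servers whose half-open count exceeds the (constructed) threshold."""
    return sorted(srv for srv, s in half_open_sessions(trace).items()
                  if len(s) > max_incomplete)


if __name__ == "__main__":
    print(half_open_by_client(TRACE))          # {'198.51.100.7': 3}
    print(servers_over_threshold(TRACE, 2))    # ['192.168.1.20']
```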
CHAPTER 14 Intrusion Detection and Prevention (IDP) Screens

14.1 Overview

An IDP system can detect malicious or suspicious packets and respond instantaneously. It can detect anomalies based on violations of protocol standards (RFCs – Requests for Comments) or traffic flows and abnormal flows such as port scans. The following figure represents a typical business network consisting of a LAN, a DMZ (DeMilitarized Zone) containing the company web, FTP, mail servers etc.
• Use the Update screen (Section 14.5 on page 291) to immediately download or schedule new signature downloads.
• Use the Backup & Restore screen (Section 14.6 on page 293) to back up IDP signatures with your custom configured settings, restore previously saved IDP signatures (with your custom configured settings) or revert to the original ZSRT-defined signature Active, Log, Alert and/or Action settings.

14.1.
Finding out More
See Section 14.7 on page 294 for more detailed information on IDP.

14.1.3 Before You Begin

To use IDP on the ZyWALL, you need to insert the ZyWALL Turbo Card into the rear panel slot of the ZyWALL. See the ZyWALL Turbo Card guide for details.

Warning: Turn the ZyWALL off before you install or remove the ZyWALL Turbo card.

The ZyWALL Turbo Card does not have a MAC address.

14.
The following table describes the labels in this screen.

Table 77 SECURITY > IDP > General Setup
General Setup
Enable Intrusion Detection and Protection: Select this check box to enable IDP on the ZyWALL. When this check box is cleared the ZyWALL is in IDP “bypass” mode and no IDP checking is done.
Turbo Card: This field displays whether or not a ZyWALL Turbo Card is installed.
14.3 The Signatures Screen

The rules that define how to identify and respond to intrusions are called “signatures”. Click SECURITY > IDP > Signatures to see the ZyWALL’s signatures.

14.3.1 Attack Types

Click SECURITY > IDP > Signature. The Attack Type list box displays all intrusion types supported by the ZyWALL. Other covers all intrusion types not covered by the other types listed.
Table 78 SECURITY > IDP > Signature: Attack Types (continued)
Web Attack: Web attack signatures refer to attacks on web servers such as IIS (Internet Information Services).
SPAM: Spam is unsolicited "junk" e-mail sent to large numbers of people to promote products or services. Refer to the anti-spam chapter for more detailed information.
14.3.4 Configuring The IDP Signatures Screen

Click SECURITY > IDP > Signature to see the ZyWALL’s “group view” signature screen where you can view signatures by attack type. To search for signatures based on other criteria such as signature name or ID, click the Switch to query view link to go to the “query view” screen. You can take actions on these signatures as described in Section 14.3.3 on page 282.
Table 81 SECURITY > IDP > Signature: Group View (continued)
Active: Select the check box in the heading row to automatically select all check boxes and enable all signatures. Clear it to clear all entries and disable all signatures on the current page. For example, you could clear all check boxes for signatures that target operating systems not in your network. This would speed up the IDP signature checking process.
Figure 168 SECURITY > IDP > Signature: Query View

The following table describes the fields in this screen.

Table 82 SECURITY > IDP > Signature: Query View
Back to group view: Click this button to go to the IDP group view screen where IDP signatures are grouped by attack type.
Signature Search: Select this to search for a specific signature name or ID (that you already know).
Table 82 SECURITY > IDP > Signature: Query View (continued)
Configure Signatures: The results display in a table showing the criteria as selected in the search. Click a column’s header to sort the entries by that attribute.
Go To: Navigate between signatures found. This field is available only if there are more signatures than can be displayed on one screen.
14.3.5.1 Query Example 1

1 From the “group view” signature screen, click the Switch to query view link.
2 Select Signature Search.
3 Select By Name or By ID from the list box.
4 Enter a name (complete or partial) or complete ID to display all relevant signatures in the signature database.

Note: A partial name may be searched but a complete ID number must be entered before a match can be found.
Figure 170 SECURITY > IDP > Signature: Query by Complete ID

14.3.5.2 Query Example 2

1 From the “group view” signature screen, click the Switch to query view link.
2 Select Signature Search By Attributes.
3 Select the Severity, Type, Platform, Active, Log, Alert and/or Action items. In this example all severe DDoS type signatures that target the Windows operating system are displayed.
4 Click Search.
Figure 171 Signature Query by Attribute

14.4 The Anomaly Screen

This section introduces ADP (Anomaly Detection and Prevention). An ADP system protects against anomalies based on violations of protocol standards (RFCs – Requests for Comments) and abnormal flows such as port scans. Protocol anomaly detection includes HTTP Inspection, TCP Decoder, UDP Decoder and ICMP Decoder. Protocol anomaly rules may be updated when you upload new firmware.
Figure 172 SECURITY > IDP > Anomaly

The following table describes the labels in this screen.

Table 83 SECURITY > IDP > Anomaly
Protocol Anomaly: HTTP Inspection/TCP Decoder/UDP Decoder/ICMP Decoder
Name: This is the name of the protocol anomaly rule. Click a name to display more detailed information on a rule.
ID: This is the unique identifying number for the anomaly rule.
Table 83 SECURITY > IDP > Anomaly (continued)
Action: Select what the ZyWALL should do when a packet matches a rule.
No Action: The ZyWALL takes no action when a packet matches the signature(s).
Drop Packet: The packet is silently discarded.
Drop Session: When the firewall is enabled, subsequent TCP/IP packets belonging to the same connection are dropped. Neither the sender nor the receiver is sent a TCP RST packet.
14.5.2 Configuring The IDP Update Screen

When scheduling signature updates, you should choose a day and time when your network is least busy so as to minimize disruption to your network. Your custom signature configurations are not over-written when you download new signatures. File-based anti-virus signatures (see the anti-virus chapter) are included with IDP signatures.
Table 84 SECURITY > IDP > Update (continued)
Release Date: This field displays the time (hour, minute, second) and date (month, day, year) that the above signature set was created.
Last Update: This field displays the last date and time you downloaded new signatures to the ZyWALL. It displays N/A if you have not downloaded any new signatures yet.
Figure 174 SECURITY > IDP > Backup & Restore

To back up IDP signatures, click Backup and then choose a location and filename for the IDP configuration set. To restore previously saved IDP signatures, type in the location where the previously saved file resides on your computer or click Browse ... to find it, then click Upload. To revert to the factory-default signature (Active, Log, Alert and/or Action) settings, click Reset.

14.
IDS and IDP
An Intrusion Detection System (IDS) can detect suspicious activity, but does not take action against attacks. On the other hand an IDP is a proactive defense mechanism designed to detect malicious packets within normal network traffic and take an action (block, drop, log, send an alert) against the offending traffic automatically before it does any damage. An IDS only raises an alert after the malicious payload has been delivered.
SQL Slammer Worm
W32.SQLExp.Worm is a worm that targets the systems running Microsoft SQL Server 2000, as well as Microsoft Desktop Engine (MSDE) 2000. The worm sends 376 bytes to UDP port 1434, the SQL Server Resolution Service Port. The worm has the unintended payload of performing a Denial of Service attack due to the large number of packets it sends.
W32/MyDoom-A is a worm that is spread by email. When the infected attachment is launched, the worm gathers e-mail addresses from address books and from files with the following extensions: WAB, TXT, HTM, SHT, PHP, ASP, DBX, TBB, ADB and PL. W32/MyDoom-A creates a file called Message in the temp folder and runs Notepad to display the contents, which displays random characters.
CHAPTER 15 Anti-Virus Screens

15.1 Overview

This section shows you how to configure the ZyWALL to scan files transmitted through the enabled interfaces into your network. As a network-based anti-virus scanner, the ZyWALL helps stop threats at the network edge before they reach the local host computers. The following figure shows the ZyWALL virus-scanning files going to the LAN from WAN1 and WAN2.

Figure 175 ZyWALL Anti-virus Overview

15.1.
15.1.2 What You Need to Know About Antivirus

Virus
A computer virus is a small program designed to corrupt and/or alter the operation of other legitimate programs. A worm is a self-replicating virus that resides in active memory and duplicates itself. The effect of a virus attack varies from doing so little damage that you are unaware your computer is infected to wiping out the entire contents of a hard drive to rendering your computer inoperable.
• Simultaneous downloads of a file using multiple connections. For example, when you use FlashGet to download sections of a file simultaneously.
• Encrypted traffic (such as on a VPN) or password-protected files.
• Traffic through custom (non-standard) ports.
• ZIP file(s) within a ZIP file.

ZyWALL Turbo Card
To use the anti-virus scanner on the ZyWALL, you need to insert the ZyWALL Turbo Card into the rear panel slot of the ZyWALL. See the ZyWALL Turbo Card guide for details.
Figure 176 SECURITY > ANTI-VIRUS > General

The following table describes the labels in this screen.

Table 85 SECURITY > ANTI-VIRUS > General
General Setup
Enable Anti-Virus: Select this check box to check traffic for viruses.
Enable ZIP File Scan: Select this check box to have the ZyWALL scan a ZIP file (with the “zip”, “gzip” or “gz” file extension). The ZyWALL first decompresses the ZIP file and then scans the contents for viruses.
Table 85 SECURITY > ANTI-VIRUS > General (continued)
Service: This field displays the services for which the ZyWALL can scan traffic for viruses. Select a service to be able to enable or disable anti-virus scanning on its traffic. Here are the services and default port numbers.
FTP traffic using TCP ports 20 and 21
HTTP traffic using TCP ports 80, 8080 and 3128
POP3 traffic using TCP port 110
SMTP traffic using TCP port 25
See Section 29.
Figure 177 SECURITY > ANTI-VIRUS > Signature: Query View

The following table describes the labels in this screen.

Table 86 SECURITY > ANTI-VIRUS > Signature: Query View
Query Signatures: Select the criteria on which to perform the search.
Signature Search: Select this radio button if you would like to search the signatures by name or ID.
Table 86 SECURITY > ANTI-VIRUS > Signature: Query View (continued)
Configure Signatures: The signature search results display in a table showing the SID, Name, Severity, Attack Type, Platform, Service, Activation, Log, and Action criteria as selected in the search. Click the SID column header to sort search results by SID.
Go to Page: Navigate between the pages of signature search results.
Name: This is the name of the anti-virus signature.
Figure 179 Query Example Search Results

15.4 The Update Screen

The ZyWALL comes with built-in signatures created by the ZyXEL Security Response Team (ZSRT). These are regularly updated as new intrusions evolve. Use the Update screen to immediately download or schedule new signature downloads.

Note: You should have already registered the ZyWALL at myZyXEL.com (http://www.myzyxel.com/myzyxel/) and also have either activated the trial license or standard license (iCard).
15.4.1 mySecurityZone

mySecurityZone is a web portal that provides all security-related information such as intrusion and anti-virus information for ZyXEL security products. You should have already registered your ZyWALL on myZyXEL.com at: http://www.myzyxel.com/myzyxel/. You can use your myZyXEL.com username and password to log into mySecurityZone.

15.4.
The following table describes the labels in this screen.

Signature Information
Current Pattern Version: This field displays the signatures version number currently used by the ZyWALL. This number is defined by the ZyXEL Security Response Team (ZSRT), who maintain and update the signatures. This number increments as new signatures are added, so you should refer to this number regularly. Go to https://mysecurity.zyxel.
15.5 The Backup and Restore Screen
Click ANTI-VIRUS > Backup & Restore. The screen displays as shown next. You can change the pre-defined Active, Log, Alert, Send Windows Message and/or Destroy File settings of individual signatures.
Figure 181 SECURITY > ANTI-VIRUS > Backup and Restore
Use the Backup & Restore screen to:
• Back up anti-virus signatures with your custom configured settings to a computer.
15.6 Technical Reference
Types of Computer Viruses
The following table describes some of the common computer viruses.
Table 87 Common Computer Virus Types
File Infector: This is a small program that embeds itself in a legitimate program. A file infector is able to copy and attach itself to other programs that are executed on an infected computer.
A network-based anti-virus (NAV) scanner is often deployed as a dedicated security device (such as your ZyWALL) at the network edge. NAV scanners inspect real-time data traffic (such as e-mail messages or web traffic) that tends to bypass host-based anti-virus (HAV) scanners. The following lists some of the benefits of NAV scanners.
• NAV scanners stop virus threats at the network edge before they enter or exit a network.
CHAPTER 16 Anti-Spam Screens
16.1 Overview
The ZyWALL's anti-spam feature identifies unsolicited commercial or junk e-mail (spam). You can set the ZyWALL to mark or discard spam. The ZyWALL can use an anti-spam external database to help identify spam. Use the whitelist to identify legitimate e-mail. Use the blacklist to identify spam e-mail. The following figure shows the ZyWALL checking e-mail with the external database.
16.1.2 What You Need to Know About Anti-Spam
MIME Headers
MIME (Multipurpose Internet Mail Extensions) allows varied media types to be used in e-mail. MIME headers describe an e-mail's content encoding and type. For example, they may show which program generated the e-mail and what type of text is used in the e-mail body.
SpamBulk Engine
The e-mail fingerprint ID that the ZyWALL generates and sends to the anti-spam external database only includes the parts of the e-mail that are the most difficult for spammers (senders of spam) to change or fake. The anti-spam external database maintains a database of e-mail fingerprint IDs. The SpamBulk engine of the anti-spam external database then queries this database when analyzing later e-mails.
The anti-spam external database checks for spoofing of e-mail attributes (like the IP address) and uses statistical analysis to detect phishing.
Click SECURITY > ANTI-SPAM to open the Anti-Spam General screen. The following screen appears.
Figure 183 SECURITY > ANTI-SPAM > General
The following table describes the labels in this screen.
Table 88 SECURITY > ANTI-SPAM > General
From, To: Select the directions of travel of packets that you want to check. Select or clear a row or column's first check box (with the interface label) to select or clear the interface's whole row or column. You could for example have the ZyWALL check packets traveling in from the WAN to the interface your e-mail server is on, for example From WAN1 To DMZ, or From WAN2 To DMZ.
Table 88 SECURITY > ANTI-SPAM > General (continued)
Forward SMTP & POP3 mail with tag in mail subject: Select this radio button to have the ZyWALL forward spam e-mail with the tag that you define. Even if you plan to use the discard option, you may want to use this initially as a test to check how accurate your anti-spam settings are.
Figure 184 SECURITY > ANTI-SPAM > External DB
The following table describes the labels in this screen.
Table 89 SECURITY > ANTI-SPAM > External DB
External Database
Enable External Database: Enable the anti-spam external database feature to have the ZyWALL calculate a digest of an e-mail and send it to an anti-spam external database. The anti-spam external database sends a spam score for the e-mail back to the ZyWALL.
Table 89 SECURITY > ANTI-SPAM > External DB (continued)
Action for No Spam Score: Use this field to configure what the ZyWALL does if it does not receive a valid response from the anti-spam external database. If the ZyWALL does not receive a response within seven seconds, it sends the e-mail digest a second time. If the ZyWALL still does not receive a response after another seven seconds, it takes the action that you configure here.
Figure 185 SECURITY > ANTI-SPAM > Lists
The following table describes the labels in this screen.
Table 90 SECURITY > ANTI-SPAM > Lists
Resource Usage
Whitelist & Blacklist Storage Space in Use: This bar displays the percentage of the ZyWALL's anti-spam whitelist and blacklist storage space that is currently in use. The bar turns from green to red when the maximum is being approached.
Table 90 SECURITY > ANTI-SPAM > Lists (continued)
Use Blacklist: Select this check box to have the ZyWALL treat e-mail that matches a blacklist entry as spam.
Active: This field shows whether or not an entry is turned on.
Type: This field displays whether the entry is based on the e-mail's source IP address, source e-mail address, a MIME header or the e-mail's subject.
The following table describes the labels in this screen.
Table 91 SECURITY > ANTI-SPAM > Lists > Edit
Rule Edit
Active: Turn this entry on to have the ZyWALL use it as part of the whitelist or blacklist. You must also turn on the use of the corresponding list (in the Anti-Spam Customization screen) and the anti-spam feature (in the Anti-Spam General screen).
Table 91 SECURITY > ANTI-SPAM > Lists > Edit (continued)
Value: This field displays when you select the MIME Header type. Type the value part of a MIME header (up to 63 ASCII characters). In a MIME header, the part that comes after the colon is the value. For example, if you want the whitelist or blacklist entry to check for the MIME header "X-MSMail-Priority: Normal", enter "Normal" here as the MIME value.
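The decision order that the General, External DB and Lists screens describe (whitelist first, then blacklist, then the external database digest query with its seven-second timeout, one resend and the fall-back action for no score) is shown below as a small pipeline over an RFC 5322 message. This is an added example, not ZyXEL's code: the list entry types, the digest recipe, the score threshold, the action names and the sample message are assumptions made here for illustration, and the external database is simulated so the code runs offline.

```python
"""Added example, not ZyXEL code: whitelist -> blacklist -> external database
digest query (7 s timeout, resend once) -> configured action for no score.
Entry types, digest recipe, threshold and action names are assumptions."""
import email
import email.utils
import fnmatch
import hashlib
import ipaddress
from dataclasses import dataclass
from email import policy

TIMEOUT_SECONDS = 7.0   # External DB screen: wait 7 s, resend the digest once, then fall back

# Constructed sample message (not a real capture)
SAMPLE = b"""From: "Deals" <promo@bulk-offers.example>
To: user@corp.example
Subject: You have won
X-Mailer: MassMailer9000

Click here to claim your prize
"""


@dataclass
class ListEntry:
    """One whitelist or blacklist row. kind: "ip" (source IP or CIDR),
    "email" (source address, * wildcard), "mime" ("Header-Name: value",
    compared on the value after the colon) or "subject" (substring)."""
    kind: str
    value: str
    active: bool = True


def entry_matches(entry, msg, src_ip):
    if not entry.active:
        return False
    if entry.kind == "ip":
        return ipaddress.ip_address(src_ip) in ipaddress.ip_network(entry.value, strict=False)
    if entry.kind == "email":
        sender = email.utils.parseaddr(str(msg.get("From", "")))[1].lower()
        return fnmatch.fnmatchcase(sender, entry.value.lower())
    if entry.kind == "mime":
        name, _, value = entry.value.partition(":")
        return str(msg.get(name.strip(), "")).strip().lower() == value.strip().lower()
    if entry.kind == "subject":
        return entry.value.lower() in str(msg.get("Subject", "")).lower()
    raise ValueError(f"unknown list entry kind {entry.kind!r}")


def fingerprint(msg):
    """Digest sent to the external database. ZyXEL's recipe is not published;
    this assumed one hashes the body with whitespace collapsed so that
    re-spacing by the spammer does not change the ID."""
    body = msg.get_body(preferencelist=("plain", "html"))
    text = body.get_content() if body is not None else ""
    return hashlib.sha256(" ".join(text.split()).encode()).hexdigest()


def query_external_db(digest, responder, timeout=TIMEOUT_SECONDS, attempts=2):
    """responder(digest, timeout) returns an int score or raises TimeoutError.
    The digest is sent again after one timeout; None means no score arrived."""
    for _ in range(attempts):
        try:
            return responder(digest, timeout)
        except TimeoutError:
            continue
    return None


def _apply(action, score, subject, tag):
    return action, score, f"{tag} {subject}" if action == "tag" else subject


def classify(raw, src_ip, whitelist, blacklist, responder, threshold=7,
             spam_action="tag", no_score_action="forward", tag="[SPAM]"):
    """Returns (action, score, subject); action is "forward", "tag" or "discard"."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    subject = str(msg.get("Subject", ""))
    if any(entry_matches(e, msg, src_ip) for e in whitelist):
        return "forward", None, subject         # whitelist wins, no further checks
    is_spam, score = any(entry_matches(e, msg, src_ip) for e in blacklist), None
    if not is_spam:
        score = query_external_db(fingerprint(msg), responder)
        if score is None:                        # both attempts timed out
            return _apply(no_score_action, None, subject, tag)
        is_spam = score >= threshold
    return _apply(spam_action if is_spam else "forward", score, subject, tag)


def make_responder(score, timeouts_before_reply):
    """Simulated external database: times out the first N calls, then answers."""
    calls = []
    def responder(digest, timeout):
        calls.append(digest)
        if len(calls) <= timeouts_before_reply:
            raise TimeoutError(f"no reply within {timeout} s")
        return score
    return responder
```

Running the sample message through `classify` with `make_responder(9, 1)` shows the resend path: the first query times out, the second returns a score of 9, and the message is forwarded with the tag in its subject, which is the "tag first, discard later" testing approach the General screen recommends.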
SpamContent Engine
The SpamContent engine examines the e-mail's content to decide if it would generally be considered offensive. The vocabulary design, format and layout are considered as part of thousands of checks on message attributes that include the following.
CHAPTER 17 Content Filtering Screens
17.1 Overview
Content filtering allows you to block certain web features, such as cookies, and/or block access to specific websites. With content filtering, you can do the following:
• Restrict web features. The ZyWALL can block web features such as ActiveX controls, Java applets, cookies and disable web proxies.
• Create a filter list. You can select categories, such as pornography or racial intolerance, to block from a pre-defined list.
• Customize web site access.
Figure 187 Content Filtering Lookup Procedure
1 A computer behind the ZyWALL tries to access a web site.
2 The ZyWALL looks up the web site in its cache. If an attempt to access the web site was made in the past, a record of that web site's category will be in the ZyWALL's cache. The ZyWALL blocks, blocks and logs or just logs the request based on your configuration.
Use the REGISTRATION screens (see Chapter 6 on page 141) to create a myZyXEL.com account, register your device and activate the external content filtering service.
Figure 188 SECURITY > CONTENT FILTER > General
The following table describes the labels in this screen.
Table 92 SECURITY > CONTENT FILTER > General
General Setup
Enable Content Filter: Select this check box to enable the content filter.
Table 92 SECURITY > CONTENT FILTER > General (continued)
Matched Web Pages: Select Block to prevent users from accessing web pages that match the categories that you select below. When external database content filtering blocks access to a web page, it displays the denied access message that you configured in the CONTENT FILTER General screen along with the category of the blocked web page. Select Log to record attempts to access prohibited web pages.
Table 92 SECURITY > CONTENT FILTER > General (continued)
Message to display when a site is blocked
Denied Access Message: Enter a message to be displayed when a user tries to access a restricted web site. The default message is "Please contact your network administrator!"
Redirect URL: Enter the URL of the web page to which you want to send users when their web access is blocked by content filtering.
The following table describes the labels in this screen.
Table 93 SECURITY > CONTENT FILTER > Policy
Content Filter Storage Space in Use: This bar displays the percentage of the ZyWALL's content filter policies storage space that is currently in use. When the storage space is almost full, you should consider deleting unnecessary content filter policies before adding more.
The following fields summarize the content filter policies you have created.
Figure 190 SECURITY > CONTENT FILTER > Policy > General
The following table describes the labels in this screen.
Table 94 SECURITY > CONTENT FILTER > Policy > General
Active: Select this option to turn on the content filter policy.
Policy Name: Enter a descriptive name of up to 31 printable ASCII characters (except Extended ASCII characters) for the content filter policy. Spaces are allowed.
Table 94 SECURITY > CONTENT FILTER > Policy > General (continued)
Start IP Address: Enter the single IP address or the starting IP address in a range here.
End IP Address: Enter the ending IP address in a range here.
Subnet Mask: Enter the subnet mask here, if applicable.
Add: Click Add to add a new address to the Configured Address box. You can add multiple addresses, ranges of addresses, and/or subnets.
The following table describes the labels in this screen.
Table 95 SECURITY > CONTENT FILTER > Policy > External Database
Policy Name: This is the name of the content filter policy that you are configuring.
Active: Select this option to apply category based content filtering for this policy.
Select Categories: These are the categories available at the time of writing.
Table 95 SECURITY > CONTENT FILTER > Policy > External Database (continued)
Gambling: Selecting this category excludes pages where a user can place a bet or participate in a betting pool (including lotteries) online. It also includes pages that provide information, assistance, recommendations, or training on placing bets or participating in games of chance. It does not include pages that sell gambling related products or machines.
Table 95 SECURITY > CONTENT FILTER > Policy > External Database (continued)
Education: Selecting this category excludes pages that offer educational information, distance learning and trade school information or programs. It also includes pages that are sponsored by schools, educational facilities, faculty, or alumni groups.
Table 95 SECURITY > CONTENT FILTER > Policy > External Database (continued)
Spyware/Malware Sources: Selecting this category excludes pages which distribute spyware and other malware. Spyware is defined as software which takes control of your computer, modifies computer settings, collects or reports personal information, or misrepresents itself by tricking users to install, download, or enter personal information.
Table 95 SECURITY > CONTENT FILTER > Policy > External Database (continued)
Religion: Selecting this category excludes pages that promote and provide information on conventional or unconventional religious or quasi-religious subjects, as well as churches, synagogues, or other houses of worship. It does not include pages containing alternative religions such as Wicca or witchcraft (Cult/Occult) or atheist beliefs (Political/Activist Groups).
Table 95 SECURITY > CONTENT FILTER > Policy > External Database (continued)
Travel: Selecting this category excludes pages that promote or provide opportunity for travel planning, including finding and making travel reservations, vehicle rentals, descriptions of travel destinations, or promotions for hotels or casinos.
17.6 Content Filter Policy: Customization
Click SECURITY > CONTENT FILTER > Policy and then a policy's customization icon to display the following screen. Use this screen to select good (allowed) web site addresses for this policy and bad (blocked) web site addresses. You can also block web sites based on whether the web site's address contains a keyword. Use this screen to add or remove specific sites or keywords from the filter list.
The following table describes the labels in this screen.
Table 96 SECURITY > CONTENT FILTER > Policy > Customization
Policy Name: This is the name of the content filter policy that you are configuring.
Web Site List Customization
Enable Web site customization: Select this check box to allow trusted web sites and block forbidden web sites. Content filter list customization may be enabled and disabled without re-entering these site names.
Figure 193 SECURITY > CONTENT FILTER > Policy > Schedule
The following table describes the labels in this screen.
Table 97 SECURITY > CONTENT FILTER > Policy > Schedule
Policy Name: This is the name of the content filter policy that you are configuring.
Schedule Setup: Content filtering scheduling applies to the filter list, customized sites and keywords. Restricted web server data, such as ActiveX, Java, Cookies and Web Proxy, are not affected.
Use this screen to configure a list of allowed web site addresses for this policy and a list of blocked web site addresses. You can also block web sites based on whether the web site's address contains a keyword. Use this screen to add or remove specific sites or keywords from the filter list.
The following table describes the labels in this screen.
Table 98 SECURITY > CONTENT FILTER > Object
Trusted Web Sites: Sites that you want to allow access to, regardless of their content rating, can be allowed by adding them to this list. You can enter up to 32 entries.
Add Trusted Web Site: Enter host names such as www.good-site.com into this text field. Do not enter the complete URL of the site, that is, do not include "http://".
17.9 Content Filtering Cache
Click SECURITY > CONTENT FILTER > Cache to display the CONTENT FILTER Cache screen. Use this screen to view and configure your ZyWALL's URL caching. You can also configure how long a categorized web site address remains in the cache as well as view those web site addresses to which access has been allowed or blocked based on the responses from the external content filtering server.
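The lookup order of Figure 187 and the Policy, Object and Cache screens (trusted sites, forbidden sites, keywords in the address, then the category cache and finally the external rating service) is shown below as one evaluation function, together with the input checks the Object screen asks for: host names only, no "http://", and at most 32 trusted entries. This is an added example, not ZyXEL's code; the category names, the cache lifetime, the subdomain matching rule, the block/log choice and the rating stub are assumptions made here so that it runs offline.

```python
"""Added example, not ZyXEL code: trusted -> forbidden -> keyword -> cache ->
external rating service, with the Object screen's entry checks. Category
names, TTL, matching rules and the rating stub are assumptions."""
from urllib.parse import urlsplit

MAX_LIST_ENTRIES = 32   # limit the Object screen states for trusted web sites


class SiteList:
    """Trusted or forbidden host list, applying the Object screen's input rules."""
    def __init__(self, limit=MAX_LIST_ENTRIES):
        self.hosts, self.limit = [], limit

    def add(self, entry):
        host = entry.strip().lower()
        if not host or "://" in host or "/" in host:
            raise ValueError(f"enter a host name such as www.good-site.com, not a URL: {entry!r}")
        if host not in self.hosts:
            if len(self.hosts) >= self.limit:
                raise ValueError(f"list is full ({self.limit} entries)")
            self.hosts.append(host)

    def matches(self, host):
        # an entry covers itself and its subdomains (assumed matching rule)
        return any(host == h or host.endswith("." + h) for h in self.hosts)


class CategoryCache:
    """Keeps a host's category for ttl seconds; clock() is injected so the
    expiry can be exercised without waiting."""
    def __init__(self, ttl_seconds, clock):
        self.ttl, self.clock, self.entries = ttl_seconds, clock, {}

    def get(self, host):
        if host in self.entries:
            category, stored_at = self.entries[host]
            if self.clock() - stored_at < self.ttl:
                return category
            del self.entries[host]               # expired: drop and re-query
        return None

    def put(self, host, category):
        self.entries[host] = (category, self.clock())


class ContentFilterPolicy:
    def __init__(self, blocked_categories, cache, matched_action="block+log"):
        self.trusted, self.forbidden, self.keywords = SiteList(), SiteList(), []
        self.blocked_categories = set(blocked_categories)
        self.matched_action = matched_action     # "block", "log" or "block+log"
        self.cache = cache

    def evaluate(self, url, lookup):
        """Returns (allowed, logged, reason); lookup(host) stands in for the
        external rating service and returns a category name."""
        host = (urlsplit(url).hostname or "").lower()
        if self.trusted.matches(host):
            return True, False, "trusted"        # allowed regardless of rating
        if self.forbidden.matches(host):
            return False, True, "forbidden"
        for kw in self.keywords:
            if kw.lower() in url.lower():
                return False, True, f"keyword:{kw}"
        category = self.cache.get(host)
        if category is None:                     # cache miss or expired entry
            category = lookup(host)
            self.cache.put(host, category)
        if category in self.blocked_categories:
            return "block" not in self.matched_action, "log" in self.matched_action, f"category:{category}"
        return True, False, f"category:{category}"


def demo():
    """Constructed walk-through: a cache hit for the second request to a host
    and a fresh lookup once the cache entry has expired."""
    clock = {"t": 0.0}
    policy = ContentFilterPolicy({"Gambling"}, CategoryCache(3600, lambda: clock["t"]))
    policy.trusted.add("www.good-site.com")
    policy.forbidden.add("bad.example")
    policy.keywords.append("casino")
    ratings = {"bets.example": "Gambling", "news.example": "News"}   # constructed ratings
    calls = []
    def lookup(host):
        calls.append(host)
        return ratings.get(host, "Unrated")
    results = [policy.evaluate(u, lookup) for u in (
        "http://www.good-site.com/page", "http://sub.bad.example/",
        "http://x.example/casino-night", "http://bets.example/",
        "http://bets.example/again", "http://news.example/")]
    clock["t"] += 3600                           # cache lifetime elapses
    results.append(policy.evaluate("http://bets.example/later", lookup))
    return results, calls
```

The `calls` list returned by `demo()` shows the point of the cache: the second request to bets.example never reaches the rating service, while the request made after the cache lifetime has passed does.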
CHAPTER 18 Content Filtering Reports
18.1 Overview
This chapter describes how to view content filtering reports after you have activated the category-based content filtering subscription service. See Chapter 6 on page 141 on how to create a myZyXEL.com account, register your device and activate the subscription services using the REGISTRATION screens.
18.2 Checking Content Filtering Activation
After you activate content filtering, you need to wait up to five minutes for content filtering to be turned on.
Figure 196 myZyXEL.com: Login
3 A welcome screen displays. Click your ZyWALL's model name and/or MAC address under Registered ZyXEL Products. You can change the descriptive name for your ZyWALL using the Rename button in the Service Management screen (see Figure 198 on page 351).
Figure 197 myZyXEL.com: Welcome
4 In the Service Management screen click Content Filter in the Service Name field to open the Blue Coat login screen.
Figure 198 myZyXEL.com: Service Management
5 Enter your ZyXEL device's MAC address (in lower case) in the Name field. You can find this MAC address in the Service Management screen (Figure 198 on page 351). Type your myZyXEL.com account password in the Password field.
6 Click Submit.
Figure 199 Blue Coat: Login
7 In the Web Filter Home screen, click the Reports tab.
Figure 200 Content Filtering Reports Main Screen
8 Select items under Global Reports or Single User Reports to view the corresponding reports.
Figure 201 Blue Coat: Report Home
9 Select a time period in the Date Range field, either Allowed or Blocked in the Action Taken field and a category (or enter the user name if you want to view single user reports) and click Run Report. The screens vary according to the report type you selected in the Report Home screen.
Figure 202 Global Report Screen Example
11 You can click a category in the Categories report or click URLs in the Report Home screen to see the URLs that were requested.
Figure 203 Requested URLs Example
18.4 Web Site Submission
You may find that a web site has not been accurately categorized or that a web site's contents have changed and the content filtering category needs to be updated. Use the following procedure to submit the web site for review.
1 Log into the content filtering reports web site (see Section 18.3 on page 349).
Figure 204 Web Page Review Process Screen
3 Type the web site's URL in the field and click Submit to have the web site reviewed.
CHAPTER 19 IPSec VPN
19.1 Overview
A virtual private network (VPN) provides secure communications between sites without the expense of leased site-to-site lines. A secure VPN is a combination of tunneling, encryption, authentication, access control and auditing. It is used to transport traffic over the Internet or any insecure network that uses TCP/IP for communication.
• Use the VPN Global Setting screen (see Section 19.10 on page 379) to change settings that apply to all of your VPN tunnels.
19.1.2 What You Need to Know About IPSec VPN
An IPSec VPN tunnel is usually established in two phases. Each phase establishes a security association (SA), a contract indicating what security parameters the ZyWALL and the remote IPSec router will use. The first phase establishes an Internet Key Exchange (IKE) SA between the ZyWALL and remote IPSec router.
Figure 207 Gateway and Network Policies
This figure helps explain the main fields in the VPN setup.
Figure 208 IPSec Fields Summary
Negotiation Mode
It takes several steps to establish an IKE SA. The negotiation mode determines the number of steps to use. There are two negotiation modes: main mode and aggressive mode. Main mode provides better security, because the two routers exchange their identities only after the encryption keys are in place; aggressive mode is faster, but it sends the identities in the clear, and with pre-shared key authentication an eavesdropper can use the captured exchange for an offline dictionary attack on the key.
Note: Both routers must use the same negotiation mode.
You can usually provide a static IP address or a domain name for the ZyWALL. Sometimes, your ZyWALL might also offer another alternative, such as using the IP address of a port or interface. You can usually provide a static IP address or a domain name for the remote IPSec router as well. Sometimes, you might not know the IP address of the remote IPSec router (for example, telecommuters).
Table 100 SECURITY > VPN > VPN Rules (IKE) (continued)
Gateway Policies: The first row of each VPN rule represents the gateway policy. The gateway policy identifies the IPSec routers at either end of a VPN tunnel (My ZyWALL and Remote Gateway) and specifies the authentication, encryption and other settings needed to negotiate a phase 1 IKE SA (click the edit icon to display the other settings).
My ZyWALL: This represents your ZyWALL.
Use this screen to configure a VPN gateway policy. The gateway policy identifies the IPSec routers at either end of a VPN tunnel (My ZyWALL and Remote Gateway) and specifies the authentication, encryption and other settings needed to negotiate a phase 1 IKE SA.
The following table describes the labels in this screen.
Table 101 SECURITY > VPN > VPN Rules (IKE) > Edit Gateway Policy
Property
Name: Type up to 32 characters to identify this VPN gateway policy. You may use any character, including spaces, but the ZyWALL drops trailing spaces.
NAT Traversal: Select this check box to enable NAT traversal. NAT traversal allows you to set up a VPN connection when there are NAT routers between the two IPSec routers.
Table 101 SECURITY > VPN > VPN Rules (IKE) > Edit Gateway Policy (continued)
Fall back to Primary Remote Gateway when possible: Select this to have the ZyWALL change back to using the primary remote gateway if the connection becomes available again.
Fall Back Check Interval*: Set how often the ZyWALL should check the connection to the primary remote gateway while connected to the redundant remote gateway.
Each gateway policy uses one or more network policies.
Table 101 SECURITY > VPN > VPN Rules (IKE) > Edit Gateway Policy (continued)
Peer ID Type: Select from the following when you set Authentication Key to Pre-shared Key. Select IP to identify the remote IPSec router by its IP address. Select DNS to identify the remote IPSec router by a domain name. Select E-mail to identify the remote IPSec router by an e-mail address. Select from the following when you set Authentication Key to Certificate.
Table 101 SECURITY > VPN > VPN Rules (IKE) > Edit Gateway Policy (continued)
Server Mode: Select Server Mode to have this ZyWALL authenticate extended authentication clients that request this VPN connection. You must also configure the extended authentication clients' usernames and passwords in the authentication server's local user database or a RADIUS server (see Chapter 21 on page 427).
Table 101 SECURITY > VPN > VPN Rules (IKE) > Edit Gateway Policy (continued)
Enable Multiple Proposals: Select this to allow the ZyWALL to use any of its phase 1 key groups and encryption and authentication algorithms when negotiating an IKE SA. Because the remote IPSec router may then select any of the offered combinations, leave weak algorithms and small key groups out of the list rather than relying on the peer to pick a strong one.
Figure 211 SECURITY > VPN > VPN Rules (IKE) > Edit Network Policy
The following table describes the labels in this screen.
Table 102 SECURITY > VPN > VPN Rules (IKE) > Edit Network Policy
Active: If the Active check box is selected, packets for the tunnel trigger the ZyWALL to build the tunnel. Clear the Active check box to turn the network policy off. The ZyWALL does not apply the policy. Packets for the tunnel do not trigger the tunnel.
Table 102 SECURITY > VPN > VPN Rules (IKE) > Edit Network Policy (continued)
Port Forwarding Rules: If you are configuring a Many-to-One rule, click this button to go to a screen where you can configure port forwarding for your VPN tunnels. The VPN network policy port forwarding rules let the ZyWALL forward traffic coming in through the VPN tunnel to the appropriate IP address.
Table 102 SECURITY > VPN > VPN Rules (IKE) > Edit Network Policy (continued)
Ending IP Address/Subnet Mask: When the Address Type field is configured to Single Address, this field is N/A. When the Address Type field is configured to Range Address, enter the end (static) IP address in a range of computers on the LAN behind your ZyWALL. When the Address Type field is configured to Subnet Address, this is a subnet mask on the LAN behind your ZyWALL.
Table 102 SECURITY > VPN > VPN Rules (IKE) > Edit Network Policy (continued)
SA Life Time (Seconds): Define the length of time before an IPSec SA automatically renegotiates in this field. The minimum value is 180 seconds. A short SA Life Time increases security by forcing the two VPN gateways to update the encryption and authentication keys. However, every time the VPN tunnel renegotiates, all users accessing remote resources are temporarily disconnected.
Figure 212 SECURITY > VPN > VPN Rules (IKE) > Edit Network Policy > Port Forwarding
The following table describes the labels in this screen.
Table 103 SECURITY > VPN > VPN Rules (IKE) > Edit Network Policy > Port Forwarding
Default Server: In addition to the servers for specified services, NAT supports a default server. A default server receives packets from ports that are not specified in this screen.
19.6 The Network Policy Move Screen
Click the move icon in the VPN Rules (IKE) screen to display the VPN Rules (IKE): Network Policy Move screen.
A VPN (Virtual Private Network) tunnel gives you a secure connection to another computer or network. Each VPN tunnel uses a single gateway policy and one or more network policies.
• The gateway policy contains the IKE SA settings. It identifies the IPSec routers at either end of a VPN tunnel.
19.7 The VPN Rules (Manual) Screen
Refer to Figure 208 on page 359 for a graphical representation of the fields in the web configurator. Click SECURITY > VPN > VPN Rules (Manual) to open the VPN Rules (Manual) screen. Use this screen to manage the ZyWALL's list of VPN rules (tunnels) that use manual keys. You may want to configure a VPN rule that uses manual key management if you are having problems with IKE key management. Keep in mind that manual keys are static: they are never renegotiated, so they do not change unless you change them on both routers yourself, and anyone who obtains them can decrypt all past and future traffic on that tunnel. Use manual keys for troubleshooting rather than as a long-term configuration.
Table 105 SECURITY > VPN > VPN Rules (Manual) (continued)
Encap.: This field displays Tunnel or Transport mode (Tunnel is the default selection).
IPSec Algorithm: This field displays the security protocols used for an SA. Both AH and ESP increase ZyWALL processing requirements and communications latency (delay).
Remote Gateway Address: This is the static WAN IP address of the remote IPSec router.
Modify: Click the edit icon to edit the VPN policy.
The following table describes the labels in this screen.
Table 106 SECURITY > VPN > VPN Rules (Manual) > Edit
Property
Active: Select this check box to activate this VPN policy.
Name: Type up to 32 characters to identify this VPN policy. You may use any character, including spaces, but the ZyWALL drops trailing spaces.
Allow NetBIOS Traffic Through IPSec Tunnel: This field is not available when the ZyWALL is in bridge mode.
Table 106 SECURITY > VPN > VPN Rules (Manual) > Edit (continued)
Ending IP Address/Subnet Mask: When the Address Type field is configured to Single Address, this field is N/A. When the Address Type field is configured to Range Address, enter the end (static) IP address in a range of computers on the network behind the remote IPSec router. When the Address Type field is configured to Subnet Address, enter a subnet mask on the network behind the remote IPSec router.
Table 106 SECURITY > VPN > VPN Rules (Manual) > Edit (continued)
Apply: Click Apply to save your changes back to the ZyWALL.
Cancel: Click Cancel to exit this screen without saving.
19.9 The VPN SA Monitor Screen
In the web configurator, click SECURITY > VPN > SA Monitor. Use this screen to display and manage active VPN connections. A Security Association (SA) is the group of security settings related to a specific VPN tunnel.
Local and Remote IP Address Conflict Resolution
Normally, you do not configure your local VPN policy rule's IP addresses to overlap with the remote VPN policy rule's IP addresses. For example, you usually would not configure both with 192.168.1.0. However, overlapping local and remote network IP addresses can occur with dynamic VPN rules or IP alias.
Figure 218 Overlap in IP Alias and VPN Remote Networks
In this case, if you want to send packets from network A to an overlapped IP address (for example, 10.1.2.241) that is in the IP alias network M, you have to set Local and Remote IP Address Conflict Resolution to The Local Network.
Figure 219 SECURITY > VPN > Global Setting
The following table describes the labels in this screen.
Table 108 SECURITY > VPN > Global Setting (continued)
Gateway Domain Name Update Timer: If you use dynamic domain names in VPN rules to identify the ZyWALL and/or the remote IPSec router, the IP address mapped to the domain name can change. The VPN tunnel stops working after the IP address changes. Any users of the VPN tunnel are disconnected until the ZyWALL gets the new IP address from a DNS server and rebuilds the VPN tunnel.
19.11.1 Telecommuters Sharing One VPN Rule Example
See the following figure and table for an example configuration that allows multiple telecommuters (A, B and C in the figure) to use one VPN rule to simultaneously access a ZyWALL at headquarters (HQ in the figure). The telecommuters do not have domain names mapped to the WAN IP addresses of their IPSec routers.
See the following table and figure for an example where three telecommuters each use a different VPN rule for a VPN connection with a ZyWALL located at headquarters. The ZyWALL at headquarters (HQ in the figure) identifies each incoming SA by its ID type and content and uses the appropriate VPN rule to establish the VPN connection. The ZyWALL at headquarters can also initiate VPN connections to the telecommuters since it can find the telecommuters by resolving their domain names.
Table 110 Telecommuters Using Unique VPN Rules Example
Telecommuter C (telecommuterc.dydns.org):
• Local ID Type: E-mail
• Local ID Content: myVPN@myplace.com
• Local IP Address: 192.168.4.15
Headquarters ZyWALL Rule 3:
• Peer ID Type: E-mail
• Peer ID Content: myVPN@myplace.com
• Remote Gateway Address: telecommuterc.dydns.org
• Remote Address: 192.168.4.15
19.
Figure 223 VPN Topologies
Hub-and-spoke VPN reduces the number of VPN connections that you have to set up and maintain in the network. Small office or telecommuter IPSec routers that support a limited number of VPN tunnels are also able to use VPN to connect to more networks. Hub-and-spoke VPN makes it easier for the hub router to manage the traffic between the spoke routers.
Figure 224 Hub-and-spoke VPN Example
19.13.2 Hub-and-spoke Example VPN Rule Addresses
The VPN rules for this hub-and-spoke example would use the following address settings.
Branch Office A:
• Remote Gateway: 10.0.0.1
• Local IP address: 192.168.167.0/255.255.255.0
• Remote IP address: 192.168.168.0~192.168.169.255
Headquarters:
Rule 1:
• Remote Gateway: 10.0.0.2
• Local IP address: 192.168.168.0~192.168.169.255
• Remote IP address: 192.168.167.0/255.255.255.
• The hub router must have at least one separate VPN rule for each spoke. In the local IP address, specify the IP addresses of the hub-and-spoke networks with which the spoke is to be able to have a VPN tunnel. This may require you to use more than one VPN rule.
• If you want to have the spoke routers access the Internet through the hub-and-spoke VPN tunnel, set the VPN rules in the spoke routers to use 0.0.0.0 (any) as the remote IP address.
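The rules above only work when each spoke's local/remote networks mirror the hub's rule for that spoke, and when the hub's local range for one spoke also covers the other spokes' networks. The following is an added example, not ZyXEL's code, that checks both conditions with the addresses from Section 19.13.2; Branch Office B and Headquarters Rule 2 are assumed entries constructed for the example, and the 10.0.0.x gateway addresses are the page's placeholders.

```python
# Added example, not ZyXEL's code: consistency checks for the hub-and-spoke
# VPN rule addresses given in Section 19.13.2. Branch Office B and
# Headquarters Rule 2 are assumed entries constructed for the example.
import ipaddress
from dataclasses import dataclass
from typing import Set

Net = ipaddress.IPv4Network


def parse_addrs(spec: str) -> Set[Net]:
    """Parse the address forms used in the rules: 'addr/mask' (subnet),
    'start~end' (range) or a single address (treated as a /32)."""
    if "~" in spec:
        start, end = spec.split("~")
        return set(ipaddress.summarize_address_range(
            ipaddress.IPv4Address(start), ipaddress.IPv4Address(end)))
    if "/" in spec:
        return {ipaddress.IPv4Network(spec, strict=False)}
    return {ipaddress.IPv4Network(spec + "/32")}


def covers(nets: Set[Net], target: Set[Net]) -> bool:
    """True if every network in `target` lies inside some network in `nets`."""
    return all(any(t.subnet_of(n) for n in nets) for t in target)


@dataclass
class VpnRule:
    name: str
    remote_gateway: str
    local: Set[Net]    # "Local IP address" in the rule
    remote: Set[Net]   # "Remote IP address" in the rule


# Addresses from the page's example.
BRANCH_A = VpnRule("Branch Office A", "10.0.0.1",
                   parse_addrs("192.168.167.0/255.255.255.0"),
                   parse_addrs("192.168.168.0~192.168.169.255"))
HQ_RULE_1 = VpnRule("Headquarters Rule 1", "10.0.0.2",
                    parse_addrs("192.168.168.0~192.168.169.255"),
                    parse_addrs("192.168.167.0/255.255.255.0"))
# Assumed second spoke, constructed so the spoke-to-spoke check has a peer.
BRANCH_B = VpnRule("Branch Office B", "10.0.0.1",
                   parse_addrs("192.168.169.0/255.255.255.0"),
                   parse_addrs("192.168.167.0~192.168.168.255"))
HQ_RULE_2 = VpnRule("Headquarters Rule 2", "10.0.0.3",
                    parse_addrs("192.168.167.0~192.168.168.255"),
                    parse_addrs("192.168.169.0/255.255.255.0"))


def mirrored(spoke: VpnRule, hub: VpnRule) -> bool:
    """A spoke rule and the hub's rule for that spoke must mirror each other:
    what the spoke calls local the hub calls remote, and vice versa."""
    return covers(hub.remote, spoke.local) and covers(hub.local, spoke.remote)


def spoke_to_spoke_ok(spoke_a, hub_a, spoke_b, hub_b) -> bool:
    """A packet from A's LAN to B's LAN must be selected by A's rule, allowed
    into the hub by the hub's rule for A, sent out by the hub's rule for B and
    accepted by B's rule. Each of those is a 'local/remote covers' test."""
    return (covers(spoke_a.remote, spoke_b.local)
            and covers(hub_a.local, spoke_b.local)
            and covers(hub_b.local, spoke_a.local)
            and covers(spoke_b.remote, spoke_a.local))


if __name__ == "__main__":
    print("A <-> HQ mirrored:", mirrored(BRANCH_A, HQ_RULE_1))
    print("A -> B via hub:", spoke_to_spoke_ok(BRANCH_A, HQ_RULE_1, BRANCH_B, HQ_RULE_2))
```

The range form 192.168.168.0~192.168.169.255 collapses to a single /23, which is why one hub rule can cover both the headquarters LAN and a second spoke; a spoke whose remote address is only 192.168.168.0/24 fails the spoke-to-spoke check.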
Diffie-Hellman (DH) Key Exchange

The ZyWALL and the remote IPSec router use a DH key exchange to establish a shared secret, which is used to generate encryption keys for IKE SA and IPSec SA. In main mode, the DH key exchange is done in steps 3 and 4, as illustrated below.

Figure 226 IKE SA: Main Negotiation Mode, Steps 3 - 4: DH Key Exchange

The DH key exchange is based on DH key groups. Each key group is a fixed number of bits long.
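The following added example (not ZyXEL's code) runs the step 3/4 exchange from both sides and then derives the IKE keys from the shared secret the way RFC 2409 section 5 specifies for pre-shared-key authentication, with HMAC-SHA1 as the prf. TOY_P is a small prime chosen so the example runs instantly and is an assumption for illustration; real IKE uses the much larger MODP groups that the "DH key group" setting selects.

```python
# Added example, not ZyXEL's code: the Diffie-Hellman exchange of IKE main
# mode steps 3 and 4 and the SKEYID derivation that follows it (RFC 2409,
# section 5, pre-shared-key authentication). TOY_P is a small prime chosen so
# the example runs instantly; real IKE uses the RFC 2409/3526 MODP groups.
import hashlib
import hmac
import secrets

TOY_P = 2**127 - 1   # a Mersenne prime; far too small for real use
TOY_G = 2


def dh_keypair(p=TOY_P, g=TOY_G):
    """Private exponent x and public value g^x mod p (sent in step 3 or 4)."""
    x = secrets.randbelow(p - 2) + 1
    return x, pow(g, x, p)


def dh_shared(private, peer_public, p=TOY_P):
    """g^xy mod p. Public values 0, 1 and p-1 are rejected because they force
    the shared secret into a trivial value whatever the private exponent."""
    if not 1 < peer_public < p - 1:
        raise ValueError("invalid peer public value")
    return pow(peer_public, private, p)


def prf(key, data):
    """IKE prf for the SHA1 hash choice: HMAC-SHA1."""
    return hmac.new(key, data, hashlib.sha1).digest()


def derive_skeyid(shared, nonce_i, nonce_r, cky_i, cky_r, preshared):
    """RFC 2409 section 5, pre-shared keys:
       SKEYID   = prf(pre-shared-key, Ni_b | Nr_b)
       SKEYID_d = prf(SKEYID, g^xy | CKY-I | CKY-R | 0)            (IPSec SA keys)
       SKEYID_a = prf(SKEYID, SKEYID_d | g^xy | CKY-I | CKY-R | 1) (authentication)
       SKEYID_e = prf(SKEYID, SKEYID_a | g^xy | CKY-I | CKY-R | 2) (encryption)
    """
    gxy = shared.to_bytes((TOY_P.bit_length() + 7) // 8, "big")
    skeyid = prf(preshared, nonce_i + nonce_r)
    skeyid_d = prf(skeyid, gxy + cky_i + cky_r + b"\x00")
    skeyid_a = prf(skeyid, skeyid_d + gxy + cky_i + cky_r + b"\x01")
    skeyid_e = prf(skeyid, skeyid_a + gxy + cky_i + cky_r + b"\x02")
    return skeyid_d, skeyid_a, skeyid_e


def run_exchange(preshared=b"constructed-pre-shared-key"):
    """Both sides of the exchange; returns (initiator keys, responder keys).
    Cookies and nonces are exchanged in the clear; only x and y stay private."""
    cky_i, cky_r = secrets.token_bytes(8), secrets.token_bytes(8)
    nonce_i, nonce_r = secrets.token_bytes(16), secrets.token_bytes(16)
    x, gx = dh_keypair()   # initiator: step 3 sends gx and nonce_i
    y, gy = dh_keypair()   # responder: step 4 sends gy and nonce_r
    keys_i = derive_skeyid(dh_shared(x, gy), nonce_i, nonce_r, cky_i, cky_r, preshared)
    keys_r = derive_skeyid(dh_shared(y, gx), nonce_i, nonce_r, cky_i, cky_r, preshared)
    return keys_i, keys_r


if __name__ == "__main__":
    ki, kr = run_exchange()
    print("both sides derived the same keys:", ki == kr)
```

Two things worth noticing: the pre-shared key never crosses the wire (it only keys the prf), and a peer that sends 0, 1 or p-1 as its public value is rejected before the shared secret is computed, since those values would make the secret independent of the private exponent.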
The ZyWALL and the remote IPSec router each have their own identity, so each one must store two sets of information, one for itself and one for the other router. Local ID type and ID content refer to the ID type and ID content that apply to the router itself, and peer ID type and ID content refer to the ID type and ID content that apply to the other router in the IKE SA.
Note: You must set up the certificates for the ZyWALL and remote IPSec router before you can use certificates in IKE SA. See Chapter 20 on page 399 for more information about certificates.

Extended Authentication

Extended authentication is often used when multiple IPSec routers use the same VPN tunnel to connect to a single IPSec router. For example, this might be used with telecommuters.
VPN, NAT, and NAT Traversal

In the following example, there is another router (A) between router X and router Y.

Figure 228 VPN/NAT Example

If router A does NAT, it might change the IP addresses, port numbers, or both. If router X and router Y try to establish a VPN tunnel, the authentication fails because it depends on this information. The routers cannot establish a VPN tunnel. Most routers like router A now have an IPSec pass-through feature.
You can configure a remote network as 0.0.0.0 (any) when:
• Forwarding all outgoing traffic to the remote gateway.
• The remote network's addresses are unknown or there are many remote networks using one VPN rule (see Section 19.11.1 on page 383 for an example of telecommuters sharing one VPN rule).

Note: It is not recommended to set a VPN rule’s local and remote network settings both to 0.0.0.0 (any).
Figure 229 Virtual Mapping of Local and Remote Network IP Addresses

Computers on network X use IP addresses 192.168.1.2 to 192.168.1.4 to access local network devices and IP addresses 172.21.2.2 to 172.21.2.27 to access the remote network devices. Computers on network Y use IP addresses 192.168.1.2 to 192.168.1.27 to access local network devices and IP addresses 10.0.0.2 to 10.0.0.4 to access the remote network devices.
In tunnel mode, the ZyWALL uses the active protocol to encapsulate the entire IP packet. As a result, there are two IP headers:
• Outside header: The outside IP header contains the IP address of the ZyWALL or remote IPSec router, whichever is the destination.
• Inside header: The inside IP header contains the IP address of the computer behind the ZyWALL or remote IPSec router.
The header for the active protocol (AH or ESP) appears between the IP headers.
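To make the two-header layout concrete, the following added example (not ZyXEL's code) builds an AH tunnel-mode packet with the `struct` module and parses it back, recovering the gateway addresses from the outer header and the host addresses from the inner one. AH is used rather than ESP because AH leaves the inner header readable; with ESP it sits inside the encrypted payload. All addresses are constructed, and the AH integrity check value is a zero placeholder rather than a real HMAC.

```python
# Added example, not ZyXEL's code: building and parsing an AH tunnel-mode
# packet to show the two IP headers described above. AH is used because its
# inner header is sent in the clear; with ESP the inner header is encrypted.
# All addresses are constructed and the AH ICV is a zero placeholder.
import ipaddress
import struct
from typing import NamedTuple

IPPROTO_IPIP = 4   # AH Next Header value when the payload is an inner IPv4 packet
IPPROTO_TCP = 6
IPPROTO_AH = 51
IPV4_FMT = "!BBHHHBBH4s4s"   # 20-byte IPv4 header without options


def checksum(data: bytes) -> int:
    """RFC 1071 one's-complement checksum (0 when verifying a valid header)."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def ipv4_header(src: str, dst: str, proto: int, payload_len: int) -> bytes:
    fields = [0x45, 0, 20 + payload_len, 0, 0x4000, 64, proto, 0,
              ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed]
    fields[7] = checksum(struct.pack(IPV4_FMT, *fields))
    return struct.pack(IPV4_FMT, *fields)


def ah_header(next_header: int, spi: int, seq: int, icv: bytes) -> bytes:
    """AH: Next Header, Payload Len (32-bit words minus 2), Reserved, SPI, Seq, ICV."""
    payload_len = (12 + len(icv)) // 4 - 2
    return struct.pack("!BBHII", next_header, payload_len, 0, spi, seq) + icv


def build_tunnel_packet(gw_src, gw_dst, host_src, host_dst, spi=0x1000, seq=1):
    """Outer header: gateway to gateway. AH. Inner header: host to host."""
    tcp = struct.pack("!HHIIBBHHH", 40000, 80, 1, 0, 0x50, 0x02, 65535, 0, 0)  # constructed SYN
    inner = ipv4_header(host_src, host_dst, IPPROTO_TCP, len(tcp)) + tcp
    ah = ah_header(IPPROTO_IPIP, spi, seq, b"\x00" * 12)   # 96-bit ICV placeholder
    return ipv4_header(gw_src, gw_dst, IPPROTO_AH, len(ah) + len(inner)) + ah + inner


class TunnelInfo(NamedTuple):
    outer_src: str
    outer_dst: str
    spi: int
    seq: int
    inner_src: str
    inner_dst: str
    inner_proto: int


def parse_ipv4(buf: bytes, off: int):
    ver_ihl, _, _, _, _, _, proto, _, src, dst = struct.unpack_from(IPV4_FMT, buf, off)
    if ver_ihl >> 4 != 4:
        raise ValueError("not IPv4")
    ihl = (ver_ihl & 0x0F) * 4
    if checksum(buf[off:off + ihl]) != 0:
        raise ValueError("bad IPv4 header checksum")
    return str(ipaddress.IPv4Address(src)), str(ipaddress.IPv4Address(dst)), proto, off + ihl


def parse_tunnel_packet(pkt: bytes) -> TunnelInfo:
    osrc, odst, proto, off = parse_ipv4(pkt, 0)
    if proto != IPPROTO_AH:
        raise ValueError("outer header does not carry AH")
    next_hdr, payload_len, _, spi, seq = struct.unpack_from("!BBHII", pkt, off)
    off += (payload_len + 2) * 4
    if next_hdr != IPPROTO_IPIP:
        raise ValueError("AH payload is not an inner IPv4 packet (transport mode?)")
    isrc, idst, iproto, _ = parse_ipv4(pkt, off)
    return TunnelInfo(osrc, odst, spi, seq, isrc, idst, iproto)


if __name__ == "__main__":
    pkt = build_tunnel_packet("203.0.113.1", "198.51.100.1", "192.168.1.2", "192.168.2.10")
    print(parse_tunnel_packet(pkt))
```

The AH Next Header value of 4 (IP-in-IP) is what distinguishes tunnel mode from transport mode on the wire; in transport mode it would carry the inner transport protocol (6 for TCP) and there would be no second IP header.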
Additional IPSec VPN Topics

This section discusses other IPSec VPN topics that apply to either IKE SAs or IPSec SAs or both. Relationships between the topics are also highlighted.

SA Life Time

SAs have a lifetime that specifies how long the SA lasts until it times out.

Figure 231 IPSec High Availability

When setting up an IPSec high availability VPN tunnel, the remote IPSec router:
• Must have multiple WAN connections
• Only needs one corresponding IPSec rule
• Should only have IPSec high availability settings in its corresponding IPSec rule if your ZyWALL has multiple WAN connections
• Should ideally identify itself by a domain name or dynamic domain name (it must otherwise have My Address set to 0.0.0.
CHAPTER 20 Certificates 20.1 Overview The ZyWALL can use certificates (also called digital IDs) to authenticate users. Certificates are based on public-private key pairs. A certificate contains the certificate owner’s identity and public key. Certificates provide a way to exchange public keys for use in authentication. 20.1.1 What You Can Do in the Certificate Screens • Use the My Certificate screens (see Section 20.
The ZyWALL uses certificates based on public-key cryptology to authenticate users attempting to establish a connection. The method used to secure the data that you send through an established connection depends on the type of connection. For example, a VPN tunnel might use the triple DES encryption algorithm. The certification authority uses its private key to sign certificates. Anyone can then use the certification authority’s public key to verify the certificates.

Figure 233 Certificate Details

4 Use a secure method to verify that the certificate owner has the same information in the Thumbprint Algorithm and Thumbprint fields. The secure method may vary based on your situation. Possible examples would be over the telephone or through an HTTPS connection.

20.2 The My Certificates Screen

Click SECURITY > CERTIFICATES > My Certificates to open the My Certificates screen.
Figure 234 SECURITY > CERTIFICATES > My Certificates

The following table describes the labels in this screen.

Table 113 SECURITY > CERTIFICATES > My Certificates
PKI Storage Space in Use: This bar displays the percentage of the ZyWALL’s PKI storage space that is currently in use. When the storage space is almost full, you should consider deleting expired or unnecessary certificates before adding more certificates.

Table 113 SECURITY > CERTIFICATES > My Certificates (continued)
Issuer: This field displays identifying information about the certificate’s issuing certification authority, such as a common name, organizational unit or department, organization or company and country. With self-signed certificates, this is the same information as in the Subject field.
Valid From: This field displays the date that the certificate becomes applicable.
Figure 235 SECURITY > CERTIFICATES > My Certificates > Details

The following table describes the labels in this screen.

Table 114 SECURITY > CERTIFICATES > My Certificates > Details
Name: This field displays the identifying name of this certificate. If you want to change the name, type up to 31 characters to identify this certificate. You may use any character (not including spaces).

Table 114 SECURITY > CERTIFICATES > My Certificates > Details (continued)
Issuer: This field displays identifying information about the certificate’s issuing certification authority, such as Common Name, Organizational Unit, Organization and Country. With self-signed certificates, this is the same as the Subject Name field.
Signature Algorithm: This field displays the type of algorithm that was used to sign the certificate.
20.3 The My Certificate Export Screen

Click SECURITY > CERTIFICATES > My Certificates and then a certificate’s export icon to open the My Certificate Export screen. Follow the instructions in this screen to choose the file format to use for saving the certificate from the ZyWALL to a computer. You can export a certificate in one of these file formats:
• Binary X.509: This is an ITU-T recommendation that defines the formats for X.509 certificates.

20.4 The My Certificate Import Screen

You can only import a certificate that matches a corresponding certification request that was generated by the ZyWALL (the certification request contains the private key). The certificate you import replaces the corresponding request in the My Certificates screen. One exception is that you can import a PKCS#12 format certificate without a corresponding certification request since the certificate includes the private key.
Figure 237 SECURITY > CERTIFICATES > My Certificates > Import

The following table describes the labels in this screen.

Table 116 SECURITY > CERTIFICATES > My Certificates > Import
File Path: Type in the location of the file you want to upload in this field or click Browse to find it.
Browse: Click Browse to find the certificate file you want to upload.
Apply: Click Apply to save the certificate on the ZyWALL.

20.5 The My Certificate Create Screen

Click SECURITY > CERTIFICATES > My Certificates > Create to open the My Certificate Create screen. Use this screen to have the ZyWALL create a self-signed certificate, enroll a certificate with a certification authority or generate a certification request.
Figure 240 SECURITY > CERTIFICATES > My Certificates > Create (Advanced)

The following table describes the labels in this screen.

Table 118 SECURITY > CERTIFICATES > My Certificates > Create
Certificate Name: Type up to 31 ASCII characters (not including spaces) to identify this certificate.
Subject Information: Use these fields to record information that identifies the owner of the certificate.

Table 118 SECURITY > CERTIFICATES > My Certificates > Create (continued)
Common Name: Select a radio button to identify the certificate’s owner by IP address, domain name or e-mail address. Type the IP address (in dotted decimal notation), domain name or e-mail address in the field provided. The domain name or e-mail address can be up to 31 ASCII characters. The domain name or e-mail address is for identification purposes only and can be any string.

Table 118 SECURITY > CERTIFICATES > My Certificates > Create (continued)
Subject Alternative Name: Select a radio button to identify the certificate’s owner by IP address, domain name or e-mail address. Type the IP address (in dotted decimal notation), domain name or e-mail address in the field provided. The domain name or e-mail address can be up to 31 ASCII characters.

Table 118 SECURITY > CERTIFICATES > My Certificates > Create (continued)
RA Signing Certificate: If you select Enrollment via an RA, select the CA’s RA signing certificate from the drop-down list box. You must have the certificate already imported in the Trusted CAs screen. Click Trusted CAs to go to the Trusted CAs screen where you can view (and manage) the ZyWALL's list of certificates of trusted certification authorities.
Figure 241 SECURITY > CERTIFICATES > Trusted CAs

The following table describes the labels in this screen.

Table 119 SECURITY > CERTIFICATES > Trusted CAs
PKI Storage Space in Use: This bar displays the percentage of the ZyWALL’s PKI storage space that is currently in use. When the storage space is almost full, you should consider deleting expired or unnecessary certificates before adding more certificates.

Table 119 SECURITY > CERTIFICATES > Trusted CAs (continued)
Modify: Click the details icon to open a screen with an in-depth list of information about the certificate. Use the export icon to save the certificate to a computer. Click the icon and then Save in the File Download screen. The Save As screen opens; browse to the location that you want to use and click Save. Click the delete icon to remove the certificate.
Figure 242 SECURITY > CERTIFICATES > Trusted CAs > Details

The following table describes the labels in this screen.

Table 120 SECURITY > CERTIFICATES > Trusted CAs > Details
Name: This field displays the identifying name of this certificate. If you want to change the name, type up to 31 characters to identify this key certificate. You may use any character (not including spaces).

Table 120 SECURITY > CERTIFICATES > Trusted CAs > Details (continued)
Certification Path: Click the Refresh button to have this read-only text box display the end entity’s certificate and a list of certification authority certificates that shows the hierarchy of certification authorities that validate the end entity’s certificate.

Table 120 SECURITY > CERTIFICATES > Trusted CAs > Details (continued)
CRL Distribution Points: This field displays how many directory servers with lists of revoked certificates the issuing certification authority of this certificate makes available. This field also displays the domain names or IP addresses of the servers.
MD5 Fingerprint: This is the certificate’s message digest that the ZyWALL calculated using the MD5 algorithm.
Figure 243 SECURITY > CERTIFICATES > Trusted CAs > Import

The following table describes the labels in this screen.

Table 121 SECURITY > CERTIFICATES > Trusted CAs Import
File Path: Type in the location of the file you want to upload in this field or click Browse to find it.
Browse: Click Browse to find the certificate file you want to upload.
Apply: Click Apply to save the certificate on the ZyWALL.

Figure 244 SECURITY > CERTIFICATES > Trusted Remote Hosts

The following table describes the labels in this screen.

Table 122 SECURITY > CERTIFICATES > Trusted Remote Hosts
PKI Storage Space in Use: This bar displays the percentage of the ZyWALL’s PKI storage space that is currently in use. When the storage space is almost full, you should consider deleting expired or unnecessary certificates before adding more certificates.
20.10 The Trusted Remote Hosts Import Screen

Click SECURITY > CERTIFICATES > Trusted Remote Hosts to open the Trusted Remote Hosts screen and then click Import to open the Trusted Remote Host Import screen. You may have peers with certificates that you want to trust, but the certificates were not signed by one of the certification authorities on the Trusted CAs screen. Follow the instructions in this screen to save a peer’s certificates from a computer to the ZyWALL.

20.11 The Trusted Remote Host Certificate Details Screen

Click SECURITY > CERTIFICATES > Trusted Remote Hosts to open the Trusted Remote Hosts screen. Click the details icon to open the Trusted Remote Host Details screen. You can use this screen to view in-depth information about the trusted remote host’s certificate and/or change the certificate’s name.
The following table describes the labels in this screen.

Table 124 SECURITY > CERTIFICATES > Trusted Remote Hosts > Details
Name: This field displays the identifying name of this certificate. If you want to change the name, type up to 31 characters to identify this key certificate. You may use any character (not including spaces).

Table 124 SECURITY > CERTIFICATES > Trusted Remote Hosts > Details (continued)
MD5 Fingerprint: This is the certificate’s message digest that the ZyWALL calculated using the MD5 algorithm. The ZyWALL uses one of its own self-signed certificates to sign the imported trusted remote host certificates. This changes the fingerprint value displayed here (so it does not match the original). See Section 20.1.
The following table describes the labels in this screen.

Table 125 SECURITY > CERTIFICATES > Directory Servers
PKI Storage Space in Use: This bar displays the percentage of the ZyWALL’s PKI storage space that is currently in use. When the storage space is almost full, you should consider deleting expired or unnecessary certificates before adding more certificates.
#: The index number of the directory server. The servers are listed in alphabetical order.

The following table describes the labels in this screen.

Table 126 SECURITY > CERTIFICATES > Directory Server > Add
Directory Service Setting
Name: Type up to 31 ASCII characters (spaces are not permitted) to identify this directory server.
Access Protocol: Use the drop-down list box to select the access protocol used by the directory server.
CHAPTER 21 Authentication Server Screens 21.1 Overview This chapter discusses how to configure the ZyWALL’s authentication server feature. A ZyWALL set to be a VPN extended authentication server can use either the local user database internal to the ZyWALL or an external RADIUS server for an unlimited number of users. The ZyWALL uses the same local user database for VPN extended authentication and wireless LAN security. 21.1.
21.2 The Local User Database Screen

Click SECURITY > AUTH SERVER to open the Local User Database screen. The local user database is a list of user profiles stored on the ZyWALL. The ZyWALL can use this list of user profiles to authenticate users. Use this screen to change your ZyWALL’s list of user profiles.

Figure 249 SECURITY > AUTH SERVER > Local User Database

The following table describes the labels in this screen.

Table 127 SECURITY > AUTH SERVER > Local User Database
Active: Select this check box to enable the user profile.
User Name: Enter the user name of the user profile.
Password: Enter a password up to 31 characters long for this user profile.
Apply: Click Apply to save your changes back to the ZyWALL.
Reset: Click Reset to begin configuring this screen afresh.

21.

Table 128 SECURITY > AUTH SERVER > RADIUS
Key: Enter a password (up to 31 alphanumeric characters) as the key to be shared between the external authentication server and the ZyWALL. The key is not sent over the network. This key must be the same on the external authentication server and ZyWALL.
Accounting Server Active: Select the check box to enable user accounting through an external authentication server.
PART IV Advanced

Network Address Translation (NAT) (435)
Static Route Screens (451)
Policy Route Screens (457)
Bandwidth Management Screens (465)
DNS Screens (479)
Remote Management Screens (491)
UPnP Screens (519)
Custom Application Screen (529)
ALG Screen (531)
CHAPTER 22 Network Address Translation (NAT) 22.1 Overview NAT (Network Address Translation - NAT, RFC 1631) is the translation of the IP address of a host in a packet. For example, the source address of an outgoing packet, used within one network is changed to a different IP address known within another network. 22.1.1 What You Can Do Using the NAT Screens • Use the NAT Overview screen (Section 22.2 on page 436) to configure global NAT settings and enable NAT on a WAN interface.
The following table summarizes the NAT mapping types.

Figure 251 ADVANCED > NAT > NAT Overview

The following table describes the labels in this screen.

Table 130 ADVANCED > NAT > NAT Overview
Global Settings
Max. Concurrent Sessions: This read-only field displays the highest number of NAT sessions that the ZyWALL will permit at one time.
Max. Concurrent Sessions Per Host: Use this field to set the highest number of NAT sessions that the ZyWALL will permit a host to have at one time.

Table 130 ADVANCED > NAT > NAT Overview (continued)
Address Mapping Rules: Select SUA if you have just one public WAN IP address for your ZyWALL. This lets the ZyWALL use its permanent, pre-defined NAT address mapping rules. Select Full Feature if you have multiple public WAN IP addresses for your ZyWALL. This lets the ZyWALL use the address mapping rules that you configure.
Figure 252 ADVANCED > NAT > Address Mapping

The following table describes the labels in this screen.

Table 131 ADVANCED > NAT > Address Mapping
SUA Address Mapping Rules: This read-only table displays the default address mapping rules.
Full Feature Address Mapping Rules
WAN Interface: Select the WAN interface for which you want to view or configure address mapping rules.

Table 131 ADVANCED > NAT > Address Mapping (continued)
Global Start IP: This refers to the Inside Global IP Address (IGA), that is, the starting global IP address. 0.0.0.0 is for a dynamic IP address from your ISP with Many-to-One and Server mapping types.
Global End IP: This is the ending Inside Global Address (IGA). This field is N/A for One-to-One, Many-to-One and Server mapping types.
Type 1.

The following table describes the labels in this screen.

Table 132 ADVANCED > NAT > Address Mapping > Edit
Type: Choose the port mapping type from one of the following.
1. One-to-One: One-to-One mode maps one local IP address to one global IP address. Note that port numbers do not change for One-to-One NAT mapping type.
2. Many-to-One: Many-to-One mode maps multiple local IP addresses to one global IP address. This is equivalent to SUA (i.e.
Note: If you do not assign a Default Server IP address, the ZyWALL discards all packets received for ports that are not specified here or in the remote management setup.

22.4.2 Port Forwarding: Services and Port Numbers

The ZyWALL provides the additional safety of the DMZ ports for connecting your publicly accessible servers. This makes the LAN more secure by physically separating it from your public servers.

22.4.5 Port Translation

The ZyWALL can translate the destination port number or a range of port numbers of packets coming from the WAN to another destination port number or range of port numbers on the local network. When you use port forwarding without port translation, a single server on the local network can use a specific port number and be accessible to the outside world through a single WAN IP address.
Note: The last port forwarding rule is reserved for Roadrunner services. The rule is activated only when you set the WAN Encapsulation to Ethernet and the Service Type to something other than Standard.

Figure 256 ADVANCED > NAT > Port Forwarding

The following table describes the labels in this screen.

Table 133 ADVANCED > NAT > Port Forwarding
Name: Enter a name to identify this port-forwarding rule.
Incoming Port(s): Enter a port number here. To forward only one port, enter it again in the second field. To specify a range of ports, enter the last port to be forwarded in the second field.
Port Translation: Enter the port number here to which you want the ZyWALL to translate the incoming port.
2 Port 7070 is a “trigger” port and causes the ZyWALL to record Jane’s computer IP address. The ZyWALL associates Jane's computer IP address with the "incoming" port range of 6970-7170.
3 The Real Audio server responds using a port number ranging between 6970-7170.
4 The ZyWALL forwards the traffic to Jane’s computer IP address.
5 Only Jane can connect to the Real Audio server until the connection is closed or times out.

Table 134 ADVANCED > NAT > Port Triggering
Incoming: Incoming is a port (or a range of ports) that a server on the WAN uses when it sends out a particular service. The ZyWALL forwards the traffic with this port (or range of ports) to the client computer on the LAN that requested the service.
Start Port: Type a port number or the starting port number in a range of port numbers.
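The Real Audio walkthrough above is a small state machine: an outbound connection to the trigger port records the LAN host, inbound traffic in the incoming range is forwarded to that host, and the association is released on close or timeout. The following added example (not ZyXEL's code) implements that behaviour. Timestamps are passed in explicitly so the sequence is reproducible, the 60-second idle timeout is an assumption rather than a documented ZyWALL value, and the LAN addresses are constructed.

```python
# Added example, not ZyXEL's code: the port-triggering behaviour walked
# through above (trigger port 7070, incoming range 6970-7170), with the
# per-host ownership and timeout that the text describes. Timestamps are
# passed in explicitly so the sequence is reproducible.
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class TriggerRule:
    name: str
    trigger_start: int
    trigger_end: int
    incoming_start: int
    incoming_end: int
    owner: Optional[str] = None    # LAN IP that armed the rule
    armed_at: float = 0.0


class PortTriggerTable:
    def __init__(self, rules: List[TriggerRule], timeout: float = 60.0):
        self.rules = rules
        self.timeout = timeout   # assumed idle timeout, not a documented value

    def _expire(self, now: float) -> None:
        for r in self.rules:
            if r.owner and now - r.armed_at >= self.timeout:
                r.owner = None

    def outgoing(self, lan_ip: str, dst_port: int, now: float) -> bool:
        """Called for a LAN host's outbound connection. Arms the rule whose
        trigger range contains dst_port; returns True if this host now owns it."""
        self._expire(now)
        for r in self.rules:
            if r.trigger_start <= dst_port <= r.trigger_end:
                if r.owner not in (None, lan_ip):
                    return False    # another host holds the rule until close/timeout
                r.owner, r.armed_at = lan_ip, now
                return True
        return False

    def incoming(self, dst_port: int, now: float) -> Optional[str]:
        """Called for a WAN packet. Returns the LAN IP to forward to, or None
        if no armed rule covers dst_port (the packet is dropped)."""
        self._expire(now)
        for r in self.rules:
            if r.owner and r.incoming_start <= dst_port <= r.incoming_end:
                r.armed_at = now    # activity keeps the association alive
                return r.owner
        return None

    def close(self, lan_ip: str) -> None:
        """The owning host closed its session; release its rules."""
        for r in self.rules:
            if r.owner == lan_ip:
                r.owner = None


def real_audio_table() -> PortTriggerTable:
    return PortTriggerTable([TriggerRule("Real Audio", 7070, 7070, 6970, 7170)])


if __name__ == "__main__":
    t = real_audio_table()
    t.outgoing("192.168.1.33", 7070, now=1.0)       # Jane's computer, constructed IP
    print("6970-7170 forwarded to:", t.incoming(7000, now=2.0))
```

The security-relevant property is the last one in the walkthrough: while the rule is armed, only the host that triggered it receives the inbound range, and once it is released an unsolicited packet to those ports is dropped again.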
What NAT Does

In the simplest form, NAT changes the source IP address in a packet received from a subscriber (the inside local address) to another (the inside global address) before forwarding the packet to the WAN side. When the response comes back, NAT translates the destination address (the inside global address) back to the inside local address before forwarding it to the original inside host.

NAT Application

The following figure illustrates a possible NAT application, where three inside LANs (logical LANs using IP Alias) behind the ZyWALL can communicate with three distinct WAN networks. More examples follow at the end of this chapter.

Figure 260 NAT Application With IP Alias

Port Restricted Cone NAT

ZyWALL ZyNOS version 4.00 and later uses port restricted cone NAT.
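The term "port restricted cone" describes two things the binding table does: the same inside socket always gets the same public port whatever it talks to (cone), and an inbound packet is delivered only from a remote IP and port that the inside host has already sent to (port restricted). The following added example (not ZyXEL's code) implements such a table so both halves can be checked; the public and private addresses are constructed.

```python
# Added example, not ZyXEL's code: a port-restricted cone NAT binding table,
# the behaviour the text attributes to ZyNOS 4.00 and later. Addresses are
# constructed. "Cone" means one inside socket always maps to the same public
# port; "port restricted" means an inbound packet is accepted only from a
# remote IP and port the inside host has already sent to.
from typing import Dict, Optional, Set, Tuple

Socket = Tuple[str, int]


class PortRestrictedConeNat:
    def __init__(self, public_ip: str, first_port: int = 1024):
        self.public_ip = public_ip
        self.next_port = first_port
        self.bindings: Dict[Socket, int] = {}     # inside socket -> public port
        self.reverse: Dict[int, Socket] = {}      # public port -> inside socket
        self.peers: Dict[int, Set[Socket]] = {}   # public port -> remote sockets contacted

    def outbound(self, local_ip: str, local_port: int,
                 remote_ip: str, remote_port: int) -> Socket:
        """Translate the source of an outgoing packet (inside local address to
        inside global address); returns (public ip, public port)."""
        key = (local_ip, local_port)
        if key not in self.bindings:
            port = self.next_port
            self.next_port += 1
            self.bindings[key] = port
            self.reverse[port] = key
            self.peers[port] = set()
        port = self.bindings[key]
        self.peers[port].add((remote_ip, remote_port))
        return self.public_ip, port

    def inbound(self, remote_ip: str, remote_port: int, public_port: int) -> Optional[Socket]:
        """Return the inside socket to deliver a WAN packet to, or None to drop it."""
        inside = self.reverse.get(public_port)
        if inside is None:
            return None   # no binding: unsolicited packet
        if (remote_ip, remote_port) not in self.peers[public_port]:
            return None   # port restricted: remote IP or port was never contacted
        return inside


if __name__ == "__main__":
    nat = PortRestrictedConeNat("203.0.113.5")
    print(nat.outbound("192.168.1.2", 5000, "198.51.100.10", 53))
    print(nat.inbound("198.51.100.10", 53, 1024))   # delivered
    print(nat.inbound("198.51.100.10", 54, 1024))   # dropped: different remote port
```

This is what makes the ZyWALL discard unsolicited WAN packets unless a port forwarding, port triggering or default server rule says otherwise: without a matching outbound binding there is nothing to translate the destination back to.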
CHAPTER 23 Static Route Screens 23.1 Overview This chapter shows you how to configure static routes for your ZyWALL. The ZyWALL usually uses the default gateway to route outbound traffic from local computers to the Internet. To have the ZyWALL send data to devices not reachable through the default gateway, use static routes. For example, the next figure shows a computer (A) connected to the ZyWALL’s LAN interface. The ZyWALL routes most traffic from A to the Internet through the default gateway (R1).
• Use the IP Static Route Edit screen (Section 23.2.1 on page 454) to configure the required information for a static route.

23.2 The IP Static Route Screen

Click ADVANCED > STATIC ROUTE to open the IP Static Route screen (some of the screen’s blank rows are not shown). The first two static route entries are for default WAN 1 and WAN 2 routes on a ZyWALL with multiple WAN interfaces. You cannot modify or delete a static default route.

Figure 263 ADVANCED > STATIC ROUTE > IP Static Route

The following table describes the labels in this screen.

Table 135 ADVANCED > STATIC ROUTE > IP Static Route
#: This is the number of an individual static route.
Name: This is the name that describes or identifies this route.
Active: This field shows whether this static route is active (Yes) or not (No).
Destination: This parameter specifies the IP network address of the final destination.

Table 135 ADVANCED > STATIC ROUTE > IP Static Route (continued)
Gateway: This is the IP address of the gateway. The gateway is a router or switch on the same network segment as the ZyWALL’s interface. The gateway helps forward packets to their destinations.
Modify: Click the edit icon to go to the screen where you can set up a static route on the ZyWALL. Click the delete icon to remove a static route from the ZyWALL.

Table 136 ADVANCED > STATIC ROUTE > IP Static Route > Edit
Private: This parameter determines if the ZyWALL will include this route to a remote node in its RIP broadcasts. Select this check box to keep this route private and not included in RIP broadcasts. Clear this check box to propagate this route to other hosts through RIP broadcasts.
Apply: Click Apply to save your changes back to the ZyWALL.
Cancel: Click Cancel to exit this screen without saving.
CHAPTER 24 Policy Route Screens 24.1 Overview This chapter covers setting and applying policies used for IP routing. Traditionally, routing is based on the destination address only and the ZyWALL takes the shortest path to forward a packet. IP Policy Routing (IPPR) provides a mechanism to override the default routing behavior and alter the packet forwarding based on the policy defined by the network administrator.
Routing Policy

Individual routing policies are used as part of the overall IPPR process. A policy defines the matching criteria and the action to take when a packet meets the criteria. The action is taken only when all the criteria are met. The criteria include the source address and port, IP protocol (ICMP, UDP, TCP, etc.), destination address and port, ToS and precedence (fields in the IP header) and length.

Figure 265 ADVANCED > POLICY ROUTE > Policy Route Summary

The following table describes the labels in this screen.

Table 137 ADVANCED > POLICY ROUTE > Policy Route Summary
#: This is the number of an individual policy route.
Active: This field shows whether the policy is active or inactive.
Source Address/Port: This is the source IP address range and/or port number range.

Table 137 ADVANCED > POLICY ROUTE > Policy Route Summary (continued)
Gateway: Enter the IP address of the gateway. The gateway is a router or switch on the same network segment as the device's LAN or WAN port. The gateway helps forward packets to their destinations.
Protocol: This is the IP protocol and can be ALL(0), ICMP(1), IGMP(2), TCP(6), UDP(17), GRE(47), ESP(50) or AH(51).
Figure 266 ADVANCED > POLICY ROUTE > Edit

The following table describes the labels in this screen.

Table 138 ADVANCED > POLICY ROUTE > Edit
Criteria
Active: Select the check box to activate the policy.
Rule Index: This is the index number of the policy route.
IP Protocol: Select Predefined and then the IP protocol from ALL(0), ICMP(1), IGMP(2), TCP(6), UDP(17), GRE(47), ESP(50) or AH(51). Otherwise, select Custom and enter a number from 0 to 255.

Table 138 ADVANCED > POLICY ROUTE > Edit (continued)
Length Comparison: Choose from Equal, Not Equal, Less, Greater, Less or Equal or Greater or Equal.
Application: Select a predefined application (FTP, H.323 or SIP) for the policy rule. If you do not want to use a predefined application, select Custom. You can also configure the source and destination port numbers if you set IP protocol to TCP or UDP.

Table 138 ADVANCED > POLICY ROUTE > Edit (continued)
Gateway: Select User-Defined and enter the IP address of the gateway if you want to specify the IP address of the gateway. The gateway is an immediate neighbor of your ZyWALL that will forward the packet to the destination. The gateway must be a router on the same segment as your ZyWALL's LAN or WAN interface.
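Putting the Routing Policy description and the Edit screen's criteria together: a packet is handed to a rule's gateway only when every configured criterion matches, rules are tried by index, and a packet that matches no active rule follows normal destination-based routing. The following added example (not ZyXEL's code) implements that matcher with the protocol numbers and length comparisons listed on the page; the sample rule, gateways and packets are constructed, and the ToS/precedence bit positions follow RFC 791.

```python
# Added example, not ZyXEL's code: a policy-route matcher using the criteria
# listed in Table 138 (protocol, source/destination address and port ranges,
# ToS/precedence and packet length comparison). A packet is routed by the
# first active rule all of whose criteria match; otherwise the default route
# applies. Values in the sample rule and packets are constructed.
import ipaddress
import operator
from dataclasses import dataclass
from typing import List, Optional, Tuple

PROTOCOLS = {"ALL": 0, "ICMP": 1, "IGMP": 2, "TCP": 6, "UDP": 17,
             "GRE": 47, "ESP": 50, "AH": 51}
LENGTH_CMP = {"Equal": operator.eq, "Not Equal": operator.ne, "Less": operator.lt,
              "Greater": operator.gt, "Less or Equal": operator.le,
              "Greater or Equal": operator.ge}
Range = Tuple[str, str]
Ports = Tuple[int, int]


@dataclass
class Packet:
    src: str
    dst: str
    protocol: int
    sport: int
    dport: int
    tos: int       # raw ToS byte: precedence in bits 7-5, ToS bits in 4-1 (RFC 791)
    length: int


@dataclass
class PolicyRoute:
    index: int
    gateway: str
    active: bool = True
    protocol: int = 0                          # 0 = ALL
    src_range: Optional[Range] = None
    src_ports: Optional[Ports] = None          # only meaningful for TCP/UDP
    dst_range: Optional[Range] = None
    dst_ports: Optional[Ports] = None
    precedence: Optional[int] = None           # 0-7
    tos: Optional[int] = None                  # 0-15 type-of-service bits
    length: Optional[Tuple[str, int]] = None   # e.g. ("Greater", 1000)


def _addr_in(addr: str, rng: Optional[Range]) -> bool:
    if rng is None:
        return True
    lo, hi = (ipaddress.IPv4Address(a) for a in rng)
    return lo <= ipaddress.IPv4Address(addr) <= hi


def _port_in(port: int, rng: Optional[Ports]) -> bool:
    return rng is None or rng[0] <= port <= rng[1]


def matches(rule: PolicyRoute, pkt: Packet) -> bool:
    """All configured criteria must match; unset criteria match anything."""
    if not rule.active:
        return False
    if rule.protocol not in (0, pkt.protocol):
        return False
    if pkt.protocol in (PROTOCOLS["TCP"], PROTOCOLS["UDP"]):
        if not (_port_in(pkt.sport, rule.src_ports) and _port_in(pkt.dport, rule.dst_ports)):
            return False
    if not (_addr_in(pkt.src, rule.src_range) and _addr_in(pkt.dst, rule.dst_range)):
        return False
    if rule.precedence is not None and (pkt.tos >> 5) != rule.precedence:
        return False
    if rule.tos is not None and ((pkt.tos >> 1) & 0x0F) != rule.tos:
        return False
    if rule.length is not None:
        op, value = rule.length
        if not LENGTH_CMP[op](pkt.length, value):
            return False
    return True


def route(rules: List[PolicyRoute], pkt: Packet, default_gateway: str) -> str:
    """Gateway for the packet: first matching rule by index, else the default route."""
    for rule in sorted(rules, key=lambda r: r.index):
        if matches(rule, pkt):
            return rule.gateway
    return default_gateway


# Constructed policy: large LAN web transfers (TCP port 80, more than 1000
# bytes) leave through a second gateway instead of the default route.
RULES = [PolicyRoute(1, "192.168.1.254", protocol=PROTOCOLS["TCP"],
                     src_range=("192.168.1.1", "192.168.1.254"),
                     dst_ports=(80, 80), length=("Greater", 1000))]

if __name__ == "__main__":
    big = Packet("192.168.1.10", "203.0.113.80", PROTOCOLS["TCP"], 40000, 80, 0, 1500)
    print(route(RULES, big, "10.0.0.1"))
```

Because every criterion is ANDed, a rule with no criteria set other than Active would match all traffic; the `length` field is the one that keeps small control packets on the default route in this sample policy.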
CHAPTER 25 Bandwidth Management Screens 25.1 Overview Bandwidth management allows you to allocate an interface’s outgoing capacity to specific types of traffic. It can also help you make sure that the ZyWALL forwards certain types of traffic, such as Voice-over-IP (VoIP), with minimum delay.
Chapter 25 Bandwidth Management Screens Proportional Bandwidth Allocation Bandwidth management allows you to define how much bandwidth each class gets; however, the actual bandwidth allotted to each class decreases or increases in proportion to actual available bandwidth. Application-based Bandwidth Management You can create bandwidth classes based on individual applications (like VoIP, Web, FTP, Email and Video for example).
Chapter 25 Bandwidth Management Screens 25.1.4 Over Allotment of Bandwidth Example It is possible to set the bandwidth management speed for an interface higher than the interface’s actual transmission speed. Higher priority traffic gets to use up to its allocated bandwidth, even if it takes up all of the interface’s available bandwidth. This could stop lower priority traffic from being sent. The following is an example.
You can configure up to one bandwidth filter per bandwidth class. You can also configure bandwidth classes without bandwidth filters; however, it is recommended that you configure sub-classes with filters for any classes that you configure without filters. The ZyWALL leaves the bandwidth budget allocated and unused for a class that has neither a filter nor sub-classes with filters.
The following table describes the labels in this screen.
Table 141 ADVANCED > BW MGMT > Summary
Class: These read-only labels represent the physical interfaces. Select an interface's check box to enable bandwidth management on that interface. Bandwidth management applies to all traffic flowing out of the router through the interface, regardless of the traffic's source.
Note: The WLAN class refers to the Ethernet interfaces in the WLAN port role.
25.2.1 Maximize Bandwidth Usage Example
Here is an example of a ZyWALL that has maximize bandwidth usage enabled on an interface. The following table shows each bandwidth class's bandwidth budget. The classes are set up based on subnets. The interface is set to 10240 kbps and each subnet is allocated 2048 kbps. The unbudgeted 2048 kbps allows traffic not defined in any of the bandwidth filters to go out when you do not select the maximize bandwidth option.
25.2.1.2 Fairness-based Allotment of Unused and Unbudgeted Bandwidth
The following table shows the amount of bandwidth that each class gets.
Table 144 Fairness-based Allotment of Unused and Unbudgeted Bandwidth Example
BANDWIDTH CLASSES AND ALLOTMENTS
Root Class: 10240 kbps
Administration: 1024 kbps
Sales: 3072 kbps
Marketing: 3072 kbps
Research: 3072 kbps
Suppose that all of the classes except for the administration class need more bandwidth.
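As an added example (not ZyXEL's code), the following Python models the allotment described in Sections 25.2.1 and 25.2.1.2: a 10240 kbps interface, four subnet classes budgeted 2048 kbps each, and equal-share redistribution of unused and unbudgeted bandwidth when maximize bandwidth usage is on. It assumes the administration class only offers 1024 kbps of traffic, which is what reproduces Table 144; the priority behaviour of over-allotment (Section 25.1.4) is deliberately not modelled.

```python
"""Model of bandwidth class allotment with and without 'maximize bandwidth usage'.

Added example, not ZyXEL code. Budgets are per class; the unbudgeted remainder
of the interface speed is reserved for unfiltered traffic unless maximize is on,
in which case unused budget plus unbudgeted capacity is shared equally among the
classes that still need more (water-filling), so no class gets more than it asks for.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional

UNLIMITED = None  # a class whose demand is None will take whatever it is offered


@dataclass(frozen=True)
class BwClass:
    name: str
    budget_kbps: int
    demand_kbps: Optional[int]  # traffic the class actually offers; None means "wants more"


def allot(interface_kbps: int, classes: List[BwClass], maximize: bool) -> Dict[str, int]:
    """Return the kbps each class actually gets for one snapshot of demand."""
    total_budget = sum(c.budget_kbps for c in classes)
    if total_budget > interface_kbps:
        # Over-allotment is priority-driven on the device; this model does not cover it.
        raise ValueError("over-allotted: budgets exceed the interface speed")

    # Step 1: every class is capped at its budget; unlimited demand uses the full budget.
    got = {
        c.name: c.budget_kbps if c.demand_kbps is None else min(c.budget_kbps, c.demand_kbps)
        for c in classes
    }
    if not maximize:
        return got  # unbudgeted capacity stays reserved for traffic matching no filter

    spare = interface_kbps - sum(got.values())  # unused budget + unbudgeted capacity
    needy = {c.name: c for c in classes if c.demand_kbps is None or got[c.name] < c.demand_kbps}

    # Step 2: equal shares; a class needing less than its share hands the rest back
    # and drops out, and the remainder is re-shared until nothing is left.
    while spare > 0 and needy:
        share = spare // len(needy)
        if share == 0:
            break
        for name, c in list(needy.items()):
            room = share if c.demand_kbps is None else min(share, c.demand_kbps - got[name])
            got[name] += room
            spare -= room
            if c.demand_kbps is not None and got[name] >= c.demand_kbps:
                del needy[name]
    return got


def manual_example(maximize: bool) -> Dict[str, int]:
    """The manual's scenario: Administration needs only 1024 kbps (assumption), others want more."""
    classes = [
        BwClass("Administration", 2048, 1024),
        BwClass("Sales", 2048, UNLIMITED),
        BwClass("Marketing", 2048, UNLIMITED),
        BwClass("Research", 2048, UNLIMITED),
    ]
    return allot(10240, classes, maximize)


if __name__ == "__main__":
    for m in (False, True):
        print("maximize on " if m else "maximize off", manual_example(m))
```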
Figure 269 ADVANCED > BW MGMT > Class Setup
The following table describes the labels in this screen.
Table 145 ADVANCED > BW MGMT > Class Setup
Interface: Select an interface for which you want to set up bandwidth management classes. Bandwidth management controls outgoing traffic on an interface, not incoming. So, in order to limit the download bandwidth of the LAN users, set the bandwidth management class on the LAN interface.
Destination Port: This is the destination port for connections to which this bandwidth management class applies.
Source IP Address: This is the source IP address for connections to which this bandwidth management class applies.
Source Port: This is the source port for connections to which this bandwidth management class applies.
Figure 270 ADVANCED > BW MGMT > Class Setup > Add Sub-Class
The following table describes the labels in this screen.
Table 146 ADVANCED > BW MGMT > Class Setup > Add Sub-Class
Class Configuration
Class Name: Use the auto-generated name or enter a descriptive name of up to 20 alphanumeric characters, including spaces.
Bandwidth Budget (kbps): Specify the maximum bandwidth allowed for the class in kbps.
Enable Bandwidth Filter: Select Enable Bandwidth Filter to have the ZyWALL use this bandwidth filter when it performs bandwidth management. You must enter a value in at least one of the following fields (other than the Subnet Mask fields, which are only available when you enter the destination or source IP address).
Source Address Type: Do you want your rule to apply to packets coming from a particular (single) IP address, a range of IP addresses (for example 192.168.1.10 to 192.169.1.50) or a subnet? Select Single Address, Range Address or Subnet Address.
Source IP Address: Enter the single IP address or the starting IP address in a range here.
• The Research Software and Hardware classes can both borrow unused bandwidth from the Research class because the Research Software and Hardware classes both have bandwidth borrowing enabled.
• The Research Software and Hardware classes can also borrow unused bandwidth from the Root class because the Research class also has bandwidth borrowing enabled.
25.
25.6 The Monitor Screen
Click ADVANCED > BW MGMT > Monitor to open the following screen. Use this screen to view the device's bandwidth usage and allotments.
Figure 272 ADVANCED > BW MGMT > Monitor
The following table describes the labels in this screen.
Interface: Select an interface from the drop-down list box to view the bandwidth usage of its bandwidth classes.
Class: This field displays the name of the bandwidth class.
CHAPTER 26 DNS Screens
26.1 Overview
This chapter shows you how to configure the DNS screens. DNS (Domain Name System) maps a domain name to its corresponding IP address and vice versa. The DNS server is extremely important because without it, you must know the IP address of a machine before you can access it. The ZyWALL uses a system DNS server (in the order you specify in the DNS System screen) to resolve domain names for features such as VPN, DDNS and the time server.
26.1.
Chapter 26 DNS Screens
3 You can manually enter the IP addresses of other DNS servers. These servers can be public or private. A DNS server could even be behind a remote IPSec router (see Section on page 480).
Address Record
An address record contains the mapping of a fully qualified domain name (FQDN) to an IP address. An FQDN consists of a host and domain name and includes the top-level domain. For example, www.zyxel.com.
Figure 273 Private DNS Server Example
Note: If you do not specify an Intranet DNS server on the remote network, then the VPN host must use IP addresses to access the computers on the remote private network.
DDNS
DDNS (Dynamic DNS) allows you to update your current dynamic IP address with one or many dynamic DNS services so that anyone can contact you (in NetMeeting, CU-SeeMe, etc.).
Figure 274 ADVANCED > DNS > System DNS
The following table describes the labels in this screen.
Address Record: An address record specifies the mapping of a fully qualified domain name (FQDN) to an IP address. An FQDN consists of a host and domain name and includes the top-level domain. For example, www.zyxel.com.tw is a fully qualified domain name, where "www" is the host, "zyxel" is the second-level domain, and "com.tw" is the top-level domain.
Domain Zone: A domain zone is a fully qualified domain name without the host. For example, zyxel.com.tw is the domain zone for the www.zyxel.com.tw fully qualified domain name.
From: This field displays whether the IP address of a DNS server comes from a WAN interface (and which one) or was specified by the user.
DNS Server: This is the IP address of a DNS server.
Modify: Click a triangle icon to move the record up or down in the list.
The following table describes the labels in this screen.
Table 148 ADVANCED > DNS > Add (Address Record)
FQDN: Type a fully qualified domain name (FQDN) of a server. An FQDN starts with a host name and continues all the way up to the top-level domain name. For example, www.zyxel.com.tw is a fully qualified domain name, where "www" is the host, "zyxel" is the second-level domain, and "com.tw" is the top-level domain.
The following table describes the labels in this screen.
Domain Zone: This field is optional. A domain zone is a fully qualified domain name without the host. For example, zyxel.com.tw is the domain zone for the www.zyxel.com.tw fully qualified domain name. Whenever the ZyWALL needs to resolve a zyxel.com.tw domain name, it can send a query to the recorded name server IP address.
Figure 277 ADVANCED > DNS > Cache
The following table describes the labels in this screen.
DNS Cache Setup
Cache Positive DNS Resolutions: Select the check box to record positive DNS resolutions in the cache. Caching positive DNS resolutions helps speed up the ZyWALL's processing of commonly queried domain names and reduces the amount of traffic that the ZyWALL sends out to the WAN.
Maximum TTL: Type the maximum time to live (TTL) (60 to 3600 seconds).
Remaining Time (sec): This is the number of seconds left before the DNS resolution entry is discarded from the cache.
Modify: Click the delete icon to remove the DNS resolution entry from the cache.
26.4 The DHCP Screen
Click ADVANCED > DNS > DHCP to open the DNS DHCP screen shown next. Use this screen to configure the DNS server information that the ZyWALL sends to its LAN, DMZ or WLAN DHCP clients.
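The behaviour of the DNS cache screen described above, as an added Python model that is not ZyXEL's code: only positive resolutions are cached, each record's TTL is clamped to the configured Maximum TTL (60 to 3600 seconds), and Remaining Time (sec) counts down to the entry's removal. Clamping bounds how long a stale or wrong upstream answer can linger on the device; the domain is the manual's www.zyxel.com.tw, the IP addresses and times are constructed.

```python
"""Model of a positive-only DNS cache with a configurable Maximum TTL (added example)."""
from typing import Dict, Optional, Tuple

MIN_MAX_TTL, MAX_MAX_TTL = 60, 3600  # range the Maximum TTL field accepts, in seconds


def _key(name: str) -> str:
    """Normalise a name: case-insensitive, trailing dot ignored."""
    return name.lower().rstrip(".")


class DnsCache:
    def __init__(self, maximum_ttl: int, cache_positive: bool = True):
        if not MIN_MAX_TTL <= maximum_ttl <= MAX_MAX_TTL:
            raise ValueError("Maximum TTL must be 60 to 3600 seconds")
        self.maximum_ttl = maximum_ttl
        self.cache_positive = cache_positive
        self._entries: Dict[str, Tuple[str, float]] = {}  # name -> (ip, expiry time)

    def store(self, name: str, ip: Optional[str], ttl: int, now: float) -> bool:
        """Record a resolution. Negative answers (ip is None) are never cached; positive
        answers are cached only when the option is enabled, with the TTL capped."""
        if ip is None or not self.cache_positive:
            return False
        self._entries[_key(name)] = (ip, now + min(ttl, self.maximum_ttl))
        return True

    def lookup(self, name: str, now: float) -> Optional[str]:
        """Return the cached IP, or None once the entry has been discarded."""
        self.expire(now)
        hit = self._entries.get(_key(name))
        return hit[0] if hit else None

    def remaining_time(self, name: str, now: float) -> Optional[int]:
        """The Remaining Time (sec) column: seconds left before the entry is dropped."""
        hit = self._entries.get(_key(name))
        if hit is None or hit[1] <= now:
            return None
        return int(hit[1] - now)

    def delete(self, name: str) -> bool:
        """The delete icon in the Modify column: remove a single entry."""
        return self._entries.pop(_key(name), None) is not None

    def expire(self, now: float) -> int:
        """Discard every entry whose TTL has run out; returns how many were dropped."""
        dead = [n for n, (_, exp) in self._entries.items() if exp <= now]
        for n in dead:
            del self._entries[n]
        return len(dead)


def demo() -> dict:
    """Constructed scenario: an upstream TTL of one day is clamped to a 600 s maximum."""
    cache = DnsCache(maximum_ttl=600)
    cache.store("www.zyxel.com.tw", "192.0.2.5", ttl=86400, now=0)  # constructed address
    cache.store("nonexistent.example", None, ttl=300, now=0)        # negative answer: not cached
    return {
        "remaining_at_0": cache.remaining_time("www.zyxel.com.tw", now=0),
        "hit_at_599": cache.lookup("WWW.ZYXEL.COM.TW.", now=599),
        "hit_at_600": cache.lookup("www.zyxel.com.tw", now=600),
        "negative_cached": cache.lookup("nonexistent.example", now=1),
    }
```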
IP: Select From ISP if your ISP dynamically assigns DNS server information (and the ZyWALL's WAN IP address). Use the drop-down list box to select a DNS server IP address that the ISP assigns in the field to the right. Select User-Defined if you have the IP address of a DNS server, and enter it in the field to the right. If you choose User-Defined but leave the IP address set to 0.0.0.0, User-Defined changes to None after you click Apply.
High Availability
A DNS server maps a domain name to a port's IP address. If that WAN port loses its connection, high availability allows the router to substitute another port's IP address for the domain name mapping.
26.6 Configuring the Dynamic DNS Screen
To change your ZyWALL's DDNS settings, click ADVANCED > DNS > DDNS. The screen appears as shown.
Figure 279 ADVANCED > DNS > DDNS
The following table describes the labels in this screen.
Domain Name 1~5: Enter the host names in these fields.
DDNS Type: Select the type of service that you are registered for from your Dynamic DNS service provider if you have selected WWW.DynDNS.COM. Select Dynamic if you have the Dynamic DNS service. Select Static if you have the Static DNS service. Select Custom if you have the Custom DNS service.
Offline: This option is available when Custom is selected in the DDNS Type field.
CHAPTER 27 Remote Management Screens
27.1 Overview
This chapter provides information on the remote management screens. Remote management allows you to determine which services/protocols can access which ZyWALL interface (if any) from which computers. The following figure shows secure and insecure management of the ZyWALL coming in from the WAN. HTTPS and SSH access are secure; HTTP and Telnet access are not.
Figure 280 Secure and Insecure Remote Management From the WAN
27.1.
Chapter 27 Remote Management Screens
27.1.2 What You Need To Know About Remote Management
Firewall Rules
When you configure remote management to allow management from any network except the LAN, you still need to configure a firewall rule to allow access. See Chapter 13 on page 251 for details on configuring firewall rules. You can also disable a service on the ZyWALL by not allowing access for the service/protocol through any of the ZyWALL interfaces.
27.2 HTTPS Example
If you haven't changed the default HTTPS port on the ZyWALL, then in your browser enter "https://ZyWALL IP Address/" as the web site address, where "ZyWALL IP Address" is the IP address or domain name of the ZyWALL you wish to access.
27.2.1 Internet Explorer Warning Messages
When you attempt to access the ZyWALL HTTPS server, a Windows dialog box pops up asking if you trust the server certificate.
Figure 282 Security Certificate 1 (Netscape)
Figure 283 Security Certificate 2 (Netscape)
27.2.3 Avoiding the Browser Warning Messages
The following describes the main reasons that your browser displays warnings about the ZyWALL's HTTPS server certificate and what you can do to avoid seeing the warnings.
• The issuing certificate authority of the ZyWALL's HTTPS server certificate is not one of the browser's trusted certificate authorities.
6a Click REMOTE MGMT. Write down the name of the certificate displayed in the Server Certificate field.
6b Click CERTIFICATES. Find the certificate and check its Subject column. CN stands for the certificate's common name (see Figure 286 on page 496 for an example).
Use this procedure to have the ZyWALL use a certificate with a common name that matches the ZyWALL's actual IP address.
Figure 286 Device-specific Certificate
Click Ignore in the Replace Certificate screen to use the common ZyWALL certificate. You will then see this information in the My Certificates screen.
Figure 287 Common ZyWALL Certificate
27.2.5 Enrolling and Importing SSL Client Certificates (Example)
The SSL client needs a certificate if Authenticate Client Certificates is selected on the ZyWALL.
Figure 288 ZyWALL Trusted CA Screen
The CA sends you a package containing the CA's trusted certificate(s), your personal certificate(s) and a password to install the personal certificate(s).
27.2.6 Installing the CA's Certificate (Example)
1 Double-click the CA's trusted certificate to produce a screen similar to the one shown next.
Figure 289 CA Certificate Example
2 Click Install Certificate and follow the wizard as shown earlier in this appendix.
27.2.7 Installing Your Personal Certificate(s) (Example)
You need a password in advance. The CA may issue the password or you may have to specify it during the enrollment. Double-click the personal certificate given to you by the CA to produce a screen similar to the one shown next.
1 Click Next to begin the wizard.
Figure 290 Personal Certificate Import Wizard 1
2 The file name and path of the certificate you double-clicked should automatically appear in the File name text box. Click Browse if you wish to import a different certificate.
Figure 291 Personal Certificate Import Wizard 2
3 Enter the password given to you by the CA.
Figure 292 Personal Certificate Import Wizard 3
4 Have the wizard determine where the certificate should be saved on your computer, or select Place all certificates in the following store and choose a different location.
Figure 293 Personal Certificate Import Wizard 4
5 Click Finish to complete the wizard and begin the import process.
Figure 294 Personal Certificate Import Wizard 5
6 You should see the following screen when the certificate is correctly installed on your computer.
Figure 295 Personal Certificate Import Wizard 6
27.2.8 Using a Certificate When Accessing the ZyWALL (Example)
Use the following procedure to access the ZyWALL via HTTPS.
1 Enter "https://ZyWALL IP Address/" in your browser's web address field.
Figure 297 SSL Client Authentication
3 You next see the web configurator login screen.
Figure 298 Secure Web Configurator Login Screen
27.2.9 Secure Telnet Using SSH Examples
This section shows two examples of remotely accessing the ZyWALL, one with a command-line SSH client program and one with a graphical one. The configuration and connection steps are similar for most SSH client programs. Refer to your SSH client program's user's guide.
27.2.9.
Figure 299 SSH Example 1: Store Host Key
Enter the password to log in to the ZyWALL. The SMT main menu displays next.
27.2.9.2 Example 2: Linux
This section describes how to access the ZyWALL using the OpenSSH client program that comes with most Linux distributions.
1 Test whether the SSH service is available on the ZyWALL. Enter "telnet 192.168.1.1 22" at a terminal prompt and press [ENTER].
3 The SMT main menu displays next.
27.2.9.3 Secure FTP Using SSH Example
This section shows an example of file transfer using the OpenSSH client program. The configuration and connection steps are similar for other SSH client programs. Refer to your SSH client program's user's guide.
1 Enter "sftp -1 192.168.1.1". This command forces your computer to connect to the ZyWALL for secure file transfer using SSH version 1.
requires it to do so (select Authenticate Client Certificates in the REMOTE MGMT > WWW screen). Authenticate Client Certificates is optional and, if selected, means the SSL client must send the ZyWALL a certificate. You must apply for a certificate for the browser from a CA that is a trusted CA on the ZyWALL. Please refer to the following figure.
1 HTTPS connection requests from an SSL-aware web browser go to port 443 (by default) on the ZyWALL's WS (web server).
Figure 304 ADVANCED > REMOTE MGMT > WWW
The following table describes the labels in this screen.
Table 149 ADVANCED > REMOTE MGMT > WWW
HTTPS Server Certificate: Select the Server Certificate that the ZyWALL will use to identify itself. The ZyWALL is the SSL server and must always authenticate itself to the SSL client (the computer which requests the HTTPS connection with the ZyWALL).
Server Access: Select the interface(s) through which a computer may access the ZyWALL using this service.
Secure Client IP Address: A secure client is a "trusted" computer that is allowed to communicate with the ZyWALL using this service. Select All to allow any computer to access the ZyWALL using this service.
Note: It is recommended that you disable Telnet and FTP when you configure SSH for secure connections.
Figure 306 ADVANCED > REMOTE MGMT > SSH
The following table describes the labels in this screen.
Table 150 ADVANCED > REMOTE MGMT > SSH
Server Host Key: Select the certificate whose corresponding private key is to be used to identify the ZyWALL for SSH connections.
Note: It is recommended that you disable Telnet and FTP when you configure SSH for secure connections.
Figure 307 ADVANCED > REMOTE MGMT > Telnet
The following table describes the labels in this screen.
Table 151 ADVANCED > REMOTE MGMT > Telnet
Server Port: You may change the server port number for a service if needed; however, you must then use the same port number in order to use that service for remote management.
Note: It is recommended that you disable Telnet and FTP when you configure SSH for secure connections.
Figure 308 ADVANCED > REMOTE MGMT > FTP
The following table describes the labels in this screen.
Table 152 ADVANCED > REMOTE MGMT > FTP
Server Port: You may change the server port number for a service if needed; however, you must then use the same port number in order to use that service for remote management.
Figure 309 SNMP Management Model
An SNMP managed network consists of two main types of component: agents and a manager. An agent is a management software module that resides in a managed device (the ZyWALL). An agent translates the local management information from the managed device into a form compatible with SNMP. The manager is the console through which network administrators perform network management functions.
SNMP Traps
The ZyWALL sends traps to the SNMP manager when any one of the following events occurs:
Table 153 SNMP Traps
TRAP # / TRAP NAME / DESCRIPTION
0 / coldStart (defined in RFC-1215) / A trap is sent after booting (power on).
1 / warmStart (defined in RFC-1215) / A trap is sent after booting (software reboot).
The following table describes the labels in this screen.
Table 154 ADVANCED > REMOTE MGMT > SNMP
SNMP Configuration
Get Community: Enter the Get Community, which is the password for incoming Get and GetNext requests from the management station. The default is public and allows all requests.
Set Community: Enter the Set Community, which is the password for incoming Set requests from the management station.
Figure 311 ADVANCED > REMOTE MGMT > DNS
The following table describes the labels in this screen.
Table 155 ADVANCED > REMOTE MGMT > DNS
Server Port: The DNS service port number is 53 and cannot be changed here.
Service Access: Select the interface(s) through which a computer may send DNS queries to the ZyWALL.
Secure Client IP Address: A secure client is a "trusted" computer that is allowed to send DNS queries to the ZyWALL.
Figure 312 ADVANCED > REMOTE MGMT > CNM
The following table describes the labels in this screen.
Table 156 ADVANCED > REMOTE MGMT > CNM
Registration Information
Registration Status: This read-only field displays Not Registered when Enable is not selected. It displays Registering when the ZyWALL first connects with the Vantage CNM server and then Registered after it has been successfully registered with the Vantage CNM server.
Encryption Algorithm: The Encryption Algorithm field is used to encrypt communications between the ZyWALL and the Vantage CNM server. Choose from None (no encryption), DES or 3DES. The Encryption Key field appears when you select DES or 3DES. The ZyWALL must use the same encryption algorithm as the Vantage CNM server.
The client automatically saves any new server public keys. In subsequent connections, the server public key is checked against the saved version on the client computer.
2 Encryption Method
Once the identification is verified, both the client and server must agree on the type of encryption method to use.
CHAPTER 28 UPnP Screens
28.1 Overview
This chapter introduces the Universal Plug and Play feature. This chapter is only applicable when the ZyWALL is in router mode. Universal Plug and Play (UPnP) is a distributed, open networking standard that uses TCP/IP for simple peer-to-peer network connectivity between devices. A UPnP device can dynamically join a network, obtain an IP address, convey its capabilities and learn about other devices on the network.
Chapter 28 UPnP Screens
Cautions with UPnP
The automated nature of NAT traversal applications in establishing their own services and opening firewall ports may present network security issues. Network information and configuration may also be obtained and modified by users in some network environments. When a UPnP device joins a network, it announces its presence with a multicast message. For security reasons, the ZyWALL allows multicast messages on the LAN only.
28.2.1.1 Installing UPnP in Windows Me
Follow the steps below to install UPnP in Windows Me.
1 Click Start, Settings and Control Panel. Double-click Add/Remove Programs.
2 Click on the Windows Setup tab and select Communication in the Components selection box. Click Details.
3 In the Communications window, select the Universal Plug and Play check box in the Components selection box.
4 Click OK to go back to the Add/Remove Programs Properties window and click Next.
28.2.1.2 Installing UPnP in Windows XP
Follow the steps below to install UPnP in Windows XP.
1 Click Start, Settings and Control Panel.
2 Double-click Network Connections.
3 In the Network Connections window, click Advanced in the main menu and select Optional Networking Components …. The Windows Optional Networking Components Wizard window displays.
4 Select Networking Service in the Components selection box and click Details.
28.2.2.1 Auto-discover Your UPnP-enabled Network Device
1 Click Start and Control Panel. Double-click Network Connections. An icon displays under Internet Gateway.
2 Right-click the icon and select Properties.
3 In the Internet Connection Properties window, click Settings to see the port mappings that were automatically created. You may edit or delete the port mappings or click Add to manually add port mappings.
Note: When the UPnP-enabled device is disconnected from your computer, all port mappings will be deleted automatically.
4 Select the Show icon in notification area when connected check box and click OK. An icon displays in the system tray.
5 Double-click the icon to display your current Internet connection status.
28.2.2.2 Web Configurator Easy Access
With UPnP, you can access the web-based configurator on the ZyXEL device without finding out the IP address of the ZyXEL device first.
Follow the steps below to access the web configurator.
1 Click Start and then Control Panel.
2 Double-click Network Connections.
3 Select My Network Places under Other Places.
4 An icon with the description for each UPnP-enabled device displays under Local Network.
5 Right-click the icon for your ZyXEL device and select Invoke. The web configurator login screen displays.
6 Right-click the icon for your ZyXEL device and select Properties. A properties window displays with basic information about the ZyXEL device.
28.3 The UPnP Screen
Click ADVANCED > UPnP to display the UPnP screen.
Figure 314 ADVANCED > UPnP
The following table describes the fields in this screen.
Table 157 ADVANCED > UPnP
UPnP Setup
Device Name: This identifies the ZyXEL device in UPnP applications.
Table 157 ADVANCED > UPnP (continued)
Allow users to make configuration changes through UPnP: Select this check box to allow UPnP-enabled applications to automatically configure the ZyWALL so that they can communicate through the ZyWALL, for example by using NAT traversal. UPnP applications automatically reserve a NAT forwarding port in order to communicate with another UPnP-enabled device; this eliminates the need to manually configure port forwarding for the UPnP enabled a
Table 158 ADVANCED > UPnP > Ports (continued)
#: This is the index number of the UPnP-created NAT mapping rule entry.
Remote Host: This field displays the source IP address (on the WAN) of inbound IP packets. Since this is often a wildcard, the field may be blank. When the field is blank, the ZyWALL forwards all traffic sent to the External Port on the WAN interface to the Internal Client on the Internal Port.
CHAPTER 29 Custom Application Screen
29.1 Overview
Use custom application to have the ZyWALL's ALG, anti-spam, anti-virus, and content filtering features monitor traffic on custom ports, in addition to the default ports.
29.1.1 What You Can Do in the Custom Application Screen
Use the Custom App screen (Section 29.2 on page 529) to configure custom application settings on the ZyWALL.
29.1.
Chapter 29 Custom Application Screen
Note: Changes in the Custom APP screen do not apply to the firewall.
Figure 316 ADVANCED > Custom APP
The following table describes the labels in this screen.
Table 159 ADVANCED > Custom APP
Application: Select the application for which you want the ZyWALL to monitor specific ports. You can use the same application in more than one entry. To remove an entry, select Select a Type.
CHAPTER 30 ALG Screen
30.1 Overview
This chapter covers how to use the ZyWALL's ALG feature to allow certain applications to pass through the ZyWALL. An Application Layer Gateway (ALG) manages a specific protocol (such as SIP, H.323 or FTP) at the application layer. The ZyWALL can function as an ALG to allow certain NAT-unfriendly applications (such as SIP) to operate properly through the ZyWALL.
Chapter 30 ALG Screen
ALG and the Firewall
The ZyWALL uses the dynamic port that the session uses for data transfer to create an implicit temporary firewall rule for the session's traffic. The firewall rule only allows the session's traffic to go through in the direction that the ZyWALL determines from its inspection of the data payload of the application's packets. The firewall rule is automatically deleted after the application's traffic has gone through.
• You must configure the firewall and port forwarding to allow incoming (peer-to-peer) calls from the WAN to a private IP address on the LAN, DMZ or WLAN.
The following example shows H.323 signaling (1) and audio (2) sessions between H.323 devices A and B.
Figure 317 H.
Figure 319 H.323 Calls from the WAN with Multiple Outgoing Calls
• The H.323 ALG operates on TCP packets with a port 1720 destination.
• The ZyWALL allows H.323 audio connections.
• The ZyWALL can also apply bandwidth management to traffic that goes through the H.323 ALG.
SIP
The Session Initiation Protocol (SIP) is an application-layer control (signaling) protocol that handles the setting up, altering and tearing down of voice and multimedia sessions over the Internet.
Figure 320 SIP ALG Example
SIP Signaling Session Timeout
Most SIP clients have an "expire" mechanism indicating the lifetime of signaling sessions. The SIP user agent sends registration packets to the SIP server periodically and keeps the session alive in the ZyWALL. If the SIP client does not have this mechanism and makes no calls during the ZyWALL SIP timeout default (60 minutes), the ZyWALL SIP ALG drops any incoming calls after the timeout period.
Figure 321 ADVANCED > ALG
The following table describes the labels in this screen.
Table 160 ADVANCED > ALG
Enable FTP ALG: Select this check box to allow FTP sessions to pass through the ZyWALL. FTP (File Transfer Program) is a program that enables fast transfer of files, including large files that may not be possible by e-mail.
Enable H.323 ALG: Select this check box to allow H.323 sessions to pass through the ZyWALL. H.
PART V Reports, Logs and Maintenance
Reports Screens (539)
Logs Screens (555)
Maintenance Screens (585)
CHAPTER 31 Reports Screens
31.1 Overview
The Reports screens display statistics about network usage and IDP, anti-virus and anti-spam statistics. You can also configure how reports are emailed.
31.1.1 What You Can Do in the Reports Screens
• Use the Traffic Statistics screen (Section 31.2 on page 539) to view statistics on traffic on an interface.
• Use the IDP screen (Section 31.3 on page 545) to view statistics on intrusion detection.
• Use the Anti-Virus screen (Section 31.
Chapter 31 Reports Screens
Note: The web site hit count may not be 100% accurate because sometimes when an individual web page loads, it may contain references to other web sites that also get counted as hits.
Figure 322 REPORTS > Traffic Statistics
Note: Enabling the ZyWALL's reporting function decreases the overall throughput by about 1 Mbps.
The following table describes the labels in this screen.
Table 161 REPORTS > Traffic Statistics
Report Type: Use the drop-down list box to select the type of reports to display. Web Site Hits displays the web sites that have been visited the most often from the LAN and how many times they have been visited. Protocol/Port displays the protocols or service ports that have been used the most and the amount of traffic for the most used protocols or service ports.
Figure 323 REPORTS > Traffic Statistics: Web Site Hits Example
The following table describes the label in this screen.
Table 162 REPORTS > Traffic Statistics: Web Site Hits Report
LABEL / DESCRIPTION
Web Site: This column lists the domain names of the web sites visited most often from computers on the LAN, DMZ or WLAN. The names are ranked by the number of visits to each web site and listed in descending order with the most visited web site listed first.
Note: Computers take turns using dynamically assigned LAN, DMZ or WLAN IP addresses. The ZyWALL continues recording the bytes sent to or from a LAN, DMZ or WLAN IP address when it is assigned to a different computer.
Figure 324 REPORTS > Traffic Statistics: Host IP Address Example
The following table describes the labels in this screen.
Figure 325 REPORTS > Traffic Statistics: Protocol/Port Example
The following table describes the labels in this screen.
Table 164 REPORTS > Traffic Statistics: Protocol/Port
LABEL / DESCRIPTION
Protocol/Port: This column lists the protocols or service ports for which the most traffic has gone through the ZyWALL. The protocols or service ports are listed in descending order with the most used protocol or service port listed first.
31.2.4 System Reports Specifications
The following table lists detailed specifications on the reports feature.
Table 165 Report Specifications
LABEL / DESCRIPTION
Number of web sites/protocols or ports/IP addresses listed: 20
Hit count limit: Up to 2^32 hits can be counted per web site (a 32-bit counter). The count starts over at 0 if it passes about 4.29 billion.
Bytes count limit: Up to 2^64 bytes can be counted per protocol/port or LAN IP address (a 64-bit counter). The count starts over at 0 if it passes 2^64 bytes.
The following table describes the labels in this screen.
Table 166 REPORTS > IDP
LABEL / DESCRIPTION
Collect Statistics: Select this check box to have the ZyWALL collect IDP statistics. The collection starting time displays after you click Apply. All of the statistics in this screen are for the time period starting at the time displayed here. The format is year, month, day and hour, minute, second.
Figure 327 REPORTS > IDP > Source
The statistics display as follows when you display the top entries by destination.
Figure 328 REPORTS > IDP > Destination
31.4 The Anti-Virus Screen
Click REPORTS > Anti-Virus to display the Anti-Virus screen. This screen displays anti-virus statistics.
The following table describes the labels in this screen.
Table 167 REPORTS > Anti-Virus
LABEL / DESCRIPTION
Collect Statistics: Select this check box to have the ZyWALL collect anti-virus statistics. The collection starting time displays after you click Apply. All of the statistics in this screen are for the time period starting at the time displayed here. The format is year, month, day and hour, minute, second.
Figure 331 REPORTS > Anti-Virus > Destination
31.5 The Anti-Spam Screen
Click REPORTS > Anti-Spam to display the Anti-Spam screen. This screen displays anti-spam statistics.
Figure 332 REPORTS > Anti-Spam
The following table describes the labels in this screen.
Table 168 REPORTS > Anti-Spam
LABEL / DESCRIPTION
Collect Statistics: Select this check box to have the ZyWALL collect anti-spam statistics. The collection starting time displays after you click Apply.
Table 168 REPORTS > Anti-Spam (continued)
LABEL / DESCRIPTION
Phishing Mail Detected: This field displays the number of e-mails that the ZyWALL has classified as phishing.
No Score Mail Detected: This field displays the number of e-mails for which the ZyWALL did not receive a spam score.
Mail Session Forwarded: You can set the action that the ZyWALL takes when an e-mail session goes over the threshold of concurrent sessions that the ZyWALL checks for spam.
Figure 333 REPORTS > Anti-Spam > Source
The statistics display as follows when you display the score distribution.
Figure 334 REPORTS > Anti-Spam > Score Distribution
31.6 The E-mail Report Screen
You can configure the ZyWALL to e-mail a report including the information on network traffic, IDP, anti-virus and anti-spam statistics provided in the report screens. Click REPORTS > E-mail Report to display the following screen.
Figure 335 REPORTS > E-mail Report
The following table describes the labels in this screen.
Table 169 REPORTS > E-mail Report
LABEL / DESCRIPTION
General Setup
Enable E-mail Report: Select this to turn on the e-mail report feature. You must then specify a valid e-mail server in order to send reports.
Table 169 REPORTS > E-mail Report (continued)
LABEL / DESCRIPTION
Send Report Now: Click this to send the report e-mail immediately.
Schedule
Reporting Frequency: Select the frequency of the report e-mail from the drop-down box. Options are None, Hourly, Daily and Weekly. If you select Daily or Weekly, specify a time of day for the ZyWALL to generate and send the report e-mails. If you select Weekly, then also specify which day of the week.
CHAPTER 32 Logs Screens 32.1 Overview In the log screens you can configure general log settings and view the ZyWALL’s logs. The logs cover categories such as system maintenance, system errors, access control, allowed or blocked web sites, blocked web features (such as ActiveX controls, Java and cookies), attacks (such as DoS) and IPSec. 32.1.1 What You Can Do in the Log Screens • Use the View Log screen (Section 32.
Figure 336 LOGS > View Log
The following table describes the labels in this screen.
Table 170 LOGS > View Log
LABEL / DESCRIPTION
Display: The categories that you select in the Log Settings page (see Section 32.3 on page 558) display in the drop-down list box. Select a category of logs to view; select All Logs to view logs from all of the log categories that you selected in the Log Settings page.
5|06/08/2004 05:58:20 |172.21.4.187:137 |ACCESS BLOCK |172.21.255.255:137 Firewall default policy: UDP (W to W/ZW)
Table 171 Log Description Example
LABEL / DESCRIPTION
#: This is log number five.
time: The log was generated on June 8, 2004 at 5:58:20 AM.
source: The log was generated due to a NetBIOS packet sent from IP address 172.21.4.187, port 137.
destination: The NetBIOS packet was sent to the 172.21.255.255 (directed broadcast) address, port 137.
Figure 337 myZyXEL.com: Download Center
3 Click the link in the Certificate Download screen.
Figure 338 myZyXEL.com: Certificate Download
32.3 The Log Settings Screen
To change your ZyWALL’s log settings, click LOGS > Log Settings. The screen appears as shown. Use the Log Settings screen to configure where the ZyWALL is to send logs, the schedule for when the ZyWALL is to send the logs, and which logs and/or immediate alerts the ZyWALL is to send.
Figure 339 LOGS > Log Settings
The following table describes the labels in this screen.
Table 172 LOGS > Log Settings
LABEL / DESCRIPTION
E-mail Settings
Mail Server: Enter the server name or the IP address of the mail server for the e-mail addresses specified below. If this field is left blank, logs and alert messages will not be sent via e-mail.
Table 172 LOGS > Log Settings (continued)
LABEL / DESCRIPTION
Mail Subject: Type a title that you want to be in the subject line of the log e-mail message that the ZyWALL sends.
Mail Sender: Enter the e-mail address that you want to be in the from/sender line of the log e-mail message that the ZyWALL sends. If you activate SMTP authentication, the e-mail address must also be one the mail server can authenticate.
Table 172 LOGS > Log Settings (continued)
LABEL / DESCRIPTION
Active: Some logs (such as the Attacks logs) may be so numerous that it becomes easy to ignore other important log messages. Select this check box to merge logs with identical messages into one log. See the CLI Reference Guide for how to see what log messages will be consolidated.
Log Consolidation Period: Specify the time interval during which the ZyWALL merges logs with identical messages into one log.
Table 173 System Maintenance Logs (continued)
LOG MESSAGE / DESCRIPTION
Starting Connectivity Monitor: Starting Connectivity Monitor.
Time initialized by Daytime Server: The router got the time and date from the Daytime server.
Time initialized by Time server: The router got the time and date from the time server.
Time initialized by NTP server: The router got the time and date from the NTP server.
Table 173 System Maintenance Logs (continued)
LOG MESSAGE / DESCRIPTION
%s: The myZyXEL.com service registration failed due to the error listed. If you are unable to register for services at myZyXEL.com, the error message displayed in this log may be useful when contacting customer support.
Remote node is connecting.: A remote user is connecting using PPP. Other PPP connection requests must wait until this process is complete.
Table 175 Access Control Logs (continued)
LOG MESSAGE / DESCRIPTION
Triangle route packet forwarded: [ TCP | UDP | IGMP | ESP | GRE | OSPF ]: The firewall allowed a triangle route session to pass through.
Packet without a NAT table entry blocked: [ TCP | UDP | IGMP | ESP | GRE | OSPF ]: The router blocked a packet that didn't have a corresponding NAT table entry.
Table 176 TCP Reset Logs (continued)
LOG MESSAGE / DESCRIPTION
Firewall session time out, sent TCP RST: The router sent a TCP reset packet when a dynamic firewall session timed out. The default timeout values are as follows:
ICMP idle timeout: 3 minutes
UDP idle timeout: 3 minutes
TCP connection (three-way handshake) timeout: 270 seconds
TCP FIN-wait timeout: 2 MSL (Maximum Segment Lifetime set in the TCP header).
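To make those timeouts concrete, here is an added example in Python (not ZyWALL firmware) of a minimal stateful session table that applies the defaults listed above and emits the same "sent TCP RST" log when a TCP session expires. The established-TCP idle timeout (3600 s), the MSL value (120 s) and the flag-driven state transitions are assumptions for the illustration; this page does not describe the device's real session engine.

```python
"""Minimal stateful session table with the ZyWALL's default firewall timeouts.

Added example, not ZyWALL firmware. Timeouts from the log description above:
ICMP idle 3 min, UDP idle 3 min, TCP three-way handshake 270 s,
TCP FIN-wait 2 x MSL. MSL (120 s) and the established-TCP idle timeout
(3600 s) are assumed values; the page does not state them.
"""
from dataclasses import dataclass

MSL = 120  # assumed Maximum Segment Lifetime in seconds


@dataclass
class Session:
    key: tuple      # (proto, endpoint_a, endpoint_b), endpoints sorted
    state: str      # ICMP, UDP, TCP_HANDSHAKE, TCP_ESTABLISHED, TCP_FIN_WAIT
    last_seen: float


class SessionTable:
    def __init__(self, tcp_idle=3600, msl=MSL):
        self.timeouts = {
            "ICMP": 180, "UDP": 180, "TCP_HANDSHAKE": 270,
            "TCP_ESTABLISHED": tcp_idle, "TCP_FIN_WAIT": 2 * msl,
        }
        self.sessions = {}
        self.log = []

    @staticmethod
    def _key(proto, src, sport, dst, dport):
        # Both directions of a flow map to one session entry.
        return (proto,) + tuple(sorted([(src, sport), (dst, dport)]))

    def packet(self, now, proto, src, sport, dst, dport, flags=""):
        """Record a packet and return the session's new state."""
        key = self._key(proto, src, sport, dst, dport)
        cur = self.sessions.get(key)
        if proto != "TCP":
            state = proto
        elif cur is None:
            state = "TCP_HANDSHAKE"             # first SYN opens a half-open session
        elif cur.state == "TCP_HANDSHAKE" and "A" in flags and "S" not in flags:
            state = "TCP_ESTABLISHED"           # final ACK of the handshake
        elif "F" in flags:
            state = "TCP_FIN_WAIT"              # either side started teardown
        else:
            state = cur.state
        self.sessions[key] = Session(key, state, now)
        return state

    def expire(self, now):
        """Drop idle sessions; TCP expiries are logged the way the device logs them."""
        expired = []
        for key, s in list(self.sessions.items()):
            if now - s.last_seen > self.timeouts[s.state]:
                del self.sessions[key]
                expired.append(key)
                if key[0] == "TCP":
                    (a, ap), (b, bp) = key[1], key[2]
                    self.log.append(
                        f"Firewall session time out, sent TCP RST {a}:{ap} <-> {b}:{bp}")
        return expired
```

The point of the short handshake and FIN-wait timers is resource protection: a SYN flood or a peer that never finishes a close would otherwise pin entries in the table for the full idle timeout.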
Table 179 CDR Logs
LOG MESSAGE / DESCRIPTION
board %d line %d channel %d, call %d, %s C01 Outgoing Call dev=%x ch=%x %s: The router received the setup requirements for a call. "call" is the reference (count) number of the call. "dev" is the device type (3 is for dial-up, 6 is for PPPoE, 10 is for PPTP). "channel" or "ch" is the call channel ID. For example, "board 0 line 0 channel 0, call 3, C01 Outgoing Call dev=6 ch=0" means the router has dialed to the PPPoE server 3 times.
Table 181 3G Logs (continued)
LOG MESSAGE / DESCRIPTION
3G SIM authentication failed because of no response from SIM card.: SIM card authentication failed because the ZyWALL received a SIM busy message three times when querying for the card status.
3G card has no response, card is restarted.: The card was reset due to no response from the card for a period of time.
3G SIM card PIN code is incorrect.: The specified PIN code does not match the inserted GSM 3G card.
Table 183 Content Filtering Logs
LOG MESSAGE / DESCRIPTION
%s: Keyword blocking: The content of a requested web page matched a user-defined keyword.
%s: Not in trusted web list: The web site is not in a trusted domain, and the router blocks all traffic except trusted domain sites.
%s: Forbidden Web site: The web site is in the forbidden web site list.
%s: Contains ActiveX: The web site contains ActiveX.
%s: Contains Java applet: The web site contains a Java applet.
Table 184 Attack Logs (continued)
LOG MESSAGE / DESCRIPTION
ip spoofing - WAN [ TCP | UDP | IGMP | ESP | GRE | OSPF ]: The firewall detected an IP spoofing attack on the WAN port.
ip spoofing - WAN ICMP (type:%d, code:%d): The firewall detected an ICMP IP spoofing attack on the WAN port.
icmp echo : ICMP (type:%d, code:%d): The firewall detected an ICMP echo attack.
syn flood TCP: The firewall detected a TCP SYN flood attack.
Table 185 Remote Management Logs
LOG MESSAGE / DESCRIPTION
Remote Management: FTP denied: Attempted use of the FTP service was blocked according to remote management settings.
Remote Management: TELNET denied: Attempted use of the TELNET service was blocked according to remote management settings.
Remote Management: HTTP or UPnP denied: Attempted use of the HTTP or UPnP service was blocked according to remote management settings.
Table 187 IPSec Logs
LOG MESSAGE / DESCRIPTION
Discard REPLAY packet: The router received and discarded a packet whose sequence number was already seen or fell outside the anti-replay window.
Inbound packet authentication failed: The router received a packet whose integrity check failed. A third party may have altered or tampered with the packet.
Receive IPSec packet, but no corresponding tunnel exists: The router dropped an inbound packet whose SPI did not match any phase 2 SA.
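The "Discard REPLAY packet" and "Inbound packet authentication failed" entries are the two outcomes of standard ESP inbound processing. The following is an added example in Python (not ZyWALL code) of the sliding anti-replay window in the style of RFC 4303 Appendix A, showing why the window must only be advanced after the packet's integrity check value (ICV) verifies: otherwise an attacker could push the window forward with forged packets and cause legitimate traffic to be dropped. The 64-entry window size, the `verify_icv` stand-in and the `icv_ok` packet field are assumptions for the example.

```python
"""ESP anti-replay sliding window (RFC 4303 Appendix A style).

Added example, not ZyWALL code. Each SA tracks the highest sequence number
accepted so far and a bitmap of the last `size` sequence numbers. The window
is updated only after the packet's ICV verifies. The window size (64) and the
verify_icv stand-in are assumptions for the example.
"""


class ReplayWindow:
    def __init__(self, size=64):
        self.size = size
        self.top = 0       # highest sequence number accepted so far
        self.bitmap = 0    # bit i set => sequence number (top - i) already seen

    def check(self, seq):
        """Return (ok, reason) without modifying the window."""
        if seq == 0:
            return False, "sequence number 0 is never valid"
        if seq > self.top:
            return True, "new high"
        diff = self.top - seq
        if diff >= self.size:
            return False, "too old (left of window)"
        if self.bitmap & (1 << diff):
            return False, "replay"
        return True, "inside window, not yet seen"

    def update(self, seq):
        """Mark seq as seen; call only after the packet authenticated."""
        if seq > self.top:
            shift = seq - self.top
            if shift >= self.size:
                self.bitmap = 1                     # everything old falls out
            else:
                self.bitmap = ((self.bitmap << shift) | 1) & ((1 << self.size) - 1)
            self.top = seq
        else:
            self.bitmap |= 1 << (self.top - seq)


def verify_icv(packet):
    """Stand-in for the real ICV check; `icv_ok` is an assumed field."""
    return packet.get("icv_ok", True)


def receive(window, packet, log):
    """Inbound order: replay check, then ICV, then (and only then) window update."""
    seq = packet["seq"]
    ok, why = window.check(seq)
    if not ok:
        log.append(f"Discard REPLAY packet seq={seq} ({why})")
        return False
    if not verify_icv(packet):
        log.append(f"Inbound packet authentication failed seq={seq}")
        return False
    window.update(seq)
    return True
```

A burst of "Discard REPLAY packet" entries on an otherwise healthy tunnel usually means heavy packet reordering (for example across load-balanced WAN links) rather than an attack; a burst of authentication failures with no replays points at key mismatch or in-path modification.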
Table 188 IKE Logs (continued)
LOG MESSAGE / DESCRIPTION
No proposal chosen: Phase 1 or phase 2 parameters don’t match. Please check all protocols / settings. For example, one device being configured for 3DES and the other being configured for DES causes the connection to fail.
Local / remote IPs of incoming request conflict with rule <%d>: The security gateway is set to “0.0.0.0” and the router used the peer’s “Local Address” as the router’s “Remote Address”.
Table 188 IKE Logs (continued)
LOG MESSAGE / DESCRIPTION
ERROR !!! build_id(): Unable to obtain my DSS keys: RSA encryption in phase 1 failed because the ZyWALL did not receive the DSS (Digital Signature Standard) keys.
Build Phase 1 ID: The router has started to build the phase 1 ID.
Adjust TCP MSS to %d: The router automatically changed the TCP Maximum Segment Size value after establishing a tunnel.
Table 188 IKE Logs (continued)
LOG MESSAGE / DESCRIPTION
Rule [%d] Tunnel built successfully: The listed rule’s IPSec tunnel has been built successfully.
Rule [%d] Peer's public key not found: The listed rule’s IKE phase 1 peer’s public key was not found.
Rule [%d] Verify peer's signature failed: The listed rule’s IKE phase 1 verification of the peer’s signature failed.
Rule [%d] Sending IKE request: IKE sent an IKE request for the listed rule.
Table 189 PKI Logs (continued)
LOG MESSAGE / DESCRIPTION
Enrollment failed: The CMP online certificate enrollment failed. The Destination field records the certification authority server’s IP address and port.
Failed to resolve: The CMP online certificate enrollment failed because the certification authority server’s IP address cannot be resolved.
CODE / DESCRIPTION
8: Certificate was not added to the cache.
9: Certificate decoding failed.
10: Certificate was not found (anywhere).
11: Certificate chain looped (did not find trusted root).
12: Certificate contains critical extension that was not handled.
13: Certificate issuer was not valid (CA specific information missing).
14: (Not used)
15: CRL is too old.
16: CRL is not valid.
17: CRL signature was not verified correctly.
18: CRL was not found (anywhere).
Table 190 802.1X Logs (continued)
LOG MESSAGE / DESCRIPTION
User logout because of no authentication response from user.: The router logged out a user from which there was no authentication response.
User logout because of idle timeout expired.: The router logged out a user whose idle timeout period expired.
User logout because of user request.: A user logged out.
Local User Database does not support authentication method.
Table 191 ACL Setting Notes (continued)
PACKET DIRECTION / DIRECTION / DESCRIPTION
(D to WL): DMZ to WLAN: ACL set for packets traveling from the DMZ to the WLAN.
(WL to D): WLAN to DMZ: ACL set for packets traveling from the WLAN to the DMZ.
(WL to WL): WLAN to WLAN/ZyWALL: ACL set for packets traveling from the WLAN to the WLAN or the ZyWALL.
Table 192 ICMP Notes (continued)
TYPE / CODE / DESCRIPTION
Information Reply: 16 / 0: Information reply message
Table 193 IDP Logs
LOG MESSAGE / DESCRIPTION
The buffer size is too small!: The buffer for holding IDP information such as the signature file version was too small to hold any more information.
The format of the user config file is incorrect!: There was a format error in the configuration backup file that someone attempted to load into the system.
Table 194 AV Logs (continued)
LOG MESSAGE / DESCRIPTION
SMTP Virus infected - %s!: The device detected a virus in an SMTP connection. The format of %s is “ID” virus ID number, virus name, filename. For example, ID:30001,CIH.Win95,/game.exe.
POP3 Virus infected - %s!: The device detected a virus in a POP3 connection. The format of %s is “ID” virus ID number, virus name, filename. For example, ID:30001,CIH.Win95,/game.exe.
Table 194 AV Logs (continued)
LOG MESSAGE / DESCRIPTION
SMTP Block. The session is over maximum ZIP sessions - %s! %PACKET_DIRECTION%: The number of zip files in SMTP connections has exceeded the maximum number that can be concurrently scanned. “%s” is the name of the zip file which has exceeded the limit.
POP3 Block.
Table 195 AS Logs (continued)
LOG MESSAGE / DESCRIPTION
Mail From:Email address Subject:Mail Subject!: This is the source and subject of an e-mail for which the anti-spam external database query failed.
Remove rating server [%Rating Server IP Address%] from server list!: The listed server IP address has been removed from the list of anti-spam external database servers.
Syslog Logs
There are two types of syslog: event logs and traffic logs. The device generates an event log when a system event occurs, for example, when a user logs in or the device is under attack. The device generates a traffic log when a "session" is terminated. A traffic log summarizes the session's type, when it started and stopped, the amount of traffic that was sent and received, and so on.
Table 196 Syslog Logs (continued)
LOG MESSAGE / DESCRIPTION
Event Log: Mon dd hr:mm:ss hostname src="" dst="" ob="<0|1>" ob_mac="" msg="" note="" devID="" cat="IDP" class="" sid="" act="" count="1": This message is sent by the device ("RAS" displays as the system name if you haven’t configured one) at the time when this syslog is generated.
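Both log forms this chapter shows, the pipe-separated View Log entry of Table 171 and the key="value" syslog event line above, are easy to parse for a SIEM or a quick triage script, and the consolidation option of the Log Settings screen is a small reduction step on top. The following is an added example in Python (not ZyWALL code) that parses both forms, decodes the ACL direction codes from Table 191, and merges identical messages within a consolidation period. The sample lines are constructed for the example (the first view-log line is the one printed in Table 171); the syslog `devID` and hostname values, the 2004 year assumed for the year-less syslog timestamp, and the L = LAN code are assumptions.

```python
"""Parsers for the two log forms this chapter shows, plus log consolidation.

Added example, not ZyWALL code. VIEW_LOG_LINES and SYSLOG_LINE are
constructed samples (the first view-log line is the one printed in Table
171). Direction codes follow the ACL setting notes (W = WAN, D = DMZ,
WL = WLAN, ZW = ZyWALL); L = LAN is assumed from the same convention.
"""
import re
from datetime import datetime

DIRECTION_CODES = {"L": "LAN", "W": "WAN", "D": "DMZ", "WL": "WLAN", "ZW": "ZyWALL"}
DIR_RE = re.compile(r"\((\w+) to (\w+)(?:/(\w+))?\)")
KV_RE = re.compile(r'(\w+)="([^"]*)"')
SYSLOG_RE = re.compile(r"^(\w{3})\s+(\d{1,2}) (\d\d:\d\d:\d\d) (\S+) (.*)$")

VIEW_LOG_LINES = [  # constructed samples; line 5 is the one from Table 171
    "5|06/08/2004 05:58:20 |172.21.4.187:137 |ACCESS BLOCK |172.21.255.255:137 Firewall default policy: UDP (W to W/ZW)",
    "6|06/08/2004 05:58:25 |172.21.4.187:137 |ACCESS BLOCK |172.21.255.255:137 Firewall default policy: UDP (W to W/ZW)",
    "7|06/08/2004 06:10:00 |172.21.4.200:137 |ACCESS BLOCK |172.21.255.255:137 Firewall default policy: UDP (W to W/ZW)",
]
SYSLOG_LINE = ('Jun  8 05:58:20 RAS src="172.21.4.187:137" dst="172.21.255.255:137" '
               'msg="Firewall default policy: UDP (W to W/ZW)" note="ACCESS BLOCK" '
               'devID="00a0c5012345" cat="Access Control" count="1"')  # constructed


def _direction(message, rec):
    """Fill rec["from"]/rec["to"] from a "(X to Y/Z)" suffix, if present."""
    m = DIR_RE.search(message)
    if m:
        codes = [c for c in m.groups() if c]
        rec["from"] = DIRECTION_CODES.get(codes[0], codes[0])
        rec["to"] = "/".join(DIRECTION_CODES.get(c, c) for c in codes[1:])


def parse_view_log(line):
    """Parse a View Log entry in the pipe-separated form printed in Table 171."""
    num, when, src, note, rest = [f.strip() for f in line.split("|", 4)]
    dst, _, message = rest.partition(" ")
    rec = {"num": int(num), "time": datetime.strptime(when, "%m/%d/%Y %H:%M:%S"),
           "src": src, "dst": dst, "note": note, "message": message}
    _direction(message, rec)
    return rec


def parse_syslog(line, year=2004):
    """Parse a syslog event line: BSD timestamp, hostname, then key="value" pairs."""
    m = SYSLOG_RE.match(line)
    if not m:
        raise ValueError("not a ZyWALL syslog event line")
    mon, day, hms, host, body = m.groups()
    rec = dict(KV_RE.findall(body))          # src, dst, msg, note, cat, ...
    rec["host"] = host                       # "RAS" when no system name is set
    rec["time"] = datetime.strptime(f"{year} {mon} {day} {hms}", "%Y %b %d %H:%M:%S")
    rec["message"] = rec.get("msg", "")
    _direction(rec["message"], rec)
    return rec


def consolidate(records, period_s):
    """Merge records with identical message text within period_s seconds.

    Mirrors the Log Consolidation option: the first record of a run is kept
    and later duplicates only raise its count. This hides distinct sources
    behind one line; key on (message, src) instead if that matters to you.
    """
    merged, open_group = [], {}
    for r in sorted(records, key=lambda r: r["time"]):
        i = open_group.get(r["message"])
        if i is not None and (r["time"] - merged[i]["first"]).total_seconds() <= period_s:
            merged[i]["count"] += 1
            merged[i]["last"] = r["time"]
        else:
            merged.append({"message": r["message"], "first": r["time"],
                           "last": r["time"], "count": 1})
            open_group[r["message"]] = len(merged) - 1
    return merged
```

Because the syslog line carries no year and the device's clock is only as good as its time source (see the Time and Date screen in the next chapter), correlate on the receiving collector's arrival time as well as the embedded timestamp.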
CHAPTER 33 Maintenance Screens 33.1 Overview This chapter displays information on the maintenance screens. The maintenance screens can help you view system information, upload new firmware, manage configuration and restart your ZyWALL. 33.1.1 What You Can Do in the Maintenance Screens • Use the General Setup screen (Section 33.2 on page 585) to configure administrative and system-related information. • Use the Password screen (Section 33.3 on page 586) to change the ZyWALL’s management password.
• In Windows XP, click Start, My Computer, View system information and then click the Computer Name tab. Note the entry in the Full computer name field and enter it as the ZyWALL System Name.
Click MAINTENANCE to open the General screen. Use this screen to configure administrative and system-related information.
Figure 340 MAINTENANCE > General Setup
The following table describes the labels in this screen.
Figure 341 MAINTENANCE > Password
The following table describes the labels in this screen.
Table 199 MAINTENANCE > Password
LABEL / DESCRIPTION
Old Password: Type the default password or the existing password you use to access the system in this field. If you forget the password, you may have to use the hardware RESET button. This restores the default password of 1234.
New Password: Type your new system password (up to 30 characters).
When the ZyWALL uses the NTP time server pools, it randomly selects one pool and tries to synchronize with a server in it. If the synchronization fails, then the ZyWALL goes through the rest of the list in order from the first one tried until either it is successful or all the predefined NTP time server pools have been tried.
Resetting the Time
The ZyWALL resets the time in the following instances:
• When you click Synchronize Now.
• On saving your changes.
Table 200 MAINTENANCE > Time and Date (continued)
LABEL / DESCRIPTION
Manual: Select this radio button to enter the time and date manually. If you configure a new time and date, Time Zone and Daylight Saving at the same time, the new time and date you entered has priority and the Time Zone and Daylight Saving settings do not affect it.
New Time (hh:mm:ss): This field displays the last updated time from the time server or the last time configured manually.
Table 200 MAINTENANCE > Time and Date (continued)
LABEL / DESCRIPTION
End Date: Configure the day and time when Daylight Saving Time ends if you selected Enable Daylight Saving. The o'clock field uses the 24-hour format. Here are a couple of examples: Daylight Saving Time ends in the United States on the first Sunday of November. Each time zone in the United States stops using Daylight Saving Time at 2 A.M. local time.
Figure 345 Synchronization Fail
33.5 The Device Mode Screen
Use this screen to configure your ZyWALL as a router or a bridge. In router mode, the ZyWALL functions as a router. In bridge mode, the ZyWALL functions as a transparent firewall (also known as a bridge firewall).
Introduction To Transparent Bridging
A transparent bridge is invisible to the operation of a network in that it does not modify the frames it forwards.
• If no association is found, the frame is flooded to all ports except the inbound port. Broadcasts and multicasts also are flooded in this way.
• If the associated port is the same as the incoming port, then the frame is dropped (filtered).
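The learning and forwarding rules above are the whole of a transparent bridge's data plane. The following is an added example in Python (not ZyWALL firmware) that implements them: learn the source MAC on the inbound port, forward known unicast to its port, flood unknown unicast, broadcast and multicast, and filter frames whose destination is on the inbound port. The port names and the 300-second ageing time are assumptions; the page gives no ageing value.

```python
"""Learning/forwarding logic of a transparent bridge, as described above.

Added example, not ZyWALL firmware. Port names and the 300-second ageing
time are assumptions; the page does not give an ageing value.
"""

BROADCAST = "ff:ff:ff:ff:ff:ff"


def is_group_address(mac):
    """Multicast and broadcast MACs have the low bit of the first octet set."""
    return int(mac.split(":")[0], 16) & 1 == 1


class LearningBridge:
    def __init__(self, ports, age_s=300):
        self.ports = list(ports)
        self.age_s = age_s
        self.table = {}  # source MAC -> (port, last_seen)

    def _age_out(self, now):
        """Forget associations that have not been refreshed within age_s."""
        for mac, (_, seen) in list(self.table.items()):
            if now - seen > self.age_s:
                del self.table[mac]

    def forward(self, now, in_port, src_mac, dst_mac):
        """Return the ports the frame is sent out of; [] means filtered."""
        if in_port not in self.ports:
            raise ValueError(f"unknown port {in_port}")
        self._age_out(now)
        # Learning: the source MAC is reachable via the inbound port.
        self.table[src_mac] = (in_port, now)
        entry = self.table.get(dst_mac)
        if is_group_address(dst_mac) or entry is None:
            # Unknown unicast, broadcast and multicast are flooded.
            return [p for p in self.ports if p != in_port]
        out_port, _ = entry
        if out_port == in_port:
            return []          # destination is on the inbound segment: filter
        return [out_port]
```

Note that the table is learned from unauthenticated frames: a host on one port that transmits with another host's source MAC moves that entry to its own port. Bridge mode is therefore not an access-control mechanism by itself; the firewall rules still decide what crosses between segments.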
Figure 346 MAINTENANCE > Device Mode (Router Mode)
The following table describes the labels in this screen.
Table 202 MAINTENANCE > Device Mode (Router Mode)
LABEL / DESCRIPTION
Current Device Mode
Device Mode: This displays whether the ZyWALL is functioning as a router or a bridge.
Device Mode Setup
Router: When the ZyWALL is in router mode, there is no need to select or clear this radio button.
In bridge mode, the ZyWALL cannot get an IP address from a DHCP server. The LAN, WAN, DMZ and WLAN interfaces all have the same (static) IP address and subnet mask. You can configure the ZyWALL's IP address in order to access the ZyWALL for management. If you connect your computer directly to the ZyWALL, you also need to assign your computer a static IP address in the same subnet as the ZyWALL's IP address in order to access the ZyWALL.
Table 203 MAINTENANCE > Device Mode (Bridge Mode) (continued)
LABEL / DESCRIPTION
Bridge: When the ZyWALL is in bridge mode, there is no need to select or clear this radio button.
IP Address: Click Bridge to go to the Bridge screen where you can view and/or change the bridge settings.
Apply: Click Apply to save your changes back to the ZyWALL.
Warning: Do not turn off the ZyWALL while firmware upload is in progress!
After you see the Firmware Upload in Process screen, wait two minutes before logging into the ZyWALL again.
Figure 349 Firmware Upload In Process
The ZyWALL automatically restarts in this time, causing a temporary network disconnect. In some operating systems, you may see the following icon on your desktop.
33.9 The Backup and Restore Screen
See Section 49.5 on page 733 for transferring configuration files using FTP/TFTP commands.
Click MAINTENANCE > Backup & Restore. Information related to factory defaults, backup configuration, and restoring configuration appears as shown next.
Figure 352 MAINTENANCE > Backup and Restore
Backup Configuration
Backup configuration allows you to back up (save) the ZyWALL’s current configuration to a file on your computer.
After you see a “restore configuration successful” screen, you must then wait one minute before logging into the ZyWALL again.
Figure 353 Configuration Upload Successful
The ZyWALL automatically restarts in this time, causing a temporary network disconnect. In some operating systems, you may see the following icon on your desktop.
Figure 356 Reset Warning Message
You can also press the hardware RESET button to reset the factory defaults of your ZyWALL. Refer to Section 3.3 on page 63 for more information on the RESET button.
33.10 The Restart Screen
System restart allows you to reboot the ZyWALL without turning the power off. Click MAINTENANCE > Restart. Click Restart to have the ZyWALL reboot.
Figure 358 MAINTENANCE > Diagnostics
The following table describes the labels in this screen.
Table 206 MAINTENANCE > Diagnostics
LABEL / DESCRIPTION
General Setup
Enable Diagnostics: Select this option to turn on the diagnostics feature.
Perform Diagnostics when CPU utilization exceeds: Set the ZyWALL to generate and send a diagnostic e-mail every time the CPU usage goes over the specified percent for more than 60 seconds.
Table 206 MAINTENANCE > Diagnostics (continued)
LABEL / DESCRIPTION
Send Report to: Diagnostic files are sent to the e-mail address specified in this field. If this field is left blank, diagnostic files will not be sent via e-mail.
SMTP Authentication: SMTP (Simple Mail Transfer Protocol) is the message-exchange standard for the Internet. SMTP enables you to move messages from one e-mail server to another. Select the check box to activate SMTP authentication.
PART VI SMT
Introducing the SMT (605)
SMT Menu 1 - General Setup (613)
WAN and Dial Backup Setup (619)
LAN Setup (633)
Internet Access (639)
DMZ Setup (645)
Route Setup (649)
Wireless Setup (653)
Remote Node Setup (659)
IP Static Route Setup (669)
Network Address Translation (NAT) (673)
Introducing the ZyWALL Firewall (693)
Filter Configuration (695)
SNMP Configuration (711)
System Information & Diagnosis (713)
Firmware and Configuration File Maintenance (725)
System Maintenance Menus 8 to 10 (739)
Remote
CHAPTER 34 Introducing the SMT This chapter explains how to access the System Management Terminal and gives an overview of its menus. 34.1 Introduction to the SMT The ZyWALL’s SMT (System Management Terminal) is a menu-driven interface that you can access from a terminal emulator through the console port or over a telnet connection. This chapter shows you how to access the SMT (System Management Terminal) menus via console port, how to navigate the SMT and how to configure SMT menus. 34.
Figure 359 Initial Screen
    Copyright (c) 1994 - 2007 ZyXEL Communications Corp.
    initialize ch =0, ethernet address: 00:A0:C5:01:23:45
    initialize ch =1, ethernet address: 00:A0:C5:01:23:46
    initialize ch =2, ethernet address: 00:A0:C5:01:23:47
    initialize ch =3, ethernet address: 00:A0:C5:01:23:48
    initialize ch =4, ethernet address: 00:00:00:00:00:00
    AUX port init . done
    Modem init . inactive
    Press ENTER to continue...
34.2.
Table 207 Main Menu Commands
OPERATION / KEYSTROKES / DESCRIPTION
Move the cursor: [ENTER] or [UP]/[DOWN] arrow keys: Within a menu, press [ENTER] to move to the next field. You can also use the [UP]/[DOWN] arrow keys to move to the previous and the next field, respectively. When you are at the top of a menu, press the [UP] arrow key to move to the bottom of a menu.
Entering information: Fill in, or press [SPACE BAR], then press [ENTER] to select from choices.
Figure 362 Main Menu (Bridge Mode)
    Copyright (c) 1994 - 2007 ZyXEL Communications Corp.
                        ZyWALL 70 Main Menu
    Getting Started                 Advanced Management
      1. General Setup                21. Filter and Firewall Setup
      7. Wireless Setup               22. SNMP Configuration
                                      23. System Password
                                      24. System Maintenance
                                      99. Exit
    Enter Menu Selection Number:
The following table describes the fields in this menu.
Table 208 Main Menu Summary
NO.
Table 208 Main Menu Summary
NO. / MENU TITLE / FUNCTION
26: Schedule Setup: Use this menu to schedule outgoing calls.
99: Exit: Use this menu to exit (necessary for remote configuration).
34.3.2 SMT Menus Overview
The following table gives you an overview of your ZyWALL’s various SMT menus.
Table 209 SMT Menus Overview
MENUS / SUB MENUS
1 General Setup: 1.1 Configure Dynamic DNS
2 WAN Setup: 2.1 Advanced WAN Setup
3 LAN Setup: 3.1 LAN Port Filter Setup, 3.
Table 209 SMT Menus Overview (continued)
MENUS / SUB MENUS
21 Filter and Firewall Setup: 21.1 Filter Set Configuration; 21.1.x Filter Rules Summary; 21.1.x.x Generic Filter Rule; 21.1.x.x TCP/IP Filter Rule; 21.2 Firewall Setup
22 SNMP Configuration
23 System Password
24 System Maintenance: 24.1 System Status; 24.2 System Information and Console Port Speed; 24.2.1 System Information; 24.2.2 Console Port Speed; 24.3 Log and Trace; 24.3.1 View Error Log; 24.3.2 Syslog Logging; 24.
Figure 363 Menu 23: System Password
    Menu 23 - System Password
      Old Password= ?
      New Password= ?
      Retype to confirm= ?
    Enter here to CONFIRM or ESC to CANCEL:
2 Type your existing password and press [ENTER].
3 Type your new system password and press [ENTER].
4 Re-type your new system password for confirmation and press [ENTER].
Note that as you type a password, the screen displays an “x” for each character you type.
34.5 Resetting the ZyWALL
See Section 3.
CHAPTER 35 SMT Menu 1 - General Setup
35.1 Introduction to General Setup
Menu 1 - General Setup contains administrative and system-related information.
35.2 Configuring General Setup
1 Enter 1 in the main menu to open Menu 1 - General Setup.
2 The Menu 1 - General Setup screen appears, as shown next. Fill in the required fields.
Table 210 Menu 1: General Setup (Router Mode) (continued)
FIELD / DESCRIPTION
Device Mode: Press [SPACE BAR] and then [ENTER] to select Router Mode.
Edit Dynamic DNS: Press [SPACE BAR] and then [ENTER] to select Yes or No (default). Select Yes to configure Menu 1.1: Configure Dynamic DNS discussed next.
When you have completed this menu, press [ENTER] at the prompt “Press ENTER to Confirm…” to save your configuration, or press [ESC] at any time to cancel.
35.2.1 Configuring Dynamic DNS
To configure Dynamic DNS, set the ZyWALL to router mode in menu 1 or in the MAINTENANCE Device Mode screen and go to Menu 1 - General Setup and press [SPACE BAR] to select Yes in the Edit Dynamic DNS field. Press [ENTER] to display Menu 1.1 - Configure Dynamic DNS (shown next).
Figure 366 Menu 1.1: Configure Dynamic DNS
    Menu 1.1 - Configure Dynamic DNS
      Service Provider= WWW.DynDNS.
Figure 367 Menu 1.1.1: DDNS Host Summary
    Menu 1.1.
Figure 368 Menu 1.1.1: DDNS Edit Host
    Menu 1.1.1 - DDNS Edit Host
      Hostname= ZyWALL
      DDNS Type= DynamicDNS
      Enable Wildcard Option= Yes
      Enable Off Line Option= N/A
      Bind WAN= 1
      HA= Yes
      IP Address Update Policy:
        Let DDNS Server Auto Detect= Yes
        Use User-Defined= N/A
        Use WAN IP Address= N/A
    Press ENTER to Confirm or ESC to Cancel:
The following table describes the fields in this screen.
Table 214 Menu 1.1.
Table 214 Menu 1.1.1: DDNS Edit Host (continued)
FIELD / DESCRIPTION
IP Address Update Policy: You can select Yes in either the Let DDNS Server Auto Detect field (recommended) or the Use User-Defined field, but not both. With the Let DDNS Server Auto Detect and Use User-Defined fields both set to No, the DDNS server automatically updates the IP address of the host name(s) with the ZyWALL’s WAN IP address. DDNS does not work with a private IP address.
CHAPTER 36 WAN and Dial Backup Setup

This chapter describes how to configure the WAN using menu 2 and dial-backup using menus 2.1 and 11.1.

36.1 Introduction to WAN and Dial Backup Setup

This chapter explains how to configure settings for your WAN and a dial backup connection using the SMT menus.

36.2 WAN Setup

From the main menu, enter 2 to open menu 2.
The following table describes the fields in this screen.

Table 215 MAC Address Cloning in WAN Setup
  (WAN 1/2) MAC Address Assigned By - Press [SPACE BAR] and then [ENTER] to choose one of two methods to assign a MAC address. Choose Factory Default to use the factory-assigned default MAC address. Choose IP address attached on LAN to use the MAC address of the computer whose IP address you give in the following field.
Figure 370 Menu 2: Dial Backup Setup
  Menu 2 - WAN Setup
    WAN 1 MAC Address:
      Assigned By= Factory default
      IP Address= N/A
    WAN 2 MAC Address:
      Assigned By= Factory default
      IP Address= N/A
    Dial-Backup:
      Active= No
      Port Speed= 115200
      AT Command String:
        Init= at&fs0=0
      Edit Advanced Setup= Yes
    Press ENTER to Confirm or ESC to Cancel:

The following table describes the fields in this menu.
To edit the advanced setup for the Dial Backup port, move the cursor to the Edit Advanced Setup field in Menu 2 - WAN Setup, press [SPACE BAR] to select Yes and then press [ENTER].

Figure 371 Menu 2.1: Advanced WAN Setup
  Menu 2.
Table 218 Advanced WAN Port Setup: Call Control Parameters
  Call Control
  Dial Timeout (sec) - Enter the number of seconds the ZyWALL keeps trying to set up an outgoing call before timing out (stopping). The ZyWALL times out and stops if it cannot set up an outgoing call within the timeout value.
  Retry Count - Enter the number of times the ZyWALL retries a busy or no-answer phone number before blacklisting the number.
The following table describes the fields in this menu.

Table 219 Menu 11.3: Remote Node Profile (Backup ISP)
  Rem Node Name - Enter a descriptive name for the remote node. This field can be up to eight characters.
  Active - Press [SPACE BAR] and then [ENTER] to select Yes to enable the remote node or No to disable the remote node.
  Outgoing
  My Login - Enter the login name assigned by your ISP for this remote node.
36.3.4 Editing TCP/IP Options

Move the cursor to the Edit IP field in menu 11.3, then press [SPACE BAR] to select Yes. Press [ENTER] to open Menu 11.3.2 - Remote Node Network Layer Options. Not all fields are available on all models.

Figure 373 Menu 11.3.2: Remote Node Network Layer Options
  Menu 11.3.2 - Remote Node Network Layer Options
    IP Address Assignment= Static
    Rem IP Addr= 0.0.0.0
    Rem Subnet Mask= 0.0.0.0
    My WAN Addr= 0.0.0.
Table 220 Menu 11.3.2: Remote Node Network Layer Options
  Network Address Translation - Network Address Translation (NAT) translates an IP address used within one network (for example, a private IP address used in a local network) to a different IP address known within another network (for example, a public IP address used on the Internet). Press [SPACE BAR] and then [ENTER] to select Full Feature, None or SUA Only.
To handle the first prompt, you specify “ogin: ” as the ‘Expect’ string and “myLogin” as the ‘Send’ string in set 1. The leading “L” is left out so that you do not need to know whether the prompt uses upper or lower case. Similarly, you specify “word: ” as the ‘Expect’ string and your password as the ‘Send’ string for the second prompt in set 2.
The following table describes the fields in this menu.

Table 221 Menu 11.3.3: Remote Node Script
  Active - Press [SPACE BAR] and then [ENTER] to select Yes to enable the AT strings or No to disable them.
  Set 1-6: Expect - Enter an Expect string to match. After matching the Expect string, the ZyWALL returns the string in the Send field.
  Set 1-6: Send - Enter a string to send out after the Expect string is matched.

36.3.
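The Expect/Send mechanism of Menu 11.3.3, as an added example that is not ZyXEL's code: a small chat-script engine that consumes text as it arrives from the ISP, matches the current set's Expect string (so “ogin: ” matches both “Login: ” and “login: ”) and emits the Send string. The ISP dialogue and the placeholder password “s3cret” are constructed for the example.

```python
"""Added example (not ZyXEL code): an Expect/Send chat-script engine
modelled on the six sets of Menu 11.3.3 - Remote Node Script.  Received
text is fed in chunk by chunk; when the current set's Expect string is
seen, its Send string is returned and the engine moves on to the next
set.  The dialogue below is constructed; "s3cret" is a placeholder."""

from dataclasses import dataclass
from typing import List


@dataclass
class ScriptSet:
    expect: str
    send: str


class ChatScript:
    def __init__(self, sets: List[ScriptSet], active: bool = True):
        self.active = active
        self.sets = [s for s in sets if s.expect]   # unused sets (blank Expect) are skipped
        self.current = 0
        self.buffer = ""

    @property
    def finished(self) -> bool:
        return self.current >= len(self.sets)

    def feed(self, chunk: str) -> List[str]:
        """Feed received text; return the Send strings to transmit now.
        Text is buffered so an Expect string split across two reads still matches."""
        out: List[str] = []
        if not self.active:
            return out
        self.buffer += chunk
        while not self.finished:
            s = self.sets[self.current]
            idx = self.buffer.find(s.expect)
            if idx < 0:
                # keep only a tail that could still complete the Expect string
                keep = len(s.expect) - 1
                self.buffer = self.buffer[-keep:] if keep else ""
                break
            # consume everything up to and including the matched prompt
            self.buffer = self.buffer[idx + len(s.expect):]
            out.append(s.send)
            self.current += 1
        return out


def run_dialogue(sets: List[ScriptSet], received: List[str]) -> List[str]:
    """Drive a script with a list of received chunks; return everything it sent."""
    script = ChatScript(sets)
    sent: List[str] = []
    for chunk in received:
        sent.extend(script.feed(chunk))
    return sent


# Sets 1 and 2 as described in the text; sets 3 to 6 left blank.
LOGIN_SCRIPT = [
    ScriptSet("ogin: ", "myLogin"),
    ScriptSet("word: ", "s3cret"),        # constructed placeholder password
    ScriptSet("", ""), ScriptSet("", ""), ScriptSet("", ""), ScriptSet("", ""),
]

if __name__ == "__main__":
    # "Login: " (capital L) and "login: " both satisfy "ogin: "
    print(run_dialogue(LOGIN_SCRIPT, ["Welcome\r\nLog", "in: ", "Pass", "word: "]))
    print(run_dialogue(LOGIN_SCRIPT, ["login: Password: "]))
```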
36.3.7 3G Modem Setup

From the main menu, enter 2 to open menu 2 on a ZyWALL that supports a 3G card.

Note: It is not necessary to configure menu 2 with a Sierra Wireless AC595 3G card.
Table 222 3G Modem Setup in WAN Setup (ZyWALL 5) (continued)
  PIN Code - A PIN (Personal Identification Number) code is a key to a 3G card. Without the PIN code, you cannot use the 3G card. Enter the 4-digit PIN code (0000, for example) provided by your ISP. If you enter the PIN code incorrectly, the 3G card may be blocked by your ISP and you cannot use the account to access the Internet.
Table 223 Menu 11.2: Remote Node Profile (3G WAN) (continued)
  Retype to Confirm - Enter your password again to make sure that you have entered it correctly.
  Authen - This field sets the authentication protocol used for outgoing calls. Options for this field are:
    CHAP/PAP - Your ZyWALL will accept either CHAP or PAP when requested by this remote node.
    CHAP - Accept CHAP only.
    PAP - Accept PAP only.
CHAPTER 37 LAN Setup

This chapter describes how to configure the LAN using Menu 3 - LAN Setup.

37.1 Introduction to LAN Setup

This chapter describes how to configure the ZyWALL for LAN and wireless LAN connections.

37.2 Accessing the LAN Menus

From the main menu, enter 3 to open Menu 3 - LAN Setup.

Figure 378 Menu 3: LAN Setup
  Menu 3 - LAN Setup
    1. LAN Port Filter Setup
    2. TCP/IP and DHCP Setup
    Enter Menu Selection Number:

37.
Figure 379 Menu 3.1: LAN Port Filter Setup
  Menu 3.1 - LAN Port Filter Setup
    Input Filter Sets:
      protocol filters=
      device filters=
    Output Filter Sets:
      protocol filters=
      device filters=
    Press ENTER to Confirm or ESC to Cancel:

37.4 TCP/IP and DHCP Ethernet Setup Menu

From the main menu, enter 3 to open Menu 3 - LAN Setup to configure TCP/IP (RFC 1155) and DHCP Ethernet setup.

Figure 380 Menu 3: TCP/IP and DHCP Setup
  Menu 3 - LAN Setup
    1. LAN Port Filter Setup
    2.
Figure 381 Menu 3.2: TCP/IP and DHCP Ethernet Setup
  Menu 3.2 - TCP/IP and DHCP Ethernet Setup
    DHCP= Server
    Client IP Pool:
      Starting Address= 192.168.1.33
      Size of Client IP Pool= 128
    TCP/IP Setup:
      IP Address= 192.168.1.1
      IP Subnet Mask= 255.255.255.0
      RIP Direction= Both
        Version= RIP-1
      Multicast= None
      Edit IP Alias= No
    DHCP Server Address= N/A
    Press ENTER to Confirm or ESC to Cancel:

Follow the instructions in the next table on how to configure the DHCP fields.

Table 224 Menu 3.
Table 225 Menu 3.2: LAN TCP/IP Setup Fields (continued)
  IP Subnet Mask - Your ZyWALL will automatically calculate the subnet mask based on the IP address that you assign. Unless you are implementing subnetting, use the subnet mask computed by the ZyWALL.
  RIP Direction - Press [SPACE BAR] and then [ENTER] to select the RIP direction. Options are: Both, In Only, Out Only or None.
  Version - Press [SPACE BAR] and then [ENTER] to select the RIP version.
Use the instructions in the following table to configure IP alias parameters.

Table 226 Menu 3.2.1: IP Alias Setup
  IP Alias 1, 2 - Choose Yes to configure the LAN network for the ZyWALL.
  IP Address - Enter the IP address of your ZyWALL in dotted decimal notation.
  IP Subnet Mask - Your ZyWALL will automatically calculate the subnet mask based on the IP address that you assign. Unless you are implementing subnetting, use the subnet mask computed by the ZyWALL.
CHAPTER 38 Internet Access

This chapter shows you how to configure your ZyWALL for Internet access.

38.1 Introduction to Internet Access Setup

Use information from your ISP along with the instructions in this chapter to set up your ZyWALL to access the Internet. There are three different menu 4 screens depending on whether you chose Ethernet, PPTP or PPPoE encapsulation. Contact your ISP to determine what encapsulation type you should use.
Figure 383 Menu 4: Internet Access Setup (Ethernet)
  Menu 4 - Internet Access Setup
    ISP's Name= WAN_1
    Encapsulation= Ethernet
    Service Type= Standard
    My Login= N/A
    My Password= N/A
    Retype to Confirm= N/A
    Login Server= N/A
    Relogin Every (min)= N/A
    IP Address Assignment= Dynamic
    IP Address= N/A
    IP Subnet Mask= N/A
    Gateway IP Address= N/A
    Network Address Translation= SUA Only
    Press ENTER to Confirm or ESC to Cancel:

The following table describes the fields in this menu.
Table 227 Menu 4: Internet Access Setup (Ethernet) (continued)
  Gateway IP Address - Enter the gateway IP address associated with your static IP.
  Network Address Translation - Network Address Translation (NAT) translates an IP address used within one network (for example, a private IP address used in a local network) to a different IP address known within another network (for example, a public IP address used on the Internet).
Figure 384 Internet Access Setup (PPTP)
  Menu 4 - Internet Access Setup
    ISP's Name= WAN_1
    Encapsulation= PPTP
    Service Type= N/A
    My Login=
    My Password= ********
    Retype to Confirm= ********
    Idle Timeout= 100
    IP Address Assignment= Dynamic
    IP Address= N/A
    IP Subnet Mask= N/A
    Gateway IP Address= N/A
    Network Address Translation= SUA Only
    Press ENTER to Confirm or ESC to Cancel:

The following table contains instructions about the new fields when you choose PPTP in the Encapsulation fie
Figure 385 Internet Access Setup (PPPoE)
  Menu 4 - Internet Access Setup
    ISP's Name= WAN_1
    Encapsulation= PPPoE
    Service Type= N/A
    My Login=
    My Password= ********
    Retype to Confirm= ********
    Idle Timeout= 100
    IP Address Assignment= Dynamic
    IP Address= N/A
    IP Subnet Mask= N/A
    Gateway IP Address= N/A
    Network Address Translation= SUA Only
    Press ENTER to Confirm or ESC to Cancel:

The following table contains instructions about the new fields when you choose PPPoE in the Encapsulation
CHAPTER 39 DMZ Setup

This chapter describes how to configure the ZyWALL’s DMZ using Menu 5 - DMZ Setup.

39.1 Configuring DMZ Setup

From the main menu, enter 5 to open Menu 5 - DMZ Setup.

Figure 386 Menu 5: DMZ Setup
  Menu 5 - DMZ Setup
    1. DMZ Port Filter Setup
    2. TCP/IP and DHCP Setup
    Enter Menu Selection Number:

39.2 DMZ Port Filter Setup

This menu allows you to specify the filter sets that you wish to apply to your public server(s) traffic.

Figure 387 Menu 5.1: DMZ Port Filter Setup
  Menu 5.
39.3 TCP/IP Setup

For more detailed information about RIP setup, IP multicast and IP alias, please refer to Chapter 7 on page 149.

39.3.1 IP Address

From the main menu, enter 5 to open Menu 5 - DMZ Setup to configure TCP/IP (RFC 1155).

Figure 388 Menu 5: DMZ Setup
  Menu 5 - DMZ Setup
    1. DMZ Port Filter Setup
    2. TCP/IP and DHCP Setup
    Enter Menu Selection Number:

From menu 5, select the submenu option 2. TCP/IP and DHCP Setup and press [ENTER]. The screen now displays Menu 5.
Note: DMZ, WLAN and LAN IP addresses must be on separate subnets. You must also configure NAT for the DMZ port (see Chapter 44 on page 673) in menus 15.1 and 15.2.

39.3.2 IP Alias Setup

Use menu 5.2 to configure the first network. Move the cursor to the Edit IP Alias field, press [SPACE BAR] to choose Yes and press [ENTER] to open Menu 5.2.1 - IP Alias Setup, as shown next. Use this menu to configure the second and third networks.

Figure 390 Menu 5.2.1: IP Alias Setup
  Menu 5.2.
CHAPTER 40 Route Setup

This chapter describes how to configure the ZyWALL's traffic redirect.

40.1 Configuring Route Setup

From the main menu, enter 6 to open Menu 6 - Route Setup.

Figure 391 Menu 6: Route Setup
  Menu 6 - Route Setup
    1. Route Assessment
    2. Traffic Redirect
    3. Route Failover
    Enter Menu Selection Number:

40.2 Route Assessment

This menu allows you to configure traffic redirect properties.

Figure 392 Menu 6.1: Route Assessment
  Menu 6.
The following table describes the fields in this menu.

Table 230 Menu 6.1: Route Assessment
  Probing WAN 1/2 Check Point - Press [SPACE BAR] and then press [ENTER] to choose Yes to test your ZyWALL's WAN accessibility.
40.4 Route Failover

This menu allows you to configure how the ZyWALL uses the route assessment ping check function.

Figure 394 Menu 6.3: Route Failover
  Menu 6.3 - Route Failover
    Period= 5
    Timeout= 3
    Fail Tolerance= 3
    Press ENTER to Confirm or ESC to Cancel:

The following table describes the fields in this menu.

Table 232 Menu 6.
CHAPTER 41 Wireless Setup

Use menu 7 to set up your ZyWALL as the wireless access point.

41.1 Wireless LAN Setup

Note: If you are configuring the ZyWALL from a computer connected to the wireless LAN and you change the ZyWALL’s ESSID or WEP settings, you will lose your wireless connection when you press [ENTER] to confirm. You must then change the wireless settings of your computer to match the ZyWALL’s new settings.
Note: The settings of all client stations on the wireless LAN must match those of the ZyWALL.

Follow the instructions in the next table on how to configure the wireless LAN parameters.

Table 233 Menu 7.1: Wireless Setup
  Enable Wireless LAN - Press [SPACE BAR] to select Yes to turn on the wireless LAN. The wireless LAN is off by default. Configure wireless LAN security features such as MAC filters and 802.1X before you turn on the wireless LAN.
Table 233 Menu 7.1: Wireless Setup
  Key 1 to Key 4 - The WEP keys are used to encrypt data. Both the ZyWALL and the wireless stations must use the same WEP key for data transmission. If you chose 64-bit WEP in the WEP Encryption field, enter any 5 ASCII characters or 10 hexadecimal characters ("0-9", "A-F"). If you chose 128-bit WEP in the WEP Encryption field, enter 13 ASCII characters or 26 hexadecimal characters ("0-9", "A-F").
The following table describes the fields in this menu.

Table 234 Menu 7.1.1: WLAN MAC Address Filter
  Active - To enable MAC address filtering, press [SPACE BAR] to select Yes and press [ENTER].
  Filter Action - Define the filter action for the list of MAC addresses in the MAC address filter table. To deny access to the ZyWALL, press [SPACE BAR] to select Deny Association and press [ENTER]. MAC addresses not listed will be allowed to access the router.
Figure 398 Menu 7.2: TCP/IP and DHCP Ethernet Setup
  Menu 7.2 - TCP/IP and DHCP Ethernet Setup
    DHCP= None
    Client IP Pool:
      Starting Address= N/A
      Size of Client IP Pool= N/A
    TCP/IP Setup:
      IP Address= 0.0.0.0
      IP Subnet Mask= 0.0.0.0
      RIP Direction= None
        Version= N/A
      Multicast= IGMP-v2
      Edit IP Alias= No
    DHCP Server Address= N/A
    Press ENTER to Confirm or ESC to Cancel:

The DHCP and TCP/IP setup fields are the same as the ones in Menu 3.2 - TCP/IP and DHCP Ethernet Setup.
Figure 399 Menu 7.2.1: IP Alias Setup
  Menu 7.2.1 - IP Alias Setup
    IP Alias 1= No
      IP Address= N/A
      IP Subnet Mask= N/A
      RIP Direction= N/A
        Version= N/A
    IP Alias 2= No
      IP Address= N/A
      IP Subnet Mask= N/A
      RIP Direction= N/A
        Version= N/A
    Enter here to CONFIRM or ESC to CANCEL:

Refer to Table 226 on page 637 for instructions on configuring IP alias parameters.
CHAPTER 42 Remote Node Setup

This chapter shows you how to configure a remote node.

42.1 Introduction to Remote Node Setup

A remote node is required for placing calls to a remote gateway. A remote node represents both the remote gateway and the network behind it across a WAN connection. Note that when you use menu 4 to set up Internet access, you are actually configuring a remote node. The following describes how to configure Menu 11.x (where x is 1 or 2) - Remote Node Profile, Menu 11.x.
42.3 Remote Node Profile Setup

The following explains how to configure the remote node profile menu. Not all fields are available on all models.

42.3.1 Ethernet Encapsulation

There are three variations of menu 11.x depending on whether you choose Ethernet encapsulation, PPPoE encapsulation or PPTP encapsulation. You must choose the Ethernet option when the WAN port is used as a regular Ethernet port. The first menu 11.x screen you see, for Ethernet encapsulation, is shown next.
Table 235 Menu 11.1: Remote Node Profile for Ethernet Encapsulation (continued)
  My Password - Enter the password assigned by your ISP when the ZyWALL calls this remote node. Valid for PPPoE encapsulation only.
  Retype to Confirm - Type your password again to make sure that you have entered it correctly.
  Server - This field is valid only when RoadRunner is selected in the Service Type field.
Figure 402 Menu 11.1: Remote Node Profile for PPPoE Encapsulation
  Menu 11.
42.3.2.3 Metric

See Section on page 171 for details on the Metric field.

Table 236 Fields in Menu 11.1 (PPPoE Encapsulation Specific)
  Service Name - If you are using PPPoE encapsulation, type the name of your PPPoE service here. Only valid with PPPoE encapsulation.
  Authen - This field sets the authentication protocol used for outgoing calls.
Figure 403 Menu 11.1: Remote Node Profile for PPTP Encapsulation
  Menu 11.1 - Remote Node Profile
    Rem Node Name= WAN 1
    Active= Yes
    Route= IP
    Encapsulation= PPTP
    Service Type= Standard
    Edit IP= No
    Telco Option:
      Allocated Budget(min)= 0
      Period(hr)= 0
      Schedules=
      Nailed-Up Connection= No
    Outgoing:
      My Login=
      My Password= ********
      Retype to Confirm= ********
      Authen= CHAP/PAP
    PPTP:
      My IP Addr= 10.0.0.140
      My IP Mask= 255.255.255.0
      Server IP Addr= 10.0.0.
Figure 404 Menu 11.1.2: Remote Node Network Layer Options for Ethernet Encapsulation
  Menu 11.1.
Table 238 Remote Node Network Layer Options Menu Fields (continued)
  NAT Lookup Set - If you select SUA Only in the Network Address Translation field, this field displays 255 and indicates that the SMT will use the pre-configured Set 255 (read only) in menu 15.1. If you select Full Feature or None in the Network Address Translation field, it displays 1, 2 or 3 and indicates that the SMT will use the pre-configured Set 1 in menu 15.1 for the first WAN port, Set 2 in menu 15.
Figure 405 Menu 11.1.4: Remote Node Filter (Ethernet Encapsulation)
  Menu 11.1.4 - Remote Node Filter
    Input Filter Sets:
      protocol filters=
      device filters=
    Output Filter Sets:
      protocol filters=
      device filters=
    Enter here to CONFIRM or ESC to CANCEL:

Figure 406 Menu 11.1.4: Remote Node Filter (PPPoE or PPTP Encapsulation)
  Menu 11.1.
CHAPTER 43 IP Static Route Setup

This chapter shows you how to configure static routes with your ZyWALL.

43.1 IP Static Route Setup

Enter 12 from the main menu. Select one of the IP static routes as shown next to configure IP static routes in menu 12.1.

Note: The first two static route entries are for the default WAN1 and WAN2 routes on a ZyWALL with multiple WAN interfaces. You cannot modify or delete a static default route.
Figure 407 Menu 12: IP Static Route Setup
  Menu 12 - IP Static Route Setup
    1. Reserved
    2. Reserved
    3. ________
    4. ________
    5. ________
    6. ________
    7. ________
    8. ________
    9. ________
    10. ________
    11. ________
    12. ________
    13. ________
    14. ________
    15. ________
    16. ________
    17. ________
    18. ________
    19. ________
    20. ________
    21. ________
    22. ________
    23. ________
    24. ________
    25. ________
    26. ________
    27. ________
    28. ________
    29. ________
    30. ________
    31.
    32.
    33.
    34.
    35.
Table 239 Menu 12.1: Edit IP Static Route
  Destination IP Address - This parameter specifies the IP network address of the final destination. Routing is always based on network number. If you need to specify a route to a single host, use a subnet mask of 255.255.255.255 in the subnet mask field to force the network number to be identical to the host ID.
  IP Subnet Mask - Enter the IP subnet mask for this destination.
CHAPTER 44 Network Address Translation (NAT)

This chapter discusses how to configure NAT on the ZyWALL.

44.1 Using NAT

Note: You must create a firewall rule in addition to setting up SUA/NAT to allow traffic from the WAN to be forwarded through the ZyWALL.

44.1.1 SUA (Single User Account) Versus NAT

SUA (Single User Account) is a ZyNOS implementation of a subset of NAT that supports two types of mapping, Many-to-One and Server. See Section 44.2.
Figure 409 Menu 4: Applying NAT for Internet Access
  Menu 4 - Internet Access Setup
    ISP's Name= ChangeMe
    Encapsulation= Ethernet
    Service Type= Standard
    My Login= N/A
    My Password= N/A
    Retype to Confirm= N/A
    Login Server= N/A
    Relogin Every (min)= N/A
    IP Address Assignment= Dynamic
    IP Address= N/A
    IP Subnet Mask= N/A
    Gateway IP Address= N/A
    Network Address Translation= SUA Only
    Press ENTER to Confirm or ESC to Cancel:

The following figure shows how you apply NAT t
The following table describes the fields in this menu.

Table 240 Applying NAT in Menus 4 & 11.1.2
  Network Address Translation - Full Feature: When you select this option the SMT will use Address Mapping Set 1 (menu 15.1; see Section 44.2.1 on page 676 for further discussion). You can configure any of the mapping types described in Chapter 22 on page 435. Choose Full Feature if you have multiple public WAN IP addresses for your ZyWALL.
Note: Configure DMZ, WLAN and LAN IP addresses in NAT menus 15.1 and 15.2. DMZ, WLAN and LAN IP addresses must be on separate subnets.

44.2.1 Address Mapping Sets

Enter 1 to bring up Menu 15.1 - Address Mapping Sets.

Figure 412 Menu 15.1: Address Mapping Sets
  Menu 15.1 - Address Mapping Sets
    1. NAT_SET
    2. example
    255. SUA (read only)
    Enter Menu Selection Number:

44.2.1.1 SUA Address Mapping Set

Enter 255 to display the next screen (see also Section 44.1.
Note: Menu 15.1.255 is read-only.

Table 241 SUA Address Mapping Rules
  Set Name - This is the name of the set you selected in menu 15.1, or enter the name of a new set you want to create.
  Idx - This is the index or rule number.
  Local Start IP - Local Start IP is the starting local IP address (ILA).
  Local End IP - Local End IP is the ending local IP address (ILA). If the rule is for all local IPs, then the start IP is 0.0.0.0 and the end IP is 255.
Figure 414 Menu 15.1.1: First Set
  Menu 15.1.1 - Address Mapping Rules
    Set Name= NAT_SET
    Idx  Local Start IP   Local End IP      Global Start IP  Global End IP    Type
    ---  ---------------  ---------------   ---------------  ---------------  ------
     1.  0.0.0.0          255.255.255.255   0.0.0.0                           M-1
     2.                                     0.0.0.0                           Server
     3.
     4.
     5.
     6.
     7.
     8.
     9.
    10.
    Action= None    Select Rule= N/A
    Press ENTER to Confirm or ESC to Cancel:

Note: The Type, Local and Global Start/End IPs are configured in menu 15.1.1.
Now if you delete rule 4, rules 5 to 7 move up by one rule, so old rule 5 becomes rule 4, old rule 6 becomes rule 5 and old rule 7 becomes rule 6.

Table 242 Fields in Menu 15.1.1
  Set Name - Enter a name for this set of rules. This is a required field. If this field is left blank, the entire set will be deleted.
Figure 415 Menu 15.1.1.1: Editing/Configuring an Individual Rule in a Set
  Menu 15.1.1.1 Address Mapping Rule
    Type= One-to-One
    Local IP:
      Start=
      End = N/A
    Global IP:
      Start=
      End = N/A
    Server Mapping Set= N/A
    Press ENTER to Confirm or ESC to Cancel:

The following table describes the fields in this menu.

Table 243 Menu 15.1.1.
44.3 Configuring a Server behind NAT

Note: If you do not assign a Default Server IP address, the ZyWALL discards all packets received for ports that are not specified here or in the remote management setup.

Follow these steps to configure a server behind NAT:

1 Enter 15 in the main menu to go to Menu 15 - NAT Setup.
2 Enter 2 to open menu 15.2.

Figure 416 Menu 15.2: NAT Server Sets
  Menu 15.2 - NAT Server Sets
    1. Server Set 1
    2.
4 Select Edit Rule in the Select Command field; type the index number of the NAT server you want to configure in the Select Rule field and press [ENTER] to open Menu 15.2.x.x - NAT Server Configuration (see the next figure).

Figure 418 15.2.x.x: NAT Server Configuration
  15.2.1.2 - NAT Server Configuration
    Wan= 1
    Index= 2
    -----------------------------------------------
    Name= 1
    Active= Yes
    Start port= 21
    End port= 25
    IP Address= 192.168.1.
Figure 419 Menu 15.2.1: NAT Server Setup
  Menu 15.2.1 - NAT Server Setup
    Default Server: 0.0.0.0
    Rule  Act.  Start Port  End Port  IP Address
    ----------------------------------------------
    001   No    0           0         0.0.0.0
    002   Yes   21          25        192.168.1.33
    003   No    0           0         0.0.0.0
    004   No    0           0         0.0.0.0
    005   No    0           0         0.0.0.0
    006   No    0           0         0.0.0.0
    007   No    0           0         0.0.0.0
    008   No    0           0         0.0.0.0
    009   No    0           0         0.0.0.0
    010   No    0           0         0.0.0.
Figure 421 NAT Example 1

Figure 422 Menu 4: Internet Access & NAT Example
  Menu 4 - Internet Access Setup
    ISP's Name= ChangeMe
    Encapsulation= Ethernet
    Service Type= Standard
    My Login= N/A
    My Password= N/A
    Retype to Confirm= N/A
    Login Server= N/A
    Relogin Every (min)= N/A
    IP Address Assignment= Dynamic
    IP Address= N/A
    IP Subnet Mask= N/A
    Gateway IP Address= N/A
    Network Address Translation= SUA Only
    Press ENTER to Confirm or ESC to Cancel:

From menu 4 shown above
44.4.2 Example 2: Internet Access with a Default Server

Figure 423 NAT Example 2

In this case, you do exactly as above (use the convenient pre-configured SUA Only set) and also go to menu 15.2.1 to specify the Default Server behind the NAT as shown in the next figure.

Figure 424 Menu 15.2.1: Specifying an Inside Server
  Menu 15.2.1 - NAT Server Setup
    Default Server: 192.168.1.10
    Rule  Act.
2 Map the second IGA to our second inside FTP server for FTP traffic in both directions (1 : 1 mapping, giving both local and global IP addresses).
3 Map the other outgoing LAN traffic to IGA3 (Many : 1 mapping).
4 You also map your third IGA to the web server and mail server on the LAN. Type Server allows you to specify multiple servers, of different types, to other computers behind NAT on the LAN.
Figure 426 Example 3: Menu 11.1.2
  Menu 11.1.2 - Remote Node Network Layer Options
    IP Address Assignment= Dynamic
    IP Address= N/A
    IP Subnet Mask= N/A
    Gateway IP Addr= N/A
    Network Address Translation= SUA Only
    NAT Lookup Set= 255
    Metric= 1
    Private= N/A
    RIP Direction= None
      Version= N/A
    Multicast= None
    Enter here to CONFIRM or ESC to CANCEL:

The following figure shows how to configure the first rule.

Figure 427 Example 3: Menu 15.1.1.1
  Menu 15.1.1.
Figure 428 Example 3: Final Menu 15.1.1
  Menu 15.1.1 - Address Mapping Rules
    Set Name= Example3
    Idx  Local Start IP   Local End IP      Global Start IP  Global End IP    Type
    ---  ---------------  ---------------   ---------------  ---------------  ---
     1.  192.168.1.10                       10.132.50.1                       1-1
     2.  192.168.1.11                       10.132.50.2                       1-1
     3.  0.0.0.0          255.255.255.255   10.132.50.3                       M-1
     4.                                     10.132.50.
     5.
     6.
     7.
     8.
     9.
    10.
44.4.4 Example 4: NAT Unfriendly Application Programs

Some applications do not support NAT mapping using TCP or UDP port address translation. In this case it is better to use Many-One-to-One mapping, as port numbers do not change for the Many-One-to-One (and One-to-One) NAT mapping types. The following figure illustrates this.
Figure 432 Example 4: Menu 15.1.1: Address Mapping Rules
  Menu 15.1.1 - Address Mapping Rules
    Set Name= Example4
    Idx  Local Start IP   Local End IP      Global Start IP  Global End IP    Type
    ---  ---------------  ---------------   ---------------  ---------------  -----
     1.  192.168.1.10     192.168.1.12      10.132.50.1      10.132.50.3      M-1-1
     2.
     3.
     4.
     5.
     6.
     7.
     8.
     9.
    10.
    Action= Edit    Select Rule=
    Press ENTER to Confirm or ESC to Cancel:

44.
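The address mapping rules of Examples 3 and 4 and the NAT server set of Figure 419 (with the Default Server rule from Section 44.3), as an added example that is not ZyXEL's code: a model of how an outbound (ILA, port) is translated under the 1-1, M-1 and M-1-1 rule types and how an inbound port is sent to an inside server or discarded. Rule order (first matching Idx wins), the port pool used for Many-to-One and the handling of blank End fields are assumptions of the model, not documented ZyNOS behaviour.

```python
"""Added example (not ZyXEL code): a model of menu 15.1 address mapping
rules (Examples 3 and 4) and the menu 15.2.1 NAT server set (Figure 419).

Assumptions, not documented ZyNOS behaviour: rules are tried in Idx order
and the first matching rule wins; Many-to-One assigns a fresh global port
per (local IP, local port) pair starting at 40000; a blank Local End or
Global End field means the same address as the Start field."""

from dataclasses import dataclass, field
from ipaddress import IPv4Address
from typing import Dict, List, Optional, Tuple


def _ip(s: str) -> IPv4Address:
    return IPv4Address(s)


@dataclass
class MappingRule:
    rtype: str                 # "1-1", "M-1", "M-1-1" or "Server"
    local_start: str = ""
    local_end: str = ""
    global_start: str = ""
    global_end: str = ""

    def covers(self, local_ip: str) -> bool:
        """True when local_ip lies in [Local Start IP, Local End IP]."""
        if self.rtype == "Server" or not self.local_start:
            return False               # Server rules describe inbound traffic only
        lo = _ip(self.local_start)
        hi = _ip(self.local_end or self.local_start)
        return lo <= _ip(local_ip) <= hi


@dataclass
class AddressMappingSet:
    name: str
    rules: List[MappingRule]
    next_port: int = 40000                        # assumed PAT port pool start
    pat: Dict[Tuple[str, int], int] = field(default_factory=dict)

    def translate_outbound(self, local_ip: str, local_port: int) -> Optional[Tuple[str, int]]:
        """Map an outgoing (ILA, port) to (IGA, port); None when no rule applies."""
        for rule in self.rules:
            if not rule.covers(local_ip):
                continue
            if rule.rtype == "1-1":
                return rule.global_start, local_port            # port unchanged
            if rule.rtype == "M-1-1":
                # address-by-address mapping of the range; port unchanged
                offset = int(_ip(local_ip)) - int(_ip(rule.local_start))
                iga = _ip(rule.global_start) + offset
                if iga > _ip(rule.global_end or rule.global_start):
                    return None                                 # global range exhausted
                return str(iga), local_port
            if rule.rtype == "M-1":
                # many ILAs share one IGA, so the source port has to be rewritten
                key = (local_ip, local_port)
                if key not in self.pat:
                    self.pat[key] = self.next_port
                    self.next_port += 1
                return rule.global_start, self.pat[key]
        return None


@dataclass
class ServerRule:
    active: bool
    start_port: int
    end_port: int
    ip: str


@dataclass
class NatServerSet:
    default_server: str          # 0.0.0.0 means no default server assigned
    rules: List[ServerRule]

    def translate_inbound(self, dst_port: int) -> Optional[str]:
        """Inside server for a packet arriving at dst_port; None means discard."""
        for r in self.rules:
            if r.active and r.start_port <= dst_port <= r.end_port:
                return r.ip
        if self.default_server != "0.0.0.0":
            return self.default_server
        return None              # no default server: the packet is dropped


# Rule tables from the figures above (Example 3's fourth, truncated rule is
# left out); the server set is Figure 419's.
EXAMPLE3 = AddressMappingSet("Example3", [
    MappingRule("1-1", "192.168.1.10", "", "10.132.50.1"),
    MappingRule("1-1", "192.168.1.11", "", "10.132.50.2"),
    MappingRule("M-1", "0.0.0.0", "255.255.255.255", "10.132.50.3"),
])
EXAMPLE4 = AddressMappingSet("Example4", [
    MappingRule("M-1-1", "192.168.1.10", "192.168.1.12", "10.132.50.1", "10.132.50.3"),
])
SERVER_SET = NatServerSet("0.0.0.0", [
    ServerRule(False, 0, 0, "0.0.0.0"),
    ServerRule(True, 21, 25, "192.168.1.33"),
])

if __name__ == "__main__":
    print(EXAMPLE3.translate_outbound("192.168.1.10", 1025))   # ('10.132.50.1', 1025)
    print(EXAMPLE3.translate_outbound("192.168.1.50", 1025))   # ('10.132.50.3', 40000)
    print(EXAMPLE4.translate_outbound("192.168.1.12", 80))     # ('10.132.50.3', 80)
    print(SERVER_SET.translate_inbound(21))                    # 192.168.1.33
    print(SERVER_SET.translate_inbound(80))                    # None
```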
Note: Only one LAN computer can use a trigger port (range) at a time.

Enter 3 in menu 15 to display Menu 15.3 - Trigger Ports. For a ZyWALL with multiple WAN interfaces, enter 1 or 2 from menu 15.3 to go to Menu 15.3.1 or Menu 15.3.2 - Trigger Port Setup and configure trigger port rules for the first or second WAN interface.

Figure 433 Menu 15.3.1: Trigger Port Setup
  Menu 15.3.
Table 245 Menu 15.3.1: Trigger Port Setup (continued)
  End Port - Enter a port number or the ending port number in a range of port numbers.

Press [ENTER] at the message “Press ENTER to Confirm...” to save your configuration, or press [ESC] at any time to cancel.
CHAPTER 45 Introducing the ZyWALL Firewall

This chapter shows you how to get started with the ZyWALL firewall.

45.1 Using ZyWALL SMT Menus

From the main menu, enter 21 to go to Menu 21 - Filter Set and Firewall Configuration to display the screen shown next.

Figure 434 Menu 21: Filter and Firewall Setup
  Menu 21 - Filter and Firewall Setup
    1. Filter Setup
    2. Firewall Setup
    Enter Menu Selection Number:

45.1.1 Activating the Firewall

Enter option 2 in this menu to bring up the following screen.
Figure 435 Menu 21.2: Firewall Setup
  Menu 21.2 - Firewall Setup
    The firewall protects against Denial of Service (DoS) attacks when it is active. Your network is vulnerable to attacks when the firewall is turned off. Refer to the User's Guide for details about the firewall default policies. You may define additional policy rules or modify existing ones but please exercise extreme caution in doing so.
CHAPTER 46 Filter Configuration

This chapter shows you how to create and apply filters.

46.1 Introduction to Filters

Your ZyWALL uses filters to decide whether to allow passage of a data packet and/or to make a call. There are two types of filter applications: data filtering and call filtering. Filters are subdivided into device and protocol filters, which are discussed later. Data filtering screens the data to determine if the packet should be allowed to pass.
46.1.1 The Filter Structure of the ZyWALL

A filter set consists of one or more filter rules. Usually, you would group related rules, e.g., all the rules for NetBIOS, into a single set and give it a descriptive name. The ZyWALL allows you to configure up to twelve filter sets with six rules in each set, for a total of 72 filter rules in the system. You cannot mix device filter rules and protocol filter rules within the same set.
Figure 437 Filter Rule Process

You can apply up to four filter sets to a particular port to block multiple types of packets. With each filter set having up to six rules, you can have a maximum of 24 rules active for a single port.
46.2 Configuring a Filter Set

The ZyWALL includes filtering for NetBIOS over TCP/IP packets by default. To configure another filter set, follow the procedure below.

1 Enter 21 in the main menu to open menu 21.

Figure 438 Menu 21: Filter and Firewall Setup
  Menu 21 - Filter and Firewall Setup
    1. Filter Setup
    2. Firewall Setup
    Enter Menu Selection Number:

2 Enter 1 to bring up the following menu.

Figure 439 Menu 21.1: Filter Set Configuration
  Menu 21.
Chapter 46 Filter Configuration Table 246 Abbreviations Used in the Filter Rules Summary Menu FIELD DESCRIPTION A Active: “Y” means the rule is active. “N” means the rule is inactive. Type The type of filter rule: “GEN” for Generic, “IP” for TCP/IP. Filter Rules These parameters are displayed here. M More. “Y” means there are more rules to check which form a rule chain with the present rule. An action cannot be taken until the rule chain is complete. “N” means there are no more rules to check.
Chapter 46 Filter Configuration 46.2.2 Configuring a TCP/IP Filter Rule This section shows you how to configure a TCP/IP filter rule. TCP/IP rules allow you to base the rule on the fields in the IP and the upper layer protocol, for example, UDP and TCP headers. To configure TCP/IP rules, select TCP/IP Filter Rule from the Filter Type field and press [ENTER] to open Menu 21.1.x.x - TCP/IP Filter Rule, as shown next. Figure 440 Menu 21.1.1.1: TCP/IP Filter Rule Menu 21.1.1.
Chapter 46 Filter Configuration Table 248 Menu 21.1.1.1: TCP/IP Filter Rule FIELD DESCRIPTION Port # Comp Press [SPACE BAR] and then [ENTER] to select the comparison to apply to the destination port in the packet against the value given in Destination: Port #. Options are None, Equal, Not Equal, Less and Greater. Source IP Addr Enter the source IP Address of the packet you wish to filter. This field is ignored if it is 0.0.0.0. IP Mask Enter the IP mask to apply to the Source: IP Addr.
Chapter 46 Filter Configuration Figure 441 Executing an IP Filter 46.2.3 Configuring a Generic Filter Rule This section shows you how to configure a generic filter rule. The purpose of generic rules is to allow you to filter non-IP packets. For IP, it is generally easier to use the IP rules directly.
Chapter 46 Filter Configuration For generic rules, the ZyWALL treats a packet as a byte stream as opposed to an IP or IPX packet. You specify the portion of the packet to check with the Offset (from 0) and the Length fields, both in bytes. The ZyWALL applies the Mask (bit-wise ANDing) to the data portion before comparing the result against the Value to determine a match. The Mask and Value are specified in hexadecimal numbers.
Chapter 46 Filter Configuration Table 249 Generic Filter Rule Menu Fields FIELD DESCRIPTION Log Select the logging option from the following: None - No packets will be logged. Action Matched - Only packets that match the rule parameters will be logged. Action Not Matched - Only packets that do not match the rule parameters will be logged. Both – All packets will be logged. Action Matched Select the action for a packet matching the rule. Options are Check Next Rule, Forward and Drop.
Chapter 46 Filter Configuration Figure 444 Example Filter: Menu 21.1.3.1 Menu 21.1.3.1 - TCP/IP Filter Rule Filter #: 3,1 Filter Type= TCP/IP Filter Rule Active= Yes IP Protocol= 6 IP Source Route= No Destination: IP Addr= 0.0.0.0 IP Mask= 0.0.0.0 Port #= 23 Port # Comp= Equal Source: IP Addr= 0.0.0.0 IP Mask= 0.0.0.0 Port #= 0 Port # Comp= None TCP Estab= No More= No Log= None Action Matched= Drop Action Not Matched= Forward Press ENTER to Confirm or ESC to Cancel: Press Space Bar to Toggle.
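The rule evaluation described above (rule chains through the More field, the Port # Comp options, the ignored 0.0.0.0 address, and the Offset/Length/Mask/Value check of a generic rule) together with the telnet-blocking rule of Figure 444, modelled in Python as an added example that is not ZyXEL code. The chain semantics (a chain matches only when every rule in it matches and the last rule's two actions decide), forwarding a packet that no rule decides, and the constructed IPX frame are this example's own assumptions.

```python
# Added example, not ZyXEL's code: a model of how a ZyWALL filter set is
# evaluated, covering the TCP/IP rule of Figure 444 and the generic rule.
from dataclasses import dataclass
from ipaddress import IPv4Address
from typing import List, Optional, Union

def port_matches(comp: str, rule_port: int, pkt_port: int) -> bool:
    """Port # Comp options: None, Equal, Not Equal, Less, Greater."""
    if comp == "None":
        return True  # the port is not compared at all
    return {"Equal": pkt_port == rule_port, "Not Equal": pkt_port != rule_port,
            "Less": pkt_port < rule_port, "Greater": pkt_port > rule_port}[comp]

def addr_matches(rule_addr: str, rule_mask: str, pkt_addr: str) -> bool:
    """An address of 0.0.0.0 means the field is ignored; otherwise the IP Mask
    is applied to both sides before comparing."""
    if rule_addr == "0.0.0.0":
        return True
    mask = int(IPv4Address(rule_mask))
    return (int(IPv4Address(pkt_addr)) & mask) == (int(IPv4Address(rule_addr)) & mask)

@dataclass
class Packet:
    src: str = "0.0.0.0"
    dst: str = "0.0.0.0"
    protocol: int = 0      # IP protocol number; 6 = TCP, 17 = UDP
    sport: int = 0
    dport: int = 0
    raw: bytes = b""       # whole frame, examined by generic rules

@dataclass
class TcpIpRule:
    protocol: Optional[int] = None  # None: protocol not checked (modelling choice)
    dst_addr: str = "0.0.0.0"
    dst_mask: str = "0.0.0.0"
    dst_port: int = 0
    dst_comp: str = "None"
    src_addr: str = "0.0.0.0"
    src_mask: str = "0.0.0.0"
    src_port: int = 0
    src_comp: str = "None"
    more: bool = False
    action_matched: str = "Forward"
    action_not_matched: str = "Forward"

    def matches(self, p: Packet) -> bool:
        if self.protocol is not None and p.protocol != self.protocol:
            return False
        return (addr_matches(self.dst_addr, self.dst_mask, p.dst)
                and port_matches(self.dst_comp, self.dst_port, p.dport)
                and addr_matches(self.src_addr, self.src_mask, p.src)
                and port_matches(self.src_comp, self.src_port, p.sport))

@dataclass
class GenericRule:
    offset: int            # bytes from the start of the frame (from 0)
    length: int            # number of bytes to examine
    mask: str              # hex; bit-wise ANDed with the examined bytes
    value: str             # hex; compared with the masked bytes
    more: bool = False
    action_matched: str = "Forward"
    action_not_matched: str = "Forward"

    def matches(self, p: Packet) -> bool:
        window = p.raw[self.offset:self.offset + self.length]
        if len(window) < self.length:
            return False   # frame too short to contain the field
        return (int.from_bytes(window, "big") & int(self.mask, 16)) == int(self.value, 16)

def evaluate_set(rules: List[Union[TcpIpRule, GenericRule]], p: Packet) -> str:
    """Walk a filter set in order and return "Forward" or "Drop".
    More=Yes chains a rule to the next one. Assumption: the chain matches only
    if every rule in it matches, and the last rule's two actions decide."""
    chain_ok = True
    for rule in rules:
        chain_ok = chain_ok and rule.matches(p)
        if rule.more:
            continue       # action deferred until the chain is complete
        action = rule.action_matched if chain_ok else rule.action_not_matched
        chain_ok = True    # the next rule starts a fresh chain
        if action != "Check Next Rule":
            return action
    return "Forward"       # assumption: no rule decided, so the packet passes

def figure_444_set() -> List[TcpIpRule]:
    """Filter set 3 from Figure 444: drop TCP to destination port 23 (telnet)."""
    return [TcpIpRule(protocol=6, dst_port=23, dst_comp="Equal",
                      action_matched="Drop", action_not_matched="Forward")]

def ipx_block_set() -> List[GenericRule]:
    """Generic rule for non-IP traffic: drop Ethernet frames whose EtherType
    (bytes 12-13) is 0x8137, Novell IPX: Offset 12, Length 2, Mask ffff, Value 8137."""
    return [GenericRule(offset=12, length=2, mask="ffff", value="8137",
                        action_matched="Drop", action_not_matched="Forward")]

# Constructed sample frame: dst MAC ff:ff:ff:ff:ff:ff, src MAC 00:13:49:00:00:02,
# EtherType 0x8137, four payload bytes.
IPX_FRAME = bytes.fromhex("ffffffffffff" "001349000002" "8137" "ffff0000")
```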
After you’ve created the filter set, you must apply it.
1 Enter 11 from the main menu to go to menu 11.
2 Enter 1 or 2 to open Menu 11.x - Remote Node Profile.
3 Go to the Edit Filter Sets field, press [SPACE BAR] to select Yes and press [ENTER]. This brings you to menu 11.1.4.
4 Apply a filter set (our example filter set 3) as shown in Figure 449 on page 709.
5 Press [ENTER] to confirm after you enter the set numbers and to leave menu 11.1.4.
46.
46.5.1.1 When To Use Filtering
1 To block/allow LAN packets by their MAC addresses.
2 To block/allow special IP packets which are neither TCP nor UDP, nor ICMP packets.
3 To block/allow both inbound (WAN to LAN) and outbound (LAN to WAN) traffic between the specific inside host/network "A" and outside host/network "B". If the filter blocks the traffic from A to B, it also blocks the traffic from B to A.
If you do not activate the firewall, it is advisable to apply filters.
46.6.1 Applying LAN Filters
LAN traffic filter sets may be useful to block certain packets, reduce traffic and prevent security breaches. Go to menu 3.1 (shown next) and enter the number(s) of the filter set(s) that you want to apply as appropriate. You can choose up to four filter sets (from twelve) by entering their numbers separated by commas, e.g., 3, 4, 6, 11.
46.6.3 Applying Remote Node Filters
Go to menu 11.1.4 (shown below – note that call filter sets are only present for PPPoE encapsulation) and enter the number(s) of the filter set(s) as appropriate. You can cascade up to four filter sets by entering their numbers separated by commas. The ZyWALL already has filters to prevent NetBIOS traffic from triggering calls, and block incoming telnet, FTP and HTTP connections.
Figure 449 Filtering Remote Node Traffic
Menu 11.
CHAPTER 47 SNMP Configuration
This chapter explains SNMP configuration menu 22.
47.1 SNMP Configuration
To configure SNMP, enter 22 from the main menu to display Menu 22 - SNMP Configuration as shown next. The “community” for Get, Set and Trap fields is SNMP terminology for password.
Figure 450 Menu 22: SNMP Configuration
Menu 22 - SNMP Configuration
SNMP:
Get Community= public
Set Community= public
Trusted Host= 0.0.0.0
Trap:
Community= public
Destination= 0.0.0.
Table 250 SNMP Configuration Menu Fields (continued)
FIELD DESCRIPTION
Destination Type the IP address of the station to send your SNMP traps to.
When you have completed this menu, press [ENTER] at the prompt “Press [ENTER] to confirm or [ESC] to cancel” to save your configuration or press [ESC] to cancel and go back to the previous screen.
47.
CHAPTER 48 System Information & Diagnosis
This chapter covers SMT menus 24.1 to 24.4.
48.1 Introduction to System Status
This chapter covers the diagnostic tools that help you to maintain your ZyWALL. These tools include updates on system status, port status and log and trace capabilities. Select menu 24 in the main menu to open Menu 24 - System Maintenance, as shown below.
Figure 451 Menu 24: System Maintenance
Menu 24 - System Maintenance (menu items 1 to 11)
3 There are three commands in Menu 24.1 - System Maintenance - Status. Entering 1 or 2 drops the WAN1 or WAN2 connection, 9 resets the counters and [ESC] takes you back to the previous screen.
Figure 452 Menu 24.1: System Maintenance: Status
Menu 24.
Table 252 System Maintenance: Status Menu Fields (continued)
FIELD DESCRIPTION
Cols This is the number of collisions on this port.
Tx B/s This field shows the transmission speed in Bytes per second on this port.
Rx B/s This field shows the reception speed in Bytes per second on this port.
Up Time This is the total amount of time the line has been up.
Ethernet Address This is the MAC address of the port listed on the left.
Figure 454 Menu 24.2.1: System Maintenance: Information
Menu 24.2.1 - System Maintenance - Information
Name:
Routing: IP
ZyNOS F/W Version: V4.03(WM.0)b1 | 06/29/2007
Country Code: 255
LAN
Ethernet Address: 00:13:49:00:00:02
IP Address: 192.168.1.1
IP Mask: 255.255.255.0
DHCP: Server
Press ESC or RETURN to Exit:
The following table describes the fields in this screen.
Figure 455 Menu 24.2.2: System Maintenance: Change Console Port Speed
Menu 24.2.2 - System Maintenance - Change Console Port Speed
Console Port Speed: 9600
Press ENTER to Confirm or ESC to Cancel:
Press Space Bar to Toggle.
48.4 Log and Trace
There are two logging facilities in the ZyWALL. The first is the error logs and trace records that are stored locally. The second is the UNIX syslog facility for message logging.
48.4.
Figure 457 Examples of Error and Information Messages
(Log entries 52 to 63, dated Thu Jul 1 2004, from the PP05, PINI, PP0d and PSSV subsystems at ERROR, INFO and -WARN level; the screen ends with the prompt "Clear Error Log (y/n):".)
1 CDR
CDR Message Format
SdcmdSyslogSend( SYSLOG_CDR, SYSLOG_INFO, String );
String = board xx line xx channel xx, call xx, str
board = the hardware board ID
line = the WAN ID in a board
Channel = channel ID within the WAN
call = the call reference number which starts from 1 and increments by 1 for each new call
str = C01 Outgoing Call dev xx ch xx (dev:device No. ch:channel No.
Filter log Message Format
SdcmdSyslogSend(SYSLOG_FILLOG, SYSLOG_NOTICE, String );
String = IP[Src=xx.xx.xx.xx Dst=xx.xx.xx.xx prot spo=xxxx dpo=xxxx] S04>R01mD
IP[…] is the packet header and S04>R01mD means filter set 4 (S) and rule 1 (R), match (m) drop (D).
Src: Source Address
Dst: Destination Address
prot: Protocol ("TCP","UDP","ICMP")
spo: Source port
dpo: Destination port
Mar 03 10:39:43 202.132.155.
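A parser for the filter log format above, added here as an example rather than anything from the guide: it assumes the message follows an ordinary syslog prefix (timestamp, host, optional tag), decodes only the codes the guide documents (S set, R rule, m match, D drop) and returns any other letter raw, and the sample lines and the log host 192.168.1.1 are constructed.

```python
# Added example, not ZyXEL's code: parse ZyWALL filter-log syslog lines and
# count dropped packets per source, the check a defender runs over exported
# syslog. Sample lines are constructed; 192.168.1.1 stands in for the log host.
import re
from collections import Counter
from typing import Dict, List, Optional

# Assumption: "<Mmm dd hh:mm:ss> <host> [tag: ]IP[...] Sxx>Ryy<m><a>".
FILTER_LOG = re.compile(
    r"^(?P<stamp>\w{3} \d{2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) (?:\S+: )?"
    r"IP\[Src=(?P<src>[\d.]+) Dst=(?P<dst>[\d.]+) (?P<prot>\w+) "
    r"spo=(?P<spo>\d+) dpo=(?P<dpo>\d+)\] "
    r"S(?P<set>\d+)>R(?P<rule>\d+)(?P<matched>[A-Za-z])(?P<action>[A-Za-z])$"
)

# Only the codes the guide documents are decoded; anything else is returned
# as the raw letter so that nothing is guessed.
MATCH_CODES = {"m": "match"}
ACTION_CODES = {"D": "drop"}

def parse_filter_log(line: str) -> Optional[Dict[str, object]]:
    """Return the fields of one filter log line, or None if it is not one."""
    m = FILTER_LOG.match(line.strip())
    if not m:
        return None
    d = m.groupdict()
    return {
        "stamp": d["stamp"], "host": d["host"],
        "src": d["src"], "dst": d["dst"], "prot": d["prot"],
        "spo": int(d["spo"]), "dpo": int(d["dpo"]),
        "set": int(d["set"]), "rule": int(d["rule"]),
        "matched": MATCH_CODES.get(d["matched"], d["matched"]),
        "action": ACTION_CODES.get(d["action"], d["action"]),
    }

def drops_by_source(lines: List[str]) -> Counter:
    """Count dropped packets per source address; non-filter lines are skipped."""
    counts: Counter = Counter()
    for line in lines:
        rec = parse_filter_log(line)
        if rec and rec["action"] == "drop":
            counts[rec["src"]] += 1
    return counts

def hits_by_rule(lines: List[str]) -> Counter:
    """Count matches per (set, rule) pair, to see which rules actually fire."""
    counts: Counter = Counter()
    for line in lines:
        rec = parse_filter_log(line)
        if rec and rec["matched"] == "match":
            counts[(rec["set"], rec["rule"])] += 1
    return counts

# Constructed sample: the Figure 444 rule (set 3, rule 1) dropping telnet
# attempts, plus one CDR line that the parser must ignore.
SAMPLE_LINES = [
    "Mar 03 10:39:43 192.168.1.1 IP[Src=203.0.113.7 Dst=192.168.1.1 TCP spo=40211 dpo=23] S03>R01mD",
    "Mar 03 10:39:44 192.168.1.1 IP[Src=203.0.113.7 Dst=192.168.1.1 TCP spo=40212 dpo=23] S03>R01mD",
    "Mar 03 10:40:01 192.168.1.1 IP[Src=198.51.100.9 Dst=192.168.1.1 TCP spo=51000 dpo=23] S03>R01mD",
    "Mar 03 10:40:05 192.168.1.1 board 0 line 0 channel 0, call 1, C01 Outgoing Call dev 2 ch 0",
]
```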
5 Firewall log
Firewall Log Message Format
SdcmdSyslogSend(SYSLOG_FIREWALL, SYSLOG_NOTICE, buf);
buf = IP[Src=xx.xx.xx.xx : spo=xxxx Dst=xx.xx.xx.
Figure 459 Call-Triggering Packet Example
(IP frame received on ENET0-RECV at Time: 17:02:44, Size: 44/ 44, Frame Type: IP. The screen lists the IP header fields (IP Version, Header Length, Type of Service, Total Length, Identification, Flags, Fragment Offset, Time to Live, Protocol, Header Checksum, Source IP, Destination IP), the TCP header fields (Source Port, Destination Port, Sequence Number, Ack Number, Header Length, Flags, Window Size, Checksum, Urgent Ptr, Options) and a hex dump beginning 0000: 02 04 02 00.)
Figure 460 Menu 24.4: System Maintenance: Diagnostic (ZyWALL 5)
Menu 24.4 - System Maintenance - Diagnostic
TCP/IP
1. Ping Host
2. WAN DHCP Release
3. WAN DHCP Renewal
4. PPPoE/PPTP/3G Setup Test
System
11. Reboot System
Enter Menu Selection Number:
WAN=
Host IP Address= N/A
48.5.1 WAN DHCP
DHCP functionality can be enabled on the LAN or WAN as shown in Figure 461 on page 723. LAN DHCP has already been discussed.
Table 255 System Maintenance Menu Diagnostic
FIELD DESCRIPTION
Ping Host Enter 1 to ping any machine (with an IP address) on your LAN, DMZ, WLAN or WAN. Enter its IP address in the Host IP Address field below.
WAN DHCP Release Enter 2 to release your WAN DHCP settings.
WAN DHCP Renewal Enter 3 to renew your WAN DHCP settings.
Internet Setup Test or PPPoE/PPTP/3G Setup Test Enter 4 to test the Internet setup.
CHAPTER 49 Firmware and Configuration File Maintenance
This chapter tells you how to back up and restore your configuration file as well as upload new firmware and a new configuration file.
49.1 Introduction
Use the instructions in this chapter to change the ZyWALL’s configuration file or upgrade its firmware. After you configure your ZyWALL, you can back up the configuration file to a computer.
The following table is a summary. Please note that the internal filename refers to the filename on the ZyWALL and the external filename refers to the filename not on the ZyWALL, that is, on your computer, local network or FTP site and so the name (but not the extension) may vary. After uploading new firmware, see the ZyNOS F/W Version field in Menu 24.2.1 - System Maintenance - Information to confirm that you have uploaded the correct firmware version.
Figure 462 Telnet into Menu 24.5
Menu 24.5 - Backup Configuration
To transfer the configuration file to your workstation, follow the procedure below:
1. Launch the FTP client on your workstation.
2. Type "open" and the IP address of your router. Then type "admin" and SMT password as requested.
3. Locate the 'rom-0' file.
4. Type 'get rom-0' to back up the current router configuration to your workstation.
49.3.4 GUI-based FTP Clients
The following table describes some of the commands that you may see in GUI-based FTP clients.
Table 257 General Commands for GUI-based FTP Clients
COMMAND DESCRIPTION
Host Address Enter the address of the host server.
Login Type Anonymous. This is when a user I.D. and password is automatically supplied to the server for anonymous access.
4 Launch the TFTP client on your computer and connect to the ZyWALL. Set the transfer mode to binary before starting data transfer.
5 Use the TFTP client (see the example below) to transfer files between the ZyWALL and the computer. The file name for the configuration file is “rom-0” (rom-zero, not capital o). Note that the telnet connection must be active and the SMT in CI mode before and during the TFTP transfer.
Figure 464 System Maintenance: Backup Configuration
Ready to backup Configuration via Xmodem.
Do you want to continue (y/n):
2 The following screen indicates that the Xmodem download has started.
Figure 465 System Maintenance: Starting Xmodem Download Screen
You can enter ctrl-x to terminate operation any time.
Starting XMODEM download...
3 Run the HyperTerminal program by clicking Transfer, then Receive File as shown in the following screen.
FTP is the preferred method for restoring your current computer configuration to your ZyWALL since FTP is faster. Please note that you must wait for the system to automatically restart after the file transfer is complete.
WARNING! Do not interrupt the file transfer process as this may PERMANENTLY DAMAGE YOUR ZyWALL. When the Restore Configuration process is complete, the ZyWALL will automatically restart.
49.4.
49.4.2 Restore Using FTP Session Example
Figure 469 Restore Using FTP Session Example
ftp> put config.rom rom-0
200 Port command okay
150 Opening data connection for STOR rom-0
226 File received OK
ftp: 16384 bytes sent in 0.06Seconds 273.07Kbytes/sec.
ftp>quit
221 Goodbye for writing flash
Refer to Section 49.3.5 on page 728 to read about configurations that disallow TFTP and FTP over WAN.
49.4.
4 After a successful restoration you will see the following screen. Press any key to restart the ZyWALL and return to the SMT menu.
Figure 473 Successful Restoration Confirmation Screen
Save to ROM
Hit any key to start system reboot.
49.5 Uploading Firmware and Configuration Files
This section shows you how to upload firmware and configuration files. You can upload configuration files by following the procedure in Section 49.
Figure 474 Telnet Into Menu 24.7.1: Upload System Firmware
Menu 24.7.1 - System Maintenance - Upload System Firmware
To upload the system firmware, follow the procedure below:
1. Launch the FTP client on your workstation.
2. Type "open" and the IP address of your system. Then type "admin" and SMT password as requested.
3.
49.5.3 FTP File Upload Command from the DOS Prompt Example
1 Launch the FTP client on your computer.
2 Enter “open”, followed by a space and the IP address of your ZyWALL.
3 Press [ENTER] when prompted for a username.
4 Enter your password as requested (the default is “1234”).
5 Enter “bin” to set transfer mode to binary.
6 Use “put” to transfer files from the computer to the ZyWALL, for example, “put firmware.
2 Put the SMT in command interpreter (CI) mode by entering 8 in Menu 24 – System Maintenance.
3 Enter the command “sys stdio 0” to disable the console timeout, so the TFTP transfer will not be interrupted. Enter the command “sys stdio 5” to restore the five-minute console timeout (default) when the file transfer is complete.
4 Launch the TFTP client on your computer and connect to the ZyWALL. Set the transfer mode to binary before starting data transfer.
Figure 477 Menu 24.7.1 As Seen Using the Console Port
Menu 24.7.1 - System Maintenance - Upload System Firmware
To upload system firmware:
1. Enter "y" at the prompt below to go into debug mode.
2. Enter "atur" after "Enter Debug Mode" message.
3. Wait for "Starting XMODEM upload" message before activating Xmodem upload on your terminal.
4. After successful firmware upload, enter "atgo" to restart the router.
Figure 479 Menu 24.7.2 As Seen Using the Console Port
Menu 24.7.2 - System Maintenance - Upload System Configuration File
To upload system configuration file:
1. Enter "y" at the prompt below to go into debug mode.
2. Enter "atlc" after "Enter Debug Mode" message.
3. Wait for "Starting XMODEM upload" message before activating Xmodem upload on your terminal.
4. After successful firmware upload, enter "atgo" to restart the system.
Warning:
1.
CHAPTER 50 System Maintenance Menus 8 to 10 This chapter leads you through SMT menus 24.8 to 24.10. 50.1 Command Interpreter Mode The Command Interpreter (CI) is a part of the main router firmware. The CI provides much of the same functionality as the SMT, while adding some low-level setup and diagnostic functions. Enter the CI from the SMT by selecting menu 24.8. Access can be by Telnet or by a serial connection to the console port, although some commands are only available with a serial connection.
50.2 Call Control Support
The ZyWALL provides two call control functions: budget management and call history. Please note that this menu is only applicable when Encapsulation is set to PPPoE or PPTP in menu 4 or menu 11.1. The budget management function allows you to set a limit on the total outgoing call time of the ZyWALL within certain times.
The total budget is the time limit on the accumulated time for outgoing calls to a remote node. When this limit is reached, the call will be dropped and further outgoing calls to that remote node will be blocked. After each period, the total budget is reset. The default for the total budget is 0 minutes and the period is 0 hours, meaning no budget control. You can reset the accumulated connection time in this menu by entering the index of a remote node.
Table 260 Call History
FIELD DESCRIPTION
Rate This is the transfer rate of the call.
#call This is the number of calls made to or received from that telephone number.
Max This is the length of time of the longest telephone call.
Min This is the length of time of the shortest telephone call.
Total This is the total length of time of all the telephone calls to/from that telephone number.
You may enter an entry number to delete it or “0” to exit.
50.
Figure 486 Menu 24.10 System Maintenance: Time and Date Setting
Menu 24.10 - System Maintenance - Time and Date Setting
Time Protocol= NTP (RFC-1305)
Time Server Address= 0.pool.ntp.org
Current Time: 08 : 24 : 26
New Time (hh:mm:ss): N/A N/A N/A
Current Date: 2005 - 07 - 27
New Date (yyyy-mm-dd): N/A N/A N/A
Time Zone= GMT
Daylight Saving= No
Start Date (mm-nth-week-hr): Jan. - 1st - Sun. -
End Date (mm-nth-week-hr): Jan. - 1st - Sun. -
Table 261 Menu 24.10 System Maintenance: Time and Date Setting
FIELD DESCRIPTION
Start Date (mm-nth-week-hr) Configure the day and time when Daylight Saving Time starts if you selected Yes in the Daylight Saving field. The hr field uses the 24 hour format. Here are a couple of examples: Daylight Saving Time starts in most parts of the United States on the second Sunday of March. Each time zone in the United States starts using Daylight Saving Time at 2 A.M.
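To check a Start Date or End Date entry before saving it, this added example (not ZyXEL code) resolves an mm-nth-week-hr value to a calendar date for a given year and tells whether a moment falls inside the window, including a window that wraps the year end. The "month - nth - weekday - hr" string form with the abbreviations of Figure 486 and the extra "Last" keyword are this example's own assumptions.

```python
# Added example, not ZyXEL's code: resolve a Start/End Date entry given in
# the mm-nth-week-hr form ("Mar. - 2nd - Sun. - 2") to a date in a given year.
import calendar
from datetime import datetime

WEEKDAYS = {"Mon.": 0, "Tue.": 1, "Wed.": 2, "Thu.": 3, "Fri.": 4, "Sat.": 5, "Sun.": 6}
MONTHS = {abbr + ".": i for i, abbr in enumerate(calendar.month_abbr) if abbr}  # "Mar." -> 3
NTH = {"1st": 1, "2nd": 2, "3rd": 3, "4th": 4}  # "Last" is handled separately (assumption)

def resolve(spec: str, year: int) -> datetime:
    """Return the moment a Daylight Saving boundary falls in `year`.
    `spec` is "month - nth - weekday - hr" with hr in 24-hour format."""
    parts = [p.strip() for p in spec.split("-")]
    if len(parts) != 4:
        raise ValueError("expected mm - nth - week - hr, got %r" % spec)
    month_s, nth_s, day_s, hr_s = parts
    month, weekday, hour = MONTHS[month_s], WEEKDAYS[day_s], int(hr_s)
    if not 0 <= hour <= 23:
        raise ValueError("hr must be 0-23 (24-hour format)")
    first_wd, ndays = calendar.monthrange(year, month)  # weekday of the 1st, days in month
    first = 1 + (weekday - first_wd) % 7                # first such weekday in the month
    if nth_s == "Last":
        day = first + 7 * ((ndays - first) // 7)
    else:
        day = first + 7 * (NTH[nth_s] - 1)
        if day > ndays:
            raise ValueError("%s has no %s %s in %d" % (month_s, nth_s, day_s, year))
    return datetime(year, month, day, hour)

def in_dst(when: datetime, start_spec: str, end_spec: str) -> bool:
    """True if `when` falls inside the configured Daylight Saving window.
    A window that ends before it starts (southern hemisphere) wraps the year."""
    start, end = resolve(start_spec, when.year), resolve(end_spec, when.year)
    if start < end:
        return start <= when < end
    return when >= start or when < end
```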
CHAPTER 51 Remote Management
This chapter covers remote management found in SMT menu 24.11.
51.1 Remote Management
Remote management allows you to determine which services/protocols can access which ZyWALL interface (if any) from which computers.
When you configure remote management to allow management from any network except the LAN, you still need to configure a firewall rule to allow access. See Chapter 13 on page 251 for details on configuring firewall rules.
Figure 487 Menu 24.11 – Remote Management Control
Menu 24.11 - Remote Management Control
TELNET Server: Port = 23 Access = Disable Secure Client IP = 0.0.0.0
FTP Server: Port = 21 Access = LAN+WAN1+DMZ+WLAN+WAN2 Secure Client IP = 0.0.0.0
SSH Server: Certificate = auto_generated_self_signed_cert Port = 22 Access = LAN+WAN1+DMZ+WLAN+WAN2 Secure Client IP = 0.0.0.
HTTPS Server:
HTTP Server:
SNMP Service:
DNS Service:
Table 262 Menu 24.11 – Remote Management Control (continued)
FIELD DESCRIPTION
Authenticate Client Certificates Select Yes by pressing [SPACE BAR], then [ENTER] to require the SSL client to authenticate itself to the ZyWALL by sending the ZyWALL a certificate. To do that the SSL client must have a CA-signed certificate from a CA that has been imported as a trusted CA on the ZyWALL (see Section 27.2.5 on page 496 for details).
CHAPTER 52 IP Policy Routing This chapter covers setting and applying policies used for IP routing. 52.1 IP Routing Policy Summary Menu 25 shows the summary of a policy rule, including the criteria and the action of a single policy, and whether a policy is active or not. Each policy contains two lines. The former part is the criteria of the incoming packet and the latter is the action.
Table 263 Menu 25: Sample IP Routing Policy Summary (continued)
FIELD DESCRIPTION
Criteria/Action This displays the details about to which packets the policy applies and how the policy has the ZyWALL handle those packets. Refer to Table 264 on page 750 for detailed information.
Select Command Press [SPACE BAR] to choose from None, Edit, Delete, Go To Rule, Next Page or Previous Page and then press [ENTER].
2 Select Edit in the Select Command field; type the index number of the rule you want to configure in the Select Rule field and press [ENTER] to open Menu 25.1 - IP Routing Policy Setup (see the next figure).
Figure 489 Menu 25.1: IP Routing Policy Setup
Menu 25.1 - IP Routing Policy Setup
Rule Index= 1
Active= Yes
Criteria:
IP Protocol = 6
Type of Service= Normal
Packet length= 40
Precedence = 0
Len Comp= Equal
Source: addr start= 1.1.1.1 end= 1.1.1.
Table 265 Menu 25.1: IP Routing Policy Setup
FIELD DESCRIPTION
addr start / end Destination IP address range from start to end.
port start / end Destination port number range from start to end; applicable only for TCP/UDP.
Action Specifies whether action should be taken on criteria Matched or Not Matched.
Gateway Type Press [SPACE BAR] and then [ENTER] to select IP Address and enter the IP address of the gateway if you want to specify the IP address of the gateway.
Figure 490 Menu 25.1.1: IP Routing Policy Setup
Menu 25.1.1 - IP Routing Policy Setup
Apply policy to packets received from:
LAN= No
DMZ= No
WLAN= No
ALL WAN= Yes
Selected Remote Node index= N/A
Press ENTER to Confirm or ESC to Cancel:
The following table describes the fields in this screen.
Table 266 Menu 25.1.1: IP Routing Policy Setup
FIELD DESCRIPTION
LAN/DMZ/WLAN/ALL WAN Press [SPACE BAR] to select Yes or No.
Figure 491 Example of IP Policy Routing
To force Web packets coming from clients with IP addresses of 192.168.1.33 to 192.168.1.64 to be routed to the Internet via the WAN port of the ZyWALL, follow the steps as shown next.
1 Create a rule in Menu 25.1 - IP Routing Policy Setup as shown next.
Figure 492 IP Routing Policy Example 1
Menu 25.
2 Select Yes in the LAN field in menu 25.1.1 to apply the policy to packets received on the LAN port.
3 Check Menu 25 - IP Routing Policy Summary to see if the rule is added correctly.
4 Create another rule in menu 25.1 for this rule to route packets from any host (IP=0.0.0.0 means any host) with protocol TCP and port FTP access through another gateway (192.168.1.100).
Figure 493 IP Routing Policy Example 2
Menu 25.
CHAPTER 53 Call Scheduling Call scheduling allows you to dictate when a remote node should be called and for how long. 53.1 Introduction to Call Scheduling The call scheduling feature allows the ZyWALL to manage a remote node and dictate when a remote node should be called and for how long. This feature is similar to the scheduler in a video cassette recorder (you can specify a time period for the VCR to record). You can apply up to 4 schedule sets in Menu 11.1 - Remote Node Profile.
To delete a schedule set, enter the set number and press [SPACE BAR] and then [ENTER] or [DEL] in the Edit Name field.
To set up a schedule set, select the schedule set you want to set up from menu 26 (1-12) and press [ENTER] to see Menu 26.1 - Schedule Set Setup as shown next.
Figure 495 Schedule Set Setup
Menu 26.
Table 267 Schedule Set Setup (continued)
FIELD DESCRIPTION
Day If you selected Weekly in the How Often field above, then select the day(s) when the set should activate (and recur) by going to that day(s) and pressing [SPACE BAR] to select Yes, then press [ENTER].
Start Time Enter the start time when you wish the schedule set to take effect in hour-minute format.
Duration The duration determines how long the ZyWALL is to apply the action configured in the Action field.
Figure 497 Applying Schedule Set(s) to a Remote Node (PPTP)
Menu 11.
PART VII Troubleshooting and Product Specifications
Troubleshooting (763)
Product Specifications (769)
CHAPTER 54 Troubleshooting
This chapter offers some suggestions to solve problems you might encounter. The potential problems are divided into the following categories.
• Power, Hardware Connections, and LEDs
• ZyWALL Access and Login
• Internet Access
• Wireless Router/AP Troubleshooting
• UPnP
54.1 Power, Hardware Connections, and LEDs
The ZyWALL does not turn on. None of the LEDs turn on.
1 Make sure the ZyWALL is turned on.
54.2 ZyWALL Access and Login
I forgot the LAN IP address for the ZyWALL.
1 The default LAN IP address is 192.168.1.1.
2 Use the console port to log in to the ZyWALL.
3 If you changed the IP address and have forgotten it, you might get the IP address of the ZyWALL by looking up the IP address of the default gateway for your computer. To do this in most Windows computers, click Start > Run, enter cmd, and then enter ipconfig.
• If there is a DHCP server on your network, make sure your computer is using a dynamic IP address. See Appendix D on page 795. Your ZyWALL is a DHCP server by default.
6 Reset the device to its factory defaults, and try to access the ZyWALL with the default IP address. See Section 3.3 on page 63.
7 If the problem continues, contact the network administrator or vendor, or try one of the advanced suggestions.
See the troubleshooting suggestions for I cannot see or access the Login screen in the web configurator. Ignore the suggestions about your browser.
I cannot use FTP to upload / download the configuration file. / I cannot use FTP to upload new firmware.
See the troubleshooting suggestions for I cannot see or access the Login screen in the web configurator. Ignore the suggestions about your browser.
54.3 Internet Access
I cannot get a WAN IP address from the ISP.
I cannot access the Internet anymore. I had access to the Internet (with the ZyWALL), but my Internet connection is not available anymore.
1 Check the hardware connections, and make sure the LEDs are behaving as expected. See the Quick Start Guide and Section 2.6 on page 59.
2 Check the schedule rules. Refer to Chapter 53 on page 757 (SMT).
3 If you use PPPoA or PPPoE encapsulation, check the idle time-out setting.
5 Check that both the ZyWALL and your wireless station are using the same wireless and wireless security settings.
6 Make sure traffic between the WLAN and the LAN is not blocked by the firewall on the ZyWALL.
7 Make sure you allow the ZyWALL to be remotely accessed through the WLAN interface. Check your remote management settings.
54.5 UPnP
When using UPnP and the ZyWALL reboots, my computer cannot detect UPnP and refresh My Network Places > Local Network.
CHAPTER 55 Product Specifications The following tables summarize the ZyWALL’s hardware and firmware features. Table 268 Hardware Specifications Dimensions ZyWALL 70: 355(L) x 200(D) x 55(H) mm ZyWALL 5 and ZyWALL 35: 242.0(W) x 175.0(D) x 35.5(H) mm Weight ZyWALL 70: 2,600g ZyWALL 5 and ZyWALL 35: 1,200g Power Specification ZyWALL 70: 100 ~ 240 VAC ZyWALL 5 and ZyWALL 35: 12V DC Fuse Specifications ZyWALL 70: T 0.
Chapter 55 Product Specifications Table 269 Firmware Specifications FEATURE DESCRIPTION Default IP Address 192.168.1.1 Default Subnet Mask 255.255.255.0 (24 bits) Default Password 1234 Default DHCP Pool 192.168.1.33 to 192.168.1.160 Device Management Use the web configurator to easily configure the rich range of features on the ZyWALL. Wireless Functionality Allow the IEEE 802.11b and/or IEEE 802.11g wireless clients to connect to the ZyWALL wirelessly.
Chapter 55 Product Specifications Table 269 Firmware Specifications FEATURE DESCRIPTION Firewall You can configure firewall on the ZyXEL Device for secure Internet access. When the firewall is on, by default, all incoming traffic from the Internet to your network is blocked unless it is initiated from your network. This means that probes from the outside to your network are not allowed, but you can safely browse the Internet and download files for example.
Chapter 55 Product Specifications Table 270 Feature and Performance Specifications (continued) FEATURE ZYWALL 70 ZYWALL 35 ZYWALL 5 Anti-Spam Whitelist and Blacklist Entries 12,288 Kb Individual entries my vary in size. The total number you can configure is less than 860. 6,144 Kb Individual entries my vary in size. The total number you can configure is less than 450. 3,072 Kb Individual entries my vary in size. The total number you can configure is less than 220.
Chapter 55 Product Specifications 55.1 Compatible 3G Cards At the time of writing, you can use the following 3G wireless cards in the ZyWALL 5. The table also shows you the 3G features supported by the compatible 3G cards. Table 272 3G Features Supported By Compatible 3G Cards FEATURES SIERRA 3G CARD WIRELESS AC880/ AC881 SIERRA WIRELESS AC580 SIERRA WIRELESS AC595 SIERRA WIRELESS AC850/860 SIERRA WIRELESS AC875 Radio Technology HSDPA 1xEV-DO Rev. 0 1xEV-DO Rev.
Chapter 55 Product Specifications Table 273 3G Features Supported By Additional Compatible 3G Cards FEATURES 3G CARD HUAWEI E612 HUAWEI E620 HUAWEI E630 HUAWEI EC321 HUAWEI EC360 Manual or automatic service provider selection via the web configurator Y Y Y Signal strength update even when data is transmitting Y Y Y Budget Control Y Y Y Y Y Bandwidth Management Y Y Y Y Y Network type update even when data is transmitting Roaming status update even when data is transmitting Dormant
Table 274 3G Features Supported By Additional Compatible 3G Cards
FEATURES | 3G CARD
 | HUAWEI EC500 | HUAWEI E220 | OPTION GLOBETROTTER HSDPA 7.2 READY | NOVATEL MERLIN EX720 | NOVATEL MERLIN PC720
Budget Control | Y | Y | Y | Y | Y
Bandwidth Management | Y | Y | Y | Y | Y

55.2 Power Adaptor Specifications

Table 275 North American Plug Standards
AC POWER ADAPTOR MODEL | PSA18R-120P (ZA)-R
INPUT POWER | 100-240VAC, 50/60HZ, 0.5A
OUTPUT POWER | 12VDC, 1.5A
POWER CONSUMPTION | 18 W MAX.
Table 279 Japan Plug Standards (continued)
OUTPUT POWER | 12VDC, 1.5A
POWER CONSUMPTION | 18 W MAX.
SAFETY STANDARDS | JET

Table 280 China Plug Standards
AC POWER ADAPTOR MODEL | PSA18R-120P (ZA)-R
INPUT POWER | 100-240VAC, 50/60HZ, 0.5A
OUTPUT POWER | 12VDC, 1.5A
POWER CONSUMPTION | 18 W MAX.
SAFETY STANDARDS | CCC

Cable Pin Assignments
In a serial communications connection, generally a computer is DTE (Data Terminal Equipment) and a modem is DCE (Data Circuit-terminating Equipment).
Table 282 Ethernet Cable Pin Assignments
WAN / LAN ETHERNET CABLE PIN LAYOUT
PIN | Straight-through (Switch) | Straight-through (Adapter) | Crossover (Switch) | Crossover (Switch)
1 | IRD + | OTD + | IRD + | IRD +
2 | IRD - | OTD - | IRD - | IRD -
3 | OTD + | IRD + | OTD + | OTD +
6 | OTD - | IRD - | OTD - | OTD -
PART VIII Appendices and Index
Removing and Installing a Fuse (781)
Common Services (783)
Wireless LANs (787)
Windows 98 SE/Me Requirements for Anti-Virus Message Display (801)
Legal Information (805)
Customer Support (809)
Index (815)
APPENDIX A Removing and Installing a Fuse
This appendix shows you how to remove and install fuses for the ZyWALL. If you need to install a new fuse, follow the procedure below.

If you use a fuse other than the included fuses, make sure it matches the fuse specifications in the product specifications chapter.

Removing a Fuse
Disconnect all power from the ZyWALL before you begin this procedure.
1 Place the rear panel of the ZyWALL in front of you.
2 Remove the power cord from the back of the unit.
APPENDIX B Common Services
The following table lists some commonly-used services and their associated protocols and port numbers. For a comprehensive list of port numbers, ICMP type/code numbers and services, visit the IANA (Internet Assigned Numbers Authority) web site.
• Name: This is a short, descriptive name for the service. You can use this one or create a different one, if you like.
• Protocol: This is the type of IP protocol used by the service.
Table 283 Commonly Used Services (continued)
NAME | PROTOCOL | PORT(S) | DESCRIPTION
FTP | TCP | 20, 21 | File Transfer Program, a program to enable fast transfer of files, including large files that may not be possible by e-mail.
H.323 | TCP | 1720 | NetMeeting uses this protocol.
HTTP | TCP | 80 | Hyper Text Transfer Protocol - a client/server protocol for the world wide web.
HTTPS | TCP | 443 | HTTPS is a secured http session often used in e-commerce.
Table 283 Commonly Used Services (continued)
NAME | PROTOCOL | PORT(S) | DESCRIPTION
RTELNET | TCP | 107 | Remote Telnet.
RTSP | TCP/UDP | 554 | The Real Time Streaming (media control) Protocol (RTSP) is a remote control for multimedia on the Internet.
SFTP | TCP | 115 | Simple File Transfer Protocol.
SMTP | TCP | 25 | Simple Mail Transfer Protocol is the message-exchange standard for the Internet. SMTP enables you to move messages from one e-mail server to another.
APPENDIX C Wireless LANs

Wireless LAN Topologies
This section discusses ad-hoc and infrastructure wireless LAN topologies.

Ad-hoc Wireless LAN Configuration
The simplest WLAN configuration is an independent (Ad-hoc) WLAN that connects a set of computers with wireless adapters (A, B, C). Any time two or more wireless adapters are within range of each other, they can set up an independent network, which is commonly referred to as an ad-hoc network or Independent Basic Service Set (IBSS).
Figure 500 Basic Service Set

ESS
An Extended Service Set (ESS) consists of a series of overlapping BSSs, each containing an access point, with each access point connected together by a wired network. This wired connection between APs is called a Distribution System (DS). This type of wireless LAN topology is called an Infrastructure WLAN. The Access Points not only provide communication with the wired network but also mediate wireless network traffic in the immediate neighborhood.
Figure 501 Infrastructure WLAN

Channel
A channel is the radio frequency (or frequencies) used by wireless devices to transmit and receive data. The channels available depend on your geographical area. You may have a choice of channels (for your region), so you should use a channel different from that of an adjacent AP (access point) to reduce interference. Interference occurs when radio signals from different access points overlap, degrading performance.
Figure 502 RTS/CTS
When station A sends data to the AP, it might not know that station B is already using the channel. If these two stations send data at the same time, collisions may occur when both sets of data arrive at the AP at the same time, resulting in a loss of messages for both stations. RTS/CTS is designed to prevent collisions due to hidden nodes.
If the Fragmentation Threshold value you set is smaller than the RTS/CTS value (see above), the RTS (Request To Send)/CTS (Clear To Send) handshake will never occur, because data frames will be fragmented before they reach the RTS/CTS size.

Preamble Type
The preamble is used to signal that data is coming to the receiver. Short and long refer to the length of the synchronization field in a packet.
Wireless security methods available on the ZyWALL are data encryption, wireless client authentication, restricting access by device MAC address and hiding the ZyWALL identity. The following figure shows the relative effectiveness of these wireless security methods available on your ZyWALL.

Table 285 Wireless Security Levels
SECURITY LEVEL | SECURITY TYPE
Least Secure | Unique SSID (Default)
 | Unique SSID with Hide SSID Enabled
 | MAC Address Filtering
 | WEP Encryption
 | IEEE802.
Determines the network services available to authenticated users once they are connected to the network.
• Accounting: Keeps track of the client's network activity.
RADIUS is a simple packet exchange in which your AP acts as a message relay between the wireless client and the network RADIUS server.
For the EAP-TLS authentication type, you must first have a wired connection to the network and obtain the certificate(s) from a certificate authority (CA). A certificate (also called a digital ID) can be used to authenticate users; a CA issues certificates and guarantees the identity of each certificate owner.

EAP-MD5 (Message-Digest Algorithm 5)
MD5 authentication is the simplest one-way authentication method. The authentication server sends a challenge to the wireless client.
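To make the "one-way" property of EAP-MD5 concrete, here is an added illustration of the challenge/response exchange; it is example code, not ZyXEL's implementation. It follows the CHAP algorithm that EAP-MD5 reuses (RFC 1994 and RFC 3748), Response = MD5(Identifier || shared secret || Challenge). The user names and secrets are constructed, and the server issues a fresh random challenge per attempt so an old response cannot be replayed.

```python
"""EAP-MD5 challenge/response exchange.  Added example, not ZyXEL code.
Response = MD5(Identifier || secret || Challenge) per RFC 1994 / RFC 3748.
Identities and secrets below are constructed for the demonstration."""
import hashlib
import hmac
import os


def md5_response(identifier: int, secret: bytes, challenge: bytes) -> bytes:
    """Value the wireless client returns for an EAP Identifier and a server challenge."""
    return hashlib.md5(bytes([identifier & 0xFF]) + secret + challenge).digest()


class AuthServer:
    """Network RADIUS/EAP server side: issues a challenge, then checks the response."""

    def __init__(self, users: dict):
        self.users = users        # identity -> shared secret (constructed)
        self.pending = {}         # identity -> (identifier, challenge) awaiting a response
        self.next_id = 1

    def challenge(self, identity: str) -> tuple:
        identifier = self.next_id & 0xFF
        self.next_id += 1
        chal = os.urandom(16)     # fresh per attempt, so a captured response is useless later
        self.pending[identity] = (identifier, chal)
        return identifier, chal

    def verify(self, identity: str, response: bytes) -> bool:
        identifier, chal = self.pending.pop(identity, (None, None))
        secret = self.users.get(identity)
        if chal is None or secret is None:
            return False          # no outstanding challenge, or unknown user
        expected = md5_response(identifier, secret, chal)
        return hmac.compare_digest(expected, response)


class Supplicant:
    """Wireless client side.  It answers any challenge it receives and never learns
    whether the challenger is the real server: EAP-MD5 authenticates the client only."""

    def __init__(self, identity: str, secret: bytes):
        self.identity, self.secret = identity, secret

    def respond(self, identifier: int, chal: bytes) -> bytes:
        return md5_response(identifier, self.secret, chal)


def run_exchange(server: AuthServer, client: Supplicant) -> bool:
    """Identity -> Challenge -> Response -> Success/Failure, returned as a bool."""
    identifier, chal = server.challenge(client.identity)
    return server.verify(client.identity, client.respond(identifier, chal))


USERS = {"alice": b"correct-horse"}   # constructed credentials

if __name__ == "__main__":
    print("good secret :", run_exchange(AuthServer(USERS), Supplicant("alice", b"correct-horse")))
    print("wrong secret:", run_exchange(AuthServer(USERS), Supplicant("alice", b"wrong")))
```

Nothing in the exchange lets the supplicant check the server's identity, which is why the appendix ranks EAP-MD5 below the certificate-based types that follow.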
Dynamic WEP Key Exchange
The AP maps a unique key that is generated with the RADIUS server. This key expires when the wireless connection times out, disconnects or reauthentication times out. A new WEP key is generated each time reauthentication is performed. If this feature is enabled, it is not necessary to configure a default encryption key in the wireless security configuration screen.
Encryption
Both WPA and WPA2 improve data encryption by using Temporal Key Integrity Protocol (TKIP), Message Integrity Check (MIC) and IEEE 802.1x. WPA and WPA2 use Advanced Encryption Standard (AES) in the Counter mode with Cipher block chaining Message authentication code Protocol (CCMP) to offer stronger encryption than TKIP. TKIP uses 128-bit keys that are dynamically generated and distributed by the authentication server.
Wireless Client WPA Supplicants
A wireless client supplicant is the software that runs on an operating system instructing the wireless client how to use WPA. At the time of writing, the most widely available supplicant is the WPA patch for Windows XP, Funk Software's Odyssey client. The Windows XP patch is a free download that adds WPA capability to Windows XP's built-in "Zero Configuration" wireless client. However, you must run Windows XP to use it.
3 The AP and wireless clients generate a common PMK (Pairwise Master Key). The key itself is not sent over the network, but is derived from the PSK and the SSID.
4 The AP and wireless clients use the TKIP or AES encryption process, the PMK and information exchanged in a handshake to create temporal encryption keys. They use these keys to encrypt data exchanged between them.
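Steps 3 and 4 can be written out as the two derivations IEEE 802.11i defines. This is an added example, not ZyXEL code: the PMK is PBKDF2-HMAC-SHA1 over the passphrase with the SSID as salt (4096 iterations, 32 bytes), and the temporal keys are the 802.11i PRF applied to the PMK together with both MAC addresses and both handshake nonces. The passphrase/SSID pair "password"/"IEEE" is the standard's published test vector; the MAC addresses and nonces used for the PTK are constructed.

```python
"""WPA/WPA2-PSK key derivation (IEEE 802.11i).  Added example, not ZyXEL code.
PMK = PBKDF2-HMAC-SHA1(passphrase, SSID, 4096, 32 bytes); PTK = PRF(PMK, ...).
The MAC addresses and nonces in the demo are constructed values."""
import hashlib
import hmac


def derive_pmk(passphrase: str, ssid: str) -> bytes:
    """Pairwise Master Key: computed independently by AP and client, never sent on air.
    Because the SSID is the salt, the same passphrase gives a different PMK per network."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)


def prf(key: bytes, label: bytes, data: bytes, length_bits: int) -> bytes:
    """IEEE 802.11i PRF-n: concatenate HMAC-SHA1(key, label || 0x00 || data || i) blocks."""
    out = b""
    for i in range((length_bits + 159) // 160):
        out += hmac.new(key, label + b"\x00" + data + bytes([i]), hashlib.sha1).digest()
    return out[: length_bits // 8]


def derive_ptk(pmk: bytes, aa: bytes, spa: bytes, anonce: bytes, snonce: bytes,
               cipher: str = "ccmp") -> bytes:
    """Pairwise Transient Key from the 4-way handshake inputs (step 4 above).
    aa/spa are the AP and client MAC addresses; anonce/snonce the exchanged nonces.
    Ordering by value makes the result the same whichever side computes it."""
    length_bits = 384 if cipher == "ccmp" else 512   # TKIP adds two 64-bit MIC keys
    data = min(aa, spa) + max(aa, spa) + min(anonce, snonce) + max(anonce, snonce)
    return prf(pmk, b"Pairwise key expansion", data, length_bits)


def split_ptk(ptk: bytes) -> dict:
    """First three 128-bit pieces: EAPOL-Key confirmation key, encryption key, temporal key."""
    return {"kck": ptk[:16], "kek": ptk[16:32], "tk": ptk[32:48]}


# Constructed handshake parameters for the demonstration.
AP_MAC = bytes.fromhex("001349000001")
CLIENT_MAC = bytes.fromhex("001349000002")
ANONCE = bytes(range(32))
SNONCE = bytes(range(32, 64))

if __name__ == "__main__":
    pmk = derive_pmk("password", "IEEE")          # published 802.11i test vector
    print("PMK:", pmk.hex())
    ptk = derive_ptk(pmk, AP_MAC, CLIENT_MAC, ANONCE, SNONCE)
    for name, part in split_ptk(ptk).items():
        print(f"{name.upper()}: {part.hex()}")
```

The PTK computed by the AP (passing its own address first) equals the one computed by the client, which is the property step 4 relies on: both sides end up with identical temporal keys without either key ever being transmitted.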
Antenna Overview
An antenna couples RF signals onto air. A transmitter within a wireless device sends an RF signal to the antenna, which propagates the signal through the air. The antenna also operates in reverse by capturing RF signals from the air. Positioning the antennas properly increases the range and coverage area of a wireless LAN.

Antenna Characteristics
Frequency
An antenna in the frequency of 2.4GHz (IEEE 802.11b and IEEE 802.11g) or 5GHz (IEEE 802.
Positioning Antennas
In general, antennas should be mounted as high as practically possible and free of obstructions. In point-to-point applications, position both antennas at the same height and in a direct line of sight to each other to attain the best performance. For omni-directional antennas mounted on a table, desk, and so on, point the antenna up. For omni-directional antennas mounted on a wall or ceiling, point the antenna down.
APPENDIX D Windows 98 SE/Me Requirements for Anti-Virus Message Display
With the anti-virus packet scan, when a virus is detected, an alert message is displayed on Microsoft Windows-based computers. For Windows 98 SE/Me, you must open the WinPopup window in order to view real-time alert messages. For Windows 2000 and later versions, a message window automatically displays when an alert is received.
Click Start, Run and enter "winpopup" in the field provided and click OK.
Figure 506 Windows 98 SE: Program Task Bar
2 Click the Start Menu Programs tab and click Advanced ...
Figure 507 Windows 98 SE: Task Bar Properties
3 Double-click Programs and click StartUp.
4 Right-click in the StartUp pane and click New, Shortcut.
Figure 508 Windows 98 SE: StartUp
5 A Create Shortcut window displays. Enter "winpopup" in the Command line field and click Next.
Figure 509 Windows 98 SE: Startup: Create Shortcut
6 Specify a name for the shortcut or accept the default and click Finish.
Figure 510 Windows 98 SE: Startup: Select a Title for the Program
7 A shortcut is created in the StartUp pane. Restart the computer when prompted.
Figure 511 Windows 98 SE: Startup: Shortcut
The WinPopup window displays after the computer finishes the startup process (see Figure 505 on page 801).
APPENDIX E Legal Information

Copyright
Copyright © 2008 by ZyXEL Communications Corporation. The contents of this publication may not be reproduced in any part or as a whole, transcribed, stored in a retrieval system, translated into any language, or transmitted in any form or by any means, electronic, mechanical, magnetic, optical, chemical, photocopying, manual, or otherwise, without the prior written permission of ZyXEL Communications Corporation. Published by ZyXEL Communications Corporation.
This device has been tested and found to comply with the limits for a Class B digital device pursuant to Part 15 of the FCC Rules. These limits are designed to provide reasonable protection against harmful interference in a residential installation. This device generates, uses, and can radiate radio frequency energy, and if not installed and used in accordance with the instructions, may cause harmful interference to radio communications.
Viewing Certifications
1 Go to http://www.zyxel.com.
2 Select your product on the ZyXEL home page to go to that product's page.
3 Select the certification you wish to view from this page.

ZyXEL Limited Warranty
ZyXEL warrants to the original end user (purchaser) that this product is free from any defects in materials or workmanship for a period of up to two years from the date of purchase.
APPENDIX F Customer Support
In the event of problems that cannot be solved by using this manual, you should contact your vendor. If you cannot contact your vendor, then contact a ZyXEL office for the region in which you bought the device. Regional offices are listed below (see also http://www.zyxel.com/web/contact_us.php). Please have the following information ready when you contact an office.

Required Information
• Product model and serial number.
• Warranty Information.
• Address: 1005F, ShengGao International Tower, No.137 XianXia Rd., Shanghai
• Web: http://www.zyxel.cn

Costa Rica
• Support E-mail: soporte@zyxel.co.cr
• Sales E-mail: sales@zyxel.co.cr
• Telephone: +506-2017878
• Fax: +506-2015098
• Web: www.zyxel.co.cr
• Regular Mail: ZyXEL Costa Rica, Plaza Roble Escazú, Etapa El Patio, Tercer Piso, San José, Costa Rica

Czech Republic
• E-mail: info@cz.zyxel.com
• Telephone: +420-241-091-350
• Fax: +420-241-091-359
• Web: www.zyxel.
Germany
• Support E-mail: support@zyxel.de
• Sales E-mail: sales@zyxel.de
• Telephone: +49-2405-6909-69
• Fax: +49-2405-6909-99
• Web: www.zyxel.de
• Regular Mail: ZyXEL Deutschland GmbH., Adenauerstr. 20/A2 D-52146, Wuerselen, Germany

Hungary
• Support E-mail: support@zyxel.hu
• Sales E-mail: info@zyxel.hu
• Telephone: +36-1-3361649
• Fax: +36-1-3259100
• Web: www.zyxel.hu
• Regular Mail: ZyXEL Hungary, 48, Zoldlomb Str.
Malaysia
• Support E-mail: support@zyxel.com.my
• Sales E-mail: sales@zyxel.com.my
• Telephone: +603-8076-9933
• Fax: +603-8076-9833
• Web: http://www.zyxel.com.my
• Regular Mail: ZyXEL Malaysia Sdn Bhd., 1-02 & 1-03, Jalan Kenari 17F, Bandar Puchong Jaya, 47100 Puchong, Selangor Darul Ehsan, Malaysia

North America
• Support E-mail: support@zyxel.com
• Support Telephone: +1-800-978-7222
• Sales E-mail: sales@zyxel.
Singapore
• Support E-mail: support@zyxel.com.sg
• Sales E-mail: sales@zyxel.com.sg
• Telephone: +65-6899-6678
• Fax: +65-6899-8887
• Web: http://www.zyxel.com.sg
• Regular Mail: ZyXEL Singapore Pte Ltd., No. 2 International Business Park, The Strategy #03-28, Singapore 609930

Spain
• Support E-mail: support@zyxel.es
• Sales E-mail: sales@zyxel.es
• Telephone: +34-902-195-420
• Fax: +34-913-005-345
• Web: www.zyxel.
Turkey
• Support E-mail: cso@zyxel.com.tr
• Telephone: +90 212 222 55 22
• Fax: +90-212-220-2526
• Web: http:www.zyxel.com.tr
• Address: Kaptanpasa Mahallesi Piyalepasa Bulvari Ortadogu Plaza N:14/13 K:6 Okmeydani/Sisli Istanbul/Turkey

Ukraine
• Support E-mail: support@ua.zyxel.com
• Sales E-mail: sales@ua.zyxel.com
• Telephone: +380-44-247-69-78
• Fax: +380-44-494-49-32
• Web: www.ua.zyxel.com
• Regular Mail: ZyXEL Ukraine, 13, Pimonenko Str.
Index

Numerics
9600 baud 605

A
access control 281
active protocol 394
  AH 394
  and encapsulation 394
  ESP 394
Address Assignment 479
address assignment 182
ADP (Anomaly, Detection and Prevention) 277, 289
Advanced Encryption Standard. See AES.
Bridge Protocol Data Unit. See BPDU.
broadcast 152
BSS 787
budget 663
budget management 740
buffer overflow 281

C
CA 399, 794
call back delay 623
call control 740
call history 741
call scheduling 757
  max number of schedule sets 757
  PPPoE 759
  precedence 757
  setting up a schedule 758
call-triggering packet 721
certificate 364
Certificate Authority. See CA.
certificates 399
  and IKE SA 390
  CA 399
  thumbprint algorithms 400
  thumbprints 400
  verifying fingerprints 400
Certification Authority. See CA.
diagnostic 722
diagnostics 599
dial timeout 623
Diffie-Hellman key group 389
  Perfect Forward Secrecy (PFS) 395
digest 314
disclaimer 805
DMZ
  IP alias setup 647
  port filter setup 645
  setup 645
  TCP/IP setup 646
DNS 513
DNS Server For VPN Host 480
DNS server address assignment 183
domain name 716
Domain Name System. See DNS.
DoS 251, 265
drop timeout 623
DSL modem 661
DTR 202, 622
Dynamic DNS 481, 488
Dynamic Host Configuration Protocol. See DHCP.
  one minute high 265
  one minute low 265
  rules 251
  rules for VPN 122, 127
  service type 266
  SMT menus 693
  stateful inspection 251
  TCP maximum incomplete 265
  three-way handshake 275
  VPN 127
  when to use 707
firmware
  file maintenance 725
  upload 595
firmware upload 733
  FTP 733
flow control 605
fragmentation threshold 790
From VPN traffic 120
FTP 481, 509
  commands 727
  file upload 735
  firmware upload 733
  GUI-based clients 728
  restoring files 731
fuse
  replacement 781
  type 769

G
gateway IP address 641, 665, 67
IP address
  assignment 640, 665
  pool 151, 154, 212, 222, 635
  private 150
IP alias 636
IP alias setup 636
  DMZ 647
IP policy routing 457, 749
IP protocol type 262
IP routing policy 749
IP static route 669
  active 670
  destination IP address 671
  name 670
  route number 670
IPSec 357
  established in two phases 358
  local network 357
  NAT over 393
  remote IPSec router 357
  remote network 357
  See also VPN.
N
nailed-up connection 662, 664
NAT 150, 435, 441, 442, 626, 641, 665, 666, 706
  and VPN 392
  application 449
  configuring 675
  default server IP address 441
  examples 683
  in the SMT 673
  inside global address 447
  inside local address 447
  Many to Many No Overload 435
  Many to Many Overload 435
  Many to One 435
  mapping types 435
  NAT unfriendly applications 689
  One to One 435
  ordering rules 678
  over IPSec 393
  port forwarding 441
  port restricted cone 449
  Server 435
  server set 675
  Single User Account 436
  trigger
product registration 807
protocol filter 637
  incoming 637
  outgoing 637
PSK 796

Q
QoS 457
Quality of Service. See QoS.
query view (IDP) 284

R
RADIUS 231, 244, 792
  and IKE SA 391
  message types 244, 793
  messages 793
  shared secret key 244, 793
Rapid Spanning Tree Protocol. See Rapid STP.
Rapid STP 162
Real time Transport Protocol. See RTP.
scanner types 310
schedule 661, 664
  duration 758
searching for IDP signatures 284
secure FTP using SSH 504
secure Telnet using SSH 502
security associations. See VPN.
security settings for VPN traffic 119
server set 675
service set 230, 233
service type 266, 640, 660
services 141
Session Initiation Protocol. See SIP.
severity levels of intrusions 282
signature categories
  backdoor/trojan 281
  buffer overflow 281
  IM 281
  P2P 281
  scan 281
  virus/worm 281
Simple Mail Transfer Protocol. See SMTP.
time 588
  and date setting 742
  Daylight Saving Time 589
  resetting 588
  synchronization with server 590
  zone 589, 744
Time protocol 589
time protocol 589
  Daytime 589
  NTP 589
  Time 589
time setting 742
timeout
  system 492
TKIP 245
To VPN traffic 121
ToS 457
trace 717
trademarks 805
traffic
  from VPN 120
  redirect 197
  to VPN 121
transparent firewall 71, 161, 591, 593
triangle routes 274
  vs virtual interfaces 274
trigger port forwarding 690
Trivial File Transfer Protocol. See TFTP.
warranty 807
  note 807
web attack 282
web configurator 61
web site hits 541
WEP encryption 239, 242
whitelist 314, 321
Wi-Fi Protected Access 795
Wi-Fi Protected Access. See WPA.
Windows Internet Naming Service. See WINS.