ZyWALL 2 Plus Internet Security Appliance User’s Guide Version 4.02 3/2007 Edition 1 www.zyxel.
About This User's Guide

Intended Audience
This manual is intended for people who want to configure the ZyWALL using the web configurator or System Management Terminal (SMT). You should have at least a basic knowledge of TCP/IP networking concepts and topology.

Related Documentation
• Quick Start Guide
The Quick Start Guide is designed to help you get up and running right away. It contains information on setting up your network and configuring for Internet access.
Document Conventions

Warnings and Notes
These are how warnings and notes are shown in this User’s Guide.
Warning: Warnings tell you about things that could harm you or your device.
Note: Notes tell you other important information (for example, other things you may need to configure or helpful tips) or recommendations.

Syntax Conventions
• The ZyWALL 2 Plus may be referred to as the “ZyWALL”, the “device” or the “system” in this User’s Guide.

Icons Used in Figures
Figures in this User’s Guide may use the following generic icons. The ZyWALL icon is not an exact representation of your device.
Safety Warnings

Warning: For your safety, be sure to read and follow all warning notices and instructions.
• Do NOT use this product near water, for example, in a wet basement or near a swimming pool.
• Do NOT expose your device to dampness, dust or corrosive liquids.
• Do NOT store things on the device.
• Do NOT install, use, or service this device during a thunderstorm. There is a remote risk of electric shock from lightning.
• Connect ONLY suitable accessories to the device.
Part I: Introduction and Registration
Getting to Know Your ZyWALL (45)
Introducing the Web Configurator (49)
Wizard Setup (67)
Tutorial (85)
Registration (117)
CHAPTER 1 Getting to Know Your ZyWALL

This chapter introduces the main features and applications of the ZyWALL.

1.1 ZyWALL Internet Security Appliance Overview
The ZyWALL is loaded with security features including VPN, firewall, content filtering and certificates. The ZyWALL’s De-Militarized Zone (DMZ) increases LAN security by providing separate ports for connecting publicly accessible servers. The ZyWALL provides the option to change port roles from LAN to DMZ.
Chapter 1 Getting to Know Your ZyWALL

Figure 1 Secure Internet Access via Cable, DSL or Wireless Modem

1.2.2 VPN Application
ZyWALL VPN is an ideal cost-effective way to connect branch offices, business partners and telecommuters over the Internet without the need (and expense) for leased lines between sites.

Figure 2 VPN Application

1.3 Ways to Manage the ZyWALL
Use any of the following methods to manage the ZyWALL.
• Web Configurator.
1.4 Good Habits for Managing the ZyWALL
Do the following things regularly to make the ZyWALL more secure and to manage the ZyWALL more effectively.
• Change the password. Use a password that’s not easy to guess and that consists of different types of characters, such as numbers and letters.
• Write down the password and put it in a safe place.
• Back up the configuration (and make sure you know how to restore it).
Table 1 Front Panel LEDs (continued)
LED | COLOR | STATUS | DESCRIPTION
WAN 10/100 | | Off | The WAN connection is not ready, or has failed.
WAN 10/100 | Green | On | The ZyWALL has a successful 10Mbps WAN connection.
WAN 10/100 | Green | Flashing | The 10M WAN is sending or receiving packets.
WAN 10/100 | Orange | On | The ZyWALL has a successful 100Mbps WAN connection.
WAN 10/100 | Orange | Flashing | The 100M WAN is sending or receiving packets.
CHAPTER 2 Introducing the Web Configurator

This chapter describes how to access the ZyWALL web configurator and provides an overview of its screens.

2.1 Web Configurator Overview
The web configurator is an HTML-based management interface that allows easy ZyWALL setup and management via Internet browser. Use Internet Explorer 6.0 and later or Netscape Navigator 7.0 and later versions. The recommended screen resolution is 1024 by 768 pixels.
Chapter 2 Introducing the Web Configurator

5 You should see a screen asking you to change your password (highly recommended) as shown next. Type a new password (and retype it to confirm) and click Apply or click Ignore.

Figure 4 Change Password Screen

6 Click Apply in the Replace Certificate screen to create a certificate using your ZyWALL’s MAC address that will be specific to this device.
2.3 Resetting the ZyWALL
If you forget your password or cannot access the web configurator, you will need to reload the factory-default configuration file or use the RESET button on the back of the ZyWALL. Uploading this configuration file replaces the current configuration file with the factory-default configuration file.
2.4 Navigating the ZyWALL Web Configurator
The following summarizes how to navigate the web configurator from the HOME screen. This guide uses the ZyWALL 70 screenshots as an example. The screens may vary slightly for different ZyWALL models.

Figure 7 HOME Screen

As illustrated above, the main screen is divided into these parts:
• A - title bar
• B - navigation panel
• C - main window
• D - status bar

2.4.
2.4.2 Main Window
The main window shows the screen you select in the navigation panel. It is discussed in more detail in the rest of this document. Right after you log in, the HOME screen is displayed. The screen varies according to the device mode you select in the MAINTENANCE > Device Mode screen.

2.4.3 HOME Screen: Router Mode
The following screen displays when the ZyWALL is set to router mode. This screen displays general status information about the ZyWALL.
Table 3 Web Configurator HOME Screen in Router Mode (continued)
LABEL | DESCRIPTION
Bootbase Version | This is the bootbase version and the date created.
Firmware Version | This is the ZyNOS Firmware version and the date created. ZyNOS is ZyXEL's proprietary Network Operating System design. Click the field label to go to the screen where you can upload a new firmware file.
Up Time | This field displays how long the ZyWALL has been running since it last started up.

Table 3 Web Configurator HOME Screen in Router Mode (continued)
LABEL | DESCRIPTION
IP Assignment | For the WAN, if the ZyWALL gets its IP address automatically from an ISP, this displays DHCP client when you’re using Ethernet encapsulation and IPCP Client when you’re using PPPoE or PPTP encapsulation. Static displays if the WAN port is using a manually entered static (fixed) IP address.
You can use the firewall and VPN in bridge mode. See the user’s guide for a list of other features that are available in bridge mode.

Figure 9 Web Configurator HOME Screen in Bridge Mode

The following table describes the labels in this screen.
Table 4 Web Configurator HOME Screen in Bridge Mode (continued)
LABEL | DESCRIPTION
System Time | This field displays your ZyWALL’s present date (in yyyy-mm-dd format) and time (in hh:mm:ss format) along with the difference from the Greenwich Mean Time (GMT) zone. The difference from GMT is based on the time zone. It is also adjusted for Daylight Saving Time if you set the ZyWALL to use it.

Table 4 Web Configurator HOME Screen in Bridge Mode (continued)
LABEL | DESCRIPTION
Port Status | For the WAN, LAN, DMZ, and WLAN Interfaces, this displays the port speed and duplex setting. For the WAN port, it displays Down when the link is not ready or has failed.
RSTP Status | This is the RSTP status of the corresponding port.
RSTP Active | This shows whether or not RSTP is active on the corresponding port.
Table 5 Bridge and Router Mode Features Comparison
Table Key: An O in a mode’s column shows that the device mode has the specified feature.

Features marked O in both the BRIDGE MODE and ROUTER MODE columns: Firewall, Content Filter, VPN, Certificates, Authentication Server, DNS, UPnP, ALG, Logs, Maintenance.

Features marked O in only one of the two mode columns: WLAN, NAT, Static Route, Bandwidth Management, Remote Management.
Table 6 Screens Summary (continued)
LINK | TAB | FUNCTION
WAN | Route | This screen allows you to configure route priority.
WAN | WAN | Use this screen to configure the WAN port for Internet access.
WAN | Traffic Redirect | Use this screen to configure your traffic redirect properties and parameters.
WAN | Dial Backup | Use this screen to configure the backup WAN dial-up connection.
DMZ | | Use this screen to configure your DMZ connection.

Table 6 Screens Summary (continued)
LINK | TAB | FUNCTION
AUTH SERVER | Local User Database | Use this screen to configure the local user account(s) on the ZyWALL.
AUTH SERVER | RADIUS | Configure this screen to use an external server to authenticate wireless and/or VPN users.
NAT | Overview | Use this screen to enable NAT.
NAT | Address Mapping | Use this screen to configure network address translation mapping rules.

Table 6 Screens Summary (continued)
LINK | TAB | FUNCTION
LOGS | View Log | Use this screen to view the logs for the categories that you selected.
LOGS | Log Settings | Use this screen to change your ZyWALL’s log settings.
LOGS | Reports | Use this screen to have the ZyWALL record and display network usage reports.
| General | This screen contains administrative.
| Password | Use this screen to change your password.
Table 7 HOME > Show Statistics (continued)
LABEL | DESCRIPTION
RxPkts | This is the number of received packets on this port.
Collisions | This is the number of collisions on this port.
Tx B/s | This displays the transmission speed in bytes per second on this port.
Rx B/s | This displays the reception speed in bytes per second on this port.
Up Time | This is the total amount of time the line has been up.
System Up Time | This is the total time the ZyWALL has been on.

Table 8 HOME > DHCP Table (continued)
LABEL | DESCRIPTION
MAC Address | The MAC (Media Access Control) or Ethernet address on a LAN (Local Area Network) is unique to your computer (six pairs of hexadecimal notation). A network interface card such as an Ethernet adapter has a hardwired address that is assigned at the factory. This address follows an industry standard that ensures no other adapter has a similar address.

Table 9 HOME > VPN Status
LABEL | DESCRIPTION
Encapsulation | This field displays Tunnel or Transport mode.
IPSec Algorithm | This field displays the security protocols used for an SA. Both AH and ESP increase ZyWALL processing requirements and communications latency (delay).
Poll Interval(s) | Enter a number of seconds to update all screen statistics automatically at the end of every time interval.

Table 10 ADVANCED > BW MGMT > Monitor
LABEL | DESCRIPTION
Poll Interval(s) | Enter a number of seconds to update all screen statistics automatically at the end of every time interval.
Set Interval | Click this button to apply the new poll interval you entered in the Poll Interval(s) field.
Stop Update | Click Stop Update to stop refreshing statistics.
CHAPTER 3 Wizard Setup

This chapter provides information on the Wizard Setup screens in the web configurator. The Internet access wizard is only applicable when the ZyWALL is in router mode.

3.1 Wizard Setup Overview
The web configurator's setup wizards help you configure Internet and VPN connection settings. In the HOME screen, click the Wizard icon to open the Wizard Setup Welcome screen.
Chapter 3 Wizard Setup

3.2.1 ISP Parameters
The ZyWALL offers three choices of encapsulation: Ethernet, PPTP and PPPoE. The wizard screen varies according to the type of encapsulation that you select in the Encapsulation field.

3.2.1.1 Ethernet
For ISPs (such as Telstra) that send UDP heartbeat packets to verify that the customer is still online, please create a WAN-to-WAN/ZyWALL firewall rule for those packets. Contact your ISP to find the correct port number.
Table 11 ISP Parameters: Ethernet Encapsulation
LABEL | DESCRIPTION
My WAN IP Address | Enter your WAN IP address in this field.
My WAN IP Subnet Mask | Enter the IP subnet mask in this field.
Gateway IP Address | Enter the gateway IP address in this field.
First DNS Server | Enter the DNS server's IP address(es) in the field(s) to the right. Leave the field as 0.0.0.0 if you do not want to configure DNS servers.
Second DNS Server | (see above)

The following table describes the labels in this screen.

Table 12 ISP Parameters: PPPoE Encapsulation
LABEL | DESCRIPTION
ISP Parameter for Internet Access |
Encapsulation | Choose an encapsulation method from the pull-down list box. PPP over Ethernet forms a dial-up connection.
Service Name | Type the name of your service provider. This field is optional.
User Name | Type the user name given to you by your ISP.
Password | Type the password associated with the user name above.

Figure 17 ISP Parameters: PPTP Encapsulation

The following table describes the labels in this screen.

Table 13 ISP Parameters: PPTP Encapsulation
LABEL | DESCRIPTION
ISP Parameters for Internet Access |
Encapsulation | Select PPTP from the drop-down list box. To configure a PPTP client, you must configure the User Name and Password fields for a PPP connection and the PPTP parameters for a PPTP connection.
User Name | Type the user name given to you by your ISP.

Table 13 ISP Parameters: PPTP Encapsulation (continued)
LABEL | DESCRIPTION
My IP Subnet Mask | Type the subnet mask assigned to you by your ISP (if given).
Server IP Address | Type the IP address of the PPTP server.
Connection ID/Name | Enter the connection ID or connection name in this field. It must follow the "c:id" and "n:name" format. For example, C:12 or N:My ISP. This field is optional and depends on the requirements of your xDSL modem.
Figure 19 Internet Access Setup Complete
3.2.3 Internet Access Wizard: Registration
If you clicked Next in the previous screen (see Figure 18 on page 72), the following screen displays. Use this screen to register the ZyWALL with myZyXEL.com. You must register your ZyWALL before you can activate a trial application of a service such as content filtering.
Note: If you want to activate a standard service with your iCard's PIN number (license key), use the REGISTRATION > Service screen.
Figure 20 Internet Access Wizard: Registration
The following table describes the labels in this screen.
Table 14 Internet Access Wizard: Registration
Device Registration: If you select Existing myZyXEL.com account, only the User Name and Password fields are available.
New myZyXEL.com account: If you haven't created an account at myZyXEL.com, select this option and configure the following fields to create an account and register your ZyWALL.
Existing myZyXEL.
Figure 21 Internet Access Wizard: Registration in Progress
Click Close to leave the wizard screen when the registration and activation are done.
Figure 22 Internet Access Wizard: Status
The following screen appears if the registration was not successful. Click Return to go back to the Device Registration screen and check your settings.
Figure 24 Internet Access Wizard: Registered Device
Figure 25 Internet Access Wizard: Activated Services
3.3 VPN Wizard Gateway Setting
Use this screen to name the VPN gateway policy (IKE SA) and identify the IPSec routers at either end of the VPN tunnel. Click VPN Setup in the Wizard Setup Welcome screen (Figure 14 on page 67) to open the VPN configuration wizard. The first screen displays as shown next.
Figure 26 VPN Wizard: Gateway Setting
The following table describes the labels in this screen.
Table 15 VPN Wizard: Gateway Setting
Gateway Policy Property
Name: Type up to 32 characters to identify this VPN gateway policy. You may use any character, including spaces, but the ZyWALL drops trailing spaces.
Gateway Policy Setting
My ZyWALL: When the ZyWALL is in router mode, enter the WAN IP address or the domain name of your ZyWALL or leave the field set to 0.0.0.
Two active SAs cannot have the local and remote IP address(es) both the same. Two active SAs can have the same local or remote IP address, but not both. You can configure multiple SAs between the same local and remote IP addresses, as long as only one is active at any time.
Figure 27 VPN Wizard: Network Setting
The following table describes the labels in this screen.
Table 16 VPN Wizard: Network Setting
Remote Network: Remote IP addresses must be static and correspond to the remote IPSec router's configured local IP addresses. Select Single for a single IP address. Select Range IP for a specific range of IP addresses. Select Subnet to specify IP addresses on a network by their subnet mask.
The following table describes the labels in this screen.
Table 17 VPN Wizard: IKE Tunnel Setting
Negotiation Mode: Select Main Mode for identity protection. Select Aggressive Mode to allow more incoming connections from dynamic IP addresses to use separate passwords.
Note: Multiple SAs (security associations) connecting through a secure gateway must have the same negotiation mode.
Figure 29 VPN Wizard: IPSec Setting
The following table describes the labels in this screen.
Table 18 VPN Wizard: IPSec Setting
Encapsulation Mode: Tunnel is compatible with NAT, Transport is not. Tunnel mode encapsulates the entire IP packet to transmit it securely. Tunnel mode is required for gateway services to provide access to internal systems. Tunnel mode is fundamentally an IP tunnel with authentication and encryption.
Table 18 VPN Wizard: IPSec Setting (continued)
Perfect Forward Secret (PFS): Perfect Forward Secret (PFS) is disabled (None) by default in phase 2 IPSec SA setup. This allows faster IPSec setup, but is not so secure. Select DH1 or DH2 to enable PFS. DH1 refers to Diffie-Hellman Group 1, a 768-bit random number. DH2 refers to Diffie-Hellman Group 2, a 1024-bit (1Kb) random number (more secure, yet slower).
Back: Click Back to return to the previous screen.
The following table describes the labels in this screen.
Table 19 VPN Wizard: VPN Status
Gateway Policy Property
Name: This is the name of this VPN gateway policy.
Gateway Policy Setting
My ZyWALL: This is the WAN IP address or the domain name of your ZyWALL in router mode or the ZyWALL's IP address in bridge mode.
Remote Gateway Address: This is the IP address or the domain name used to identify the remote IPSec router.
Table 19 VPN Wizard: VPN Status (continued)
IPSec Protocol: ESP or AH are the security protocols used for an SA.
Encryption Algorithm: This is the method of data encryption. Options can be DES, 3DES, AES or NULL.
Authentication Algorithm: MD5 (Message Digest 5) and SHA1 (Secure Hash Algorithm) are hash algorithms used to authenticate packet data.
SA Life Time (Seconds): This is the length of time before an IKE SA automatically renegotiates.
CHAPTER 4 Tutorial
This chapter describes how to apply security settings to VPN traffic, how to set up your ZyWALL if you have more than one fixed (static) IP address from your ISP and how to allocate bandwidth and apply priorities to traffic that flows out through the ZyWALL's WAN port.
4.1 Security Settings for VPN Traffic
The ZyWALL can apply the firewall and content filtering to the traffic going to or from the ZyWALL's VPN tunnels.
Figure 32 Firewall Rule for VPN
4.1.2 Configuring the VPN Rule
This section shows how to configure a VPN rule on device A to let the network behind B access the FTP server. You would also have to configure a corresponding rule on device B.
1 Click Security > VPN to open the following screen. Click the Add Gateway Policy icon.
Figure 33 SECURITY > VPN > VPN Rules (IKE)
2 Use this screen to set up the connection between the routers.
Figure 34 SECURITY > VPN > VPN Rules (IKE) > Add Gateway Policy
3 Click the Add Network Policy icon.
Figure 35 SECURITY > VPN > VPN Rules (IKE): With Gateway Policy Example
4 Use this screen to specify which computers behind the routers can use the VPN tunnel. Configure the fields that are circled as follows and click Apply. You may notice that the example does not specify the port numbers. This is due to the following reasons.
• While FTP uses a control session on port 20, the port for the data session is not fixed.
Figure 36 SECURITY > VPN > VPN Rules (IKE) > Add Network Policy
4.1.3 Configuring the Firewall Rules
Suppose you have several VPN tunnels but you only want to allow device B's network to access the FTP server. You also only want FTP traffic to go to the FTP server, so you want to block all other traffic types (like chat, e-mail, web and so on). The following sections show how to configure firewall rules to enforce these restrictions.
4.1.3.
1 Click Security > Firewall > Rule Summary.
2 Select VPN to LAN as the packet direction and click Insert.
Figure 37 SECURITY > FIREWALL > Rule Summary
3 Configure the rule as follows and click Apply. The source addresses are the VPN rule's remote network and the destination address is the LAN FTP server.
Figure 38 SECURITY > FIREWALL > Rule Summary > Edit: Allow
4 The rule displays in the summary list of VPN to LAN firewall rules.
Figure 39 SECURITY > FIREWALL > Rule Summary: Allow
4.1.3.2 Default Firewall Rule to Block Other Access Example
Now you configure the default firewall rule to block all VPN to LAN traffic. This blocks any other types of access from VPN tunnels to the LAN FTP server. This means that you need to configure more firewall rules if you want to allow any other VPN tunnels to access the LAN.
1 Click SECURITY > FIREWALL > Default Rule.
2 Configure the screen as follows and click Apply.
4.2.1 Example Parameters and Scenario
The following table shows the public IP addresses from your ISP and your ZyWALL's LAN IP address.
Public IP Addresses: 1.2.3.4 to 1.2.3.7
ZyWALL's LAN IP Address: 192.168.1.1
The following figure shows the network you want to set up in this example.
• Assign the first public address (1.2.3.4) to the ZyWALL's WAN port.
• Map the second and third public IP addresses (1.2.3.5 and 1.2.3.6) to the web and mail servers (192.168.1.12 and 192.168.1.
4.2.2 Configuring the WAN Connection with a Static IP Address
The following table shows the information your ISP gave you for Internet connection.
Encapsulation: PPPoE
Public IP Addresses: 1.2.3.4, 1.2.3.5, 1.2.3.6, 1.2.3.7
Gateway IP Address: 1.2.3.89
Subnet Mask: 255.255.255.0
User Name: exampleuser
Password: abcd1234
DNS Server: 1.2.1.1, 1.2.1.2
Follow the steps below to configure your ZyWALL for Internet access using PPPoE in this example.
Figure 43 Tutorial Example: WAN Screen
6 Click ADVANCED > DNS.
7 The System screen displays. Click the Insert button to configure the IP address of the DNS server the ZyWALL can query to resolve domain names.
Figure 44 Tutorial Example: DNS > System
8 Select Public DNS Server and enter the first DNS server's IP address given by your ISP. Click Apply.
Figure 45 Tutorial Example: DNS > System Edit-1
9 Enter the rule number (2) where you want to put the second record and click the Insert button to configure the second DNS server's IP address as follows. Click Apply.
Note: To resolve a domain name, the ZyWALL checks it against the name server record entries in the order that they appear in this list.
Figure 46 Tutorial Example: DNS > System Edit-2
10 The DNS > System screen should look as shown.
Figure 47 Tutorial Example: DNS > System: Done
11 Go to the Home screen to check your WAN connection status. Make sure the status is not down.
Figure 48 Tutorial Example: Status
4.2.3 Public IP Address Mapping
To have the local computers and servers use specific WAN IP addresses, you need to map static public IP addresses to them.
Note: The one-to-one NAT address mapping rules are for both incoming and outgoing connections. The ZyWALL forwards traffic that is initiated from either the LAN or the WAN to the destination IP address. The many-to-one or many-to-many NAT address mapping rules are for outgoing connections only. That means only traffic initiated from the LAN or returned packets are allowed to go through the ZyWALL.
In this example, you create two one-to-one rules to map the internal web server (192.168.1.
Figure 50 Tutorial Example: NAT > NAT Overview
3 Click the Address Mapping tab.
4 Click the first rule's Edit icon in the Modify column to display the Address Mapping Rule screen.
Figure 51 Tutorial Example: NAT > Address Mapping
5 Map a public IP address to the web server.
Select the One-to-One type and enter 192.168.1.12 as the local start IP address and 1.2.3.5 as the global start IP address. Click Apply.
Figure 52 Tutorial Example: NAT Address Mapping Edit: One-to-One (1)
6 Click the second rule's Edit icon.
7 Map a public IP address to the mail server. Select the One-to-One type and enter 192.168.1.13 as the local start IP address and 1.2.3.6 as the global start IP address. Click Apply.
Figure 54 Tutorial Example: NAT Address Mapping Edit: Many-to-One
10 After the configurations, the Address Mapping screen looks as shown. You still have one IP address (1.2.3.7) that can be assigned to another internal server when you expand your network.
Figure 55 Tutorial Example: NAT Address Mapping Done
Note: To allow traffic from the WAN to be forwarded through the ZyXEL Device, you must also create a firewall rule. Refer to Section 4.2.5 on page 103 for more information.
4.2.4 Forwarding Traffic from the WAN to a Local Computer
A server NAT address mapping rule allows computers behind the NAT to be accessible to the outside world. To have the ZyWALL forward incoming traffic to a specific computer on your local network, you should also create a port forwarding (server mapping) rule. In this example, you want to forward FTP traffic using port 21 to the computer with the IP address of 192.168.1.39.
Figure 58 Tutorial Example: NAT Port Forwarding
4.2.5 Allow WAN-to-LAN Traffic through the Firewall
By default, the ZyWALL blocks any traffic initiated from the WAN to the LAN. To have the ZyWALL forward traffic initiated from the WAN to a local computer or server on the LAN, you need to configure a firewall rule to allow it.
1 Click SECURITY > FIREWALL.
2 Make sure the firewall is enabled and traffic from the WAN to the LAN is dropped.
Figure 60 Tutorial Example: Firewall Default Rule
3 Go to the Rule Summary screen.
4 Select the WAN to LAN packet direction and click the Insert button to create a new firewall rule.
Figure 61 Tutorial Example: Firewall Rule: WAN to LAN
5 Configure a firewall rule to allow traffic from the WAN to the web server. Enter a descriptive name (W-L_Web for example).
Figure 62 Tutorial Example: Firewall Rule: WAN to LAN Address Edit for Web Server
6 Select Any(All) in the Available Services box on the left, and click >> to add it to the Selected Service(s) box on the right. Click Apply.
7 Click the Insert button to configure a firewall rule to allow traffic from the WAN to the mail server. Enter a descriptive name (W-L_Mail for example). Select Any in the Destination Address(es) box and click Delete. Select Single Address as the destination address type. Enter 192.168.1.13 and click Add.
Figure 65 Tutorial Example: Firewall Rule: WAN to LAN Service Edit for Mail Server
9 Click the Insert button to configure a firewall rule to allow FTP traffic from the WAN to the FTP server. Enter a descriptive name (W-L_FTP for example). Select Any in the Destination Address(es) box and click Delete. Select Single Address as the destination address type. Enter 192.168.1.39 and click Add.
Figure 66 Tutorial Example: Firewall Rule: WAN to LAN Address Edit for FTP Server
10 Select FTP(TCP:20,21) in the Available Services box on the left, and click >> to add it to the Selected Service(s) box on the right. Click Apply.
11 When you are done, the Rule Summary screen looks as shown.
Figure 68 Tutorial Example: Firewall Rule Summary
4.2.6 Testing the Connections
1 Open the web browser on one of the local computers and enter any web site's URL in the address bar. If you can access the web site, your WAN connection and NAT address mapping are configured successfully. If you cannot access it, make sure you entered the correct information in the WAN and NAT Address Mapping screens.
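A small model of the NAT address mapping and WAN to LAN firewall behaviour that sections 4.2.3 to 4.2.5 configure, added here as an illustration; it is not code from the ZyWALL or this guide. It uses the tutorial's addresses, but the mail rule's service list, the many-to-one range in Figure 54 and the first-match rule order are assumptions of the model.

```python
from dataclasses import dataclass
from ipaddress import ip_address
from typing import Optional

ANY = "Any"  # the configurator's Any / Any(All) choice


@dataclass
class OneToOne:        # applies to incoming and outgoing connections (note in 4.2.3)
    local_ip: str
    global_ip: str


@dataclass
class ManyToOne:       # outgoing connections only
    local_start: str
    local_end: str
    global_ip: str


@dataclass
class PortForward:     # server mapping on the WAN address (4.2.4)
    port: int
    local_ip: str


@dataclass
class FirewallRule:    # one WAN to LAN rule from the Rule Summary screen (4.2.5)
    name: str
    dest_ip: str       # a single LAN address or ANY
    services: frozenset  # entries such as "TCP/21", or {ANY}


@dataclass
class Verdict:
    local_ip: Optional[str]  # LAN address the packet is translated to, if any
    allowed: bool
    reason: str


class ZyWallModel:
    def __init__(self, wan_ip, one_to_one, many_to_one, port_forwards,
                 fw_rules, default_wan_to_lan="drop"):
        self.wan_ip = wan_ip
        self.one_to_one = one_to_one
        self.many_to_one = many_to_one
        self.port_forwards = port_forwards
        self.fw_rules = fw_rules
        self.default_wan_to_lan = default_wan_to_lan  # Default Rule screen setting

    def inbound(self, dst_public_ip: str, proto: str, port: int) -> Verdict:
        """A connection initiated from the WAN: address mapping, then the WAN to LAN rules."""
        local = None
        for rule in self.one_to_one:
            if rule.global_ip == dst_public_ip:
                local = rule.local_ip
                break
        if local is None and dst_public_ip == self.wan_ip:
            for pf in self.port_forwards:
                if pf.port == port:
                    local = pf.local_ip
                    break
        if local is None:
            # Many-to-one rules are never consulted here: they are for outgoing connections.
            return Verdict(None, False, "no inbound NAT mapping")
        service = f"{proto}/{port}"
        for rule in self.fw_rules:  # assumption: the first matching rule wins
            if rule.dest_ip in (ANY, local) and (ANY in rule.services or service in rule.services):
                return Verdict(local, True, f"permitted by rule {rule.name}")
        return Verdict(local, self.default_wan_to_lan == "permit", "default WAN to LAN rule")

    def outbound_source(self, src_local_ip: str) -> Optional[str]:
        """Public address a LAN host appears as for a connection it initiates."""
        for rule in self.one_to_one:
            if rule.local_ip == src_local_ip:
                return rule.global_ip
        src = ip_address(src_local_ip)
        for rule in self.many_to_one:
            if ip_address(rule.local_start) <= src <= ip_address(rule.local_end):
                return rule.global_ip
        return None


def tutorial_model(with_firewall_rules: bool = True) -> ZyWallModel:
    """The configuration built in sections 4.2.2 to 4.2.5, using the tutorial's addresses."""
    rules = [
        FirewallRule("W-L_Web", "192.168.1.12", frozenset({ANY})),
        # The mail rule's selected services are not shown in the text; SMTP and POP3 are assumed.
        FirewallRule("W-L_Mail", "192.168.1.13", frozenset({"TCP/25", "TCP/110"})),
        FirewallRule("W-L_FTP", "192.168.1.39", frozenset({"TCP/20", "TCP/21"})),
    ] if with_firewall_rules else []
    return ZyWallModel(
        wan_ip="1.2.3.4",
        one_to_one=[OneToOne("192.168.1.12", "1.2.3.5"), OneToOne("192.168.1.13", "1.2.3.6")],
        # Figure 54's many-to-one rule is assumed to map the whole LAN to the WAN address.
        many_to_one=[ManyToOne("192.168.1.1", "192.168.1.254", "1.2.3.4")],
        port_forwards=[PortForward(21, "192.168.1.39")],
        fw_rules=rules,
    )
```

Running `tutorial_model(with_firewall_rules=False).inbound("1.2.3.5", "TCP", 80)` shows the point of the note in 4.2.3: the packet is translated to the web server but still dropped by the default WAN to LAN rule.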
In this example, you have four static IP addresses (1.2.3.4 to 1.2.3.7) from your ISP. After you set up your WAN connection (see Section 4.2.2 on page 94), use the NAT > Address Mapping screen to map the third and fourth public IP addresses to the mail server (192.168.1.12) and web server (192.168.1.13) respectively. The first and second public IP addresses are mapped to other outgoing LAN traffic. See Section 4.2.3 on page 97 for more information about IP address mapping.
4.4.1 Example Parameters and Scenario
The following figure shows the network you want to set up in this example. The WAN port has an upstream (outgoing) speed of 512 kbps. To prevent SIP-based VoIP (Voice over IP) traffic from getting delayed due to heavy WWW or FTP traffic, you reserve 128 kbps of bandwidth for outgoing VoIP traffic (from LAN to WAN) and give it higher priority than FTP or WWW traffic.
Figure 71 Tutorial Example: Bandwidth Management Summary
7 Click the Class Setup tab.
8 Select the WAN interface and click the Add Sub-Class button to create a rule for VoIP traffic.
Figure 72 Tutorial Example: Bandwidth Management Class Setup
9 Enter a descriptive name (WAN_VoIP for example), the maximum bandwidth allowed and a priority for VoIP traffic. The higher the number, the higher the priority.
10 Enable this filter and select the SIP service.
Figure 73 Tutorial Example: Bandwidth Management Class Setup: VoIP
12 Click the Add Sub-Class button to create a rule for FTP traffic as follows. Click Apply.
Figure 74 Tutorial Example: Bandwidth Management Class Setup: FTP
13 Click the Add Sub-Class button to create a rule for WWW traffic as follows. Click Apply.
Figure 75 Tutorial Example: Bandwidth Management Class Setup: WWW
14 When you are finished, the Class Setup screen looks as shown.
Figure 76 Tutorial Example: Bandwidth Management Class Setup Done
15 Use the Monitor screen to view the bandwidth usage and allotments for the WAN interface.
Figure 77 Tutorial Example: Bandwidth Management Monitor
CHAPTER 5 Registration
5.1 myZyXEL.com overview
myZyXEL.com is ZyXEL's online services center where you can register your ZyWALL and manage subscription services available for the ZyWALL.
Note: You need to create an account before you can register your device and activate the services at myZyXEL.com.
You can directly create a myZyXEL.com account, register your ZyWALL and activate a service using the REGISTRATION screen. Alternatively, go to http://www.myZyXEL.
5.2 Registration
To register your ZyWALL with myZyXEL.com and activate the content filtering service, click REGISTRATION in the navigation panel to open the screen as shown next.
Figure 78 REGISTRATION
The following table describes the labels in this screen.
Table 20 REGISTRATION
Device Registration: If you select Existing myZyXEL.com account, only the User Name and Password fields are available.
New myZyXEL.
Table 20 REGISTRATION (continued)
Apply: Click Apply to save your changes back to the ZyWALL.
Reset: Click Reset to begin configuring this screen afresh.
Note: If the ZyWALL is registered already, this screen is read-only and indicates whether trial services are activated. Use the Service screen to update your service subscription status.
Figure 79 REGISTRATION: Registered Device
5.
Figure 80 REGISTRATION > Service
The following table describes the labels in this screen.
Table 21 REGISTRATION > Service
Service Management
Service: This field displays the service name available on the ZyWALL.
Status: This field displays whether a service is activated (Active) or not (Inactive).
Registration Type: This field displays whether you applied for a trial application (Trial) or registered a service with your iCard's PIN number (Standard).
PART II Network
LAN Screens (123)
Bridge Screens (135)
WAN Screens (141)
DMZ Screens (161)
Wireless LAN (171)
CHAPTER 6 LAN Screens
This chapter describes how to configure LAN settings. This chapter is only applicable when the ZyWALL is in router mode.
6.1 LAN, WAN and the ZyWALL
A network is a shared communication system to which many computers are attached. The Local Area Network (LAN) includes the computers and networking devices in your home or office that you connect to the ZyWALL's LAN ports.
Where you obtain your network number depends on your particular situation. If the ISP or your network administrator assigns you a block of registered IP addresses, follow their instructions in selecting the IP addresses and the subnet mask. If the ISP did not explicitly give you an IP network number, then most likely you have a single user account and the ISP will assign you a dynamic IP address when the connection is established.
6.3 DHCP
The ZyWALL can use DHCP (Dynamic Host Configuration Protocol, RFC 2131 and RFC 2132) to automatically assign IP addresses, subnet masks, gateways, and some network information like the IP addresses of DNS servers to the computers on your LAN. You can alternatively have the ZyWALL relay DHCP information from another DHCP server. If you disable the ZyWALL's DHCP service, you must have another DHCP server on your LAN, or else the computers must be manually configured.
6.3.
224.0.0.0 is not assigned to any group and is used by IP multicast computers. The address 224.0.0.1 is used for query messages and is assigned to the permanent group of all IP hosts (including gateways). All hosts must join the 224.0.0.1 group in order to participate in IGMP. The address 224.0.0.2 is assigned to the multicast routers group. The ZyWALL supports both IGMP version 1 (IGMP-v1) and IGMP version 2 (IGMP-v2).
Figure 82 NETWORK > LAN
The following table describes the labels in this screen.
Table 22 NETWORK > LAN
LAN TCP/IP
IP Address: Type the IP address of your ZyWALL in dotted decimal notation. 192.168.1.1 is the factory default. Alternatively, click the right mouse button to copy and/or paste the IP address.
IP Subnet Mask: The subnet mask specifies the network number portion of an IP address.
Table 22 NETWORK > LAN (continued)
Multicast: Select IGMP V-1 or IGMP V-2 or None. IGMP (Internet Group Multicast Protocol) is a network-layer protocol used to establish membership in a Multicast group; it is not used to carry user data. IGMP version 2 (RFC 2236) is an improvement over version 1 (RFC 1112) but IGMP version 1 is still in wide use.
6.8 LAN Static DHCP
This table allows you to assign IP addresses on the LAN to specific individual computers based on their MAC addresses. Every Ethernet device has a unique MAC (Media Access Control) address. The MAC address is assigned at the factory and consists of six pairs of hexadecimal characters, for example, 00:A0:C5:00:00:02. To change your ZyWALL's static DHCP settings, click NETWORK > LAN > Static DHCP. The screen appears as shown.
The following table describes the labels in this screen.
Table 23 NETWORK > LAN > Static DHCP
#: This is the index number of the Static IP table entry (row).
MAC Address: Type the MAC address of a computer on your LAN.
IP Address: Type the IP address that you want to assign to the computer on your LAN. Alternatively, click the right mouse button to copy and/or paste the IP address.
Apply: Click Apply to save your changes back to the ZyWALL.
Figure 85 NETWORK > LAN > IP Alias
The following table describes the labels in this screen.
Table 24 NETWORK > LAN > IP Alias
Enable IP Alias 1, 2: Select the check box to configure another LAN network for the ZyWALL.
IP Address: Enter the IP address of your ZyWALL in dotted decimal notation. Alternatively, click the right mouse button to copy and/or paste the IP address.
6.10 LAN Port Roles
Use the Port Roles screen to set ports as part of the LAN, DMZ and/or WLAN interface. Ports 1~4 on the ZyWALL can be part of the LAN, DMZ or WLAN interface.
Note: Do the following if you are configuring from a computer connected to a LAN, DMZ or WLAN port and changing the port's role:
1 A port's IP address varies as its role changes, so make sure your computer's IP address is in the same subnet as the ZyWALL's LAN, DMZ or WLAN IP address.
Table 25 NETWORK > LAN > Port Roles (continued)
Apply: Click Apply to save your changes back to the ZyWALL.
Reset: Click Reset to begin configuring this screen afresh.
After you change the LAN/DMZ/WLAN port roles and click Apply, please wait for a few seconds until the following screen appears. Click Return to go back to the Port Roles screen.
CHAPTER 7 Bridge Screens
This chapter describes how to configure bridge settings. This chapter is only applicable when the ZyWALL is in bridge mode.
7.1 Bridge Loop
The ZyWALL can act as a bridge between a switch and a wired LAN or between two routers. Be careful to avoid bridge loops when you enable bridging in the ZyWALL. Bridge loops cause broadcast traffic to circle the network endlessly, resulting in possible throughput degradation and disruption of communications.
7.2 Spanning Tree Protocol (STP)
STP detects and breaks network loops and provides backup links between switches, bridges or routers. It allows a bridge to interact with other STP-compliant bridges in your network to ensure that only one route exists between any two stations on the network.
7.2.1 Rapid STP
The ZyWALL uses IEEE 802.
Once a stable network topology has been established, all bridges listen for Hello BPDUs (Bridge Protocol Data Units) transmitted from the root bridge. If a bridge does not get a Hello BPDU after a predefined interval (Max Age), the bridge assumes that the link to the root bridge is down. This bridge then initiates negotiations with other bridges to reconfigure the network to re-establish a valid network topology.
7.2.
Figure 89 NETWORK > Bridge
The following table describes the labels in this screen.
Table 28 NETWORK > Bridge
Bridge IP Address Setup
IP Address: Type the IP address of your ZyWALL in dotted decimal notation. Use an IP address in the same subnet as the network to which you connect the ZyWALL. Make sure the IP address does not conflict with any other device on the network.
Table 28 NETWORK > Bridge (continued)
Rapid Spanning Tree Protocol Setup
Enable Rapid Spanning Tree Protocol: Select the check box to activate RSTP on the ZyWALL.
Bridge Priority: Enter a number between 0 and 61440 as bridge priority of the ZyWALL. Bridge priority is used in determining the root switch, root port and designated port. The switch with the highest priority (lowest numeric value) becomes the root.
Figure 90 NETWORK > Bridge > Port Roles
The following table describes the labels in this screen.
Table 29 NETWORK > Bridge > Port Roles
LAN: Select a port's LAN radio button to use the port as part of the LAN.
DMZ: Select a port's DMZ radio button to use the port as part of the DMZ.
WLAN: Select a port's WLAN radio button to use the port as part of the WLAN.
Apply: Click Apply to save your changes back to the ZyWALL.
CHAPTER 8 WAN Screens
This chapter describes how to configure WAN settings.
8.1 WAN Overview
• Use the Route screen to configure route priority for the ZyWALL.
• Use the WAN screen to configure the WAN port for Internet access on the ZyWALL.
• Use the Traffic Redirect screen to configure your traffic redirect properties and parameters.
• Use the Dial Backup screen to configure the backup WAN dial-up connection.
8.2 TCP/IP Priority (Metric)
The metric represents the "cost of transmission".
Figure 92 NETWORK > WAN Route
The following table describes the labels in this screen.
Table 30 NETWORK > WAN Route
Route Priority
WAN / Traffic Redirect / Dial Backup: The default WAN connection is "1" as your broadband connection via the WAN port should always be your preferred method of accessing the WAN.
Table 30 NETWORK > WAN Route (continued)
Allow Trigger Dial: Select this option to allow NetBIOS packets to initiate calls.
Apply: Click Apply to save your changes back to the ZyWALL.
Reset: Click Reset to begin configuring this screen afresh.
8.4 WAN IP Address Assignment
Every computer on the Internet must have a unique IP address.
3 You can manually enter the IP addresses of other DNS servers. These servers can be public or private. A DNS server could even be behind a remote IPSec router (see Section 20.5.1 on page 344).
8.6 WAN MAC Address
Every Ethernet device has a unique MAC (Media Access Control) address. The MAC address is assigned at the factory and consists of six pairs of hexadecimal characters, for example, 00:A0:C5:00:00:02.
Figure 93 NETWORK > WAN > WAN (Ethernet Encapsulation)
The following table describes the labels in this screen.
Table 33 NETWORK > WAN > WAN (Ethernet Encapsulation)
ISP Parameters for Internet Access
Encapsulation: You must choose the Ethernet option when the WAN port is used as a regular Ethernet.
Table 33 NETWORK > WAN > WAN (Ethernet Encapsulation) (continued)
Relogin Every(min) (Telia Login only): The Telia server logs the ZyWALL out if the ZyWALL does not log in periodically. Type the number of minutes from 1 to 59 (30 default) for the ZyWALL to wait between logins.
WAN IP Address Assignment
Get automatically from ISP: Select this option if your ISP did not assign you a fixed IP address. This is the default selection.
Table 33 NETWORK > WAN > WAN (Ethernet Encapsulation) (continued)
Multicast Version: Choose None (default), IGMP-V1 or IGMP-V2. IGMP (Internet Group Multicast Protocol) is a session-layer protocol used to establish membership in a Multicast group; it is not used to carry user data. IGMP version 2 (RFC 2236) is an improvement over version 1 (RFC 1112) but IGMP version 1 is still in wide use.
Figure 94 NETWORK > WAN > WAN (PPPoE Encapsulation)
The following table describes the labels in this screen.
Table 34 NETWORK > WAN > WAN (PPPoE Encapsulation)
ISP Parameters for Internet Access
Encapsulation: The PPPoE choice is for a dial-up connection using PPPoE. The router supports PPPoE (Point-to-Point Protocol over Ethernet). PPPoE is an IETF standard (RFC 2516) specifying how a personal computer (PC) interacts with a broadband modem (i.e.
Table 34 NETWORK > WAN > WAN (PPPoE Encapsulation) (continued)
Authentication Type: Use the drop-down list box to select an authentication protocol for outgoing calls. Options are:
CHAP/PAP - Your ZyWALL accepts either CHAP or PAP when requested by this remote node.
CHAP - Your ZyWALL accepts CHAP only.
PAP - Your ZyWALL accepts PAP only.
Nailed-Up: Select Nailed-Up if you do not want the connection to time out.
Table 34 NETWORK > WAN > WAN (PPPoE Encapsulation) (continued)
Multicast Version: Choose None (default), IGMP-V1 or IGMP-V2. IGMP (Internet Group Multicast Protocol) is a session-layer protocol used to establish membership in a Multicast group; it is not used to carry user data. IGMP version 2 (RFC 2236) is an improvement over version 1 (RFC 1112) but IGMP version 1 is still in wide use.
Figure 95 NETWORK > WAN > WAN (PPTP Encapsulation)
The following table describes the labels in this screen.
Table 35 NETWORK > WAN > WAN (PPTP Encapsulation)
ISP Parameters for Internet Access
Encapsulation: Point-to-Point Tunneling Protocol (PPTP) is a network protocol that enables secure transfer of data from a remote client to a private server, creating a Virtual Private Network (VPN) using TCP/IP-based networks.
Table 35 NETWORK > WAN > WAN (PPTP Encapsulation) (continued)
Authentication Type: Use the drop-down list box to select an authentication protocol for outgoing calls. Options are:
CHAP/PAP - Your ZyWALL accepts either CHAP or PAP when requested by this remote node.
CHAP - Your ZyWALL accepts CHAP only.
PAP - Your ZyWALL accepts PAP only.
Nailed-up: Select Nailed-Up if you do not want the connection to time out.
Chapter 8 WAN Screens Table 35 NETWORK > WAN > WAN (PPTP Encapsulation) (continued) LABEL DESCRIPTION RIP Version The RIP Version field controls the format and the broadcasting method of the RIP packets that the ZyWALL sends (it recognizes both formats when receiving). Choose RIP-1, RIP-2B or RIP-2M. RIP-1 is universally supported; but RIP-2 carries more information. RIP-1 is probably adequate for most networks, unless you have an unusual network topology.
Chapter 8 WAN Screens Figure 96 Traffic Redirect WAN Setup IP alias allows you to avoid triangle route security issues when the backup gateway is connected to the LAN or DMZ. Use IP alias to configure the LAN into two or three logical networks with the ZyWALL itself as the gateway for each LAN network. Put the protected LAN in one subnet (Subnet 1 in the following figure) and the backup gateway in another subnet (Subnet 2).
Chapter 8 WAN Screens The following table describes the labels in this screen. Table 36 NETWORK > WAN > Traffic Redirect LABEL DESCRIPTION Active Select this check box to have the ZyWALL use traffic redirect if the normal WAN connection goes down. Backup Gateway IP Address Type the IP address of your backup gateway in dotted decimal notation. The ZyWALL automatically forwards traffic to this IP address if the ZyWALL's Internet connection terminates.
Chapter 8 WAN Screens Figure 99 NETWORK > WAN > Dial Backup The following table describes the labels in this screen. Table 37 NETWORK > WAN > Dial Backup LABEL DESCRIPTION Dial Backup Setup Enable Dial Backup Select this check box to turn on dial backup. Basic Settings Login Name Type the login name assigned by your ISP. Password Type the password assigned by your ISP. Retype to Confirm Type your password again to make sure that you have entered it correctly.
Chapter 8 WAN Screens Table 37 NETWORK > WAN > Dial Backup (continued) LABEL DESCRIPTION Primary/ Secondary Phone Number Type the first (primary) phone number from the ISP for this remote node. If the Primary Phone number is busy or does not answer, your ZyWALL dials the Secondary Phone number if available. Some areas require dialing the pound sign # before the phone number for local calls. Include a # symbol at the beginning of the phone numbers as required.
Chapter 8 WAN Screens Table 37 NETWORK > WAN > Dial Backup (continued) LABEL DESCRIPTION RIP Direction RIP (Routing Information Protocol) allows a router to exchange routing information with other routers. The RIP Direction field controls the sending and receiving of RIP packets. Choose Both, In Only or Out Only. When set to Both or Out Only, the ZyWALL will broadcast its routing table periodically. When set to Both or In Only, the ZyWALL will incorporate RIP information that it receives. Note that with Both or In Only, any router on the dial backup link can alter the ZyWALL's routing table by sending RIP updates, and with Both or Out Only the ZyWALL discloses its routing table to that link; accept RIP only from a peer router you trust.
Chapter 8 WAN Screens 8.11.2 DTR Signal The majority of WAN devices default to hanging up the current call when the DTR (Data Terminal Ready) signal is dropped by the DTE. When the Drop DTR When Hang Up check box is selected, the ZyWALL uses this hardware signal to force the WAN device to hang up, in addition to issuing the drop command ATH. 8.11.3 Response Strings The response strings tell the ZyWALL the tags, or labels, immediately preceding the various call parameters sent from the WAN device.
Chapter 8 WAN Screens The following table describes the labels in this screen. Table 38 NETWORK > WAN > Dial Backup > Edit LABEL DESCRIPTION AT Command Strings Dial Type the AT Command string to make a call. Drop Type the AT Command string to drop a call. "~" represents a one second wait, for example, "~~~+++~~ath" can be used if your modem has a slow response time. Answer Type the AT Command string to answer a call.
CHAPTER 9 DMZ Screens This chapter describes how to configure the ZyWALL’s DMZ. 9.1 DMZ The DeMilitarized Zone (DMZ) provides a way for public servers (Web, e-mail, FTP, etc.) to be visible to the outside world (while still being protected from DoS (Denial of Service) attacks such as SYN flooding and Ping of Death). These public servers can also still be accessed from the secure LAN.
Chapter 9 DMZ Screens Figure 101 NETWORK > DMZ The following table describes the labels in this screen. Table 39 NETWORK > DMZ LABEL DESCRIPTION DMZ TCP/IP IP Address Type the IP address of your ZyWALL’s DMZ port in dotted decimal notation. Note: Make sure the IP addresses of the LAN, WAN, WLAN and DMZ are on separate subnets. IP Subnet Mask The subnet mask specifies the network number portion of an IP address.
Chapter 9 DMZ Screens Table 39 NETWORK > DMZ (continued) LABEL DESCRIPTION Multicast Select IGMP V-1 or IGMP V-2 or None. IGMP (Internet Group Management Protocol) is a network-layer protocol used to establish membership in a Multicast group - it is not used to carry user data. IGMP version 2 (RFC 2236) is an improvement over version 1 (RFC 1112) but IGMP version 1 is still in wide use.
Chapter 9 DMZ Screens 9.3 DMZ Static DHCP This table allows you to assign IP addresses on the DMZ to specific individual computers based on their MAC addresses. Every Ethernet device has a unique MAC (Media Access Control) address. The MAC address is assigned at the factory and consists of six pairs of hexadecimal characters, for example, 00:A0:C5:00:00:02. To change your ZyWALL’s static DHCP settings on the DMZ, click NETWORK > DMZ > Static DHCP. The screen appears as shown.
Chapter 9 DMZ Screens The following table describes the labels in this screen. Table 40 NETWORK > DMZ > Static DHCP LABEL DESCRIPTION # This is the index number of the Static IP table entry (row). MAC Address Type the MAC address of a computer on your DMZ. IP Address Type the IP address that you want to assign to the computer on your DMZ. Alternatively, click the right mouse button to copy and/or paste the IP address. Apply Click Apply to save your changes back to the ZyWALL.
Chapter 9 DMZ Screens Figure 103 NETWORK > DMZ > IP Alias The following table describes the labels in this screen. Table 41 NETWORK > DMZ > IP Alias LABEL DESCRIPTION Enable IP Alias 1, 2 Select the check box to configure another DMZ network for the ZyWALL. IP Address Enter the IP address of your ZyWALL in dotted decimal notation. Note: Make sure the IP addresses of the LAN, WAN, WLAN and DMZ are on separate subnets.
Chapter 9 DMZ Screens 9.5 DMZ Public IP Address Example The following figure shows a simple network setup with public IP addresses on the WAN and DMZ and private IP addresses on the LAN. Lower case letters represent public IP addresses (like a.b.c.d for example). The LAN port and connected computers (A through C) use private IP addresses that are in one subnet. The DMZ port and connected servers (D through F) use public IP addresses that are in another subnet.
Chapter 9 DMZ Screens Figure 105 DMZ Private and Public Address Example 9.7 DMZ Port Roles Use the Port Roles screen to set ports as part of the LAN, DMZ and/or WLAN interface. Ports 1~4 on the ZyWALL can be part of the LAN, DMZ or WLAN interface.
Chapter 9 DMZ Screens Figure 106 NETWORK > DMZ > Port Roles The following table describes the labels in this screen. Table 42 NETWORK > DMZ > Port Roles LABEL DESCRIPTION LAN Select a port’s LAN radio button to use the port as part of the LAN. The port will use the ZyWALL’s LAN IP address and MAC address. DMZ Select a port’s DMZ radio button to use the port as part of the DMZ. The port will use the ZyWALL’s DMZ IP address and MAC address.
CHAPTER 10 Wireless LAN This chapter discusses how to configure wireless LAN on the ZyWALL. 10.1 Wireless LAN Introduction A wireless LAN can be as simple as two computers with wireless LAN adapters communicating in a peer-to-peer network or as complex as a number of computers with wireless LAN adapters communicating through access points which bridge network traffic to the wired LAN. To add a wireless network to the ZyWALL, you can connect an Access Point to a port in the WLAN role. 10.
Chapter 10 Wireless LAN Figure 107 NETWORK > WLAN The following table describes the labels in this screen. Table 43 NETWORK > WLAN LABEL DESCRIPTION WLAN TCP/IP IP Address Type the IP address of your ZyWALL’s WLAN interface in dotted decimal notation. Alternatively, click the right mouse button to copy and/or paste the IP address. Note: Make sure the IP addresses of the LAN, WAN, WLAN and DMZ are on separate subnets.
Chapter 10 Wireless LAN Table 43 NETWORK > WLAN (continued) LABEL DESCRIPTION Multicast Select IGMP V-1 or IGMP V-2 or None. IGMP (Internet Group Management Protocol) is a network-layer protocol used to establish membership in a Multicast group - it is not used to carry user data. IGMP version 2 (RFC 2236) is an improvement over version 1 (RFC 1112) but IGMP version 1 is still in wide use.
Chapter 10 Wireless LAN 10.3 WLAN Static DHCP This table allows you to assign IP addresses on the WLAN to specific individual computers based on their MAC addresses. Every Ethernet device has a unique MAC (Media Access Control) address. The MAC address is assigned at the factory and consists of six pairs of hexadecimal characters, for example, 00:A0:C5:00:00:02. To change your ZyWALL’s WLAN static DHCP settings, click NETWORK >WLAN > Static DHCP. The screen appears as shown.
Chapter 10 Wireless LAN The following table describes the labels in this screen. Table 44 NETWORK > WLAN > Static DHCP LABEL DESCRIPTION # This is the index number of the Static IP table entry (row). MAC Address Type the MAC address of a computer on your WLAN. IP Address Type the IP address that you want to assign to the computer on your WLAN. Alternatively, click the right mouse button to copy and/or paste the IP address. Apply Click Apply to save your changes back to the ZyWALL.
Chapter 10 Wireless LAN Figure 109 NETWORK > WLAN > IP Alias The following table describes the labels in this screen. Table 45 NETWORK > WLAN > IP Alias LABEL DESCRIPTION Enable IP Alias 1, 2 Select the check box to configure another WLAN network for the ZyWALL. IP Address Enter the IP address of your ZyWALL in dotted decimal notation. Alternatively, click the right mouse button to copy and/or paste the IP address.
Chapter 10 Wireless LAN 10.5 WLAN Port Roles Use the Port Roles screen to set ports as part of the LAN, DMZ and/or WLAN interface. Ports 1~4 on the ZyWALL can be part of the LAN, DMZ or WLAN interface. Connect wireless LAN Access Points (APs) to WLAN interfaces to extend the ZyWALL’s wireless LAN coverage. The WLAN port role allows the ZyWALL’s firewall to treat traffic from connected APs as part of the ZyWALL’s WLAN. You can specify firewall rules for traffic going to or from the WLAN.
Chapter 10 Wireless LAN Figure 111 NETWORK > WLAN > Port Roles The following table describes the labels in this screen. Table 46 NETWORK > WLAN > Port Roles LABEL DESCRIPTION LAN Select a port’s LAN radio button to use the port as part of the LAN. The port will use the LAN IP address. DMZ Select a port’s DMZ radio button to use the port as part of the DMZ. The port will use the DMZ IP address. WLAN Select a port’s WLAN radio button to use the port as part of the WLAN.
PART III Security
Firewall (181)
Content Filtering Screens (211)
Content Filtering Reports (227)
IPSec VPN (235)
Certificates (275)
Authentication Server (301)
CHAPTER 11 Firewall This chapter shows you how to configure your ZyWALL’s firewall. 11.1 Firewall Overview In networking, a firewall is a system or group of systems that enforces an access-control policy between two networks. It is generally used to protect a trusted network from an untrusted one. The ZyWALL physically separates the LAN, DMZ, WLAN and the WAN and acts as a secure gateway for all data passing between the networks.
Chapter 11 Firewall Your customized rules take precedence and override the ZyWALL’s default settings. The ZyWALL checks the source IP address, destination IP address and IP protocol type of network traffic against the firewall rules (in the order you list them). When the traffic matches a rule, the ZyWALL takes the action specified in the rule. 11.
Chapter 11 Firewall Figure 115 Default Block Traffic From WAN to DMZ Example 11.3 Packet Direction Examples Firewall rules are grouped based on the direction of travel of packets to which they apply. This section gives some examples of why you might configure firewall rules for specific connection directions. By default, the ZyWALL allows packets traveling in the following directions.
Chapter 11 Firewall By default, the ZyWALL drops packets traveling in the following directions. • WAN to LAN These rules specify which computers connected to the WAN can access which computers or services on the LAN. For example, you may create rules to: • Allow certain types of traffic, such as Lotus Notes database synchronization, from specific hosts on the Internet to specific hosts on the LAN. • Allow public access to a Web server on your protected network.
Chapter 11 Firewall Figure 116 From LAN to VPN Example In order to do this, you would configure the SECURITY > FIREWALL > Default Rule screen as follows. Figure 117 Block DMZ to VPN Traffic by Default Example 11.3.2 From VPN Packet Direction You can also apply firewall rules to traffic that comes in through the ZyWALL’s VPN tunnels. The ZyWALL decrypts the VPN traffic and then applies the firewall rules.
Chapter 11 Firewall For example, by default the firewall allows traffic from any VPN tunnel to go to any of the ZyWALL’s interfaces, the ZyWALL itself and other VPN tunnels. You could edit the From VPN To LAN default firewall rule to silently block traffic from the VPN tunnels from going to the LAN computers. Figure 118 From VPN to LAN Example In order to do this, you would configure the SECURITY > FIREWALL > Default Rule screen as follows.
Chapter 11 Firewall 11.3.3 From VPN To VPN Packet Direction From VPN To VPN firewall rules apply to traffic that comes in through one of the ZyWALL’s VPN tunnels and terminates at the ZyWALL (like for remote management) or goes out through another of the ZyWALL’s VPN tunnels (this is called hub-and-spoke VPN, see Section 14.17 on page 271 for details). The ZyWALL decrypts the traffic and applies the firewall rules before re-encrypting it or allowing the traffic to terminate at the ZyWALL.
Chapter 11 Firewall 11.4 Security Considerations " Incorrectly configuring the firewall may block valid access or introduce security risks to the ZyWALL and your protected network. Use caution when creating or deleting firewall rules and test your rules after you configure them.
Chapter 11 Firewall Your firewall would have the following configuration.
Table 48 Blocking All LAN to WAN IRC Traffic Example
#        SOURCE  DESTINATION  SCHEDULE  SERVICE  ACTION
1        Any     Any          Any       IRC      Drop
Default  Any     Any          Any       Any      Allow
• The first row blocks LAN access to the IRC service on the WAN. • The second row is the firewall’s default policy that allows all traffic from the LAN to go to the WAN. The ZyWALL applies the firewall rules in order.
Chapter 11 Firewall • The first row allows the LAN computer at IP address 192.168.1.7 to access the IRC service on the WAN. • The second row blocks LAN access to the IRC service on the WAN. • The third row is (still) the firewall’s default policy of allowing all traffic from the LAN to go to the WAN. The rule for the CEO must come before the rule that blocks all LAN to WAN IRC traffic.
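The first-match behaviour described above, and the way a misplaced rule is silently shadowed, as an added example (not code from the ZyXEL guide or the ZyWALL firmware). The rule table is the CEO example from the text; the packet contents and the WAN host address 203.0.113.9 are constructed for the demonstration, and the shadow check is a deliberately conservative one that only treats "Any" or an identical field as covering.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    """One row of the Rule Summary: Source, Destination, Service and Action.

    Address specs are "Any", a single IP, a range "start-end" or a CIDR
    prefix; Service is "Any" or a service name such as "IRC".
    """
    name: str
    source: str
    destination: str
    service: str
    action: str  # "Allow", "Drop" or "Reject"


def _addr_matches(spec: str, ip: str) -> bool:
    if spec == "Any":
        return True
    addr = ipaddress.ip_address(ip)
    if "-" in spec:
        lo, hi = (ipaddress.ip_address(s.strip()) for s in spec.split("-", 1))
        return lo <= addr <= hi
    if "/" in spec:
        return addr in ipaddress.ip_network(spec, strict=False)
    return addr == ipaddress.ip_address(spec)


def evaluate(rules, packet):
    """Return (rule name, action) of the FIRST rule that matches the packet.

    Rules are checked in listed order, as the text describes; the Default
    row (Any/Any/Any) must be last so that every packet matches something.
    """
    for rule in rules:
        if (_addr_matches(rule.source, packet["src"])
                and _addr_matches(rule.destination, packet["dst"])
                and rule.service in ("Any", packet["service"])):
            return rule.name, rule.action
    raise ValueError("no rule matched: the Default rule is missing")


def _covers(spec_a: str, spec_b: str) -> bool:
    # Conservative: A covers B only when A is "Any" or identical to B.
    return spec_a == "Any" or spec_a == spec_b


def shadowed_rules(rules):
    """Names of rules that can never match because an earlier rule already
    catches every packet they describe (the CEO mistake from the text)."""
    found = []
    for i, later in enumerate(rules):
        for earlier in rules[:i]:
            if (_covers(earlier.source, later.source)
                    and _covers(earlier.destination, later.destination)
                    and _covers(earlier.service, later.service)):
                found.append(later.name)
                break
    return found


# The three rules of the CEO example in the text.
CEO_IRC = Rule("CEO IRC", "192.168.1.7", "Any", "IRC", "Allow")
BLOCK_IRC = Rule("Block IRC", "Any", "Any", "IRC", "Drop")
DEFAULT = Rule("Default", "Any", "Any", "Any", "Allow")

CORRECT_ORDER = [CEO_IRC, BLOCK_IRC, DEFAULT]
WRONG_ORDER = [BLOCK_IRC, CEO_IRC, DEFAULT]   # CEO rule placed after the block

# Constructed packets; 203.0.113.9 stands in for an IRC server on the WAN.
CEO_TO_IRC = {"src": "192.168.1.7", "dst": "203.0.113.9", "service": "IRC"}
STAFF_TO_IRC = {"src": "192.168.1.20", "dst": "203.0.113.9", "service": "IRC"}
STAFF_TO_HTTP = {"src": "192.168.1.20", "dst": "203.0.113.9", "service": "HTTP"}

if __name__ == "__main__":
    for label, rules in (("correct", CORRECT_ORDER), ("wrong", WRONG_ORDER)):
        print(label, evaluate(rules, CEO_TO_IRC), "shadowed:", shadowed_rules(rules))
```

Run `shadowed_rules` over a rule list after every Insert or Move in the Rule Summary screen: a rule that it reports is one the ZyWALL will never reach, which is exactly the symptom the text warns about.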
Chapter 11 Firewall Figure 124 Using IP Alias to Solve the Triangle Route Problem 11.7 Firewall Default Rule (Router Mode) Click SECURITY > FIREWALL to open the Default Rule screen. Use this screen to configure general firewall settings when the ZyWALL is set to router mode.
Chapter 11 Firewall The following table describes the labels in this screen. Table 50 SECURITY > FIREWALL > Default Rule (Router Mode) LABEL DESCRIPTION Enable Firewall Select this check box to activate the firewall. The ZyWALL performs access control and protects against Denial of Service (DoS) attacks when the firewall is activated.
Chapter 11 Firewall Table 50 SECURITY > FIREWALL > Default Rule (Router Mode) (continued) LABEL DESCRIPTION Apply Click Apply to save your changes back to the ZyWALL. Reset Click Reset to begin configuring this screen afresh. 11.8 Firewall Default Rule (Bridge Mode) Click SECURITY > FIREWALL to open the Default Rule screen. Use this screen to configure general firewall settings when the ZyWALL is set to bridge mode. See Section 11.1 on page 181 for more information about the firewall.
Chapter 11 Firewall The following table describes the labels in this screen. Table 51 SECURITY > FIREWALL > Default Rule (Bridge Mode) LABEL DESCRIPTION Enable Firewall Select this check box to activate the firewall. The ZyWALL performs access control and protects against Denial of Service (DoS) attacks when the firewall is activated. From, To Set the firewall’s default actions based on the direction of travel of packets. Here are some example descriptions of the directions of travel.
Chapter 11 Firewall " The ordering of your rules is very important as rules are applied in the order that they are listed. See Section 11.1 on page 181 for more information about the firewall. • When the ZyWALL is in bridge mode, enable the default WAN to LAN firewall rule for the BOOTP_CLIENT service to let DHCP clients behind the ZyWALL use a DHCP server on the WAN.
Chapter 11 Firewall Table 52 SECURITY > FIREWALL > Rule Summary LABEL DESCRIPTION # This is your firewall rule number. The ordering of your rules is important as rules are applied in turn. Click + to expand or - to collapse the Source Address, Destination Address and Service Type drop down lists. Name This is the name of the firewall rule. Active This field displays whether a firewall rule is turned on (Y) or not (N).
Chapter 11 Firewall Figure 128 SECURITY > FIREWALL > Rule Summary > Edit
Chapter 11 Firewall The following table describes the labels in this screen. Table 53 SECURITY > FIREWALL > Rule Summary > Edit LABEL DESCRIPTION Rule Name Enter a descriptive name of up to 31 printable ASCII characters (except Extended ASCII characters) for the firewall rule. Spaces are allowed. Edit Source/ Destination Address Address Type Do you want your rule to apply to packets with a particular (single) IP, a range of IP addresses (for example 192.168.1.10 to 192.169.1.
Chapter 11 Firewall Table 53 SECURITY > FIREWALL > Rule Summary > Edit LABEL DESCRIPTION Action for Matched Packets Use the drop-down list box to select what the firewall is to do with packets that match this rule. Select Drop to silently discard the packets without sending a TCP reset packet or an ICMP destination-unreachable message to the sender. Select Reject to deny the packets and send a TCP reset packet (for a TCP packet) or an ICMP destination-unreachable message (for a UDP packet) to the sender.
Chapter 11 Firewall The following table describes the labels in this screen. Table 54 SECURITY > FIREWALL > Anti-Probing LABEL DESCRIPTION Respond to PING on Select the check boxes of the interfaces that you want to reply to incoming Ping requests. Clear an interface’s check box to have the ZyWALL not respond to any Ping requests that come into that interface. Do not respond to requests for unauthorized services.
Chapter 11 Firewall 11.11.1 Threshold Values If everything is working properly, you probably do not need to change the threshold settings as the default threshold values should work for most small offices. Tune these parameters when you believe the ZyWALL has been receiving DoS attacks that are not recorded in the logs or the logs show that the ZyWALL is classifying normal traffic as DoS attacks. Factors influencing choices for threshold values are: 1 The maximum number of opened sessions.
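How a half-open session threshold behaves, and why a value tuned too low flags normal traffic, as an added example (not code from the ZyXEL guide or the ZyWALL firmware). The high/low watermark names, the hysteresis, the "drop new SYNs while engaged" reaction and the 5-second half-open timeout are assumptions chosen for the demonstration; the log lines are constructed, with 203.0.113.0/24 standing in for spoofed WAN sources.

```python
from collections import OrderedDict


class HalfOpenMonitor:
    """Counts TCP half-open sessions (SYN seen, handshake never completed) and
    switches DoS protection on above a high watermark and off again below a
    low watermark. Watermark semantics are assumed for this example."""

    def __init__(self, high, low, timeout):
        self.high, self.low, self.timeout = high, low, timeout
        self.half_open = OrderedDict()   # flow -> time the SYN was seen
        self.engaged = False
        self.events = []

    def _maybe_release(self, now):
        if self.engaged and len(self.half_open) < self.low:
            self.engaged = False
            self.events.append(("released", now, len(self.half_open)))

    def _expire(self, now):
        # Entries are kept in arrival order, so stale ones sit at the front.
        while self.half_open:
            flow, t0 = next(iter(self.half_open.items()))
            if now - t0 < self.timeout:
                break
            self.half_open.popitem(last=False)
        self._maybe_release(now)

    def syn(self, now, flow):
        self._expire(now)
        if self.engaged:
            self.events.append(("dropped_syn", now, flow))
            return False
        self.half_open.pop(flow, None)     # a retransmitted SYN moves to the end
        self.half_open[flow] = now
        if len(self.half_open) >= self.high:
            self.engaged = True
            self.events.append(("engaged", now, len(self.half_open)))
        return True

    def established(self, now, flow):
        self.half_open.pop(flow, None)
        self._expire(now)


def replay(log_lines, high, low, timeout):
    """Feed constructed log lines "<seconds> <SYN|EST> <src:port> <dst:port>"
    through the monitor and return the threshold events it produced."""
    mon = HalfOpenMonitor(high, low, timeout)
    for line in log_lines:
        t, kind, src, dst = line.split()
        flow = (src, dst)
        if kind == "SYN":
            mon.syn(float(t), flow)
        elif kind == "EST":
            mon.established(float(t), flow)
    return mon.events


# Constructed sample: three normal connections that complete, ten SYNs from
# 203.0.113.0/24 that never complete, then one more normal connection.
NORMAL_LOG = [
    "0.0 SYN 192.168.1.20:50001 203.0.113.9:80",
    "0.1 EST 192.168.1.20:50001 203.0.113.9:80",
    "0.2 SYN 192.168.1.21:50002 203.0.113.9:80",
    "0.3 EST 192.168.1.21:50002 203.0.113.9:80",
    "0.4 SYN 192.168.1.22:50003 203.0.113.9:443",
    "0.5 EST 192.168.1.22:50003 203.0.113.9:443",
]
FLOOD_LOG = [f"{1.0 + i / 10:.1f} SYN 203.0.113.{10 + i}:4000 192.168.1.10:80"
             for i in range(10)]
SAMPLE_LOG = NORMAL_LOG + FLOOD_LOG + [
    "7.0 SYN 192.168.1.23:50004 203.0.113.9:443",
    "7.1 EST 192.168.1.23:50004 203.0.113.9:443",
]

if __name__ == "__main__":
    for event in replay(SAMPLE_LOG, high=8, low=4, timeout=5.0):
        print(event)
```

With `high=8` the flood engages protection at the eighth uncompleted SYN, the next two are dropped, and the stale entries time out before the later legitimate connection, which is admitted. The same monitor run over only `NORMAL_LOG` never engages, because completed handshakes leave the half-open table at once; a threshold low enough to trigger on that traffic is the "normal traffic classified as DoS" case the text describes.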
Chapter 11 Firewall The following table describes the labels in this screen. Table 55 SECURITY > FIREWALL > Threshold LABEL DESCRIPTION Disable DoS Attack Protection on Select the check boxes of any interfaces (or all VPN tunnels) for which you want the ZyWALL to not use the Denial of Service protection thresholds. This disables DoS protection on the selected interface (or all VPN tunnels).
Chapter 11 Firewall 11.13 Service Click SECURITY > FIREWALL > Service to open the screen as shown next. Use this screen to configure custom services for use in firewall rules or view the services that are predefined in the ZyWALL. See Section 11.1 on page 181 for more information about the firewall. Figure 132 SECURITY > FIREWALL > Service The following table describes the labels in this screen.
Chapter 11 Firewall Table 56 SECURITY > FIREWALL > Service (continued) LABEL DESCRIPTION Attribute This is the IP port number or ICMP type and code that defines the service. Modify Click the edit icon to go to the screen where you can edit the service. Click the delete icon to remove an existing service. A window displays asking you to confirm that you want to delete the service. Note that subsequent services move up by one when you take this action.
Chapter 11 Firewall Table 57 SECURITY > FIREWALL > Service > Add (continued) LABEL DESCRIPTION Port Range Enter the port number (from 1 to 65535) that defines the customized service. To specify one port only, enter the port number in the From field and enter it again in the To field. To specify a span of ports, enter the first port in the From field and enter the last port in the To field. Type/Code This field is available only when you select ICMP in the IP Protocol field.
Chapter 11 Firewall 4 In the Rule Summary screen, type the index number for where you want to put the rule. For example, if you type 6, your new rule becomes number 6 and the previous rule 6 (if there is one) becomes rule 7. 5 Click Insert to display the firewall rule configuration screen. Figure 136 My Service Firewall Rule Example: Rule Summary 6 Enter the name of the firewall rule. 7 Select Any in the Destination Address(es) box and then click Delete.
Chapter 11 Firewall 9 In the Edit Rule screen, use the arrows between Available Services and Selected Service(s) to configure it as follows. Click Apply when you are done. " Custom services show up with an * before their names in the Services list box and the Rule Summary list box.
Chapter 11 Firewall Figure 138 My Service Firewall Rule Example: Rule Configuration Rule 1 allows a My Service connection from the WAN to IP addresses 10.0.0.10 through 10.0.0.15 on the LAN.
Chapter 11 Firewall Figure 139 My Service Firewall Rule Example: Rule Summary
CHAPTER 12 Content Filtering Screens This chapter provides an overview of content filtering. 12.1 Content Filtering Overview Content filtering allows you to block certain web features, such as Cookies, and/or block access to specific websites. With content filtering, you can do the following: 12.1.1 Restrict Web Features The ZyWALL can block web features such as ActiveX controls, Java applets, cookies and disable web proxies. 12.1.
Chapter 12 Content Filtering Screens Figure 140 SECURITY > CONTENT FILTER > General The following table describes the labels in this screen. Table 58 SECURITY > CONTENT FILTER > General LABEL DESCRIPTION General Setup Enable Content Filter Select this check box to enable the content filter. Content filtering works on HTTP traffic that is using TCP ports 80, 119, 3128 or 8080.
Chapter 12 Content Filtering Screens Table 58 SECURITY > CONTENT FILTER > General LABEL DESCRIPTION Java Applet Java is a programming language and development environment for building downloadable Web components or Internet and intranet business applications of all kinds. Cookies Cookies are files stored on a computer’s hard drive. Some web servers use them to track usage and provide service based on ID.
Chapter 12 Content Filtering Screens 12.3 Content Filtering with an External Database When you register for and enable external database content filtering, your ZyWALL accesses an external database that has millions of web sites categorized based on content. You can have the ZyWALL block and/or log access to web sites based on these categories. The content filtering lookup process is described below.
Chapter 12 Content Filtering Screens 2 Click Content Filter in the Service Name field to open the Blue Coat login screen. 3 Enter your ZyWALL's MAC address (in lower case) in the Name field. You can find this MAC address in the Service Management screen (Figure 147 on page 229). Type your myZyXEL.com account password in the Password field. Click Submit.
Chapter 12 Content Filtering Screens The following table describes the labels in this screen. Table 59 SECURITY > CONTENT FILTER > Categories LABEL DESCRIPTION Auto Category Setup Enable External Database Content Filtering Enable external database content filtering to have the ZyWALL check an external database to find to which category a requested web page belongs. The ZyWALL then blocks or forwards access to the web page depending on the configuration of the rest of this page.
Chapter 12 Content Filtering Screens Table 59 SECURITY > CONTENT FILTER > Categories (continued) LABEL DESCRIPTION Sex Education Selecting this category excludes pages that provide information (sometimes graphic) on reproduction, sexual development, safe sex practices, sexuality and birth control. It also includes pages that offer tips for better sex as well as products used for sexual enhancement.
Chapter 12 Content Filtering Screens Table 59 SECURITY > CONTENT FILTER > Categories (continued) LABEL DESCRIPTION Phishing Selecting this category excludes pages that are designed to appear as a legitimate bank or retailer with the intent to fraudulently capture sensitive data (i.e. credit card numbers, pin numbers).
Chapter 12 Content Filtering Screens Table 59 SECURITY > CONTENT FILTER > Categories (continued) LABEL DESCRIPTION Health Selecting this category excludes pages that provide advice and information on general health such as fitness and well-being, personal health or medical services, drugs, alternative and complementary therapies, medical information about ailments, dentistry, optometry, general psychiatry, self-help, and support organizations dedicated to a disease or condition.
Chapter 12 Content Filtering Screens Table 59 SECURITY > CONTENT FILTER > Categories (continued) LABEL DESCRIPTION Society/Lifestyle Selecting this category excludes pages providing information on matters of daily life. This does not include pages relating to entertainment, sports, jobs, sex or pages promoting alternative lifestyles such as homosexuality. Personal homepages fall within this category if they cannot be classified in another category.
Chapter 12 Content Filtering Screens Table 59 SECURITY > CONTENT FILTER > Categories (continued) LABEL DESCRIPTION Content Filter Service Status This read-only field displays the status of your category-based content filtering (using an external database) service subscription. License Inactive displays if you have not registered and activated the category-based content filtering service.
Chapter 12 Content Filtering Screens Figure 143 SECURITY > CONTENT FILTER > Customization The following table describes the labels in this screen. Table 60 SECURITY > CONTENT FILTER > Customization LABEL DESCRIPTION Web Site List Customization Enable Web site customization Select this check box to allow trusted web sites and block forbidden web sites. Content filter list customization may be enabled and disabled without re-entering these site names.
Chapter 12 Content Filtering Screens Table 60 SECURITY > CONTENT FILTER > Customization (continued) LABEL DESCRIPTION Add Click this button when you have finished adding the host name in the text field above. Delete Select a web site name from the Trusted Web Site List, and then click this button to delete it from that list. Forbidden Web Site List Sites that you want to block access to, regardless of their content rating, can be blocked by adding them to this list. You can enter up to 32 entries.
Chapter 12 Content Filtering Screens For example, with the URL www.zyxel.com.tw/news/pressroom.php, content filtering only searches for keywords within www.zyxel.com.tw. 12.6.2 Full Path URL Checking Full path URL checking has the ZyWALL check the characters that come before the last slash in the URL. For example, with the URL www.zyxel.com.tw/news/pressroom.php, full path URL checking searches for keywords within www.zyxel.com.tw/news/.
Chapter 12 Content Filtering Screens Figure 144 SECURITY > CONTENT FILTER > Cache The following table describes the labels in this screen. Table 61 SECURITY > CONTENT FILTER > Cache LABEL DESCRIPTION URL Cache Setup Maximum TTL Type the maximum time to live (TTL) (1 to 720 hours). This sets how long the ZyWALL is to allow an entry to remain in the URL cache before discarding it. Apply Click Apply to save your changes back to the ZyWALL. Reset Click Reset to begin configuring this screen afresh.
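The lookup process of Section 12.3, the trusted and forbidden lists of the Customization screen, the domain-name versus full-path keyword checking of Section 12.6 and the URL cache with its 1 to 720 hour TTL, put together in one decision function as an added example (not code from the ZyXEL guide or the ZyWALL firmware). The decision order (trusted, forbidden, keyword, category) is an assumption for the example; `CountingLookup` is a constructed stand-in for the external category database, the host names under `.example.test` are constructed, and the www.zyxel.com.tw URL is the one the text uses.

```python
from urllib.parse import urlsplit


class ContentFilter:
    """Decides forward/block for one URL. Order assumed for this example:
    trusted list, forbidden list, keyword check, category lookup via cache."""

    def __init__(self, trusted, forbidden, keywords, blocked_categories,
                 lookup, ttl_hours, full_path=False, clock=None):
        if not 1 <= ttl_hours <= 720:          # same range as the Cache screen
            raise ValueError("Maximum TTL must be 1 to 720 hours")
        self.trusted = set(trusted)
        self.forbidden = set(forbidden)
        self.keywords = list(keywords)
        self.blocked = set(blocked_categories)
        self.lookup = lookup                   # host -> category (external DB)
        self.ttl = ttl_hours * 3600
        self.full_path = full_path
        self.clock = clock
        self.cache = {}                        # host -> (category, expiry)

    @staticmethod
    def _split(url):
        parts = urlsplit(url if "://" in url else "http://" + url)
        return parts.hostname, parts.path

    def _scope(self, host, path):
        if not self.full_path:
            return host                        # domain name only
        return host + path[: path.rfind("/") + 1]   # up to the last slash

    def _category(self, host):
        now = self.clock()
        hit = self.cache.get(host)
        if hit and hit[1] > now:               # still within the TTL
            return hit[0]
        category = self.lookup(host)
        self.cache[host] = (category, now + self.ttl)
        return category

    def decide(self, url):
        host, path = self._split(url)
        if host in self.trusted:
            return "forward", "trusted"
        if host in self.forbidden:
            return "block", "forbidden"
        scope = self._scope(host, path)
        for kw in self.keywords:
            if kw in scope:
                return "block", "keyword:" + kw
        category = self._category(host)
        if category in self.blocked:
            return "block", "category:" + category
        return "forward", "category:" + category


class FakeClock:
    def __init__(self, t=0.0):
        self.t = t

    def __call__(self):
        return self.t

    def advance(self, seconds):
        self.t += seconds


class CountingLookup:
    """Constructed stand-in for the external database; counts queries so the
    effect of the cache is visible."""
    TABLE = {"games.example.test": "Games", "news.example.test": "News"}

    def __init__(self):
        self.calls = 0

    def __call__(self, host):
        self.calls += 1
        return self.TABLE.get(host, "Unknown")


def build(full_path=False):
    clock, lookup = FakeClock(), CountingLookup()
    cf = ContentFilter(trusted=["intranet.example.test"],
                       forbidden=["bad.example.test"],
                       keywords=["news"], blocked_categories={"Games"},
                       lookup=lookup, ttl_hours=1, full_path=full_path,
                       clock=clock)
    return cf, clock, lookup


if __name__ == "__main__":
    cf, clock, lookup = build(full_path=True)
    print(cf.decide("www.zyxel.com.tw/news/pressroom.php"), lookup.calls)
```

Two points the code makes visible: a trusted host is forwarded before any keyword or category is consulted, so a trusted entry bypasses the whole filter for that host; and a cached category is reused until the TTL expires, so a site that is re-categorized (Section 13.3) keeps its old verdict on the ZyWALL for up to Maximum TTL hours.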
CHAPTER 13 Content Filtering Reports This chapter describes how to view content filtering reports after you have activated the category-based content filtering subscription service. See Chapter 5 on page 117 on how to create a myZyXEL.com account, register your device and activate the subscription services using the REGISTRATION screens. 13.1 Checking Content Filtering Activation After you activate content filtering, you need to wait up to five minutes for content filtering to be turned on.
Chapter 13 Content Filtering Reports Figure 145 myZyXEL.com: Login 3 A welcome screen displays. Click your ZyWALL’s model name and/or MAC address under Registered ZyXEL Products. You can change the descriptive name for your ZyWALL using the Rename button in the Service Management screen (see Figure 147 on page 229). Figure 146 myZyXEL.com: Welcome 4 In the Service Management screen click Content Filter in the Service Name field to open the Blue Coat login screen.
Chapter 13 Content Filtering Reports Figure 147 myZyXEL.com: Service Management 5 Enter your ZyXEL device's MAC address (in lower case) in the Name field. You can find this MAC address in the Service Management screen (Figure 147 on page 229). Type your myZyXEL.com account password in the Password field. 6 Click Submit. Figure 148 Blue Coat: Login 7 In the Web Filter Home screen, click the Reports tab.
Chapter 13 Content Filtering Reports Figure 149 Content Filtering Reports Main Screen 8 Select items under Global Reports or Single User Reports to view the corresponding reports. Figure 150 Blue Coat: Report Home 9 Select a time period in the Date Range field, either Allowed or Blocked in the Action Taken field and a category (or enter the user name if you want to view single user reports) and click Run Report. The screens vary according to the report type you selected in the Report Home screen.
Chapter 13 Content Filtering Reports Figure 151 Global Report Screen Example 11 You can click a category in the Categories report or click URLs in the Report Home screen to see the URLs that were requested.
Chapter 13 Content Filtering Reports Figure 152 Requested URLs Example 13.3 Web Site Submission You may find that a web site has not been accurately categorized or that a web site’s contents have changed and the content filtering category needs to be updated. Use the following procedure to submit the web site for review. 1 Log into the content filtering reports web site (see Section 13.2 on page 227).
Chapter 13 Content Filtering Reports Figure 153 Web Page Review Process Screen 3 Type the web site’s URL in the field and click Submit to have the web site reviewed.
CHAPTER 14 IPSec VPN This chapter explains how to set up and maintain IPSec VPNs in the ZyWALL. First, it provides an overview of IPSec VPNs. Then, it introduces each screen for IPSec VPN in the ZyWALL. 14.1 IPSec VPN Overview A virtual private network (VPN) provides secure communications between sites without the expense of leased site-to-site lines. A secure VPN is a combination of tunneling, encryption, authentication, access control and auditing.
A VPN tunnel is usually established in two phases. Each phase establishes a security association (SA), a contract indicating what security parameters the ZyWALL and the remote IPSec router will use. The first phase establishes an Internet Key Exchange (IKE) SA between the ZyWALL and remote IPSec router. The second phase runs under the protection of that IKE SA and negotiates the IPSec SA that actually carries the traffic.
You can usually provide a static IP address or a domain name for the ZyWALL. Sometimes, your ZyWALL might also offer another alternative, such as using the IP address of a port or interface. You can usually provide a static IP address or a domain name for the remote IPSec router as well. Sometimes, you might not know the IP address of the remote IPSec router (for example, telecommuters).
Figure 158 SECURITY > VPN > VPN Rules (IKE) The following table describes the labels in this screen. Table 62 SECURITY > VPN > VPN Rules (IKE)
VPN Rules: These VPN rules define the settings for creating VPN tunnels for secure connection to other computers or networks. Click the add icon to add a VPN gateway policy (or IPSec rule).
Gateway Policies: The first row of each VPN rule represents the gateway policy.
Table 62 SECURITY > VPN > VPN Rules (IKE) (continued)
Click the edit icon to display a screen in which you can change the settings of a gateway or network policy. Click the delete icon to delete a gateway or network policy. Click the connect icon to establish a VPN connection to a remote network. The inactive icon indicates that a network policy is not active.
Recycle Bin: The recycle bin holds any network policies without an associated gateway policy. 14.
14.3.1.1 Diffie-Hellman (DH) Key Exchange The ZyWALL and the remote IPSec router use a DH key exchange to establish a shared secret, which is used to generate encryption keys for IKE SA and IPSec SA. In main mode, the DH key exchange is done in steps 3 and 4, as illustrated below. Figure 160 IKE SA: Main Negotiation Mode, Steps 3 - 4: DH Key Exchange The DH key exchange is based on DH key groups. Each key group is a fixed number of bits long.
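The following Python program is an added example, not part of this User’s Guide or of ZyXEL firmware, showing what the DH exchange and the key material derived from it look like. It assumes a toy 61-bit prime and generator so that it runs quickly; a real IKE SA uses an RFC 2409 MODP group such as DH group 2 (1024 bits) or larger. The key derivation follows RFC 2409 section 5.4 for pre-shared key authentication with HMAC-SHA1 as the pseudo-random function; the pre-shared key, nonces and cookies are constructed values.

```python
import hashlib
import hmac
import os

# Toy DH group (assumption, for speed only): a 61-bit Mersenne prime and a small
# generator. A real IKE SA uses an RFC 2409 MODP group such as DH group 2 (1024 bits).
P = 2**61 - 1
G = 3
P_LEN = (P.bit_length() + 7) // 8


def int_to_bytes(x):
    return x.to_bytes(P_LEN, "big")


def dh_keypair(rand=os.urandom):
    """Private exponent x in [1, p-2] and the public value g^x mod p sent to the peer."""
    x = int.from_bytes(rand(8), "big") % (P - 2) + 1
    return x, pow(G, x, P)


def public_value_ok(y):
    # 0, 1 and p-1 force the shared secret into a trivial value; a peer that sends
    # one of them is either broken or trying to neutralise the exchange.
    return 2 <= y <= P - 2


def dh_shared_secret(x, peer_y):
    if not public_value_ok(peer_y):
        raise ValueError("peer DH public value out of range")
    return pow(peer_y, x, P)


def prf(key, data):
    return hmac.new(key, data, hashlib.sha1).digest()


def ike_psk_keys(psk, gxy, n_i, n_r, cky_i, cky_r):
    """RFC 2409 section 5.4 key material for pre-shared key authentication."""
    gxy_b = int_to_bytes(gxy)
    skeyid = prf(psk, n_i + n_r)                                        # authentication root
    skeyid_d = prf(skeyid, gxy_b + cky_i + cky_r + b"\x00")             # seeds IPSec SA keys
    skeyid_a = prf(skeyid, skeyid_d + gxy_b + cky_i + cky_r + b"\x01")  # IKE SA integrity
    skeyid_e = prf(skeyid, skeyid_a + gxy_b + cky_i + cky_r + b"\x02")  # IKE SA encryption
    return {"SKEYID": skeyid, "SKEYID_d": skeyid_d,
            "SKEYID_a": skeyid_a, "SKEYID_e": skeyid_e}


def exchange(psk=b"example-psk"):
    """Run both sides; each derives its keys from the other's public value only."""
    x_i, y_i = dh_keypair()
    x_r, y_r = dh_keypair()
    n_i, n_r = os.urandom(16), os.urandom(16)    # nonces, exchanged in the clear
    cky_i, cky_r = os.urandom(8), os.urandom(8)  # ISAKMP cookies from the header
    keys_i = ike_psk_keys(psk, dh_shared_secret(x_i, y_r), n_i, n_r, cky_i, cky_r)
    keys_r = ike_psk_keys(psk, dh_shared_secret(x_r, y_i), n_i, n_r, cky_i, cky_r)
    return keys_i, keys_r


if __name__ == "__main__":
    a, b = exchange()
    print("both sides derived the same SKEYID_e:", a["SKEYID_e"] == b["SKEYID_e"])
```

Only the public values, nonces and cookies cross the network; the pre-shared key enters the derivation as the HMAC key for SKEYID, which is why two routers configured with different pre-shared keys complete the DH exchange but fail at authentication. The range check on the peer’s public value is the minimum a gateway should apply before using it.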
The ZyWALL and the remote IPSec router each has its own identity, so each one must store two sets of information, one for itself and one for the other router. Local ID type and ID content refers to the ID type and ID content that applies to the router itself, and peer ID type and ID content refers to the ID type and ID content that applies to the other router in the IKE SA.
Note: You must set up the certificates for the ZyWALL and remote IPSec router before you can use certificates in IKE SA. See Chapter 15 on page 275 for more information about certificates. 14.3.1.3 Extended Authentication Extended authentication is often used when multiple IPSec routers use the same VPN tunnel to connect to a single IPSec router. For example, this might be used with telecommuters. Extended authentication occurs right after the authentication described in Section 14.3.1.
14.3.1.5 VPN, NAT, and NAT Traversal In the following example, there is another router (A) between router X and router Y. Figure 162 VPN/NAT Example If router A does NAT, it might change the IP addresses, port numbers, or both. If router X and router Y try to establish a VPN tunnel, the authentication fails because it depends on this information. The routers cannot establish a VPN tunnel. Most routers like router A now have an IPSec pass-through feature.
Note: If the IKE SA times out while an IPSec SA is connected, the IPSec SA stays connected. An IPSec SA can be set to nailed up. Normally, the ZyWALL drops the IPSec SA when the life time expires or after two minutes of outbound traffic with no inbound traffic. If you set the IPSec SA to nailed up, the ZyWALL automatically renegotiates the IPSec SA when the SA life time expires, and it does not drop the IPSec SA if there is no inbound traffic.
If the remote IPSec router is not a ZyWALL, you may also want to avoid setting the IPSec rule to nailed up. 14.4.3 Encryption and Authentication Algorithms In most ZyWALLs, you can select one of the following encryption algorithms for each proposal. The encryption algorithms are listed here in order from weakest to strongest. • Data Encryption Standard (DES) is a widely used (but breakable) method of data encryption. It applies a 56-bit key to each 64-bit block of data.
Figure 164 SECURITY > VPN > VPN Rules (IKE) > Edit Gateway Policy
The following table describes the labels in this screen. Table 65 SECURITY > VPN > VPN Rules (IKE) > Edit Gateway Policy
Property
Name: Type up to 32 characters to identify this VPN gateway policy. You may use any character, including spaces, but the ZyWALL drops trailing spaces.
NAT Traversal: Select this check box to enable NAT traversal. NAT traversal allows you to set up a VPN connection when there are NAT routers between the two IPSec routers.
Table 65 SECURITY > VPN > VPN Rules (IKE) > Edit Gateway Policy (continued)
Fall back to Primary Remote Gateway when possible: Select this to have the ZyWALL change back to using the primary remote gateway if the connection becomes available again.
Fall Back Check Interval*: Set how often the ZyWALL should check the connection to the primary remote gateway while connected to the redundant remote gateway.
Each gateway policy uses one or more network policies.
Table 65 SECURITY > VPN > VPN Rules (IKE) > Edit Gateway Policy (continued)
Peer ID Type: Select from the following when you set Authentication Key to Pre-shared Key. Select IP to identify the remote IPSec router by its IP address. Select DNS to identify the remote IPSec router by a domain name. Select E-mail to identify the remote IPSec router by an e-mail address. Select from the following when you set Authentication Key to Certificate.
Table 65 SECURITY > VPN > VPN Rules (IKE) > Edit Gateway Policy (continued)
Server Mode: Select Server Mode to have this ZyWALL authenticate extended authentication clients that request this VPN connection. You must also configure the extended authentication clients’ usernames and passwords in the authentication server’s local user database or a RADIUS server (see Chapter 16 on page 301).
Table 65 SECURITY > VPN > VPN Rules (IKE) > Edit Gateway Policy (continued)
Associated Network Policies: The following table shows the policy(ies) you configure for this rule. To add a VPN policy, click the add network policy icon in the VPN Rules (IKE) screen (see Figure 158 on page 238). Refer to Section 14.8 on page 259 for more information.
#: This field displays the policy index number.
Name: This field displays the policy name.
14.6.1.1 Overlapping Local And Remote Network IP Addresses Devices behind the ZyWALL (local devices) and the devices behind the remote IPSec router (remote devices) may use private IP addresses. Therefore it is possible that local devices and remote devices may have the same IP addresses. This is known as overlapping local and remote IP addresses. For example, local network X uses IP addresses 192.168.1.2 to 192.168.1.4. Remote network Y uses IP addresses 192.168.1.2 to 192.168.1.27.
• On ZyWALL A, you specify 172.21.2.2 to 172.21.2.27 as the remote network. On ZyWALL B, you specify 10.0.0.2 to 10.0.0.4 as the remote network. Figure 166 Virtual Mapping of Local and Remote Network IP Addresses Computers on network X use IP addresses 192.168.1.2 to 192.168.1.4 to access local network devices and IP addresses 172.21.2.2 to 172.21.2.27 to access the remote network devices. Computers on network Y use IP addresses 192.168.1.2 to 192.168.1.
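To make the address rewriting concrete, the following Python program is an added example, not ZyXEL code, that models each ZyWALL’s half of the virtual mapping described above using the addresses of this section: network X is presented to Y as 10.0.0.2 to 10.0.0.4 and network Y is presented to X as 172.21.2.2 to 172.21.2.27. The overlap check, the class and the function names are the example’s own.

```python
import ipaddress


def _ip(addr):
    return int(ipaddress.IPv4Address(addr))


def _str(n):
    return str(ipaddress.IPv4Address(n))


def ranges_overlap(first_a, last_a, first_b, last_b):
    """True when two address ranges share at least one address (the case that
    needs virtual mapping, because a packet for the 'remote' address would
    otherwise match a local host and never enter the tunnel)."""
    return max(_ip(first_a), _ip(first_b)) <= min(_ip(last_a), _ip(last_b))


class VirtualMapping:
    """One ZyWALL's side of the mapping: its real local range is rewritten to the
    virtual range the remote ZyWALL is configured with, and back again."""

    def __init__(self, real_first, real_last, virtual_first):
        self.real_first, self.real_last = _ip(real_first), _ip(real_last)
        self.virtual_first = _ip(virtual_first)
        self.virtual_last = self.virtual_first + (self.real_last - self.real_first)

    def to_virtual(self, real):
        n = _ip(real)
        if not self.real_first <= n <= self.real_last:
            raise ValueError(f"{real} is not in the mapped local range")
        return _str(self.virtual_first + (n - self.real_first))

    def to_real(self, virtual):
        n = _ip(virtual)
        if not self.virtual_first <= n <= self.virtual_last:
            raise ValueError(f"{virtual} is not in the virtual local range")
        return _str(self.real_first + (n - self.virtual_first))

    def outbound(self, src, dst):
        """Rewrite the source before the packet is encapsulated into the tunnel."""
        return self.to_virtual(src), dst

    def inbound(self, src, dst):
        """Rewrite the destination after the packet leaves the tunnel."""
        return src, self.to_real(dst)


def send_through_tunnel(local_gw, remote_gw, src, dst):
    """Addresses seen inside the tunnel and on delivery for a packet from a host
    behind local_gw addressed to a virtual remote address."""
    in_tunnel = local_gw.outbound(src, dst)
    delivered = remote_gw.inbound(*in_tunnel)
    return in_tunnel, delivered


# The two gateways from Figure 166 (constructed from the addresses in this section).
ZYWALL_A = VirtualMapping("192.168.1.2", "192.168.1.4", "10.0.0.2")
ZYWALL_B = VirtualMapping("192.168.1.2", "192.168.1.27", "172.21.2.2")
```

Inside the tunnel only virtual addresses appear, so the two real 192.168.1.0 ranges never meet; each gateway needs to know only its own real-to-virtual offset, and the remote network configured on one ZyWALL is exactly the virtual local range of the other.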
Note: The ZyWALL and remote IPSec router must use the same encapsulation. These modes are illustrated below.
Figure 167 VPN: Transport and Tunnel Mode Encapsulation
Original packet: IP Header | TCP Header | Data
Transport mode packet: IP Header | AH/ESP Header | TCP Header | Data
Tunnel mode packet: IP Header | AH/ESP Header | IP Header | TCP Header | Data
In tunnel mode, the ZyWALL uses the active protocol to encapsulate the entire IP packet.
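The following Python program is an added example, not ZyXEL code, that builds and unpacks ESP packets in both encapsulation modes so the layouts in Figure 167 can be inspected byte by byte. It assumes a toy confidentiality transform (an HMAC-SHA256 keystream keyed by SPI and sequence number) in place of DES, 3DES or AES, because the Python standard library has no block cipher; the integrity check value is HMAC-SHA1-96 as ESP specifies, and a simple anti-replay window is included. The IP headers, keys and sequence numbers are constructed values.

```python
import hashlib
import hmac
import struct

ESP_PROTO, IPIP_PROTO, TCP_PROTO = 50, 4, 6
REPLAY_WINDOW = 64


def ipv4_header(src, dst, proto, total_len):
    """Minimal 20-byte IPv4 header (checksum left zero; constructed for the example)."""
    src_b = bytes(int(x) for x in src.split("."))
    dst_b = bytes(int(x) for x in dst.split("."))
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0, 0, 64, proto, 0, src_b, dst_b)


def parse_ipv4(hdr):
    f = struct.unpack("!BBHHHBBH4s4s", hdr[:20])
    return {"proto": f[6], "src": ".".join(map(str, f[8])), "dst": ".".join(map(str, f[9]))}


def keystream_xor(key, spi, seq, data):
    # Toy confidentiality transform (assumption): HMAC-SHA256 keystream keyed by the
    # per-SA key and the (SPI, sequence) pair, which is unique per packet on one SA.
    out, block = bytearray(), 0
    while len(out) < len(data):
        out += hmac.new(key, struct.pack("!IIQ", spi, seq, block), hashlib.sha256).digest()
        block += 1
    return bytes(a ^ b for a, b in zip(data, out))


def icv(auth_key, data):
    """HMAC-SHA1-96, the ESP integrity check value."""
    return hmac.new(auth_key, data, hashlib.sha1).digest()[:12]


def esp_encapsulate(mode, spi, seq, packet, enc_key, auth_key, gw_src=None, gw_dst=None):
    orig = parse_ipv4(packet)
    if mode == "tunnel":
        inner, next_hdr = packet, IPIP_PROTO          # the whole original packet is protected
    else:
        inner, next_hdr = packet[20:], orig["proto"]  # only the transport payload is protected
    pad_len = (-(len(inner) + 2)) % 4
    plain = inner + bytes(range(1, pad_len + 1)) + bytes([pad_len, next_hdr])  # ESP trailer
    body = struct.pack("!II", spi, seq) + keystream_xor(enc_key, spi, seq, plain)
    esp = body + icv(auth_key, body)
    if mode == "tunnel":
        outer = ipv4_header(gw_src, gw_dst, ESP_PROTO, 20 + len(esp))    # gateway addresses
    else:
        outer = ipv4_header(orig["src"], orig["dst"], ESP_PROTO, 20 + len(esp))
    return outer + esp


class InboundSA:
    def __init__(self, spi, enc_key, auth_key):
        self.spi, self.enc_key, self.auth_key = spi, enc_key, auth_key
        self.highest, self.seen = 0, set()   # a real stack keeps a bitmap, not a set

    def _check_replay(self, seq):
        if seq in self.seen or seq + REPLAY_WINDOW <= self.highest:
            raise ValueError("replayed or stale sequence number %d" % seq)
        self.seen.add(seq)
        self.highest = max(self.highest, seq)

    def decapsulate(self, packet):
        outer = parse_ipv4(packet)
        if outer["proto"] != ESP_PROTO:
            raise ValueError("not an ESP packet")
        body, tag = packet[20:-12], packet[-12:]
        if not hmac.compare_digest(tag, icv(self.auth_key, body)):
            raise ValueError("ICV mismatch")          # checked before anything is decrypted
        spi, seq = struct.unpack("!II", body[:8])
        if spi != self.spi:
            raise ValueError("unknown SPI")
        self._check_replay(seq)
        plain = keystream_xor(self.enc_key, spi, seq, body[8:])
        pad_len, next_hdr = plain[-2], plain[-1]
        inner = plain[:-(pad_len + 2)]
        if next_hdr == IPIP_PROTO:
            return "tunnel", inner                    # a complete inner IP packet
        return "transport", ipv4_header(outer["src"], outer["dst"], next_hdr, 20 + len(inner)) + inner


def is_rejected(sa, packet):
    """True if the inbound SA drops the packet (bad ICV, unknown SPI or replay)."""
    try:
        sa.decapsulate(packet)
    except ValueError:
        return True
    return False
```

In tunnel mode the outer header carries only the two gateways’ addresses, so the real end hosts are hidden from anyone on the path; in transport mode the original addresses stay visible and only the payload is protected. The receiver verifies the ICV before decrypting and before consulting the replay window, which is the order a gateway should use so that forged packets cannot disturb replay state.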
14.7 VPN Rules (IKE): Network Policy Edit Click SECURITY > VPN and the add network policy icon in the VPN Rules (IKE) screen to display the VPN-Network Policy -Edit screen. Use this screen to configure a network policy. A network policy identifies the devices behind the IPSec routers at either end of a VPN tunnel and specifies the authentication, encryption and other settings needed to negotiate a phase 2 IPSec SA.
The following table describes the labels in this screen. Table 66 SECURITY > VPN > VPN Rules (IKE) > Edit Network Policy
Active: If the Active check box is selected, packets for the tunnel trigger the ZyWALL to build the tunnel. Clear the Active check box to turn the network policy off. The ZyWALL does not apply the policy. Packets for the tunnel do not trigger the tunnel.
Table 66 SECURITY > VPN > VPN Rules (IKE) > Edit Network Policy (continued)
Port Forwarding Rules: If you are configuring a Many-to-One rule, click this button to go to a screen where you can configure port forwarding for your VPN tunnels. The VPN network policy port forwarding rules let the ZyWALL forward traffic coming in through the VPN tunnel to the appropriate IP address.
Table 66 SECURITY > VPN > VPN Rules (IKE) > Edit Network Policy (continued)
Ending IP Address/Subnet Mask: When the Address Type field is configured to Single Address, this field is N/A. When the Address Type field is configured to Range Address, enter the end (static) IP address, in a range of computers on the LAN behind your ZyWALL. When the Address Type field is configured to Subnet Address, this is a subnet mask on the LAN behind your ZyWALL.
Table 66 SECURITY > VPN > VPN Rules (IKE) > Edit Network Policy (continued)
SA Life Time (Seconds): Define the length of time before an IPSec SA automatically renegotiates in this field. The minimum value is 180 seconds. A short SA Life Time increases security by forcing the two VPN gateways to update the encryption and authentication keys. However, every time the VPN tunnel renegotiates, all users accessing remote resources are temporarily disconnected.
Figure 169 SECURITY > VPN > VPN Rules (IKE) > Edit Network Policy > Port Forwarding The following table describes the labels in this screen. Table 67 SECURITY > VPN > VPN Rules (IKE) > Edit Network Policy > Port Forwarding
Default Server: In addition to the servers for specified services, NAT supports a default server. A default server receives packets from ports that are not specified in this screen.
14.9 VPN Rules (IKE): Network Policy Move Click the move icon in the VPN Rules (IKE) screen to display the VPN Rules (IKE): Network Policy Move screen. A VPN (Virtual Private Network) tunnel gives you a secure connection to another computer or network. Each VPN tunnel uses a single gateway policy and one or more network policies. • The gateway policy contains the IKE SA settings. It identifies the IPSec routers at either end of a VPN tunnel.
14.10 IPSec SA Using Manual Keys You might set up an IPSec SA using manual keys when you want to establish a VPN tunnel quickly, for example, for troubleshooting. You should only do this as a temporary solution, however, because it is not as secure as a regular IPSec SA. In IPSec SAs using manual keys, the ZyWALL and remote IPSec router do not establish an IKE SA. They only establish an IPSec SA.
Figure 171 SECURITY > VPN > VPN Rules (Manual) The following table describes the labels in this screen. Table 69 SECURITY > VPN > VPN Rules (Manual)
#: This is the VPN policy index number.
Name: This field displays the identification name for this VPN policy.
Active: This field displays whether the VPN policy is active or not. A Yes signifies that this VPN policy is active. No signifies that this VPN policy is not active.
14.12 VPN Rules (Manual): Edit Click the edit icon on the VPN Rules (Manual) screen to open the following screen. Use this screen to configure VPN rules that use manual keys. Manual key management is useful if you have problems with IKE key management. See Section 14.10 on page 262 for more information about IPSec SAs using manual keys. Figure 172 SECURITY > VPN > VPN Rules (Manual) > Edit The following table describes the labels in this screen.
Table 70 SECURITY > VPN > VPN Rules (Manual) > Edit (continued)
Local Network: Local IP addresses must be static and correspond to the remote IPSec router's configured remote IP addresses. Two active SAs cannot have the local and remote IP address(es) both the same. Two active SAs can have the same local or remote IP address, but not both. You can configure multiple SAs between the same local and remote IP addresses, as long as only one is active at any time.
Table 70 SECURITY > VPN > VPN Rules (Manual) > Edit (continued)
Primary Remote Gateway: Type the WAN IP address or the domain name (up to 31 characters) of the IPSec router with which you're making the VPN connection.
Manual Proposal
SPI: Type a unique SPI (Security Parameter Index) from one to four characters long. Valid characters are the digits 0 through 9.
Encapsulation Mode: Select Tunnel mode or Transport mode from the drop-down list box.
Figure 173 SECURITY > VPN > SA Monitor The following table describes the labels in this screen. Table 71 SECURITY > VPN > SA Monitor
#: This is the security association index number.
Name: This field displays the identification name for this VPN policy.
Local Network: This field displays the IP address of the computer using the VPN IPSec feature of your ZyWALL.
The following table describes the labels in this screen. Table 72 SECURITY > VPN > Global Setting
Output Idle Timer: When traffic is sent to a remote IPSec router from which no reply is received after the specified time period, the ZyWALL checks the VPN connectivity. If the remote IPSec router does not reply, the ZyWALL automatically disconnects the VPN tunnel.
14.15 Telecommuter VPN/IPSec Examples The following examples show how multiple telecommuters can make VPN connections to a single ZyWALL at headquarters. The telecommuters use IPSec routers with dynamic WAN IP addresses. The ZyWALL at headquarters has a static public IP address. 14.15.
With aggressive negotiation mode (see Section 14.3.1.4 on page 242), the ZyWALL can use the ID types and contents to distinguish between VPN rules. Telecommuters can each use a separate VPN rule to simultaneously access a ZyWALL at headquarters. They can use different IPSec parameters. The local IP addresses (or ranges of addresses) of the rules configured on the ZyWALL at headquarters can overlap.
Table 74 Telecommuters Using Unique VPN Rules Example
TELECOMMUTERS: Local ID Type: DNS; Local ID Content: telecommuterb.com; Local IP Address: 192.168.3.2
HEADQUARTERS: Peer ID Type: DNS; Peer ID Content: telecommuterb.com; Remote Gateway Address: telecommuterb.dydns.org; Remote Address: 192.168.3.2
Telecommuter C (telecommuterc.dydns.org) / Headquarters ZyWALL Rule 3:
TELECOMMUTERS: Local ID Type: E-mail; Local ID Content: myVPN@myplace.com
HEADQUARTERS: Peer ID Type: E-mail; Peer ID Content: myVPN@myplace.
Figure 178 on page 272 shows some example network topologies. In the first (fully-meshed) approach, there is a VPN connection between every pair of routers. In the second (hub-and-spoke) approach, there is a VPN connection between each spoke router (B, C, D, and E) and the hub router (A). The hub router routes VPN traffic between the spoke routers and itself.
Figure 179 Hub-and-spoke VPN Example 14.17.2 Hub-and-spoke Example VPN Rule Addresses The VPN rules for this hub-and-spoke example would use the following address settings.
Branch Office A:
• Remote Gateway: 10.0.0.1
• Local IP address: 192.168.167.0/255.255.255.0
• Remote IP address: 192.168.168.0~192.168.169.255
Headquarters: Rule 1:
• Remote Gateway: 10.0.0.2
• Local IP address: 192.168.168.0~192.168.169.255
• Remote IP address: 192.168.167.0/255.255.255.
The hub router must have at least one separate VPN rule for each spoke. In the local IP address, specify the IP addresses of the hub-and-spoke networks with which the spoke is to be able to have a VPN tunnel. This may require you to use more than one VPN rule. If you want to have the spoke routers access the Internet through the hub-and-spoke VPN tunnel, set the VPN rules in the spoke routers to use 0.0.0.0 (any) as the remote IP address.
CHAPTER 15 Certificates This chapter gives background information about public-key certificates and explains how to use them. 15.1 Certificates Overview The ZyWALL can use certificates (also called digital IDs) to authenticate users. Certificates are based on public-private key pairs. A certificate contains the certificate owner’s identity and public key. Certificates provide a way to exchange public keys for use in authentication.
Certification authorities maintain directory servers with databases of valid and revoked certificates. A directory of certificates that have been revoked before the scheduled expiration is called a CRL (Certificate Revocation List). The ZyWALL can check a peer’s certificate against a directory server’s list of revoked certificates. The framework of servers, software, procedures and policies that handles keys is called PKI (public-key infrastructure). 15.1.
Figure 181 Certificate Details 4 Use a secure method to verify that the certificate owner has the same information in the Thumbprint Algorithm and Thumbprint fields. The secure method may vary depending on your situation. Possible examples would be over the telephone or through an HTTPS connection. 15.4 Configuration Summary This section summarizes how to manage certificates on the ZyWALL.
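The following Python program is an added example, not ZyXEL code, of the out-of-band check in step 4 and of the MD5 and SHA1 Fingerprint fields shown in the certificate detail screens later in this chapter: it strips the PEM (Base-64) armour to recover the binary X.509 (DER) bytes, computes the fingerprint in the colon-separated form the ZyWALL displays, and compares it with the value read out by the certificate owner. The PEM content is a constructed placeholder rather than a real certificate; a real certificate is handled identically.

```python
import base64
import hashlib
import hmac
import re

# Constructed placeholder (assumption): these bytes are NOT a real certificate. Any
# DER-encoded X.509 certificate wrapped in a PEM block is handled the same way.
SAMPLE_DER = b"example-der-bytes" * 4
SAMPLE_PEM = ("-----BEGIN CERTIFICATE-----\n"
              + base64.encodebytes(SAMPLE_DER).decode()
              + "-----END CERTIFICATE-----\n")


def pem_to_der(pem):
    """Strip the PEM armour and Base-64 decode the certificate body."""
    m = re.search(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", pem, re.S)
    if not m:
        raise ValueError("no CERTIFICATE block found")
    return base64.b64decode("".join(m.group(1).split()))


def fingerprint(der, algorithm):
    """Digest of the DER bytes, formatted like the ZyWALL's MD5/SHA1 Fingerprint fields."""
    digest = hashlib.new(algorithm, der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def normalize(fp):
    # Accept upper or lower case and whatever separators the owner used when
    # reading the value out over the telephone.
    return re.sub(r"[^0-9A-F]", "", fp.upper())


def fingerprint_matches(pem, expected, algorithm):
    """True when the certificate's fingerprint equals the value obtained out of band."""
    actual = normalize(fingerprint(pem_to_der(pem), algorithm))
    return hmac.compare_digest(actual, normalize(expected))
```

The fingerprint is a hash of the whole DER encoding, so any change to the certificate, including a different public key with the same subject name, produces a different value. Compare the SHA1 fingerprint rather than the MD5 one where the peer offers both, since MD5 collisions are practical.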
15.5 My Certificates Click SECURITY > CERTIFICATES > My Certificates to open the My Certificates screen. This is the ZyWALL’s summary list of certificates and certification requests. Certificates display in black and certification requests display in gray. Figure 183 SECURITY > CERTIFICATES > My Certificates The following table describes the labels in this screen.
Table 75 SECURITY > CERTIFICATES > My Certificates (continued)
Issuer: This field displays identifying information about the certificate’s issuing certification authority, such as a common name, organizational unit or department, organization or company and country. With self-signed certificates, this is the same information as in the Subject field.
Valid From: This field displays the date that the certificate becomes applicable.
Figure 184 SECURITY > CERTIFICATES > My Certificates > Details The following table describes the labels in this screen. Table 76 SECURITY > CERTIFICATES > My Certificates > Details
Name: This field displays the identifying name of this certificate. If you want to change the name, type up to 31 characters to identify this certificate. You may use any character (not including spaces).
Table 76 SECURITY > CERTIFICATES > My Certificates > Details (continued)
Certification Path: Click the Refresh button to have this read-only text box display the hierarchy of certification authorities that validate the certificate (and the certificate itself). If the issuing certification authority is one that you have imported as a trusted certification authority, it may be the only certification authority in the list (along with the certificate itself).
Table 76 SECURITY > CERTIFICATES > My Certificates > Details (continued)
SHA1 Fingerprint: This is the certificate’s message digest that the ZyWALL calculated using the SHA1 algorithm.
Certificate in PEM (Base-64) Encoded Format: This read-only text box displays the certificate or certification request in Privacy Enhanced Mail (PEM) format. PEM uses 64 ASCII characters to convert the binary certificate into a printable form.
Figure 185 SECURITY > CERTIFICATES > My Certificates > Export The following table describes the labels in this screen. Table 77 SECURITY > CERTIFICATES > My Certificates > Export
Export the certificate in binary X.509 format. Binary X.509 is an ITU-T recommendation that defines the formats for X.509 certificates.
Export the certificate along with the corresponding private key in PKCS#12 format.
15.8.1 Certificate File Formats The certification authority certificate that you want to import has to be in one of these file formats: • Binary X.509: This is an ITU-T recommendation that defines the formats for X.509 certificates. • PEM (Base-64) encoded X.509: This Privacy Enhanced Mail format uses 64 ASCII characters to convert a binary X.509 certificate into a printable form.
Table 78 SECURITY > CERTIFICATES > My Certificates > Import
Apply: Click Apply to save the certificate on the ZyWALL.
Cancel: Click Cancel to quit and return to the My Certificates screen.
When you import a binary PKCS#12 format certificate, another screen displays for you to enter the password. Figure 187 SECURITY > CERTIFICATES > My Certificates > Import: PKCS#12 The following table describes the labels in this screen.
Figure 188 SECURITY > CERTIFICATES > My Certificates > Create The following table describes the labels in this screen. Table 80 SECURITY > CERTIFICATES > My Certificates > Create
Certificate Name: Type up to 31 ASCII characters (not including spaces) to identify this certificate.
Subject Information: Use these fields to record information that identifies the owner of the certificate.
Table 80 SECURITY > CERTIFICATES > My Certificates > Create (continued)
Country: Type up to 127 characters to identify the nation where the certificate owner is located. You may use any character, including spaces, but the ZyWALL drops trailing spaces.
Key Length: Select a number from the drop-down list box to determine how many bits the key should use (512 to 2048). The longer the key, the more secure it is. A longer key also uses more PKI storage space. 512-bit RSA keys have been factored in practice and 1024-bit keys are no longer recommended, so choose 2048 bits unless a peer cannot accept it.
After you click Apply in the My Certificate Create screen, you see a screen that tells you the ZyWALL is generating the self-signed certificate or certification request. After the ZyWALL successfully enrolls a certificate or generates a certification request or a self-signed certificate, you see a screen with a Return button that takes you back to the My Certificates screen.
Table 81 SECURITY > CERTIFICATES > Trusted CAs (continued)
Issuer: This field displays identifying information about the certificate’s issuing certification authority, such as a common name, organizational unit or department, organization or company and country. With self-signed certificates, this is the same information as in the Subject field.
Valid From: This field displays the date that the certificate becomes applicable.
Figure 190 SECURITY > CERTIFICATES > Trusted CAs > Details The following table describes the labels in this screen. Table 82 SECURITY > CERTIFICATES > Trusted CAs > Details
Name: This field displays the identifying name of this certificate. If you want to change the name, type up to 31 characters to identify this key certificate. You may use any character (not including spaces).
Table 82 SECURITY > CERTIFICATES > Trusted CAs > Details (continued)
Certificate Information: These read-only fields display detailed information about the certificate.
Type: This field displays general information about the certificate. CA-signed means that a Certification Authority signed the certificate. Self-signed means that the certificate’s owner signed the certificate (not a certification authority). X.
Table 82 SECURITY > CERTIFICATES > Trusted CAs > Details (continued)
Certificate in PEM (Base-64) Encoded Format: This read-only text box displays the certificate or certification request in Privacy Enhanced Mail (PEM) format. PEM uses 64 ASCII characters to convert the binary certificate into a printable form.
Table 83 SECURITY > CERTIFICATES > Trusted CAs Import
Apply: Click Apply to save the certificate on the ZyWALL.
Cancel: Click Cancel to quit and return to the Trusted CAs screen.
15.13 Trusted Remote Hosts Click SECURITY > CERTIFICATES > Trusted Remote Hosts to open the Trusted Remote Hosts screen. This screen displays a list of the certificates of peers that you trust but which are not signed by one of the certification authorities on the Trusted CAs screen.
Table 84 SECURITY > CERTIFICATES > Trusted Remote Hosts (continued)
Valid To: This field displays the date that the certificate expires. The text displays in red and includes an Expiring! or Expired! message if the certificate is about to expire or has already expired.
Modify: Click the details icon to open a screen with an in-depth list of information about the certificate. Use the export icon to save the certificate to a computer.
Figure 193 SECURITY > CERTIFICATES > Trusted Remote Hosts > Details The following table describes the labels in this screen. Table 85 SECURITY > CERTIFICATES > Trusted Remote Hosts > Details
Name: This field displays the identifying name of this certificate. If you want to change the name, type up to 31 characters to identify this key certificate. You may use any character (not including spaces).
Table 85 SECURITY > CERTIFICATES > Trusted Remote Hosts > Details (continued)
Version: This field displays the X.509 version number.
Serial Number: This field displays the certificate’s identification number given by the device that created the certificate.
Subject: This field displays information that identifies the owner of the certificate, such as Common Name (CN), Organizational Unit (OU), Organization (O) and Country (C).
Table 85 SECURITY > CERTIFICATES > Trusted Remote Hosts > Details (continued)
Apply: Click Apply to save your changes back to the ZyWALL. You can only change the name of the certificate.
Cancel: Click Cancel to quit configuring this screen and return to the Trusted Remote Hosts screen. 15.
Table 86 SECURITY > CERTIFICATES > Trusted Remote Hosts > Import
Apply: Click Apply to save the certificate on the ZyWALL.
Cancel: Click Cancel to quit and return to the Trusted Remote Hosts screen.
15.16 Directory Servers Click SECURITY > CERTIFICATES > Directory Servers to open the Directory Servers screen. This screen displays a summary list of directory servers (that contain lists of valid and revoked certificates) that have been saved into the ZyWALL.
Table 87 SECURITY > CERTIFICATES > Directory Servers
Modify: Click the details icon to open a screen where you can change the information about the directory server. Click the delete icon to remove the directory server entry. A window displays asking you to confirm that you want to delete the directory server. Note that subsequent entries move up by one when you take this action.
Table 88 SECURITY > CERTIFICATES > Directory Server > Add
Login Setting
Login: The ZyWALL may need to authenticate itself in order to access the directory server. Type the login name (up to 31 ASCII characters) from the entity maintaining the directory server (usually a certification authority).
Password: Type the password (up to 31 ASCII characters) from the entity maintaining the directory server (usually a certification authority).
CHAPTER 16 Authentication Server This chapter discusses how to configure the ZyWALL’s authentication server feature. 16.1 Authentication Server Overview A ZyWALL set to be a VPN extended authentication server can use either the local user database internal to the ZyWALL or an external RADIUS (Remote Authentication Dial In User Service, RFC 2138, 2139) server for an unlimited number of users. The ZyWALL uses the same local user database for VPN extended authentication. 16.1.
• Access-Request Sent by an access point requesting authentication. • Access-Reject Sent by a RADIUS server rejecting access. • Access-Accept Sent by a RADIUS server allowing access. • Access-Challenge Sent by a RADIUS server requesting more information in order to allow access. The access point sends a proper response from the user and then sends another Access-Request message.
Figure 197 SECURITY > AUTH SERVER > Local User Database The following table describes the labels in this screen. Table 89 SECURITY > AUTH SERVER > Local User Database
Active: Select this check box to enable the user profile.
User Name: Enter the user name of the user profile.
Password: Enter a password up to 31 characters long for this user profile.
Apply: Click Apply to save your changes back to the ZyWALL.
16.3 RADIUS Click SECURITY > AUTH SERVER > RADIUS to open the RADIUS screen. Configure this screen to use an external RADIUS server to authenticate users. Figure 198 SECURITY > AUTH SERVER > RADIUS The following table describes the labels in this screen. Table 90 SECURITY > AUTH SERVER > RADIUS
Authentication Server
Active: Select the check box to enable user authentication through an external authentication server.
Table 90 SECURITY > AUTH SERVER > RADIUS (continued)
Key: Enter a password (up to 31 alphanumeric characters) as the key to be shared between the external accounting server and the ZyWALL. The key is not sent over the network. This key must be the same on the external accounting server and ZyWALL.
Apply: Click Apply to save your changes back to the ZyWALL.
Reset: Click Reset to begin configuring this screen afresh.
PART IV Advanced
Network Address Translation (NAT) (309)
Static Route (325)
Bandwidth Management (329)
DNS (343)
Remote Management (355)
UPnP (377)
ALG Screen (387)
CHAPTER 17 Network Address Translation (NAT) This chapter discusses how to configure NAT on the ZyWALL. 17.1 NAT Overview NAT (Network Address Translation - NAT, RFC 1631) is the translation of the IP address of a host in a packet. For example, the source address of an outgoing packet, used within one network is changed to a different IP address known within another network. 17.1.1 NAT Definitions Inside/outside denotes where a host is located relative to the ZyWALL.
Note: NAT never changes the IP address (either local or global) of an outside host. 17.1.2 What NAT Does In the simplest form, NAT changes the source IP address in a packet received from a subscriber (the inside local address) to another (the inside global address) before forwarding the packet to the WAN side.
17.1.4 NAT Application The following figure illustrates a possible NAT application, where three inside LANs (logical LANs using IP alias) behind the ZyWALL can communicate with three distinct WAN networks. More examples follow at the end of this chapter. Figure 200 NAT Application With IP Alias 17.1.5 Port Restricted Cone NAT ZyWALL ZyNOS version 4.00 and later uses port restricted cone NAT.
Figure 201 Port Restricted Cone NAT Example 17.1.6 NAT Mapping Types NAT supports five types of IP/port mapping. They are: • One to One: In One-to-One mode, the ZyWALL maps one local IP address to one global IP address. • Many to One: In Many-to-One mode, the ZyWALL maps multiple local IP addresses to one global IP address. This is equivalent to SUA (i.e., PAT, port address translation), ZyXEL's Single User Account feature (the SUA option).
The following table summarizes the NAT mapping types.
Table 92 NAT Mapping Types
TYPE                     | IP MAPPING                                                        | SMT ABBREVIATION
One-to-One               | ILA1 -> IGA1                                                      | 1-1
Many-to-One (SUA/PAT)    | ILA1 -> IGA1, ILA2 -> IGA1, ...                                   | M-1
Many-to-Many Overload    | ILA1 -> IGA1, ILA2 -> IGA2, ILA3 -> IGA1, ILA4 -> IGA2, ...       | M-M Ov
Many-One-to-One          | ILA1 -> IGA1, ILA2 -> IGA2, ILA3 -> IGA3, ...                     | M-1-1
Server                   | Server 1 IP -> IGA1, Server 2 IP -> IGA1, Server 3 IP -> IGA1     | Server
17.
Figure 202 ADVANCED > NAT > NAT Overview The following table describes the labels in this screen. Table 93 ADVANCED > NAT > NAT Overview LABEL DESCRIPTION NAT Setup Max. Concurrent Sessions This read-only field displays the highest number of NAT sessions that the ZyWALL will permit at one time. Max. Concurrent Sessions Per Host Use this field to set the highest number of NAT sessions that the ZyWALL will permit a host to have at one time. A per-host limit keeps a single misbehaving or infected host (for example, one scanning the Internet) from exhausting the session table and denying NAT to every other host on the LAN.
17.4 NAT Address Mapping Click ADVANCED > NAT > Address Mapping to open the following screen.
Chapter 17 Network Address Translation (NAT) The following table describes the labels in this screen. Table 94 ADVANCED > NAT > Address Mapping LABEL DESCRIPTION SUA Address Mapping Rules This read-only table displays the default address mapping rules. Full Feature Address Mapping Rules # This is the rule index number. Local Start IP This refers to the Inside Local Address (ILA), which is the starting local IP address. If the rule is for all local IP addresses, then this field displays 0.0.0.
Chapter 17 Network Address Translation (NAT) Figure 204 ADVANCED > NAT > Address Mapping > Edit The following table describes the labels in this screen. Table 95 ADVANCED > NAT > Address Mapping > Edit LABEL DESCRIPTION Type Choose the port mapping type from one of the following. 1. One-to-One: One-to-One mode maps one local IP address to one global IP address. Note that port numbers do not change for One-to-One NAT mapping type. 2.
Chapter 17 Network Address Translation (NAT) You may enter a single port number or a range of port numbers to be forwarded, and the local IP address of the desired server. The port number identifies a service; for example, web service is on port 80 and FTP on port 21. In some cases, such as for unknown services or where one server can support more than one service (for example both FTP and web service), it might be better to specify a range of port numbers.
Chapter 17 Network Address Translation (NAT) Figure 205 Multiple Servers Behind NAT Example 17.5.4 Port Translation The ZyWALL can translate the destination port number or a range of port numbers of packets coming from the WAN to another destination port number or range of port numbers on the local network. When you use port forwarding without port translation, a single server on the local network can use a specific port number and be accessible to the outside world through a single WAN IP address.
Chapter 17 Network Address Translation (NAT) 17.6 Port Forwarding Screen Click ADVANCED > NAT > Port Forwarding to open the Port Forwarding screen. " If you do not assign a Default Server IP address, the ZyWALL discards all packets received for ports that are not specified here or in the remote management setup. Refer to Appendix E on page 623 for port numbers commonly used for particular services. " The last port forwarding rule is reserved for Roadrunner services.
The following table describes the labels in this screen. Table 96 ADVANCED > NAT > Port Forwarding LABEL DESCRIPTION Default Server In addition to the servers for specified services, NAT supports a default server. A default server receives packets from ports that are not specified in this screen. That makes the default server reachable from the WAN on every port it listens on, not only the services you meant to publish, so assign one only to a host hardened for that exposure and prefer explicit port forwarding rules otherwise. If you do not assign a Default Server IP address, the ZyWALL discards all packets received for ports that are not specified here or in the remote management setup.
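The port-restricted cone behaviour of Section 17.1.5, the many-to-one (SUA/PAT) mapping of Section 17.1.6 and the port forwarding, port translation and default server rules of Sections 17.5 and 17.6 can be exercised together in a small model. The following is an added example written for this edition, not ZyXEL code and not a description of the ZyNOS implementation; the WAN address 203.0.113.10, the LAN hosts, the 80 to 8080 forwarding rule and the starting WAN port 40000 are assumptions chosen for the demonstration.

```python
# Added example, not ZyXEL code: a toy many-to-one (SUA/PAT) translator with
# port-restricted cone inbound filtering, a port forwarding rule with port
# translation, and an optional default server. All addresses are constructed.
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    proto: str = "udp"


class PortRestrictedConeNat:
    """Outbound traffic creates a WAN port mapping per inside (ip, port, proto).

    Inbound traffic to that WAN port is accepted only from a remote ip:port the
    inside host has already sent to (port-restricted cone). Unsolicited traffic
    gets in only through a port forwarding rule or the default server.
    """

    def __init__(self, wan_ip, port_forwards=None, default_server=None, first_port=40000):
        self.wan_ip = wan_ip
        self.port_forwards = dict(port_forwards or {})  # wan_port -> (lan_ip, lan_port)
        self.default_server = default_server
        self.next_port = first_port
        self.mappings = {}    # (lan_ip, lan_port, proto) -> wan_port
        self.reverse = {}     # (wan_port, proto) -> (lan_ip, lan_port)
        self.allowed = set()  # (wan_port, proto, remote_ip, remote_port)

    def outbound(self, pkt):
        """Translate a LAN -> WAN packet; returns the packet as seen on the WAN."""
        key = (pkt.src_ip, pkt.src_port, pkt.proto)
        wan_port = self.mappings.get(key)
        if wan_port is None:
            wan_port = self.next_port
            self.next_port += 1
            self.mappings[key] = wan_port
            self.reverse[(wan_port, pkt.proto)] = (pkt.src_ip, pkt.src_port)
        # remember the remote endpoint so that only it may answer on this WAN port
        self.allowed.add((wan_port, pkt.proto, pkt.dst_ip, pkt.dst_port))
        return Packet(self.wan_ip, wan_port, pkt.dst_ip, pkt.dst_port, pkt.proto)

    def inbound(self, pkt):
        """Translate a WAN -> LAN packet; returns None when the packet is dropped."""
        if pkt.dst_ip != self.wan_ip:
            return None
        inside = self.reverse.get((pkt.dst_port, pkt.proto))
        if inside is not None:
            if (pkt.dst_port, pkt.proto, pkt.src_ip, pkt.src_port) in self.allowed:
                return Packet(pkt.src_ip, pkt.src_port, inside[0], inside[1], pkt.proto)
            return None  # right WAN port, wrong remote ip:port -> dropped
        if pkt.dst_port in self.port_forwards:
            lan_ip, lan_port = self.port_forwards[pkt.dst_port]  # port translation
            return Packet(pkt.src_ip, pkt.src_port, lan_ip, lan_port, pkt.proto)
        if self.default_server is not None:
            return Packet(pkt.src_ip, pkt.src_port, self.default_server, pkt.dst_port, pkt.proto)
        return None  # no rule and no default server: discarded


if __name__ == "__main__":
    nat = PortRestrictedConeNat("203.0.113.10", port_forwards={80: ("192.168.1.20", 8080)})
    print(nat.outbound(Packet("192.168.1.33", 5060, "198.51.100.5", 5060)))
    print(nat.inbound(Packet("198.51.100.5", 5060, "203.0.113.10", 40000)))
    print(nat.inbound(Packet("198.51.100.5", 5061, "203.0.113.10", 40000)))
```

Send a packet out with outbound(), then replay it back in through inbound() with a changed source port or source address: only the exact remote endpoint the inside host spoke to gets through, while traffic to WAN port 80 is accepted without any prior session because of the forwarding rule and lands on port 8080 of the server. With a default server configured, everything else that arrives on the WAN address reaches that host, which is the exposure the note in Section 17.6 describes.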
Chapter 17 Network Address Translation (NAT) Figure 208 Trigger Port Forwarding Process: Example 1 Jane (A) requests a file from the Real Audio server (port 7070). 2 Port 7070 is a “trigger” port and causes the ZyWALL to record Jane’s computer IP address. The ZyWALL associates Jane's computer IP address with the "incoming" port range of 6970-7170. 3 The Real Audio server responds using a port number ranging between 6970-7170. 4 The ZyWALL forwards the traffic to Jane’s computer IP address.
Chapter 17 Network Address Translation (NAT) The following table describes the labels in this screen. Table 97 ADVANCED > NAT > Port Triggering LABEL DESCRIPTION # This is the rule index number (read-only). Name Type a unique name (up to 15 characters) for identification purposes. All characters are permitted - including spaces. Incoming Incoming is a port (or a range of ports) that a server on the WAN uses when it sends out a particular service.
CHAPTER 18 Static Route This chapter shows you how to configure static routes for your ZyWALL. 18.1 IP Static Route Each remote node specifies only the network to which the gateway is directly connected, and the ZyWALL has no knowledge of the networks beyond. For instance, the ZyWALL knows about network N2 in the following figure through remote node Router 1.
Chapter 18 Static Route Figure 211 ADVANCED > STATIC ROUTE > IP Static Route The following table describes the labels in this screen. Table 98 ADVANCED > STATIC ROUTE > IP Static Route LABEL DESCRIPTION # This is the number of an individual static route. Name This is the name that describes or identifies this route. Active This field shows whether this static route is active (Yes) or not (No). Destination This parameter specifies the IP network address of the final destination.
Chapter 18 Static Route Figure 212 ADVANCED > STATIC ROUTE > IP Static Route > Edit The following table describes the labels in this screen. Table 99 ADVANCED > STATIC ROUTE > IP Static Route > Edit LABEL DESCRIPTION Route Name Enter the name of the IP static route. Leave this field blank to delete this static route. Active This field allows you to activate/deactivate this static route. Destination IP Address This parameter specifies the IP network address of the final destination.
CHAPTER 19 Bandwidth Management This chapter describes the functions and configuration of bandwidth management with multiple levels of sub-classes. 19.1 Bandwidth Management Overview Bandwidth management allows you to allocate an interface’s outgoing capacity to specific types of traffic. It can also help you make sure that the ZyWALL forwards certain types of traffic (especially real-time applications) with minimum delay.
Chapter 19 Bandwidth Management 19.3 Proportional Bandwidth Allocation Bandwidth management allows you to define how much bandwidth each class gets; however, the actual bandwidth allotted to each class decreases or increases in proportion to actual available bandwidth. 19.4 Application-based Bandwidth Management You can create bandwidth classes based on individual applications (like VoIP, Web, FTP, Email and Video for example). 19.
Chapter 19 Bandwidth Management 19.7 Scheduler The scheduler divides up an interface’s bandwidth among the bandwidth classes. The ZyWALL has two types of scheduler: fairness-based and priority-based. 19.7.1 Priority-based Scheduler With the priority-based scheduler, the ZyWALL forwards traffic from bandwidth classes according to the priorities that you assign to the bandwidth classes. The larger a bandwidth class’s priority number is, the higher the priority.
Chapter 19 Bandwidth Management 19.7.5 Maximize Bandwidth Usage Example Here is an example of a ZyWALL that has maximize bandwidth usage enabled on an interface. The following table shows each bandwidth class’s bandwidth budget. The classes are set up based on subnets. The interface is set to 10240 kbps. Each subnet is allocated 2048 kbps. The unbudgeted 2048 kbps allows traffic not defined in any of the bandwidth filters to go out when you do not select the maximize bandwidth option.
19.7.5.2 Fairness-based Allotment of Unused and Unbudgeted Bandwidth The following table shows the amount of bandwidth that each class gets.
Table 103 Fairness-based Allotment of Unused and Unbudgeted Bandwidth Example
BANDWIDTH CLASSES AND ALLOTMENTS
Root Class: 10240 kbps
  Administration: 1024 kbps
  Sales: 3072 kbps
  Marketing: 3072 kbps
  Research: 3072 kbps
Suppose that all of the classes except for the administration class need more bandwidth.
Refer to the product specifications in the appendix to see how many class levels you can configure on your ZyWALL.
Table 104 Bandwidth Borrowing Example
BANDWIDTH CLASSES AND BANDWIDTH BORROWING SETTINGS
Root Class:
  Administration: Borrowing Enabled
  Sales: Borrowing Disabled
  Marketing: Borrowing Enabled
  Research: Borrowing Enabled
• The Administration class can borrow unused bandwidth from the Root class because the Administration class has bandwidth borrowing enabled.
Chapter 19 Bandwidth Management If you use VoIP and NetMeeting at the same time, the device allocates up to 500 Kbps of bandwidth to each of them before it allocates any bandwidth to FTP. As a result, FTP can only use bandwidth when VoIP and NetMeeting do not use all of their allocated bandwidth. Suppose you try to browse the web too. In this case, VoIP, NetMeeting and FTP all have higher priority, so they get to use the bandwidth first.
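The arithmetic behind Table 103, the borrowing flag in Table 104 and the VoIP/NetMeeting/FTP priority example above can be checked with the following allocator, which is an added example for this edition and not ZyXEL's scheduler code. Its demand figures (Administration wanting 1024 kbps, the other subnets 6000 kbps each, and the 2000 kbps interface in the VoIP case) are constructed; it models a single scheduling round in kbps and ignores packet sizes and class nesting.

```python
# Added example, not ZyXEL code: a small allocator that applies the
# fairness-based and priority-based allotment of unused and unbudgeted
# bandwidth, plus the borrowing flag, to the classes in Tables 103 and 104.
# The demand figures below are constructed for the demonstration.
from dataclasses import dataclass


@dataclass
class BwClass:
    name: str
    budget: int          # kbps guaranteed to the class
    priority: int = 0    # larger number = higher priority (priority-based scheduler)
    borrow: bool = True  # may the class take bandwidth beyond its budget?


def allot(root_kbps, classes, demand, scheduler="fairness"):
    """Return {class name: kbps} for one scheduling round.

    demand maps class name -> kbps the class currently wants to send.
    Every class first gets min(budget, demand); what is left of the
    interface (unused budget plus unbudgeted bandwidth) is then handed out
    either equally (fairness-based) or strictly by priority.
    """
    if sum(c.budget for c in classes) > root_kbps:
        raise ValueError("class budgets exceed the interface bandwidth")
    got = {c.name: min(c.budget, demand.get(c.name, 0)) for c in classes}
    spare = root_kbps - sum(got.values())
    # extra bandwidth still wanted by each class that is allowed to borrow
    want = {c.name: demand.get(c.name, 0) - got[c.name]
            for c in classes if c.borrow and demand.get(c.name, 0) > got[c.name]}

    if scheduler == "priority":
        for c in sorted(classes, key=lambda c: c.priority, reverse=True):
            if c.name in want:
                take = min(want[c.name], spare)
                got[c.name] += take
                spare -= take
    elif scheduler == "fairness":
        # water-filling: split the spare equally among classes that still want
        # more, give each at most what it wants, and repeat with the remainder
        while spare > 0:
            needy = [n for n, w in want.items() if w > 0]
            if not needy:
                break
            share = spare // len(needy)
            if share == 0:
                break
            for n in needy:
                take = min(want[n], share)
                got[n] += take
                want[n] -= take
                spare -= take
    else:
        raise ValueError("scheduler must be 'fairness' or 'priority'")
    return got


# Classes from the example above: 10240 kbps interface, 2048 kbps per subnet,
# 2048 kbps unbudgeted; the second list has Sales with borrowing disabled
# as in Table 104.
TABLE_103_CLASSES = [
    BwClass("Administration", 2048),
    BwClass("Sales", 2048),
    BwClass("Marketing", 2048),
    BwClass("Research", 2048),
]
TABLE_104_CLASSES = [
    BwClass("Administration", 2048),
    BwClass("Sales", 2048, borrow=False),
    BwClass("Marketing", 2048),
    BwClass("Research", 2048),
]
# Constructed demands: Administration only needs 1024 kbps, the rest want more.
DEMAND = {"Administration": 1024, "Sales": 6000, "Marketing": 6000, "Research": 6000}

if __name__ == "__main__":
    print(allot(10240, TABLE_103_CLASSES, DEMAND))
    print(allot(10240, TABLE_104_CLASSES, DEMAND))
```

With the Table 103 classes the 2048 kbps of unbudgeted bandwidth and the 1024 kbps Administration leaves unused are split three ways, giving the 3072 kbps figures in the table; with Sales unable to borrow, the same 3072 kbps is split between Marketing and Research instead. Under the priority scheduler the whole remainder goes to the highest-priority class that still wants it before any lower class sees a byte, which is the VoIP/NetMeeting/FTP/web ordering described above.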
Chapter 19 Bandwidth Management Table 106 ADVANCED > BW MGMT > Summary (continued) LABEL DESCRIPTION Scheduler Select either Priority-Based or Fairness-Based from the drop-down menu to control the traffic flow. Select Priority-Based to give preference to bandwidth classes with higher priorities. Select Fairness-Based to treat all bandwidth classes equally. See Section 19.7 on page 331.
Chapter 19 Bandwidth Management The following table describes the labels in this screen. Table 107 ADVANCED > BW MGMT > Class Setup LABEL DESCRIPTION Interface Select an interface for which you want to set up bandwidth management classes. Bandwidth management controls outgoing traffic on an interface, not incoming. So, in order to limit the download bandwidth of the LAN users, set the bandwidth management class on the LAN.
Chapter 19 Bandwidth Management Figure 216 ADVANCED > BW MGMT > Class Setup > Add Sub-Class The following table describes the labels in this screen. Table 108 ADVANCED > BW MGMT > Class Setup > Add Sub-Class LABEL DESCRIPTION Class Configuration Class Name Use the auto-generated name or enter a descriptive name of up to 20 alphanumeric characters, including spaces. Bandwidth Budget (kbps) Specify the maximum bandwidth allowed for the class in kbps.
Chapter 19 Bandwidth Management Table 108 ADVANCED > BW MGMT > Class Setup > Add Sub-Class (continued) LABEL DESCRIPTION Service This field simplifies bandwidth class configuration by allowing you to select a predefined application. When you select a predefined application, you do not configure the rest of the bandwidth filter fields (other than enabling or disabling the filter).
Chapter 19 Bandwidth Management Table 108 ADVANCED > BW MGMT > Class Setup > Add Sub-Class (continued) LABEL DESCRIPTION Protocol ID Enter the protocol ID (service type) number, for example: 1 for ICMP, 6 for TCP or 17 for UDP. Apply Click Apply to save your changes back to the ZyWALL. Cancel Click Cancel to exit this screen without saving.
Chapter 19 Bandwidth Management The following table describes the labels in this screen. Table 110 ADVANCED > BW MGMT > Class Setup > Statistics LABEL DESCRIPTION Class Name This field displays the name of the class the statistics page is showing. Budget (kbps) This field displays the amount of bandwidth allocated to the class. Tx Packets This field displays the total number of packets transmitted. Tx Bytes This field displays the total number of bytes transmitted.
Chapter 19 Bandwidth Management The following table describes the labels in this screen. Table 111 ADVANCED > BW MGMT > Monitor LABEL DESCRIPTION Interface Select an interface from the drop-down list box to view the bandwidth usage of its bandwidth classes. Class This field displays the name of the bandwidth class. A Default Class automatically displays for all the bandwidth in the Root Class that is not allocated to bandwidth classes.
CHAPTER 20 DNS This chapter shows you how to configure the DNS screens. 20.1 DNS Overview DNS (Domain Name System) is for mapping a domain name to its corresponding IP address and vice versa. The DNS server is extremely important because without it, you must know the IP address of a machine before you can access it. The ZyWALL uses a system DNS server (in the order you specify in the DNS System screen) to resolve domain names, for example, VPN, DDNS and the time server. 20.
Chapter 20 DNS 20.4 Address Record An address record contains the mapping of a fully qualified domain name (FQDN) to an IP address. An FQDN consists of a host and domain name and includes the top-level domain. For example, www.zyxel.com.tw is a fully qualified domain name, where “www” is the host, “zyxel” is the second-level domain, and “com.tw” is the top level domain. mail.myZyXEL.com.tw is also a FQDN, where "mail" is the host, "myZyXEL" is the secondlevel domain, and "com.tw" is the top level domain.
Chapter 20 DNS Figure 219 Private DNS Server Example " If you do not specify an Intranet DNS server on the remote network, then the VPN host must use IP addresses to access the computers on the remote private network. 20.6 System Screen Click ADVANCED > DNS to display the following screen. Use this screen to configure your ZyWALL’s DNS address and name server records.
Chapter 20 DNS The following table describes the labels in this screen. Table 112 ADVANCED > DNS > System DNS LABEL DESCRIPTION Address Record An address record specifies the mapping of a fully qualified domain name (FQDN) to an IP address. An FQDN consists of a host and domain name and includes the top-level domain. For example, www.zyxel.com.tw is a fully qualified domain name, where “www” is the host, “zyxel” is the second-level domain, and “com.tw” is the top level domain.
Chapter 20 DNS An address record contains the mapping of a fully qualified domain name (FQDN) to an IP address. Configure address records about the ZyWALL itself or another device to keep a record of DNS names and addresses that people on your network may use frequently. If the ZyWALL receives a DNS query for an FQDN for which the ZyWALL has an address record, the ZyWALL can send the IP address in a DNS response without having to query a DNS name server. See Section 20.
Figure 222 ADVANCED > DNS > Insert (Name Server Record) The following table describes the labels in this screen. Table 114 ADVANCED > DNS > Insert (Name Server Record) LABEL DESCRIPTION Domain Zone This field is optional. A domain zone is a fully qualified domain name without the host. For example, zyxel.com.tw is the domain zone for the www.zyxel.com.tw fully qualified domain name. For example, whenever the ZyWALL needs to resolve a zyxel.com.
Chapter 20 DNS 20.7 DNS Cache DNS cache is the temporary storage area where a router stores responses from DNS servers. When the ZyWALL receives a positive or negative response for a DNS query, it records the response in the DNS cache. A positive response means that the ZyWALL received the IP address for a domain name that it checked with a DNS server within the five second DNS timeout period.
Chapter 20 DNS Table 115 ADVANCED > DNS > Cache LABEL DESCRIPTION Maximum TTL Type the maximum time to live (TTL) (60 to 3600 seconds). This sets how long the ZyWALL is to allow a positive resolution entry to remain in the DNS cache before discarding it. Cache Negative DNS Resolutions Caching negative DNS resolutions helps speed up the ZyWALL’s processing of commonly queried domain names (for which DNS resolution has failed) and reduces the amount of traffic that the ZyWALL sends out to the WAN.
Chapter 20 DNS The following table describes the labels in this screen. Table 116 ADVANCED > DNS > DHCP LABEL DESCRIPTION DNS Servers Assigned by DHCP Server The ZyWALL passes a DNS (Domain Name System) server IP address to the DHCP clients. Selected Interface Select an interface from the drop-down list box to configure the DNS servers for the specified interface. DNS These read-only labels represent the DNS servers.
Chapter 20 DNS 20.10.1 DYNDNS Wildcard Enabling the wildcard feature for your host causes *.yourhost.dyndns.org to be aliased to the same IP address as yourhost.dyndns.org. This feature is useful if you want to be able to use, for example, www.yourhost.dyndns.org and still reach your hostname. " If you have a private WAN IP address, then you cannot use Dynamic DNS. 20.11 Configuring Dynamic DNS To change your ZyWALL’s DDNS, click ADVANCED > DNS > DDNS. The screen appears as shown.
Chapter 20 DNS Table 117 ADVANCED > DNS > DDNS LABEL DESCRIPTION Domain Name 1~5 Enter the host names in these fields. DDNS Type Select the type of service that you are registered for from your Dynamic DNS service provider. Select Dynamic if you have the Dynamic DNS service. Select Static if you have the Static DNS service. Select Custom if you have the Custom DNS service. Offline This option is available when Custom is selected in the DDNS Type field.
CHAPTER 21 Remote Management This chapter provides information on the Remote Management screens. 21.1 Remote Management Overview Remote management allows you to determine which services/protocols can access which ZyWALL interface (if any) from which computers. The following figure shows secure and insecure management of the ZyWALL coming in from the WAN. HTTPS and SSH access are secure. HTTP and Telnet access are not secure.
Chapter 21 Remote Management 3 Telnet 4 HTTPS and HTTP 21.1.1 Remote Management Limitations Remote management does not work when: 1 You have not enabled that service on the interface in the corresponding remote management screen. 2 You have disabled that service in one of the remote management screens. 3 The IP address in the Secure Client IP Address field does not match the client IP address. If it does not match, the ZyWALL will disconnect the session immediately.
Chapter 21 Remote Management 1 HTTPS connection requests from an SSL-aware web browser go to port 443 (by default) on the ZyWALL’s WS (web server). 2 HTTP connection requests from a web browser go to port 80 (by default) on the ZyWALL’s WS (web server). Figure 227 HTTPS Implementation " If you disable the HTTP service in the REMOTE MGMT WWW screen, then the ZyWALL blocks all HTTP connection attempts. 21.3 WWW Configuration Click ADVANCED > REMOTE MGMT to open the WWW screen.
Chapter 21 Remote Management The following table describes the labels in this screen. Table 118 ADVANCED > REMOTE MGMT > WWW LABEL DESCRIPTION HTTPS Server Certificate Select the Server Certificate that the ZyWALL will use to identify itself. The ZyWALL is the SSL server and must always authenticate itself to the SSL client (the computer which requests the HTTPS connection with the ZyWALL).
21.4.1 Internet Explorer Warning Messages When you attempt to access the ZyWALL HTTPS server, a Windows dialog box pops up asking if you trust the server certificate. Click View Certificate and compare the certificate's details with the ZyWALL's own HTTPS server certificate in the CERTIFICATES screen (see Chapter 15) before you accept it: a self-signed certificate that you have not verified could just as well have been presented by someone intercepting the connection, and clicking through the warning then hands them your web configurator login. You see the following Security Alert screen in Internet Explorer. Select Yes to proceed to the web configurator login screen; if you select No, then web configurator access is blocked.
Chapter 21 Remote Management Figure 230 Security Certificate 1 (Netscape) Figure 231 Security Certificate 2 (Netscape) 21.4.3 Avoiding the Browser Warning Messages The following describes the main reasons that your browser displays warnings about the ZyWALL’s HTTPS server certificate and what you can do to avoid seeing the warnings. • The issuing certificate authority of the ZyWALL’s HTTPS server certificate is not one of the browser’s trusted certificate authorities.
Chapter 21 Remote Management • Click CERTIFICATES. Find the certificate and check its Subject column. CN stands for certificate’s common name (see Figure 234 on page 362 for an example). Use this procedure to have the ZyWALL use a certificate with a common name that matches the ZyWALL’s actual IP address. You cannot use this procedure if you need to access the WAN port and it uses a dynamically assigned IP address.
Chapter 21 Remote Management Figure 233 Replace Certificate Click Apply in the Replace Certificate screen to create a certificate using your ZyWALL’s MAC address that will be specific to this device. Click CERTIFICATES to open the My Certificates screen. You will see information similar to that shown in the following figure. Figure 234 Device-specific Certificate Click Ignore in the Replace Certificate screen to use the common ZyWALL certificate.
Chapter 21 Remote Management 21.5 SSH You can use SSH (Secure SHell) to securely access the ZyWALL’s SMT or command line interface. Specify which interfaces allow SSH access and from which IP address the access can come. Unlike Telnet or FTP, which transmit data in plaintext (clear or unencrypted text), SSH is a secure communication protocol that combines authentication and data encryption to provide secure encrypted communication between two hosts over an unsecured network.
The SSH client sends a connection request to the SSH server. The server identifies itself with a host key. In the SSH protocol version 1 exchange used in the examples in this chapter, the client encrypts a randomly generated session key with the host key and server key and sends the result back to the server (SSH protocol version 2 instead derives the session key from a Diffie-Hellman exchange that the server signs with its host key). Most clients save a server public key the first time they see it and, in subsequent connections, check the server public key against the saved version on the client computer. That first connection is the only point at which an attacker on the path can substitute a key of their own, so compare the fingerprint the client displays with the ZyWALL's host key before you answer yes to the prompt.
Chapter 21 Remote Management Figure 238 ADVANCED > REMOTE MGMT > SSH The following table describes the labels in this screen. Table 119 ADVANCED > REMOTE MGMT > SSH LABEL DESCRIPTION Server Host Key Select the certificate whose corresponding private key is to be used to identify the ZyWALL for SSH connections. You must have certificates already configured in the My Certificates screen (Click My Certificates and see Chapter 15 on page 275 for details).
Chapter 21 Remote Management Figure 239 SSH Example 1: Store Host Key Enter the password to log in to the ZyWALL. The SMT main menu displays next. 21.9.2 Example 2: Linux This section describes how to access the ZyWALL using the OpenSSH client program that comes with most Linux distributions. 1 Test whether the SSH service is available on the ZyWALL. Enter “telnet 192.168.1.1 22” at a terminal prompt and press [ENTER].
Figure 241 SSH Example 2: Log in
$ ssh -1 192.168.1.1
The authenticity of host '192.168.1.1 (192.168.1.1)' can't be established.
RSA1 key fingerprint is 21:6c:07:25:7e:f4:75:80:ec:af:bd:d4:3d:80:53:d1.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '192.168.1.1' (RSA1) to the list of known hosts.
Administrator@192.168.1.1's password:
3 The SMT main menu displays next. Note that the -1 option and the RSA1 key type mean this session uses SSH protocol version 1, which has known cryptographic weaknesses and which OpenSSH removed from its client in version 7.6; the "yes" above also records the host key without checking it. Compare the fingerprint with the ZyWALL's host key before accepting it, and limit SSH access to a Secure Client IP Address on the LAN. 21.
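The check that the "yes" in the transcript above skips can be automated. The following is an added example for this edition, not ZyXEL or OpenSSH code: it encodes an SSH-2 RSA public key the way a known_hosts line stores it, computes the fingerprints a client prints, and accepts a presented key only if it matches a pinned entry (plain or hashed |1| host name). The modulus, host names and salt are constructed for the demonstration and are not a real ZyWALL key.

```python
# Added example, not ZyXEL or OpenSSH code: pinning an SSH-2 host key the way a
# known_hosts file does, so the fingerprint a client prints at the first
# connection can be checked rather than accepted blindly. The RSA modulus,
# host names and salt below are constructed for the demonstration.
import base64
import hashlib
import hmac
import struct


def ssh_string(b):
    return struct.pack(">I", len(b)) + b


def ssh_mpint(n):
    # positive mpint: big-endian, with a leading 0x00 when the top bit is set
    return ssh_string(n.to_bytes((n.bit_length() + 8) // 8, "big"))


def rsa_public_blob(e, n):
    """Wire encoding of an ssh-rsa public key (the base64 part of a key line)."""
    return ssh_string(b"ssh-rsa") + ssh_mpint(e) + ssh_mpint(n)


def fingerprint_md5(blob):
    """Colon-separated MD5 fingerprint, the legacy format (for an SSH-2 key)."""
    h = hashlib.md5(blob).hexdigest()
    return ":".join(h[i:i + 2] for i in range(0, len(h), 2))


def fingerprint_sha256(blob):
    """OpenSSH's current default fingerprint format: SHA256:<base64 without padding>."""
    digest = base64.b64encode(hashlib.sha256(blob).digest()).decode()
    return "SHA256:" + digest.rstrip("=")


def hashed_hostname(host, salt):
    """known_hosts '|1|' entry: HMAC-SHA1 of the host name keyed with a salt."""
    mac = hmac.new(salt, host.encode(), hashlib.sha1).digest()
    return "|1|%s|%s" % (base64.b64encode(salt).decode(), base64.b64encode(mac).decode())


def host_matches(pattern, host):
    if pattern.startswith("|1|"):
        _, _, salt_b64, mac_b64 = pattern.split("|")
        salt = base64.b64decode(salt_b64)
        mac = hmac.new(salt, host.encode(), hashlib.sha1).digest()
        return hmac.compare_digest(mac, base64.b64decode(mac_b64))
    return host in pattern.split(",")


def pinned_keys(known_hosts_text, host):
    """All (key type, key blob) pairs recorded for host."""
    keys = []
    for line in known_hosts_text.splitlines():
        parts = line.split()
        if len(parts) < 3 or parts[0].startswith("#"):
            continue
        if host_matches(parts[0], host):
            keys.append((parts[1], base64.b64decode(parts[2])))
    return keys


def host_key_is_pinned(known_hosts_text, host, key_type, presented_blob):
    """True only if the presented key exactly matches one recorded for the host."""
    return any(t == key_type and hmac.compare_digest(b, presented_blob)
               for t, b in pinned_keys(known_hosts_text, host))


# Constructed demo key (NOT a real key: the modulus is just a number)
DEMO_N = 0xC4D1E2F30A1B2C3D4E5F60718293A4B5C6D7E8F9
DEMO_BLOB = rsa_public_blob(65537, DEMO_N)
DEMO_SALT = bytes(range(20))
KNOWN_HOSTS = "\n".join([
    "# constructed known_hosts",
    "192.168.1.1 ssh-rsa " + base64.b64encode(DEMO_BLOB).decode(),
    hashed_hostname("zywall.example", DEMO_SALT) + " ssh-rsa "
    + base64.b64encode(DEMO_BLOB).decode(),
])

if __name__ == "__main__":
    print("MD5   ", fingerprint_md5(DEMO_BLOB))
    print("SHA256", fingerprint_sha256(DEMO_BLOB))
    print(host_key_is_pinned(KNOWN_HOSTS, "192.168.1.1", "ssh-rsa", DEMO_BLOB))
```

Record the ZyWALL's host key once over a path you trust (for example on the LAN during installation), then let host_key_is_pinned decide on every later connection; a mismatch is the signal that either the ZyWALL's host key certificate was replaced or something on the path is impersonating it.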
Chapter 21 Remote Management 21.11 Telnet You can use Telnet to access the ZyWALL’s SMT or command line interface. Specify which interfaces allow Telnet access and from which IP address the access can come. 21.12 Configuring TELNET Click ADVANCED > REMOTE MGMT > TELNET to open the following screen. Use this screen to specify which interfaces allow Telnet access and from which IP address the access can come.
21.13 FTP You can use FTP (File Transfer Protocol) to upload and download the ZyWALL's firmware and configuration files; see the User's Guide chapter on firmware and configuration file maintenance for details. To use this feature, your computer must have an FTP client. FTP sends the user name, the password and the files themselves in clear text (see Section 21.5), and the configuration file holds the ZyWALL's complete settings, so allow FTP only on the LAN, restrict it to a single Secure Client IP Address, and disable it on the WAN. To change your ZyWALL's FTP settings, click ADVANCED > REMOTE MGMT > FTP. The screen appears as shown.
21.14 SNMP Simple Network Management Protocol (SNMP) is a protocol used for exchanging management information between network devices. SNMP is a member of the TCP/IP protocol suite. Your ZyWALL supports SNMP agent functionality, which allows a manager station to manage and monitor the ZyWALL through the network. The ZyWALL supports SNMP version one (SNMPv1). SNMPv1 provides no encryption and no message authentication: the community string is the only credential and it travels in clear text in every packet, so treat it like a password, enable SNMP only on trusted interfaces and for a single Secure Client IP Address, and do not expose it on the WAN. The next figure illustrates an SNMP management operation. " SNMP is only available if TCP/IP is configured.
Chapter 21 Remote Management SNMP itself is a simple request/response protocol based on the manager/agent model. The manager issues a request and the agent returns responses using the following protocol operations: • Get - Allows the manager to retrieve an object variable from the agent. • GetNext - Allows the manager to retrieve the next object variable from a table or list within an agent.
Figure 246 ADVANCED > REMOTE MGMT > SNMP The following table describes the labels in this screen. Table 123 ADVANCED > REMOTE MGMT > SNMP LABEL DESCRIPTION SNMP Configuration Get Community Enter the Get Community, which is the password for the incoming Get and GetNext requests from the management station. The default is public and allows all requests. Replace it with a long random string: public is the first value every SNMP scanner tries, and anyone who reaches the SNMP port with a valid community can read the ZyWALL's management information. Set Community Enter the Set community, which is the password for incoming Set requests from the management station. Use a value different from the Get community, since a Set community lets its holder change settings rather than only read them.
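To see why the community string must be treated as a password, the following added example (not ZyXEL code) builds an SNMPv1 GetRequest for sysDescr.0 with a minimal BER encoder and then parses the community string straight back out of the raw bytes, the same way a packet capture or an IDS rule would; uses_weak_community flags packets that still carry a default string. The community strings in it are constructed.

```python
# Added example, not ZyXEL code: a minimal BER encoder/decoder for SNMPv1
# (RFC 1157) that builds a GetRequest for sysDescr.0 and then shows that the
# community string can be read straight out of the packet. The community
# strings used below are constructed.


def ber_length(n):
    if n < 128:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def tlv(tag, body):
    return bytes([tag]) + ber_length(len(body)) + body


def ber_int(v):
    # non-negative INTEGER; the sizing keeps the top bit clear when needed
    return tlv(0x02, v.to_bytes((v.bit_length() + 8) // 8, "big"))


def ber_oid(oid):
    arcs = [int(a) for a in oid.strip(".").split(".")]
    out = bytearray([40 * arcs[0] + arcs[1]])
    for a in arcs[2:]:
        chunk = [a & 0x7F]  # base-128, high bit set on all but the last byte
        a >>= 7
        while a:
            chunk.append(0x80 | (a & 0x7F))
            a >>= 7
        out += bytes(reversed(chunk))
    return tlv(0x06, bytes(out))


def get_request(community, oid, request_id=1):
    """SNMPv1 GetRequest-PDU (context tag 0xA0) wrapped in a Message."""
    varbind = tlv(0x30, ber_oid(oid) + tlv(0x05, b""))  # OID + NULL value
    error_status, error_index = ber_int(0), ber_int(0)
    pdu = tlv(0xA0, ber_int(request_id) + error_status + error_index + tlv(0x30, varbind))
    version = ber_int(0)  # 0 = SNMPv1
    return tlv(0x30, version + tlv(0x04, community.encode()) + pdu)


def read_tlv(buf, pos=0):
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if pos + length > len(buf):
        raise ValueError("truncated TLV")
    return tag, buf[pos:pos + length], pos + length


def parse_header(packet):
    """Return (version, community, pdu tag) of an SNMPv1/v2c message, or None."""
    try:
        tag, body, _ = read_tlv(packet)
        if tag != 0x30:
            return None
        vtag, vbody, pos = read_tlv(body)
        ctag, cbody, pos = read_tlv(body, pos)
        ptag, _, _ = read_tlv(body, pos)
    except (IndexError, ValueError):
        return None
    if vtag != 0x02 or ctag != 0x04:
        return None
    return int.from_bytes(vbody, "big"), cbody.decode("latin-1"), ptag


WEAK_COMMUNITIES = frozenset({"public", "private"})


def uses_weak_community(packet, weak=WEAK_COMMUNITIES):
    """Detection helper: flag packets that still carry a default community string."""
    header = parse_header(packet)
    return header is not None and header[1] in weak


if __name__ == "__main__":
    pkt = get_request("public", "1.3.6.1.2.1.1.1.0")
    print(pkt.hex())
    print(parse_header(pkt), uses_weak_community(pkt))
```

The community string sits in the packet as a plain OCTET STRING two fields in, with nothing hashed or encrypted around it, so any host that can sniff the management traffic learns it; the same parser run over a capture of LAN traffic is a quick way to find agents still answering to public or private.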
Chapter 21 Remote Management 21.15 DNS DNS (Domain Name System) maps a domain name to its corresponding IP address and vice versa. Refer to Chapter 8 on page 141 for more information. Click ADVANCED > REMOTE MGMT > DNS to change your ZyWALL’s DNS settings. Use this screen to set from which IP address the ZyWALL will accept DNS queries and on which interface it can send them your ZyWALL’s DNS settings. This feature is not available when the ZyWALL is set to bridge mode.
Chapter 21 Remote Management 21.17 Configuring CNM Vantage CNM is disabled on the device by default. Click ADVANCED > REMOTE MGMT > CNM to configure your device’s Vantage CNM settings. Figure 248 ADVANCED > REMOTE MGMT > CNM The following table describes the labels in this screen. Table 125 ADVANCED > REMOTE MGMT > CNM LABEL DESCRIPTION Registration Information Registration Status This read only field displays Not Registered when Enable is not selected.
Chapter 21 Remote Management Table 125 ADVANCED > REMOTE MGMT > CNM (continued) LABEL DESCRIPTION Vantage CNM Server Address If the Vantage server is on the same subnet as the ZyXEL device, enter the private or public IP address of the Vantage server. If the Vantage CNM server is on a different subnet to the ZyWALL, enter the public IP address of the Vantage server.
CHAPTER 22 UPnP This chapter introduces the Universal Plug and Play feature. This chapter is only applicable when the ZyWALL is in router mode. 22.1 Universal Plug and Play Overview Universal Plug and Play (UPnP) is a distributed, open networking standard that uses TCP/IP for simple peer-to-peer network connectivity between devices. A UPnP device can dynamically join a network, obtain an IP address, convey its capabilities and learn about other devices on the network.
When a UPnP device joins a network, it announces its presence with a multicast message. For security reasons, the ZyWALL allows multicast messages on the LAN only. All UPnP-enabled devices may communicate freely with each other without additional configuration. Note also that UPnP requests are not authenticated: any program on any LAN computer, including malware, can ask the ZyWALL to create the NAT port mappings shown in the UPnP Ports screen (Section 22.3) and so expose a LAN host to the WAN without anyone logging in to the web configurator. Disable UPnP if this is not your intention. 22.1.4 UPnP and ZyXEL ZyXEL has achieved UPnP certification from the Universal Plug and Play Forum UPnP™ Implementers Corp. (UIC). ZyXEL's UPnP implementation supports IGD 1.
Chapter 22 UPnP Table 126 ADVANCED > UPnP LABEL DESCRIPTION Apply Click Apply to save your changes back to the ZyWALL. Reset Click Reset to begin configuring this screen afresh. 22.3 Displaying UPnP Port Mapping Click ADVANCED > UPnP > Ports to display the UPnP Ports screen. Use this screen to view the NAT port mapping rules that UPnP creates on the ZyWALL. Figure 250 ADVANCED > UPnP > Ports The following table describes the labels in this screen.
Chapter 22 UPnP Table 127 ADVANCED > UPnP > Ports (continued) LABEL DESCRIPTION Enabled This field displays whether or not this UPnP-created NAT mapping rule is turned on. The UPnP-enabled device that connected to the ZyWALL and configured the UPnP-created NAT mapping rule on the ZyWALL determines whether or not the rule is enabled. Description This field displays a text explanation of the NAT mapping rule. Lease Duration This field displays a dynamic port-mapping rule’s time to live (in seconds).
Chapter 22 UPnP 22.4.1 Installing UPnP in Windows Me Follow the steps below to install UPnP in Windows Me. 1 Click Start, Settings and Control Panel. Double-click Add/Remove Programs. 2 Click on the Windows Setup tab and select Communication in the Components selection box. Click Details. 3 In the Communications window, select the Universal Plug and Play check box in the Components selection box. 4 Click OK to go back to the Add/ Remove Programs Properties window and click Next.
Chapter 22 UPnP 22.4.2 Installing UPnP in Windows XP Follow the steps below to install UPnP in Windows XP. 1 Click Start, Settings and Control Panel. 2 Double-click Network Connections. 3 In the Network Connections window, click Advanced in the main menu and select Optional Networking Components …. The Windows Optional Networking Components Wizard window displays. 4 Select Networking Service in the Components selection box and click Details.
22.5.1 Auto-discover Your UPnP-enabled Network Device 1 Click Start and Control Panel. Double-click Network Connections. An icon displays under Internet Gateway. 2 Right-click the icon and select Properties. 3 In the Internet Connection Properties window, click Settings to see the port mappings that were automatically created. You may edit or delete the port mappings or click Add to manually add port mappings.
Chapter 22 UPnP " When the UPnP-enabled device is disconnected from your computer, all port mappings will be deleted automatically. 4 Select the Show icon in notification area when connected check box and click OK. An icon displays in the system tray. 5 Double-click the icon to display your current Internet connection status. 22.5.2 Web Configurator Easy Access With UPnP, you can access the web-based configurator on the ZyXEL device without finding out the IP address of the ZyXEL device first.
Chapter 22 UPnP Follow the steps below to access the web configurator. 1 Click Start and then Control Panel. 2 Double-click Network Connections. 3 Select My Network Places under Other Places. 4 An icon with the description for each UPnP-enabled device displays under Local Network. 5 Right-click the icon for your ZyXEL device and select Invoke. The web configurator login screen displays.
Chapter 22 UPnP 6 Right-click the icon for your ZyXEL device and select Properties. A properties window displays with basic information about the ZyXEL device.
CHAPTER 23 ALG Screen

This chapter covers how to use the ZyWALL’s ALG feature to allow certain applications to pass through the ZyWALL.

23.1 ALG Introduction

An Application Layer Gateway (ALG) manages a specific protocol (such as SIP, H.323 or FTP) at the application layer. The ZyWALL can function as an ALG to allow certain NAT unfriendly applications (such as SIP) to operate properly through the ZyWALL.
23.2 FTP

File Transfer Protocol (FTP) is an Internet file transfer service that operates on the Internet and over TCP/IP networks. A system running the FTP server accepts commands from a system running an FTP client. The service allows users to send commands to the server for uploading and downloading files. The FTP ALG allows TCP packets with a port 21 destination to pass through.

• The ZyWALL can also apply bandwidth management to traffic that goes through the H.323 ALG.

23.5 SIP

The Session Initiation Protocol (SIP) is an application-layer control (signaling) protocol that handles the setting up, altering and tearing down of voice and multimedia sessions over the Internet. SIP is used in VoIP (Voice over IP), the sending of voice signals over the Internet Protocol. SIP signaling is separate from the media for which it handles sessions.

23.5.3 SIP Signaling Session Timeout

Most SIP clients have an “expire” mechanism indicating the lifetime of signaling sessions. The SIP user agent sends registration packets to the SIP server periodically and keeps the session alive in the ZyWALL. If the SIP client does not have this mechanism and makes no calls during the ZyWALL SIP timeout default (60 minutes), the ZyWALL SIP ALG drops any incoming calls after the timeout period.

23.5.

The following table describes the labels in this screen.

Table 128 ADVANCED > ALG
LABEL: DESCRIPTION
Enable FTP ALG: Select this check box to allow FTP sessions to pass through the ZyWALL. FTP (File Transfer Program) is a program that enables fast transfer of files, including large files that may not be possible by e-mail.
Enable H.323 ALG: Select this check box to allow H.323 sessions to pass through the ZyWALL. H.323 is a protocol used for audio communications over networks.
PART V Logs and Maintenance

Logs Screens (395)
Maintenance (427)
CHAPTER 24 Logs Screens

This chapter contains information about configuring general log settings and viewing the ZyWALL’s logs. Refer to Section 24.5 on page 406 for example log message explanations.

24.1 Configuring View Log

The web configurator allows you to look at all of the ZyWALL’s logs in one location. Click LOGS to open the View Log screen. Use the View Log screen to see the logs for the categories that you selected in the Log Settings screen (see Section 24.3 on page 398).
The following table describes the labels in this screen.

Table 129 LOGS > View Log
LABEL: DESCRIPTION
Display: The categories that you select in the Log Settings page (see Section 24.3 on page 398) display in the drop-down list box. Select a category of logs to view; select All Logs to view logs from all of the log categories that you selected in the Log Settings page.
#: This field displays the log number.
Time: This field displays the time the log was recorded. See Section 25.

Table 130 Log Description Example
LABEL: DESCRIPTION
notes: The ZyWALL blocked the packet.
message: The ZyWALL blocked the packet in accordance with the firewall’s default policy of blocking sessions that are initiated from the WAN. “UDP” means that this was a User Datagram Protocol packet. “W to W/ZW” indicates that the packet was traveling from the WAN to the WAN or the ZyWALL.

24.2.1 About the Certificate Not Trusted Log

myZyXEL.

Figure 256 myZyXEL.com: Certificate Download

24.3 Configuring Log Settings

To change your ZyWALL’s log settings, click LOGS > Log Settings. The screen appears as shown. Use the Log Settings screen to configure where the ZyWALL is to send logs, the schedule for when the ZyWALL is to send the logs, and which logs and/or immediate alerts the ZyWALL is to send. An alert is a type of log that warrants more serious attention.

Figure 257 LOGS > Log Settings
The following table describes the labels in this screen.

Table 131 LOGS > Log Settings
LABEL: DESCRIPTION
E-mail Log Settings
Mail Server: Enter the server name or the IP address of the mail server for the e-mail addresses specified below. If this field is left blank, logs and alert messages will not be sent via e-mail.
Mail Subject: Type a title that you want to be in the subject line of the log e-mail message that the ZyWALL sends.

Table 131 LOGS > Log Settings (continued)
LABEL: DESCRIPTION
Send Immediate Alert: Select the categories of alerts for which you want the ZyWALL to instantly email alerts to the e-mail address specified in the Send Alerts To field.
Log Consolidation
Active: Some logs (such as the Attacks logs) may be so numerous that it becomes easy to ignore other important log messages. Select this check box to merge logs with identical messages into one log.

Figure 258 LOGS > Reports

Note: Enabling the ZyWALL’s reporting function decreases the overall throughput by about 1 Mbps.

The following table describes the labels in this screen.

Table 132 LOGS > Reports
LABEL: DESCRIPTION
Collect Statistics: Select the check box and click Apply to have the ZyWALL record report data.

Note: All of the recorded reports data is erased when you turn off the ZyWALL.

24.4.1 Viewing Web Site Hits

In the Reports screen, select Web Site Hits from the Report Type drop-down list box to have the ZyWALL record and display which web sites have been visited the most often and how many times they have been visited.

Figure 259 LOGS > Reports: Web Site Hits Example

The following table describes the label in this screen.

Note: Computers take turns using dynamically assigned LAN, DMZ or WLAN IP addresses. The ZyWALL continues recording the bytes sent to or from a LAN, DMZ or WLAN IP address when it is assigned to a different computer.

Figure 260 LOGS > Reports: Host IP Address Example

The following table describes the labels in this screen.

Figure 261 LOGS > Reports: Protocol/Port Example

The following table describes the labels in this screen.

Table 135 LOGS > Reports: Protocol/Port
LABEL: DESCRIPTION
Protocol/Port: This column lists the protocols or service ports for which the most traffic has gone through the ZyWALL. The protocols or service ports are listed in descending order with the most used protocol or service port listed first.
24.4.4 System Reports Specifications

The following table lists detailed specifications on the reports feature.

Table 136 Report Specifications
LABEL: DESCRIPTION
Number of web sites/protocols or ports/IP addresses listed: 20
Hit count limit: Up to 2^32 hits can be counted per web site. The count starts over at 0 if it passes four billion.
Bytes count limit: Up to 2^64 bytes can be counted per protocol/port or LAN IP address. The count starts over at 0 if it passes 2^64 bytes.
Table 137 System Maintenance Logs (continued)
LOG MESSAGE / DESCRIPTION
Time initialized by NTP server
    The router got the time and date from the NTP server.
Connect to Daytime server fail
    The router was not able to connect to the Daytime server.
Connect to Time server fail
    The router was not able to connect to the Time server.
Connect to NTP server fail
    The router was not able to connect to the NTP server.

Table 138 System Error Logs
LOG MESSAGE / DESCRIPTION
%s exceeds the max. number of session per host!
    This attempt to create a NAT session exceeds the maximum number of NAT session table entries allowed to be created per host.
setNetBIOSFilter: calloc error
    The router failed to allocate memory for the NetBIOS filter settings.
readNetBIOSFilter: calloc error
    The router failed to allocate memory for the NetBIOS filter settings.
WAN connection is down.
    A WAN connection is down.

Table 140 TCP Reset Logs
LOG MESSAGE / DESCRIPTION
Under SYN flood attack, sent TCP RST
    The router sent a TCP reset packet when a host was under a SYN flood attack (the TCP incomplete count is per destination host).
Exceed TCP MAX incomplete, sent TCP RST
    The router sent a TCP reset packet when the number of TCP incomplete connections exceeded the user configured threshold (the TCP incomplete count is per destination host).

Table 142 ICMP Logs (continued)
LOG MESSAGE / DESCRIPTION
Packet without a NAT table entry blocked: ICMP
    The router blocked a packet that didn’t have a corresponding NAT table entry.
Unsupported/out-of-order ICMP: ICMP
    The firewall does not support this kind of ICMP packet, or the ICMP packets are out of order.
Router reply ICMP packet: ICMP
    The router sent an ICMP reply packet to the sender.

Table 146 Content Filtering Logs
LOG MESSAGE / DESCRIPTION
%s: Keyword blocking
    The content of a requested web page matched a user defined keyword.
%s: Not in trusted web list
    The web site is not in a trusted domain, and the router blocks all traffic except trusted domain sites.
%s: Forbidden Web site
    The web site is in the forbidden web site list.
%s: Contains ActiveX
    The web site contains ActiveX.
%s: Contains Java applet
    The web site contains a Java applet.

Table 147 Attack Logs (continued)
LOG MESSAGE / DESCRIPTION
ip spoofing - WAN [ TCP | UDP | IGMP | ESP | GRE | OSPF ]
    The firewall detected an IP spoofing attack on the WAN port.
ip spoofing - WAN ICMP (type:%d, code:%d)
    The firewall detected an ICMP IP spoofing attack on the WAN port.
icmp echo : ICMP (type:%d, code:%d)
    The firewall detected an ICMP echo attack.
syn flood TCP
    The firewall detected a TCP syn flood attack.

Table 148 Remote Management Logs
LOG MESSAGE / DESCRIPTION
Remote Management: FTP denied
    Attempted use of FTP service was blocked according to remote management settings.
Remote Management: TELNET denied
    Attempted use of TELNET service was blocked according to remote management settings.
Remote Management: HTTP or UPnP denied
    Attempted use of HTTP or UPnP service was blocked according to remote management settings.

Table 150 IKE Logs
LOG MESSAGE / DESCRIPTION
Active connection allowed exceeded
    The IKE process for a new connection failed because the limit of simultaneous phase 2 SAs has been reached.
Start Phase 2: Quick Mode
    Phase 2 Quick Mode has started.
Verifying Remote ID failed:
    The connection failed during IKE phase 2 because the router and the peer’s Local/Remote Addresses don’t match.

Table 150 IKE Logs (continued)
LOG MESSAGE / DESCRIPTION
Remote IP / conflicts
    The security gateway is set to “0.0.0.0” and the router used the peer’s “Local Address” as the router’s “Remote Address”. This information conflicted with static rule #d; thus the connection is not allowed.
Phase 1 ID type mismatch
    This router’s "Peer ID Type" is different from the peer IPSec router's "Local ID Type".
Rule [%d] Phase 2 authentication algorithm mismatch
    The listed rule’s IKE phase 2 authentication algorithm did not match between the router and the peer.
Rule [%d] Phase 2 encapsulation mismatch
    The listed rule’s IKE phase 2 encapsulation did not match between the router and the peer.

Table 151 PKI Logs
LOG MESSAGE / DESCRIPTION
Enrollment successful
    The SCEP online certificate enrollment was successful. The Destination field records the certification authority server IP address and port.
Enrollment failed
    The SCEP online certificate enrollment failed. The Destination field records the certification authority server’s IP address and port.

Table 152 Certificate Path Verification Failure Reason Codes
CODE / DESCRIPTION
1  Algorithm mismatch between the certificate and the search constraints.
2  Key usage mismatch between the certificate and the search constraints.
3  Certificate was not valid in the time interval.
4  (Not used)
5  Certificate is not valid.
6  Certificate signature was not verified correctly.
7  Certificate was revoked by a CRL.
8  Certificate was not added to the cache.
Table 153 ACL Setting Notes (continued)
PACKET DIRECTION / DIRECTION / DESCRIPTION
(L to L/ZW) LAN to LAN/ZyWALL
    ACL set for packets traveling from the LAN to the LAN or the ZyWALL.
(W to W/ZW) WAN to WAN/ZyWALL
    ACL set for packets traveling from the WAN to the WAN or the ZyWALL.
(D to D/ZW) DMZ to DMZ/ZyWALL
    ACL set for packets traveling from the DMZ to the DMZ or the ZyWALL.
(L to WL) LAN to WLAN
    ACL set for packets traveling from the LAN to the WLAN.
Table 154 ICMP Notes (continued)
TYPE / CODE / DESCRIPTION
                         0  Time to live exceeded in transit
                         1  Fragment reassembly time exceeded
Parameter Problem    12  0  Pointer indicates the error
Timestamp            13  0  Timestamp request message
Timestamp Reply      14  0  Timestamp reply message
Information Request  15  0  Information request message
Information Reply    16  0  Information reply message

Table 155 IDP Logs
LOG MESSAGE / DESCRIPTION
The buffer size is too small!
    The buffer for holding I

Table 155 IDP Logs (continued)
LOG MESSAGE / DESCRIPTION
Signature update OK - New signature version: Release Date: !
    The device updated the signature file successfully. The signature file’s version and release date are included.
The turbo card is not ready , please insert the card and reboot!
    The turbo card is not installed.

Table 156 AV Logs
LOG MESSAGE / DESCRIPTION
HTTP Virus infected - %s!
    The device detected a virus in an HTTP connection.

Table 156 AV Logs (continued)
LOG MESSAGE / DESCRIPTION
The turbo card is not ready , please insert the card and reboot!
    The turbo card is not installed.
The system is doing signature update now , please wait!
    The device is updating the signature file.

Table 157 AS Logs
LOG MESSAGE / DESCRIPTION
Mail is in the Black List - Mail From:%EMAIL_ADDRESS% Subject:%MAIL_SUBJECT%!
    An e-mail with the listed source and subject matched an anti-spam blacklist entry.

Table 157 AS Logs (continued)
LOG MESSAGE / DESCRIPTION
This is a phishing mail - Spam Score:%d Mail From:%EMAIL_ADDRESS% Subject:%MAIL_SUBJECT%!
    The spam score (listed) for the e-mail with the listed source and subject was higher than the spam score threshold. The anti-spam external database identified the e-mail as a phishing mail.
Invalid parameter for AsEngine!
    There was an internal AS system error. This type of error causes the device to restart.
24.6 Syslog Logs

There are two types of syslog: event logs and traffic logs. The device generates an event log when a system event occurs, for example, when a user logs in or the device is under attack. The device generates a traffic log when a "session" is terminated. A traffic log summarizes the session's type, when it started and stopped, the amount of traffic that was sent and received and so on.

Table 158 Syslog Logs (continued)
LOG MESSAGE / DESCRIPTION
Event Log: Mon dd hr:mm:ss hostname src="" dst="" ob="<0|1>" ob_mac="" msg="" note="" devID="" cat="IDP" class="" sid="" act="" count="1"
    This message is sent by the device ("RAS" displays as the system name if you haven’t configured one) at the time when this syslog is generated.
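As an added example (not code from the ZyXEL guide), the following Python script parses event log lines in the key="value" syslog shape shown in Table 158 and then applies the same merge that the Log Consolidation option in Table 131 describes: entries with identical category, message and note are folded into one record whose count is the sum of the originals, so a burst of Attacks logs no longer hides the other messages. The sample lines, addresses, device ID and the deliberately malformed last line are constructed for this example; "RAS" is the default system name named in the table above, and the field names follow the documented format.

```python
import re
from collections import OrderedDict

# Constructed sample syslog lines in the event log shape documented above.
# Hostname "RAS" is the default system name; addresses, device ID and the
# malformed last line are made up for this example.
SAMPLE_LOG = """\
Jan 12 10:15:01 RAS src="203.0.113.9:4321" dst="198.51.100.1:80" msg="syn flood TCP" note="ATTACK" devID="00a0c5123478" cat="Attacks" count="1"
Jan 12 10:15:01 RAS src="203.0.113.9:4322" dst="198.51.100.1:80" msg="syn flood TCP" note="ATTACK" devID="00a0c5123478" cat="Attacks" count="1"
Jan 12 10:15:02 RAS src="203.0.113.9:4323" dst="198.51.100.1:80" msg="syn flood TCP" note="ATTACK" devID="00a0c5123478" cat="Attacks" count="1"
Jan 12 10:15:07 RAS src="192.168.1.33" dst="" msg="Remote Management: TELNET denied" note="" devID="00a0c5123478" cat="Remote Management" count="1"
Jan 12 10:15:09 RAS src="203.0.113.9:51002" dst="198.51.100.1:21" msg="Firewall default policy: UDP (W to W/ZW)" note="ACCESS BLOCK" devID="00a0c5123478" cat="Access Control" count="1"
this line is not in the event log format
"""

# "Mon dd hr:mm:ss hostname" followed by the key="value" body.
HEADER_RE = re.compile(
    r'^(?P<time>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) (?P<hostname>\S+) (?P<body>.*)$'
)
KV_RE = re.compile(r'(\w+)="([^"]*)"')


def parse_event(line):
    """Parse one event log line into a dict; return None if it does not match."""
    m = HEADER_RE.match(line)
    if m is None:
        return None
    fields = {"time": m.group("time"), "hostname": m.group("hostname")}
    fields.update(KV_RE.findall(m.group("body")))
    try:
        fields["count"] = int(fields.get("count", "1"))
    except ValueError:
        fields["count"] = 1  # treat a damaged count field as a single occurrence
    return fields


def parse_log(text):
    """Split a syslog capture into parsed events and rejected (unparseable) lines."""
    events, rejected = [], []
    for line in text.splitlines():
        if not line.strip():
            continue
        event = parse_event(line)
        if event is None:
            rejected.append(line)   # keep these; they deserve a look rather than silent loss
        else:
            events.append(event)
    return events, rejected


def consolidate(events):
    """Merge events with identical category, message and note into one entry.

    Counts are summed and the first and last timestamps kept, mirroring the
    Log Consolidation option described in Table 131.
    """
    merged = OrderedDict()
    for event in events:
        key = (event.get("cat", ""), event.get("msg", ""), event.get("note", ""))
        if key not in merged:
            entry = dict(event)
            entry["first_time"] = entry["last_time"] = event["time"]
            merged[key] = entry
        else:
            merged[key]["count"] += event["count"]
            merged[key]["last_time"] = event["time"]
    return list(merged.values())


def select_alerts(events, alert_categories=("Attacks",)):
    """Return the events in the categories chosen for immediate alerting."""
    return [e for e in events if e.get("cat") in alert_categories]


if __name__ == "__main__":
    parsed, bad = parse_log(SAMPLE_LOG)
    for entry in consolidate(parsed):
        print(entry["count"], entry["cat"], entry["msg"], entry["first_time"], entry["last_time"])
    print("rejected lines:", len(bad))
```

Lines that do not match the documented header are returned separately rather than dropped, which is the behaviour you want from a collector: a line that cannot be parsed is itself worth noticing.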
CHAPTER 25 Maintenance

This chapter displays information on the maintenance screens.

25.1 Maintenance Overview

The maintenance screens can help you view system information, upload new firmware, manage configuration and restart your ZyWALL.

25.2 General Setup and System Name

General Setup contains administrative and system-related information. System Name is for identification purposes. However, because some ISPs check this name you should enter your computer's "Computer Name".
Figure 262 MAINTENANCE > General Setup

The following table describes the labels in this screen.

Table 160 MAINTENANCE > General Setup
LABEL: DESCRIPTION
General Setup
System Name: Choose a descriptive name for identification purposes. It is recommended you enter your computer’s “Computer name” in this field. This name can be up to 30 alphanumeric characters long. Spaces are not allowed, but dashes “-” and underscores "_" are accepted.

Figure 263 MAINTENANCE > Password

The following table describes the labels in this screen.

Table 161 MAINTENANCE > Password
LABEL: DESCRIPTION
Old Password: Type the default password or the existing password you use to access the system in this field. If you forget the password, you may have to use the hardware RESET button. This restores the default password of 1234.
New Password: Type your new system password (up to 30 characters).

Figure 264 MAINTENANCE > Time and Date

The following table describes the labels in this screen.

Table 162 MAINTENANCE > Time and Date
LABEL: DESCRIPTION
Current Time and Date
Current Time: This field displays the ZyWALL’s present time.
Current Date: This field displays the ZyWALL’s present date.
Time and Date Setup
Manual: Select this radio button to enter the time and date manually.

Table 162 MAINTENANCE > Time and Date (continued)
LABEL: DESCRIPTION
Time Protocol: Select the time service protocol that your time server uses. Not all time servers support all protocols, so you may have to check with your ISP/network administrator or use trial and error to find a protocol that works. The main difference between them is the format. Daytime (RFC 867) format is day/month/year/time zone of the server.

25.5 Pre-defined NTP Time Server Pools

When you turn on the ZyWALL for the first time, the date and time start at 2000-01-01 00:00:00. The ZyWALL then attempts to synchronize with an NTP time server from one of the 0.pool.ntp.org, 1.pool.ntp.org or 2.pool.ntp.org NTP time server pools. These are virtual clusters of time servers that use a round robin method to provide different NTP servers to clients.
Figure 266 Synchronization is Successful

If the update was not successful, the following screen appears. Click Return to go back to the Time and Date screen.

Figure 267 Synchronization Fail

25.6 Introduction To Transparent Bridging

A transparent bridge is invisible to the operation of a network in that it does not modify the frames it forwards. The bridge checks the source address of incoming frames on the port and learns MAC addresses to associate with that port.

For example, if a bridge receives a frame via port 1 from host A (MAC address 00a0c5123478), the bridge associates host A with port 1. When the bridge receives another frame on one of its ports with destination address 00a0c5123478, it forwards the frame directly through port 1 after checking the internal table.
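As an added example (not code from the ZyXEL guide), the following Python simulation implements the learning and forwarding behaviour just described: each source MAC address is learned on the port where its frame arrives, frames for a known destination go out that port only, unknown and broadcast destinations are flooded to every other port, idle entries age out, and an address that reappears on a different port is recorded, since that is the kind of event a firewall running in bridge mode would want to log. Port numbers, host B's address and the timings are assumptions made for this example; host A's MAC address 00a0c5123478 is the value used in the guide's own example.

```python
BROADCAST = "ffffffffffff"


def normalize_mac(mac):
    """Canonical form: lowercase hex with separators removed (00a0c5123478)."""
    return mac.replace(":", "").replace("-", "").lower()


class LearningBridge:
    """Learning and forwarding logic of a transparent bridge.

    Port numbers, hosts and timings used in demo() are assumptions made for
    this example; the only value taken from the guide is host A's MAC address.
    """

    def __init__(self, ports, max_age=300):
        self.ports = list(ports)
        self.max_age = max_age        # seconds an unused entry stays in the table
        self.table = {}               # MAC -> (port, time last seen)
        self.moves = []               # (MAC, old port, new port) when an address moves

    def receive(self, in_port, src_mac, dst_mac, now):
        """Process a frame arriving on in_port; return the list of egress ports."""
        src = normalize_mac(src_mac)
        dst = normalize_mac(dst_mac)

        # Learning: associate the source address with the port it arrived on.
        # An address that shows up on a different port is recorded separately,
        # because a silent move can mean a relocated host or a spoofed source.
        previous = self.table.get(src)
        if previous is not None and previous[0] != in_port:
            self.moves.append((src, previous[0], in_port))
        self.table[src] = (in_port, now)

        # Forwarding: known unicast goes out the learned port only;
        # broadcast and unknown destinations are flooded to all other ports.
        entry = self.table.get(dst)
        if dst == BROADCAST or entry is None:
            return [p for p in self.ports if p != in_port]
        if entry[0] == in_port:
            return []                 # destination is on the ingress segment: filter it
        return [entry[0]]

    def age(self, now):
        """Drop entries not refreshed within max_age seconds; return what was dropped."""
        expired = [mac for mac, (_, seen) in self.table.items() if now - seen > self.max_age]
        for mac in expired:
            del self.table[mac]
        return expired


def demo():
    """Walk through the guide's example: host A on port 1 talking to host B on port 2."""
    bridge = LearningBridge(ports=[1, 2, 3])
    host_a = "00a0c5123478"           # MAC address from the guide's example
    host_b = "00:a0:c5:ab:cd:ef"      # constructed for this example
    steps = []
    # A's first frame: A is learned on port 1, B is unknown, so the frame floods.
    steps.append(bridge.receive(1, host_a, host_b, now=0))
    # B replies on port 2: B is learned, A is known, so only port 1 is used.
    steps.append(bridge.receive(2, host_b, host_a, now=1))
    # A sends again: both known, frame goes straight out port 2.
    steps.append(bridge.receive(1, host_a, host_b, now=2))
    return bridge, steps


if __name__ == "__main__":
    bridge, steps = demo()
    print(steps)                      # [[2, 3], [1], [2]]
    print(bridge.table)
```

The table holds one port per address, so the first frame from a host is the only one that needs flooding; everything after that is delivered to a single port, which is why a bridge that also inspects traffic (the bridge firewall mode described in Section 25.9) can do so without the rest of the network noticing it is there.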
You can use the firewall and VPN in bridge mode. See the user’s guide for a list of other features that are available in bridge mode. The following applies when the ZyWALL is in router mode.

Figure 268 MAINTENANCE > Device Mode (Router Mode)

The following table describes the labels in this screen.

Table 164 MAINTENANCE > Device Mode (Router Mode)
LABEL: DESCRIPTION
Current Device Mode
Device Mode: This displays whether the ZyWALL is functioning as a router or a bridge.

25.9 Configuring Device Mode (Bridge)

Click MAINTENANCE > Device Mode to open the following screen. Use this screen to configure your ZyWALL as a router or a bridge. In bridge mode, the ZyWALL functions as a transparent firewall (also known as a bridge firewall). The ZyWALL bridges traffic traveling between the ZyWALL's interfaces and still filters and inspects packets. You do not need to change the configuration of your existing network.

Table 165 MAINTENANCE > Device Mode (Bridge Mode) (continued)
LABEL: DESCRIPTION
LAN Interface IP Address: Enter the IP address of your ZyWALL’s LAN port in dotted decimal notation. 192.168.1.1 is the factory default.
LAN Interface Subnet Mask: Enter the IP subnet mask of the ZyWALL’s LAN port.
DHCP: DHCP (Dynamic Host Configuration Protocol, RFC 2131 and RFC 2132) allows individual clients (computers) to obtain TCP/IP configuration at startup from a server.

Figure 270 MAINTENANCE > Firmware Upload

The following table describes the labels in this screen.

Table 166 MAINTENANCE > Firmware Upload
LABEL: DESCRIPTION
File Path: Type in the location of the file you want to upload in this field or click Browse ... to find it.
Browse...: Click Browse... to find the .bin file you want to upload. Remember that you must decompress compressed (.zip) files before you can upload them.
Upload: Click Upload to begin the upload process.

Figure 272 Network Temporarily Disconnected

After two minutes, log in again and check your new firmware version in the HOME screen. If the upload was not successful, the following screen will appear. Click Return to go back to the F/W Upload screen.

Figure 273 Firmware Upload Error

25.11 Backup and Restore

See Section 40.5 on page 557 for transferring configuration files using FTP/TFTP commands. Click MAINTENANCE > Backup & Restore.

Figure 274 MAINTENANCE > Backup and Restore

25.11.1 Backup Configuration

Backup configuration allows you to back up (save) the ZyWALL’s current configuration to a file on your computer. Once your ZyWALL is configured and functioning properly, it is highly recommended that you back up your configuration file before making configuration changes. The backup configuration file will be useful in case you need to return to your previous settings.

After you see a “restore configuration successful” screen, you must then wait one minute before logging into the ZyWALL again.

Figure 275 Configuration Upload Successful

The ZyWALL automatically restarts in this time, causing a temporary network disconnect. In some operating systems, you may see the following icon on your desktop.

Figure 278 Reset Warning Message

You can also press the hardware RESET button to reset the factory defaults of your ZyWALL. Refer to Section 2.3 on page 51 for more information on the RESET button.

25.12 Restart Screen

System restart allows you to reboot the ZyWALL without turning the power off. Click MAINTENANCE > Restart. Click Restart to have the ZyWALL reboot. Restart is different from reset (see Section 25.11.3 on page 441); reset returns the device to its default configuration.
PART VI SMT and Troubleshooting

Introducing the SMT (445)
SMT Menu 1 - General Setup (453)
WAN and Dial Backup Setup (459)
LAN Setup (469)
Internet Access (475)
DMZ Setup (479)
Remote Node Setup (487)
IP Static Route Setup (497)
Network Address Translation (NAT) (499)
Introducing the ZyWALL Firewall (517)
Filter Configuration (519)
SNMP Configuration (535)
System Information & Diagnosis (537)
Firmware and Configuration File Maintenance (549)
System Maintenance Menus 8 to 10 (563)
Remote Management (571)
Ca
CHAPTER 26 Introducing the SMT

This chapter explains how to access the System Management Terminal and gives an overview of its menus.

26.1 Introduction to the SMT

The ZyWALL’s SMT (System Management Terminal) is a menu-driven interface that you can access from a terminal emulator through the console port or over a telnet connection. This chapter shows you how to access the SMT (System Management Terminal) menus via console port, how to navigate the SMT and how to configure SMT menus.

26.

Figure 280 Initial Screen

    Copyright (c) 1994 - 2007 ZyXEL Communications Corp.

    initialize ch =0, ethernet address: 00:A0:C5:01:23:45
    initialize ch =1, ethernet address: 00:A0:C5:01:23:46
    initialize ch =2, ethernet address: 00:A0:C5:01:23:47
    initialize ch =3, ethernet address: 00:A0:C5:01:23:48
    initialize ch =4, ethernet address: 00:00:00:00:00:00
    AUX port init . done
    Modem init . inactive

    Press ENTER to continue...

26.2.
Table 168 Main Menu Commands
OPERATION / KEYSTROKES / DESCRIPTION
Move the cursor: [ENTER] or [UP]/[DOWN] arrow keys
    Within a menu, press [ENTER] to move to the next field. You can also use the [UP]/[DOWN] arrow keys to move to the previous and the next field, respectively. When you are at the top of a menu, press the [UP] arrow key to move to the bottom of a menu.
Entering information: Fill in, or press [SPACE BAR], then press [ENTER] to select from choices.

Figure 283 Main Menu (Bridge Mode)

    Copyright (c) 1994 - 2007 ZyXEL Communications Corp.

                        ZyWALL 2 Plus Main Menu

    Getting Started                 Advanced Management
      1. General Setup                21. Filter and Firewall Setup
                                      22. SNMP Configuration
                                      23. System Password
                                      24. System Maintenance
      7. Wireless Setup
                                      99. Exit

                     Enter Menu Selection Number:

The following table describes the fields in this menu.

Table 169 Main Menu Summary
NO.

26.3.2 SMT Menus Overview

The following table gives you an overview of your ZyWALL’s various SMT menus.

Table 170 SMT Menus Overview
MENUS / SUB MENUS
1 General Setup
    1.1 Configure Dynamic DNS
        1.1.1 DDNS Host Summary
        1.1.1 DDNS Edit Host
2 WAN Setup
    2.1 Advanced WAN Setup
3 LAN Setup
    3.1 LAN Port Filter Setup
    3.2 TCP/IP and DHCP Ethernet Setup
        3.2.1 IP Alias Setup
4 Internet Access Setup
5 DMZ Setup
    5.1 DMZ Port Filter Setup
    5.2 TCP/IP and DHCP Ethernet Setup
        5.2.

Table 170 SMT Menus Overview (continued)
MENUS / SUB MENUS
24 System Maintenance
    24.1 System Status
    24.2 System Information and Console Port Speed
        24.2.1 System Information
        24.2.2 Console Port Speed
    24.3 Log and Trace
        24.3.1 View Error Log
        24.3.2 Syslog Logging
        24.3.4 Call-Triggering Packet
    24.4 Diagnostic
    24.5 Backup Configuration
    24.6 Restore Configuration
    24.7 Upload Firmware
        24.7.1 Upload System Firmware
        24.7.2 Upload System Configuration File
    24.

Note that as you type a password, the screen displays an “x” for each character you type.

26.5 Resetting the ZyWALL

See Section 2.3 on page 51 for directions on resetting the ZyWALL.
CHAPTER 27 SMT Menu 1 - General Setup

Menu 1 - General Setup contains administrative and system-related information.

27.1 Introduction to General Setup

Menu 1 - General Setup contains administrative and system-related information.

27.2 Configuring General Setup

1 Enter 1 in the main menu to open Menu 1 - General Setup.
2 The Menu 1 - General Setup screen appears, as shown next. Fill in the required fields.

Table 171 Menu 1: General Setup (Router Mode) (continued)
FIELD: DESCRIPTION
Device Mode: Press [SPACE BAR] and then [ENTER] to select Router Mode.
Edit Dynamic DNS: Press [SPACE BAR] and then [ENTER] to select Yes or No (default). Select Yes to configure Menu 1.1: Configure Dynamic DNS discussed next.

When you have completed this menu, press [ENTER] at the prompt “Press ENTER to Confirm…” to save your configuration, or press [ESC] at any time to cancel.

Figure 287 Menu 1.1: Configure Dynamic DNS

    Menu 1.1 - Configure Dynamic DNS

    Service Provider= WWW.DynDNS.ORG
    Active= No
    Username=
    Password= ********
    Edit Host= No

    Press ENTER to Confirm or ESC to Cancel:

Follow the instructions in the next table to configure Dynamic DNS parameters.

Table 173 Menu 1.1: Configure Dynamic DNS
FIELD: DESCRIPTION
Service Provider: This is the name of your Dynamic DNS service provider.

Figure 288 Menu 1.1.1: DDNS Host Summary

Menu 1.1.

Figure 289 Menu 1.1.1: DDNS Edit Host

    Menu 1.1.1 - DDNS Edit Host

    Hostname= ZyWALL
    DDNS Type= DynamicDNS
    Enable Wildcard Option= Yes
    Enable Off Line Option= N/A

    IP Address Update Policy:
      Let DDNS Server Auto Detect= Yes
      Use User-Defined= N/A
      Use WAN IP Address= N/A

    Press ENTER to Confirm or ESC to Cancel:

The following table describes the fields in this screen.

Table 175 Menu 1.1.1: DDNS Edit Host
FIELD: DESCRIPTION
Host Name: Enter your host name in this field.

Table 175 Menu 1.1.1: DDNS Edit Host (continued)
FIELD: DESCRIPTION
Use WAN IP Address: Enter the static public IP address if you select Yes in the Use User-Defined field.

When you have completed this menu, press [ENTER] at the prompt “Press ENTER to Confirm…” to save your configuration, or press [ESC] at any time to cancel. The IP address updates when you reconfigure menu 1 or perform DHCP client renewal.
CHAPTER 28 WAN and Dial Backup Setup

This chapter describes how to configure the WAN using menu 2 and dial-backup using menus 2.1 and 11.1.

28.1 Introduction to WAN and Dial Backup Setup

This chapter explains how to configure settings for your WAN port and how to configure the ZyWALL for a dial backup connection.

28.2 WAN Setup

From the main menu, enter 2 to open menu 2.

The following table describes the fields in this screen.

Table 176 MAC Address Cloning in WAN Setup
FIELD: DESCRIPTION
MAC Address Assigned By: Press [SPACE BAR] and then [ENTER] to choose one of two methods to assign a MAC Address. Choose Factory Default to select the factory assigned default MAC Address. Choose IP address attached on LAN to use the MAC Address of the computer whose IP you give in the following field.

Figure 291 Menu 2: Dial Backup Setup

    Menu 2 - WAN Setup

    MAC Address:
      Assigned By= Factory default
      IP Address= N/A

    Dial-Backup:
      Active= No
      Port Speed= 115200
      AT Command String:
        Init= at&fs0=0
      Edit Advanced Setup= No

    Press ENTER to Confirm or ESC to Cancel:

The following table describes the fields in this menu.

Table 177 Menu 2: Dial Backup Setup
FIELD: DESCRIPTION
Dial-Backup: Active: Use this field to turn the dial-backup feature on (Yes) or off (No).

To edit the advanced setup for the Dial Backup port, move the cursor to the Edit Advanced Setup field in Menu 2 - WAN Setup, press the [SPACE BAR] to select Yes and then press [ENTER].

Figure 292 Menu 2.1: Advanced WAN Setup

Menu 2.

Table 179 Advanced WAN Port Setup: Call Control Parameters
FIELD: DESCRIPTION
Call Control
Dial Timeout (sec): Enter a number of seconds for the ZyWALL to keep trying to set up an outgoing call before timing out (stopping). The ZyWALL times out and stops if it cannot set up an outgoing call within the timeout value.
Retry Count: Enter a number of times for the ZyWALL to retry a busy or no-answer phone number before blacklisting the number.

The following table describes the fields in this menu.

Table 180 Menu 11.3: Remote Node Profile (Backup ISP)
FIELD: DESCRIPTION
Rem Node Name: Enter a descriptive name for the remote node. This field can be up to eight characters.
Active: Press [SPACE BAR] and then [ENTER] to select Yes to enable the remote node or No to disable the remote node.
Outgoing
My Login: Enter the login name assigned by your ISP for this remote node.
Chapter 28 WAN and Dial Backup Setup 28.7 Editing TCP/IP Options Move the cursor to the Edit IP field in menu 11.2, then press [SPACE BAR] to select Yes. Press [ENTER] to open Menu 11.2.2 - Remote Node Network Layer Options. Figure 294 Menu 11.2.2: Remote Node Network Layer Options Menu 11.2.2 - Remote Node Network Layer Options IP Address Assignment= Static Rem IP Addr= 0.0.0.0 Rem Subnet Mask= 0.0.0.0 My WAN Addr= 0.0.0.
Chapter 28 WAN and Dial Backup Setup Table 181 Menu 11.2.2: Remote Node Network Layer Options FIELD DESCRIPTION RIP Direction Press [SPACE BAR] and then [ENTER] to select the RIP Direction from Both, In Only, Out Only and None. Version Press [SPACE BAR] and then [ENTER] to select the RIP version from RIP-1, RIP-2B and RIP-2M. Multicast IGMP (Internet Group Multicast Protocol) is a session-layer protocol used to establish membership in a Multicast group.
Chapter 28 WAN and Dial Backup Setup If there are errors in the script and it gets stuck at a set for longer than the “Dial Timeout” in menu 2 (default 60 seconds), the ZyWALL will timeout and drop the line. To debug a script, go to Menu 24.4 to initiate a manual call and watch the trace display to see if the sequence of messages and prompts from the server differs from what you expect. Figure 295 Menu 11.2.3: Remote Node Script Menu 11.2.
Chapter 28 WAN and Dial Backup Setup Figure 296 Menu 11.2.4: Remote Node Filter Menu 11.2.
CHAPTER 29 LAN Setup This chapter describes how to configure the LAN using Menu 3 - LAN Setup. 29.1 Introduction to LAN Setup This chapter describes how to configure the ZyWALL for LAN connections. 29.2 Accessing the LAN Menus From the main menu, enter 3 to open Menu 3 - LAN Setup. Figure 297 Menu 3: LAN Setup Menu 3 - LAN Setup 1. LAN Port Filter Setup 2. TCP/IP and DHCP Setup Enter Menu Selection Number: 29.
Chapter 29 LAN Setup Figure 298 Menu 3.1: LAN Port Filter Setup Menu 3.1 - LAN Port Filter Setup Input Filter Sets: protocol filters= device filters= Output Filter Sets: protocol filters= device filters= Press ENTER to Confirm or ESC to Cancel: 29.4 TCP/IP and DHCP Ethernet Setup Menu From the main menu, enter 3 to open Menu 3 - LAN Setup to configure TCP/IP (RFC 1155) and DHCP Ethernet setup. Figure 299 Menu 3: TCP/IP and DHCP Setup Menu 3 - LAN Setup 1. LAN Port Filter Setup 2.
Chapter 29 LAN Setup Figure 300 Menu 3.2: TCP/IP and DHCP Ethernet Setup Menu 3.2 - TCP/IP and DHCP Ethernet Setup DHCP= Server Client IP Pool: Starting Address= 192.168.1.33 Size of Client IP Pool= 128 First DNS Server= From ISP IP Address= N/A Second DNS Server= From ISP IP Address= N/A Third DNS Server= From ISP IP Address= N/A DHCP Server Address= N/A TCP/IP Setup: IP Address= 192.168.1.1 IP Subnet Mask= 255.255.255.
Chapter 29 LAN Setup Table 183 Menu 3.2: DHCP Ethernet Setup Fields FIELD DESCRIPTION First DNS Server Second DNS Server Third DNS Server The ZyWALL passes a DNS (Domain Name System) server IP address (in the order you specify here) to the DHCP clients. Select From ISP if your ISP dynamically assigns DNS server information (and the ZyWALL's WAN IP address). The IP Address field below displays the (read-only) DNS server IP address that the ISP assigns.
Chapter 29 LAN Setup 29.4.1 IP Alias Setup IP alias allows you to partition a physical network into different logical networks over the same Ethernet interface. The ZyWALL supports three logical LAN interfaces via its single physical Ethernet interface with the ZyWALL itself as the gateway for each LAN network. Use menu 3.2 to configure the first network. Move the cursor to the Edit IP Alias field, press [SPACE BAR] to choose Yes and press [ENTER] to open Menu 3.2.1 - IP Alias Setup, as shown next.
CHAPTER 30 Internet Access This chapter shows you how to configure your ZyWALL for Internet access. 30.1 Introduction to Internet Access Setup Use information from your ISP along with the instructions in this chapter to set up your ZyWALL to access the Internet. There are three different menu 4 screens depending on whether you chose Ethernet, PPTP or PPPoE Encapsulation. Contact your ISP to determine what encapsulation type you should use. 30.
Chapter 30 Internet Access The following table describes the fields in this menu. Table 186 Menu 4: Internet Access Setup (Ethernet) FIELD DESCRIPTION ISP’s Name This is the descriptive name of your ISP for identification purposes. Encapsulation Press [SPACE BAR] and then press [ENTER] to choose Ethernet. The encapsulation method influences your choices for the IP Address field.
Chapter 30 Internet Access 30.3 Configuring the PPTP Client " The ZyWALL supports only one PPTP server connection at any given time. To configure a PPTP client, you must configure the My Login and Password fields for a PPP connection and the PPTP parameters for a PPTP connection. After configuring My Login and Password for PPP connection, press [SPACE BAR] and then [ENTER] in the Encapsulation field in Menu 4 -Internet Access Setup to choose PPTP as your encapsulation option.
Chapter 30 Internet Access Figure 304 Internet Access Setup (PPPoE) Menu 4 - Internet Access Setup ISP's Name= ChangeMe Encapsulation= PPPoE Service Type= N/A My Login= My Password= ******** Retype to Confirm= ******** Idle Timeout= 100 IP Address Assignment= Dynamic IP Address= N/A IP Subnet Mask= N/A Gateway IP Address= N/A Network Address Translation= SUA Only Press ENTER to Confirm or ESC to Cancel: The following table contains instructions about the new fields when you choose PPPoE in the Encapsulatio
CHAPTER 31 DMZ Setup This chapter describes how to configure the ZyWALL’s DMZ using Menu 5 - DMZ Setup. 31.1 Configuring DMZ Setup From the main menu, enter 5 to open Menu 5 – DMZ Setup. Figure 305 Menu 5: DMZ Setup Menu 5 - DMZ Setup 1. DMZ Port Filter Setup 2. TCP/IP and DHCP Setup Enter Menu Selection Number: 31.2 DMZ Port Filter Setup This menu allows you to specify the filter sets that you wish to apply to your public server(s) traffic. Figure 306 Menu 5.1: DMZ Port Filter Setup Menu 5.
Chapter 31 DMZ Setup 31.3 TCP/IP Setup For more detailed information about RIP setup, IP multicast and IP alias, please refer to Chapter 6 on page 123. 31.3.1 IP Address From the main menu, enter 5 to open Menu 5 - DMZ Setup to configure TCP/IP (RFC 1155). Figure 307 Menu 5: DMZ Setup Menu 5 - DMZ Setup 1. DMZ Port Filter Setup 2. TCP/IP and DHCP Setup Enter Menu Selection Number: From menu 5, select the submenu option 2. TCP/IP and DHCP Setup and press [ENTER]. The screen now displays Menu 5.
Chapter 31 DMZ Setup " DMZ, WLAN and LAN IP addresses must be on separate subnets. You must also configure NAT for the DMZ port (see Chapter 35 on page 499) in menus 15.1 and 15.2. 31.3.2 IP Alias Setup Use menu 5.2 to configure the first network. Move the cursor to the Edit IP Alias field, press [SPACE BAR] to choose Yes and press [ENTER] to open Menu 5.2.1 - IP Alias Setup, as shown next. Use this menu to configure the second and third networks. Figure 309 Menu 5.2.1: IP Alias Setup Menu 5.2.
CHAPTER 32 Wireless Setup Use menu 7 to configure the IP address for ZyWALL’s WLAN interface, other TCP/IP and DHCP settings. 32.1 TCP/IP Setup For more detailed information about RIP setup, IP Multicast and IP alias, please refer to Chapter 6 on page 123. 32.1.1 IP Address From the main menu, enter 7 to open Menu 7 - WLAN Setup to configure TCP/IP (RFC 1155). Figure 310 Menu 7: WLAN Setup Menu 7 - WLAN Setup 2.
Chapter 32 Wireless Setup Figure 311 Menu 7.2: TCP/IP and DHCP Ethernet Setup Menu 7.2 - TCP/IP and DHCP Ethernet Setup DHCP= None Client IP Pool: Starting Address= N/A Size of Client IP Pool= N/A First DNS Server= N/A IP Address= N/A Second DNS Server= N/A IP Address= N/A Third DNS Server= N/A IP Address= N/A DHCP Server Address= N/A TCP/IP Setup: IP Address= 0.0.0.0 IP Subnet Mask= 0.0.0.
Chapter 32 Wireless Setup Figure 312 Menu 7.2.1: IP Alias Setup Menu 7.2.1 - IP Alias Setup IP Alias 1= No IP Address= N/A IP Subnet Mask= N/A RIP Direction= N/A Version= N/A IP Alias 2= No IP Address= N/A IP Subnet Mask= N/A RIP Direction= N/A Version= N/A Enter here to CONFIRM or ESC to CANCEL: Refer to Table 185 on page 473 for instructions on configuring IP alias parameters.
CHAPTER 33 Remote Node Setup This chapter shows you how to configure a remote node. 33.1 Introduction to Remote Node Setup A remote node is required for placing calls to a remote gateway. A remote node represents both the remote gateway and the network behind it across a WAN connection. Note that when you use menu 4 to set up Internet access, you are actually configuring a remote node. The following describes how to configure Menu 11.1 - Remote Node Profile, Menu 11.1.
Chapter 33 Remote Node Setup 33.3.1 Ethernet Encapsulation There are three variations of menu 11.1 depending on whether you choose Ethernet Encapsulation, PPPoE Encapsulation or PPTP Encapsulation. You must choose the Ethernet option when the WAN port is used as a regular Ethernet. The first menu 11.1 screen you see is for Ethernet encapsulation shown next. Figure 314 Menu 11.1: Remote Node Profile for Ethernet Encapsulation Menu 11.
Chapter 33 Remote Node Setup Table 189 Menu 11.1: Remote Node Profile for Ethernet Encapsulation (continued) FIELD DESCRIPTION Server This field is valid only when RoadRunner is selected in the Service Type field. The ZyWALL will find the RoadRunner Server IP automatically if this field is left blank. If it does not, then you must enter the authentication server IP address here. Relogin Every (min) This field is available when you select Telia Login in the Service Type field.
Chapter 33 Remote Node Setup Figure 315 Menu 11.1: Remote Node Profile for PPPoE Encapsulation Menu 11.1 - Remote Node Profile Rem Node Name= ChangeMe Active= Yes Route= IP Bridge= Yes Encapsulation= PPPoE Service Type= Standard Service Name= Outgoing: My Login= 12356598@hinet.
Chapter 33 Remote Node Setup 33.3.2.3 Metric See Section 8.2 on page 141 for details on the Metric field. Table 190 Fields in Menu 11.1 (PPPoE Encapsulation Specific) FIELD DESCRIPTION Service Name If you are using PPPoE encapsulation, then type the name of your PPPoE service here. Only valid with PPPoE encapsulation. Authen This field sets the authentication protocol used for outgoing calls.
Chapter 33 Remote Node Setup Figure 316 Menu 11.1: Remote Node Profile for PPTP Encapsulation Menu 11.1 - Remote Node Profile Rem Node Name= ChangeMe Active= Yes Route= IP Bridge= No Encapsulation= PPTP Service Type= Standard Service Name= N/A Outgoing: My Login= 12356598@hinet.
Chapter 33 Remote Node Setup Figure 317 Menu 11.1.2: Remote Node Network Layer Options for Ethernet Encapsulation Menu 11.1.
Chapter 33 Remote Node Setup Table 192 Remote Node Network Layer Options Menu Fields (continued) FIELD DESCRIPTION Metric Enter a number from 1 to 15 to set this route’s priority among the ZyWALL’s routes (see Section 8.2 on page 141). The smaller the number, the higher priority the route has. Private This field is valid only for PPTP/PPPoE encapsulation. This parameter determines if the ZyWALL will include the route to this remote node in its RIP broadcasts.
Chapter 33 Remote Node Setup Figure 319 Menu 11.1.4: Remote Node Filter (PPPoE or PPTP Encapsulation) Menu 11.1.4 - Remote Node Filter Input Filter Sets: protocol filters= device filters= Output Filter Sets: protocol filters= device filters= Call Filter Sets: protocol filters= device filters= Enter here to CONFIRM or ESC to CANCEL: 33.6 Traffic Redirect Configure parameters that determine when the ZyWALL will forward WAN traffic to the backup gateway using Menu 11.1.5 - Traffic Redirect Setup.
Chapter 33 Remote Node Setup Table 193 Menu 11.1.5: Traffic Redirect Setup FIELD DESCRIPTION Check WAN IP Address Enter the IP address of a reliable nearby computer (for example, your ISP's DNS server address) to test your ZyWALL's WAN accessibility. The ZyWALL uses the default gateway IP address if you do not enter an IP address here. If you are using PPTP or PPPoE Encapsulation, enter "0.0.0.0" to configure the ZyWALL to check the PVC (Permanent Virtual Circuit) or PPTP tunnel.
CHAPTER 34 IP Static Route Setup This chapter shows you how to configure static routes with your ZyWALL. 34.1 IP Static Route Setup Enter 12 from the main menu. Select one of the IP static routes as shown next to configure IP static routes in menu 12.1. " The first static route entry is for the default WAN route on the ZyWALL. You cannot modify or delete a static default route. The default route is disabled after you change the static WAN IP address to a dynamic WAN IP address.
Chapter 34 IP Static Route Setup Figure 322 Menu 12.1: Edit IP Static Route Menu 12.1 - Edit IP Static Route Route #: 3 Route Name= ? Active= No Destination IP Address= ? IP Subnet Mask= ? Gateway IP Address= ? Metric= 2 Private= No Press ENTER to CONFIRM or ESC to CANCEL: The following table describes the IP Static Route Menu fields. Table 194 Menu 12.1: Edit IP Static Route FIELD DESCRIPTION Route # This is the index number of the static route that you chose in menu 12.
CHAPTER 35 Network Address Translation (NAT) This chapter discusses how to configure NAT on the ZyWALL. 35.1 Using NAT " You must create a firewall rule in addition to setting up SUA/NAT, to allow traffic from the WAN to be forwarded through the ZyWALL. 35.1.1 SUA (Single User Account) Versus NAT SUA (Single User Account) is a ZyNOS implementation of a subset of NAT that supports two types of mapping, Many-to-One and Server. See Section 35.2.
Chapter 35 Network Address Translation (NAT) Figure 323 Menu 4: Applying NAT for Internet Access Menu 4 - Internet Access Setup ISP's Name= ChangeMe Encapsulation= Ethernet Service Type= Standard My Login= N/A My Password= N/A Retype to Confirm= N/A Login Server= N/A Relogin Every (min)= N/A IP Address Assignment= Dynamic IP Address= N/A IP Subnet Mask= N/A Gateway IP Address= N/A Network Address Translation= SUA Only Press ENTER to Confirm or ESC to Cancel: The following figure shows how you apply NAT to
Chapter 35 Network Address Translation (NAT) The following table describes the fields in this menu. Table 195 Applying NAT in Menus 4 & 11.1.2 FIELD DESCRIPTION OPTIONS Network Address Translation Full Feature: When you select this option the SMT will use Address Mapping Set 1 (menu 15.1 - see Section 35.2.1 on page 501 for further discussion). You can configure any of the mapping types described in Chapter 17 on page 309. Choose Full Feature if you have multiple public WAN IP addresses for your ZyWALL.
Chapter 35 Network Address Translation (NAT) Figure 326 Menu 15.1: Address Mapping Sets Menu 15.1 - Address Mapping Sets 1. NAT_SET 255. SUA (read only) Enter Menu Selection Number: 35.2.1.1 SUA Address Mapping Set Enter 255 to display the next screen (see also Section 35.1.1 on page 499). The fields in this menu cannot be changed. Figure 327 Menu 15.1.255: SUA Address Mapping Rules Menu 15.1.255 - Address Mapping Rules Set Name= SUA Idx --1. 2. 3. 4. 5. 6. 7. 8. 9. 10. Local Start IP --------------0.0.
Chapter 35 Network Address Translation (NAT) Table 196 SUA Address Mapping Rules FIELD DESCRIPTION Set Name This is the name of the set you selected in menu 15.1 or enter the name of a new set you want to create. Idx This is the index or rule number. Local Start IP Local Start IP is the starting local IP address (ILA). Local End IP Local End IP is the ending local IP address (ILA). If the rule is for all local IPs, then the start IP is 0.0.0.0 and the end IP is 255.255.255.255.
Chapter 35 Network Address Translation (NAT) Figure 328 Menu 15.1.1: First Set
Menu 15.1.1 - Address Mapping Rules
Set Name= NAT_SET
Idx  Local Start IP   Local End IP      Global Start IP  Global End IP  Type
---  ---------------  ---------------   ---------------  -------------  ------
 1.  0.0.0.0          255.255.255.255   0.0.0.0                         M-1
 2.                                     0.0.0.0                         Server
 3.
 4.
 5.
 6.
 7.
 8.
 9.
10.
Action= None   Select Rule= N/A
Press ENTER to Confirm or ESC to Cancel:
" The Type, Local and Global Start/End IPs are configured in menu 15.1.1.
Chapter 35 Network Address Translation (NAT) " You must press [ENTER] at the bottom of the screen to save the whole set. You must do this again if you make any changes to the set – including deleting a rule. No changes to the set take place until this action is taken. Selecting Edit in the Action field and then selecting a rule brings up the following menu, Menu 15.1.1.1 - Address Mapping Rule in which you can edit an individual rule and configure the Type, Local and Global Start/End IPs.
Chapter 35 Network Address Translation (NAT) Table 198 Menu 15.1.1.1: Editing/Configuring an Individual Rule in a Set FIELD DESCRIPTION End Enter the ending global IP address (IGA). This field is N/A for One-to-One, Many-to-One and Server types. Once you have finished configuring a rule in this menu, press [ENTER] at the message “Press ENTER to Confirm…” to save your configuration, or press [ESC] to cancel. 35.
Chapter 35 Network Address Translation (NAT) Figure 331 15.2.1: NAT Server Configuration 15.2.1 - NAT Server Configuration Index= 1 -----------------------------------------------Name= test Active= Yes Start port= 21 End port= 25 IP Address= 192.168.1.33 Press ENTER to Confirm or ESC to Cancel: The following table describes the fields in this screen. Table 199 15.2.1: NAT Server Configuration FIELD DESCRIPTION Index This is the index number of an individual port forwarding server entry.
Chapter 35 Network Address Translation (NAT) Figure 332 Menu 15.2: NAT Server Setup
Menu 15.2 - NAT Server Setup
Default Server: 0.0.0.0
Rule  Act.  Start Port  End Port  IP Address
----  ----  ----------  --------  ------------
001   No    0           0         0.0.0.0
002   Yes   21          25        192.168.1.33
003   No    0           0         0.0.0.0
004   No    0           0         0.0.0.0
005   No    0           0         0.0.0.0
006   No    0           0         0.0.0.0
007   No    0           0         0.0.0.0
008   No    0           0         0.0.0.0
009   No    0           0         0.0.0.0
010   No    0           0         0.0.0.
Chapter 35 Network Address Translation (NAT) Figure 334 NAT Example 1 Figure 335 Menu 4: Internet Access & NAT Example Menu 4 - Internet Access Setup ISP's Name= ChangeMe Encapsulation= Ethernet Service Type= Standard My Login= N/A My Password= N/A Retype to Confirm= N/A Login Server= N/A Relogin Every (min)= N/A IP Address Assignment= Dynamic IP Address= N/A IP Subnet Mask= N/A Gateway IP Address= N/A Network Address Translation= SUA Only Press ENTER to Confirm or ESC to Cancel: From menu 4 shown above,
Chapter 35 Network Address Translation (NAT) 35.4.2 Example 2: Internet Access with a Default Server Figure 336 NAT Example 2 In this case, you do exactly as above (use the convenient pre-configured SUA Only set) and also go to menu 15.2 to specify the Default Server behind the NAT as shown in the next figure. Figure 337 Menu 15.2: Specifying an Inside Server Menu 15.2 - NAT Server Setup Default Server: 192.168.1.10 Rule Act.
Chapter 35 Network Address Translation (NAT) 2 Map the second IGA to our second inside FTP server for FTP traffic in both directions (1 : 1 mapping, giving both local and global IP addresses). 3 Map the other outgoing LAN traffic to IGA3 (Many : 1 mapping). 4 You also map your third IGA to the web server and mail server on the LAN. Type Server allows you to specify multiple servers, of different types, to other computers behind NAT on the LAN.
Chapter 35 Network Address Translation (NAT) The following figure shows how to configure the first rule.
Figure 340 Example 3: Menu 15.1.1.1
Menu 15.1.1.1 Address Mapping Rule
Type= One-to-One
Local IP:  Start= 192.168.1.10  End = N/A
Global IP: Start= 10.132.50.1   End = N/A
Press ENTER to Confirm or ESC to Cancel:
Figure 341 Example 3: Final Menu 15.1.1
Menu 15.1.1 - Address Mapping Rules
Set Name= Example3
Idx  Local Start IP
---  ---------------
 1.  192.168.1.10
 2.  192.168.1.11
 3.  0.0.0.0
 4.
 5.
 6.
 7.
 8.
 9.
10.
Chapter 35 Network Address Translation (NAT) Figure 342 Example 3: Menu 15.2
Menu 15.2 - NAT Server Setup
Default Server: 0.0.0.0
Rule  Act.  Start Port  End Port  IP Address
----  ----  ----------  --------  ------------
001   Yes   80          80        192.168.1.21
002   Yes   25          25        192.168.1.20
003   No    0           0         0.0.0.0
004   No    0           0         0.0.0.0
005   No    0           0         0.0.0.0
006   No    0           0         0.0.0.0
007   No    0           0         0.0.0.0
008   No    0           0         0.0.0.0
009   No    0           0         0.0.0.0
010   No    0           0         0.0.0.
Chapter 35 Network Address Translation (NAT) Follow the steps outlined in example 3 above to configure these two menus as follows. Figure 344 Example 4: Menu 15.1.1.1: Address Mapping Rule Menu 15.1.1.1 Address Mapping Rule Type= Many-One-to-One Local IP: Start= 192.168.1.10 End = 192.168.1.12 Global IP: Start= 10.132.50.1 End = 10.132.50.3 Press ENTER to Confirm or ESC to Cancel: After you’ve configured your rule, you should be able to check the settings in menu 15.1.1 as shown next.
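The following is an added illustration of how the mapping types in examples 3 and 4 translate addresses; it is not ZyNOS code. It models menu 15.1.1 rules and the menu 15.2 server table; the second and third IGAs of example 3 (10.132.50.2 and 10.132.50.3) are assumed, since only 10.132.50.1 appears in Figure 340, and the PAT port counter is an assumption about Many-to-One behaviour.

```python
"""Address translation for the NAT mapping types of examples 3 and 4 (menus
15.1.1.1 and 15.2).  Added example, not ZyNOS code: rule semantics follow the
manual's field descriptions; the second and third IGAs are ASSUMED values."""
from dataclasses import dataclass, field
from ipaddress import IPv4Address
from typing import Dict, List, Optional, Tuple

Endpoint = Tuple[str, int]                     # (dotted address, port)


def ip2int(addr: str) -> int:
    return int(IPv4Address(addr))


def int2ip(n: int) -> str:
    return str(IPv4Address(n))


@dataclass
class MappingRule:
    """One menu 15.1.1.1 rule.  Global End is N/A except for Many-One-to-One."""
    rule_type: str                              # One-to-One | Many-to-One | Many-One-to-One | Server
    local_start: str
    local_end: str
    global_start: str
    global_end: Optional[str] = None

    def covers_local(self, ip: str) -> bool:
        return ip2int(self.local_start) <= ip2int(ip) <= ip2int(self.local_end)

    def covers_global(self, ip: str) -> bool:
        end = self.global_end or self.global_start
        return ip2int(self.global_start) <= ip2int(ip) <= ip2int(end)


@dataclass
class NatTable:
    rules: List[MappingRule]                               # menu 15.1.1, in index order
    servers: List[Tuple[int, int, str]]                    # menu 15.2: (start port, end port, LAN IP)
    default_server: Optional[str] = None                   # menu 15.2 Default Server (None = 0.0.0.0)
    sessions: Dict[Endpoint, Endpoint] = field(default_factory=dict)   # WAN endpoint -> LAN endpoint
    next_pat_port: int = 1024                              # ASSUMED port counter for Many-to-One

    def outbound(self, local: Endpoint) -> Optional[Endpoint]:
        """Translate a LAN (ip, port) leaving via the WAN; the first matching rule wins."""
        local_ip, local_port = local
        for r in self.rules:
            if r.rule_type == "Server" or not r.covers_local(local_ip):
                continue                                   # Server rules describe inbound traffic only
            if r.rule_type == "One-to-One":
                glob = (r.global_start, local_port)
            elif r.rule_type == "Many-One-to-One":         # i-th local IP -> i-th global IP
                glob = (int2ip(ip2int(r.global_start) + ip2int(local_ip) - ip2int(r.local_start)), local_port)
            else:                                          # Many-to-One: one IGA shared, ports rewritten
                glob = (r.global_start, self.next_pat_port)
                self.next_pat_port += 1
            self.sessions[glob] = local
            return glob
        return None                                        # unmapped hosts cannot reach the WAN

    def inbound(self, glob: Endpoint) -> Optional[Endpoint]:
        """Translate a packet arriving from the WAN, or None when no rule admits it."""
        if glob in self.sessions:                          # reply to a session opened from the LAN
            return self.sessions[glob]
        global_ip, port = glob
        for r in self.rules:
            if r.rule_type == "Server" and global_ip == r.global_start:
                for start, end, lan_ip in self.servers:    # menu 15.2 port forwarding entries
                    if start <= port <= end:
                        return (lan_ip, port)
                if self.default_server is not None:
                    return (self.default_server, port)
            elif r.rule_type == "One-to-One" and global_ip == r.global_start:
                return (r.local_start, port)
            elif r.rule_type == "Many-One-to-One" and r.covers_global(global_ip):
                return (int2ip(ip2int(r.local_start) + ip2int(global_ip) - ip2int(r.global_start)), port)
        return None                                        # unsolicited WAN traffic is not forwarded


def example3_table() -> NatTable:
    """Example 3: two One-to-One rules, Many-to-One for the rest of the LAN, and a
    Server rule feeding the web (80) and mail (25) servers of Figure 342."""
    return NatTable(
        rules=[
            MappingRule("One-to-One", "192.168.1.10", "192.168.1.10", "10.132.50.1"),
            MappingRule("One-to-One", "192.168.1.11", "192.168.1.11", "10.132.50.2"),    # assumed IGA2
            MappingRule("Many-to-One", "0.0.0.0", "255.255.255.255", "10.132.50.3"),    # assumed IGA3
            MappingRule("Server", "0.0.0.0", "255.255.255.255", "10.132.50.3"),
        ],
        servers=[(80, 80, "192.168.1.21"), (25, 25, "192.168.1.20")],
    )


def example4_table() -> NatTable:
    """Example 4: one Many-One-to-One rule mapping 192.168.1.10-12 onto 10.132.50.1-3."""
    return NatTable(
        rules=[MappingRule("Many-One-to-One", "192.168.1.10", "192.168.1.12",
                           "10.132.50.1", "10.132.50.3")],
        servers=[],
    )
```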
Chapter 35 Network Address Translation (NAT) 35.5 Trigger Port Forwarding Some services use a dedicated range of ports on the client side and a dedicated range of ports on the server side. With regular port forwarding you set a forwarding port in NAT to forward a service (coming in from the server on the WAN) to the IP address of a computer on the client side (LAN). The problem is that port forwarding only forwards a service to a single LAN IP address.
Chapter 35 Network Address Translation (NAT) Figure 346 Menu 15.3.1: Trigger Port Setup
Menu 15.3 - Trigger Port Setup
                        Incoming                Trigger
Rule  Name          Start Port  End Port  Start Port  End Port
----  ------------  ----------  --------  ----------  --------
  1.  Real Audio    6970        7170      7070        7070
  2.                0           0         0           0
  3.                0           0         0           0
  4.                0           0         0           0
  5.                0           0         0           0
  6.                0           0         0           0
  7.                0           0         0           0
  8.                0           0         0           0
  9.                0           0         0           0
 10.                0           0         0           0
 11.                0           0         0           0
 12.
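To make the trigger port mechanism concrete, here is an added model (not ZyNOS code) of the Real Audio rule from menu 15.3: outgoing traffic to the trigger port records which LAN host sent it, and only that host then receives server traffic on the incoming range. The idle timeout is an assumption; the page does not give the ZyWALL's own timer.

```python
"""Trigger port forwarding state for menu 15.3 rules.  Added example, not
ZyNOS code; the idle timeout is an ASSUMED value."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple


@dataclass
class TriggerRule:
    name: str
    incoming: Tuple[int, int]        # server -> LAN port range that gets forwarded
    trigger: Tuple[int, int]         # LAN -> server port range that opens the rule


@dataclass
class TriggerTable:
    rules: List[TriggerRule]
    idle_timeout: float = 120.0      # ASSUMED: seconds an opened rule stays usable
    # rule name -> (LAN host that last hit the trigger range, when it did so)
    opened: Dict[str, Tuple[str, float]] = field(default_factory=dict)

    def outbound(self, lan_ip: str, dst_port: int, now: float) -> Optional[str]:
        """A LAN host sends to a server port; if it is a trigger port, remember the host."""
        for r in self.rules:
            if r.trigger[0] <= dst_port <= r.trigger[1]:
                self.opened[r.name] = (lan_ip, now)      # the most recent host takes over
                return r.name
        return None

    def inbound(self, dst_port: int, now: float) -> Optional[str]:
        """Server traffic arrives on the WAN: return the LAN host to forward it to, or
        None (dropped) when no host has triggered the rule or the trigger has expired."""
        for r in self.rules:
            if r.incoming[0] <= dst_port <= r.incoming[1] and r.name in self.opened:
                lan_ip, opened_at = self.opened[r.name]
                if now - opened_at <= self.idle_timeout:
                    return lan_ip
                del self.opened[r.name]                  # stale: close the inbound hole again
        return None


def menu_15_3() -> TriggerTable:
    """Rule 1 of Figure 346 (the remaining rules are all zero and therefore unused)."""
    return TriggerTable([TriggerRule("Real Audio", (6970, 7170), (7070, 7070))])
```

Unlike a fixed menu 15.2 server entry, the incoming range is closed until a LAN host triggers it and follows whichever host triggered it last.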
CHAPTER 36 Introducing the ZyWALL Firewall This chapter shows you how to get started with the ZyWALL firewall. 36.1 Using ZyWALL SMT Menus From the main menu enter 21 to go to Menu 21 - Filter Set and Firewall Configuration to display the screen shown next. Figure 347 Menu 21: Filter and Firewall Setup Menu 21 - Filter and Firewall Setup 1. Filter Setup 2. Firewall Setup Enter Menu Selection Number: 36.1.1 Activating the Firewall Enter option 2 in this menu to bring up the following screen.
Chapter 36 Introducing the ZyWALL Firewall Figure 348 Menu 21.2: Firewall Setup Menu 21.2 - Firewall Setup The firewall protects against Denial of Service (DoS) attacks when it is active. Your network is vulnerable to attacks when the firewall is turned off. Refer to the User's Guide for details about the firewall default policies. You may define additional policy rules or modify existing ones but please exercise extreme caution in doing so.
CHAPTER 37 Filter Configuration This chapter shows you how to create and apply filters. 37.1 Introduction to Filters Your ZyWALL uses filters to decide whether to allow passage of a data packet and/or to make a call. There are two types of filter applications: data filtering and call filtering. Filters are subdivided into device and protocol filters, which are discussed later. Data filtering screens the data to determine if the packet should be allowed to pass.
Chapter 37 Filter Configuration 37.1.1 The Filter Structure of the ZyWALL A filter set consists of one or more filter rules. Usually, you would group related rules, e.g., all the rules for NetBIOS, into a single set and give it a descriptive name. The ZyWALL allows you to configure up to twelve filter sets with six rules in each set, for a total of 72 filter rules in the system. You cannot mix device filter rules and protocol filter rules within the same set.
Chapter 37 Filter Configuration Figure 350 Filter Rule Process You can apply up to four filter sets to a particular port to block multiple types of packets. With each filter set having up to six rules, you can have a maximum of 24 rules active for a single port.
Chapter 37 Filter Configuration 37.2 Configuring a Filter Set The ZyWALL includes filtering for NetBIOS over TCP/IP packets by default. To configure another filter set, follow the procedure below. 1 Enter 21 in the main menu to open menu 21. Figure 351 Menu 21: Filter and Firewall Setup Menu 21 - Filter and Firewall Setup 1. Filter Setup 2. Firewall Setup Enter Menu Selection Number: 2 Enter 1 to bring up the following menu. Figure 352 Menu 21.1: Filter Set Configuration Menu 21.
Chapter 37 Filter Configuration Figure 353 Menu 21.1.1: Filter Rules Summary
Menu 21.1.1 - Filter Rules Summary
#  A  Type  Filter Rules                                                  M  m  n
-  -  ----  ------------------------------------------------------------  -  -  -
1  N
2  N
3  N
4  N
5  N
6  N
Enter Filter Rule Number (1-6) to Configure:
This screen shows the summary of the existing rules in the filter set. The following tables contain a brief description of the abbreviations used in the previous menus.
Chapter 37 Filter Configuration Table 202 Rule Abbreviations Used ABBREVIATION DESCRIPTION Off Offset Len Length Refer to the next section for information on configuring the filter rules. 37.2.1 Configuring a Filter Rule To configure a filter rule, type its number in Menu 21.1.1 - Filter Rules Summary and press [ENTER] to open menu 21.1.1.1 for the rule. To speed up filtering, all rules in a filter set must be of the same class, i.e., protocol filters or generic filters.
Chapter 37 Filter Configuration The following table describes how to configure your TCP/IP filter rule. Table 203 Menu 21.1.1.1: TCP/IP Filter Rule FIELD DESCRIPTION Active Press [SPACE BAR] and then [ENTER] to select Yes to activate the filter rule or No to deactivate it. IP Protocol Protocol refers to the upper layer protocol, e.g., TCP is 6, UDP is 17 and ICMP is 1. Type a value between 0 and 255. A value of 0 matches ANY protocol.
Chapter 37 Filter Configuration The following figure illustrates the logic flow of an IP filter.
Chapter 37 Filter Configuration 37.2.3 Configuring a Generic Filter Rule This section shows you how to configure a generic filter rule. The purpose of generic rules is to allow you to filter non-IP packets. For IP, it is generally easier to use the IP rules directly. For generic rules, the ZyWALL treats a packet as a byte stream as opposed to an IP or IPX packet. You specify the portion of the packet to check with the Offset (from 0) and the Length fields, both in bytes.
Chapter 37 Filter Configuration Table 204 Generic Filter Rule Menu Fields FIELD DESCRIPTION Log Select the logging option from the following: None - No packets will be logged. Action Matched - Only packets that match the rule parameters will be logged. Action Not Matched - Only packets that do not match the rule parameters will be logged. Both – All packets will be logged. Action Matched Select the action for a packet matching the rule. Options are Check Next Rule, Forward and Drop.
Chapter 37 Filter Configuration Figure 358 Example Filter: Menu 21.1.3.1 Menu 21.1.3.1 - TCP/IP Filter Rule Filter #: 3,1 Filter Type= TCP/IP Filter Rule Active= Yes IP Protocol= 6 IP Source Route= No Destination: IP Addr= 0.0.0.0 IP Mask= 0.0.0.0 Port #= 23 Port # Comp= Equal Source: IP Addr= 0.0.0.0 IP Mask= 0.0.0.0 Port #= 0 Port # Comp= None TCP Estab= No More= No Log= None Action Matched= Drop Action Not Matched= Forward Press ENTER to Confirm or ESC to Cancel: Press Space Bar to Toggle.
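As an added illustration of how the menu 21.1.1.1 fields combine (not ZyNOS code), the following evaluates a filter set rule by rule, applying the Log and Action Matched / Action Not Matched options from Table 203 and Table 204. Filter set 3 reproduces the Figure 358 rule; the packets are constructed, and forwarding a packet that reaches the end of the set is an assumption.

```python
"""Evaluation of a TCP/IP filter set built from menu 21.1.1.1 rules.  Added
example, not ZyNOS code; the end-of-set behaviour is an ASSUMPTION."""
from dataclasses import dataclass
from ipaddress import IPv4Address
from typing import List, Tuple


@dataclass
class Packet:
    protocol: int                 # IP protocol number: TCP 6, UDP 17, ICMP 1
    src: str
    dst: str
    sport: int = 0
    dport: int = 0
    established: bool = False     # TCP segment of an already established connection


@dataclass
class TcpIpRule:
    """One menu 21.1.1.1 rule; the defaults mirror a blank rule."""
    active: bool = True
    ip_protocol: int = 0          # 0 matches ANY protocol
    dst_addr: str = "0.0.0.0"
    dst_mask: str = "0.0.0.0"     # mask 0.0.0.0 matches every address
    dst_port: int = 0
    dst_comp: str = "None"        # None | Equal | Not Equal | Less | Greater
    src_addr: str = "0.0.0.0"
    src_mask: str = "0.0.0.0"
    src_port: int = 0
    src_comp: str = "None"
    tcp_estab: bool = False       # Yes: match only established TCP connections
    log: str = "None"             # None | Action Matched | Action Not Matched | Both
    action_matched: str = "Check Next Rule"       # Check Next Rule | Forward | Drop
    action_not_matched: str = "Check Next Rule"


def addr_match(rule_addr: str, rule_mask: str, pkt_addr: str) -> bool:
    mask = int(IPv4Address(rule_mask))
    return int(IPv4Address(pkt_addr)) & mask == int(IPv4Address(rule_addr)) & mask


def port_match(comp: str, rule_port: int, pkt_port: int) -> bool:
    return {
        "None": True,
        "Equal": pkt_port == rule_port,
        "Not Equal": pkt_port != rule_port,
        "Less": pkt_port < rule_port,
        "Greater": pkt_port > rule_port,
    }[comp]


def rule_matches(rule: TcpIpRule, pkt: Packet) -> bool:
    if rule.ip_protocol and rule.ip_protocol != pkt.protocol:
        return False
    if rule.tcp_estab and not (pkt.protocol == 6 and pkt.established):
        return False
    return (addr_match(rule.dst_addr, rule.dst_mask, pkt.dst)
            and addr_match(rule.src_addr, rule.src_mask, pkt.src)
            and port_match(rule.dst_comp, rule.dst_port, pkt.dport)
            and port_match(rule.src_comp, rule.src_port, pkt.sport))


def apply_filter_set(rules: List[TcpIpRule], pkt: Packet) -> Tuple[str, List[str]]:
    """Walk the set in order and return (verdict, log lines).  A packet that
    reaches the end of the set with only Check Next Rule outcomes is forwarded
    (ASSUMPTION: the manual shows no implicit-drop setting for filter sets)."""
    logs = []
    for idx, rule in enumerate(rules, start=1):
        if not rule.active:
            continue
        matched = rule_matches(rule, pkt)
        action = rule.action_matched if matched else rule.action_not_matched
        wanted = "Action Matched" if matched else "Action Not Matched"
        if rule.log in ("Both", wanted):
            logs.append(f"rule {idx}: {'matched' if matched else 'not matched'} -> {action}")
        if action in ("Forward", "Drop"):
            return action, logs
    return "Forward", logs


# Filter set 3 as in Figure 358: drop TCP to destination port 23 (telnet), forward
# the rest.  Log is set to Action Matched here so that dropped telnet attempts are recorded.
TELNET_BLOCK_SET = [
    TcpIpRule(ip_protocol=6, dst_port=23, dst_comp="Equal", log="Action Matched",
              action_matched="Drop", action_not_matched="Forward"),
]
```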
Chapter 37 Filter Configuration After you’ve created the filter set, you must apply it.
1 Enter 11 from the main menu to go to menu 11.
2 Enter 1 or 2 to open Menu 11.x - Remote Node Profile.
3 Go to the Edit Filter Sets field, press [SPACE BAR] to select Yes and press [ENTER]. This brings you to menu 11.1.4.
4 Apply a filter set (our example filter set 3) as shown in Figure 363 on page 533.
5 Press [ENTER] to confirm after you enter the set numbers and to leave menu 11.1.4. 37.
Chapter 37 Filter Configuration 37.5.1.1 When To Use Filtering 1 To block/allow LAN packets by their MAC addresses. 2 To block/allow special IP packets which are neither TCP nor UDP, nor ICMP packets. 3 To block/allow both inbound (WAN to LAN) and outbound (LAN to WAN) traffic between the specific inside host/network "A" and outside host/network "B". If the filter blocks the traffic from A to B, it also blocks the traffic from B to A.
Chapter 37 Filter Configuration " If you do not activate the firewall, it is advisable to apply filters. 37.6.1 Applying LAN Filters LAN traffic filter sets may be useful to block certain packets, reduce traffic and prevent security breaches. Go to menu 3.1 (shown next) and enter the number(s) of the filter set(s) that you want to apply as appropriate. You can choose up to four filter sets (from twelve) by entering their numbers separated by commas, e.g., 3, 4, 6, 11.
Chapter 37 Filter Configuration 37.6.3 Applying Remote Node Filters Go to menu 11.1.4 (shown below – note that call filter sets are only present for PPPoE encapsulation) and enter the number(s) of the filter set(s) as appropriate. You can cascade up to four filter sets by entering their numbers separated by commas. The ZyWALL already has filters to prevent NetBIOS traffic from triggering calls, and block incoming telnet, FTP and HTTP connections. Figure 363 Filtering Remote Node Traffic Menu 11.1.
CHAPTER 38 SNMP Configuration This chapter explains SNMP configuration menu 22. 38.1 SNMP Configuration To configure SNMP, enter 22 from the main menu to display Menu 22 - SNMP Configuration as shown next. The “community” for Get, Set and Trap fields is SNMP terminology for password. Figure 364 Menu 22: SNMP Configuration Menu 22 - SNMP Configuration SNMP: Get Community= public Set Community= public Trusted Host= 0.0.0.0 Trap: Community= public Destination= 0.0.0.
Chapter 38 SNMP Configuration Table 205 SNMP Configuration Menu Fields (continued) FIELD DESCRIPTION Destination Type the IP address of the station to send your SNMP traps to. When you have completed this menu, press [ENTER] at the prompt “Press [ENTER] to confirm or [ESC] to cancel” to save your configuration or press [ESC] to cancel and go back to the previous screen. 38.
CHAPTER 39 System Information & Diagnosis This chapter covers SMT menus 24.1 to 24.4. 39.1 Introduction to System Status This chapter covers the diagnostic tools that help you to maintain your ZyWALL. These tools include updates on system status, port status and log and trace capabilities. Select menu 24 in the main menu to open Menu 24 - System Maintenance, as shown below. Figure 365 Menu 24: System Maintenance Menu 24 - System Maintenance 1. 2. 3. 4. 5. 6. 7. 8. 9. 10. 11.
Chapter 39 System Information & Diagnosis 3 There are three commands in Menu 24.1 - System Maintenance - Status. Entering 1 drops the WAN connection, 9 resets the counters and [ESC] takes you back to the previous screen. Figure 366 Menu 24.1: System Maintenance: Status Menu 24.
Chapter 39 System Information & Diagnosis Table 207 System Maintenance: Status Menu Fields (continued) FIELD DESCRIPTION DHCP This is the DHCP setting of the port listed on the left. System up Time This is the total time the ZyWALL has been on. You may enter 1 to drop the WAN connection, 9 to reset the counters or [ESC] to return to menu 24. 39.3 System Information and Console Port Speed This section describes your system and allows you to choose different console port speeds.
Chapter 39 System Information & Diagnosis The following table describes the fields in this screen. Table 208 Fields in System Maintenance: Information FIELD DESCRIPTION Name This is the ZyWALL's system name + domain name assigned in menu 1. For example:
System Name= xxx; Domain Name= baboo.mickey.com
Name= xxx.baboo.mickey.com
Routing Refers to the routing protocol used. ZyNOS F/W Version Refers to the version of ZyXEL's Network Operating System software.
Chapter 39 System Information & Diagnosis 3 Select the first option from Menu 24.3 - System Maintenance - Log and Trace to display the error log in the system. After the ZyWALL finishes displaying, you will have the option to clear the error log. Figure 370 Menu 24.3: System Maintenance: Log and Trace Menu 24.3 - System Maintenance - Log and Trace 1. View Error Log 2. UNIX Syslog 4.
Chapter 39 System Information & Diagnosis You need to configure the syslog parameters described in the following table to activate syslog then choose what you want to log. Table 209 System Maintenance Menu Syslog Parameters FIELD DESCRIPTION Syslog: Active Press [SPACE BAR] and then [ENTER] to turn syslog on or off. Syslog Server IP Address Enter the server name or IP address of the syslog server that will log the selected categories of logs.
2 Packet triggered
Packet triggered Message Format
SdcmdSyslogSend( SYSLOG_PKTTRI, SYSLOG_NOTICE, String );
String = Packet trigger: Protocol=xx Data=xxxxxxxxxx…..x
Protocol: (1:IP 2:IPX 3:IPXHC 4:BPDU 5:ATALK 6:IPNG)
Data: We will send forty-eight Hex characters to the server
Jul 19 11:28:39 192.168.102.2 ZyXEL: Packet Trigger: Protocol=1, Data=4500003c100100001f010004c0a86614ca849a7b08004a5c020001006162636465666768696a6b6c6d6e6f7071727374
Jul 19 11:28:56 192.
4 PPP log
PPP Log Message Format
SdcmdSyslogSend( SYSLOG_PPPLOG, SYSLOG_NOTICE, String );
String = ppp:Proto Starting / ppp:Proto Opening / ppp:Proto Closing / ppp:Proto Shutdown
Proto = LCP / ATCP / BACP / BCP / CBCP / CCP / CHAP / PAP / IPCP / IPXCP
Jul 19 11:42:44 192.168.102.2 ZyXEL: ppp:LCP Closing
Jul 19 11:42:49 192.168.102.2 ZyXEL: ppp:IPCP Closing
Jul 19 11:42:54 192.168.102.
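As an added example (not part of this User's Guide or of ZyNOS), the following Python parser reads the packet-triggered and PPP syslog messages in the two formats shown above, maps the Protocol number with the table from the packet-trigger format, and decodes the IPv4 header carried in the Data hex dump so that a log collector can see the source and destination that woke the WAN link; the sample lines are the ones from the figures above, and the record and helper names are the example's own.

```python
import re
from dataclasses import dataclass
from typing import Dict, Optional

# Protocol numbers carried in the "Packet trigger" message, as listed in the manual.
PKTTRI_PROTOCOLS = {1: "IP", 2: "IPX", 3: "IPXHC", 4: "BPDU", 5: "ATALK", 6: "IPNG"}

# Common syslog prefix: "Mon dd hh:mm:ss <reporting host> ZyXEL: "
_PREFIX = r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) ZyXEL: "
PKTTRI_RE = re.compile(
    _PREFIX + r"Packet [Tt]rigger: Protocol=(?P<proto>\d+), Data=(?P<data>[0-9A-Fa-f ]+)$"
)
PPPLOG_RE = re.compile(
    _PREFIX + r"ppp:(?P<proto>LCP|ATCP|BACP|BCP|CBCP|CCP|CHAP|PAP|IPCP|IPXCP) "
    r"(?P<state>Starting|Opening|Closing|Shutdown)$"
)


@dataclass
class IPv4Summary:
    header_len: int   # bytes (IHL * 4)
    total_len: int
    ttl: int
    protocol: int     # IP protocol number (1 = ICMP, 6 = TCP, 17 = UDP)
    src: str
    dst: str


def decode_ipv4_header(raw: bytes) -> Optional[IPv4Summary]:
    """Decode the fixed 20-byte IPv4 header at the start of the Data dump."""
    if len(raw) < 20 or raw[0] >> 4 != 4:
        return None
    return IPv4Summary(
        header_len=(raw[0] & 0x0F) * 4,
        total_len=int.from_bytes(raw[2:4], "big"),
        ttl=raw[8],
        protocol=raw[9],
        src=".".join(str(b) for b in raw[12:16]),
        dst=".".join(str(b) for b in raw[16:20]),
    )


def parse_zyxel_syslog(line: str) -> Optional[Dict]:
    """Return a dict describing the message, or None if it is neither format."""
    m = PKTTRI_RE.match(line.rstrip())
    if m:
        proto = int(m.group("proto"))
        hexdata = m.group("data").replace(" ", "")           # the dump may be line-wrapped
        raw = bytes.fromhex(hexdata[: len(hexdata) // 2 * 2])  # ignore a stray odd nibble
        return {
            "kind": "packet_trigger",
            "time": m.group("ts"),
            "host": m.group("host"),
            "protocol": PKTTRI_PROTOCOLS.get(proto, f"unknown({proto})"),
            "raw_len": len(raw),
            "ip": decode_ipv4_header(raw) if proto == 1 else None,
        }
    m = PPPLOG_RE.match(line.rstrip())
    if m:
        return {
            "kind": "ppp",
            "time": m.group("ts"),
            "host": m.group("host"),
            "ppp_proto": m.group("proto"),
            "state": m.group("state"),
        }
    return None


# Sample lines taken from the figures above (the hex dump re-joined on one line).
SAMPLE_LINES = [
    "Jul 19 11:28:39 192.168.102.2 ZyXEL: Packet Trigger: Protocol=1, "
    "Data=4500003c100100001f010004c0a86614ca849a7b08004a5c02000100"
    "6162636465666768696a6b6c6d6e6f7071727374",
    "Jul 19 11:42:44 192.168.102.2 ZyXEL: ppp:LCP Closing",
    "Jul 19 11:42:49 192.168.102.2 ZyXEL: ppp:IPCP Closing",
]

if __name__ == "__main__":
    for line in SAMPLE_LINES:
        print(parse_zyxel_syslog(line))
```

The decoded sample shows the trigger was a 60-byte ICMP packet (protocol 1, TTL 31) from 192.168.102.20 to 202.132.154.123, which is what a defender wants to know when a dial-up link keeps coming up unexpectedly.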
Figure 373 Call-Triggering Packet Example (IP frame received on ENET0, size 44/44, time 17:02:44; the dump lists the IP header fields Version, Header Length, Type of Service, Total Length, Identification, Flags, Fragment Offset, Time to Live, Protocol, Header Checksum, Source IP and Destination IP, then the TCP header fields Source Port, Destination Port, Sequence Number, Ack Number, Header Length, Flags, Window Size, Checksum, Urgent Ptr and Options, followed by the raw bytes beginning 0000: 02 04 02 00)
Figure 374 Menu 24.4: System Maintenance: Diagnostic
Menu 24.4 - System Maintenance - Diagnostic
TCP/IP
1. Ping Host
2. WAN DHCP Release
3. WAN DHCP Renewal
4. PPPoE/PPTP Setup Test
System
11. Reboot System
Enter Menu Selection Number:
Host IP Address= N/A
39.5.1 WAN DHCP
DHCP functionality can be enabled on the LAN, DMZ, WLAN or WAN as shown in Figure 375 on page 546. LAN DHCP has already been discussed.
Table 210 System Maintenance Menu Diagnostic
FIELD | DESCRIPTION
PPPoE/PPTP Setup Test | Enter 4 to test the Internet setup. You can also test the Internet setup in Menu 4 - Internet Access. Please refer to Chapter 30 on page 475 for more details. This feature is only available for dial-up connections using PPPoE or PPTP encapsulation.
Reboot System | Enter 11 to reboot the ZyWALL.
CHAPTER 40 Firmware and Configuration File Maintenance This chapter tells you how to back up and restore your configuration file as well as upload new firmware and a new configuration file. 40.1 Introduction Use the instructions in this chapter to change the ZyWALL’s configuration file or upgrade its firmware. After you configure your ZyWALL, you can back up the configuration file to a computer.
Chapter 40 Firmware and Configuration File Maintenance The following table is a summary. Please note that the internal filename refers to the filename on the ZyWALL and the external filename refers to the filename not on the ZyWALL, that is, on your computer, local network or FTP site and so the name (but not the extension) may vary. After uploading new firmware, see the ZyNOS F/W Version field in Menu 24.2.1 - System Maintenance - Information to confirm that you have uploaded the correct firmware version.
Figure 376 Telnet into Menu 24.5
Menu 24.5 - Backup Configuration
To transfer the configuration file to your workstation, follow the procedure below:
1. Launch the FTP client on your workstation.
2. Type "open" and the IP address of your router. Then type "root" and SMT password as requested.
3. Locate the 'rom-0' file.
4. Type 'get rom-0' to back up the current router configuration to your workstation.
40.3.3 Example of FTP Commands from the Command Line
Figure 377 FTP Session Example
331 Enter PASS command
Password:
230 Logged in
ftp> bin
200 Type I OK
ftp> get rom-0 zyxel.rom
200 Port command okay
150 Opening data connection for STOR ras
226 File received OK
ftp: 16384 bytes sent in 1.10Seconds 297.89Kbytes/sec.
ftp> quit
40.3.4 GUI-based FTP Clients
The following table describes some of the commands that you may see in GUI-based FTP clients.
Chapter 40 Firmware and Configuration File Maintenance 40.3.6 Backup Configuration Using TFTP The ZyWALL supports the up/downloading of the firmware and the configuration file using TFTP (Trivial File Transfer Protocol) over LAN. Although TFTP should work over WAN as well, it is not recommended. To use TFTP, your computer must have both telnet and TFTP clients. To backup the configuration file, follow the procedure shown next. 1 Use telnet from your computer to connect to the ZyWALL and log in.
Table 213 General Commands for GUI-based TFTP Clients
COMMAND | DESCRIPTION
Remote File | This is the filename on the ZyWALL. The filename for the firmware is “ras” and for the configuration file, is “rom-0”.
Binary | Transfer the file in binary mode.
Abort | Stop transfer of the file.
Refer to Section 40.3.5 on page 552 to read about configurations that disallow TFTP and FTP over WAN.
40.3.
Figure 381 Successful Backup Confirmation Screen
** Backup Configuration completed. OK.
### Hit any key to continue.###
40.4 Restore Configuration
This section shows you how to restore a previously saved configuration. Note that this function erases the current configuration before restoring a previous backup configuration; do not attempt to restore unless you have a backup configuration file stored on disk.
1 Launch the FTP client on your computer.
2 Enter “open”, followed by a space and the IP address of your ZyWALL.
3 Press [ENTER] when prompted for a username.
4 Enter your password as requested (the default is “1234”).
5 Enter “bin” to set transfer mode to binary.
6 Find the “rom” file (on your computer) that you want to restore to your ZyWALL.
7 Use “put” to transfer files from the computer to the ZyWALL, for example, “put config.
Figure 386 Restore Configuration Example
Type the configuration file’s location, or click Browse to search for it. Choose the Xmodem protocol. Then click Send.
4 After a successful restoration you will see the following screen. Press any key to restart the ZyWALL and return to the SMT menu.
Figure 387 Successful Restoration Confirmation Screen
Save to ROM
Hit any key to start system reboot.
40.
Figure 388 Telnet Into Menu 24.7.1: Upload System Firmware
Menu 24.7.1 - System Maintenance - Upload System Firmware
To upload the system firmware, follow the procedure below:
1. Launch the FTP client on your workstation.
2. Type "open" and the IP address of your system. Then type "root" and SMT password as requested.
3.
40.5.3 FTP File Upload Command from the DOS Prompt Example
1 Launch the FTP client on your computer.
2 Enter “open”, followed by a space and the IP address of your ZyWALL.
3 Press [ENTER] when prompted for a username.
4 Enter your password as requested (the default is “1234”).
5 Enter “bin” to set transfer mode to binary.
6 Use “put” to transfer files from the computer to the ZyWALL, for example, “put firmware.
2 Put the SMT in command interpreter (CI) mode by entering 8 in Menu 24 – System Maintenance.
3 Enter the command “sys stdio 0” to disable the console timeout, so the TFTP transfer will not be interrupted. Enter the command “sys stdio 5” to restore the five-minute console timeout (default) when the file transfer is complete.
4 Launch the TFTP client on your computer and connect to the ZyWALL. Set the transfer mode to binary before starting data transfer.
Figure 391 Menu 24.7.1 As Seen Using the Console Port
Menu 24.7.1 - System Maintenance - Upload System Firmware
To upload system firmware:
1. Enter "y" at the prompt below to go into debug mode.
2. Enter "atur" after "Enter Debug Mode" message.
3. Wait for "Starting XMODEM upload" message before activating Xmodem upload on your terminal.
4. After successful firmware upload, enter "atgo" to restart the router.
Figure 393 Menu 24.7.2 As Seen Using the Console Port
Menu 24.7.2 - System Maintenance - Upload System Configuration File
To upload system configuration file:
1. Enter "y" at the prompt below to go into debug mode.
2. Enter "atlc" after "Enter Debug Mode" message.
3. Wait for "Starting XMODEM upload" message before activating Xmodem upload on your terminal.
4. After successful firmware upload, enter "atgo" to restart the system.
Warning: 1.
CHAPTER 41 System Maintenance Menus 8 to 10 This chapter leads you through SMT menus 24.8 to 24.10. 41.1 Command Interpreter Mode The Command Interpreter (CI) is a part of the main router firmware. The CI provides much of the same functionality as the SMT, while adding some low-level setup and diagnostic functions. Enter the CI from the SMT by selecting menu 24.8. Access can be by Telnet or by a serial connection to the console port, although some commands are only available with a serial connection.
Chapter 41 System Maintenance Menus 8 to 10
41.1.1 Command Syntax The command keywords are in courier new font. Enter the command keywords exactly as shown, do not abbreviate. The required fields in a command are enclosed in angle brackets <>. The optional fields in a command are enclosed in square brackets []. The | symbol means “or”. For example, sys filter netbios config means that you must specify the type of netbios filter and whether to turn it on or off. 41.1.
Table 214 Valid Commands
COMMAND | DESCRIPTION
ipsec | These commands display IPSec information and configure IPSec settings.
bridge | These commands display bridge information.
bm | These commands configure bandwidth management settings and display bandwidth management information.
certificates | These commands display certificate information and configure certificate settings.
41.
Chapter 41 System Maintenance Menus 8 to 10 The total budget is the time limit on the accumulated time for outgoing calls to a remote node. When this limit is reached, the call will be dropped and further outgoing calls to that remote node will be blocked. After each period, the total budget is reset. The default for the total budget is 0 minutes and the period is 0 hours, meaning no budget control. You can reset the accumulated connection time in this menu by entering the index of a remote node.
Table 216 Call History
FIELD | DESCRIPTION
Rate | This is the transfer rate of the call.
#call | This is the number of calls made to or received from that telephone number.
Max | This is the length of time of the longest telephone call.
Min | This is the length of time of the shortest telephone call.
Total | This is the total length of time of all the telephone calls to/from that telephone number.
You may enter an entry number to delete it or “0” to exit.
41.
Figure 401 Menu 24.10 System Maintenance: Time and Date Setting
Menu 24.10 - System Maintenance - Time and Date Setting
Time Protocol= NTP (RFC-1305)
Time Server Address= a.ntp.alphazed.net
Current Time: 09 : 24 : 26
New Time (hh:mm:ss): N/A N/A N/A
Current Date: 2007 - 03 - 07
New Date (yyyy-mm-dd): N/A N/A N/A
Time Zone= GMT
Daylight Saving= No
Start Date (mm-nth-week-hr): Jan. - 1st - Sun.
End Date (mm-nth-week-hr): Jan. - 1st - Sun.
Table 217 Menu 24.10 System Maintenance: Time and Date Setting
FIELD | DESCRIPTION
Start Date (mm-nth-week-hr) | Configure the day and time when Daylight Saving Time starts if you selected Yes in the Daylight Saving field. The hr field uses the 24 hour format. Here are a couple of examples: Daylight Saving Time starts in most parts of the United States on the first Sunday of April. Each time zone in the United States starts using Daylight Saving Time at 2 A.M.
CHAPTER 42 Remote Management This chapter covers remote management found in SMT menu 24.11. 42.1 Remote Management Remote management allows you to determine which services/protocols can access which ZyWALL interface (if any) from which computers.
Note: When you configure remote management to allow management from any network except the LAN, you still need to configure a firewall rule to allow access. See Chapter 11 on page 181 for details on configuring firewall rules.
Chapter 42 Remote Management
Figure 402 Menu 24.11 – Remote Management Control
Menu 24.11 - Remote Management Control
TELNET Server: Port = 23, Access = LAN, Secure Client IP = 0.0.0.0
FTP Server: Port = 21, Access = LAN+WAN+DMZ+WLAN, Secure Client IP = 0.0.0.0
SSH Server: Certificate = auto_generated_self_signed_cert, Port = 22, Access = LAN+WAN+DMZ+WLAN, Secure Client IP = 0.0.0.
HTTPS Server:
HTTP Server:
SNMP Service:
DNS Service:
Table 218 Menu 24.11 – Remote Management Control (continued)
FIELD | DESCRIPTION
Authenticate Client Certificates | Select Yes by pressing [SPACE BAR], then [ENTER] to require the SSL client to authenticate itself to the ZyWALL by sending the ZyWALL a certificate. To do that the SSL client must have a CA-signed certificate from a CA that has been imported as a trusted CA on the ZyWALL (see Appendix F on page 627 for details).
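As an added example (not part of this User's Guide or of ZyNOS), the following Python script parses a Menu 24.11 listing in the Service / Port / Access / Secure Client IP layout shown above and flags services that are reachable from the WAN over a cleartext protocol or without a Secure Client IP restriction; the sample listing is constructed for the example, and it assumes, as is the convention for this menu, that a Secure Client IP of 0.0.0.0 means any client may connect.

```python
from dataclasses import dataclass, field
from typing import Dict, List

# Management services whose protocol carries credentials or data in the clear.
CLEARTEXT_SERVICES = {"TELNET Server", "FTP Server", "HTTP Server", "SNMP Service"}
ANY_CLIENT = "0.0.0.0"   # assumption: the SMT shows 0.0.0.0 when no secure client IP is set


@dataclass
class ServiceEntry:
    name: str
    fields: Dict[str, str] = field(default_factory=dict)

    @property
    def access(self) -> set:
        # "LAN+WAN+DMZ+WLAN" -> {"LAN", "WAN", "DMZ", "WLAN"}
        return {p.strip() for p in self.fields.get("Access", "").split("+") if p.strip()}


def parse_menu_24_11(text: str) -> List[ServiceEntry]:
    """Parse a 'Service:' / 'Key = value' listing into per-service entries."""
    entries: List[ServiceEntry] = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.endswith(":"):                       # "FTP Server:" starts a new block
            entries.append(ServiceEntry(line[:-1].strip()))
        elif "=" in line and entries:                # "Port = 21" belongs to the current block
            key, _, value = line.partition("=")
            entries[-1].fields[key.strip()] = value.strip()
    return entries


def audit_remote_management(entries: List[ServiceEntry]) -> List[str]:
    """Return one finding per weak setting; an empty list means nothing was flagged."""
    findings: List[str] = []
    for e in entries:
        if "WAN" not in e.access:
            continue                                 # reachable only from internal interfaces
        port = e.fields.get("Port", "?")
        if e.name in CLEARTEXT_SERVICES:
            findings.append(f"{e.name}: cleartext protocol reachable from WAN (port {port})")
        if e.fields.get("Secure Client IP", ANY_CLIENT) == ANY_CLIENT:
            findings.append(f"{e.name}: reachable from WAN with no Secure Client IP restriction")
    return findings


# Constructed sample in the layout of Menu 24.11 (values chosen for the example).
SAMPLE_MENU = """
TELNET Server:
  Port = 23
  Access = LAN
  Secure Client IP = 0.0.0.0
FTP Server:
  Port = 21
  Access = LAN+WAN+DMZ+WLAN
  Secure Client IP = 0.0.0.0
SSH Server:
  Certificate = auto_generated_self_signed_cert
  Port = 22
  Access = LAN+WAN+DMZ+WLAN
  Secure Client IP = 0.0.0.0
HTTPS Server:
  Certificate = auto_generated_self_signed_cert
  Authenticate Client Certificates = No
  Port = 443
  Access = LAN+WAN
  Secure Client IP = 203.0.113.10
"""

if __name__ == "__main__":
    for finding in audit_remote_management(parse_menu_24_11(SAMPLE_MENU)):
        print(finding)
```

In the sample, FTP is flagged twice (cleartext and unrestricted), SSH once (unrestricted), and TELNET and HTTPS not at all: TELNET is LAN-only and HTTPS is limited to a single secure client.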
CHAPTER 43 Call Scheduling Call scheduling allows you to dictate when a remote node should be called and for how long. 43.1 Introduction to Call Scheduling The call scheduling feature allows the ZyWALL to manage a remote node and dictate when a remote node should be called and for how long. This feature is similar to the scheduler in a videocassette recorder (you can specify a time period for the VCR to record). You can apply up to 4 schedule sets in Menu 11.1 - Remote Node Profile.
Chapter 43 Call Scheduling
Note: To delete a schedule set, enter the set number and press [SPACE BAR] and then [ENTER] or [DEL] in the Edit Name field.
To set up a schedule set, select the schedule set you want to setup from menu 26 (1-12) and press [ENTER] to see Menu 26.1 - Schedule Set Setup as shown next.
Figure 404 Schedule Set Setup
Menu 26.
Table 219 Schedule Set Setup (continued)
FIELD | DESCRIPTION
Day | If you selected Weekly in the How Often field above, then select the day(s) when the set should activate (and recur) by going to that day(s) and pressing [SPACE BAR] to select Yes, then press [ENTER].
Start Time | Enter the start time when you wish the schedule set to take effect in hour-minute format.
Duration | The duration determines how long the ZyWALL is to apply the action configured in the Action field.
Chapter 43 Call Scheduling Figure 406 Applying Schedule Set(s) to a Remote Node (PPTP) Menu 11.
CHAPTER 44 Troubleshooting
This chapter offers some suggestions to solve problems you might encounter. The potential problems are divided into the following categories.
• Power, Hardware Connections, and LEDs
• ZyWALL Access and Login
• Internet Access
• Wireless Router/AP Troubleshooting
• UPnP
44.1 Power, Hardware Connections, and LEDs
The ZyWALL does not turn on. None of the LEDs turn on when you turn on the ZyWALL.
1 Make sure you are using the power adaptor or cord included with the ZyWALL.
Chapter 44 Troubleshooting
44.2 ZyWALL Access and Login
I forgot the IP address for the ZyWALL.
1 The default IP address is 192.168.1.1.
2 Use the console port to log in to the ZyWALL.
3 If you changed the IP address and have forgotten it, you might get the IP address of the ZyWALL by looking up the IP address of the default gateway for your computer. To do this in most Windows computers, click Start > Run, enter cmd, and then enter ipconfig.
Chapter 44 Troubleshooting 6 If the problem continues, contact the network administrator or vendor, or try one of the advanced suggestions. Advanced Suggestions • You may also need to clear your Internet browser’s cache. In Internet Explorer, click Tools and then Internet Options to open the Internet Options screen. In the General tab, click Delete Files. In the pop-up window, select the Delete all offline content check box and click OK. Click OK in the Internet Options screen to close it.
See the troubleshooting suggestions for I cannot see or access the Login screen in the web configurator. Ignore the suggestions about your browser.
I cannot use the console port to access the ZyWALL.
1 Check to see if the ZyWALL is connected to your computer's console port.
2 Check to see if the communications program is configured correctly. The communications software should be configured as follows:
• VT100 terminal emulation.
The username and password apply to PPPoE and PPPoA encapsulation only. Make sure that you have entered the correct Service Type, User Name and Password (be sure to use the correct casing). Refer to the WAN setup chapter (web configurator or SMT).
2 Disconnect all the cables from your device, and follow the directions in the Quick Start Guide again.
3 If the problem continues, contact your ISP.
I cannot access the Internet.
Chapter 44 Troubleshooting interfering with the wireless network (for example, microwaves, other wireless networks, and so on). 3 Reboot the ZyWALL. 4 If the problem continues, contact the network administrator or vendor, or try one of the advanced suggestions. Advanced Suggestions • Check the settings for bandwidth management. If it is disabled, you might consider activating it. If it is enabled, you might consider changing the allocations. 44.
Restart your computer.
I cannot open special applications such as white board, file transfer and video when I use the MSN messenger.
1 Wait more than three minutes.
2 Restart the applications.
PART VII Appendices and Index
Product Specifications (589)
Setting up Your Computer’s IP Address (593)
Pop-up Windows, JavaScripts and Java Permissions (609)
IP Addresses and Subnetting (615)
Common Services (623)
Importing Certificates (627)
Command Interpreter (639)
Firewall Commands (647)
NetBIOS Filter Commands (653)
Certificates Commands (655)
Brute-Force Password Guessing Protection (659)
Boot Commands (661)
Legal Information (663)
Customer Support (667)
Index (671)
APPENDIX A Product Specifications
The following tables summarize the ZyWALL’s hardware and firmware features.
Table 220 Hardware Specifications
Dimensions (W x D x H) | 181(W) x 128(D) x 36(H) mm
Weight | 304g
Power Specification | 12 V DC 1 A
Ethernet Ports | Auto-negotiating: 10 Mbps or 100 Mbps in either half-duplex or full-duplex mode. Auto-crossover: Use either crossover or straight-through Ethernet cables.
Appendix A Product Specifications
Table 221 Firmware Specifications
FEATURE | DESCRIPTION
Network Address Translation (NAT) | Each computer on your network must have its own unique IP address. Use NAT to convert your public IP address(es) to multiple private IP addresses for the computers on your network.
Port Forwarding | If you have a server (mail or web server for example) on your network, you can use this feature to let people access it from the Internet.
Table 222 Feature Specifications
FEATURE | SPECIFICATION
Number of Local User Database Entries | 32
Number of Static DHCP Table Entries | 32
Number of Static Routes | 12
Number of Port Forwarding Rules | 20
Number of NAT Sessions | 3000
Number of Address Mapping Rules | 10
Number of IPSec VPN Tunnels/Security Associations | 2
Number of Bandwidth Management Classes | 10
Number of Bandwidth Management Class Levels | 1
Number of DNS Address Record Entries | 30
Number of DNS N
Table 224 Console Cable Pin Assignments
PIN DEFINITION | RJ-45 END | DB-9M (MALE) END
DSR | 1 | 6
DTR | 2 | 4
TX | 3 | 3
RTS | 4 | 7
GND | 5 | 5
RX | 6 | 2
CTS | 7 | 8
DCD | 8 | 1
N/A | - | 9
Table 225 Console Cable Pin Assignments
PIN DEFINITION | RJ-45 END | DB-9M (MALE) END
DTR | 1 | 4
DSR | 2 | 6
RX | 3 | 2
CTS | 4 | 8
GND | 5 | 5
TX | 6 | 3
RTS | 7 | 7
DCD | 8 | 1
N/A | - | 9
Table 226 Ethernet Cable Pin Assignments
WAN / LAN ETHERNET CABLE PIN LAYOUT
Straight-through | Crossover (Switch)
APPENDIX B Setting up Your Computer’s IP Address All computers must have a 10M or 100M Ethernet adapter card and TCP/IP installed. Windows 95/98/Me/NT/2000/XP, Macintosh OS 7 and later operating systems and all versions of UNIX/LINUX include the software components you need to install and use TCP/ IP on your computer. Windows 3.1 requires the purchase of a third-party TCP/IP application package.
Appendix B Setting up Your Computer’s IP Address Figure 408 Windows 95/98/Me: Network: Configuration Installing Components The Network window Configuration tab displays a list of installed components. You need a network adapter, the TCP/IP protocol and Client for Microsoft Networks. If you need the adapter: 1 In the Network window, click Add. 2 Select Adapter and then click Add. 3 Select the manufacturer and model of your network adapter and then click OK.
Appendix B Setting up Your Computer’s IP Address Configuring 1 In the Network window Configuration tab, select your network adapter's TCP/IP entry and click Properties 2 Click the IP Address tab. • If your IP address is dynamic, select Obtain an IP address automatically. • If you have a static IP address, select Specify an IP address and type your information into the IP Address and Subnet Mask fields. Figure 409 Windows 95/98/Me: TCP/IP Properties: IP Address 3 Click the DNS Configuration tab.
Appendix B Setting up Your Computer’s IP Address Figure 410 Windows 95/98/Me: TCP/IP Properties: DNS Configuration 4 Click the Gateway tab. • If you do not know your gateway’s IP address, remove previously installed gateways. • If you have a gateway IP address, type it in the New gateway field and click Add. 5 Click OK to save and close the TCP/IP Properties window. 6 Click OK to close the Network window. Insert the Windows CD if prompted. 7 Turn on your ZyWALL and restart your computer when prompted.
Appendix B Setting up Your Computer’s IP Address Figure 411 Windows XP: Start Menu 2 In the Control Panel, double-click Network Connections (Network and Dial-up Connections in Windows 2000/NT). Figure 412 Windows XP: Control Panel 3 Right-click Local Area Connection and then click Properties.
Appendix B Setting up Your Computer’s IP Address Figure 413 Windows XP: Control Panel: Network Connections: Properties 4 Select Internet Protocol (TCP/IP) (under the General tab in Win XP) and then click Properties. Figure 414 Windows XP: Local Area Connection Properties 5 The Internet Protocol TCP/IP Properties window opens (the General tab in Windows XP). • If you have a dynamic IP address click Obtain an IP address automatically.
Appendix B Setting up Your Computer’s IP Address Figure 415 Windows XP: Internet Protocol (TCP/IP) Properties 6 If you do not know your gateway's IP address, remove any previously installed gateways in the IP Settings tab and click OK. Do one or more of the following if you want to configure additional IP addresses: • In the IP Settings tab, in IP addresses, click Add. • In TCP/IP Address, type an IP address in IP address and a subnet mask in Subnet mask, and then click Add.
Appendix B Setting up Your Computer’s IP Address Figure 416 Windows XP: Advanced TCP/IP Properties 7 In the Internet Protocol TCP/IP Properties window (the General tab in Windows XP): • Click Obtain DNS server address automatically if you do not know your DNS server IP address(es). • If you know your DNS server IP address(es), click Use the following DNS server addresses, and type them in the Preferred DNS server and Alternate DNS server fields.
Appendix B Setting up Your Computer’s IP Address Figure 417 Windows XP: Internet Protocol (TCP/IP) Properties 8 Click OK to close the Internet Protocol (TCP/IP) Properties window. 9 Click Close (OK in Windows 2000/NT) to close the Local Area Connection Properties window. 10 Close the Network Connections window (Network and Dial-up Connections in Windows 2000/NT). 11 Turn on your ZyWALL and restart your computer (if prompted).
Appendix B Setting up Your Computer’s IP Address Figure 418 Macintosh OS 8/9: Apple Menu 2 Select Ethernet built-in from the Connect via list. Figure 419 Macintosh OS 8/9: TCP/IP 3 For dynamically assigned settings, select Using DHCP Server from the Configure: list.
Appendix B Setting up Your Computer’s IP Address • From the Configure box, select Manually. • Type your IP address in the IP Address box. • Type your subnet mask in the Subnet mask box. • Type the IP address of your ZyWALL in the Router address box. 5 Close the TCP/IP Control Panel. 6 Click Save if prompted, to save changes to your configuration. 7 Turn on your ZyWALL and restart your computer (if prompted). Verifying Settings Check your TCP/IP properties in the TCP/IP Control Panel window.
Appendix B Setting up Your Computer’s IP Address Figure 421 Macintosh OS X: Network 4 For statically assigned settings, do the following: • From the Configure box, select Manually. • Type your IP address in the IP Address box. • Type your subnet mask in the Subnet mask box. • Type the IP address of your ZyWALL in the Router address box. 5 Click Apply Now and close the window. 6 Turn on your ZyWALL and restart your computer (if prompted).
Note: Make sure you are logged in as the root administrator.
Using the K Desktop Environment (KDE)
Follow the steps below to configure your computer IP address using the KDE.
1 Click the Red Hat button (located on the bottom left corner), select System Setting and click Network.
Figure 422 Red Hat 9.0: KDE: Network Configuration: Devices
2 Double-click on the profile of the network card you wish to configure.
Appendix B Setting up Your Computer’s IP Address • If you have a dynamic IP address, click Automatically obtain IP address settings with and select dhcp from the drop down list. • If you have a static IP address, click Statically set IP Addresses and fill in the Address, Subnet mask, and Default Gateway Address fields. 3 Click OK to save the changes and close the Ethernet Device General screen. 4 If you know your DNS server IP address(es), click the DNS tab in the Network Configuration screen.
Figure 426 Red Hat 9.0: Dynamic IP Address Setting in ifconfig-eth0
DEVICE=eth0
ONBOOT=yes
BOOTPROTO=dhcp
USERCTL=no
PEERDNS=yes
TYPE=Ethernet
• If you have a static IP address, enter static in the BOOTPROTO= field. Type IPADDR= followed by the IP address (in dotted decimal notation) and type NETMASK= followed by the subnet mask. The following example shows a static IP address of 192.168.1.10 with a subnet mask of 255.255.255.0.
Figure 430 Red Hat 9.0: Checking TCP/IP Properties
[root@localhost]# ifconfig
eth0 Link encap:Ethernet HWaddr 00:50:BA:72:5B:44
inet addr:172.23.19.129 Bcast:172.23.19.255 Mask:255.255.255.0
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:717 errors:0 dropped:0 overruns:0 frame:0
TX packets:13 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:100
RX bytes:730412 (713.2 Kb) TX bytes:1570 (1.
APPENDIX C Pop-up Windows, JavaScripts and Java Permissions
In order to use the web configurator you need to allow:
• Web browser pop-up windows from your device.
• JavaScripts (enabled by default).
• Java permissions (enabled by default).
Note: Internet Explorer 6 screens are used here. Screens for other Internet Explorer versions may vary.
Internet Explorer Pop-up Blockers
You may have to disable pop-up blocking to log into your device.
Appendix C Pop-up Windows, JavaScripts and Java Permissions 2 Clear the Block pop-ups check box in the Pop-up Blocker section of the screen. This disables any web pop-up blockers you may have enabled. Figure 432 Internet Options 3 Click Apply to save this setting. Enable pop-up Blockers with Exceptions Alternatively, if you only want to allow pop-up windows from your device, see the following steps. 1 In Internet Explorer, select Tools, Internet Options and then the Privacy tab.
Appendix C Pop-up Windows, JavaScripts and Java Permissions Figure 433 Internet Options 3 Type the IP address of your device (the web page that you do not want to have blocked) with the prefix “http://”. For example, http://192.168.1.1. 4 Click Add to move the IP address to the list of Allowed sites.
5 Click Close to return to the Privacy screen.
6 Click Apply to save this setting.
JavaScripts
If pages of the web configurator do not display properly in Internet Explorer, check that JavaScripts are allowed.
1 In Internet Explorer, click Tools, Internet Options and then the Security tab.
Figure 435 Internet Options
2 Click the Custom Level... button.
3 Scroll down to Scripting.
Figure 436 Security Settings - Java Scripting
Java Permissions
1 From Internet Explorer, click Tools, Internet Options and then the Security tab.
2 Click the Custom Level... button.
3 Scroll down to Microsoft VM.
4 Under Java permissions make sure that a safety level is selected.
5 Click OK to close the window.
JAVA (Sun)
1 From Internet Explorer, click Tools, Internet Options and then the Advanced tab.
2 Make sure that Use Java 2 for
APPENDIX D IP Addresses and Subnetting This appendix introduces IP addresses and subnet masks. IP addresses identify individual devices on a network. Every networking device (including computers, servers, routers, printers, etc.) needs an IP address to communicate across the network. These networking devices are also known as hosts. Subnet masks determine the maximum number of possible hosts on a network. You can also use subnet masks to divide one network into multiple sub-networks.
Appendix D IP Addresses and Subnetting Figure 439 Network Number and Host ID How much of the IP address is the network number and how much is the host ID varies according to the subnet mask. Subnet Masks A subnet mask is used to determine which bits are part of the network number, and which bits are part of the host ID (using a logical AND operation). The term “subnet” is short for “subnetwork”. A subnet mask has 32 bits.
Subnet masks are expressed in dotted decimal notation just like IP addresses. The following examples show the binary and decimal notation for 8-bit, 16-bit, 24-bit and 29-bit subnet masks.
Table 228 Subnet Masks
MASK | BINARY (1ST OCTET 2ND OCTET 3RD OCTET 4TH OCTET) | DECIMAL
8-bit mask | 11111111 00000000 00000000 00000000 | 255.0.0.0
16-bit mask | 11111111 11111111 00000000 00000000 | 255.255.0.0
24-bit mask | 11111111 11111111 11111111 00000000 | 255.255.255.
Table 230 Alternative Subnet Mask Notation (continued)
SUBNET MASK | ALTERNATIVE NOTATION | LAST OCTET (BINARY) | LAST OCTET (DECIMAL)
255.255.255.192 | /26 | 1100 0000 | 192
255.255.255.224 | /27 | 1110 0000 | 224
255.255.255.240 | /28 | 1111 0000 | 240
255.255.255.248 | /29 | 1111 1000 | 248
255.255.255.252 | /30 | 1111 1100 | 252
Subnetting
You can use subnetting to divide one network into multiple sub-networks.
Figure 441 Subnetting Example: After Subnetting
In a 25-bit subnet the host ID has 7 bits, so each sub-network has a maximum of 2^7 – 2 or 126 possible hosts (a host ID of all zeroes is the subnet’s address itself, all ones is the subnet’s broadcast address). 192.168.1.0 with mask 255.255.255.128 is subnet A itself, and 192.168.1.127 with mask 255.255.255.128 is its broadcast address.
Table 232 Subnet 2
IP/SUBNET MASK        NETWORK NUMBER               LAST OCTET BIT VALUE
IP Address            192.168.1.                   64
IP Address (Binary)   11000000.10101000.00000001.  01000000
Subnet Mask (Binary)  11111111.11111111.11111111.  11000000
Subnet Address: 192.168.1.64        Lowest Host ID: 192.168.1.65
Broadcast Address: 192.168.1.127    Highest Host ID: 192.168.1.126

Table 233 Subnet 3
IP/SUBNET MASK        NETWORK NUMBER               LAST OCTET BIT VALUE
IP Address            192.168.1.
Table 235 Eight Subnets (continued)
SUBNET  SUBNET ADDRESS  FIRST ADDRESS  LAST ADDRESS  BROADCAST ADDRESS
5       128             129            158           159
6       160             161            190           191
7       192             193            222           223
8       224             225            254           255

Subnet Planning

The following table is a summary for subnet planning on a network with a 24-bit network number.

Table 236 24-bit Network Number Subnet Planning
NO. “BORROWED” HOST BITS  SUBNET MASK      NO. SUBNETS  NO. HOSTS PER SUBNET
1                         255.255.255.
Table 237 16-bit Network Number Subnet Planning (continued)
NO. “BORROWED” HOST BITS  SUBNET MASK            NO. SUBNETS  NO. HOSTS PER SUBNET
14                        255.255.255.252 (/30)  16384        2
15                        255.255.255.254 (/31)  32768        1

Configuring IP Addresses

Where you obtain your network number depends on your particular situation. If the ISP or your network administrator assigns you a block of registered IP addresses, follow their instructions in selecting the IP addresses and the subnet mask.
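The subnet arithmetic behind Tables 232, 235 and 236 above, as an added Python example that is not part of ZyXEL's guide: it performs the mask AND and host-bit operations directly rather than through a library, and handles any prefix up to /30, so it generalizes beyond the 24-bit cases on the page.

```python
"""Subnet arithmetic for the worked examples in this appendix.

Added example, not ZyXEL code. It uses plain bit operations so the logical
AND / OR steps the appendix describes are visible."""
from dataclasses import dataclass


def ip_to_int(dotted: str) -> int:
    """Dotted-decimal IPv4 -> 32-bit integer; rejects malformed input."""
    parts = dotted.split(".")
    if len(parts) != 4 or not all(p.isdigit() and int(p) <= 255 for p in parts):
        raise ValueError(f"bad IPv4 address: {dotted!r}")
    return int.from_bytes(bytes(int(p) for p in parts), "big")


def int_to_ip(value: int) -> str:
    return ".".join(str(b) for b in value.to_bytes(4, "big"))


def prefix_to_mask(prefix: int) -> int:
    """/N notation -> mask with the top N bits set (Table 230)."""
    if not 0 <= prefix <= 32:
        raise ValueError(f"prefix out of range: {prefix}")
    return (0xFFFFFFFF << (32 - prefix)) & 0xFFFFFFFF


def mask_to_prefix(mask: str) -> int:
    """Dotted mask -> /N; rejects masks whose one bits are not contiguous."""
    m = ip_to_int(mask)
    prefix = bin(m).count("1")
    if prefix_to_mask(prefix) != m:
        raise ValueError(f"non-contiguous subnet mask: {mask}")
    return prefix


@dataclass(frozen=True)
class Subnet:
    network: str
    first_host: str
    last_host: str
    broadcast: str
    hosts: int


def describe(ip: str, prefix: int) -> Subnet:
    """Network number, usable host range and broadcast for any address in a subnet."""
    if prefix > 30:
        raise ValueError("/31 and /32 have no all-zeros/all-ones host IDs to reserve")
    m = prefix_to_mask(prefix)
    net = ip_to_int(ip) & m            # logical AND keeps the network number
    bcast = net | (~m & 0xFFFFFFFF)    # host ID all ones is the broadcast address
    return Subnet(int_to_ip(net), int_to_ip(net + 1), int_to_ip(bcast - 1),
                  int_to_ip(bcast), 2 ** (32 - prefix) - 2)


def split(network: str, prefix: int, borrowed: int) -> list:
    """Borrow host bits to divide one network into 2**borrowed sub-networks (Table 235)."""
    new_prefix = prefix + borrowed
    base = ip_to_int(network) & prefix_to_mask(prefix)
    size = 2 ** (32 - new_prefix)
    return [describe(int_to_ip(base + i * size), new_prefix) for i in range(2 ** borrowed)]


def planning(borrowed: int, network_bits: int = 24) -> tuple:
    """One row of the subnet planning tables: (mask, number of subnets, hosts per subnet)."""
    new_prefix = network_bits + borrowed
    return (int_to_ip(prefix_to_mask(new_prefix)), 2 ** borrowed,
            describe("0.0.0.0", new_prefix).hosts)


if __name__ == "__main__":
    print(describe("192.168.1.64", mask_to_prefix("255.255.255.192")))   # Table 232
    for n, s in enumerate(split("192.168.1.0", 24, 3), 1):                # Table 235
        print(n, s.network, s.first_host, s.last_host, s.broadcast)
    for b in range(1, 7):                                                 # Table 236
        print(b, *planning(b))
```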
APPENDIX E Common Services

The following table lists some commonly-used services and their associated protocols and port numbers. For a comprehensive list of port numbers, ICMP type/code numbers and services, visit the IANA (Internet Assigned Numbers Authority) web site.
• Name: This is a short, descriptive name for the service. You can use this one or create a different one, if you like.
• Protocol: This is the type of IP protocol used by the service.
Table 238 Commonly Used Services (continued)
NAME   PROTOCOL  PORT(S)  DESCRIPTION
FTP    TCP       20, 21   File Transfer Program, a program to enable fast transfer of files, including large files that may not be possible by e-mail.
H.323  TCP       1720     NetMeeting uses this protocol.
HTTP   TCP       80       Hyper Text Transfer Protocol - a client/server protocol for the world wide web.
HTTPS  TCP       443      HTTPS is a secured http session often used in e-commerce.
Table 238 Commonly Used Services (continued)
NAME     PROTOCOL  PORT(S)  DESCRIPTION
RTELNET  TCP       107      Remote Telnet.
RTSP     TCP/UDP   554      The Real Time Streaming (media control) Protocol (RTSP) is a remote control for multimedia on the Internet.
SFTP     TCP       115      Simple File Transfer Protocol.
SMTP     TCP       25       Simple Mail Transfer Protocol is the message-exchange standard for the Internet. SMTP enables you to move messages from one e-mail server to another.
APPENDIX F Importing Certificates

This appendix shows examples of importing certificates using Internet Explorer 5.

Import ZyWALL Certificates into Netscape Navigator

In Netscape Navigator, you can permanently trust the ZyWALL’s server certificate by importing it into your operating system as a trusted certification authority. Select Accept This Certificate Permanently in the following screen to do this.
Figure 443 Login Screen

2 Click Install Certificate to open the Install Certificate wizard.

Figure 444 Certificate General Information before Import

3 Click Next to begin the Install Certificate wizard.
Figure 445 Certificate Import Wizard 1

4 Select where you would like to store the certificate and then click Next.

Figure 446 Certificate Import Wizard 2

5 Click Finish to complete the Import Certificate wizard.
Figure 447 Certificate Import Wizard 3

6 Click Yes to add the ZyWALL certificate to the root store.
Figure 449 Certificate General Information after Import

Enrolling and Importing SSL Client Certificates

The SSL client needs a certificate if Authenticate Client Certificates is selected on the ZyWALL. You must have imported at least one trusted CA to the ZyWALL in order for the Authenticate Client Certificates to be active (see the Certificates chapter for details).
Figure 450 ZyWALL Trusted CA Screen

The CA sends you a package containing the CA’s trusted certificate(s), your personal certificate(s) and a password to install the personal certificate(s).

Installing the CA’s Certificate

1 Double click the CA’s trusted certificate to produce a screen similar to the one shown next.
Figure 451 CA Certificate Example

2 Click Install Certificate and follow the wizard as shown earlier in this appendix.

Installing Your Personal Certificate(s)

You need a password in advance. The CA may issue the password or you may have to specify it during the enrollment. Double-click the personal certificate given to you by the CA to produce a screen similar to the one shown next.

1 Click Next to begin the wizard.
Figure 452 Personal Certificate Import Wizard 1

2 The file name and path of the certificate you double-clicked should automatically appear in the File name text box. Click Browse if you wish to import a different certificate.

Figure 453 Personal Certificate Import Wizard 2

3 Enter the password given to you by the CA.
Figure 454 Personal Certificate Import Wizard 3

4 Have the wizard determine where the certificate should be saved on your computer or select Place all certificates in the following store and choose a different location.

Figure 455 Personal Certificate Import Wizard 4

5 Click Finish to complete the wizard and begin the import process.
Figure 456 Personal Certificate Import Wizard 5

6 You should see the following screen when the certificate is correctly installed on your computer.

Figure 457 Personal Certificate Import Wizard 6

Using a Certificate When Accessing the ZyWALL Example

Use the following procedure to access the ZyWALL via HTTPS.

1 Enter ‘https://ZyWALL IP Address/’ in your browser’s web address field.
Figure 459 SSL Client Authentication

3 You next see the ZyWALL login screen.
APPENDIX G Command Interpreter

The following describes how to use the command interpreter. Enter 24 in the main menu to bring up the system maintenance menu. Enter 8 to go to Menu 24.8 - Command Interpreter Mode. See the included disk or zyxel.com for more detailed information on these commands.

Use of undocumented commands or misconfiguration can damage the unit and possibly render it unusable.

Command Syntax

• The command keywords are in courier new font.
Configuring What You Want the ZyWALL to Log

1 Use the sys logs load command to load the log setting buffer that allows you to configure which logs the ZyWALL is to record.
2 Use sys logs category to view a list of the log categories.
Log Command Example

This example shows how to set the ZyWALL to record the access logs and alerts and then view the results.

ras> sys logs load
ras> sys logs category access 3
ras> sys logs save
ras> sys logs display access
# .time source destination message
0|06/08/2004 05:58:21 |172.21.4.154 |224.0.1.24 BLOCK Firewall default policy: IGMP (W to W/ZW)
1|06/08/2004 05:58:20 |172.21.3.56 |239.255.255.
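To turn the displayed access log into something a detection workflow can consume, here is an added Python example (not ZyXEL code) that parses output in the column layout shown above and counts default-policy BLOCK entries per source address; SAMPLE_OUTPUT is constructed in that layout, and only its first entry is the line printed above.

```python
"""Parser for the 'sys logs display access' output shown in the example above.

Added example, not ZyXEL code. The pattern follows the column layout printed in
the example (#|time |source |destination message); SAMPLE_OUTPUT below is
constructed in that layout for offline use, not captured from a real device."""
from __future__ import annotations
import re
from collections import Counter
from dataclasses import dataclass
from datetime import datetime
from typing import Dict, List, Optional

LINE_RE = re.compile(
    r"^(?P<idx>\d+)\|(?P<time>\d{2}/\d{2}/\d{4} \d{2}:\d{2}:\d{2})\s*\|"
    r"(?P<src>\S+)\s*\|(?P<dst>\S+)\s+(?P<msg>.+?)\s*$"
)


@dataclass(frozen=True)
class AccessLog:
    index: int
    time: datetime
    source: str
    destination: str
    message: str

    @property
    def blocked(self) -> bool:
        """The example output prefixes dropped traffic with BLOCK."""
        return self.message.startswith("BLOCK")


def parse_line(line: str) -> Optional[AccessLog]:
    """Parse one line; return None for prompts, headers and anything else that is not an entry."""
    m = LINE_RE.match(line.strip())
    if m is None:
        return None
    return AccessLog(int(m["idx"]), datetime.strptime(m["time"], "%m/%d/%Y %H:%M:%S"),
                     m["src"], m["dst"], m["msg"])


def parse_display(output: str) -> List[AccessLog]:
    return [rec for rec in map(parse_line, output.splitlines()) if rec is not None]


def blocked_by_source(records: List[AccessLog], min_hits: int = 1) -> Dict[str, int]:
    """Count BLOCK entries per source, most frequent first, keeping sources with >= min_hits."""
    counts = Counter(r.source for r in records if r.blocked)
    return {src: n for src, n in counts.most_common() if n >= min_hits}


# Constructed sample in the layout of the example above: the first entry is the one the
# example prints; the remaining entries are made up for this demonstration.
SAMPLE_OUTPUT = """\
ras> sys logs display access
# .time source destination message
0|06/08/2004 05:58:21 |172.21.4.154 |224.0.1.24 BLOCK Firewall default policy: IGMP (W to W/ZW)
1|06/08/2004 05:58:20 |172.21.3.56 |224.0.0.251 BLOCK Firewall default policy: UDP (W to W/ZW)
2|06/08/2004 05:58:18 |172.21.4.154 |224.0.0.1 BLOCK Firewall default policy: IGMP (W to W/ZW)
3|06/08/2004 05:57:59 |192.168.1.33 |192.168.1.1 FORWARD Firewall rule match: TCP (L to L/ZW)
"""

if __name__ == "__main__":
    records = parse_display(SAMPLE_OUTPUT)
    for src, hits in blocked_by_source(records, min_hits=2).items():
        print(f"{src}: {hits} packets dropped by the default policy")
```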
Figure 463 Routing Command Example
ras> ip nat routing 2 1
Routing can work in NAT when no NAT rule match.
----------------------------------------------
LAN: no
DMZ: yes
WLAN: yes

ARP Behavior and the ARP ackGratuitous Commands

The ZyWALL does not accept ARP reply information if the ZyWALL did not send out a corresponding request. This helps prevent the ZyWALL from updating its ARP table with an incorrect IP address to MAC address mapping due to a spoofed ARP.
is on and set to force updates, the ZyWALL receives the gratuitous ARP request and updates its ARP table. This way the ZyWALL has a correct gateway ARP entry to forward packets through the backup gateway. If ackGratuitous is off or not set to force updates, the ZyWALL will not update the gateway ARP entry and cannot forward packets through gateway B.

Figure 464 Backup Gateway

Updating the ARP entries could increase the danger of spoofing attacks.
Figure 465 Managing the Bandwidth of an IPSec SA

Use on with this command to set the ZyWALL to use the outer source and destination IP addresses of VPN packets in managing the bandwidth of the VPN traffic. These are the IP addresses of the ZyWALL and the remote IPSec router. The following figure shows an example of this. The ZyWALL uses the IP addresses of the ZyWALL (X in the figure) and remote IPSec router (Y) to manage the bandwidth of the VPN traffic for the IKE SA.
By default the ZyWALL uses a 128-bit AES encryption key for phase 2 IPSec tunnels. Use this command to edit an existing VPN rule to use a longer AES encryption key. See the following example. Say you have VPN rule one, which uses AES for the phase 2 encryption, and you want it to use 192-bit encryption.
• Use the first line to start editing the VPN rule.
• The second line sets VPN rule one to use 192-bit AES for the phase 2 encryption.
• The third line displays the results.
APPENDIX H Firewall Commands

The following describes the firewall commands. See Appendix G on page 639 for information on the command structure.

Table 239 Firewall Commands
FUNCTION  COMMAND                      DESCRIPTION
          config edit firewall active  This command turns the firewall on or off.
          config retrieve firewall     This command returns the previously saved firewall settings.
          config save firewall         This command saves the current firewall settings.
Table 239 Firewall Commands (continued)
FUNCTION  COMMAND                                  DESCRIPTION
          config edit firewall e-mail mail-server  This command sets the IP address to which the e-mail messages are sent.
          config edit firewall e-mail return-addr  This command sets the source e-mail address of the firewall e-mails.
          config edit firewall e-mail email-to     This command sets the e-mail address to which the firewall e-mails are sent.
Table 239 Firewall Commands (continued)
FUNCTION  COMMAND                                          DESCRIPTION
Sets      config edit firewall attack minute-high <0-255>  This command sets the threshold rate of new half-open sessions per minute where the ZyWALL starts deleting old half-opened sessions until it gets them down to the minute-low threshold.
          config edit firewall attack minute-low <0-255>   This command sets the threshold of half-open sessions where the ZyWALL stops deleting half-opened sessions.
Table 239 Firewall Commands (continued)
FUNCTION  COMMAND                                    DESCRIPTION
Rules     config edit firewall set tcp-idle-timeout  This command sets how long the ZyWALL lets an inactive TCP connection remain open before considering it closed.
          config edit firewall set log               This command sets whether or not the ZyWALL creates logs for packets that match the firewall’s default rule set.
Table 239 Firewall Commands (continued)
FUNCTION  COMMAND                                        DESCRIPTION
          config edit firewall set rule destaddrsubnet   This command sets a rule to have the ZyWALL check for traffic with a particular subnet destination (defined by IP address and subnet mask).
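The minute-high / minute-low pair in Table 239 is a high-water / low-water control with a dead band between the two thresholds. The following added Python model (not ZyXEL firmware code, with constructed flow names and timings) reproduces that behaviour and shows why the band keeps the device from toggling in and out of deletion mode on every packet.

```python
"""Model of the minute-high / minute-low half-open session thresholds.

Added example, not ZyXEL firmware. It reproduces the behaviour the table
describes: when the rate of new half-open sessions per minute exceeds
minute-high, the oldest half-open sessions are deleted (here one per new
arrival) until the rate falls to minute-low; between the two thresholds the
current mode is kept, which is what stops the device flapping. Flow names and
timings in flood_scenario() are constructed sample data."""
from __future__ import annotations
from collections import OrderedDict, deque
from dataclasses import dataclass, field
from typing import Deque, List


@dataclass
class HalfOpenTable:
    minute_high: int
    minute_low: int
    table: "OrderedDict[str, float]" = field(default_factory=OrderedDict)  # flow -> SYN time, oldest first
    arrivals: Deque[float] = field(default_factory=deque)                  # SYN times in the last 60 s
    deleting: bool = False
    deleted: List[str] = field(default_factory=list)

    def __post_init__(self) -> None:
        if not 0 <= self.minute_low <= self.minute_high <= 255:
            raise ValueError("need 0 <= minute-low <= minute-high <= 255")

    def rate(self, now: float) -> int:
        """New half-open sessions seen in the minute ending at `now`."""
        while self.arrivals and now - self.arrivals[0] >= 60:
            self.arrivals.popleft()
        return len(self.arrivals)

    def syn(self, flow: str, now: float) -> None:
        """A SYN arrived and no handshake has completed yet: a new half-open session."""
        self.arrivals.append(now)
        self.table[flow] = now
        r = self.rate(now)
        if r > self.minute_high:        # above the high-water mark: start deleting
            self.deleting = True
        elif r <= self.minute_low:      # back at the low-water mark: stop deleting
            self.deleting = False
        if self.deleting and len(self.table) > 1:
            victim, _ = self.table.popitem(last=False)   # oldest half-open session goes first
            self.deleted.append(victim)

    def established(self, flow: str) -> None:
        """Handshake completed; the session is no longer half-open."""
        self.table.pop(flow, None)


def flood_scenario(minute_high: int = 10, minute_low: int = 5) -> dict:
    """Constructed burst: 12 SYNs in 12 s, one more inside the band, then a quiet period."""
    t = HalfOpenTable(minute_high, minute_low)
    for i in range(12):                 # rate climbs 1..12; deletion starts at the 11th SYN
        t.syn(f"flow{i}", float(i))
    t.syn("flow12", 66.0)               # window now holds SYNs at 7..11 plus this one = 6:
                                        # between low and high, so deletion continues
    in_band = t.deleting
    t.syn("flow13", 130.0)              # only this SYN in the window: rate 1 <= low, stop
    return {"deleted": list(t.deleted), "still_deleting_in_band": in_band,
            "deleting_after_quiet": t.deleting, "half_open": len(t.table)}
```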
APPENDIX I NetBIOS Filter Commands

The following describes the NetBIOS packet filter commands. See Appendix G on page 639 for information on the command structure.

Introduction

NetBIOS (Network Basic Input/Output System) packets are TCP or UDP broadcast packets that enable a computer to connect to and communicate with a LAN. For some dial-up services such as PPPoE or PPTP, NetBIOS packets cause unwanted calls.
The filter types and their default settings are as follows.

Table 240 NetBIOS Filter Default Settings
NAME                 DESCRIPTION                                                                                        EXAMPLE
Between LAN and WAN  This field displays whether NetBIOS packets are blocked or forwarded between the LAN and the WAN.  Block
Between LAN and DMZ  This field displays whether NetBIOS packets are blocked or forwarded between the LAN and the DMZ.
APPENDIX J Certificates Commands

The following describes the certificate commands. See Appendix G on page 639 for information on the command structure. All of these commands start with certificates.

Table 241 Certificates Commands
COMMAND                         DESCRIPTION
my_cert create
  create selfsigned [key size]  Create a self-signed local host certificate. specifies a descriptive name for the generated certificate.
Table 241 Certificates Commands (continued)
COMMAND                         DESCRIPTION
  create cmp_enroll [key size]  Create a certificate request and enroll for a certificate immediately online using CMP protocol. specifies a descriptive name for the enrolled certificate. specifies the CA server address. specifies the name of the CA certificate. specifies the id and key used for user authentication.
Table 241 Certificates Commands (continued)
COMMAND      DESCRIPTION
ca_trusted
  import     Import the PEM-encoded certificate from stdin. specifies the name as which the imported CA certificate is to be saved.
  export     Export the PEM-encoded certificate to stdout for user to copy and paste. specifies the name of the certificate to be exported.
  view       View the information of the specified trusted CA certificate.
Table 241 Certificates Commands (continued)
COMMAND              DESCRIPTION
  rename             Rename the specified trusted remote host certificate. specifies the name of the certificate to be renamed. specifies the new name as which the certificate is to be saved.
  add [login:pswd ]  Add a new directory service. specifies a descriptive name as which the added directory server is to be saved.
APPENDIX K Brute-Force Password Guessing Protection

Brute-force password guessing protection allows you to specify a wait-time that must expire before entering a fourth password after three incorrect passwords have been entered. The following describes the commands for enabling, disabling and configuring the brute-force password guessing protection mechanism for the password. See Appendix G on page 639 for information on the command structure.
APPENDIX L Boot Commands

The BootModule AT commands execute from within the router’s bootup software, when debug mode is selected before the main router firmware is started. When you start up your ZyWALL, you are given a choice to go into debug mode by pressing a key at the prompt shown in the following screen. In debug mode you have access to a series of boot module commands, for example ATUR (for uploading firmware) and ATLC (for uploading the configuration file).
Figure 469 Boot Module Commands
AT      just answer OK
ATHE    print help
ATBAx   change baudrate. 1:38.4k, 2:19.2k, 3:9.6k 4:57.6k 5:115.
APPENDIX M Legal Information

Copyright

Copyright © 2007 by ZyXEL Communications Corporation. The contents of this publication may not be reproduced in any part or as a whole, transcribed, stored in a retrieval system, translated into any language, or transmitted in any form or by any means, electronic, mechanical, magnetic, optical, chemical, photocopying, manual, or otherwise, without the prior written permission of ZyXEL Communications Corporation. Published by ZyXEL Communications Corporation.
If this device does cause harmful interference to radio/television reception, which can be determined by turning the device off and on, the user is encouraged to try to correct the interference by one or more of the following measures:
1 Reorient or relocate the receiving antenna.
2 Increase the separation between the equipment and the receiver.
3 Connect the equipment into an outlet on a circuit different from that to which the receiver is connected.
ZyXEL) and the customer will be billed for parts and labor. All repaired or replaced products will be shipped by ZyXEL to the corresponding return address, Postage Paid. This warranty gives you specific legal rights, and you may also have other rights that vary from country to country.

Registration

Register your product online to receive e-mail notices of firmware upgrades and information at www.zyxel.com for global products, or at www.us.zyxel.com for North American products.
APPENDIX N Customer Support

Please have the following information ready when you contact customer support.

Required Information
• Product model and serial number.
• Warranty Information.
• Date that you received your device.
• Brief description of the problem and the steps you took to solve it.

Corporate Headquarters (Worldwide)
• Support E-mail: support@zyxel.com.tw
• Sales E-mail: sales@zyxel.com.tw
• Telephone: +886-3-578-3942
• Fax: +886-3-578-2439
• Web Site: www.zyxel.com, www.europe.zyxel.
Denmark
• Support E-mail: support@zyxel.dk
• Sales E-mail: sales@zyxel.dk
• Telephone: +45-39-55-07-00
• Fax: +45-39-55-07-07
• Web Site: www.zyxel.dk
• Regular Mail: ZyXEL Communications A/S, Columbusvej, 2860 Soeborg, Denmark

Finland
• Support E-mail: support@zyxel.fi
• Sales E-mail: sales@zyxel.fi
• Telephone: +358-9-4780-8411
• Fax: +358-9-4780 8448
• Web Site: www.zyxel.
• Telephone: +7-3272-590-698
• Fax: +7-3272-590-689
• Web Site: www.zyxel.kz
• Regular Mail: ZyXEL Kazakhstan, 43, Dostyk ave., Office 414, Dostyk Business Centre, 050010, Almaty, Republic of Kazakhstan

North America
• Support E-mail: support@zyxel.com
• Sales E-mail: sales@zyxel.com
• Telephone: +1-800-255-4101, +1-714-632-0882
• Fax: +1-714-632-0858
• Web Site: www.us.zyxel.com
• FTP Site: ftp.us.zyxel.com
• Regular Mail: ZyXEL Communications Inc., 1130 N. Miller St.
• Web Site: www.zyxel.es
• Regular Mail: ZyXEL Communications, Arte, 21 5ª planta, 28033 Madrid, Spain

Sweden
• Support E-mail: support@zyxel.se
• Sales E-mail: sales@zyxel.se
• Telephone: +46-31-744-7700
• Fax: +46-31-744-7701
• Web Site: www.zyxel.se
• Regular Mail: ZyXEL Communications A/S, Sjöporten 4, 41764 Göteborg, Sweden

Ukraine
• Support E-mail: support@ua.zyxel.com
• Sales E-mail: sales@ua.zyxel.
Index

Numerics 9600 baud 445 A active protocol 253 AH 253 and encapsulation 254 ESP 253 Address Assignment 343 address assignment 143 AH 253 and transport mode 254 ALG 387 RTP 388 SIP 389 STUN 389 allocated budget 464, 491 alternative subnet mask notation 617 anti-probing 199 Application Layer Gateway. See ALG.
CHAP 464, 491 CNM 374 command interpreter mode 563 command line 551 commands FTP 551 computer names 126, 128 configuration backup 440, 550 TFTP 553 configuration restore 440, 555 via console port 561 connection ID/name 492 console port 445, 539 configuration upload 561 data bits 445 file backup 554 file upload 560 flow control 445 parity 445 restoring files 556 settings 445 speed 539, 540 stop bit 445 contact information 667 content filter general 211 content filtering 211 categories 211, 214 customi
extended authentication 242 F F/W version 540 factory defaults 441 factory-default configuration file 51 FCC interference statement 663 file backup console port 554 file maintenance over WAN 552 file upload console port 560 FTP 559 TFTP 559 Xmodem 561 filename conventions 549 filter 467, 479, 494, 519 and NAT 530 applying 531 configuration 519 configuring 522 DMZ 532 example 528 filter rule execution 520 generic filter rule 527 incoming protocol 473 IP filter logic flow 526 protocol 473 remote node
ID type 240 IP address, remote IPSec router 237 IP address, ZyXEL Device 237 local identity 241 main mode 236, 242 NAT traversal 243 negotiation mode 236 password 242 peer identity 241 pre-shared key 240 proposal 239 SA life time 243 user name 242 IKE SA. See also VPN. incoming protocol filter 473 Internet access setup 67, 475 Internet Assigned Number Authority. See IANA. Internet Assigned Numbers Authority. See IANA 622 Internet Protocol Security. See IPSec.
inside global address 309 inside local address 309 Many to Many No Overload 312 Many to Many Overload 312 Many to One 312 mapping types 312 NAT unfriendly applications 513 One to One 312 ordering rules 504 port forwarding 317 port restricted cone 311 Server 312 server set 501 Single User Account 313 trigger port forwarding 515 what NAT does 310, 315 NAT traversal 243, 377 navigation panel 58 NBNS 126, 128 NetBIOS 128 NetBIOS Name Server. See NBNS. Network Address Translation. See NAT.
WWW 357 remote node 487 filter 467, 494 reports 401 host IP address 402, 403 protocol/port 402, 404 web site hits 402, 403 required fields 447 reset button 51 resetting the time 432 resetting the ZyWALL 51 restore configuration 440, 555 via console port 561 restoring factory defaults 441 restoring files via console port 556 via FTP 555 retry count 463 retry interval 463 RFC 1058. See RIP. RFC 1305. See NTP time protocol. RFC 1389. See RIP. RFC 1466. See IP address. RFC 1597. See private IP address.
subnetting 618 subscription services 117 syntax conventions 4 syslog logging 541 system information 537 maintenance 537 name 427, 453 status 537 timeout 356 System Management Terminal. See SMT.
WAN DHCP 546 WAN IP address 143 WAN setup 459 warranty 664 note 664 web configurator 49 web site hits 402, 403 Windows Internet Naming Service. See WINS. WINS 126, 128 WINS server 128 wireless channel 584 wireless LAN 584 wireless security 584 wizard setup 67 WLAN IP alias 484 setup 483 TCP/IP setup 484 WWW 357 www.dyndns.org 457 X Xmodem 561 file upload 561 protocol 550 Z ZyNOS 540, 550 ZyWALL registration 118 ZyXEL’s Network Operating System. See ZyNOS.