ZyWALL 110/310/1100 Series
VPN Firewall
Version 3.10 Edition 2, 02/2013
Quick Start Guide / User’s Guide

Default Login Details
LAN Port IP Address: https://192.168.1.
User Name:
Password:

www.zyxel.com
IMPORTANT! READ CAREFULLY BEFORE USE. KEEP THIS GUIDE FOR FUTURE REFERENCE. This is a User’s Guide for a series of products. Not all products support all firmware features. Screenshots and graphics in this book may differ slightly from your product due to differences in your product firmware or your computer operating system. Every effort has been made to ensure that the information in this manual is accurate.
Contents
Chapter 1 Introduction 17
1.1 Overview 17
1.2 Management Overview 19
1.3 Web Configurator
4.3.5 VPN Express Wizard - Summary 51
4.3.6 VPN Express Wizard - Finish 52
4.3.7 VPN Advanced Wizard - Scenario 53
4.3.8 VPN Advanced Wizard - Phase 1 Settings
6.9.1 More Information 95
6.10 USB Storage Screen 96
6.11 The IPSec Monitor Screen 97
6.11.1 Regular Expressions in Searching IPSec SAs
8.2 The Trunk Summary Screen 180
8.2.1 Configuring a User-Defined Trunk 181
8.2.2 Configuring the System Default Trunk 183
Chapter 9 Policy and Static Routes
Chapter 13 NAT 221
13.1 NAT Overview 221
13.1.1 What You Can Do in this Chapter 221
13.1.2 What You Need to Know
Chapter 18 Authentication Policy 253
18.1 Overview 253
18.1.1 What You Can Do in this Chapter 253
18.1.2 What You Need to Know
Chapter 21 SSL VPN 317
21.1 Overview 317
21.1.1 What You Can Do in this Chapter 317
21.1.2 What You Need to Know
24.1.2 What You Need to Know 345
24.2 L2TP VPN Screen 347
Chapter 25 Bandwidth Management 349
25.1 Overview
28.2.1 IPv4 Address Add/Edit Screen 386
28.2.2 IPv6 Address Add/Edit Screen 387
28.3 Address Group Summary Screen 388
28.3.1 Address Group Add/Edit Screen
32.2 Authentication Method Objects 410
32.2.1 Creating an Authentication Method Object 410
Chapter 33 Certificates 413
33.1 Overview
Chapter 37 System 443
37.1 Overview 443
37.1.1 What You Can Do in this Chapter 443
37.2 Host Name
37.12 Language Screen 483
37.13 IPv6 Screen 483
Chapter 38 Log and Report 485
38.1 Overview
Chapter 42 Reboot 525
42.1 Overview 525
42.1.1 What You Need To Know 525
42.2 The Reboot Screen
ZyWALL 110/310/1100 Series User’s Guide
CHAPTER 1
Introduction

1.1 Overview

Note: This help covers the following ZyWALL models and refers to them all as “ZyWALL”. Features and interface names vary by model. Key feature differences between ZyWALL models are as follows. Other features are common to all models, although they may vary slightly by model. See the specific product’s datasheet for detailed specifications.

Figure 2 Applications: VPN Connectivity

SSL VPN Network Access

SSL VPN lets remote users use their web browsers for a very easy-to-use VPN solution. A user just browses to the ZyWALL’s web address and enters his user name and password to securely connect to the ZyWALL’s network.

Figure 4 Applications: User-Aware Access Control

Load Balancing

Set up multiple connections to the Internet on the same port, or different ports, including cellular interfaces. In either case, you can balance the traffic loads between them.

Figure 5 Applications: Multiple WAN Interfaces

1.2 Management Overview

You can manage the ZyWALL in the following ways.

Web Configurator

The Web Configurator allows easy ZyWALL setup and management using an Internet browser.

Command-Line Interface (CLI)

The CLI allows you to use text-based commands to configure the ZyWALL. Access it using remote management (for example, SSH or Telnet), via the physical console port, or via the Web Configurator’s console. See the Command Reference Guide for CLI details. The default settings for the console port are:

Table 2 Console Port Default Settings
Speed: 115200 bps
Data Bits: 8
Parity: None
Stop Bit: 1
Flow Control: Off
4 Click Login. If you logged in using the default user name and password, the Update Admin Info screen appears. Otherwise, the dashboard appears.

5 Follow the directions in the Update Admin Info screen. If you change the default password, the Login screen appears after you click Apply. If you click Ignore, the Installation Setup Wizard opens if the ZyWALL is using its default configuration; otherwise the dashboard appears.

The title bar icons in the upper right corner provide the following functions.

Table 3 Title Bar: Web Configurator Icons
Logout: Click this to log out of the Web Configurator.
Help: Click this to open the help page for the current screen.
About: Click this to display basic information about the ZyWALL.
Site Map: Click this to see an overview of links to the Web Configurator screens.

Figure 9 Site Map

Object Reference

Click Object Reference to open the Object Reference screen. Select the type of object and the individual object and click Refresh to show which configuration settings reference the object.

Figure 10 Object Reference

The fields vary with the type of object. This table describes labels that can appear in this screen.

Table 5 Object References (continued)
Refresh: Click this to update the information in this screen.
Cancel: Click Cancel to close the screen.
Console: Click Console to open a Java-based console window from which you can run CLI commands. You will be prompted to enter your user name and password. See the Command Reference Guide for information about the commands.
1.3.3 Navigation Panel

Use the navigation panel menu items to open status and configuration screens. Click the arrow in the middle of the right edge of the navigation panel to hide the panel, or drag the edge to resize it. The following sections introduce the ZyWALL’s navigation panel menus and their screens.

Table 6 Monitor Menu Screens Summary (continued)
Cellular Status: Displays details about the ZyWALL’s 3G connection status.
USB Storage: Displays details about the USB device connected to the ZyWALL.
VPN Monitor > IPSec: Displays and manages the active IPSec SAs.
VPN Monitor > SSL: Lists users currently logged into the VPN SSL client portal. You can also log out individual users and delete related session information.

Table 7 Configuration Menu Screens Summary (continued)
Firewall > Firewall: Create and manage level-3 traffic rules.
Firewall > Session Control: Limit the number of concurrent client NAT/firewall sessions.
VPN Connection: Configure IPSec tunnels.
VPN Gateway: Configure IKE tunnels.
Console Speed: Set the console speed.
DNS: Configure the DNS server and address records for the ZyWALL.
WWW > Service Control: Configure HTTP, HTTPS, and general authentication.
WWW > Login Page: Configure how the login and access user screens look.
SSH: Configure SSH server and SSH service settings.
TELNET: Configure telnet server settings for the ZyWALL.
FTP: Configure FTP server settings.

Figure 14 Sorting Table Entries by a Column’s Criteria

Click the down arrow next to a column heading for more options about how to display the entries. The options available vary depending on the type of fields in the column.

Figure 17 Moving Columns

Use the icons and fields at the bottom of the table to navigate to different pages of entries and control how many entries display at a time.

Figure 18 Navigating Pages of Table Entries

The tables have icons for working with table entries. You can often use the [Shift] or [Ctrl] key to select multiple entries to remove, activate, or deactivate.

Figure 19 Common Table Icons

Here are descriptions for the most common table icons.

Working with Lists

When a list of available entries displays next to a list of selected entries, you can often just double-click an entry to move it from one list to the other. In some lists you can also use the [Shift] or [Ctrl] key to select multiple entries, and then use the arrow button to move them to the other list.
CHAPTER 2
Installation Setup Wizard

2.1 Installation Setup Wizard Screens

When you log into the Web Configurator for the first time or when you reset the ZyWALL to its default configuration, the Installation Setup Wizard screen displays. This wizard helps you configure Internet connection settings and activate subscription services. This chapter provides information on configuring the Web Configurator’s installation setup wizard.

• WAN Interface: This is the interface you are configuring for Internet access.
• Zone: This is the security zone to which this interface and Internet connection belong.
• IP Address Assignment: Select Auto if your ISP did not assign you a fixed IP address. Select Static if the ISP assigned a fixed IP address.

2.1.2 Internet Access: Ethernet

This screen is read-only if you set the previous screen’s IP Address Assignment field to Auto.

• Type the Password associated with the user name. Use up to 64 ASCII characters except [ ] and ?. This field can be blank.
• Select Nailed-Up if you do not want the connection to time out. Otherwise, type the Idle Timeout in seconds that elapses before the router automatically disconnects from the PPPoE server.

2.1.3.2 WAN IP Address Assignments

• WAN Interface: This is the name of the interface that will connect with your ISP.

• Type a Connection ID or connection name. It must follow the “c:id” or “n:name” format. For example, C:12 or N:My ISP. This field is optional and depends on the requirements of your broadband modem or router. You can use alphanumeric and -_: characters, and it can be up to 31 characters long.

2.1.5.2 WAN IP Address Assignments

• First WAN Interface: This is the connection type on the interface you are configuring to connect with your ISP.
CHAPTER 3
Hardware Introduction

3.1 Default Zones, Interfaces, and Ports

The default configurations for zones, interfaces, and ports are as follows. References to interfaces may be generic rather than the specific name used in your model. For example, this guide may use “the WAN interface” rather than “wan1” or “wan2”, “ge2” or “ge3”. An OPT (optional) Ethernet port can be configured as an additional WAN port, LAN, WLAN, or DMZ port.

Note: Use an 8-wire Ethernet cable to run your Gigabit Ethernet at 1000 Mbps. Using a 4-wire Ethernet cable limits your connection to 100 Mbps. Note that the connection speed also depends on what the Ethernet device at the other end can support.

3.2 Stopping the ZyWALL

Always use Maintenance > Shutdown > Shutdown or the shutdown command before you turn off the ZyWALL or remove the power. Not doing so can cause the firmware to become corrupt.

3.4 Wall-mounting

See Chapter 1 on page 17 for the ZyWALL models that can be wall-mounted. Do the following to attach your ZyWALL to a wall.

1 Screw two screws with 6 mm ~ 8 mm (0.24" ~ 0.31") wide heads into the wall 150 mm apart (see the figure in step 2). Do not screw the screws all the way into the wall; leave a small gap between the head of the screw and the wall.

Figure 21 ZyWALL Front Panel (110, 310, 1100)

The following tables describe the LEDs.

Table 10 Front Panel LEDs
Off: The ZyWALL is turned off.
Green, On: The ZyWALL is turned on.
Red, On: There is a hardware component failure. Shut down the device, wait for a few minutes and then restart the device (see Section 3.2 on page 38). If the LED turns red again, then please contact your vendor.
Green, Off: The ZyWALL is not ready or has failed.

3.5.1 Rear Panels

The following graphic shows the rear panel of the ZyWALL (110, 310, 1100).

Table 11 Rear Panel
Console: You can use the console port to manage the ZyWALL using CLI commands. You will be prompted to enter your user name and password. See the Command Reference Guide for more information about the CLI.
CHAPTER 4
Quick Setup Wizards

4.1 Quick Setup Overview

The Web Configurator’s quick setup wizards help you configure Internet and VPN connection settings. This chapter provides information on configuring the quick setup screens in the Web Configurator. See the feature-specific chapters in this User’s Guide for background information. In the Web Configurator, click Configuration > Quick Setup to open the first Quick Setup screen.

Figure 23 WAN Interface Quick Setup Wizard

4.2.1 Choose an Ethernet Interface

Select the Ethernet interface that you want to configure for a WAN connection and click Next.

Figure 24 Choose an Ethernet Interface

4.2.2 Select WAN Type

WAN Type Selection: Select the type of encapsulation this connection is to use. Choose Ethernet when the WAN port is used as a regular Ethernet connection. Otherwise, choose PPPoE or PPTP for a dial-up connection according to the information from your ISP.

Figure 25 WAN Interface Setup: Step 2

The screens vary depending on what encapsulation type you use. Refer to information provided by your ISP to know what to enter in each field. Leave a field blank if you don’t have that information.

Note: Enter the Internet access information exactly as your ISP gave it to you.

4.2.3 Configure WAN Settings

Use this screen to select whether the interface should use a fixed or dynamic IP address.

Figure 27 WAN and ISP Connection Settings (PPTP Shown)

The following table describes the labels in this screen.

Table 12 WAN and ISP Connection Settings
ISP Parameter: This section appears if the interface uses a PPPoE or PPTP Internet connection.
Encapsulation: This displays the type of Internet connection you are configuring.
Authentication Type: Use the drop-down list box to select an authentication protocol for outgoing calls.
Server IP: Type the IP address of the PPTP server.
Connection ID: Enter the connection ID or connection name in this field. It must follow the “c:id” or “n:name” format. For example, C:12 or N:My ISP. This field is optional and depends on the requirements of your DSL modem. You can use alphanumeric and -_: characters, and it can be up to 31 characters long.

The following table describes the labels in this screen.

Table 13 Interface Wizard: Summary WAN
Encapsulation: This displays what encapsulation this interface uses to connect to the Internet.
Service Name: This field only appears for a PPPoE interface. It displays the PPPoE service name specified in the ISP account.
Server IP: This field only appears for a PPTP interface. It displays the IP address of the PPTP server.
• VPN Setup configures a VPN tunnel for a secure connection to another computer or network.
• VPN Settings for Configuration Provisioning sets up a VPN rule the ZyWALL IPSec VPN Client can retrieve. Just enter a user name, password and the IP address of the ZyWALL in the ZyWALL IPSec VPN Client to get the VPN settings automatically from the ZyWALL.

Figure 30 VPN Wizard Welcome

4.3.3 VPN Express Wizard - Scenario

Click the Express radio button as shown in Figure 31 on page 49 to display the following screen.

Figure 32 VPN Express Wizard: Scenario

Rule Name: Type the name used to identify this VPN connection (and VPN gateway). You may use 1-31 alphanumeric characters, underscores (_), or dashes (-), but the first character cannot be a number. This value is case-sensitive.

Select the scenario that best describes your intended VPN connection.

4.3.4 VPN Express Wizard - Configuration

Figure 33 VPN Express Wizard: Configuration

• Secure Gateway: Any displays in this field if it is not configurable for the chosen scenario. Otherwise, enter the WAN IP address or domain name of the remote IPSec device (secure gateway) to identify the remote IPSec router by its IP address or a domain name. Use 0.0.0.0 if the remote IPSec router has a dynamic WAN IP address.
• Pre-Shared Key: Type the password.

Figure 34 VPN Express Wizard: Summary

• Rule Name: Identifies the VPN gateway policy.
• Secure Gateway: IP address or domain name of the remote IPSec device. If this field displays Any, only the remote IPSec device can initiate the VPN connection.
• Pre-Shared Key: VPN tunnel password. It identifies a communicating party during a phase 1 IKE negotiation.
• Local Policy: IP address and subnet mask of the computers on the network behind your ZyWALL that can use the tunnel.

Figure 35 VPN Express Wizard: Finish

Click Close to exit the wizard.

4.3.7 VPN Advanced Wizard - Scenario

Click the Advanced radio button as shown in Figure 31 on page 49 to display the following screen.

Figure 36 VPN Advanced Wizard: Scenario

Rule Name: Type the name used to identify this VPN connection (and VPN gateway). You may use 1-31 alphanumeric characters, underscores (_), or dashes (-), but the first character cannot be a number. This value is case-sensitive.

Select the scenario that best describes your intended VPN connection. The figure on the left of the screen changes to match the scenario you select.

Figure 37 VPN Advanced Wizard: Phase 1 Settings

• Secure Gateway: Any displays in this field if it is not configurable for the chosen scenario. Otherwise, enter the WAN IP address or domain name of the remote IPSec device (secure gateway) to identify the remote IPSec device by its IP address or a domain name. Use 0.0.0.0 if the remote IPSec device has a dynamic WAN IP address.
• My Address (interface): Select an interface from the drop-down list box to use on your ZyWALL.
• Dead Peer Detection (DPD) has the ZyWALL make sure the remote IPSec device is there before transmitting data through the IKE SA. If there has been no traffic for at least 15 seconds, the ZyWALL sends a message to the remote IPSec device. If it responds, the ZyWALL transmits the data. If it does not respond, the ZyWALL shuts down the IKE SA.
• Authentication Method: Select Pre-Shared Key to use a password or Certificate to use one of the ZyWALL’s certificates.

4.3.10 VPN Advanced Wizard - Summary

This is a read-only summary of the VPN tunnel settings.

Figure 39 VPN Advanced Wizard: Step 5

• Rule Name: Identifies the VPN connection (and the VPN gateway).
• Secure Gateway: IP address or domain name of the remote IPSec device.
• Pre-Shared Key: VPN tunnel password.
• Certificate: The certificate the ZyWALL uses to identify itself when setting up the VPN tunnel.

Figure 40 VPN Wizard: Finish

Click Close to exit the wizard.

4.4 VPN Settings for Configuration Provisioning Wizard: Wizard Type

Use VPN Settings for Configuration Provisioning to set up a VPN rule that can be retrieved with the ZyWALL IPSec VPN Client. VPN rules for the ZyWALL IPSec VPN Client have certain restrictions.
Choose Express to create a VPN rule with the default phase 1 and phase 2 settings and to use a pre-shared key. Choose Advanced to change the default settings and/or use certificates instead of a pre-shared key in the VPN rule.

Figure 41 VPN Settings for Configuration Provisioning Express Wizard: Wizard Type

4.4.1 Configuration Provisioning Express Wizard - VPN Settings

Click the Express radio button as shown in the previous screen to display the following screen.

Figure 42 VPN for Configuration Provisioning Express Wizard: Settings Scenario

Rule Name: Type the name used to identify this VPN connection (and VPN gateway). You may use 1-31 alphanumeric characters, underscores (_), or dashes (-), but the first character cannot be a number. This value is case-sensitive.

Application Scenario: Only the Remote Access (Server Role) is allowed in this wizard. It allows incoming connections from the ZyWALL IPSec VPN Client.

Figure 43 VPN for Configuration Provisioning Express Wizard: Configuration

• Secure Gateway: Any displays in this field because it is not configurable in this wizard. It allows incoming connections from the ZyWALL IPSec VPN Client.
• Pre-Shared Key: Type the password. Both ends of the VPN tunnel must use the same password. Use 8 to 31 case-sensitive ASCII characters or 8 to 31 pairs of hexadecimal (“0-9”, “A-F”) characters. Precede a hexadecimal key with “0x”.

Figure 44 VPN for Configuration Provisioning Express Wizard: Save

• Rule Name: Identifies the VPN gateway policy.
• Secure Gateway: Any displays in this field because it is not configurable in this wizard. It allows incoming connections from the ZyWALL IPSec VPN Client.
• Pre-Shared Key: VPN tunnel password. It identifies a communicating party during a phase 1 IKE negotiation.

Figure 45 VPN for Configuration Provisioning Express Wizard: Finish

Click Close to exit the wizard.

4.4.5 VPN Settings for Configuration Provisioning Advanced Wizard - Scenario

Click the Advanced radio button as shown in Figure 41 on page 59 to display the following screen.

Rule Name: Type the name used to identify this VPN connection (and VPN gateway). You may use 1-31 alphanumeric characters, underscores (_), or dashes (-), but the first character cannot be a number. This value is case-sensitive.

Application Scenario: Only the Remote Access (Server Role) is allowed in this wizard. It allows incoming connections from the ZyWALL IPSec VPN Client.

Click Next to continue the wizard.
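The wizard screens above state three input rules worth checking before a value is typed into the Web Configurator or scripted over the CLI: the Rule Name rule (sections 4.3.3, 4.3.7, 4.4.1 and 4.4.5), the Pre-Shared Key rule (the Configuration Provisioning Express wizard's Configuration screen), and the Connection ID rule (Table 12 and section 2.1.5). The following Python validator is an added example, not part of Zyxel's guide or firmware; it encodes only the rules the guide states. Two choices are assumptions and are marked in the comments: the hexadecimal key form accepts lowercase a-f alongside the uppercase A-F the guide lists, and the Connection ID check applies the guide's stated character set (letters, digits, -, _, :) literally, which rejects the space in the guide's own example N:My ISP.

```python
import re
from typing import Dict, Optional

# Rule Name: 1-31 characters from letters, digits, '_' and '-'; the first
# character must not be a digit; the value is case-sensitive.
RULE_NAME_RE = re.compile(r"^[A-Za-z_-][A-Za-z0-9_-]{0,30}$")

# Pre-Shared Key, hexadecimal form: "0x" followed by 8-31 pairs of hex digits.
# Assumption: lowercase a-f is accepted alongside the A-F the guide lists.
HEX_PSK_RE = re.compile(r"^0[xX](?:[0-9A-Fa-f]{2}){8,31}$")

# Connection ID: "c:<id>" or "n:<name>" using letters, digits, '-', '_' and
# ':' only, up to 31 characters in total. Assumption: the stated character
# set is applied literally, so a space (as in the guide's "N:My ISP") fails.
CONNECTION_ID_RE = re.compile(r"^[CcNn]:[A-Za-z0-9_:-]+$")


def check_rule_name(name: str) -> Optional[str]:
    """Return None when the name is acceptable, otherwise the reason it is not."""
    if not 1 <= len(name) <= 31:
        return "rule name must be 1-31 characters"
    if name[0].isdigit():
        return "rule name must not start with a number"
    if not RULE_NAME_RE.match(name):
        return "rule name may only contain letters, digits, '_' and '-'"
    return None


def check_pre_shared_key(key: str) -> Optional[str]:
    """Accept 8-31 ASCII characters, or 0x followed by 8-31 hex pairs."""
    if key[:2].lower() == "0x":
        # A key that starts with 0x is taken as the hexadecimal form.
        if not HEX_PSK_RE.match(key):
            return "hex key must be 0x followed by 8-31 pairs of hex digits"
        return None
    if not key.isascii():
        return "key must contain ASCII characters only"
    if not 8 <= len(key) <= 31:
        return "key must be 8-31 characters"
    return None


def check_connection_id(conn_id: str) -> Optional[str]:
    """The field is optional, so an empty string means 'not set' and passes."""
    if conn_id == "":
        return None
    if len(conn_id) > 31:
        return "connection ID must be at most 31 characters"
    if not CONNECTION_ID_RE.match(conn_id):
        return ("connection ID must be c:<id> or n:<name> using letters, "
                "digits, '-', '_' and ':'")
    return None


def validate_vpn_wizard_inputs(rule_name: str, pre_shared_key: str,
                               connection_id: str = "") -> Dict[str, str]:
    """Run every check; return the failures keyed by field (empty means all OK)."""
    results = {
        "Rule Name": check_rule_name(rule_name),
        "Pre-Shared Key": check_pre_shared_key(pre_shared_key),
        "Connection ID": check_connection_id(connection_id),
    }
    return {field: msg for field, msg in results.items() if msg is not None}


if __name__ == "__main__":
    # Constructed sample inputs for the demonstration, not values from any real device.
    samples = [
        ("Branch_Office-1", "0x" + "A1" * 8, "C:12"),
        ("1stOffice", "short", "X:oops"),
        ("HQ-tunnel", "Corr3ct-Horse-Battery", "N:My ISP"),
    ]
    for sample in samples:
        print(sample, "->", validate_vpn_wizard_inputs(*sample) or "OK")
```

The hexadecimal branch is taken whenever a key begins with 0x, so a key such as 0xABC is reported as a malformed hex key rather than silently accepted as a short ASCII password; that matches how the guide describes the 0x prefix.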
• Authentication Algorithm: MD5 (Message Digest 5) and SHA (Secure Hash Algorithm) are hash algorithms used to authenticate packet data. MD5 gives minimal security. SHA1 gives higher security and SHA256 gives the highest security. The stronger the algorithm, the slower it is.
• Key Group: DH5 is more secure than DH1 or DH2 (although it may affect throughput). DH1 (default) refers to Diffie-Hellman Group 1, a 768-bit random number.
• Remote Policy (IP/Mask): Any displays in this field because it is not configurable in this wizard.
• Nailed-Up: This displays for the site-to-site and remote access client role scenarios. Select this to have the ZyWALL automatically renegotiate the IPSec SA when the SA lifetime expires.

4.4.8 VPN Settings for Configuration Provisioning Advanced Wizard - Summary

This is a read-only summary of the VPN tunnel settings.

VPN Connection screen. Enter the IP address of the ZyWALL in the ZyWALL IPSec VPN Client to get all these VPN settings automatically from the ZyWALL.

Figure 50 VPN for Configuration Provisioning Advanced Wizard: Finish

Click Close to exit the wizard.
CHAPTER 5
Dashboard

5.1 Overview

Use the Dashboard screens to check status information about the ZyWALL.

5.1.1 What You Can Do in this Chapter

Use the Dashboard screens for the following.

• Use the main Dashboard screen (see Section 5.2 on page 69) to see the ZyWALL’s general device information, system status, system resource usage, licensed service status, and interface status. You can also display other status screens for more information.
• Use the VPN status screen (see Section 5.2.

Figure 51 Dashboard (callouts A to E)

The following table describes the labels in this screen.

Table 14 Dashboard
Widget Setting (A): Use this link to open or close widgets by selecting/clearing the associated checkbox.
Up Arrow (B): Click this to collapse a widget. It then becomes a down arrow. Click it again to enlarge the widget again.
Refresh Time Setting (C): Set the interval for refreshing the information displayed in the widget.
Device: This field displays the name of the device connected to the USB port if one is connected.
Status: This field displays the current status of each interface or device installed in a slot. The possible values depend on what type of interface it is.
  Inactive - The Ethernet interface is disabled.
  Down - The Ethernet interface is enabled but not connected.
  Speed / Duplex - The Ethernet interface is enabled and connected.
Boot Status: This field displays details about the ZyWALL’s startup state.
  OK - The ZyWALL started up successfully.
  Firmware update OK - A firmware update was successful.
  Problematic configuration after firmware update - The application of the configuration failed after a firmware upgrade.
  System default configuration - The ZyWALL successfully applied the system default configuration.
Status: This field displays the current status of each interface. The possible values depend on what type of interface it is. For Ethernet interfaces:
  Inactive - The Ethernet interface is disabled.
  Down - The Ethernet interface does not have any physical ports associated with it, or the Ethernet interface is enabled but not connected.
  Speed / Duplex - The Ethernet interface is enabled and connected.
Logs: This field displays whether a log (and alert) was created for the triggered firewall rule.
The Latest Alert Logs: These fields display recent logs generated by the ZyWALL.
  #: This is the entry’s rank in the list of alert logs.
  Time: This field displays the date and time the log was created.
  Priority: This field displays the severity of the log.
  Category: This field displays the type of log generated.

5.2.2 The Memory Usage Screen

Use this screen to look at a chart of the ZyWALL’s recent memory (RAM) usage. To access this screen, click Memory Usage in the dashboard.

Figure 53 Dashboard > Memory Usage

The following table describes the labels in this screen.

Table 16 Dashboard > Memory Usage
The y-axis represents the percentage of RAM usage.

Figure 54 Dashboard > Session Usage

The following table describes the labels in this screen.

Table 17 Dashboard > Session Usage
Sessions: The y-axis represents the number of sessions. The x-axis shows the time period over which the session usage occurred.
Refresh Interval: Enter how often you want this window to be automatically updated.
Refresh: Click this to update the information in the window right away.

The following table describes the labels in this screen.

Table 18 Dashboard > VPN Status
#: This field is a sequential value, and it is not associated with a specific SA.
Name: This field displays the name of the IPSec SA.
Encapsulation: This field displays how the IPSec SA is encapsulated.
Algorithm: This field displays the encryption and authentication algorithms used in the SA.

5.2.6 The Number of Login Users Screen

Use this screen to look at a list of the users currently logged into the ZyWALL. Users who close their browsers without logging out are still shown as logged in here. To access this screen, click Number of Login Users in System Status in the dashboard or Monitor > Login User.

Figure 57 Dashboard > System Status > Number of Login Users

The following table describes the labels in this screen.
Chapter 6 Monitor
6.1 Overview
Use the Monitor screens to check status and statistics information.
6.1.1 What You Can Do in this Chapter
Use the Monitor screens for the following.
• Use the System Status > Port Statistics screen (see Section 6.2 on page 80) to look at packet statistics for each physical port.
• Use the System Status > Port Statistics > Graph View screen (see Section 6.2 on page 80) to look at a line graph of packet statistics for each physical port.
6.2 The Port Statistics Screen
Use this screen to look at packet statistics for each Gigabit Ethernet port. To access this screen, click Monitor > System Status > Port Statistics.
Figure 58 Monitor > System Status > Port Statistics
The following table describes the labels in this screen.
Table 21 Monitor > System Status > Port Statistics
Poll Interval: Enter how often you want this window to be updated automatically, and click Set Interval.
6.2.1 The Port Statistics Graph Screen
Use this screen to look at a line graph of packet statistics for each physical port. To access this screen, click Port Statistics in the Status screen and then the Switch to Graphic View button.
Figure 59 Monitor > System Status > Port Statistics > Switch to Graphic View
The following table describes the labels in this screen.
6.3 Interface Status Screen
This screen lists all of the ZyWALL’s interfaces and gives packet statistics for them. Click Monitor > System Status > Interface Status to access this screen.
Figure 60 Monitor > System Status > Interface Status
Each field is described in the following table.
Table 23 Monitor > System Status > Interface Status
Interface Status: If an Ethernet interface does not have any physical ports associated with it, its entry is displayed in light gray text.
Expand/Close: Click this button to show or hide statistics for all the virtual interfaces on top of the Ethernet interfaces.
Name: This field displays the name of each interface.
Table 23 Monitor > System Status > Interface Status (continued)
Status: The activate (light bulb) icon is lit when the entry is active and dimmed when the entry is inactive.
Zone: This field displays the zone to which the interface is assigned.
IP Address: This is the IP address of the interface. If the interface is active (and connected), the ZyWALL tunnels local traffic sent to this IP address to the Remote Gateway Address.
Table 23 Monitor > System Status > Interface Status (continued)
IP Address: This field displays the current IPv6 address assigned to the interface. If the IPv6 address is not displayed, the interface is disabled or did not receive an IPv6 address via DHCP. If this interface is a member of an active virtual router, this field displays the IP address it is currently using.
• LAN IP with heaviest traffic and how much traffic has been sent to and from each one
You use the Traffic Statistics screen to tell the ZyWALL when to start and when to stop collecting information for these reports. You cannot schedule data collection; you have to start and stop it manually in the Traffic Statistics screen.
Figure 61 Monitor > System Status > Traffic Statistics
There is a limit on the number of records shown in the report.
Table 24 Monitor > System Status > Traffic Statistics (continued)
Traffic Type: Select the type of report to display. Choices are:
Host IP Address/User - displays the IP addresses or users with the most traffic and how much traffic has been sent to and from each one.
Service/Port - displays the most-used protocols or service ports and the amount of traffic for each one.
Web Site Hits - displays the most-visited Web sites and how many times each one has been visited.
The following table displays the maximum number of records shown in the report, the byte count limit, and the hit count limit.
Table 25 Maximum Values for Reports
Maximum Number of Records: 20
Byte Count Limit: 2^64 bytes; this is just less than 17 million terabytes.
Hit Count Limit: 2^64 hits; this is over 1.8 x 10^19 hits.
6.
The following table describes the labels in this screen.
Table 26 Monitor > System Status > Session Monitor
View: Select how you want the established sessions that passed through the ZyWALL to be displayed.
6.6 The DDNS Status Screen
The DDNS Status screen shows the status of the ZyWALL’s DDNS domain names. Click Monitor > System Status > DDNS Status to open the following screen.
Figure 63 Monitor > System Status > DDNS Status
The following table describes the labels in this screen.
Table 27 Monitor > System Status > DDNS Status
Update: Click this to have the ZyWALL update the profile to the DDNS server. The ZyWALL attempts to resolve the IP address for the domain name.
The following table describes the labels in this screen.
Table 28 Monitor > System Status > IP/MAC Binding
Interface: Select a ZyWALL interface that has IP/MAC binding enabled to show to which devices it has assigned an IP address.
#: This is the index number of an IP/MAC binding entry.
IP Address: This is the IP address that the ZyWALL assigned to a device.
Host Name: This field displays the name used to identify this device on the network (the computer name).
Table 29 Monitor > System Status > Login Users (continued)
User Info: This field displays the types of user accounts the ZyWALL uses. If the user type is ext-user (external user), this field will show its external-group information when you move your mouse over it. If the external user matches two external-group objects, both external-group object names will be shown.
Force Logout: Select a user ID and click this icon to end a user’s session.
Table 30 Monitor > System Status > Cellular Status (continued)
Status:
No device - no 3G device is connected to the ZyWALL.
No Service - no 3G network is available in the area; you cannot connect to the Internet.
Limited Service - returned by the service provider in cases where the SIM card is expired, the user failed to pay for the service and so on; you cannot connect to the Internet.
Device detected - displays when you connect a 3G device.
6.9.1 More Information
This screen displays more information on your 3G connection, such as the signal strength, IMEI/ESN and IMSI that help identify your 3G device and SIM card. Click Monitor > System Status > More Information to display this screen.
Note: This screen is only available when the 3G device is attached to and activated on the ZyWALL.
Figure 67 Monitor > System Status > More Information
The following table describes the labels in this screen.
Table 31 Monitor > System Status > More Information (continued)
Device IMEI/ESN: IMEI (International Mobile Equipment Identity) is a 15-digit code in decimal format that identifies the 3G device. ESN (Electronic Serial Number) is an 8-digit code in hexadecimal format that identifies the 3G device.
SIM Card IMSI: IMSI (International Mobile Subscriber Identity) is a 15-digit code that identifies the SIM card.
6.
Table 32 Monitor > System Status > USB Storage (continued)
Status:
Ready - you can have the ZyWALL use the USB storage device. Click Remove Now to stop the ZyWALL from using the USB storage device so you can remove it.
Unused - the connected USB storage device was manually unmounted by using the Remove Now button or for some reason the ZyWALL cannot mount it. Click Use It to have the ZyWALL mount a connected USB storage device.
Each field is described in the following table.
Table 33 Monitor > VPN Monitor > IPSec
Name: Enter the name of an IPSec SA here and click Search to find it (if it is associated). You can use a keyword or regular expression. Use up to 30 alphanumeric and _+-.()!$*^:?|{}[]<>/ characters. See Section 6.11.1 on page 98 for more details.
Policy: Enter the IP address(es) or names of the local and remote policies for an IPSec SA and click Search to find it.
The whole VPN connection or policy name has to match if you do not use a question mark or asterisk.
6.12 The SSL Connection Monitor Screen
The ZyWALL keeps track of the users who are currently logged into the VPN SSL client portal. Click Monitor > VPN Monitor > SSL to display the user list. Use this screen to do the following:
• View a list of active SSL VPN connections.
• Log out individual users and delete related session information.
Figure 71 Monitor > VPN Monitor > L2TP over IPSec
The following table describes the fields in this screen.
Table 35 Monitor > VPN Monitor > L2TP over IPSec
Disconnect: Select a connection and click this button to disconnect it.
#: This is the index number of a current L2TP VPN session.
User Name: This field displays the remote user’s user name.
Hostname: This field displays the name of the computer that has this L2TP VPN connection with the ZyWALL.
Figure 72 Monitor > Log
The following table describes the labels in this screen.
Table 36 Monitor > Log
Show Filter / Hide Filter: Click this button to show or hide the filter settings. If the filter settings are hidden, the Display, Email Log Now, Refresh, and Clear Log fields are available. If the filter settings are shown, the Display, Priority, Source Address, Destination Address, Service, Keyword, and Search fields are available.
Table 36 Monitor > Log (continued)
Email Log Now: Click this button to send log message(s) to the Active e-mail address(es) specified in the Send Log To field on the Log Settings page (see Section 38.3.2 on page 489).
Clear Log: Click this button to clear the whole log, regardless of what is currently displayed on the screen.
#: This field is a sequential value, and it is not associated with a specific log message.
Chapter 7 Interfaces
7.1 Interface Overview
Use the Interface screens to configure the ZyWALL’s interfaces. You can also create interfaces on top of other interfaces.
• Ports are the physical ports to which you connect cables.
• Interfaces are used within the system operationally. You use them in configuring various features. An interface also describes a network that is directly connected to the ZyWALL. For example, you connect the LAN network to the LAN interface.
• An interface is a logical entity through which (layer-3) packets pass.
• An interface is bound to a physical port or another interface.
• Many interfaces can share the same physical port.
• An interface belongs to at most one zone.
• Many interfaces can belong to the same zone.
• Layer-3 virtualization (IP alias, for example) is a kind of interface.
Types of Interfaces
You can create several types of interfaces in the ZyWALL.
Table 37 Ethernet, PPP, Cellular, VLAN, Bridge, and Virtual Interface Characteristics (continued)
CHARACTERISTICS: ETHERNET | ETHERNET | PPP | CELLULAR | VLAN | BRIDGE | VIRTUAL
Packet size (MTU): Yes | Yes | Yes | Yes | Yes | Yes | No
DHCP
DHCP server: No | Yes | No | No | Yes | Yes | No
DHCP relay: No | Yes | No | No | Yes | Yes | No
Connectivity Check: Yes | No | Yes | Yes | Yes | Yes | No
* The format of interface names other than the Ethernet and ppp interface names is strict.
* - You cannot set up a PPP interface, virtual Ethernet interface or virtual VLAN interface if the underlying interface is a member of a bridge. You also cannot add an Ethernet interface or VLAN interface to a bridge if the member interface has a virtual interface or PPP interface on top of it.
IPv6 Overview
IPv6 (Internet Protocol version 6) is designed to enhance IP address size and features.
Stateless Autoconfiguration
With stateless autoconfiguration in IPv6, addresses can be uniquely and automatically generated. Unlike DHCPv6 (Dynamic Host Configuration Protocol version six), which is used in IPv6 stateful autoconfiguration, the owner and status of addresses do not need to be maintained by a DHCP server. Every IPv6 device is able to generate its own unique IP address automatically when IPv6 is initiated on its interface.
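The following Python is an added illustration, not part of the ZyWALL guide: it shows how a host under stateless autoconfiguration derives its own address from a router-advertised /64 prefix and its MAC using modified EUI-64 (RFC 4291), and why that address reveals the MAC. The prefix and MAC are constructed sample values; the DUID-LL helper assumes the RFC 3315 DUID-LL layout, which the guide does not specify.

```python
import ipaddress

# Constructed sample values for the example (not from the guide).
SAMPLE_PREFIX = "2001:db8::/64"
SAMPLE_MAC = "00:11:22:33:44:55"


def mac_bytes(mac: str) -> bytes:
    """Parse a 48-bit MAC written with ':' or '-' separators."""
    raw = bytes.fromhex(mac.replace(":", "").replace("-", ""))
    if len(raw) != 6:
        raise ValueError("expected a 48-bit MAC address")
    return raw


def eui64_interface_id(mac: str) -> bytes:
    """Modified EUI-64 interface identifier (RFC 4291, Appendix A).

    The MAC is split in the middle, 0xFFFE is inserted, and the
    universal/local bit (0x02 of the first octet) is inverted.
    """
    m = mac_bytes(mac)
    return bytes([m[0] ^ 0x02]) + m[1:3] + b"\xff\xfe" + m[3:6]


def slaac_address(prefix: str, mac: str) -> ipaddress.IPv6Address:
    """Address a host forms from a router-advertised /64 prefix plus its EUI-64 ID.

    No server records a lease: the host derives the address itself, which is
    why the guide calls this stateless. Because the MAC is recoverable from the
    low 64 bits, the address also exposes the hardware identity of the host.
    """
    net = ipaddress.IPv6Network(prefix, strict=True)
    if net.prefixlen != 64:
        raise ValueError("EUI-64 autoconfiguration requires a /64 prefix")
    iid = int.from_bytes(eui64_interface_id(mac), "big")
    return ipaddress.IPv6Address(int(net.network_address) | iid)


def link_local_address(mac: str) -> ipaddress.IPv6Address:
    """The fe80::/64 address an interface derives before any router advertisement."""
    return slaac_address("fe80::/64", mac)


def mac_from_eui64_address(addr: str) -> str:
    """Recover the MAC from an EUI-64 derived address, or raise if it is not one.

    Useful on the defensive side: it shows which hosts on a segment expose their
    MAC in their IPv6 address (RFC 4941 privacy addresses do not).
    """
    low = int(ipaddress.IPv6Address(addr)) & ((1 << 64) - 1)
    iid = low.to_bytes(8, "big")
    if iid[3:5] != b"\xff\xfe":
        raise ValueError("interface identifier is not modified EUI-64")
    m = bytes([iid[0] ^ 0x02]) + iid[1:3] + iid[5:8]
    return ":".join(f"{b:02x}" for b in m)


def duid_ll(mac: str) -> bytes:
    """DUID-LL (RFC 3315 type 3) for an Ethernet MAC.

    Assumption: the guide only says a DUID can be generated from the MAC; this
    is the standard link-layer DUID form (type 0x0003, hardware type 0x0001).
    """
    return b"\x00\x03\x00\x01" + mac_bytes(mac)


if __name__ == "__main__":
    print("global     :", slaac_address(SAMPLE_PREFIX, SAMPLE_MAC))
    print("link-local :", link_local_address(SAMPLE_MAC))
    print("DUID-LL    :", duid_ll(SAMPLE_MAC).hex(":"))
```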
7.1.3 What You Need to Do First
For IPv6 settings, go to the Configuration > System > IPv6 screen to enable IPv6 support on the ZyWALL first.
7.2 Port Role Screen
To access this screen, click Configuration > Network > Interface > Port Role. Use the Port Role screen to set the ZyWALL’s flexible ports as part of the lan1, lan2, ext-wlan or dmz interfaces. This creates a hardware connection between the physical ports at the layer-2 (data link, MAC address) level.
Click Reset to change the port groups to their current configuration (last-saved values).
7.3 Ethernet Summary Screen
This screen lists every Ethernet interface and virtual interface created on top of Ethernet interfaces. If you enabled IPv6 in the Configuration > System > IPv6 screen, you can also configure Ethernet interfaces used for your IPv6 networks on this screen. To access this screen, click Configuration > Network > Interface > Ethernet.
Each field is described in the following table.
Table 40 Configuration > Network > Interface > Ethernet
Configuration / IPv6 Configuration: Use the Configuration section for IPv4 network settings. Use the IPv6 Configuration section for IPv6 network settings if you connect your ZyWALL to an IPv6 network. Both sections have similar fields as described below.
• Select which direction(s) routing information is exchanged - The ZyWALL can receive routing information, send routing information, or do both.
• Select which version of RIP to support in each direction - The ZyWALL supports RIP-1, RIP-2, and both versions.
• Select the broadcasting method used by RIP-2 packets - The ZyWALL can use subnet broadcasting or multicasting.
With OSPF, you can use Ethernet interfaces to do the following things.
Figure 75 Configuration > Network > Interface > Ethernet > Edit (External Type)
Figure 76 Configuration > Network > Interface > Ethernet > Edit (Internal Type)
Figure 77 Configuration > Network > Interface > Ethernet > Edit (OPT)
This screen’s fields are described in the table below.
Table 41 Configuration > Network > Interface > Ethernet > Edit
IPv4/IPv6 View / IPv4 View / IPv6 View: Use this button to display both IPv4 and IPv6, IPv4-only, or IPv6-only configuration fields.
Show Advanced Settings / Hide Advanced Settings: Click this button to display a greater or lesser number of configuration fields.
Table 41 Configuration > Network > Interface > Ethernet > Edit (continued)
Subnet Mask: Enter the subnet mask of this interface in dot decimal notation. The subnet mask indicates what part of the IP address is the same for all computers in the network.
Gateway: This option appears when Interface Type is external or general. Enter the IP address of the gateway. The ZyWALL sends packets to the gateway when it does not know how to route the packet to its destination.
Table 41 Configuration > Network > Interface > Ethernet > Edit (continued)
Address: This field displays the combined IPv6 IP address for this interface. Note: This field displays the combined address after you click OK and reopen this screen.
DHCPv6 Setting
DUID: This field displays the DHCP Unique IDentifier (DUID) of the interface, which is unique and used for identification purposes when the interface is exchanging DHCPv6 messages with others.
Table 41 Configuration > Network > Interface > Ethernet > Edit (continued)
Advertised Hosts Get Other Configuration From DHCPv6: Select this to have the ZyWALL indicate to hosts to obtain DNS information through DHCPv6.
Router Preference: Select the router preference (Low, Medium or High) for the interface. The interface sends this preference in the router advertisements to tell hosts what preference they should use for the ZyWALL.
Table 41 Configuration > Network > Interface > Ethernet > Edit (continued)
Egress Bandwidth: Enter the maximum amount of traffic, in kilobits per second, the ZyWALL can send through the interface to the network. Allowed values are 0 - 1048576.
Ingress Bandwidth: This is reserved for future use.
MTU: Maximum Transmission Unit. Type the maximum size of each data packet, in bytes, that can move through this interface.
Table 41 Configuration > Network > Interface > Ethernet > Edit (continued)
IP Pool Start Address: Enter the IP address from which the ZyWALL begins allocating IP addresses. If you want to assign a static IP address to a specific computer, use the Static DHCP Table. If this field is blank, the Pool Size must also be blank.
Table 41 Configuration > Network > Interface > Ethernet > Edit (continued)
Enable IP/MAC Binding: Select this option to have this interface enforce links between specific IP addresses and specific MAC addresses. This stops anyone else from manually using a bound IP address on another device connected to this interface. Use this to make sure only the intended users get to use specific IP addresses.
Table 41 Configuration > Network > Interface > Ethernet > Edit (continued)
Authentication: Select an authentication method, or disable authentication. To exchange OSPF routing information with peer border routers, you must use the same authentication method that they use.
Figure 78 Object References
The following table describes labels that can appear in this screen.
Table 42 Object References
Object Name: This identifies the object for which the configuration settings that use it are displayed. Click the object’s name to display the object’s configuration screen in the main window.
#: This field is a sequential value, and it is not associated with any entry.
Select a DHCPv6 request or lease object in the Select one object field and click OK to save it. Click Cancel to exit without saving the setting.
7.3.4 Add/Edit DHCP Extended Options
When you configure an interface as a DHCPv4 server, you can additionally add DHCP extended options, which have the ZyWALL add more information in the DHCP packets. The available fields vary depending on the DHCP option you select in this screen.
Table 43 Configuration > Network > Interface > Ethernet > Edit > Add/Edit Extended Options
First Information, Second Information: If you selected VIVS (125), enter additional information for the corresponding enterprise number in these fields.
OK: Click this to close this screen and update the settings to the previous Edit screen.
Cancel: Click Cancel to close the screen.
Figure 81 Example: PPPoE/PPTP Interfaces
PPPoE/PPTP interfaces are similar to other interfaces in some ways. They have an IP address, subnet mask, and gateway used to make routing decisions; they restrict bandwidth and packet size; and they can verify the gateway is available. There are two main differences between PPPoE/PPTP interfaces and other interfaces.
• You must also configure an ISP account object for the PPPoE/PPTP interface to use.
Each field is described in the table below.
Table 45 Configuration > Network > Interface > PPP
User Configuration / System Default: The ZyWALL comes with the (non-removable) System Default PPP interfaces preconfigured. You can create (and delete) User Configuration PPP interfaces.
Add: Click this to create a new user-configured PPP interface.
Edit: Double-click an entry or select it and click Edit to open a screen where you can modify the entry’s settings.
Figure 83 Configuration > Network > Interface > PPP > Add
Each field is explained in the following table.
Table 46 Configuration > Network > Interface > PPP > Add
IPv4/IPv6 View / IPv4 View / IPv6 View: Use this button to display both IPv4 and IPv6, IPv4-only, or IPv6-only configuration fields.
Show Advanced Settings / Hide Advanced Settings: Click this button to display a greater or lesser number of configuration fields.
Table 46 Configuration > Network > Interface > PPP > Add (continued)
IP Address: This field is enabled if you select Use Fixed IP Address. Enter the IP address for this interface.
Metric: Enter the priority of the gateway (the ISP) on this interface. The ZyWALL decides which gateway to use based on this priority. The lower the number, the higher the priority.
IPv6 Address Assignment
Table 46 Configuration > Network > Interface > PPP > Add (continued)
Enable Rapid Commit: Select this to shorten the DHCPv6 message exchange process from four to two steps. This function helps reduce heavy network traffic load. Note: Make sure you also enable this option in the DHCPv6 clients to make rapid commit work.
Request Address: Select this to get an IPv6 IP address for this interface from the DHCP server.
Table 46 Configuration > Network > Interface > PPP > Add (continued)
Check this address: Select this to specify a domain name or IP address for the connectivity check. Enter that domain name or IP address in the field next to it.
Check Port: This field only displays when you set the Check Method to tcp. Specify the port number to use for a TCP connectivity check.
Aside from selecting the 3G network, the 3G card may also select an available 2.5G or 2.75G network automatically. See the following table for a comparison between 2G, 2.5G, 2.75G and 3G wireless technologies.
Table 47 2G, 2.5G, 2.75G, 3G and 3.5G Wireless Technologies
NAME | TYPE | MOBILE PHONE AND DATA STANDARDS: GSM-BASED | CDMA-BASED
2G | Circuit-switched | GSM (Global System for Mobile Communications), Personal Handyphone System (PHS), etc. |
Figure 84 Configuration > Network > Interface > Cellular
The following table describes the labels in this screen.
Table 48 Configuration > Network > Interface > Cellular
Add: Click this to create a new cellular interface.
Edit: Double-click an entry or select it and click Edit to open a screen where you can modify the entry’s settings.
Remove: To remove an entry, select it and click Remove. The ZyWALL confirms you want to remove it before doing so.
Figure 85 Configuration > Network > Interface > Cellular > Add
The following table describes the labels in this screen.
Table 49 Configuration > Network > Interface > Cellular > Add
Show Advanced Settings / Hide Advanced Settings: Click this button to display a greater or lesser number of configuration fields.
General Settings
Enable Interface: Select this option to turn on this interface.
Interface Properties
Interface Name: Select a name for the interface.
Table 49 Configuration > Network > Interface > Cellular > Add (continued)
User Name: This field displays when you select an authentication type other than None. This field is read-only if you selected Device in the profile selection. If this field is configurable, enter the user name for this 3G card exactly as the service provider gave it to you. You can use 1 ~ 64 alphanumeric and #:%-_@$./ characters. The first character must be alphanumeric or -_@$./.
Table 49 Configuration > Network > Interface > Cellular > Add (continued)
Check Period: Enter the number of seconds between connection check attempts.
Check Timeout: Enter the number of seconds to wait for a response before the attempt is a failure.
Check Fail Tolerance: Enter the number of consecutive failures before the ZyWALL stops routing through the gateway.
Check Default Gateway: Select this to use the default gateway for the connectivity check.
Table 49 Configuration > Network > Interface > Cellular > Add (continued)
Network Selection: Home network is the network to which you are originally subscribed. Select Home to have the 3G device connect only to the home network. If the home network is down, the ZyWALL’s 3G Internet connection is also unavailable.
Table 49 Configuration > Network > Interface > Cellular > Add (continued)
Log: Select None to not create a log when the ZyWALL takes this action, Log to create a log, or Log-alert to create an alert log. If you select Log or Log-alert you can also select recurring every to have the ZyWALL send a log or alert for this event periodically. Specify how often (from 1 to 65535 minutes) to send the log or alert.
OK: Click OK to save your changes back to the ZyWALL.
• your ZyWALL has a public IPv4 IP address given from your ISP, and
• you want to transmit your IPv6 packets to one and only one remote site whose LAN network is also an IPv6 network.
With this mode, the ZyWALL encapsulates IPv6 packets within IPv4 packets across the Internet. You must know the WAN IP address of the remote gateway device. This mode is normally used for a site-to-site application such as two branch offices.
Figure 89 6to4 Tunnel
7.6.1 Configuring a Tunnel
This screen lists the ZyWALL’s configured tunnel interfaces. To access this screen, click Network > Interface > Tunnel.
Figure 90 Network > Interface > Tunnel
Each field is explained in the following table.
Table 50 Network > Interface > Tunnel
Add: Click this to create a new GRE tunnel interface.
Table 50 Network > Interface > Tunnel (continued)
Status: The activate (light bulb) icon is lit when the entry is active and dimmed when the entry is inactive.
Name: This field displays the name of the interface.
IP Address: This is the IP address of the interface. If the interface is active (and connected), the ZyWALL tunnels local traffic sent to this IP address to the Remote Gateway Address.
Figure 91 Network > Interface > Tunnel > Add/Edit
Each field is explained in the following table.
Table 51 Network > Interface > Tunnel > Add/Edit
Show Advanced Settings / Hide Advanced Settings: Click this button to display a greater or lesser number of configuration fields.
General Settings
Enable: Select this to enable this interface. Clear this to disable this interface.
Table 51 Network > Interface > Tunnel > Add/Edit (continued)
Tunnel Mode: Select the tunneling protocol of the interface (GRE, IPv6-in-IPv4 or 6to4). See Section 7.6 on page 140 for more information.
IP Address Assignment: This section is available if you are configuring a GRE tunnel.
IP Address: Enter the IP address for this interface.
Subnet Mask: Enter the subnet mask of this interface in dot decimal notation.
Table 51 Network > Interface > Tunnel > Add/Edit (continued)
Interface Parameters
Egress Bandwidth: Enter the maximum amount of traffic, in kilobits per second, the ZyWALL can send through the interface to the network. Allowed values are 0 - 1048576. This setting is used in WAN load balancing and bandwidth management.
Ingress Bandwidth: This is reserved for future use.
MTU: Maximum Transmission Unit.
7.7 VLAN Interfaces
A Virtual Local Area Network (VLAN) divides a physical network into multiple logical networks. The standard is defined in IEEE 802.1Q.
Figure 92 Example: Before VLAN
In this example, there are two physical networks and three departments A, B, and C. The physical networks are connected to hubs, and the hubs are connected to the router. Alternatively, you can divide the physical networks into three VLANs.
This approach provides a few advantages.
• Increased performance - In VLAN 2, the extra switch should route traffic inside the sales department faster than the router does. In addition, broadcasts are limited to smaller, more logical groups of users.
• Higher security - If each computer has a separate physical connection to the switch, then broadcast traffic in each VLAN is never sent to computers in another VLAN.
Chapter 7 Interfaces Figure 94 Configuration > Network > Interface > VLAN Each field is explained in the following table. Table 52 Configuration > Network > Interface > VLAN LABEL DESCRIPTION Configuratio n / IPv6 Configuratio n Use the Configuration section for IPv4 network settings. Use the IPv6 Configuration section for IPv6 network settings if you connect your ZyWALL to an IPv6 network. Both sections have similar fields as described below.
Chapter 7 Interfaces Table 52 Configuration > Network > Interface > VLAN (continued) LABEL DESCRIPTION Apply Click Apply to save your changes back to the ZyWALL. Reset Click Reset to return the screen to its last-saved settings. 7.7.2 VLAN Add/Edit This screen lets you configure IP address assignment, interface bandwidth parameters, DHCP settings, and connectivity check for each VLAN interface. To access this screen, click the Create Virtual Interface icon in the VLAN Summary screen.
Chapter 7 Interfaces Figure 95 Configuration > Network > Interface > VLAN > Create Virtual Interface ZyWALL 110/310/1100 Series User’s Guide 151
Chapter 7 Interfaces Each field is explained in the following table. Table 53 Configuration > Network > Interface > VLAN > Create Virtual Interface LABEL DESCRIPTION IPv4/IPv6 View / IPv4 View / IPv6 View Use this button to display both IPv4 and IPv6, IPv4-only, or IPv6-only configuration fields. Show Advanced Settings / Hide Advanced Settings Click this button to display a greater or lesser number of configuration fields.
Chapter 7 Interfaces Table 53 Configuration > Network > Interface > VLAN > Create Virtual Interface (continued) LABEL Gateway DESCRIPTION This field is enabled if you select Use Fixed IP Address. Enter the IP address of the gateway. The ZyWALL sends packets to the gateway when it does not know how to route the packet to its destination. The gateway should be on the same network as the interface. Metric IPv6 Address Assignment Enter the priority of the gateway (if any) on this interface.
Table 53 Configuration > Network > Interface > VLAN > Create Virtual Interface (continued)
DHCPv6 Setting
DUID: This field displays the DHCP Unique IDentifier (DUID) of the interface, which is unique and used for identification purposes when the interface is exchanging DHCPv6 messages with others. See DHCPv6 on page 107 for more information.
DUID as MAC: Select this to have the DUID generated from the interface’s default MAC address.
Table 53 Configuration > Network > Interface > VLAN > Create Virtual Interface (continued)
Router Preference: Select the router preference (Low, Medium or High) for the interface. The interface sends this preference in the router advertisements to tell hosts what preference they should use for the ZyWALL. This helps hosts choose their default router, especially when there are multiple IPv6 routers in the network.
Table 53 Configuration > Network > Interface > VLAN > Create Virtual Interface (continued)
MTU: Maximum Transmission Unit. Type the maximum size of each data packet, in bytes, that can move through this interface. If a larger packet arrives, the ZyWALL divides it into smaller fragments. Allowed values are 576 - 1500. Usually, this value is 1500.
Connectivity Check
Table 53 Configuration > Network > Interface > VLAN > Create Virtual Interface (continued)
Pool Size: Enter the number of IP addresses to allocate. This number must be at least one and is limited by the interface’s Subnet Mask. For example, if the Subnet Mask is 255.255.255.0 and IP Pool Start Address is 10.10.10.10, the ZyWALL can allocate 10.10.10.10 to 10.10.10.254, or 245 IP addresses. If this field is blank, the IP Pool Start Address must also be blank.
Table 53 Configuration > Network > Interface > VLAN > Create Virtual Interface (continued)
Add: Click this to create a new entry.
Edit: Select an entry and click this to be able to modify it.
Remove: Select an entry and click this to delete it.
#: This field is a sequential value, and it is not associated with a specific entry.
IP Address: Enter the IP address to assign to a device with this entry’s MAC address.
Table 53 Configuration > Network > Interface > VLAN > Create Virtual Interface (continued)
MD5 Authentication Key: This field is available if the Authentication is MD5. Type the password for MD5 authentication. The password can consist of alphanumeric characters and the underscore, and it can be up to 16 characters long.
Related Setting
Configure WAN TRUNK: Click WAN TRUNK to go to a screen where you can set this VLAN to be part of a WAN trunk for load balancing.
If computer B responds to computer A, bridge X records the source address 0B:0B:0B:0B:0B:0B and port 4 in the table. It also looks up 0A:0A:0A:0A:0A:0A in the table and sends the packet to port 2 accordingly.

Table 55 Example: Bridge Table After Computer B Responds to Computer A
MAC ADDRESS        PORT
0A:0A:0A:0A:0A:0A  2
0B:0B:0B:0B:0B:0B  4

Bridge Interface Overview

A bridge interface creates a software bridge between the members of the bridge interface.
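The learning and lookup behaviour described above, as an added example that is not ZyWALL code: a minimal learning bridge that records source MAC to port, floods unknown destinations, and forwards known ones. Port numbers and MAC addresses are the ones in the text's example; the four-port bridge is an assumption.

```python
"""Learning-bridge model of the MAC table example (added illustration, not ZyWALL code)."""
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

BROADCAST = "FF:FF:FF:FF:FF:FF"


@dataclass
class Bridge:
    """Maps source MAC -> port on which it was last seen; floods unknown destinations."""
    ports: Tuple[int, ...]
    table: Dict[str, int] = field(default_factory=dict)

    def forward(self, src_mac: str, dst_mac: str, in_port: int) -> List[int]:
        """Learn src_mac on in_port, then return the ports the frame is sent out of."""
        if in_port not in self.ports:
            raise ValueError(f"unknown port {in_port}")
        # Learning step: the entry is (re)written on every frame, so the table
        # always reflects the most recent port a source address was seen on.
        self.table[src_mac.upper()] = in_port
        out_port = self.table.get(dst_mac.upper())
        if out_port is None or dst_mac.upper() == BROADCAST:
            # Unknown or broadcast destination: flood to every port except the ingress.
            return [p for p in self.ports if p != in_port]
        if out_port == in_port:
            # Destination is on the sender's own segment: nothing to forward.
            return []
        return [out_port]


def bridge_example() -> Tuple[List[int], List[int], Dict[str, int]]:
    """Replay the text: A (port 2) sends to B while B is unknown, then B (port 4) replies."""
    a, b = "0A:0A:0A:0A:0A:0A", "0B:0B:0B:0B:0B:0B"
    bridge = Bridge(ports=(1, 2, 3, 4))  # assumed 4-port bridge X
    first = bridge.forward(a, b, in_port=2)   # B not yet learned -> flooded to 1, 3, 4
    second = bridge.forward(b, a, in_port=4)  # A already learned -> sent only to port 2
    return first, second, dict(bridge.table)
```

The table after the second call matches Table 55; note that a later frame with the same source address on a different port silently replaces the entry, which is why a learned table is never an authentication of where a host is.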
Figure 96 Configuration > Network > Interface > Bridge

Each field is described in the following table.

Table 57 Configuration > Network > Interface > Bridge
Configuration / IPv6 Configuration: Use the Configuration section for IPv4 network settings. Use the IPv6 Configuration section for IPv6 network settings if you connect your ZyWALL to an IPv6 network. Both sections have similar fields as described below.
Add: Click this to create a new entry.
7.8.2 Bridge Add/Edit

This screen lets you configure IP address assignment, interface bandwidth parameters, DHCP settings, and connectivity check for each bridge interface. To access this screen, click the Create Virtual Interface icon in the Bridge Summary screen. The following screen appears.
Figure 97 Configuration > Network > Interface > Bridge > Create Virtual Interface
Each field is described in the table below.

Table 58 Configuration > Network > Interface > Bridge > Create Virtual Interface
IPv4/IPv6 View / IPv4 View / IPv6 View: Use this button to display both IPv4 and IPv6, IPv4-only, or IPv6-only configuration fields.
Show Advanced Settings / Hide Advanced Settings: Click this button to display a greater or lesser number of configuration fields.
Table 58 Configuration > Network > Interface > Bridge > Create Virtual Interface (continued)
IP Address: This field is enabled if you select Use Fixed IP Address. Enter the IP address for this interface.
Subnet Mask: This field is enabled if you select Use Fixed IP Address. Enter the subnet mask of this interface in dot decimal notation. The subnet mask indicates what part of the IP address is the same for all computers in the network.
Table 58 Configuration > Network > Interface > Bridge > Create Virtual Interface (continued)
Suffix Address: Enter the ending part of the IPv6 address, a slash (/), and the prefix length. The ZyWALL will append it to the delegated prefix. For example, if you got a delegated prefix of 2003:1234:5678/48 and want to configure an IP address of 2003:1234:5678:1111::1/128 for this interface, enter ::1111:0:0:0:1/128 in this field.
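The prefix-plus-suffix combination from the Suffix Address row, as an added example that is not ZyWALL code. It assumes the text's "2003:1234:5678/48" denotes the network 2003:1234:5678::/48, and it rejects a suffix that would overwrite bits inside the delegated prefix, which the field description does not spell out.

```python
"""Combine a delegated IPv6 prefix with a Suffix Address value (added illustration)."""
import ipaddress


def combine_prefix_and_suffix(delegated: str, suffix: str) -> str:
    """Return the interface address formed by OR-ing the suffix into the delegated prefix.

    `delegated` is the prefix received via prefix delegation, e.g. "2003:1234:5678::/48".
    `suffix` is the Suffix Address field value, e.g. "::1111:0:0:0:1/128"; its prefix
    length becomes the prefix length of the resulting address.
    """
    net = ipaddress.IPv6Network(delegated, strict=False)
    suffix_iface = ipaddress.IPv6Interface(suffix)
    suffix_int = int(suffix_iface.ip)
    # The suffix may only set bits that lie outside the delegated prefix; anything
    # inside the /48 would silently change the network the ISP delegated.
    if suffix_int & int(net.netmask):
        raise ValueError("suffix sets bits inside the delegated prefix")
    if suffix_iface.network.prefixlen < net.prefixlen:
        raise ValueError("resulting prefix length is shorter than the delegated prefix")
    combined = int(net.network_address) | suffix_int
    return f"{ipaddress.IPv6Address(combined)}/{suffix_iface.network.prefixlen}"


def suffix_example() -> str:
    """The text's case: delegated /48 plus ::1111:0:0:0:1/128."""
    return combine_prefix_and_suffix("2003:1234:5678::/48", "::1111:0:0:0:1/128")
```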
Table 58 Configuration > Network > Interface > Bridge > Create Virtual Interface (continued)
Advertised Hosts Get Network Configuration From DHCPv6: Select this to have the ZyWALL indicate to hosts to obtain network settings (such as prefix and DNS settings) through DHCPv6. Clear this to have the ZyWALL indicate to hosts that DHCPv6 is not available and they should use the prefix in the router advertisement message.
Table 58 Configuration > Network > Interface > Bridge > Create Virtual Interface (continued)
Address: This is the final network prefix combined by the selected delegated prefix and the suffix. Note: This field displays the combined address after you click OK and reopen this screen.
Interface Parameters
Egress Bandwidth: Enter the maximum amount of traffic, in kilobits per second, the ZyWALL can send through the interface to the network.
Table 58 Configuration > Network > Interface > Bridge > Create Virtual Interface (continued)
First WINS Server, Second WINS Server: Type the IP address of the WINS (Windows Internet Naming Service) server that you want to send to the DHCP clients. The WINS server keeps a mapping table of the computer names on your network and the IP addresses that they are currently using.
Table 58 Configuration > Network > Interface > Bridge > Create Virtual Interface (continued)
Enable Connectivity Check: Select this to turn on the connection check.
Check Method: Select the method that the gateway allows. Select icmp to have the ZyWALL regularly ping the gateway you specify to make sure it is still available. Select tcp to have the ZyWALL regularly perform a TCP handshake with the gateway you specify to make sure it is still available.
7.9.1 Virtual Interfaces Add/Edit

This screen lets you configure IP address assignment and interface parameters for virtual interfaces. To access this screen, click the Create Virtual Interface icon in the Ethernet, VLAN, or bridge interface summary screen.

Figure 98 Configuration > Network > Interface > Create Virtual Interface

Each field is described in the table below.
Table 59 Configuration > Network > Interface > Create Virtual Interface (continued)
Ingress Bandwidth: This is reserved for future use. Enter the maximum amount of traffic, in kilobits per second, the ZyWALL can receive from the network through the interface. Allowed values are 0 - 1048576.
OK: Click OK to save your changes back to the ZyWALL.
Cancel: Click Cancel to exit this screen without saving.

7.
In the example above, if the ZyWALL gets a packet with a destination address of 5.5.5.5, it might not find any entries in the routing table. In this case, the packet is dropped. However, if there is a default router to which the ZyWALL should send this packet, you can specify it as a gateway in one of the interfaces. For example, if there is a default router at 200.200.200.100, you can create a gateway at 200.200.200.100 on ge2.
In the ZyWALL, some interfaces can provide DHCP services to the network. In this case, the interface can be a DHCP relay or a DHCP server. As a DHCP relay, the interface routes DHCP requests to DHCP servers on different networks. You can specify more than one DHCP server. If you do, the interface routes DHCP requests to all of them. It is possible for an interface to be a DHCP relay and a DHCP client simultaneously.
PPPoE/PPTP Overview

Point-to-Point Protocol over Ethernet (PPPoE, RFC 2516) and Point-to-Point Tunneling Protocol (PPTP, RFC 2637) are usually used to connect two computers over phone lines or broadband connections. PPPoE is often used with cable modems and DSL connections. It provides the following advantages:
• The access and authentication method works with existing systems, including RADIUS.
• You can access one of several network services.
Chapter 8 Trunk

8.1 Overview

Use trunks for WAN traffic load balancing to increase overall network throughput and reliability. Load balancing divides traffic loads between multiple interfaces. This allows you to improve quality of service and maximize bandwidth utilization for multiple ISP links. Maybe you have two Internet connections with different bandwidths.
• If that interface’s connection goes down, the ZyWALL can still send its traffic through another interface.
• You can define multiple trunks for the same physical interfaces.

Link Sticking

You can have the ZyWALL send each local computer’s traffic that is going to the same destination through a single WAN interface for a specified period of time. This is useful when a server requires authentication.
Figure 101 Least Load First Example

The outbound bandwidth utilization is used as the load balancing index. In this example, the measured (current) outbound throughput of WAN 1 is 412K and WAN 2 is 198K. The ZyWALL calculates the load balancing index as shown in the table below. Since WAN 2 has a smaller load balancing index (meaning that it is less utilized than WAN 1), the ZyWALL will send the subsequent new session traffic through WAN 2.
Spillover

The spillover load balancing algorithm sends network traffic to the first interface in the trunk member list until the interface’s maximum allowable load is reached, then sends the excess network traffic of new sessions to the next interface in the trunk member list. This continues as long as there are more member interfaces and traffic to be sent through them. Suppose the first trunk member interface uses an unlimited access Internet connection and the second is billed by usage.
The following table describes the items in this screen.

Table 64 Configuration > Network > Interface > Trunk
Show Advanced Settings / Hide Advanced Settings: Click this button to display a greater or lesser number of configuration fields.
Enable Link Sticking: Enable link sticking to have the system route sessions from one source to the same destination through the same link for a period of time.
Figure 105 Configuration > Network > Interface > Trunk > Add (or Edit)

Each field is described in the table below.

Table 65 Configuration > Network > Interface > Trunk > Add (or Edit)
Name: This is read-only if you are editing an existing trunk. When adding a new trunk, enter a descriptive name for this trunk. You may use 1-31 alphanumeric characters, underscores (_), or dashes (-), but the first character cannot be a number. This value is case-sensitive.
Table 65 Configuration > Network > Interface > Trunk > Add (or Edit) (continued)
Member: Click this table cell and select an interface to be a group member. If you select an interface that is part of another Ethernet interface, the ZyWALL does not send traffic through the interface as part of the trunk. For example, if you have physical port 5 in the ge2 representative interface, you must select interface ge2 in order to send traffic through port 5 as part of the trunk.
Figure 106 Configuration > Network > Interface > Trunk > Edit (System Default)

Each field is described in the table below.

Table 66 Configuration > Network > Interface > Trunk > Edit (System Default)
Name: This field displays the name of the selected system default trunk.
Load Balancing Algorithm: Select the load balancing method to use for the trunk. Select Weighted Round Robin to balance the traffic load between interfaces based on their respective weights.
Table 66 Configuration > Network > Interface > Trunk > Edit (System Default) (continued)
Spillover: This field displays with the spillover load balancing algorithm. Specify the maximum bandwidth of traffic in kilobits per second (1~1048576) to send out through the interface before using another interface. When this spillover bandwidth limit is exceeded, the ZyWALL sends new session traffic through the next interface.
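The three trunk algorithms this chapter describes (Weighted Round Robin, Least Load First and Spillover), as one added example that is not ZyWALL code. The measured throughputs 412K and 198K are the text's; the egress bandwidths, weights and spillover limit are assumed values, and the per-session schedule for WRR and the behaviour when every member is over its spillover limit are simplifying assumptions.

```python
"""Per-session WAN trunk member selection (added illustration, not ZyWALL code)."""
from dataclasses import dataclass
from itertools import cycle
from typing import Dict, List


@dataclass
class Member:
    name: str
    egress_kbps: int          # configured outbound bandwidth of the interface
    current_kbps: int         # measured (current) outbound throughput
    weight: int = 1           # Weighted Round Robin weight
    spillover_kbps: int = 0   # Spillover limit; 0 means "no limit"

    @property
    def load_index(self) -> float:
        """Least Load First index: outbound bandwidth utilisation (used / available)."""
        return self.current_kbps / self.egress_kbps


def least_load_first(members: List[Member]) -> str:
    """New sessions go to the member whose outbound utilisation is currently lowest."""
    return min(members, key=lambda m: m.load_index).name


def spillover(members: List[Member]) -> str:
    """Use members in list order; move to the next one only once the current
    member's spillover limit has been exceeded."""
    for m in members:
        if m.spillover_kbps == 0 or m.current_kbps < m.spillover_kbps:
            return m.name
    # Assumption: with every member over its limit, keep using the last one.
    return members[-1].name


def weighted_round_robin(members: List[Member], sessions: int) -> List[str]:
    """Spread new sessions over members in proportion to their weights."""
    schedule = [m.name for m in members for _ in range(m.weight)]
    rotation = cycle(schedule)
    return [next(rotation) for _ in range(sessions)]


def trunk_example() -> Dict[str, object]:
    """The chapter's two-WAN case; bandwidths, weights and limit are constructed."""
    wan1 = Member("wan1", egress_kbps=512, current_kbps=412, weight=3, spillover_kbps=500)
    wan2 = Member("wan2", egress_kbps=256, current_kbps=198, weight=1)
    return {
        "llf": least_load_first([wan1, wan2]),          # 198/256 < 412/512 -> wan2
        "spillover": spillover([wan1, wan2]),           # 412 < 500 limit -> still wan1
        "wrr": weighted_round_robin([wan1, wan2], 4),   # 3 sessions on wan1, 1 on wan2
    }
```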
Chapter 9 Policy and Static Routes

9.1 Policy and Static Routes Overview

Use policy routes and static routes to override the ZyWALL’s default routing behavior in order to send packets through the appropriate interface or VPN tunnel. For example, the next figure shows a computer (A) connected to the ZyWALL’s LAN interface. The ZyWALL routes most traffic from A to the Internet through the ZyWALL’s default gateway (R1).
9.1.2 What You Need to Know

Policy Routing

Traditionally, routing is based on the destination address only and the ZyWALL takes the shortest path to forward a packet. IP Policy Routing (IPPR) provides a mechanism to override the default routing behavior and alter the packet forwarding based on the policy defined by the network administrator. Policy-based routing is applied to incoming packets on a per interface basis, prior to the normal routing.
DiffServ (Differentiated Services) is a class of service (CoS) model that marks packets so that they receive specific per-hop treatment at DiffServ-compliant network devices along the route based on the application types and traffic flow. Packets are marked with DiffServ Code Points (DSCPs) indicating the level of service desired.
Figure 108 Configuration > Network > Routing > Policy Route

The following table describes the labels in this screen.

Table 67 Configuration > Network > Routing > Policy Route
Show Advanced Settings / Hide Advanced Settings: Click this button to display a greater or lesser number of configuration fields.
IPv4 Configuration / IPv6 Configuration: Use the IPv4 Configuration section for IPv4 network settings.
Table 67 Configuration > Network > Routing > Policy Route (continued)
DSCP Code: This is the DSCP value of incoming packets to which this policy route applies. any means all DSCP values or no DSCP marker. default means traffic with a DSCP value of 0. This is usually best effort traffic. The “af” entries stand for Assured Forwarding. The number following the “af” identifies one of four classes and one of three drop preferences.
Figure 109 Configuration > Network > Routing > Policy Route > Add/Edit (IPv4 Configuration)
Figure 110 Configuration > Network > Routing > Policy Route > Add/Edit (IPv6 Configuration)

The following table describes the labels in this screen.

Table 68 Configuration > Network > Routing > Policy Route > Add/Edit
Show Advanced Settings / Hide Advanced Settings: Click this button to display a greater or lesser number of configuration fields.
Create new Object: Use this to configure any new settings objects that you need to use in this screen.
Table 68 Configuration > Network > Routing > Policy Route > Add/Edit (continued)
DSCP Code: Select a DSCP code point value of incoming packets to which this policy route applies or select User Define to specify another DSCP code point. The lower the number the higher the priority, with the exception of 0, which is usually given only best-effort treatment. any means all DSCP values or no DSCP marker. default means traffic with a DSCP value of 0.
Table 68 Configuration > Network > Routing > Policy Route > Add/Edit (continued)
DSCP Marking: Set how the ZyWALL handles the DSCP value of the outgoing packets that match this route. Select one of the pre-defined DSCP values to apply or select User Define to specify another DSCP value. The “af” choices stand for Assured Forwarding. The number following the “af” identifies one of four classes and one of three drop preferences.
The following table describes the labels in this screen.

Table 69 Configuration > Network > Routing > Static Route
IPv4 Configuration / IPv6 Configuration: Use the IPv4 Configuration section for IPv4 network settings. Use the IPv6 Configuration section for IPv6 network settings if you connect your ZyWALL to an IPv6 network. Both sections have similar fields as described below.
Add: Click this to create a new static route.
The following table describes the labels in this screen.

Table 70 Configuration > Network > Routing > Static Route > Add
Destination IP: This parameter specifies the IP network address of the final destination. Routing is always based on network number. If you need to specify a route to a single host, enter the specific IP address here and use a subnet mask of 255.255.255.
the following twelve DSCP encodings from AF11 through AF43. The decimal equivalent is listed in brackets.
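The mapping between the "af" names used in the DSCP Code and DSCP Marking fields and their decimal DSCP values, plus the match semantics of any and default, as an added example that is not ZyWALL code. It uses the standard Assured Forwarding layout (RFC 2597: DSCP = 8 × class + 2 × drop precedence); the match function's behaviour for a User Define value is an assumption.

```python
"""DSCP helpers for the policy-route DSCP Code / DSCP Marking fields (added illustration)."""
import re
from typing import Dict

_AF_RE = re.compile(r"^af([1-4])([1-3])$")


def af_to_dscp(name: str) -> int:
    """Map 'af11' .. 'af43' to the decimal DSCP value, e.g. af11 -> 10, af43 -> 38."""
    m = _AF_RE.match(name.strip().lower())
    if not m:
        raise ValueError(f"not an Assured Forwarding code point: {name!r}")
    af_class, drop_precedence = int(m.group(1)), int(m.group(2))
    return 8 * af_class + 2 * drop_precedence


def dscp_to_name(dscp: int) -> str:
    """Reverse mapping: 0 -> 'default', AF values -> 'afXY', anything else -> decimal string."""
    if not 0 <= dscp <= 63:
        raise ValueError("DSCP is a 6-bit value (0-63)")
    if dscp == 0:
        return "default"
    af_class, rem = divmod(dscp, 8)
    if 1 <= af_class <= 4 and rem in (2, 4, 6):
        return f"af{af_class}{rem // 2}"
    return str(dscp)


def dscp_from_tos(tos_byte: int) -> int:
    """Extract the DSCP from the IPv4 TOS / IPv6 Traffic Class byte (top six bits)."""
    return (tos_byte & 0xFF) >> 2


def matches_dscp_code(packet_dscp: int, rule_value: str) -> bool:
    """Policy-route DSCP Code match as the table describes: 'any' matches every
    packet (marked or not), 'default' matches only DSCP 0, an 'afXY' name matches
    that exact value, and (assumption) a User Define value is a decimal number."""
    rule_value = rule_value.strip().lower()
    if rule_value == "any":
        return True
    if rule_value == "default":
        return packet_dscp == 0
    if _AF_RE.match(rule_value):
        return packet_dscp == af_to_dscp(rule_value)
    return packet_dscp == int(rule_value)


def af_table() -> Dict[str, int]:
    """The twelve AF code points AF11 .. AF43 with their decimal equivalents."""
    return {f"af{c}{d}": af_to_dscp(f"af{c}{d}") for c in range(1, 5) for d in range(1, 4)}
```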
Chapter 10 Routing Protocols

10.1 Routing Protocols Overview

Routing protocols give the ZyWALL routing information about the network from other routers. The ZyWALL stores this routing information in the routing table it uses to make routing decisions. In turn, the ZyWALL can also use routing protocols to propagate routing information to other routers. Routing protocols are usually only used in networks using multiple routers like campuses or large enterprises.

10.1.
its routes asynchronously to the network and converges slowly. Therefore, RIP is more suitable for small networks (up to 15 routers).
• In the ZyWALL, you can configure two sets of RIP settings before you can use it in an interface.
• First, the Authentication field specifies how to verify that the routing information that is received is the same routing information that is sent. This is discussed in more detail in Authentication Types on page 209.
Table 73 Configuration > Network > Routing Protocol > RIP (continued)
Redistribute Active OSPF: Select this to use RIP to advertise routes that were learned through OSPF.
Metric: Type the cost for routes provided by OSPF. The metric represents the “cost” of transmission for routing purposes. RIP routing uses hop count as the measurement of cost, with 1 usually used for directly connected networks.
• A normal area is a group of adjacent networks. A normal area has routing information about the OSPF AS, any networks outside the OSPF AS to which it is directly connected, and any networks outside the OSPF AS that provide routing information to any area in the OSPF AS.
• A stub area has routing information about the OSPF AS. It does not have any routing information about any networks outside the OSPF AS, including networks to which it is directly connected.
• An Autonomous System Boundary Router (ASBR) exchanges routing information with routers in networks outside the OSPF AS. This is called redistribution in OSPF.

Table 74 OSPF: Redistribution from Other Sources to Each Type of Area
SOURCE \ TYPE OF AREA   NORMAL   NSSA   STUB
Static routes           Yes      Yes    No
RIP                     Yes      Yes    Yes

• A backbone router (BR) has at least one interface with area 0. By default, every router in area 0 is a backbone router, and so is every ABR.
Figure 117 OSPF: Virtual Link

In this example, area 100 does not have a direct connection to the backbone. As a result, you should set up a virtual link on both ABRs in area 10. The virtual link becomes the connection between area 100 and the backbone. You cannot create a virtual link to a router in a different area.

OSPF Configuration

Follow these steps when you configure OSPF on the ZyWALL.
1 Enable OSPF.
2 Set up the OSPF areas.
3 Configure the appropriate interfaces.
Figure 118 Configuration > Network > Routing > OSPF

The following table describes the labels in this screen. See Section 10.3.2 on page 206 for more information as well.

Table 75 Configuration > Network > Routing Protocol > OSPF
OSPF Router ID: Select the 32-bit ID the ZyWALL uses in the OSPF AS. Default - the first available interface IP address is the ZyWALL’s ID.
Table 75 Configuration > Network > Routing Protocol > OSPF (continued)
Add: Click this to create a new OSPF area.
Edit: Double-click an entry or select it and click Edit to open a screen where you can modify the entry’s settings.
Remove: To remove an entry, select it and click Remove. The ZyWALL confirms you want to remove it before doing so.
#: This field is a sequential value, and it is not associated with a specific area.
The following table describes the labels in this screen.

Table 76 Configuration > Network > Routing > OSPF > Add
Area ID: Type the unique, 32-bit identifier for the area in IP address format.
Type: Select the type of OSPF area. Normal - This area is a normal area. It has routing information about the OSPF AS and about networks outside the OSPF AS. Stub - This area is a stub area.
10.3.3 Virtual Link Add/Edit Screen

The Virtual Link Add/Edit screen allows you to create a new virtual link or edit an existing one. When the OSPF add or edit screen (see Section 10.3.2 on page 206) has the Type set to Normal, a Virtual Link table displays. Click either the Add icon or an entry and the Edit icon to display a screen like the following.

Figure 120 Configuration > Network > Routing > OSPF > Add > Add

The following table describes the labels in this screen.
Authentication Types

Authentication is used to guarantee the integrity, but not the confidentiality, of routing updates. The transmitting router uses its key to condense the original message into a short digest, and the digest is transmitted together with the original message, which itself is sent unencrypted. The receiving router uses its own copy of the key to compute the digest of the received message and then verifies that it matches the digest sent with it; a mismatch indicates that the update was altered in transit or produced with a different key.
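The keyed-digest check described above (and the purpose of the Authentication field mentioned under RIP), as an added example that is not ZyWALL code. It follows the general shape of RIP-2 and OSPF MD5 authentication, where the digest is MD5 over the message followed by the 16-byte key, in a simplified form: the update payload is a constructed string rather than a real RIP or OSPF packet, and no sequence number is included.

```python
"""Keyed MD5 digest on a routing update: integrity without confidentiality (added illustration)."""
import hashlib
import hmac
from typing import Optional, Tuple

KEY_LEN = 16  # keys are padded (or truncated) to 16 bytes, as RIP-2/OSPF MD5 do


def _pad_key(key: bytes) -> bytes:
    return key[:KEY_LEN].ljust(KEY_LEN, b"\x00")


def sign_update(update: bytes, key: bytes) -> bytes:
    """Return the update followed by its 16-byte digest. The update stays readable
    on the wire; only the trailing digest depends on the key."""
    digest = hashlib.md5(update + _pad_key(key)).digest()
    return update + digest


def verify_update(wire: bytes, key: bytes) -> Optional[bytes]:
    """Recompute the digest over the received message with our key and compare.

    Returns the authenticated update, or None when the digests differ, which
    happens if the sender used another key or any byte of the update changed.
    """
    if len(wire) <= KEY_LEN:
        return None
    update, received = wire[:-KEY_LEN], wire[-KEY_LEN:]
    expected = hashlib.md5(update + _pad_key(key)).digest()
    # Constant-time compare so the check does not leak how many bytes matched.
    return update if hmac.compare_digest(expected, received) else None


def auth_example() -> Tuple[bool, bool, bool, bool]:
    """Good key, wrong key, altered message, and the clear-text property."""
    update = b"RIPv2 response: 10.10.0.0/16 metric 2 via 192.168.1.2"  # constructed payload
    key = b"routing-key-example"  # constructed key, not a real credential
    wire = sign_update(update, key)
    accepted = verify_update(wire, key) == update
    wrong_key = verify_update(wire, b"another-key") is None
    altered = bytearray(wire)
    altered[-KEY_LEN - 1] ^= 0x01            # flip one bit in the message part
    rejected = verify_update(bytes(altered), key) is None
    readable = update in wire                # integrity only: contents are not hidden
    return accepted, wrong_key, rejected, readable
```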
Chapter 11 Zones

11.1 Zones Overview

Set up zones to configure network security and network policies in the ZyWALL. A zone is a group of interfaces and/or VPN tunnels. The ZyWALL uses zones instead of interfaces in many security and policy settings, such as firewall rules, Anti-X, and remote management. Zones cannot overlap. Each Ethernet interface, VLAN interface, bridge interface, PPPoE/PPTP interface and VPN tunnel can be assigned to at most one zone.
Intra-zone Traffic
• Intra-zone traffic is traffic between interfaces or VPN tunnels in the same zone. For example, in Figure 121 on page 211, traffic between VLAN 2 and the Ethernet is intra-zone traffic.
• In each zone, you can either allow or prohibit all intra-zone traffic. For example, in Figure 121 on page 211, you might allow intra-zone traffic in the LAN zone but prohibit it in the WAN zone.
The following table describes the labels in this screen.

Table 78 Configuration > Network > Zone
User Configuration / System Default: The ZyWALL comes with pre-configured System Default zones that you cannot delete. You can create your own User Configuration zones.
Add: Click this to create a new, user-configured zone.
Edit: Double-click an entry or select it and click Edit to open a screen where you can modify the entry’s settings.
The following table describes the labels in this screen.

Table 79 Network > Zone > Add/Edit
Name: For a system default zone, the name is read only. For a user-configured zone, type the name used to refer to the zone. You may use 1-31 alphanumeric characters, underscores (_), or dashes (-), but the first character cannot be a number. This value is case-sensitive.
Member List: Available lists the interfaces and VPN tunnels that do not belong to any zone.
Chapter 12 DDNS

12.1 DDNS Overview

Dynamic DNS (DDNS) services let you use a domain name with a dynamic IP address.

12.1.1 What You Can Do in this Chapter
• Use the DDNS screen (see Section 12.2 on page 216) to view a list of the configured DDNS domain names and their details.
• Use the DDNS Add/Edit screen (see Section 12.2.1 on page 217) to add a domain name to the ZyWALL or to edit the configuration of an existing domain name.

12.1.
12.2 The DDNS Screen

The DDNS screen provides a summary of all DDNS domain names and their configuration. In addition, this screen allows you to add new domain names, edit the configuration for existing domain names, and delete domain names. Click Configuration > Network > DDNS to open the following screen.

Figure 124 Configuration > Network > DDNS

The following table describes the labels in this screen.
Table 81 Configuration > Network > DDNS (continued)
Apply: Click this button to save your changes to the ZyWALL.
Reset: Click this button to return the screen to its last-saved settings.

12.2.1 The Dynamic DNS Add/Edit Screen

The DDNS Add/Edit screen allows you to add a domain name to the ZyWALL or to edit the configuration of an existing domain name. Click Configuration > Network > DDNS and then an Add or Edit icon to open this screen.
Table 82 Configuration > Network > DDNS > Add (continued)
Username: Type the user name used when you registered your domain name. You can use up to 31 alphanumeric characters and the underscore. Spaces are not allowed. For a Dynu DDNS entry, this user name is the one you use for logging into the service, not the name recorded in your personal information in the Dynu website.
Password: Type the password provided by the DDNS provider.
Table 82 Configuration > Network > DDNS > Add (continued)
Enable Wildcard: This option is only available with a DynDNS account. Enable the wildcard feature to have subdomains aliased to the same IP address as your (dynamic) domain name. This feature is useful if you want to be able to use, for example, www.yourhost.dyndns.org and still reach your hostname.
Mail Exchanger: This option is only available with a DynDNS account.
Chapter 13 NAT

13.1 NAT Overview

NAT (Network Address Translation - NAT, RFC 1631) is the translation of the IP address of a host in a packet. For example, the source address of an outgoing packet, used within one network is changed to a different IP address known within another network. Use Network Address Translation (NAT) to make computers on a private network behind the ZyWALL available outside the private network.
13.2 The NAT Screen

The NAT summary screen provides a summary of all NAT rules and their configuration. In addition, this screen allows you to create new NAT rules and edit and delete existing NAT rules. To access this screen, log in to the Web Configurator and click Configuration > Network > NAT. The following screen appears, providing a summary of the existing NAT rules.

Figure 127 Configuration > Network > NAT

The following table describes the labels in this screen.
13.2.1 The NAT Add/Edit Screen

The NAT Add/Edit screen lets you create new NAT rules and edit existing ones. To open this window, open the NAT summary screen. (See Section 13.2 on page 222.) Then, click on an Add icon or Edit icon to open the following screen.

Figure 128 Configuration > Network > NAT > Add

The following table describes the labels in this screen.
Table 84 Configuration > Network > NAT > Add (continued)
Incoming Interface: Select the interface on which packets for the NAT rule must be received. It can be an Ethernet, VLAN, bridge, or PPPoE/PPTP interface.
Original IP: Specify the destination IP address of the packets received by this NAT rule’s specified incoming interface.
Table 84 Configuration > Network > NAT > Add (continued)
Mapped End Port: This field is available if Mapping Type is Ports. Enter the end of the range of translated destination ports if this NAT rule forwards the packet. The original port range and the mapped port range must be the same size.
Figure 129 LAN Computer Queries a Public DNS Server (DNS reply: xxx.LAN-SMTP.com = 1.1.1.1; LAN hosts 192.168.1.21 and 192.168.1.89)

The LAN user’s computer then sends traffic to IP address 1.1.1.1. NAT loopback uses the IP address of the ZyWALL’s LAN interface (192.168.1.1) as the source address of the traffic going from the LAN users to the LAN SMTP server.

Figure 130 LAN to LAN Traffic (NAT rewrites source 192.168.1.89 to source 192.168.1.1; SMTP server 192.168.1.21)
Figure 131 LAN to LAN Return Traffic (NAT rewrites source 192.168.1.21 to source 1.1.1.1; SMTP server 192.168.1.21)
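The address rewriting shown in Figures 130 and 131, as an added example that is not ZyWALL code. The addresses are the text's (LAN interface 192.168.1.1, SMTP server 192.168.1.21, LAN client 192.168.1.89, public address 1.1.1.1); the 1:1 rule, the session table keyed by source port, and the WAN client 203.0.113.7 are constructed for the model.

```python
"""NAT loopback model for the LAN-to-LAN SMTP case (added illustration, not ZyWALL code)."""
from dataclasses import dataclass, replace
from typing import Dict, Tuple


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    sport: int
    dport: int


class NatLoopback:
    """1:1 NAT of public_ip -> server_ip with loopback for clients on the LAN."""

    def __init__(self, lan_if_ip: str, public_ip: str, server_ip: str, lan_prefix: str):
        self.lan_if_ip = lan_if_ip
        self.public_ip = public_ip
        self.server_ip = server_ip
        self.lan_prefix = lan_prefix  # e.g. "192.168.1." (constructed shortcut for a subnet test)
        # (server, translated client src, client sport) -> original client src
        self.sessions: Dict[Tuple[str, str, int], str] = {}

    def _on_lan(self, ip: str) -> bool:
        return ip.startswith(self.lan_prefix)

    def to_server(self, pkt: Packet) -> Packet:
        """Client -> 1.1.1.1: rewrite the destination to the server. For a LAN client
        also rewrite the source to the LAN interface IP; otherwise the server would
        answer the client directly and the client would see a reply from 192.168.1.21
        instead of from 1.1.1.1 and discard it."""
        if pkt.dst != self.public_ip:
            return pkt  # not matched by this NAT rule
        new_src = self.lan_if_ip if self._on_lan(pkt.src) else pkt.src
        self.sessions[(self.server_ip, new_src, pkt.sport)] = pkt.src
        return replace(pkt, src=new_src, dst=self.server_ip)

    def from_server(self, pkt: Packet) -> Packet:
        """Server reply: look the session up and undo both translations."""
        key = (pkt.src, pkt.dst, pkt.dport)
        original_client = self.sessions.get(key)
        if original_client is None:
            return pkt  # no matching session: leave the packet alone
        return replace(pkt, src=self.public_ip, dst=original_client)


def loopback_example() -> Tuple[Packet, Packet]:
    """Figure 130 (LAN client to server) and Figure 131 (server reply) in one session."""
    nat = NatLoopback("192.168.1.1", "1.1.1.1", "192.168.1.21", "192.168.1.")
    forward = nat.to_server(Packet("192.168.1.89", "1.1.1.1", 40000, 25))
    reply = nat.from_server(Packet("192.168.1.21", forward.src, 25, 40000))
    return forward, reply
```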
Chapter 14 HTTP Redirect

14.1 Overview

HTTP redirect forwards the client’s HTTP request (except HTTP traffic destined for the ZyWALL) to a web proxy server. In the following example, proxy server A is connected to the DMZ interface. When a client connected to the LAN1 zone wants to open a web page, its HTTP request is redirected to proxy server A first. If proxy server A cannot find the web page in its cache, a policy route allows it to access the Internet to get it from a server.
A client connects to a web proxy server each time he/she wants to access the Internet. The web proxy provides caching service to allow quick access and reduce network usage. The proxy checks its local cache for the requested web resource first. If it is not found, the proxy gets it from the specified server and forwards the response to the client.
Figure 133 Configuration > Network > HTTP Redirect

The following table describes the labels in this screen.

Table 85 Configuration > Network > HTTP Redirect
Add: Click this to create a new entry.
Edit: Double-click an entry or select it and click Edit to open a screen where you can modify the entry’s settings.
Remove: To remove an entry, select it and click Remove. The ZyWALL confirms you want to remove it before doing so.
The following table describes the labels in this screen.
Table 86 Network > HTTP Redirect > Edit
Enable: Use this option to turn the HTTP redirect rule on or off.
Name: Enter a name to identify this rule. You may use 1-31 alphanumeric characters, underscores (_), or dashes (-), but the first character cannot be a number. This value is case-sensitive.
CHAPTER 15 ALG
15.1 ALG Overview
Application Layer Gateway (ALG) allows the following applications to operate properly through the ZyWALL’s NAT.
• SIP - Session Initiation Protocol (SIP) - An application-layer protocol that can be used to create voice and multimedia sessions over the Internet.
• H.323 - A teleconferencing protocol suite that provides audio, data and video conferencing.
• FTP - File Transfer Protocol - an Internet file transfer service.
FTP ALG
The FTP ALG allows TCP packets with a specified port destination to pass through. If the FTP server is located on the LAN, you must also configure NAT (port forwarding) and firewall rules if you want to allow access to the server from the WAN.
H.323 ALG
• The H.323 ALG supports peer-to-peer H.323 calls.
• The H.323 ALG handles H.323 calls that go through NAT or that the ZyWALL routes. You can also make other H.323 calls that do not go through NAT or routing.
Peer-to-Peer Calls and the ZyWALL
The ZyWALL ALG can allow peer-to-peer VoIP calls for both H.323 and SIP. You must configure the firewall and NAT (port forwarding) to allow incoming (peer-to-peer) calls from the WAN to a private IP address on the LAN (or DMZ).
VoIP Calls from the WAN with Multiple Outgoing Calls
When you configure the firewall and NAT (port forwarding) to allow calls from the WAN to a specific IP address on the LAN, you can also use policy routing to have H.
Figure 138 VoIP with Multiple WAN IP Addresses
• See Section 15.3 on page 238 for ALG background/technical information.
15.1.3 Before You Begin
You must also configure the firewall and enable NAT in the ZyWALL to allow sessions initiated from the WAN.
15.2 The ALG Screen
Click Configuration > Network > ALG to open the ALG screen. Use this screen to turn ALGs off or on, configure the port numbers to which they apply, and configure SIP ALG timeouts.
The following table describes the labels in this screen.
Table 87 Configuration > Network > ALG
Enable SIP ALG: Turn on the SIP ALG to detect SIP traffic and help build SIP sessions through the ZyWALL’s NAT.
Enable SIP Transformations: Select this to have the ZyWALL modify IP addresses and port numbers embedded in the SIP data payload.
15.3 ALG Technical Reference
Here is more detailed information about the Application Layer Gateway.
ALG
Some applications cannot operate through NAT (are NAT-unfriendly) because they embed IP addresses and port numbers in their packets’ data payload. The ZyWALL examines and uses the IP address and port number information embedded in the VoIP traffic’s data stream.
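What the SIP transformation described in Table 87 and in this technical reference actually does to a packet, as an added example (not the guide’s text and not the ZyWALL’s implementation): the LAN phone’s private address is embedded in the Via and Contact headers and in the SDP body, so plain NAT would leak it to the far end and the callee would try to send media to an unreachable address. The ALG rewrites those fields to the WAN address, fixes the Content-Length, and reports the media ports announced in the m= lines so the firewall can open only those pinholes for the call. The INVITE, the addresses 192.168.1.50 and 203.0.113.10 and the pinhole representation are constructed for this example.

```python
import re

PRIVATE_IP = "192.168.1.50"   # constructed: SIP phone on the LAN
PUBLIC_IP = "203.0.113.10"    # constructed: the ZyWALL's WAN address

# Constructed INVITE as a LAN phone would emit it: the private address is embedded
# in Via, Contact and in the SDP body (o= and c=), which is what breaks plain NAT.
SAMPLE_INVITE = (
    "INVITE sip:bob@example.net SIP/2.0\r\n"
    "Via: SIP/2.0/UDP 192.168.1.50:5060;branch=z9hG4bK776asdhds\r\n"
    "From: <sip:alice@example.net>;tag=1928301774\r\n"
    "To: <sip:bob@example.net>\r\n"
    "Contact: <sip:alice@192.168.1.50:5060>\r\n"
    "Content-Type: application/sdp\r\n"
    "Content-Length: 0\r\n"
    "\r\n"
    "v=0\r\n"
    "o=alice 2890844526 2890844526 IN IP4 192.168.1.50\r\n"
    "s=-\r\n"
    "c=IN IP4 192.168.1.50\r\n"
    "t=0 0\r\n"
    "m=audio 49170 RTP/AVP 0\r\n"
)


def sip_alg_transform(message, private_ip, public_ip):
    """Return (rewritten message, pinholes).

    Rewrites the private address in Via/Contact and in the SDP o=/c= lines,
    recomputes Content-Length, and reports the media ports announced in m=
    lines so the firewall/NAT can open only those (RTP) ports for the call.
    """
    head, sep, body = message.partition("\r\n\r\n")
    headers = []
    for line in head.split("\r\n"):
        name = line.split(":", 1)[0].strip().lower()
        if name in ("via", "contact"):
            line = line.replace(private_ip, public_ip)
        headers.append(line)

    body = body.replace("IN IP4 " + private_ip, "IN IP4 " + public_ip)

    # Media streams the phone expects to receive: (media type, port).  RTCP conventionally
    # uses port + 1; a real ALG tracks both and closes them when the call ends.
    pinholes = [(m.group(1), int(m.group(2)))
                for m in re.finditer(r"^m=(\w+) (\d+) ", body, re.MULTILINE)]

    length = len(body.encode())
    headers = [re.sub(r"^Content-Length:\s*\d+", f"Content-Length: {length}", h, flags=re.IGNORECASE)
               for h in headers]
    return "\r\n".join(headers) + sep + body, pinholes


def leaks_private_address(message, private_ip):
    """True if a private address would still reach the far end (what plain NAT sends)."""
    return private_ip in message


if __name__ == "__main__":
    rewritten, holes = sip_alg_transform(SAMPLE_INVITE, PRIVATE_IP, PUBLIC_IP)
    print(rewritten)
    print("pinholes to open:", holes)
```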
RTP
When you make a VoIP call using H.323 or SIP, the RTP (Real-time Transport Protocol) is used to handle voice data transfer. See RFC 1889 for details on RTP.
CHAPTER 16 IP/MAC Binding
16.1 IP/MAC Binding Overview
IP address to MAC address binding helps ensure that only the intended devices get to use privileged IP addresses. The ZyWALL uses DHCP to assign IP addresses and records the MAC address it assigned to each IP address. The ZyWALL then checks incoming connection attempts against this list. A user cannot manually assign another IP to his computer and use it to connect to the ZyWALL. Suppose you configure access privileges for IP address 192.168.1.
Interfaces Used With IP/MAC Binding
IP/MAC address bindings are grouped by interface. You can use IP/MAC binding with Ethernet, bridge, and VLAN interfaces. You can also enable or disable IP/MAC binding and logging in an interface’s configuration screen.
16.2 IP/MAC Binding Summary
Click Configuration > Network > IP/MAC Binding to open the IP/MAC Binding Summary screen. This screen lists the total number of IP to MAC address bindings for devices connected to each supported interface.
Figure 142 Configuration > Network > IP/MAC Binding > Edit
The following table describes the labels in this screen.
Table 89 Configuration > Network > IP/MAC Binding > Edit
IP/MAC Binding Settings
Interface Name: This field displays the name of the interface within the ZyWALL and the interface’s IP address and subnet mask.
Enable IP/MAC Binding: Select this option to have this interface enforce links between specific IP addresses and specific MAC addresses.
Figure 143 Configuration > Network > IP/MAC Binding > Edit > Add
The following table describes the labels in this screen.
Table 90 Configuration > Network > IP/MAC Binding > Edit > Add
Interface Name: This field displays the name of the interface within the ZyWALL and the interface’s IP address and subnet mask.
IP Address: Enter the IP address that the ZyWALL is to assign to a device with the entry’s MAC address.
Table 91 Configuration > Network > IP/MAC Binding > Exempt List (continued)
Remove: To remove an entry, select it and click Remove. The ZyWALL confirms you want to remove it before doing so.
#: This is the index number of the IP/MAC binding list entry.
Name: Enter a name to help identify this entry.
Start IP: Enter the first IP address in a range of IP addresses for which the ZyWALL does not apply IP/MAC binding.
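The enforcement logic that the overview, the per-interface Enable IP/MAC Binding option and the exempt list together describe, as an added example; this is a model written for this page, not the ZyWALL’s code. A connection attempt is allowed when its IP/MAC pair matches a recorded binding or the IP falls in an exempt range, and dropped (and logged) when the IP is bound to a different MAC or the MAC was assigned a different IP, which is the “user manually changed his address” case the chapter warns about. How an address with no binding at all is treated is a parameter of this model (allow_unbound), since the guide does not spell that case out; the bindings, MACs and exempt range below are constructed.

```python
import ipaddress
from dataclasses import dataclass, field


@dataclass
class IpMacBinding:
    """One interface's IP/MAC binding state (constructed model, not the ZyWALL's data structures)."""
    interface: str
    enabled: bool = True
    bindings: dict = field(default_factory=dict)       # ip -> mac, learned from DHCP or added statically
    exempt_ranges: list = field(default_factory=list)  # (name, start ip, end ip)
    log: list = field(default_factory=list)

    def bind(self, ip, mac):
        """Record what DHCP handed out (or a static binding added by the administrator)."""
        self.bindings[ip] = mac.lower()

    def add_exempt(self, name, start_ip, end_ip):
        self.exempt_ranges.append((name, ipaddress.ip_address(start_ip), ipaddress.ip_address(end_ip)))

    def is_exempt(self, ip):
        addr = ipaddress.ip_address(ip)
        return any(start <= addr <= end for _, start, end in self.exempt_ranges)

    def check(self, src_ip, src_mac, allow_unbound=False):
        """Return (verdict, reason) for an incoming connection attempt.

        allow_unbound is an assumption of this model: whether an IP with no
        binding, from a MAC with no binding, is let through.  Keeping it False
        means only addresses the gateway handed out (or the admin bound) work.
        """
        src_mac = src_mac.lower()
        if not self.enabled:
            return ("allow", "binding disabled on interface")
        if self.is_exempt(src_ip):
            return ("allow", "address in exempt list")
        bound_mac = self.bindings.get(src_ip)
        if bound_mac is not None:
            if bound_mac == src_mac:
                return ("allow", "ip/mac pair matches binding")
            self.log.append(f"{self.interface}: {src_ip} bound to {bound_mac}, seen from {src_mac}")
            return ("drop", "ip bound to a different mac")
        # The IP is unbound; was this MAC given some other address?
        for ip, mac in self.bindings.items():
            if mac == src_mac:
                self.log.append(f"{self.interface}: {src_mac} assigned {ip}, now using {src_ip}")
                return ("drop", "mac bound to a different ip")
        if allow_unbound:
            return ("allow", "no binding for ip or mac")
        self.log.append(f"{self.interface}: unbound {src_ip}/{src_mac}")
        return ("drop", "no binding for ip or mac")


if __name__ == "__main__":
    lan1 = IpMacBinding("lan1")
    lan1.bind("192.168.1.10", "00:11:22:33:44:01")          # constructed DHCP lease
    lan1.add_exempt("printers", "192.168.1.100", "192.168.1.120")
    for pkt in [("192.168.1.10", "00:11:22:33:44:01"), ("192.168.1.10", "00:11:22:33:44:02"),
                ("192.168.1.200", "00:11:22:33:44:01"), ("192.168.1.110", "00:11:22:33:44:99")]:
        print(pkt, lan1.check(*pkt))
    print(lan1.log)
```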
CHAPTER 17 Inbound Load Balancing
17.1 Inbound Load Balancing Overview
Inbound load balancing enables the ZyWALL to respond to a DNS query message with a different IP address for DNS name resolution. The ZyWALL checks which member interface has the least load and responds to the DNS query message with the interface’s IP address. In the following figure, an Internet host (A) sends a DNS query message to the DNS server (D) in order to resolve a domain name of www.example.com.
• Use the Inbound LB Add/Edit screen (see Section 17.2.1 on page 249) to add or edit a DNS load balancing rule.
17.2 The Inbound LB Screen
The Inbound LB screen provides a summary of all DNS load balancing rules and their details. You can also use this screen to add, edit, or remove the rules. Click Configuration > Network > Inbound LB to open the following screen.
Table 92 Configuration > Network > Inbound LB (continued)
Query From Address: This field displays the source IP address of the DNS query messages to which the ZyWALL applies the DNS load balancing rule.
Query From Zone: The ZyWALL applies the DNS load balancing rule to the query messages received from this zone.
Load Balancing Member: This field displays the member interfaces which the ZyWALL manages for load balancing.
Figure 147 Configuration > Network > Inbound LB > Add
The following table describes the labels in this screen.
Table 93 Configuration > Network > Inbound LB > Add/Edit
Create New Object: Use this to configure any new setting objects that you need to use in this screen.
General Settings
Enable: Select this to enable this DNS load balancing rule.
Table 93 Configuration > Network > Inbound LB > Add/Edit (continued)
Load Balancing Algorithm: Select a load balancing method to use from the drop-down list box. Select Weighted Round Robin to balance the traffic load between interfaces based on their respective weights. An interface with a larger weight gets more chances to transmit traffic than an interface with a smaller weight.
Figure 148 Configuration > Network > Inbound LB > Add/Edit > Add
The following table describes the labels in this screen.
Table 94 Configuration > Network > Inbound LB > Add/Edit > Add/Edit
Member: The ZyWALL checks each member interface’s loading in the order displayed here.
Monitor Interface: Select an interface to associate it with the DNS load balancing rule.
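A DNS load balancing rule as the overview and Tables 92 to 94 describe it, written as an added example for this page (not the ZyWALL’s implementation): the rule matches a query by domain name, query source address and query zone, then answers with the address of the member chosen either by least load, checking members in their configured order, or by Weighted Round Robin. The round-robin variant here is the “smooth” interleaving (each member’s counter grows by its weight, the highest wins and is debited the total), which spreads a 3:1 weighting as wan1, wan1, wan2, wan1 rather than three wan1 answers in a row; that scheduling detail is this example’s choice, not something the guide states. Interface names, addresses and load figures are constructed.

```python
import ipaddress
from dataclasses import dataclass


@dataclass
class Member:
    interface: str
    ip: str
    weight: int = 1
    load: float = 0.0      # measured load on the interface; constructed values in the demo
    current: int = 0       # running counter for smooth weighted round robin


@dataclass
class InboundLbRule:
    """A DNS load balancing rule: answer queries for `domain` with the chosen member's address."""
    domain: str
    query_from: str                      # source network of the DNS queries (address object, CIDR)
    query_zone: str                      # zone the query arrives from
    members: list
    algorithm: str = "wrr"               # "wrr" = Weighted Round Robin, or "least_load"

    def matches(self, name, src_ip, zone):
        return (name.lower().rstrip(".") == self.domain.lower()
                and zone == self.query_zone
                and ipaddress.ip_address(src_ip) in ipaddress.ip_network(self.query_from))

    def pick(self):
        if self.algorithm == "least_load":
            # members are checked in configured order; the first one with the lowest load wins
            return min(self.members, key=lambda m: m.load)
        # smooth weighted round robin: deterministic and evenly interleaved
        total = sum(m.weight for m in self.members)
        for m in self.members:
            m.current += m.weight
        best = max(self.members, key=lambda m: m.current)
        best.current -= total
        return best

    def resolve(self, name, src_ip, zone):
        """Return the address to answer with, or None to let normal DNS handling take over."""
        if not self.matches(name, src_ip, zone):
            return None
        return self.pick().ip


if __name__ == "__main__":
    rule = InboundLbRule("www.example.com", "0.0.0.0/0", "WAN",
                         [Member("wan1", "203.0.113.1", weight=3), Member("wan2", "198.51.100.1", weight=1)])
    for _ in range(4):
        print(rule.resolve("www.example.com", "192.0.2.7", "WAN"))
```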
CHAPTER 18 Authentication Policy
18.1 Overview
Use authentication policies to control who can access the network. After a user passes authentication the user’s computer must meet the endpoint security object’s Operating System (OS) option and security requirements to gain access. In the following figure the ZyWALL’s authentication policy requires endpoint security checking on local user A. A passes authentication and the endpoint security check and is given access.
Multiple Endpoint Security Objects
You can set an authentication policy to use multiple endpoint security objects. This allows checking of computers with different OSs or security settings. When a client attempts to log in, the ZyWALL checks the client’s computer against the endpoint security objects one by one. The client’s computer must match one of the authentication policy’s endpoint security objects in order to gain access.
Figure 150 Configuration > Auth. Policy
The following table gives an overview of the objects you can configure.
Table 95 Configuration > Auth. Policy
Enable Authentication Policy: Select this to turn on the authentication policy feature.
Exceptional Services: Use this table to list services that users can access without logging in. Click Add to change the list’s membership. A screen appears. Available services appear on the left.
Table 95 Configuration > Auth. Policy (continued)
Authentication Policy Summary: Use this table to manage the ZyWALL’s list of authentication policies.
Add: Click this to create a new entry. Select an entry and click Add to create a new entry after the selected entry.
Edit: Double-click an entry or select it and click Edit to open a screen where you can modify the entry’s settings.
Remove: To remove an entry, select it and click Remove.
Figure 152 Configuration > Auth. Policy > Add
The following table gives an overview of the objects you can configure.
Table 96 Configuration > Auth. Policy > Add
Create new Object: Use this to configure any new settings objects that you need to use in this screen.
Enable Policy: Select this check box to activate the authentication policy. This field is available for user-configured policies.
Table 96 Configuration > Auth. Policy > Add (continued)
Force User Authentication: This field is available for user-configured policies that require authentication. Select this to have the ZyWALL automatically display the login screen when users who have not logged in yet try to send HTTP traffic.
OK: Click OK to save your changes back to the ZyWALL.
Cancel: Click Cancel to exit this screen without saving.
18.
18.3.2 Set Up User Groups
Set up the user groups and assign the users to the user groups.
1 Click Configuration > Object > User/Group > Group. Click the Add icon.
2 Enter the name of the group. In this example, it is “Finance”. Then, select User/Leo and click the right arrow to move him to the Member list. This example only has one member in this group, so click OK. Of course you could add more members later.
Figure 155 Configuration > Object > AAA Server > RADIUS > Add
2 Click Configuration > Object > Auth. Method. Double-click the default entry. Click the Add icon. Select group radius because the ZyWALL should use the specified RADIUS server for authentication. Click OK.
Figure 156 Configuration > Object > Auth. method > Edit
3 Click Configuration > Auth. Policy. In the Authentication Policy Summary section, click the Add icon.
Figure 157 Configuration > Auth. Policy > Add
In the Auth. Policy screen, select Enable Authentication Policy and click Apply.
Figure 158 Configuration > Auth. Policy
When the users try to browse the web (or use any HTTP/HTTPS application), the Login screen appears. They have to log in using the user name and password in the RADIUS server.
18.3.
1 Click Configuration > Object > AAA Server > RADIUS. Double-click the radius entry. Besides configuring the RADIUS server’s address, authentication port, and key, set the Group Membership Attribute field to the attribute that the ZyWALL is to check to determine to which group a user belongs. This example uses Class. This attribute’s value is called a group identifier; it determines to which group a user belongs.
CHAPTER 19 Firewall
19.1 Overview
Use the firewall to block or allow services that use static port numbers. This example shows the ZyWALL’s default firewall behavior for WAN to LAN traffic and how stateful inspection works. A LAN user can initiate a Telnet session from within the LAN zone and the firewall allows the response. However, the firewall blocks Telnet traffic initiated from the WAN zone and destined for the LAN zone. The firewall allows VPN traffic between any of the networks.
Note: At the time of writing the ZyWALL’s VPN and GRE tunnels support IPv4 traffic, so IPv6 firewall rules do not apply to IPSec, SSL VPN, and GRE tunnel traffic.
Table 97 Example Firewall Behavior
From any to ZyWALL: DHCP traffic from any interface to the ZyWALL is allowed. DHCPv6 and Default_Allow_ICMPv6_Group traffic from any interface to the ZyWALL is allowed.
A From Any To ZyWALL direction rule applies to traffic from an interface which is not in a zone.
Global Firewall Rules
Firewall rules with from any and/or to any as the packet direction are called global firewall rules. The global firewall rules are the only firewall rules that apply to an interface or VPN tunnel that is not included in a zone. The from any rules apply to traffic coming from the interface and the to any rules apply to traffic going to the interface.
19.2 The Firewall Screen
Asymmetrical Routes
If an alternate gateway on the LAN has an IP address in the same subnet as the ZyWALL’s LAN IP address, return traffic may not go through the ZyWALL. This is called an asymmetrical or “triangle” route. This causes the ZyWALL to reset the connection, as the connection has not been acknowledged. You can have the ZyWALL permit the use of asymmetrical route topology on the network (not reset the connection).
• Besides configuring the firewall, you also need to configure NAT rules to allow computers on the WAN to access LAN devices. See Chapter 13 on page 221 for more information.
• The ZyWALL applies NAT (Destination NAT) settings before applying the firewall rules. So for example, if you configure a NAT entry that sends WAN traffic to a LAN IP address, when you configure a corresponding firewall rule to allow the traffic, you need to set the LAN IP address as the destination.
Figure 163 Configuration > Firewall
The following table describes the labels in this screen.
Table 98 Configuration > Firewall
General Settings
Enable Firewall: Select this check box to activate the firewall. The ZyWALL performs access control when the firewall is activated.
IPv4 / IPv6 Rule Summary: Separate firewall rules for IPv4 and IPv6 traffic appear when you enable the ZyWALL’s global IPv6 option; otherwise the rules are just for IPv4 traffic.
Table 98 Configuration > Firewall (continued)
Schedule: This field tells you the schedule object that the rule uses. none means the rule is active at all times if enabled.
User: This is the user name or user group name to which this firewall rule applies.
IPv4 / IPv6 Source: This displays the IPv4 or IPv6 source address object to which this firewall rule applies.
Table 99 Configuration > Firewall > Add (continued)
From, To: For through-ZyWALL rules, select the direction of travel of packets to which the rule applies. any means all interfaces or VPN tunnels. ZyWALL means packets destined for the ZyWALL itself.
Description: Enter a descriptive name of up to 60 printable ASCII characters for the firewall rule. Spaces are allowed.
Schedule: Select a schedule that defines when the rule applies.
Figure 165 Configuration > Firewall > Session Limit
The following table describes the labels in this screen.
Table 100 Configuration > Firewall > Session Limit
General Settings
Enable Session limit: Select this check box to control the number of concurrent sessions hosts can have.
IPv4 / IPv6 Rule Summary: The IPv4 rules apply to IPv4 sessions. The IPv6 rules apply to IPv6 sessions.
Table 100 Configuration > Firewall > Session Limit (continued)
User: This is the user name or user group name to which this session limit rule applies.
IPv4 Address: This is the IPv4 address object to which this session limit rule applies.
IPv6 Address: This is the IPv6 address object to which this session limit rule applies.
Description: This is the information configured to help you identify the rule.
Table 101 Configuration > Firewall > Session Limit > Edit (continued)
Session Limit per Host: Use this field to set a limit to the number of concurrent NAT/firewall sessions this rule’s users or addresses can have. For this rule’s users and addresses, this setting overrides the Default Session per Host setting in the general Firewall Session Limit screen.
OK: Click OK to save your customized settings and exit this screen.
Figure 169 Firewall Example: Create a Service Object
4 Select From WAN and To LAN1 and enter a name for the firewall rule. Select Dest_1 for the Destination and Doom as the Service. Enter a description and configure the rest of the screen as follows. Click OK when you are done.
Figure 170 Firewall Example: Edit a Firewall Rule
5 The firewall rule appears in the firewall rule summary.
19.5 Firewall Rule Example Applications
Suppose you decide to block LAN users from using IRC (Internet Relay Chat) through the Internet. To do this, you would configure a LAN to WAN firewall rule that blocks IRC traffic from any source IP address from going to any destination address. You do not need to specify a schedule since you need the firewall rule to always be in effect. The following figure shows the results of this rule.
Now you configure a LAN1 to WAN firewall rule that allows IRC traffic from the IP address of the CEO’s computer (192.168.1.7 for example) to go to any destination address. You do not need to specify a schedule since you want the firewall rule to always be in effect. The following figure shows the results of your two custom rules.
Figure 173 Limited LAN to WAN IRC Traffic Example
Your firewall would have the following configuration.
The rule for the CEO must come before the rule that blocks all LAN1 to WAN IRC traffic. If the rule that blocks all LAN1 to WAN IRC traffic came first, the CEO’s IRC traffic would match that rule and the ZyWALL would drop it and not check any other firewall rules.
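First-match rule evaluation, as an added example that is not the guide’s text and not the ZyWALL’s code, run against the IRC scenario of this section and against the “Destination NAT runs before the firewall” point from Section 19.2: the same three rules give the CEO’s IRC traffic “allow” in the documented order and “deny” when the block rule is moved above it, and a WAN-to-server rule only matches when its destination is the translated LAN address (192.168.1.21) rather than the public one (1.1.1.1). The rule model, the zone and service representation and the sample packets are constructed; IRC is modelled as TCP port 6667.

```python
import ipaddress
from dataclasses import dataclass

IRC = ("tcp", 6667)     # constructed service object for IRC (its registered port)
SMTP = ("tcp", 25)
ANY_SERVICE = ("any", None)


@dataclass
class Rule:
    name: str
    from_zone: str        # "any" matches every zone
    to_zone: str
    source: str           # address object as CIDR, or "any"
    destination: str
    service: tuple        # (proto, port) or ANY_SERVICE
    action: str           # "allow" or "deny"

    def matches(self, pkt):
        def zone_ok(rule_zone, zone):
            return rule_zone == "any" or rule_zone == zone

        def addr_ok(rule_addr, ip):
            return rule_addr == "any" or ipaddress.ip_address(ip) in ipaddress.ip_network(rule_addr)

        def svc_ok(rule_svc, svc):
            return rule_svc[0] == "any" or rule_svc == svc

        return (zone_ok(self.from_zone, pkt["from"]) and zone_ok(self.to_zone, pkt["to"])
                and addr_ok(self.source, pkt["src"]) and addr_ok(self.destination, pkt["dst"])
                and svc_ok(self.service, pkt["service"]))


def first_match(rules, pkt, default="deny"):
    """Walk the list top-down: the first matching rule decides, nothing below it is consulted."""
    for rule in rules:
        if rule.matches(pkt):
            return rule.action, rule.name
    return default, "default"


def apply_dnat(pkt, virtual_servers):
    """Destination NAT runs before the firewall, so rules must name the translated (LAN) address."""
    translated = dict(pkt)
    translated["dst"] = virtual_servers.get(pkt["dst"], pkt["dst"])
    return translated


# Section 19.5: the CEO at 192.168.1.7 may use IRC, everyone else on LAN1 may not.
CEO_ALLOW = Rule("ceo_irc", "LAN1", "WAN", "192.168.1.7/32", "any", IRC, "allow")
LAN_BLOCK = Rule("block_irc", "LAN1", "WAN", "any", "any", IRC, "deny")
LAN_DEFAULT = Rule("lan_out", "LAN1", "WAN", "any", "any", ANY_SERVICE, "allow")

CORRECT_ORDER = [CEO_ALLOW, LAN_BLOCK, LAN_DEFAULT]
WRONG_ORDER = [LAN_BLOCK, CEO_ALLOW, LAN_DEFAULT]


def ceo_irc_packet():
    """Constructed packet: the CEO's computer opening an IRC session to an Internet host."""
    return {"from": "LAN1", "to": "WAN", "src": "192.168.1.7", "dst": "198.51.100.20", "service": IRC}


if __name__ == "__main__":
    print(first_match(CORRECT_ORDER, ceo_irc_packet()))   # ('allow', 'ceo_irc')
    print(first_match(WRONG_ORDER, ceo_irc_packet()))     # ('deny', 'block_irc')
```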
CHAPTER 20 IPSec VPN
20.1 Virtual Private Networks (VPN) Overview
A virtual private network (VPN) provides secure communications between sites without the expense of leased site-to-site lines. A secure VPN is a combination of tunneling, encryption, authentication, access control and auditing. It is used to transport traffic over the Internet or any insecure network that uses TCP/IP for communication.
Figure 175 SSL VPN (diagram: remote users connect over https:// to the ZyWALL and reach the LAN (192.168.1.X) resources: web mail, file share, web-based applications and a non-web application server)
L2TP VPN
L2TP VPN uses the L2TP and IPSec client software included in remote users’ Android, iOS, or Windows operating systems for secure connections to the network behind the ZyWALL. The remote users do not need their own IPSec gateways or third-party VPN client software.
20.1.2 What You Need to Know
An IPSec VPN tunnel is usually established in two phases. Each phase establishes a security association (SA), a contract indicating what security parameters the ZyWALL and the remote IPSec router will use. The first phase establishes an Internet Key Exchange (IKE) SA between the ZyWALL and remote IPSec router.
Application Scenarios
The ZyWALL’s application scenarios make it easier to configure your VPN connection settings.
Table 105 IPSec VPN Application Scenarios
SITE-TO-SITE: Choose this if the remote IPSec router has a static IP address or a domain name. This ZyWALL can initiate the VPN tunnel. The remote IPSec router can also initiate the VPN tunnel if this ZyWALL has a static IP address or a domain name.
• In any VPN connection, you have to select address objects to specify the local policy and remote policy. You should set up the address objects first.
• In a VPN gateway, you can select an Ethernet interface, virtual Ethernet interface, VLAN interface, or virtual VLAN interface to specify what address the ZyWALL uses as its IP address when it establishes the IKE SA. You should set up the interface first. See Chapter 7 on page 103.
Each field is discussed in the following table. See Section 20.2.2 on page 292 and Section 20.2.1 on page 286 for more information.
Table 106 Configuration > VPN > IPSec VPN > VPN Connection
Use Policy Route to control dynamic IPSec rules: Select this to be able to use policy routes to manually specify the destination addresses of dynamic IPSec rules. You must manually create these policy routes.
Figure 179 Configuration > VPN > IPSec VPN > VPN Connection > Edit (IKE)
Each field is described in the following table.
Table 107 Configuration > VPN > IPSec VPN > VPN Connection > Edit
Show Advanced Settings / Hide Advanced Settings: Click this button to display a greater or lesser number of configuration fields.
Create new Object: Use this to configure any new settings objects that you need to use in this screen.
General Settings
Enable: Select this check box to activate this VPN connection.
Table 107 Configuration > VPN > IPSec VPN > VPN Connection > Edit (continued)
Remote Policy: Select the address corresponding to the remote network. Use Create new Object if you need to configure a new one.
Policy Enforcement: Clear this to allow traffic with source and destination IP addresses that do not match the local and remote policy to use the VPN tunnel. Leave this cleared for free access between the local and remote networks.
Table 107 Configuration > VPN > IPSec VPN > VPN Connection > Edit (continued)
Authentication: Select which hash algorithm to use to authenticate packet data in the IPSec SA. Choices are SHA1, SHA256, SHA512 and MD5. SHA is generally considered stronger than MD5, but it is also slower. The ZyWALL and the remote IPSec router must both have a proposal that uses the same authentication algorithm.
Table 107 Configuration > VPN > IPSec VPN > VPN Connection > Edit (continued)
Source NAT: This translation hides the source address of computers in the local network. It may also be necessary if you want the ZyWALL to route packets from computers outside the local network through the IPSec SA.
Source: Select the address object that represents the original source address (or select Create Object to configure a new one).
Table 107 Configuration > VPN > IPSec VPN > VPN Connection > Edit (continued)
OK: Click OK to save the changes.
Cancel: Click Cancel to discard all changes and return to the main VPN screen.
20.2.2 The VPN Connection Add/Edit Manual Key Screen
The VPN Connection Add/Edit Manual Key screen allows you to create a new VPN connection or edit an existing one using a manual key. This is useful if you have problems with IKE key management.
This table describes labels specific to manual key configuration. See Section 20.2 on page 285 for descriptions of the other fields.
Table 108 Configuration > VPN > IPSec VPN > VPN Connection > Add > Manual Key
Manual Key
My Address: Type the IP address of the ZyWALL in the IPSec SA.
Secure Gateway Address: Type the IP address of the remote IPSec router in the IPSec SA.
SPI: Type a unique SPI (Security Parameter Index) between 256 and 4095.
Table 108 Configuration > VPN > IPSec VPN > VPN Connection > Add > Manual Key (continued)
Encryption Key: This field is applicable when you select an Encryption Algorithm. Enter the encryption key, which depends on the encryption algorithm.
Figure 181 Configuration > VPN > IPSec VPN > VPN Gateway
Each field is discussed in the following table. See Section 20.3.1 on page 295 for more information.
Table 109 Configuration > VPN > IPSec VPN > VPN Gateway
Add: Click this to create a new entry.
Edit: Double-click an entry or select it and click Edit to open a screen where you can modify the entry’s settings.
Remove: To remove an entry, select it and click Remove.
Figure 182 Configuration > VPN > IPSec VPN > VPN Gateway > Edit
Each field is described in the following table.
Table 110 Configuration > VPN > IPSec VPN > VPN Gateway > Edit
Show Advanced Settings / Hide Advanced Settings: Click this button to display a greater or lesser number of configuration fields.
General Settings
VPN Gateway Name: Type the name used to identify this VPN gateway. You may use 1-31 alphanumeric characters, underscores (_), or dashes (-), but the first character cannot be a number.
Table 110 Configuration > VPN > IPSec VPN > VPN Gateway > Edit (continued)
Certificate: Select this to have the ZyWALL and remote IPSec router use certificates to authenticate each other when they negotiate the IKE SA. Then select the certificate the ZyWALL uses to identify itself to the remote IPsec router. This certificate is one of the certificates in My Certificates. If this certificate is self-signed, import it into the remote IPsec router.
Table 110 Configuration > VPN > IPSec VPN > VPN Gateway > Edit (continued)
Content: This field is disabled if the Peer ID Type is Any. Type the identity of the remote IPSec router during authentication. The identity depends on the Peer ID Type. If the ZyWALL and remote IPSec router do not use certificates: IP - type an IP address; see the note at the end of this description. DNS - type the fully qualified domain name (FQDN).
Table 110 Configuration > VPN > IPSec VPN > VPN Gateway > Edit (continued)
Encryption: Select which key size and encryption algorithm to use in the IKE SA.
Table 110 Configuration > VPN > IPSec VPN > VPN Gateway > Edit (continued)
Client Mode: Select this radio button if the ZyWALL provides a username and password to the remote IPSec router for authentication. You also have to provide the User Name and the Password.
User Name: This field is required if the ZyWALL is in Client Mode for extended authentication. Type the user name the ZyWALL sends to the remote IPSec router. The user name can be 1-31 ASCII characters.
20.4.1 VPN Concentrator Requirements and Suggestions
Consider the following when using the VPN concentrator.
• The local IP addresses configured in the VPN rules should not overlap.
• The concentrator must have at least one separate VPN rule for each spoke. In the local policy, specify the IP addresses of the networks with which the spoke is to be able to have a VPN tunnel. This may require you to use more than one VPN rule for each spoke.
Figure 185 Configuration > VPN > IPSec VPN > Concentrator > Edit
Each field is described in the following table.
Table 112 VPN > IPSec VPN > Concentrator > Edit
Name: Enter the name of the concentrator. You may use 1-31 alphanumeric characters, underscores (_), or dashes (-), but the first character cannot be a number. This value is case-sensitive.
Member: Select the concentrator’s IPSec VPN connection policies.
In the ZyWALL Quick Setup wizard, you can use the VPN Settings for Configuration Provisioning wizard to create a VPN rule that will not violate these restrictions.
Figure 186 Configuration > VPN > IPSec VPN > Configuration Provisioning
Each field is discussed in the following table.
Table 113 Configuration > VPN > IPSec VPN > Configuration Provisioning (continued)
Move: Use Move to reorder a selected entry. Select an entry, click Move, type the number where the entry should be moved, press , then click Apply.
Status: This icon shows if the entry is active (yellow) or not (gray). VPN rule settings can only be retrieved when the entry is activated (and Enable Configuration Provisioning is also selected).
IKE SA Proposal
The IKE SA proposal is used to identify the encryption algorithm, authentication algorithm, and Diffie-Hellman (DH) key group that the ZyWALL and remote IPSec router use in the IKE SA. In main mode, this is done in steps 1 and 2, as illustrated next.
Diffie-Hellman (DH) Key Exchange
The ZyWALL and the remote IPSec router use DH public-key cryptography to establish a shared secret. The shared secret is then used to generate encryption keys for the IKE SA and IPSec SA. In main mode, this is done in steps 3 and 4, as illustrated next.
Figure 188 IKE SA: Main Negotiation Mode, Steps 3 - 4: DH Key Exchange (diagram: in step 3 the ZyWALL sends its public value X, in step 4 the remote IPSec router sends its public value Y)
DH public-key cryptography is based on DH key groups.
Note: The ZyWALL and the remote IPSec router must use the same pre-shared key.
Router identity consists of ID type and content. The ID type can be domain name, IP address, or email address, and the content is a (properly-formatted) domain name, IP address, or e-mail address. The content is only used for identification. Any domain name or e-mail address that you enter does not have to actually exist.
Steps 1 - 2: The ZyWALL sends its proposals to the remote IPSec router. The remote IPSec router selects an acceptable proposal and sends it back to the ZyWALL.
Steps 3 - 4: The ZyWALL and the remote IPSec router exchange pre-shared keys for authentication and participate in a Diffie-Hellman key exchange, based on the accepted DH key group, to establish a shared secret.
Extended Authentication
Extended authentication is often used when multiple IPSec routers use the same VPN tunnel to connect to a single IPSec router. For example, this might be used with telecommuters. In extended authentication, one of the routers (the ZyWALL or the remote IPSec router) provides a user name and password to the other router, which uses a local user database and/or an external server to verify the user name and password.
Note: The ZyWALL and remote IPSec router must use the same active protocol. Usually, you should select ESP. AH does not support encryption, and ESP is more suitable with NAT.
Encapsulation
There are two ways to encapsulate packets. Usually, you should use tunnel mode because it is more secure.
Chapter 20 IPSec VPN If you do not enable PFS, the ZyWALL and remote IPSec router use the same root key that was generated when the IKE SA was established to generate encryption keys, so anyone who recovers that IKE key material can derive the keys of every IPSec SA built from it. With PFS, each IPSec SA performs its own DH exchange and gets keys that do not depend on the IKE SA's root key. The DH key exchange is time-consuming and may be unnecessary for data that does not require such security. Additional Topics for IPSec SA This section provides more information about IPSec SA in your ZyWALL.
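The following Python is an added illustration, not ZyXEL code, of the main-mode DH exchange from Figure 188 and of what PFS changes for the IPSec SA keys. It assumes a toy 31-bit prime (real IKE uses 1024-bit and larger MODP groups) and follows the key-derivation shape of RFC 2409 sections 5.4 and 5.5 with the cookies omitted; the PSK and nonces are constructed values.

```python
"""Added example (not ZyXEL code): IKE main-mode DH exchange and the effect of PFS.
The DH group is a toy 31-bit prime chosen so the arithmetic stays readable; real
IKE uses the 1024-bit and larger MODP groups. Key derivation follows the shape of
RFC 2409 sections 5.4/5.5 (cookies omitted)."""
import hashlib
import hmac
import secrets

P = 2**31 - 1   # ASSUMPTION: toy Mersenne prime, not an IKE group; 7 is a primitive root mod P
G = 7


def dh_keypair():
    """Private exponent x and public value g^x mod p. Retries if the public value is
    degenerate (1 or p-1), which a careful peer would otherwise reject."""
    while True:
        x = secrets.randbelow(P - 2) + 1
        gx = pow(G, x, P)
        if 1 < gx < P - 1:
            return x, gx


def dh_shared(private, peer_public):
    """Shared secret g^xy. Public values 0, 1 and p-1 are refused: they collapse the
    secret to a trivial value regardless of the private exponent."""
    if not 1 < peer_public < P - 1:
        raise ValueError("invalid DH public value")
    return pow(peer_public, private, P)


def prf(key, data):
    return hmac.new(key, data, hashlib.sha256).digest()


def ibytes(n):
    return n.to_bytes((n.bit_length() + 7) // 8 or 1, "big")


def skeyid_d_from(psk, ni, nr, gxy):
    """Pre-shared-key authentication (RFC 2409 5.4): SKEYID = prf(psk, Ni|Nr),
    SKEYID_d = prf(SKEYID, g^xy|0). The PSK only keys the PRF; it never crosses the wire."""
    skeyid = prf(psk, ni + nr)
    return prf(skeyid, ibytes(gxy) + b"\x00")


def ipsec_keymat(skeyid_d, spi, ni, nr, pfs_gxy=None):
    """RFC 2409 5.5: KEYMAT = prf(SKEYID_d, [g(qm)^xy |] protocol | SPI | Ni_b | Nr_b).
    0x03 is PROTO_IPSEC_ESP. With PFS a fresh quick-mode DH secret is mixed in."""
    prefix = ibytes(pfs_gxy) if pfs_gxy is not None else b""
    return prf(skeyid_d, prefix + b"\x03" + spi + ni + nr)


def main_mode(psk):
    """Steps 3-4: public values and nonces cross the wire; private exponents and the
    PSK stay local. Returns each side's SKEYID_d, which must agree."""
    xi, gxi = dh_keypair()                 # ZyWALL (initiator)
    xr, gxr = dh_keypair()                 # remote IPSec router (responder)
    ni, nr = secrets.token_bytes(16), secrets.token_bytes(16)
    d_init = skeyid_d_from(psk, ni, nr, dh_shared(xi, gxr))
    d_resp = skeyid_d_from(psk, ni, nr, dh_shared(xr, gxi))
    return d_init, d_resp


def quick_mode(d_init, d_resp, pfs):
    """Negotiate one IPSec SA. Returns (keymat_init, keymat_resp, attacker_keymat), where
    attacker_keymat is what someone holding a stolen SKEYID_d plus everything visible
    on the wire (SPI, nonces, DH public values) can compute without a private exponent."""
    spi = secrets.token_bytes(4)
    ni, nr = secrets.token_bytes(16), secrets.token_bytes(16)
    gxy = None
    if pfs:                                # fresh ephemeral exchange for this SA only
        xi, gxi = dh_keypair()
        xr, gxr = dh_keypair()
        gxy = dh_shared(xi, gxr)
        assert gxy == dh_shared(xr, gxi)
    k_init = ipsec_keymat(d_init, spi, ni, nr, gxy)
    k_resp = ipsec_keymat(d_resp, spi, ni, nr, gxy)
    attacker = ipsec_keymat(d_init, spi, ni, nr, None)
    return k_init, k_resp, attacker


def pfs_protects(pfs):
    """True when a compromised SKEYID_d is not enough to recover the IPSec SA keys."""
    d_init, d_resp = main_mode(b"example-psk")   # constructed PSK
    k_init, k_resp, attacker = quick_mode(d_init, d_resp, pfs)
    assert k_init == k_resp                        # both ends derive identical keys
    return attacker != k_init


if __name__ == "__main__":
    for pfs in (True, False):
        print("PFS", "on " if pfs else "off", ":",
              "IKE compromise does not expose SA keys" if pfs_protects(pfs) else "IKE compromise exposes SA keys")
```

The attacker model is the one the PFS paragraph implies: with PFS off, SKEYID_d plus the public wire data is enough to rebuild every IPSec SA key; with PFS on, the per-SA ephemeral secret is missing and the derivation fails.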
Chapter 20 IPSec VPN Figure 192 VPN Example: NAT for Inbound and Outbound Traffic Source Address in Outbound Packets (Outbound Traffic, Source NAT) This translation lets the ZyWALL route packets from computers that are not part of the specified local network (local policy) through the IPSec SA. For example, in Figure 192 on page 313, you have to configure this kind of translation if you want computer M to establish a connection with any computer in the remote network (B).
Chapter 20 IPSec VPN You have to specify one or more rules when you set up this kind of NAT. The ZyWALL checks these rules similar to the way it checks rules for a firewall. The first part of each rule defines the conditions in which the rule applies. • Original IP - the original destination address; the remote network (B). • Protocol - the protocol [TCP, UDP, or both] used by the service requesting the connection.
Chapter 20 IPSec VPN Set Up the VPN Connection that Manages the IPSec SA 1 In Configuration > VPN > IPSec VPN > VPN Connection > Add, click Create New Object > Address to create an address object for the remote network. Set the Address Type to SUBNET, the Network field to 172.16.1.0, and the Netmask to 255.255.255.0. 2 Enable the VPN connection and name it (“VPN_CONN_EXAMPLE”). Set VPN Gateway to Site-to-site and select the VPN gateway you configured (VPN_GW_EXAMPLE).
CHAPTER 21 SSL VPN 21.1 Overview Use SSL VPN to allow users to use a web browser for secure remote user login. The remote users do not need a VPN router or VPN client software. 21.1.1 What You Can Do in this Chapter • Use the VPN > SSL VPN > Access Privilege screens (see Section 21.2 on page 318) to configure SSL access policies. • Use the VPN > SSL VPN > Global Setting screen (see Section 21.
Chapter 21 SSL VPN SSL Access Policy Objects The SSL access policies reference the following objects. If you update an object, the ZyWALL automatically propagates the change to every SSL policy that uses it. When you delete an SSL policy, the objects are not removed. Table 116 Objects OBJECT SCREEN DESCRIPTION User Accounts User Account/ User Group Configure a user account or user group to which you want to apply this SSL access policy.
Chapter 21 SSL VPN The following table describes the labels in this screen. Table 117 VPN > SSL VPN > Access Privilege LABEL DESCRIPTION Add Click this to create a new entry. Select an entry and click Add to create a new entry after the selected entry. Edit Double-click an entry or select it and click Edit to open a screen where you can modify the entry’s settings. Remove To remove an entry, select it and click Remove. The ZyWALL confirms you want to remove it before doing so.
Chapter 21 SSL VPN Figure 196 VPN > SSL VPN > Add/Edit The following table describes the labels in this screen. Table 118 VPN > SSL VPN > Access Privilege > Add/Edit LABEL DESCRIPTION Create new Object Use to configure any new settings objects that you need to use in this screen. Configuration Enable Policy Select this option to activate this SSL access policy.
Chapter 21 SSL VPN Table 118 VPN > SSL VPN > Access Privilege > Add/Edit (continued) LABEL DESCRIPTION Name Enter a descriptive name to identify this policy. You can enter up to 31 characters (“a-z”, “A-Z”, “0-9”) with no spaces allowed. Zone Select the zone to which to add this SSL access policy. You use zones to apply security settings such as firewall and remote management. Description Enter additional information about this SSL access policy.
Chapter 21 SSL VPN Table 118 VPN > SSL VPN > Access Privilege > Add/Edit (continued) LABEL DESCRIPTION Network List To allow user access to local network(s), select a network name in the Selectable Address Objects list and click the right arrow button to add to the Selected Address Objects list. You can select more than one network. To block access to a network, select the network name in the Selected Address Objects list and click the left arrow button.
Chapter 21 SSL VPN Table 119 VPN > SSL VPN > Global Setting (continued) LABEL DESCRIPTION SSL VPN Login Domain Name 1/ 2 Specify a full domain name for users to use for SSL VPN login. The domain name must resolve to one of the ZyWALL’s IP addresses or be one of the ZyWALL’s DDNS entries. You can specify up to two domain names so you could use one domain name for each of two WAN ports. For example, www.zyxel.com is a fully qualified domain name where “www” is the host.
Chapter 21 SSL VPN Figure 198 Example Logo Graphic Display 21.4 SSL VPN Example This example uses SSL VPN to let remote users securely access the internal http://info website. 1 Click Configuration > VPN > SSL VPN > Access Privilege > Add and click Create New Object > Application to create an SSL application object. Set the Type to Web Application, the Server Type to Web Server, and the URL to http://info. Select Web Page Encryption to discourage users from saving the web content. This is a browser-side deterrent only: a user who can display the page can still capture it, so do not treat it as an access control.
Chapter 21 SSL VPN 3 Display the ZyWALL’s login screen, enter your user account information (the user name and password), and click SSL VPN to establish an SSL VPN connection. 4 Your computer starts establishing a secure connection to the ZyWALL after the login. This may take up to two minutes. If you get a message about needing Java, download and install it, restart your browser and log in again. If a certificate warning screen displays, confirm that the certificate is the one your network administrator told you to expect before you click OK, Yes or Continue; accepting an unexpected certificate would let a third party sit between you and the ZyWALL.
Chapter 21 SSL VPN 5 The client portal screen displays after the connection is up. In this example, click the Web Server link to go to http://info. If the user account is not included in an SSL VPN access policy, the ZyWALL redirects the user to the user aware screen. For more information on user portal screens, refer to Chapter 22 on page 327.
CHAPTER 22 SSL User Screens 22.1 Overview This chapter introduces the remote user SSL VPN screens. The following figure shows a network example where a remote user (A) logs into the ZyWALL from the Internet to access the web server (WWW) on the local network. Figure 199 Network Example (remote user A reaches the web server WWW across the Internet) 22.1.
Chapter 22 SSL User Screens • Using RDP requires Internet Explorer • Sun’s Java Runtime Environment (JRE) version 1.6 or later installed and enabled. Required Information A remote user needs the following information from the network administrator to log in and access network resources.
Chapter 22 SSL User Screens Figure 201 Login Security Screen 3 A login screen displays. Enter the user name and password of your login account. If a token password is also required, enter it in the One-Time Password field. Click SSL VPN to log in and establish an SSL VPN connection to the network to access network resources. Figure 202 Login Screen 4 Your computer starts establishing a secure connection to the ZyWALL after a successful login. This may take up to two minutes.
Chapter 22 SSL User Screens Figure 204 ActiveX Object Installation Blocked by Browser Figure 205 SecuExtender Blocked by Internet Explorer 6 The ZyWALL tries to run the “ssltun” application. You may need to click something to get your browser to allow this. In Internet Explorer, click Run. Figure 206 SecuExtender Progress 7 Click Next to use the setup wizard to install the SecuExtender client on your computer.
Chapter 22 SSL User Screens Figure 207 SecuExtender Progress 8 If a screen like the following displays, click Continue Anyway to finish installing the SecuExtender client on your computer. Figure 208 Installation Warning 9 The Application screen displays showing the list of resources available to you. See Figure 209 on page 332 for a screen example. Note: Available resource links vary depending on the configuration your network administrator made. 22.
Chapter 22 SSL User Screens Figure 209 Remote User Screen (callouts 1 to 6, described in the table below) The following table describes the various parts of a remote user screen. Table 120 Remote User Screen Overview # DESCRIPTION 1 Click on a menu tab to go to the Application or File Sharing screen. 2 Click this icon to log out and terminate the secure connection. 3 Click this icon to create a bookmark to the SSL VPN user screen in your web browser. 4 Click this icon to display the on-line help window.
Chapter 22 SSL User Screens 3 Click OK to create a bookmark in your web browser. Figure 210 Add Favorite 22.5 Logging Out of the SSL VPN User Screens To properly terminate a connection, click on the Logout icon in any remote user screen. 1 Click the Logout icon in any remote user screen. 2 A prompt window displays. Click OK to continue. Figure 211 Logout: Prompt 22.
Chapter 22 SSL User Screens Figure 212 Application 22.7 SSL User File Sharing The File Sharing screen lets you access files on a file server through the SSL VPN connection. Use it to display and access shared files/folders on a file server. You can also perform the following actions: • Access a folder. • Open a file (if your web browser cannot open the file, you are prompted to download it). • Save a file to your computer. • Create a new folder. • Rename a file or folder. • Delete a file or folder.
Chapter 22 SSL User Screens Figure 213 File Sharing 22.7.2 Opening a File or Folder You can open a file if the file extension is recognized by the web browser and the associated application is installed on your computer. 1 Log in as a remote user and click the File Sharing tab. 2 Click on a file share icon. 3 If an access user name and password are required, a screen displays as shown in the following figure. Enter the account information and click Login to continue.
Chapter 22 SSL User Screens 4 A list of files/folders displays. Double click a file to open it in a separate browser window or select a file and click Download to save it to your computer. You can also click a folder to access it. For this example, click on a .doc file to open the Word document. Figure 215 File Sharing: Open a Word File 22.7.3 Downloading a File You are prompted to download a file which cannot be opened using a web browser.
Chapter 22 SSL User Screens Figure 216 File Sharing: Save a Word File 22.7.5 Creating a New Folder To create a new folder in the file share location, click the New Folder icon. Specify a descriptive name for the folder. You can enter up to 356 characters. Then click Add. Note: Make sure the length of the folder name does not exceed the maximum allowed on the file server. Figure 217 File Sharing: Create a New Folder 22.7.
Chapter 22 SSL User Screens A popup window displays. Specify the new name and/or file extension in the field provided. You can enter up to 356 characters. Then click Apply. Note: Make sure the length of the name does not exceed the maximum allowed on the file server. You may not be able to open a file if you change the file extension. Figure 219 File Sharing: Rename 22.7.7 Deleting a File or Folder Click the Delete icon next to a file or folder to remove it. 22.7.
Chapter 22 SSL User Screens Note: Uploading a file with the same name and file extension replaces the existing file on the file server. No warning message is displayed.
CHAPTER 23 ZyWALL SecuExtender The ZyWALL automatically loads the ZyWALL SecuExtender client program to your computer after a successful login to an SSL VPN tunnel with network extension support enabled. The ZyWALL SecuExtender lets you: • Access servers, remote desktops and manage files as if you were on the local network. • Use applications like e-mail, file transfer, and remote desktop programs directly without using a browser.
Chapter 23 ZyWALL SecuExtender Figure 222 ZyWALL SecuExtender Status The following table describes the labels in this screen. Table 121 ZyWALL SecuExtender Status LABEL DESCRIPTION Connection Status SecuExtender IP Address This is the IP address the ZyWALL assigned to this remote user computer for an SSL VPN connection. DNS Server 1/2 These are the IP addresses of the DNS server and backup DNS server for the SSL VPN connection.
Chapter 23 ZyWALL SecuExtender Figure 223 ZyWALL SecuExtender Log Example
################################################################################
[ 2009/03/12 13:35:50 ][SecuExtender Agent][DETAIL] Build Datetime: Feb 24 2009/ 10:25:07
[ 2009/03/12 13:35:50 ][SecuExtender Agent][DEBUG] rasphone.pbk: C:\Documents and Settings\11746\rasphone.pbk
[ 2009/03/12 13:35:50 ][SecuExtender Agent][DEBUG] SecuExtender.log: C:\Documents and Settings\11746\SecuExtender.
Chapter 23 ZyWALL SecuExtender Figure 224 Uninstalling the ZyWALL SecuExtender Confirmation 3 Windows uninstalls the ZyWALL SecuExtender.
CHAPTER 24 L2TP VPN 24.1 Overview L2TP VPN uses the L2TP and IPSec client software included in remote users’ Android, iOS, or Windows operating systems for secure connections to the network behind the ZyWALL. The remote users do not need their own IPSec gateways or third-party VPN client software. Figure 226 L2TP VPN Overview 24.1.1 What You Can Do in this Chapter • Use the L2TP VPN screen (see Section 24.2 on page 347) to configure the ZyWALL’s L2TP VPN settings. 24.1.
Chapter 24 L2TP VPN Using the Default L2TP VPN Connection The Default_L2TP_VPN_GW gateway entry is pre-configured to be convenient to use for L2TP VPN. Edit it as follows: • Set My Address to the WAN interface domain name or IP address you want to use. • Replace the default Pre-Shared Key with a long random value. The factory key is the same on every ZyWALL, so a tunnel that keeps it is authenticated by a value that anyone with access to another unit or its documentation already knows. Create a host-type address object containing the My Address IP address configured in the Default_L2TP_VPN_GW and set the Default_L2TP_VPN_Connection’s Local Policy to use it.
Chapter 24 L2TP VPN 24.2 L2TP VPN Screen Click Configuration > VPN > L2TP VPN to open the following screen. Use this screen to configure the ZyWALL’s L2TP VPN settings. Note: Disconnect any existing L2TP VPN sessions before modifying L2TP VPN settings. The remote users must make any needed matching configuration changes and reestablish the sessions using the new settings. Figure 228 Configuration > VPN > L2TP VPN The following table describes the fields in this screen.
Chapter 24 L2TP VPN Table 122 Configuration > VPN > L2TP VPN (continued) LABEL DESCRIPTION Authentication Server Certificate Select the certificate to use to identify the ZyWALL for L2TP VPN connections. You must have certificates already configured in the My Certificates screen (Click My Certificates and see Chapter 33 on page 413 for details). The certificate is used with the EAP, PEAP, and MSCHAPv2 authentication protocols.
CHAPTER 25 Bandwidth Management 25.1 Overview Bandwidth management provides a convenient way to manage the use of various services on the network. It manages general protocols (for example, HTTP and FTP) and applies traffic prioritization to enhance the performance of delay-sensitive applications like voice and video. 25.1.1 What You Can Do in this Chapter Use the BWM screens (see Section 25.
Chapter 25 Bandwidth Management Connection and Packet Directions Bandwidth management looks at the connection direction, that is from which interface the connection was initiated and to which interface the connection is going. A connection has outbound and inbound packet flows. The ZyWALL controls the bandwidth of traffic of each flow as it is going out through an interface or VPN tunnel. • The outbound traffic flows from the connection initiator to the connection responder.
Chapter 25 Bandwidth Management Figure 230 LAN1 to WAN, Outbound 200 kbps, Inbound 500 kbps Bandwidth Management Priority • The ZyWALL gives bandwidth to higher-priority traffic first, until it reaches its configured bandwidth rate. • Then lower-priority traffic gets bandwidth. • The ZyWALL uses a fairness-based (round-robin) scheduler to divide bandwidth among traffic flows with the same priority.
Chapter 25 Bandwidth Management Figure 231 Bandwidth Management Behavior (BWM between 1000 kbps links) Configured Rate Effect In the following table the configured rates total less than the available bandwidth and maximize bandwidth usage is disabled, so both servers get their configured rate. Table 123 Configured Rate Effect POLICY CONFIGURED RATE MAX. B. U. (Maximize Bandwidth Usage)
Chapter 25 Bandwidth Management Priority and Over Allotment of Bandwidth Effect Server A has a configured rate that equals the total amount of available bandwidth and a higher priority. You should regard extreme over allotment of traffic with different priorities (as shown here) as a configuration error. Even though the ZyWALL still attempts to let all traffic get through and not be lost, regardless of its priority, server B gets almost no bandwidth with this configuration.
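The following Python is an added model, not ZyXEL code, of the scheduling rules described above: higher priority first up to the configured rate, round-robin fairness within a priority, and spare bandwidth handed to policies with Maximize Bandwidth Usage enabled. It reproduces the two table scenarios (configured rates within budget; one high-priority policy configured for the whole link) and goes one step further by showing what happens when maximize is enabled at equal and at different priorities. Priority numbering (1 = highest) and the traffic demands are assumptions made for the illustration.

```python
"""Added example (not ZyXEL code): a model of the bandwidth management rules
described in this chapter. ASSUMPTIONS: priority 1 is highest; each policy has a
constructed 'demand' (the traffic it would send if unconstrained)."""
from dataclasses import dataclass
from fractions import Fraction


@dataclass
class Policy:
    name: str
    priority: int           # ASSUMPTION: 1 is the highest priority
    rate_kbps: int          # configured rate for this direction
    demand_kbps: int        # offered traffic (constructed input)
    maximize: bool = False  # Maximize Bandwidth Usage: may use spare bandwidth


def fair_share(caps, total):
    """Water-filling that mimics a round-robin scheduler: split `total` evenly among
    the flows, never exceed a flow's cap, and hand what capped flows could not use
    back to the others."""
    alloc = {k: Fraction(0) for k in caps}
    active = [k for k, c in caps.items() if c > 0]
    remaining = Fraction(total)
    while active and remaining > 0:
        share = remaining / len(active)
        capped = []
        for k in active:
            give = min(share, caps[k] - alloc[k])
            alloc[k] += give
            remaining -= give
            if alloc[k] >= caps[k]:
                capped.append(k)
        if not capped:          # nobody hit a cap, so the whole share was consumed
            break
        active = [k for k in active if k not in capped]
    return alloc


def allocate(policies, available_kbps):
    """Return {policy name: kbps} for one interface direction."""
    remaining = Fraction(available_kbps)
    alloc = {p.name: Fraction(0) for p in policies}
    priorities = sorted({p.priority for p in policies})
    # Pass 1: guaranteed (configured) rates, highest priority first.
    for prio in priorities:
        if remaining <= 0:
            break
        group = [p for p in policies if p.priority == prio]
        caps = {p.name: Fraction(min(p.rate_kbps, p.demand_kbps)) for p in group}
        for name, kbps in fair_share(caps, remaining).items():
            alloc[name] += kbps
            remaining -= kbps
    # Pass 2: whatever is left goes to maximize policies, again by priority,
    # but only up to what they actually want to send.
    for prio in priorities:
        if remaining <= 0:
            break
        group = [p for p in policies if p.priority == prio and p.maximize]
        caps = {p.name: Fraction(p.demand_kbps) - alloc[p.name] for p in group}
        for name, kbps in fair_share(caps, remaining).items():
            alloc[name] += kbps
            remaining -= kbps
    return {name: float(kbps) for name, kbps in alloc.items()}


def within_budget():
    """Table 123 scenario: rates total less than the 1000 kbps link, maximize off."""
    return allocate([Policy("A", 1, 300, 800), Policy("B", 2, 400, 800)], 1000)


def over_allotment():
    """Server A's rate equals the whole link and has the higher priority: B is
    starved, which the manual calls a configuration error."""
    return allocate([Policy("A", 1, 1000, 1000), Policy("B", 2, 1000, 1000)], 1000)


def maximize_by_priority():
    """Both may borrow spare bandwidth; the higher priority takes it first."""
    return allocate([Policy("A", 1, 300, 800, True), Policy("B", 2, 400, 800, True)], 1000)


def maximize_same_priority():
    """Equal priority: the spare 300 kbps is split round-robin, 150 kbps each."""
    return allocate([Policy("A", 1, 300, 800, True), Policy("B", 1, 400, 800, True)], 1000)


if __name__ == "__main__":
    for scenario in (within_budget, over_allotment, maximize_by_priority, maximize_same_priority):
        print(f"{scenario.__name__:24} {scenario()}")
```

The model hands out whole kilobits per second; on the device the starved policy in the over-allotment case still gets "almost no" bandwidth rather than exactly none, which is the behaviour the text describes.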
Chapter 25 Bandwidth Management The following table describes the labels in this screen. See Section 25.2.1 on page 355 for more information as well. Table 127 Configuration > Bandwidth Management LABEL DESCRIPTION Enable BWM Select this check box to activate bandwidth management. Add Click this to create a new entry. Select an entry and click Add to create a new entry after the selected entry. Edit Select an entry and click this to be able to modify it.
Chapter 25 Bandwidth Management Table 127 Configuration > Bandwidth Management LABEL DESCRIPTION BWM In/Pri/Out/Pri This field shows the amount of bandwidth the traffic can use. In - This is how much inbound bandwidth, in kilobits per second, this policy allows the matching traffic to use. Inbound refers to the traffic the ZyWALL sends to a connection’s initiator. If “no” displays here, this policy does not apply bandwidth management for the inbound traffic.
Chapter 25 Bandwidth Management Figure 234 Configuration > Bandwidth Management > Add/Edit The following table describes the labels in this screen. Table 128 Configuration > Bandwidth Management LABEL DESCRIPTION Create new Object Use to configure any new settings objects that you need to use in this screen. Configuration Enable Select this check box to turn on this policy. Description Enter a description of this policy. It is not used elsewhere.
Chapter 25 Bandwidth Management Table 128 Configuration > Bandwidth Management LABEL DESCRIPTION Outgoing Interface Select the destination interface of the traffic to which this policy applies. Source Select a source address or address group to which this policy applies. Use Create new Object if you need to configure a new one. Select any if the policy is effective for every source. Destination Select a destination address or address group to which this policy applies.
Chapter 25 Bandwidth Management Table 128 Configuration > Bandwidth Management LABEL Outbound kbps DESCRIPTION Type how much outbound bandwidth, in kilobits per second, this policy allows the traffic to use. Outbound refers to the traffic the ZyWALL sends out from a connection’s initiator. If you enter 0 here, this policy does not apply bandwidth management for the matching traffic that the ZyWALL sends out from the initiator.
CHAPTER 26 Device HA 26.1 Overview Device HA lets a backup ZyWALL (B) automatically take over if the master ZyWALL (A) fails. Figure 235 Device HA Backup Taking Over for the Master 26.1.1 What You Can Do in this Chapter • Use the General screen (Section 26.2 on page 360) to configure device HA global settings, and see the status of each interface monitored by device HA. • Use the Active-Passive Mode screens (Section 26.3 on page 361) to use active-passive mode device HA.
Chapter 26 Device HA Note: Only ZyWALLs of the same model and firmware version can synchronize. Otherwise you must manually configure the master ZyWALL’s settings on the backup (by editing copies of the configuration files in a text editor for example). Finding Out More • See Section 26.5 on page 366 for device HA background/technical information. 26.1.3 Before You Begin • Configure a static IP address for each interface that you will have device HA monitor. 26.
Chapter 26 Device HA Table 129 Configuration > Device HA > General (continued) LABEL DESCRIPTION Management IP / Netmask This field displays the interface’s management IP address and subnet mask. You can use this IP address and subnet mask to access the ZyWALL whether it is in master or backup mode. Link Status This tells whether the monitored interface’s connection is down or up. HA Status The text before the slash shows whether the device is configured as the master or the backup role.
Chapter 26 Device HA Figure 238 Cluster IDs for Multiple Virtual Routers (ZyWALLs A, B, C and D; cluster IDs 1 and 2) Monitored Interfaces in Active-Passive Mode Device HA You can select which interfaces device HA monitors. If a monitored interface on the ZyWALL loses its connection, device HA has the backup ZyWALL take over. Enable monitoring for the same interfaces on the master and backup ZyWALLs.
Chapter 26 Device HA 26.3.1 Configuring Active-Passive Mode Device HA The Device HA Active-Passive Mode screen lets you configure general active-passive mode device HA settings, view and manage the list of monitored interfaces, and synchronize backup ZyWALLs. To access this screen, click Configuration > Device HA > Active-Passive Mode. The following table describes the labels in this screen. See Section 26.4 on page 365 for more information as well.
Chapter 26 Device HA Table 130 Configuration > Device HA > Active-Passive Mode (continued) LABEL DESCRIPTION Inactivate To turn off an entry, select it and click Inactivate. # This is the entry’s index number in the list. Status The activate (light bulb) icon is lit when the entry is active and dimmed when the entry is inactive. Interface This field identifies the interface. At the time of writing, Ethernet and bridge interfaces can be included in the active-passive mode virtual router.
Chapter 26 Device HA Table 130 Configuration > Device HA > Active-Passive Mode (continued) LABEL DESCRIPTION Apply This appears when the ZyWALL is currently using active-passive mode device HA. Click Apply to save your changes back to the ZyWALL. Reset Click Reset to return the screen to its last-saved settings. 26.
Chapter 26 Device HA The following table describes the labels in this screen. Table 131 Configuration > Device HA > Active-Passive Mode > Edit LABEL DESCRIPTION Enable Monitored Interface Select this to have device HA monitor the status of this interface’s connection. Interface Name This identifies the interface. Note: Do not connect the bridge interfaces on two ZyWALLs without device HA activated on both. Doing so could cause a broadcast storm.
Chapter 26 Device HA 2 Configure the bridge interface (Br0 {ge4, ge5}) on the master ZyWALL (A), set the bridge interface as a monitored interface, and activate device HA. 3 Configure the bridge interface (Br0 {ge4, ge5}) on the backup ZyWALL (B), set the bridge interface as a monitored interface, and activate device HA. 4 Connect the ZyWALLs.
Chapter 26 Device HA Second Option for Connecting the Bridge Interfaces on Two ZyWALLs Another option is to disable the bridge interfaces, connect the bridge interfaces, activate device HA, and finally reactivate the bridge interfaces as shown in the following example. 1 In this case the ZyWALLs are already connected, but the bridge interfaces have not been configured yet. Configure a bridge interface (Br0 {ge4, ge5}) on the master ZyWALL (A) but leave it disabled.
Chapter 26 Device HA 3 Enable the bridge interface (Br0 {ge4, ge5}) on the master ZyWALL (A) and then on the backup ZyWALL (B). 4 Connect the ZyWALLs. Synchronization During synchronization, the master ZyWALL sends the following information to the backup ZyWALL. • Startup configuration file (startup-config.conf) • Certificates (My Certificates, and Trusted Certificates) Synchronization does not change the device HA settings in the backup ZyWALL.
Chapter 26 Device HA • The backup ZyWALL cannot be the master. This refers to the actual role at the time of synchronization, not the role setting in the configuration screen.
CHAPTER 27 User/Group 27.1 Overview This chapter describes how to set up user accounts, user groups, and user settings for the ZyWALL. You can also set up rules that control when users have to log in to the ZyWALL before the ZyWALL routes traffic for them. 27.1.1 What You Can Do in this Chapter • The User screen (see Section 27.2 on page 373) provides a summary of all user accounts. • The Group screen (see Section 27.3 on page 376) provides a summary of all user groups.
Chapter 27 User/Group Note: The default admin account is always authenticated locally, regardless of the authentication method setting. (See Chapter 32 on page 409 for more information about authentication methods.) Ext-User Accounts Set up an ext-user account if the user is authenticated by an external server and you want to set up specific policies for this user in the ZyWALL. If you do not want to set up policies for this user, you do not have to set up an ext-user account.
Chapter 27 User/Group User Awareness By default, users do not have to log into the ZyWALL to use the network services it provides. The ZyWALL automatically routes packets for everyone. If you want to restrict network services that certain users can use via the ZyWALL, you can require them to log in to the ZyWALL first. The ZyWALL is then ‘aware’ of the user who is logged in and you can create ‘user-aware policies’ that define what services they can use. See Section 27.4.
Chapter 27 User/Group Table 133 Configuration > Object > User/Group (continued) LABEL DESCRIPTION User Type This field displays the types of user accounts the ZyWALL uses:
• admin - this user can look at and change the configuration of the ZyWALL
• limited-admin - this user can look at the configuration of the ZyWALL but cannot change it
• user - this user has access to the ZyWALL’s services and can also browse user-mode commands (CLI).
Description
Chapter 27 User/Group Figure 243 Configuration > User/Group > User > Add The following table describes the labels in this screen. Table 134 Configuration > User/Group > User > Add LABEL DESCRIPTION User Name Type the user name for this user account. You may use 1-31 alphanumeric characters, underscores(_), or dashes (-), but the first character cannot be a number. This value is case-sensitive. User names have to be different than user group names, and some words are reserved. See Section 27.2.1.
Chapter 27 User/Group Table 134 Configuration > User/Group > User > Add (continued) LABEL DESCRIPTION Lease Time If you select Use Default Settings in the Authentication Timeout Settings field, the default lease time is shown. If you select Use Manual Settings, you need to enter the number of minutes this user has to renew the current session before the user is logged out. You can specify 1 to 1440 minutes. You can enter 0 to make the number of minutes unlimited.
Chapter 27 User/Group Table 135 Configuration > Object > User/Group > Group (continued) LABEL DESCRIPTION Object References Select an entry and click Object References to open a screen that shows which settings use the entry. See Section 7.3.2 on page 122 for an example. # This field is a sequential value, and it is not associated with a specific user group. Group Name This field displays the name of each user group. Description This field displays the description for each user group.
Chapter 27 User/Group 27.4 The User/Group Setting Screen The Setting screen controls default settings, login settings, lockout settings, and other user settings for the ZyWALL. You can also use this screen to specify when users must log in to the ZyWALL before it routes traffic for them. To access this screen, login to the Web Configurator, and click Configuration > Object > User/ Group > Setting.
Chapter 27 User/Group Table 137 Configuration > Object > User/Group > Setting (continued) LABEL DESCRIPTION # This field is a sequential value, and it is not associated with a specific entry. User Type These are the kinds of user account the ZyWALL supports.
Chapter 27 User/Group Table 137 Configuration > Object > User/Group > Setting (continued) LABEL Maximum number per access account DESCRIPTION This field is effective when Limit ... for access account is checked. Type the maximum number of simultaneous logins by each access user.
Chapter 27 User/Group The following table describes the labels in this screen. Table 138 Configuration > Object > User/Group > Setting > Edit LABEL DESCRIPTION User Type This read-only field identifies the type of user account for which you are configuring the default settings.
• admin - this user can look at and change the configuration of the ZyWALL
• limited-admin - this user can look at the configuration of the ZyWALL but cannot change it.
Lease Time
Chapter 27 User/Group The following table describes the labels in this screen. Table 139 Web Configurator for Non-Admin Users LABEL DESCRIPTION User-defined lease time (max ... minutes) Access users can specify a lease time shorter than or equal to the one that you specified. The default value is the lease time that you specified. Renew Access users can click this button to reset the lease time, the amount of time remaining before the ZyWALL automatically logs them out.
Chapter 27 User/Group Figure 250 RADIUS Example: Keywords for User Attributes type=user;leaseTime=222;reauthTime=222 Creating a Large Number of Ext-User Accounts If you plan to create a large number of Ext-User accounts, you might use CLI commands, instead of the Web Configurator, to create the accounts. Extract the user names from the LDAP or RADIUS server, and create a shell script that creates the user accounts. See Chapter 39 on page 499 for more information about shell scripts.
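The keyword string in Figure 250 is what the ZyWALL reads from a RADIUS (or LDAP) user attribute to decide the account type and timeouts. The following Python is an added example, not ZyXEL code, of a strict parser for that format. It accepts only the user types named in this chapter (admin, limited-admin, user, ext-user) and applies the 0 or 1-1440 minute lease time range from the User Add screen; that the same range applies to reauthTime is an assumption, as are the sample strings.

```python
"""Added example (not ZyXEL code): strict parser for the 'type=...;leaseTime=...;
reauthTime=...' keyword string carried in a RADIUS/LDAP user attribute.
ASSUMPTIONS: user types limited to those named in this chapter; reauthTime uses
the same 0 / 1-1440 minute range as leaseTime."""
import re
from dataclasses import dataclass
from typing import Optional

USER_TYPES = {"admin", "limited-admin", "user", "ext-user"}
MINUTE_KEYS = {"leaseTime", "reauthTime"}


class AttrError(ValueError):
    """Raised for anything the parser will not accept. A caller should then treat the
    attribute as absent and use the account's local defaults, never a partial result."""


@dataclass(frozen=True)
class UserAttrs:
    user_type: Optional[str] = None
    lease_time: Optional[int] = None    # minutes; 0 means unlimited
    reauth_time: Optional[int] = None   # minutes; 0 means unlimited


def parse_minutes(key, raw):
    if not re.fullmatch(r"\d{1,4}", raw):
        raise AttrError(f"{key}: not a number: {raw!r}")
    minutes = int(raw)
    if minutes != 0 and not 1 <= minutes <= 1440:
        raise AttrError(f"{key}: {minutes} is outside 0 or 1-1440")
    return minutes


def parse_user_attrs(text):
    """Parse 'key=value;key=value'. Unknown, duplicated or malformed keywords are
    rejected outright rather than partially applied."""
    seen = {}
    for field in text.strip().split(";"):
        if not field:                  # tolerate a trailing ';'
            continue
        if "=" not in field:
            raise AttrError(f"malformed field {field!r}")
        key, value = (part.strip() for part in field.split("=", 1))
        if key != "type" and key not in MINUTE_KEYS:
            raise AttrError(f"unknown keyword {key!r}")
        if key in seen:
            raise AttrError(f"duplicate keyword {key!r}")
        seen[key] = value
    user_type = seen.get("type")
    if user_type is not None and user_type not in USER_TYPES:
        raise AttrError(f"unknown user type {user_type!r}")
    return UserAttrs(
        user_type=user_type,
        lease_time=parse_minutes("leaseTime", seen["leaseTime"]) if "leaseTime" in seen else None,
        reauth_time=parse_minutes("reauthTime", seen["reauthTime"]) if "reauthTime" in seen else None,
    )


def is_valid(text):
    """Convenience wrapper for callers that only need a yes/no answer."""
    try:
        parse_user_attrs(text)
        return True
    except AttrError:
        return False


if __name__ == "__main__":
    # Constructed samples: the manual's own example plus a few that must be refused.
    for sample in ("type=user;leaseTime=222;reauthTime=222", "type=admin;", "leaseTime=0",
                   "type=root", "leaseTime=2000", "type=user;type=admin", "leaseTime=22x"):
        print(f"{sample!r:45} -> {parse_user_attrs(sample) if is_valid(sample) else 'rejected'}")
```

Because the ZyWALL takes the account type from this attribute, whoever controls the authentication server, or its shared secret, decides who logs in as admin; refusing anything that does not parse exactly is cheaper than guessing what a malformed attribute meant.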
CHAPTER 28 Addresses 28.1 Overview Address objects can represent a single IP address or a range of IP addresses. Address groups are composed of address objects and other address groups. 28.1.1 What You Can Do in this Chapter • The Address screen (Section 28.2 on page 384) provides a summary of all addresses in the ZyWALL. Use the Address Add/Edit screen to create a new address or edit an existing one. • Use the Address Group summary screen (Section 28.
Chapter 28 Addresses Figure 251 Configuration > Object > Address > Address The following table describes the labels in this screen. See Section 28.2.1 on page 386 for more information as well. Table 141 Configuration > Object > Address > Address LABEL DESCRIPTION IPv4 Address Configuration Add Click this to create a new entry. Edit Double-click an entry or select it and click Edit to be able to modify the entry’s settings. Remove To remove an entry, select it and click Remove.
Chapter 28 Addresses Table 141 Configuration > Object > Address > Address (continued) LABEL DESCRIPTION Type This field displays the type of each address object. “INTERFACE” means the object uses the settings of one of the ZyWALL’s interfaces. IPv6 Address This field displays the IPv6 addresses represented by each address object. If the object’s settings are based on one of the ZyWALL’s interfaces, the name of the interface displays first followed by the object’s current address settings. 28.2.
Chapter 28 Addresses Table 142 IPv4 Address Configuration > Add/Edit (continued) LABEL DESCRIPTION OK Click OK to save your changes back to the ZyWALL. Cancel Click Cancel to exit this screen without saving your changes. 28.2.2 IPv6 Address Add/Edit Screen The Configuration > IPv6 Address Add/Edit screen allows you to create a new address or edit an existing one. To access this screen, go to the Address screen (see Section 28.
Chapter 28 Addresses 28.3 Address Group Summary Screen The Address Group screen provides a summary of all address groups. To access this screen, click Configuration > Object > Address > Address Group. Click a column’s heading cell to sort the table entries by that column’s criteria. Click the heading cell again to reverse the sort order. Figure 254 Configuration > Object > Address > Address Group The following table describes the labels in this screen. See Section 28.3.
Chapter 28 Addresses 28.3.1 Address Group Add/Edit Screen The Address Group Add/Edit screen allows you to create a new address group or edit an existing one. To access this screen, go to the Address Group screen (see Section 28.3 on page 388), and click either the Add icon or an Edit icon in the IPv4 Address Group Configuration or IPv6 Address Group Configuration section. Figure 255 IPv4/IPv6 Address Group Configuration > Add The following table describes the labels in this screen.
Chapter 29 Services 29.1 Overview Use service objects to define TCP applications, UDP applications, and ICMP messages. You can also create service groups to refer to multiple service objects in other features. 29.1.1 What You Can Do in this Chapter • Use the Service screens (Section 29.2 on page 391) to view and configure the ZyWALL’s list of services and their definitions. • Use the Service Group screens (Section 29.2 on page 391) to view and configure the ZyWALL’s list of service groups. 29.1.
Chapter 29 Services Service Objects and Service Groups Use service objects to define IP protocols. • TCP applications • UDP applications • ICMP messages • user-defined services (for other types of IP protocols) These objects are used in policy routes, firewall rules. Use service groups when you want to create the same rule for several services, instead of creating separate rules for each service. Service groups may consist of services and other service groups.
Chapter 29 Services The following table describes the labels in this screen. Table 146 Configuration > Object > Service > Service LABEL DESCRIPTION Add Click this to create a new entry. Edit Double-click an entry or select it and click Edit to be able to modify the entry’s settings. Remove To remove an entry, select it and click Remove. The ZyWALL confirms you want to remove it before doing so.
Chapter 29 Services 29.3 The Service Group Summary Screen The Service Group summary screen provides a summary of all service groups. In addition, this screen allows you to add, edit, and remove service groups. To access this screen, log in to the Web Configurator, and click Configuration > Object > Service > Service Group. Figure 258 Configuration > Object > Service > Service Group The following table describes the labels in this screen. See Section 29.3.1 on page 394 for more information as well.
Chapter 29 Services Table 148 Configuration > Object > Service > Service Group (continued) LABEL DESCRIPTION Family This field displays the address family that the service group supports, according to your configuration in the Service Group Add/Edit screen. There are three types of families: • IPv4 icon: supports IPv4 only • IPv6 icon: supports IPv6 only • IPv4/IPv6 icon: supports both IPv4 and IPv6 Name This field displays the name of each service group.
Chapter 29 Services Table 149 Configuration > Object > Service > Service Group > Edit (continued) LABEL DESCRIPTION Member List The Member list displays the names of the service and service group objects that have been added to the service group. The order of members is not important. Select items from the Available list that you want to be members and move them to the Member list.
Chapter 30 Schedules 30.1 Overview Use schedules to set up one-time and recurring schedules for policy routes and firewall rules. The ZyWALL supports one-time and recurring schedules. One-time schedules are effective only once, while recurring schedules usually repeat. Both types of schedules are based on the current date and time in the ZyWALL. Note: Schedules are based on the ZyWALL’s current date and time. 30.1.1 What You Can Do in this Chapter • Use the Schedule summary screen (Section 30.
Chapter 30 Schedules 30.2 The Schedule Summary Screen The Schedule summary screen provides a summary of all schedules in the ZyWALL. To access this screen, click Configuration > Object > Schedule. Figure 260 Configuration > Object > Schedule The following table describes the labels in this screen. See Section 30.2.1 on page 398 and Section 30.2.2 on page 399 for more information as well. Table 150 Configuration > Object > Schedule LABEL DESCRIPTION One Time Add Click this to create a new entry.
Chapter 30 Schedules 30.2.1 The One-Time Schedule Add/Edit Screen The One-Time Schedule Add/Edit screen allows you to define a one-time schedule or edit an existing one. To access this screen, go to the Schedule screen (see Section 30.2 on page 397), and click either the Add icon or an Edit icon in the One Time section. Figure 261 Configuration > Object > Schedule > Edit (One Time) The following table describes the labels in this screen.
Chapter 30 Schedules 30.2.2 The Recurring Schedule Add/Edit Screen The Recurring Schedule Add/Edit screen allows you to define a recurring schedule or edit an existing one. To access this screen, go to the Schedule screen (see Section 30.2 on page 397), and click either the Add icon or an Edit icon in the Recurring section. Figure 262 Configuration > Object > Schedule > Edit (Recurring) The Year, Month, and Day columns are not used in recurring schedules and are disabled in this screen.
Chapter 31 AAA Server 31.1 Overview You can use an AAA (Authentication, Authorization, Accounting) server to provide access control to your network. The AAA server can be an Active Directory, LDAP, or RADIUS server. Use the AAA Server screens to create and manage objects that contain settings for using AAA servers. You use AAA server objects in configuring ext-group-user user objects and authentication method objects (see Chapter 32 on page 409). 31.1.
Chapter 31 AAA Server Figure 264 RADIUS Server Network Example 31.1.3 ASAS ASAS (Authenex Strong Authentication System) is a RADIUS server that works with the One-Time Password (OTP) feature. Purchase a ZyWALL OTP package in order to use this feature. The package contains server software and physical OTP tokens (PIN generators). Do the following to use OTP. See the documentation included on the ASAS’ CD for details. 1 Install the ASAS server software on a computer.
Chapter 31 AAA Server • Directory Service (LDAP/AD) LDAP (Lightweight Directory Access Protocol)/AD (Active Directory) is a directory service that is both a directory and a protocol for controlling access to a network. The directory consists of a database specialized for fast information retrieval and filtering activities. You create and store user profile and login information on the external server.
Chapter 31 AAA Server Bind DN A bind DN is used to authenticate with an LDAP/AD server. For example, a bind DN of cn=zywallAdmin allows the ZyWALL to log into the LDAP/AD server using the user name zywallAdmin. The bind DN is used in conjunction with a bind password. When a bind DN is not specified, the ZyWALL will try to log in as an anonymous user. If the bind password is incorrect, the login will fail. 31.
Chapter 31 AAA Server Figure 267 Configuration > Object > AAA Server > Active Directory (or LDAP) > Add The following table describes the labels in this screen. Table 154 Configuration > Object > AAA Server > Active Directory (or LDAP) > Add LABEL DESCRIPTION Name Enter a descriptive name (up to 63 alphanumerical characters) for identification purposes. Description Enter the description of each server, if any. You can use up to 60 printable ASCII characters.
Chapter 31 AAA Server Table 154 Configuration > Object > AAA Server > Active Directory (or LDAP) > Add (continued) LABEL DESCRIPTION Base DN Specify the directory (up to 127 alphanumerical characters). For example, o=ZyXEL, c=US. This is only for LDAP. Use SSL Select Use SSL to establish a secure connection to the AD or LDAP server(s). Search time limit Specify the timeout period (between 1 and 300 seconds) before the ZyWALL disconnects from the AD or LDAP server.
Chapter 31 AAA Server 31.3 RADIUS Server Summary Use the RADIUS screen to manage the list of RADIUS servers the ZyWALL can use in authenticating users. Click Configuration > Object > AAA Server > RADIUS to display the RADIUS screen. Figure 268 Configuration > Object > AAA Server > RADIUS The following table describes the labels in this screen. Table 155 Configuration > Object > AAA Server > RADIUS LABEL DESCRIPTION Add Click this to create a new entry.
Chapter 31 AAA Server Figure 269 Configuration > Object > AAA Server > RADIUS > Add The following table describes the labels in this screen. Table 156 Configuration > Object > AAA Server > RADIUS > Add LABEL DESCRIPTION Name Enter a descriptive name (up to 63 alphanumerical characters) for identification purposes. Description Enter the description of each server, if any. You can use up to 60 printable ASCII characters. Server Address Enter the address of the RADIUS server.
Chapter 31 AAA Server Table 156 Configuration > Object > AAA Server > RADIUS > Add (continued) LABEL DESCRIPTION Group Membership Attribute A RADIUS server defines attributes for its accounts. Select the name and number of the attribute that the ZyWALL is to check to determine to which group a user belongs. If it does not display, select user-defined and specify the attribute’s number. This attribute’s value is called a group identifier; it determines to which group a user belongs.
Chapter 32 Authentication Method 32.1 Overview Authentication method objects set how the ZyWALL authenticates wireless clients, HTTP/HTTPS clients, and peer IPSec routers and clients (extended authentication). Configure authentication method objects to have the ZyWALL use the local user database, and/or the authentication servers and authentication server groups specified by AAA server objects. By default, user accounts created and stored on the ZyWALL are authenticated locally. 32.1.
Chapter 32 Authentication Method Figure 270 Example: Using Authentication Method in VPN 32.2 Authentication Method Objects Click Configuration > Object > Auth. Method to display the screen as shown. Note: You can create up to 16 authentication method objects. Figure 271 Configuration > Object > Auth. Method The following table describes the labels in this screen. Table 157 Configuration > Object > Auth. Method LABEL DESCRIPTION Add Click this to create a new entry.
Chapter 32 Authentication Method 2 Click Add. 3 Specify a descriptive name for identification purposes in the Name field. You may use 1-31 alphanumeric characters, underscores (_), or dashes (-), but the first character cannot be a number. This value is case-sensitive. For example, “My_Device”. 4 Click Add to insert an authentication method in the table. 5 Select a server object from the Method List drop-down list box. 6 You can add up to four server objects to the table.
Chapter 32 Authentication Method Table 158 Configuration > Object > Auth. Method > Add (continued) LABEL DESCRIPTION Move To change a method’s position in the numbered list, select the method and click Move to display a field to type a number for where you want to put it and press [ENTER] to move the rule to the number that you typed. The ordering of your methods is important as ZyWALL authenticates the users using the authentication methods in the order they appear in this screen.
Chapter 33 Certificates 33.1 Overview The ZyWALL can use certificates (also called digital IDs) to authenticate users. Certificates are based on public-private key pairs. A certificate contains the certificate owner’s identity and public key. Certificates provide a way to exchange public keys for use in authentication. 33.1.1 What You Can Do in this Chapter • Use the My Certificates screens (see Section 33.2 on page 416 to Section 33.2.
Chapter 33 Certificates 5 Additionally, Jenny uses her own private key to sign a message and Tim uses Jenny’s public key to verify the message. The ZyWALL uses certificates based on public-key cryptology to authenticate users attempting to establish a connection, not to encrypt the data that you send after establishing a connection. The method used to secure the data that you send through an established connection depends on the type of connection.
Chapter 33 Certificates • Binary PKCS#12: This is a format for transferring public key and private key certificates. The private key in a PKCS #12 file is within a password-encrypted envelope. The file’s password is not connected to your certificate’s public or private passwords. Exporting a PKCS #12 file creates this and you must provide it to decrypt the contents when you import the file into the ZyWALL. Note: Be careful not to convert a binary file to text during the transfer process.
Chapter 33 Certificates Figure 274 Certificate Details 4 Use a secure method to verify that the certificate owner has the same information in the Thumbprint Algorithm and Thumbprint fields. The secure method may vary based on your situation. Possible examples would be over the telephone or through an HTTPS connection. 33.2 The My Certificates Screen Click Configuration > Object > Certificate > My Certificates to open the My Certificates screen.
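The out-of-band thumbprint check in step 4 is easier when you can recompute the thumbprint yourself from the certificate file. The following script is an added example, not code from the guide or from ZyXEL: it decodes a PEM certificate to DER, hashes the DER bytes with the algorithm named in the Thumbprint Algorithm field, and compares the result with a thumbprint read from the screen while tolerating case and separator differences. The sample certificate bytes are constructed and are not a real certificate.

```python
"""Recompute a certificate thumbprint so it can be compared, out of band,
with the Thumbprint Algorithm / Thumbprint fields a certificate viewer shows."""
import base64
import hashlib
import hmac
import re

# Names an operator may read from a Thumbprint Algorithm field, mapped to
# hashlib digest names. Keys are matched case-insensitively.
SUPPORTED = {
    "md5": "md5",
    "sha1": "sha1", "sha-1": "sha1",
    "sha256": "sha256", "sha-256": "sha256",
}

_PEM_RE = re.compile(
    r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)


def pem_to_der(pem: str) -> bytes:
    """Extract the first certificate from PEM text and decode it to DER.
    The thumbprint is computed over the DER bytes, never over the PEM text,
    because line wrapping and line endings would change the hash."""
    match = _PEM_RE.search(pem)
    if not match:
        raise ValueError("no PEM CERTIFICATE block found")
    body = "".join(match.group(1).split())  # drop all whitespace
    try:
        return base64.b64decode(body, validate=True)
    except ValueError as exc:  # binascii.Error is a ValueError subclass
        raise ValueError(f"PEM body is not valid base64: {exc}") from exc


def thumbprint(der: bytes, algorithm: str) -> str:
    """Return the thumbprint as upper-case, colon-separated hex pairs."""
    name = SUPPORTED.get(algorithm.strip().lower())
    if name is None:
        raise ValueError(f"unsupported thumbprint algorithm: {algorithm!r}")
    digest = hashlib.new(name, der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def normalize(shown: str) -> str:
    """Strip separators and case differences introduced when a thumbprint
    is read aloud over the phone or pasted from a screen."""
    return re.sub(r"[^0-9A-Fa-f]", "", shown).upper()


def thumbprints_match(shown: str, computed: str) -> bool:
    """Compare two thumbprints after normalization, in constant time."""
    a, b = normalize(shown), normalize(computed)
    return len(a) == len(b) and hmac.compare_digest(a, b)


# Constructed stand-in for a DER certificate; NOT a real certificate.
# Replace SAMPLE_PEM with the file exported from the device.
SAMPLE_DER = b"constructed sample: not a real DER certificate"
SAMPLE_PEM = ("-----BEGIN CERTIFICATE-----\n"
              + base64.encodebytes(SAMPLE_DER).decode()
              + "-----END CERTIFICATE-----\n")

if __name__ == "__main__":
    der = pem_to_der(SAMPLE_PEM)
    for alg in ("SHA-1", "SHA-256"):
        print(alg, thumbprint(der, alg))
```

A mismatch between the recomputed value and the one the certificate owner confirms means you are looking at a different certificate than they exported.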
Chapter 33 Certificates The following table describes the labels in this screen. Table 159 Configuration > Object > Certificate > My Certificates LABEL DESCRIPTION PKI Storage Space in Use This bar displays the percentage of the ZyWALL’s PKI storage space that is currently in use. When the storage space is almost full, you should consider deleting expired or unnecessary certificates before adding more certificates.
Chapter 33 Certificates Figure 276 Configuration > Object > Certificate > My Certificates > Add The following table describes the labels in this screen. Table 160 Configuration > Object > Certificate > My Certificates > Add LABEL DESCRIPTION Name Type a name to identify this certificate. You can use up to 31 alphanumeric and ;‘~!@#$%^&()_+[]{}’,.=- characters. Subject Information Use these fields to record information that identifies the owner of the certificate.
Chapter 33 Certificates Table 160 Configuration > Object > Certificate > My Certificates > Add (continued) LABEL DESCRIPTION Country Identify the nation where the certificate owner is located. You can use up to 31 characters. You can use alphanumeric characters, the hyphen and the underscore. Key Type Select RSA to use the Rivest, Shamir and Adleman public-key algorithm. Select DSA to use the Digital Signature Algorithm public-key algorithm.
Chapter 33 Certificates Figure 277 Configuration > Object > Certificate > My Certificates > Edit The following table describes the labels in this screen. Table 161 Configuration > Object > Certificate > My Certificates > Edit LABEL DESCRIPTION Name This field displays the identifying name of this certificate. You can use up to 31 alphanumeric and ;‘~!@#$%^&()_+[]{}’,.=- characters. Certification Path This field displays for a certificate, not a certification request.
Chapter 33 Certificates Table 161 Configuration > Object > Certificate > My Certificates > Edit (continued) LABEL DESCRIPTION Certificate Information These read-only fields display detailed information about the certificate. Type This field displays general information about the certificate. CA-signed means that a Certification Authority signed the certificate. Self-signed means that the certificate’s owner signed the certificate (not a certification authority). “X.
Chapter 33 Certificates Table 161 Configuration > Object > Certificate > My Certificates > Edit (continued) LABEL DESCRIPTION Export Certificate Only Use this button to save a copy of the certificate without its private key. Click this button and then Save in the File Download screen. The Save As screen opens, browse to the location that you want to use and click Save. Password If you want to export the certificate with its private key, create a password and type it here.
Chapter 33 Certificates The following table describes the labels in this screen. Table 162 Configuration > Object > Certificate > My Certificates > Import LABEL DESCRIPTION File Path Type in the location of the file you want to upload in this field or click Browse to find it. You cannot import a certificate with the same name as a certificate that is already in the ZyWALL. Browse Click Browse to find the certificate file you want to upload.
Chapter 33 Certificates Table 163 Configuration > Object > Certificate > Trusted Certificates (continued) LABEL DESCRIPTION Object References You cannot delete certificates that any of the ZyWALL’s features are configured to use. Select an entry and click Object References to open a screen that shows which settings use the entry. See Section 7.3.2 on page 122 for an example. # This field displays the certificate index number. The certificates are listed in alphabetical order.
Chapter 33 Certificates Figure 280 Configuration > Object > Certificate > Trusted Certificates > Edit
Chapter 33 Certificates The following table describes the labels in this screen. Table 164 Configuration > Object > Certificate > Trusted Certificates > Edit LABEL DESCRIPTION Name This field displays the identifying name of this certificate. You can change the name. You can use up to 31 alphanumeric and ;‘~!@#$%^&()_+[]{}’,.=- characters.
Chapter 33 Certificates Table 164 Configuration > Object > Certificate > Trusted Certificates > Edit (continued) LABEL DESCRIPTION Issuer This field displays identifying information about the certificate’s issuing certification authority, such as Common Name, Organizational Unit, Organization and Country. With self-signed certificates, this is the same information as in the Subject Name field. Signature Algorithm This field displays the type of algorithm that was used to sign the certificate.
Chapter 33 Certificates Note: You must remove any spaces from the certificate’s filename before you can import the certificate. Figure 281 Configuration > Object > Certificate > Trusted Certificates > Import The following table describes the labels in this screen. Table 165 Configuration > Object > Certificate > Trusted Certificates > Import LABEL DESCRIPTION File Path Type in the location of the file you want to upload in this field or click Browse to find it.
Chapter 34 ISP Accounts 34.1 Overview Use ISP accounts to manage Internet Service Provider (ISP) account information for PPPoE/PPTP interfaces. An ISP account is a profile of settings for Internet access using PPPoE or PPTP. Finding Out More • See Section 7.4 on page 125 for information about PPPoE/PPTP interfaces. 34.1.1 What You Can Do in this Chapter Use the Object > ISP Account screens (Section 34.2 on page 429) to create and manage ISP accounts in the ZyWALL. 34.
Chapter 34 ISP Accounts Table 166 Configuration > Object > ISP Account (continued) LABEL DESCRIPTION Profile Name This field displays the profile name of the ISP account. This name is used to identify the ISP account. Protocol This field displays the protocol used by the ISP account. Authentication Type This field displays the authentication type used by the ISP account. User Name This field displays the user name of the ISP account. 34.2.
Chapter 34 ISP Accounts Table 167 Configuration > Object > ISP Account > Edit (continued) LABEL DESCRIPTION Authentication Type Use the drop-down list box to select an authentication protocol for outgoing calls. Options are: CHAP/PAP - Your ZyWALL accepts either CHAP or PAP when requested by this remote node. Chap - Your ZyWALL accepts CHAP only. PAP - Your ZyWALL accepts PAP only. MSCHAP - Your ZyWALL accepts MSCHAP only. MSCHAP-V2 - Your ZyWALL accepts MSCHAP-V2 only.
Chapter 35 SSL Application 35.1 Overview You use SSL application objects in SSL VPN. Configure an SSL application object to specify the type of application and the address of the local computer, server, or web site SSL users are to be able to access. You can apply one or more SSL application objects in the VPN > SSL VPN screen for a user account/user group. 35.1.1 What You Can Do in this Chapter • Use the SSL Application screen (Section 35.
Chapter 35 SSL Application The LAN computer to be managed must have VNC (Virtual Network Computing) or RDP (Remote Desktop Protocol) server software installed. The remote user’s computer does not use VNC or RDP client software. The ZyWALL works with the following remote desktop connection software: RDP • Windows Remote Desktop (supported in Internet Explorer) VNC • RealVNC • TightVNC • UltraVNC For example, user A uses an SSL VPN connection to log into the ZyWALL.
Chapter 35 SSL Application Figure 285 Example: SSL Application: Specifying a Web Site for Access 35.2 The SSL Application Screen The main SSL Application screen displays a list of the configured SSL application objects. Click Configuration > Object > SSL Application in the navigation panel. Figure 286 Configuration > Object > SSL Application The following table describes the labels in this screen.
Chapter 35 SSL Application Table 168 Configuration > Object > SSL Application LABEL DESCRIPTION Address This field displays the IP address/URL of the application server or the location of a file share. Type This field shows whether the object is a file-sharing, web-server, Outlook Web Access, Virtual Network Computing, or Remote Desktop Protocol SSL application. 35.2.
Chapter 35 SSL Application Figure 288 Configuration > Object > SSL Application > Add/Edit: File Sharing The following table describes the labels in this screen. Table 169 Configuration > Object > SSL Application > Add/Edit: Web Application LABEL DESCRIPTION Create new Object Use this to configure any new settings objects that you need to use in this screen. Object Type Select Web Application or File Sharing from the drop-down list box.
Chapter 35 SSL Application Table 169 Configuration > Object > SSL Application > Add/Edit: Web Application (continued) LABEL DESCRIPTION Preview This field only appears when you choose Web Application as the object type. This field displays if the Server Type is set to Web Server, OWA or Weblink. Click Preview to access the URL you specified in a new IE web browser. Entry Point This field only appears when you choose Web Application as the object type.
Chapter 36 DHCPv6 36.1 Overview This chapter describes how to configure DHCPv6 request type and lease type objects. 36.1.1 What You Can Do in this Chapter • The Request screen (see Section 27.2 on page 373) allows you to configure DHCPv6 request type objects. • The Lease screen (see Section 27.3 on page 376) allows you to configure DHCPv6 lease type objects. 36.2 The DHCPv6 Request Screen The Request screen allows you to add, edit, and remove DHCPv6 request type objects.
Chapter 36 DHCPv6 Table 170 Configuration > Object > DHCPv6 > Request (continued) LABEL DESCRIPTION Type This field displays the request type of each request object. Interface This field displays the interface used for each request object. Value This field displays the value for each request object. 36.2.1 DHCPv6 Request Add/Edit Screen The Request Add/Edit screen allows you to create a new request object or edit an existing one. To access this screen, go to the Request screen (see Section 27.
Chapter 36 DHCPv6 Figure 291 Configuration > Object > DHCPv6 > Lease The following table describes the labels in this screen. Table 172 Configuration > Object > DHCPv6 > Lease LABEL DESCRIPTION Configuration Add Click this to create a new entry. Edit Double-click an entry or select it and click Edit to open a screen where you can modify the entry’s settings. Remove To remove an entry, select it and click Remove. The ZyWALL confirms you want to remove it before doing so.
Chapter 36 DHCPv6 The following table describes the labels in this screen. Table 173 Configuration > DHCPv6 > Lease > Add LABEL DESCRIPTION Name Type the name for this lease object. You may use 1-31 alphanumeric characters, underscores(_), or dashes (-), but the first character cannot be a number. This value is case-sensitive. Lease Type Select the lease type for this lease object. You can choose from Prefix Delegation, DNS Server, Address, Address Pool, NTP Server, or SIP Server.
Chapter 37 System 37.1 Overview Use the system screens to configure general ZyWALL settings. 37.1.1 What You Can Do in this Chapter • Use the System > Host Name screen (see Section 37.2 on page 444) to configure a unique name for the ZyWALL in your network. • Use the System > USB Storage screen (see Section 37.3 on page 444) to configure the settings for the connected USB devices. • Use the System > Date/Time screen (see Section 37.4 on page 445) to configure the date and time for the ZyWALL.
Chapter 37 System 37.2 Host Name A host name is the unique name by which a device is known on a network. Click Configuration > System > Host Name to open the Host Name screen. Figure 293 Configuration > System > Host Name The following table describes the labels in this screen. Table 174 Configuration > System > Host Name LABEL DESCRIPTION System Name Enter a descriptive name to identify your ZyWALL device. This name can be up to 64 alphanumeric characters long.
Chapter 37 System Figure 294 Configuration > System > USB Storage The following table describes the labels in this screen. Table 175 Configuration > System > USB Storage LABEL DESCRIPTION Activate USB storage service Select this if you want to use the connected USB device(s). Disk full warning when remaining space is less than Set a number and select a unit (MB or %) to have the ZyWALL send a warning message when the remaining USB storage space is less than the value you set here.
Chapter 37 System Figure 295 Configuration > System > Date and Time The following table describes the labels in this screen. Table 176 Configuration > System > Date and Time LABEL DESCRIPTION Current Time and Date Current Time This field displays the present time of your ZyWALL. Current Date This field displays the present date of your ZyWALL. Time and Date Setup Manual Select this radio button to enter the time and date manually.
Chapter 37 System Table 176 Configuration > System > Date and Time (continued) LABEL DESCRIPTION Get from Time Server Select this radio button to have the ZyWALL get the time and date from the time server you specify below. The ZyWALL requests time and date settings from the time server under the following circumstances. • When the ZyWALL starts up. • When you click Apply or Synchronize Now in this screen. • At 24-hour intervals after starting up.
Chapter 37 System 37.4.1 Pre-defined NTP Time Servers List When you turn on the ZyWALL for the first time, the date and time start at 2003-01-01 00:00:00. The ZyWALL then attempts to synchronize with one of the Network Time Protocol (NTP) time servers in the following pre-defined list. The ZyWALL continues to use this pre-defined list of NTP time servers if you do not specify a time server or if it cannot synchronize with the time server you specified. Table 177 Default Time Servers 0.pool.ntp.org 1.
Chapter 37 System 7 Click Apply. To get the ZyWALL date and time from a time server 1 Click System > Date/Time. 2 Select Get from Time Server under Time and Date Setup. 3 Under Time Zone Setup, select your Time Zone from the list. 4 As an option you can select the Enable Daylight Saving check box to adjust the ZyWALL clock for daylight savings. 5 Under Time and Date Setup, enter a Time Server Address (Table 177 on page 448). 6 Click Apply. 37.
Chapter 37 System 37.6 DNS Overview DNS (Domain Name System) is for mapping a domain name to its corresponding IP address and vice versa. The DNS server is extremely important because without it, you must know the IP address of a machine before you can access it. 37.6.1 DNS Server Address Assignment The ZyWALL can get the DNS server addresses in the following ways. • The ISP tells you the DNS server addresses, usually in the form of an information sheet, when you sign up.
Chapter 37 System The following table describes the labels in this screen. Table 179 Configuration > System > DNS LABEL DESCRIPTION Address/PTR Record This record specifies the mapping of a Fully-Qualified Domain Name (FQDN) to an IP address. An FQDN consists of a host and domain name. For example, www.zyxel.com.tw is a fully qualified domain name, where “www” is the host, “zyxel” is the third-level domain, “com” is the second-level domain, and “tw” is the top level domain.
Chapter 37 System Table 179 Configuration > System > DNS (continued) LABEL DESCRIPTION # This is the index number of the MX record. Domain Name This is the domain name where the mail is destined for. IP/FQDN This is the IP address or Fully-Qualified Domain Name (FQDN) of a mail server that handles the mail for the domain specified in the field above. Service Control This specifies from which computers and zones you can send DNS queries to the ZyWALL. Add Click this to create a new entry.
Chapter 37 System 37.6.5 Adding an Address/PTR Record Click the Add icon in the Address/PTR Record table to add an address/PTR record. Figure 299 Configuration > System > DNS > Address/PTR Record Edit The following table describes the labels in this screen. Table 180 Configuration > System > DNS > Address/PTR Record Edit LABEL DESCRIPTION FQDN Type a Fully-Qualified Domain Name (FQDN) of a server. An FQDN starts with a host name and continues all the way up to the top-level domain name.
Chapter 37 System Figure 300 Configuration > System > DNS > Domain Zone Forwarder Add The following table describes the labels in this screen. Table 181 Configuration > System > DNS > Domain Zone Forwarder Add LABEL DESCRIPTION Domain Zone A domain zone is a fully qualified domain name without the host. For example, zyxel.com.tw is the domain zone for the www.zyxel.com.tw fully qualified domain name. For example, whenever the ZyWALL needs to resolve a zyxel.com.
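The host/zone split from the Address/PTR Record description and the Domain Zone idea above, as an added Python example that is not part of the guide or of ZyXEL's firmware: it separates an FQDN into host and domain zone and picks the forwarder for a query name by matching configured zones only on label boundaries, so that a zone never captures names that merely end in the same characters. The forwarder addresses and the most-labels-wins tie-break are constructed assumptions for illustration.

```python
"""Domain zone matching for DNS forwarding: which configured zone, if any,
a query name belongs to, and the host/zone split of an FQDN."""
from typing import Dict, Optional, Tuple


def split_fqdn(fqdn: str) -> Tuple[str, str]:
    """Split an FQDN into (host, domain zone):
    www.zyxel.com.tw -> ('www', 'zyxel.com.tw')."""
    labels = fqdn.rstrip(".").lower().split(".")
    if len(labels) < 2 or any(not label for label in labels):
        raise ValueError(f"not a fully qualified domain name: {fqdn!r}")
    return labels[0], ".".join(labels[1:])


def select_forwarder(query_name: str, zone_forwarders: Dict[str, str],
                     default_forwarder: Optional[str] = None) -> Optional[str]:
    """Return the forwarder responsible for query_name.

    A zone matches only on label boundaries: zyxel.com.tw covers
    www.zyxel.com.tw and zyxel.com.tw itself, but not notzyxel.com.tw.
    When several zones match, the one with the most labels wins. That
    tie-break is an assumption of this example, not a description of how
    the ZyWALL orders its forwarders."""
    name = query_name.rstrip(".").lower()
    best_zone, best_forwarder = None, default_forwarder
    for zone, forwarder in zone_forwarders.items():
        z = zone.rstrip(".").lower()
        if name == z or name.endswith("." + z):
            if best_zone is None or z.count(".") > best_zone.count("."):
                best_zone, best_forwarder = z, forwarder
    return best_forwarder


# Constructed configuration using RFC 5737 documentation addresses.
ZONE_FORWARDERS = {
    "zyxel.com.tw": "192.0.2.53",  # resolver for the more specific zone
    "com.tw": "192.0.2.54",        # broader zone with fewer labels
}
DEFAULT_FORWARDER = "198.51.100.53"  # used when no zone matches

if __name__ == "__main__":
    print(split_fqdn("www.zyxel.com.tw"))
    for query in ("www.zyxel.com.tw", "notzyxel.com.tw", "host.example.org"):
        print(query, "->",
              select_forwarder(query, ZONE_FORWARDERS, DEFAULT_FORWARDER))
```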
Chapter 37 System Figure 301 Configuration > System > DNS > MX Record Add The following table describes the labels in this screen. Table 182 Configuration > System > DNS > MX Record Add LABEL DESCRIPTION Domain Name Enter the domain name where the mail is destined for. IP Address/FQDN Enter the IP address or Fully-Qualified Domain Name (FQDN) of a mail server that handles the mail for the domain specified in the field above. OK Click OK to save your customized settings and exit this screen.
Chapter 37 System 37.7 WWW Overview The following figure shows secure and insecure management of the ZyWALL coming in from the WAN. HTTPS and SSH access are secure. HTTP and Telnet access are not secure. Note: To allow the ZyWALL to be accessed from a specified computer using a service, make sure you do not have a service control rule or to-ZyWALL firewall rule to block that traffic. • See To-ZyWALL Rules on page 266 for more on To-ZyWALL firewall rules.
Chapter 37 System It relies upon certificates, public keys, and private keys (see Chapter 33 on page 413 for more information). HTTPS on the ZyWALL is used so that you can securely access the ZyWALL using the Web Configurator.
Chapter 37 System Figure 304 Configuration > System > WWW > Service Control The following table describes the labels in this screen. Table 184 Configuration > System > WWW > Service Control LABEL DESCRIPTION HTTPS Enable Select the check box to allow or disallow the computer with the IP address that matches the IP address(es) in the Service Control table to access the ZyWALL Web Configurator using secure HTTPS connections. Server Port The HTTPS server listens on port 443 by default.
Chapter 37 System Table 184 Configuration > System > WWW > Service Control (continued) LABEL DESCRIPTION Authenticate Client Certificates Select Authenticate Client Certificates (optional) to require the SSL client to authenticate itself to the ZyWALL by sending the ZyWALL a certificate. To do that the SSL client must have a CA-signed certificate from a CA that has been imported as a trusted CA on the ZyWALL (see Section 37.7.7.5 on page 467 on importing certificates for details).
Table 184 Configuration > System > WWW > Service Control (continued)
Edit: Double-click an entry or select it and click Edit to modify the entry’s settings.
Remove: To remove an entry, select it and click Remove. The ZyWALL confirms that you want to remove it before doing so. Note that subsequent entries move up by one when you take this action.
The following table describes the labels in this screen.
Table 185 Configuration > System > Service Control Rule > Edit
Create new Object: Use this to configure any new settings objects that you need to use in this screen.
Address Object: Select ALL to allow or deny any computer to communicate with the ZyWALL using this service.
Figure 306 Configuration > System > WWW > Login Page
The following figures identify the parts you can customize in the login and access pages.
Figure 307 Login Page Customization (callouts: Logo, Title, Message (color of all text), Background, Note Message (last line of text))
Figure 308 Access Page Customization (callouts: Logo, Title, Message (color of all text), Note Message (last line of text), Window Background)
You can specify colors in one of the following ways:
• Click Color to display a screen of web-safe colors from which to choose.
• Enter the name of the desired color.
• Enter a pound sign (#) followed by the six-digit hexadecimal number that represents the desired color. For example, use “#000000” for black.
• Enter “rgb” followed by the red, green, and blue values in parentheses, separated by commas. For example, use “rgb(0,0,0)” for black.
Your desired color should display in the preview screen on the right after you click in another field, click Apply, or press [ENTER]. If your desired color does not display, your browser may not support it.
Table 186 Configuration > System > WWW > Login Page
Background: Set how the window’s background looks. To use a graphic, select Picture and upload a graphic. Specify the location and file name of the logo graphic or click Browse to locate it. The picture’s size cannot be over 438 x 337 pixels. Note: Use a GIF, JPG, or PNG of 100 kilobytes or less. To use a color, select Color and specify the color.
Apply: Click Apply to save your changes back to the ZyWALL.
Figure 310 Security Certificate 1 (Firefox)
Figure 311 Security Certificate 2 (Firefox)
37.7.7.3 Avoiding Browser Warning Messages
Here are the main reasons your browser displays warnings about the ZyWALL’s HTTPS server certificate and what you can do to avoid seeing the warnings:
• The issuing certificate authority of the ZyWALL’s HTTPS server certificate is not one of the browser’s trusted certificate authorities.
Figure 312 Login Screen (Internet Explorer)
37.7.7.5 Enrolling and Importing SSL Client Certificates
The SSL client needs a certificate if Authenticate Client Certificates is selected on the ZyWALL. You must have imported at least one trusted CA into the ZyWALL for Authenticate Client Certificates to be active (see the Certificates chapter for details).
Figure 314 CA Certificate Example
2 Click Install Certificate and follow the wizard as shown earlier in this appendix.
37.7.7.5.2 Installing Your Personal Certificate(s)
You need a password in advance. The CA may issue the password or you may have to specify it during the enrollment. Double-click the personal certificate given to you by the CA to produce a screen similar to the one shown next.
1 Click Next to begin the wizard.
Figure 315 Personal Certificate Import Wizard 1
2 The file name and path of the certificate you double-clicked should automatically appear in the File name text box. Click Browse if you wish to import a different certificate.
Figure 316 Personal Certificate Import Wizard 2
3 Enter the password given to you by the CA.
Figure 317 Personal Certificate Import Wizard 3
4 Have the wizard determine where the certificate should be saved on your computer, or select Place all certificates in the following store and choose a different location.
Figure 318 Personal Certificate Import Wizard 4
5 Click Finish to complete the wizard and begin the import process.
Figure 319 Personal Certificate Import Wizard 5
6 You should see the following screen when the certificate is correctly installed on your computer.
Figure 320 Personal Certificate Import Wizard 6
37.7.7.6 Using a Certificate When Accessing the ZyWALL Example
Use the following procedure to access the ZyWALL via HTTPS.
1 Enter ‘https://ZyWALL IP Address/’ in your browser’s web address field.
Figure 322 SSL Client Authentication
3 You next see the Web Configurator login screen.
Figure 323 Secure Web Configurator Login Screen
37.8 SSH
You can use SSH (Secure SHell) to securely access the ZyWALL’s command line interface. Specify which zones allow SSH access and from which IP addresses the access can come. SSH is a secure communication protocol that combines authentication and data encryption to provide secure encrypted communication between two hosts over an unsecured network.
Figure 324 SSH Communication Over the WAN Example
37.8.1 How SSH Works
The following figure is an example of how a secure connection is established between two remote hosts using SSH v1.
Figure 325 How SSH v1 Works Example
1 Host Identification: The SSH client sends a connection request to the SSH server. The server identifies itself with a host key. The client encrypts a randomly generated session key with the host key and server key and sends the result back to the server.
37.8.2 SSH Implementation on the ZyWALL
Your ZyWALL supports SSH versions 1 and 2 using RSA authentication and four encryption methods (AES, 3DES, Arcfour, and Blowfish). The SSH server is implemented on the ZyWALL for management using port 22 (by default).
37.8.3 Requirements for Using SSH
You must install an SSH client program on a client computer (Windows or Linux operating system) that is used to connect to the ZyWALL over SSH.
37.8.
Table 187 Configuration > System > SSH (continued)
Add: Click this to create a new entry. Select an entry and click Add to create a new entry after the selected entry. Refer to Table 185 on page 461 for details on the screen that opens.
Edit: Double-click an entry or select it and click Edit to modify the entry’s settings.
Remove: To remove an entry, select it and click Remove. The ZyWALL confirms that you want to remove it before doing so.
37.8.5.2 Example 2: Linux
This section describes how to access the ZyWALL using the OpenSSH client program that comes with most Linux distributions.
1 Test whether the SSH service is available on the ZyWALL. Enter “telnet 192.168.1.1 22” at a terminal prompt and press [ENTER]. The computer attempts to connect to port 22 on the ZyWALL (using the default IP address of 192.168.1.1). A message displays indicating the SSH protocol version supported by the ZyWALL.
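As an added example that is not part of this guide, the following Python script performs the same port-22 check as step 1 without telnet and interprets the identification string the ZyWALL sends back. The banner format and the meaning of protoversion 1.99 come from RFC 4253; the banners used in the test are constructed, and the default target address is the guide's 192.168.1.1.

```python
"""Read and interpret an SSH server's identification string.

Added example, not part of the ZyWALL User's Guide. It automates the
"telnet <ip> 22" check: the first line an SSH server sends has the form
"SSH-protoversion-softwareversion [comment]" (RFC 4253 section 4.2), and a
protoversion of "1.99" means a v2 server that also accepts SSH v1 clients
(RFC 4253 section 5.1). A management interface that still accepts SSH v1
is worth a second look when reviewing remote access settings.
"""
import re
import socket
from typing import Dict, List

# SSH-protoversion-softwareversion [SP comment]; the comment is optional.
BANNER_RE = re.compile(
    r"^SSH-(?P<proto>\d+\.\d+)-(?P<software>\S+)(?: (?P<comment>.*))?$"
)


def parse_banner(line: str) -> Dict[str, object]:
    """Split one identification line into its fields and version flags."""
    line = line.rstrip("\r\n")
    match = BANNER_RE.match(line)
    if match is None:
        raise ValueError(f"not an SSH identification string: {line!r}")
    proto = match.group("proto")
    return {
        "proto": proto,
        "software": match.group("software"),
        "comment": match.group("comment"),
        # "1.x" is a v1 server; "1.99" is a v2 server that also accepts v1 clients.
        "accepts_v1": proto.startswith("1."),
        "accepts_v2": proto in ("2.0", "1.99"),
    }


def findings(line: str) -> List[str]:
    """Return review notes for a banner; an empty list means nothing to flag."""
    info = parse_banner(line)
    notes: List[str] = []
    if info["accepts_v1"] and not info["accepts_v2"]:
        notes.append("server only speaks SSH v1; restrict who can reach it "
                     "with service control rules and prefer v2 where available")
    elif info["accepts_v1"]:
        notes.append("protoversion 1.99: server still accepts SSH v1 clients")
    return notes


def fetch_banner(host: str, port: int = 22, timeout: float = 5.0) -> str:
    """Connect like `telnet host 22` and return the first line the server sends."""
    data = b""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        # The identification string is at most 255 bytes including CR LF.
        while not data.endswith(b"\n") and len(data) < 255:
            chunk = sock.recv(255 - len(data))
            if not chunk:
                break
            data += chunk
    return data.decode("ascii", errors="replace")


if __name__ == "__main__":
    import sys

    # Default is the ZyWALL's factory LAN address from the guide.
    target = sys.argv[1] if len(sys.argv) > 1 else "192.168.1.1"
    banner = fetch_banner(target)
    print(banner.strip())
    for note in findings(banner):
        print("note:", note)
```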
Figure 330 Configuration > System > TELNET
The following table describes the labels in this screen.
Table 188 Configuration > System > TELNET
Enable: Select the check box to allow or disallow the computer with the IP address that matches the IP address(es) in the Service Control table to access the ZyWALL CLI using this service.
37.10 FTP
You can upload and download the ZyWALL’s firmware and configuration files using FTP. To use this feature, your computer must have an FTP client. Please see Chapter 39 on page 499 for more information about firmware and configuration files.
37.10.1 Configuring FTP
To change your ZyWALL’s FTP settings, click the Configuration > System > FTP tab. The screen appears as shown. Use this screen to specify from which zones FTP can be used to access the ZyWALL.
Table 189 Configuration > System > FTP (continued)
Remove: To remove an entry, select it and click Remove. The ZyWALL confirms that you want to remove it before doing so. Note that subsequent entries move up by one when you take this action.
Move: To change an entry’s position in the numbered list, select the entry and click Move to display a field; type the number of the position where you want to put it and press [ENTER] to move the rule to that position.
Figure 332 SNMP Management Model
An SNMP managed network consists of two main types of components: agents and a manager. An agent is a management software module that resides in a managed device (the ZyWALL). An agent translates the local management information from the managed device into a form compatible with SNMP. The manager is the console through which network administrators perform network management functions. It executes applications that control and monitor managed devices.
statistical data and monitor status and performance. You can download the ZyWALL’s MIBs from www.zyxel.com.
37.11.2 SNMP Traps
The ZyWALL will send traps to the SNMP manager when any one of the following events occurs.
Table 190 SNMP Traps
Cold Start, OID 1.3.6.1.6.3.1.1.5.1: This trap is sent when the ZyWALL is turned on or an agent restarts.
linkDown, OID 1.3.6.1.6.3.1.1.5.3: This trap is sent when the Ethernet link is down.
linkUp, OID 1.3.6.1.6.3.1.1.5.
Figure 333 Configuration > System > SNMP
The following table describes the labels in this screen.
Table 191 Configuration > System > SNMP
Enable: Select the check box to allow or disallow the computer with the IP address that matches the IP address(es) in the Service Control table to access the ZyWALL using this service.
Table 191 Configuration > System > SNMP (continued)
#: This is the index number of the service control rule. The entry with a hyphen (-) instead of a number is the ZyWALL’s (non-configurable) default policy. The ZyWALL applies this to traffic that does not match any other configured rule. It is not an editable rule. To apply other behavior, configure a rule that the traffic will match so the ZyWALL does not have to use the default policy.
Figure 335 Configuration > System > IPv6
The following table describes the labels in this screen.
Table 193 Configuration > System > IPv6
Enable IPv6: Select this to have the ZyWALL support IPv6 and make IPv6 settings available on the screens of the functions that support it, such as the Configuration > Network > Interface > Ethernet, VLAN, and Bridge screens. The ZyWALL discards all IPv6 packets if you clear this check box.
CHAPTER 38 Log and Report
38.1 Overview
Use these screens to configure daily reporting and log settings.
38.1.1 What You Can Do in This Chapter
• Use the Email Daily Report screen (Section 38.2 on page 485) to configure where and how to send daily reports and what reports to send.
• Use the Log Setting screens (Section 38.3 on page 487) to specify settings for recording log messages and alerts, e-mailing them, storing them on a connected USB storage device, and sending them to remote syslog servers.
Figure 336 Configuration > Log & Report > Email Daily Report
The following table describes the labels in this screen.
Table 194 Configuration > Log & Report > Email Daily Report
Enable Email Daily Report: Select this to send reports by e-mail every day.
Mail Server: Type the name or IP address of the outgoing SMTP server.
Mail Subject: Type the subject line for the outgoing e-mail.
Table 194 Configuration > Log & Report > Email Daily Report (continued)
Password: This box is effective when you select the SMTP Authentication check box. Type the password to provide to the SMTP server when the log is e-mailed.
Retype to Confirm: Type the password again to make sure that you have entered it correctly.
Send Report Now: Click this button to have the ZyWALL send the daily e-mail report immediately.
Figure 337 Configuration > Log & Report > Log Setting
The following table describes the labels in this screen.
Table 195 Configuration > Log & Report > Log Setting
Edit: Double-click an entry or select it and click Edit to open a screen where you can modify it.
Activate: To turn on an entry, select it and click Activate.
Inactivate: To turn off an entry, select it and click Inactivate.
38.3.2 Edit System Log Settings
The Log Settings Edit screen controls the detailed settings for each log in the system log (which includes the e-mail profiles). Go to the Log Settings Summary screen (see Section 38.3.1 on page 487) and click the system log Edit icon.
The following table describes the labels in this screen.
Table 196 Configuration > Log & Report > Log Setting > Edit (System Log)
E-Mail Server 1/2
Active: Select this to send log messages and alerts according to the information in this section. You specify which kinds of log messages are included in log information, and which kinds are included in alerts, in the Active Log and Alert section.
Table 196 Configuration > Log & Report > Log Setting > Edit (System Log) (continued)
E-mail Server 2: Use the E-Mail Server 2 drop-down list to change the settings for e-mailing logs to e-mail server 2 for all log categories. Using the System Log drop-down list to disable all logs overrides your e-mail server 2 settings.
enable normal logs (green check mark): e-mail log messages for all categories to e-mail server 2.
Figure 339 Configuration > Log & Report > Log Setting > Edit (USB Storage)
ZyWALL 110/310/1100 Series User’s Guide
The following table describes the labels in this screen.
Table 197 Configuration > Log & Report > Log Setting > Edit (USB Storage)
Duplicate logs to USB storage (if ready): Select this to have the ZyWALL save a copy of its system logs to a connected USB storage device. Use the Active Log section to specify which kinds of messages to include.
Active Log
Selection: Use the Selection drop-down list to change the log settings for all of the log categories.
Figure 340 Configuration > Log & Report > Log Setting > Edit (Remote Server)
The following table describes the labels in this screen.
Table 198 Configuration > Log & Report > Log Setting > Edit (Remote Server)
Log Settings for Remote Server
Active: Select this check box to send log information according to the information in this section. You specify which kinds of messages are included in log information in the Active Log section.
Log Format: This field displays the format of the log information. It is read-only.
Figure 341 Log Category Settings
This screen provides a different view and a different way of indicating which messages are included in each log and each alert. Please see Section 38.3.2 on page 489, where this process is discussed. (The Default category includes debugging messages generated by open source software.
The following table describes the fields in this screen.
Table 199 Configuration > Log & Report > Log Setting > Log Category Settings
System Log: Use the System Log drop-down list to change the log settings for all of the log categories.
disable all logs (red X): do not log any information for any category for the system log or e-mail any logs to e-mail server 1 or 2.
Table 199 Configuration > Log & Report > Log Setting > Log Category Settings (continued)
System Log: Select which events you want to log by Log Category.
CHAPTER 39 File Manager
39.1 Overview
Configuration files define the ZyWALL’s settings. Shell scripts are files of commands that you can store on the ZyWALL and run when you need them. You can apply a configuration file or run a shell script without the ZyWALL restarting. You can store multiple configuration files and shell script files on the ZyWALL. You can edit configuration files or shell scripts in a text editor and upload them to the ZyWALL. Configuration files use a .
These files have the same syntax, which is also identical to the way you run CLI commands manually. An example is shown below.
Figure 342 Configuration File / Shell Script: Example
# enter configuration mode
configure terminal
# change administrator password
username admin password 4321 user-type admin
# configure ge3
interface ge3
ip address 172.23.37.240 255.255.255.0
ip gateway 172.23.37.
Line 3 in the following example exits sub command mode.
interface ge1
ip address dhcp
!
Lines 1 and 3 in the following example are comments and line 4 exits sub command mode.
!
interface ge1
# this interface is a DHCP client
!
Lines 1 and 2 are comments. Line 5 exits sub command mode.
Configuration File Flow at Restart
• If there is no startup-config.conf when you restart the ZyWALL (whether through a management interface or by physically turning the power off and back on), the ZyWALL uses the system-default.conf configuration file with the ZyWALL’s default settings.
• If there is a startup-config.conf, the ZyWALL checks it for errors and applies it. If there are no errors, the ZyWALL uses it and copies it to the lastgood.
The following table describes the labels in this screen.
Table 201 Maintenance > File Manager > Configuration File
Rename: Use this button to change the label of a configuration file on the ZyWALL. You can only rename manually saved configuration files. You cannot rename the lastgood.conf, system-default.conf and startup-config.conf files. You cannot rename a configuration file to the name of another configuration file in the ZyWALL.
Table 201 Maintenance > File Manager > Configuration File (continued)
Apply: Use this button to have the ZyWALL use a specific configuration file. Click a configuration file’s row to select it and click Apply to have the ZyWALL use that configuration file. The ZyWALL does not have to restart in order to use a different configuration file, although you will need to wait for a few minutes while the system reconfigures.
Table 201 Maintenance > File Manager > Configuration File (continued)
File Name: This column displays the label that identifies a configuration file. You cannot delete the following configuration files or change their file names. The system-default.conf file contains the ZyWALL’s default settings. Select this file and click Apply to reset all of the ZyWALL settings to the factory defaults. This configuration file is included when you upload a firmware package.
Figure 347 Maintenance > File Manager > Firmware Package
The following table describes the labels in this screen.
Table 202 Maintenance > File Manager > Firmware Package
Boot Module: This is the version of the boot module that is currently on the ZyWALL.
Current Version: This is the firmware version and the date created.
Released Date: This is the date that the version of the firmware was created.
Figure 350 Firmware Upload Error
39.4 The Shell Script Screen
Use shell script files to have the ZyWALL use commands that you specify. Use a text editor to create the shell script files. They must use a “.zysh” filename extension. Click Maintenance > File Manager > Shell Script to open the Shell Script screen. Use the Shell Script screen to store, name, download, upload and run shell script files. You can store multiple shell script files on the ZyWALL at the same time.
Each field is described in the following table.
Table 203 Maintenance > File Manager > Shell Script
Rename: Use this button to change the label of a shell script file on the ZyWALL. You cannot rename a shell script to the name of another shell script in the ZyWALL. Click a shell script’s row to select it and click Rename to open the Rename File screen.
Figure 352 Maintenance > File Manager > Shell Script > Rename
Specify the new name for the shell script file.
Table 203 Maintenance > File Manager > Shell Script (continued)
Upload Shell Script: The bottom part of the screen allows you to upload a new or previously saved shell script file from your computer to your ZyWALL.
File Path: Type in the location of the file you want to upload in this field or click Browse ... to find it.
Browse...: Click Browse... to find the .zysh file you want to upload.
Upload: Click Upload to begin the upload process.
CHAPTER 40 Diagnostics
40.1 Overview
Use the diagnostics screens for troubleshooting.
40.1.1 What You Can Do in This Chapter
• Use the Diagnostics screen (see Section 40.2 on page 510) to generate a file containing the ZyWALL’s configuration and diagnostic information if you need to provide it to customer support during troubleshooting.
• Use the Packet Capture screens (see Section 40.3 on page 512) to capture packets going through the ZyWALL.
• Use the Core Dump screens (see Section 40.
The following table describes the labels in this screen.
Table 204 Maintenance > Diagnostics
Filename: This is the name of the most recently created diagnostic file.
Last modified: This is the date and time that the last diagnostic file was created. The format is yyyy-mm-dd hh:mm:ss.
Size: This is the size of the most recently created diagnostic file.
Table 205 Maintenance > Diagnostics > Files (continued)
#: This column displays the number for each file entry. The total number of files that you can save depends on the file sizes and the available storage space.
File Name: This column displays the label that identifies the file.
Size: This column displays the size (in bytes) of a file.
Last Modified: This column displays the date and time that the individual files were saved.
40.
The following table describes the labels in this screen.
Table 206 Maintenance > Diagnostics > Packet Capture
Interfaces: Enabled interfaces (except for virtual interfaces) appear under Available Interfaces. Select interfaces for which to capture packets and click the right arrow button to move them to the Capture Interfaces list. Use the [Shift] and/or [Ctrl] key to select multiple objects.
IP Version: Select the version of IP for which to capture packets.
Table 206 Maintenance > Diagnostics > Packet Capture (continued)
Duration: Set a time limit in seconds for the capture. The ZyWALL stops the capture and generates the capture file when either this period of time has passed or the file reaches the size specified in the File Size field. 0 means there is no time limit.
File Suffix: Specify text to add to the end of the file name (before the dot and filename extension) to help you identify the packet capture files.
The following table describes the labels in this screen.
Table 207 Maintenance > Diagnostics > Packet Capture > Files
Remove: Select files and click Remove to delete them from the ZyWALL or the connected USB storage device. Use the [Shift] and/or [Ctrl] key to select multiple files. A pop-up window asks you to confirm that you want to delete.
Download: Click a file to select it and click Download to save it to your computer.
40.4.1 Core Dump Files Screen
Click Maintenance > Diagnostics > Core Dump > Files to open the core dump files screen. This screen lists the core dump files stored on the ZyWALL or a connected USB storage device. You may need to send these files to customer support for troubleshooting.
Figure 359 Maintenance > Diagnostics > Core Dump > Files
The following table describes the labels in this screen.
Figure 360 Maintenance > Diagnostics > System Log
The following table describes the labels in this screen.
Table 210 Maintenance > Diagnostics > System Log
Remove: Select files and click Remove to delete them from the ZyWALL. Use the [Shift] and/or [Ctrl] key to select multiple files. A pop-up window asks you to confirm that you want to delete.
Download: Click a file to select it and click Download to save it to your computer.
CHAPTER 41 Packet Flow Explore
41.1 Overview
Use this to get a clear picture of how the ZyWALL determines where to forward a packet and how it changes the source IP address of the packet according to your current settings. This function provides you a summary of all your routing and SNAT settings and helps troubleshoot any related problems.
41.1.1 What You Can Do in This Chapter
• Use the Routing Status screen (see Section 41.
Figure 361 Maintenance > Packet Flow Explore > Routing Status (Direct Route)
Figure 362 Maintenance > Packet Flow Explore > Routing Status (Policy Route)
Figure 363 Maintenance > Packet Flow Explore > Routing Status (1-1 SNAT)
Figure 364 Maintenance > Packet Flow Explore > Routing Status (SiteToSite VPN)
Figure 365 Maintenance > Packet Flow Explore > Routing Status (Dynamic VPN)
Figure 366 Maintenance > Packet Flow Explore > Routing Status (Static-Dynamic Route)
Figure 367 Maintenance > Packet Flow Explore > Routing Status (Default WAN Trunk)
Figure 368 Maintenance > Packet Flow Explore > Routing Status (Main Route)
The following table describes the labels in this screen.
Table 211 Maintenance > Packet Flow Explore > Routing Status
Routing Flow: This section shows you the flow of how the ZyWALL determines where to route a packet. Click a function box to display the related settings in the Routing Table section.
Routing Table: This section shows the corresponding settings according to the function box you click in the Routing Flow section.
Table 211 Maintenance > Packet Flow Explore > Routing Status (continued)
Outgoing: This is the name of an interface which transmits packets out of the ZyWALL.
Gateway: This is the IP address of the gateway in the same network as the outgoing interface.
The following fields are available if you click SiteToSite VPN or Dynamic VPN in the Routing Flow section.
#: This field is a sequential value, and it is not associated with any entry.
Figure 370 Maintenance > Packet Flow Explore > SNAT Status (1-1 SNAT)
Figure 371 Maintenance > Packet Flow Explore > SNAT Status (Loopback SNAT)
Figure 372 Maintenance > Packet Flow Explore > SNAT Status (Default SNAT)
The following table describes the labels in this screen.
Table 212 Maintenance > Packet Flow Explore > SNAT Status (continued)
Destination: This is the original destination IP address(es).
Outgoing: This is the outgoing interface that the SNAT rule uses to transmit packets.
SNAT: This is the source IP address(es) that the SNAT rule finally uses.
The following fields are available if you click Loopback SNAT in the SNAT Flow section.
#: This field is a sequential value, and it is not associated with any entry.
CHAPTER 42 Reboot
42.1 Overview
Use this to restart the device (for example, if the device begins behaving erratically). See also Section on page 31 for information on different ways to start and stop the ZyWALL.
42.1.1 What You Need To Know
If you applied changes in the Web Configurator, these were saved automatically and do not change when you reboot. If you made changes in the CLI, however, you have to use the write command to save the configuration before you reboot.
CHAPTER 43 Shutdown
43.1 Overview
Use this to shut down the device in preparation for disconnecting the power. See also Section on page 31 for information on different ways to start and stop the ZyWALL.
Always use the Maintenance > Shutdown > Shutdown screen or the “shutdown” command before you turn off the ZyWALL or remove the power. Not doing so can cause the firmware to become corrupt.
43.1.1 What You Need To Know
Shutdown writes all cached data to the local storage and stops the system processes.
CHAPTER 44 Troubleshooting
This chapter offers some suggestions to solve problems you might encounter.
• You can also refer to the logs (see Chapter 6 on page 100).
• For the order in which the ZyWALL applies its features and checks, see Chapter 41 on page 518.
None of the LEDs turn on.
Make sure that you have the power cord connected to the ZyWALL and plugged into an appropriate power source. Make sure you have the ZyWALL turned on. Check all cable connections.
I configured security settings but the ZyWALL is not applying them for certain interfaces.
Many security settings are usually applied to zones. Make sure you assign the interfaces to the appropriate zones. When you create an interface, there is no security applied on it until you assign it to a zone.
The ZyWALL is not applying the custom policy route I configured.
The ZyWALL checks the policy routes in the order that they are listed.
The interface’s IP address may have changed. To avoid this, create an IP address object based on the interface. This way the ZyWALL automatically updates every rule or setting that uses the object whenever the interface’s IP address settings change. For example, if you change LAN1’s IP address, the ZyWALL automatically updates the corresponding interface-based LAN1 subnet address object.
I cannot set up a PPP interface.
The ZyWALL is deleting some zipped files.
The ZyWALL cannot unzip password protected ZIP files or a ZIP file within another ZIP file. There are also limits to the number of ZIP files that the ZyWALL can concurrently unzip.
The ZyWALL routes and applies SNAT for traffic from some interfaces but not from others.
The ZyWALL automatically uses SNAT for traffic it routes from internal interfaces to external interfaces, for example LAN to WAN traffic.
subnets. See Asymmetrical Routes on page 268 and the chapter about interfaces for more information.
I cannot set up an IPSec VPN tunnel to another device.
If the IPSec tunnel does not build properly, the problem is likely a configuration error at one of the IPSec routers. Log into both ZyXEL IPSec routers and check the settings in each field methodically and slowly. Make sure both the ZyWALL and remote IPSec router have the same security settings for the VPN tunnel.
• Make sure regular firewall rules allow traffic between the VPN tunnel and the rest of the network. Regular firewall rules check packets the ZyWALL sends before the ZyWALL encrypts them and check packets the ZyWALL receives after the ZyWALL decrypts them. This depends on the zone to which you assign the VPN tunnel and the zone from which and to which traffic may be routed.
The default admin account is always authenticated locally, regardless of the authentication method setting. (See Chapter 31 on page 400 for more information about authentication methods.)
The ZyWALL fails to authenticate the ext-user user accounts I configured.
An external server such as AD, LDAP or RADIUS must authenticate the ext-user accounts. If the ZyWALL tries to use the local database to authenticate an ext-user, the authentication attempt will always fail.
• PEM (Base-64) encoded PKCS#7: This Privacy Enhanced Mail (PEM) format uses Base-64 encoding (uppercase letters, lowercase letters, numerals and the characters "+" and "/") to convert a binary PKCS#7 certificate into a printable form.
• Binary PKCS#12: This is a format for transferring public key and private key certificates. The private key in a PKCS#12 file is within a password-encrypted envelope. The file's password is independent of any password set on your certificate's public or private keys.
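The two container formats above are easiest to tell apart by their outer ASN.1 structure, which is also the quickest check when a certificate import fails. The following Python script is an added illustration, not ZyWALL code: it detects whether a file is PEM-armored or binary DER, then reads only the outer SEQUENCE and the tag of its first element to report a PKCS#12 PFX (begins with a version INTEGER), a PKCS#7 ContentInfo (begins with a content-type OID) or a bare X.509 certificate (begins with the tbsCertificate SEQUENCE). The sample blobs are constructed, minimal DER structures containing no real keys, and a truncated or padded file fails the length check.

```python
"""Sniff the certificate container formats discussed above.

Added example, not ZyWALL code.  The sample blobs are constructed, minimal
DER structures built inline (no real certificates or keys), so it runs offline.
"""
import base64
import re

# A PEM block: "-----BEGIN <LABEL>-----", Base-64 body, "-----END <LABEL>-----".
PEM_RE = re.compile(rb"-----BEGIN ([A-Z0-9 #]+)-----\s*(.*?)\s*-----END \1-----",
                    re.S)


def _der_header(buf: bytes, pos: int = 0):
    """Return (tag, length, header_size) of the DER TLV starting at pos.

    Accepts the short form and the long form (up to 4 length bytes); raises
    ValueError on truncation or an indefinite-length (non-DER) encoding.
    """
    if pos + 2 > len(buf):
        raise ValueError("truncated DER header")
    tag, first = buf[pos], buf[pos + 1]
    if first < 0x80:                                   # short form
        return tag, first, 2
    n = first & 0x7F                                   # long form: n bytes follow
    if n == 0 or n > 4 or pos + 2 + n > len(buf):
        raise ValueError("bad DER length encoding")
    return tag, int.from_bytes(buf[pos + 2:pos + 2 + n], "big"), 2 + n


def classify_der(der: bytes) -> str:
    """Name the container by the first element of its outer SEQUENCE.

    PFX         ::= SEQUENCE { version INTEGER, authSafe, ... }  -> tag 0x02
    ContentInfo ::= SEQUENCE { contentType OID, content [0] }     -> tag 0x06
    Certificate ::= SEQUENCE { tbsCertificate SEQUENCE, ... }     -> tag 0x30
    """
    tag, length, hdr = _der_header(der)
    if tag != 0x30:
        raise ValueError("not a DER SEQUENCE")
    if hdr + length != len(der):
        raise ValueError("DER length does not match data size (truncated or trailing bytes)")
    inner_tag, _, _ = _der_header(der, hdr)
    return {0x02: "PKCS#12", 0x06: "PKCS#7", 0x30: "X.509 certificate"}.get(
        inner_tag, "unknown SEQUENCE")


def classify_blob(data: bytes) -> str:
    """Classify a file's bytes as PEM or binary and report the container type."""
    m = PEM_RE.search(data)
    if m:
        label = m.group(1).decode("ascii")
        return f"PEM {label}: {classify_der(base64.b64decode(m.group(2)))}"
    return f"binary: {classify_der(data)}"


def is_well_formed(data: bytes) -> bool:
    """True when the outer DER structure parses and its length matches the file."""
    try:
        classify_blob(data)
        return True
    except ValueError:
        return False


def _der(tag: int, body: bytes) -> bytes:
    """Encode one DER TLV with the correct short or long length form."""
    if len(body) < 0x80:
        return bytes([tag, len(body)]) + body
    lb = len(body).to_bytes((len(body).bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + body


# Constructed samples: structurally minimal, carrying no real key material.
SAMPLE_PKCS12 = _der(0x30, _der(0x02, b"\x03") + _der(0x30, b""))   # PFX version 3
SAMPLE_X509 = _der(0x30, _der(0x30, b""))                             # empty tbsCertificate
SIGNED_DATA_OID = bytes.fromhex("2a864886f70d010702")                 # 1.2.840.113549.1.7.2
SAMPLE_PKCS7_DER = _der(0x30, _der(0x06, SIGNED_DATA_OID))
SAMPLE_PKCS7_PEM = (b"-----BEGIN PKCS7-----\n"
                    + base64.encodebytes(SAMPLE_PKCS7_DER)
                    + b"-----END PKCS7-----\n")

if __name__ == "__main__":
    for name, blob in [("pkcs12", SAMPLE_PKCS12), ("x509", SAMPLE_X509),
                       ("pkcs7-der", SAMPLE_PKCS7_DER), ("pkcs7-pem", SAMPLE_PKCS7_PEM),
                       ("truncated", SAMPLE_PKCS12[:-1])]:
        ok = is_well_formed(blob)
        print(f"{name:10} well-formed={ok}", classify_blob(blob) if ok else "")
```

Run it against the file you are about to import; a PEM label that does not match the structure inside the Base-64 body (for example a "CERTIFICATE" label wrapping a PKCS#12) or a length mismatch from a partial download explains most import failures before you start looking at passwords.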
• Your configuration files or shell scripts can use "exit" or a command line consisting of a single "!" to have the ZyWALL exit sub command mode.
• Include write commands in your scripts. Otherwise the changes will be lost when the ZyWALL restarts. You could use multiple write commands in a long script.
Note: "exit" or "!" must follow sub commands if it is to make the ZyWALL exit sub command mode. See Chapter 39 on page 499 for more on configuration files and shell scripts.
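Both pitfalls in the two points above (a sub command mode that is never exited, and changes that are never written) can be caught before a script is uploaded. The following Python checker is an added example, not ZyWALL code: it walks a script line by line, tracks how many sub command modes "exit" or "!" still have to close, and reports any configuration change that is not followed by a "write". Which command prefixes open a sub command mode is an assumption held in MODE_ENTERING; the two sample scripts are constructed, and their "ip address" lines stand in for whatever sub commands you actually use.

```python
"""Check a ZyWALL-style shell script for the two pitfalls noted above:
a sub command mode that is never exited, and changes never written to flash.

Added example, not ZyWALL code.  Which commands open a sub command mode is an
assumption (MODE_ENTERING); the sample scripts are constructed and their
"ip address" lines stand in for whatever sub commands you actually use.
"""

# Assumption: these prefixes open a sub command mode that "exit" or "!" closes.
# Extend the tuple for the command set of your firmware version.
MODE_ENTERING = ("configure terminal", "interface ")
# Read-only commands that change nothing and so need no "write" afterwards.
READ_ONLY = ("show ",)


def check_script(script: str, mode_entering=MODE_ENTERING):
    """Return a list of (line_no, message); an empty list means the script is clean."""
    findings = []
    open_modes = []          # line numbers of sub command modes still open
    unsaved = False          # configuration changed since the last "write"
    lines = script.splitlines()
    for no, raw in enumerate(lines, 1):
        line = raw.strip()
        if not line or line.startswith("#") or line.startswith(READ_ONLY):
            continue
        if line in ("exit", "!"):            # leave one level of sub command mode
            if open_modes:
                open_modes.pop()
            else:
                findings.append((no, "'exit' or '!' with no sub command mode open"))
        elif line == "write":                 # persist everything changed so far
            unsaved = False
        elif line.startswith(mode_entering):  # enter a sub command mode
            open_modes.append(no)
        else:                                 # any other command is a change
            unsaved = True
    for no in open_modes:
        findings.append((no, "sub command mode opened here is never exited with 'exit' or '!'"))
    if unsaved:
        findings.append((len(lines), "changes after the last 'write' are lost when the ZyWALL restarts"))
    return findings


# Constructed sample: two interface blocks, neither closed, and no "write".
BAD_SCRIPT = """\
configure terminal
interface lan1
ip address 192.168.10.1 255.255.255.0
interface lan2
ip address 192.168.20.1 255.255.255.0
"""

# Same intent: each block closed, configure mode exited, then saved.
GOOD_SCRIPT = """\
configure terminal
interface lan1
ip address 192.168.10.1 255.255.255.0
exit
interface lan2
ip address 192.168.20.1 255.255.255.0
!
exit
write
"""

if __name__ == "__main__":
    for name, text in (("bad", BAD_SCRIPT), ("good", GOOD_SCRIPT)):
        print(name, check_script(text) or "clean")
```

The checker treats "exit" and "!" identically, as the note above describes; it flags a stray "exit" at the top level because on a real session that would end the shell rather than leave a sub command mode.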
If you want to reboot the device without changing the current configuration, see Chapter 42 on page 525.
1 Make sure the SYS LED is on and not blinking.
2 Press the RESET button and hold it until the SYS LED begins to blink. (This usually takes about five seconds.)
3 Release the RESET button, and wait for the ZyWALL to restart.
You should be able to access the ZyWALL using the default settings.
APPENDIX A Legal Information
Copyright
Copyright © 2013 by ZyXEL Communications Corporation. The contents of this publication may not be reproduced in any part or as a whole, transcribed, stored in a retrieval system, translated into any language, or transmitted in any form or by any means, electronic, mechanical, magnetic, optical, chemical, photocopying, manual, or otherwise, without the prior written permission of ZyXEL Communications Corporation. Published by ZyXEL Communications Corporation.
Taiwanese BSMI (Bureau of Standards, Metrology and Inspection) Class A Warning
Notices
Changes or modifications not expressly approved by the party responsible for compliance could void the user's authority to operate the equipment.
This Class A digital apparatus complies with Canadian standard NMB-003. (Original: Cet appareil numérique de la classe A est conforme à la norme NMB-003 du Canada.)
• CAUTION: RISK OF EXPLOSION IF BATTERY (on the motherboard) IS REPLACED BY AN INCORRECT TYPE. DISPOSE OF USED BATTERIES ACCORDING TO THE INSTRUCTIONS.
• Dispose of them at the applicable collection point for the recycling of electrical and electronic equipment. For detailed information about recycling of this product, please contact your local city office, your household waste disposal service or the store where you purchased the product.
Appendix A Legal Information 540 ZyWALL 110/310/1100 Series User’s Guide
Index Index Symbols logging in 254 multiple logins 380 see also users 371 Web Configurator 381 access users, see also force user authentication policies Numbers account user 371, 438 3322 Dynamic DNS 215 accounting server 400 3DES 306 Active Directory, see AD 3G see also cellular 132 active protocol 310 AH 310 and encapsulation 311 ESP 310 6in4 tunneling 140 6to4 tunneling 141 active sessions 72, 75, 89 A AAA Base DN 402 Bind DN 403, 405 directory structure 402 Distinguished Name, see DN DN 402
Index address record 452 and WWW 460 create 410 example 409 admin user troubleshooting 533 admin users 371 multiple logins 379 see also users 371 authentication policy 253 exceptional services 255 Advanced Encryption Standard, see AES AES 306 Authentication, Authorization, Accounting servers, see AAA server AF 197 authorization server 400 authentication type 46, 431 AH 289, 310 and transport mode 311 alerts 490, 491, 493, 495, 496, 497 B ALG 233, 238 and firewall 233, 235 and NAT 233, 235 and po
Index signal quality 94, 95 SIM card 137 status 96 system 94, 95 troubleshooting 529 messages 24 popup window 24 Reference Guide 2 client 341 cluster ID 361 certificate troubleshooting 533 commands 20 sent by Web Configurator 24 Certificate Authority (CA) see certificates Common Event Format (CEF) 488, 495 Certificate Revocation List (CRL) 414 vs OCSP 428 computer names 120, 157, 169, 174, 348 certificates 413 advantages of 414 and CA 414 and FTP 478 and HTTPS 457 and IKE SA 310 and SSH 474 and syn
Index access user page 461 login page 461 pool 174 static DHCP 174 DHCP Unique IDentifier 107 D DHCPv6 438 DHCP Unique IDentifier 107 DHCPv6 Request 438 Data Encryption Standard, see DES diagnostics 510, 515 date 445 Diffie-Hellman key group 307 daylight savings 447 DiffServ 197 DDNS 215 backup mail exchanger 219 mail exchanger 219 service providers 215 troubleshooting 530 Digital Signature Algorithm public-key algorithm, see DSA Dead Peer Detection, see DPD direct routes 190 directory 400 dir
Index E egress bandwidth 137, 146 e-mail daily statistics report 485 Encapsulating Security Payload, see ESP encapsulation and active protocol 311 IPSec 289 transport mode 311 tunnel mode 311 VPN 311 encryption IPSec 289 RSA 421 encryption algorithms 306 3DES 306 AES 306 and active protocol 306 DES 306 encryption method 431 end-point security multiple objects 254 enforcing policies in IPSec 289 ESP 289, 310 and transport mode 311 Ethernet interfaces 104 and OSPF 111 and RIP 110 and routing protocols 109 ba
Index and address groups 479 and address objects 479 and certificates 478 and zones 479 signaling port 237 with Transport Layer Security (TLS) 478 full tunnel mode 317, 321 example 465 vs HTTP 457 with Internet Explorer 465 with Netscape Navigator 465 hub-and-spoke VPN, see VPN concentrator HyperText Transfer Protocol over Secure Socket Layer, see HTTPS Fully-Qualified Domain Name, see FQDN I G ICMP 390 Generic Routing Encapsulation, see GRE. IEEE 802.
Index status 72, 84, 85 troubleshooting 528 interfaces 103 and DNS servers 174 and HTTP redirect 232 and layer-3 virtualization 104 and NAT 224 and physical ports 104 and policy routes 194 and static routes 197 and VPN gateways 285 and zones 104 as DHCP relays 174 as DHCP servers 174, 444 backup, see trunks bandwidth management 173, 183, 184 bridge, see also bridge interfaces. cellular 104 DHCP clients 172 Ethernet, see also Ethernet interfaces.
Index and to-ZyWALL firewall 531 authentication algorithms 306 authentication key (manual keys) 312 destination NAT for inbound traffic 313 encapsulation 311 encryption algorithms 306 encryption key (manual keys) 312 local policy 310 manual keys 312 NAT for inbound traffic 312 NAT for outbound traffic 312 Perfect Forward Secrecy (PFS) 311 proposal 311 remote policy 310 search by name 98 search by policy 98 Security Parameter Index (SPI) (manual keys) 312 see also IPSec see also VPN source NAT for inbound t
Index Lightweight Directory Access Protocol, see LDAP troubleshooting 534 load balancing 177 algorithms 178, 182, 184 DNS inbound 247 least load first 178 round robin 179 see also trunks 177 session-oriented 178 spillover 180 weighted round robin 179 management access and device HA 359 local user database 401 metrics, see reports log troubleshooting 534 Microsoft Challenge-Handshake Authentication Protocol (MSCHAP) 431 Challenge-Handshake Authentication Protocol Version 2 (MSCHAP-V2) 431 Point-to-Po
Index port translation, see NAT traversal 309 priority 111 redistribute 203 redistribute type (cost) 205 routers, see OSPF routers virtual links 203 vs RIP 199, 201 NBNS 120, 157, 169, 174, 321 NetBIOS Broadcast over IPSec 288 Name Server, see NBNS. NetBIOS Name Server, see NBNS NetMeeting 238 see also H.
Index PIN code 137 and GRE 175 as VPN 175 PIN generator 401 pointer record 452 prefix delegation 107 Point-to-Point Protocol over Ethernet, see PPPoE.
Index FTP, see FTP see also service control 456 Telnet 476 to-ZyWALL firewall 266 WWW, see WWW remote network 281 remote user screen links 432 Routing Information Protocol, see RIP routing protocols 199 and authentication algorithms 209 and Ethernet interfaces 109 RSA 419, 421, 427 RTP 239 see also ALG 239 replay detection 288 reports collecting data 87 daily 485 daily e-mail 485 specifications 89 traffic statistics 86 reset 535 vs reboot 525 RESET button 535 RFC 1058 1389 1587 1631 1889 2131 2132 2328 2
Index SHA1 306 shell script troubleshooting 534 shell scripts 499 and users 383 downloading 508 editing 507 how applied 500 managing 507 syntax 500 uploading 509 shutdown 526 signal quality 94, 95 SIM card 137 Simple Network Management Protocol, see SNMP Simple Traversal of UDP through NAT, see STUN SIP 234, 238 ALG 233 and firewall 234 and RTP 239 media inactivity timeout 237 signaling inactivity timeout 237 signaling port 237 SNAT 197 troubleshooting 530 SNMP 479, 480 agents 480 and address groups 483 an
Index full tunnel mode 317 network access mode 18 remote desktop connections 432 see also SSL 317 troubleshooting 532 weblink 433 stac compression 431 startup-config.conf 505 and synchronization (device HA) 369 if errors 502 missing at restart 502 present at restart 502 startup-config-bad.
Index management access 534 packet capture 535 policy route 528 PPP 529 RADIUS server 532 routing 530 schedules 533 security settings 528 shell scripts 534 SNAT 530 SSL 532 SSL VPN 532 throughput rate 534 VLAN 529 VPN 532 zipped files 529 trunks 104, 177 and ALG 238 and policy routes 177, 194 member interface mode 183, 184 member interfaces 183, 184 see also load balancing 177 local user database 401 user awareness 373 User Datagram Protocol, see UDP user group objects 371, 438 user groups 371, 372, 438 a
Index Guest (type) 371 lease time 376 limited-admin (type) 371 lockout 380 reauthentication time 376 types of 371 user (type) 371 user names 374 V Vantage Report (VRPT) 488, 495 virtual interfaces 104, 170 basic characteristics 104 not DHCP clients 172 types of 170 vs asymmetrical routes 268 vs triangle routes 268 Virtual Local Area Network, see VLAN. Virtual Local Area Network. See VLAN.
Index WINS server 120, 348 Wizard Setup 33, 43 WWW 457 and address groups 461 and address objects 461 and authentication method objects 460 and certificates 459 and zones 461 see also HTTP, HTTPS 457 Z zipped files troubleshooting 529 zones 211 and firewall 265, 271 and FTP 479 and interfaces 211 and SNMP 483 and SSH 475 and Telnet 477 and VPN 211 and WWW 461 extra-zone traffic 212 inter-zone traffic 212 intra-zone traffic 212 types of traffic 211 ZyWALL 110/310/1100 Series User’s Guide 557