ZyWALL USG 50 Unified Security Gateway
User's Guide, Version 2.21, Edition 2, 11/2010, www.zyxel.com
Default Login Details: LAN ports P3, P4; IP address https://192.168.1.1; user name admin; password 1234. Change the default password the first time you log in (see Chapter 3); the default credentials are printed in this guide and are therefore public.
About This User's Guide Intended Audience This manual is intended for people who want to configure the ZyWALL using the Web Configurator. How To Use This Guide • Read Chapter 1 on page 31 for an overview of features available on the ZyWALL. • Read Chapter 3 on page 43 for web browser requirements and an introduction to the main components, icons and menus in the ZyWALL Web Configurator.
About This User's Guide • Web Configurator Online Help Click the help icon in any screen for help in configuring that screen and supplementary information. • ZyXEL Web Site Please refer to www.zyxel.com for additional support documentation and product certifications. User Guide Feedback Help us help you. Send all User Guide-related comments, questions or suggestions for improvement to the following address, or use e-mail instead. Thank you! The Technical Writing Team, ZyXEL Communications Corp.
About This User's Guide • Forum This contains discussions on ZyXEL products. Learn from others who use ZyXEL products and share your experiences as well. Customer Support Should problems arise that cannot be solved by the methods listed above, you should contact your vendor. If you cannot contact your vendor, then contact a ZyXEL office for the region in which you bought the device. See http://www.zyxel.com/web/contact_us.php for contact information.
Document Conventions Document Conventions Warnings and Notes These are how warnings and notes are shown in this User’s Guide. Warnings tell you about things that could harm you or your device. Note: Notes tell you other important information (for example, other things you may need to configure or helpful tips) or recommendations. Syntax Conventions • The ZyWALL may be referred to as the “ZyWALL”, the “device”, the “system” or the “product” in this User’s Guide.
Document Conventions Icons Used in Figures Figures in this User’s Guide may use the following generic icons. The ZyWALL icon is not an exact representation of your device.
Safety Warnings Safety Warnings • Do NOT use this product near water, for example, in a wet basement or near a swimming pool. • Do NOT expose your device to dampness, dust or corrosive liquids. • Do NOT store things on the device. • Do NOT install, use, or service this device during a thunderstorm. There is a remote risk of electric shock from lightning. • Connect ONLY suitable accessories to the device. • Do NOT open the device or unit.
Contents Overview
User's Guide  29
Introducing the ZyWALL  31
Features and Applications  37
Web Configurator
Addresses  599
Services  605
Schedules  611
AAA Server

Table of Contents
About This User's Guide  3
Document Conventions  6
Safety Warnings  8
Contents Overview
3.3.3 Main Window  52
3.3.4 Tables and Lists  54
Chapter 4 Installation Setup Wizard  59
4.1 Installation Setup Wizard Screens
6.4 Packet Flow  91
6.4.1 Routing Table Checking Flow  92
6.4.2 NAT Table Checking Flow  94
6.5 Feature Configuration Overview
7.3 How to Configure Load Balancing  115
7.3.1 Set Up Available Bandwidth on Ethernet Interfaces  115
7.3.2 Configure the WAN Trunk  116
7.4 How to Set Up an IPSec VPN Tunnel  118
8.1 Overview  157
8.1.1 What You Can Do in this Chapter  157
8.2 The Dashboard Screen  157
8.2.1 The CPU Usage Screen
10.1.1 What You Can Do in this Chapter  209
10.1.2 What You Need to Know  209
10.2 The Registration Screen  211
10.3 The Service Screen
13.2.1 Policy Route Edit Screen  287
13.3 IP Static Route Screen  291
13.3.1 Static Route Add/Edit Screen  292
13.4 Policy Routing Technical Reference
18.1 Overview  331
18.1.1 What You Can Do in this Chapter  331
18.1.2 What You Need to Know  332
18.2 The HTTP Redirect Screen
22.3 The Session Limit Screen  370
22.3.1 The Session Limit Add/Edit Screen  372
Chapter 23 IPSec VPN  375
23.1 IPSec VPN Overview
27.1 The ZyWALL SecuExtender Icon  433
27.2 Statistics  434
27.3 View Log  435
27.4 Suspend and Resume the Connection
30.4 The Profile Summary Screen  485
30.5 Creating New Profiles  486
30.5.1 Procedure To Create a New Profile  486
30.6 Profiles: Packet Inspection
32.4 Content Filter Profile Screen  540
32.5 Content Filter Categories Screen  540
32.5.1 Content Filter Blocked and Warning Messages  552
32.6 Content Filter Customization Screen  553
36.1.1 What You Can Do in this Chapter  599
36.1.2 What You Need To Know  599
36.2 Address Summary Screen  599
36.2.1 Address Add/Edit Screen  601
40.1.2 Before You Begin  627
40.1.3 Example: Selecting a VPN Authentication Method  627
40.2 Authentication Method Objects  628
40.2.1 Creating an Authentication Method Object
Chapter 45 System  675
45.1 Overview  675
45.1.1 What You Can Do in this Chapter  675
45.2 Host Name
45.11.1 Configuring Vantage CNM  720
45.12 Language Screen  722
Chapter 46 Log and Report  723
46.1 Overview
Chapter 51 Troubleshooting  759
51.1 Resetting the ZyWALL  773
51.2 Getting More Troubleshooting Help  774
Chapter 52 Product Specifications
PART I User's Guide
CHAPTER 1 Introducing the ZyWALL This chapter gives an overview of the ZyWALL. It explains the front panel ports, LEDs, introduces the management methods, and lists different ways to start or stop the ZyWALL. 1.1 Overview and Key Default Settings The ZyWALL is a comprehensive security device. Its flexible configuration helps network administrators set up the network and enforce security policies efficiently.
Chapter 1 Introducing the ZyWALL 1.2 Rack-mounted Installation The ZyWALL can be mounted on an EIA standard size, 19-inch rack or in a wiring closet with other equipment. Follow the steps below to mount your ZyWALL on a standard EIA rack using a rack-mounting kit. Make sure the rack will safely support the combined weight of all the equipment it contains and that the position of the ZyWALL does not make the rack unstable or top-heavy.
Chapter 1 Introducing the ZyWALL 3 After attaching both mounting brackets, position the ZyWALL in the rack by lining up the holes in the brackets with the appropriate holes on the rack. Secure the ZyWALL to the rack with the rack-mounting screws. Figure 2 Rack Mounting 1.3 Front Panel This section introduces the ZyWALL’s front panel. Figure 3 ZyWALL Front Panel 1.3.1 Front Panel LEDs The following table describes the LEDs.
Chapter 1 Introducing the ZyWALL Table 1 Front Panel LEDs (continued)
SYS, Green, Off: The ZyWALL is not ready or has failed.
SYS, Green, On: The ZyWALL is ready and running.
SYS, Green, Blinking: The ZyWALL is booting.
SYS, Red, On: The ZyWALL had an error or has failed.
Port LEDs 1, 2 ..., Green, Off: There is no traffic on this port.
Port LEDs 1, 2 ..., Green, Blinking: The ZyWALL is sending or receiving packets on this port.
Port LEDs 1, 2 ..., Orange, Off: There is no connection on this port.
Port LEDs 1, 2 ..., Orange, On: This port has a successful link.
Chapter 1 Introducing the ZyWALL Console Port You can use the console port to manage the ZyWALL using CLI commands. See the Command Reference Guide for more information about the CLI. The default settings for the console port are as follows.
Table 2 Console Port Default Settings
Speed: 115200 bps
Data Bits: 8
Parity: None
Stop Bit: 1
Flow Control: Off
1.5 Starting and Stopping the ZyWALL Here are some of the ways to start and stop the ZyWALL.
Chapter 1 Introducing the ZyWALL The ZyWALL does not stop or start the system processes when you apply configuration files or run shell scripts although you may temporarily lose access to network resources.
CHAPTER 2 Features and Applications This chapter introduces the main features and applications of the ZyWALL. 2.1 Features The ZyWALL’s security features include VPN, firewall, anti-virus, content filtering, IDP (Intrusion Detection and Prevention), ADP (Anomaly Detection and Protection), and certificates. It also provides bandwidth management, NAT, port forwarding, policy routing, DHCP server and many other powerful features.
Chapter 2 Features and Applications Firewall The ZyWALL's firewall is a stateful inspection firewall. The ZyWALL restricts access by screening data packets against defined access rules, and it tracks the state of each session so that return traffic is accepted only for sessions that were allowed to start. For example, traffic from one zone is not allowed unless it is initiated by a computer in another zone first. Intrusion Detection and Prevention (IDP) IDP can detect malicious or suspicious packets and respond in real time.
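The zone-based stateful behaviour described above, as an added example written for this guide (it is not ZyWALL firmware or ZLD configuration): a miniature packet filter in which access rules decide which zone pairs may open a session, and a session table then admits the replies. The zone names, addresses and packets are constructed.

```python
"""Added example: a miniature zone-based stateful packet filter.

Illustrative code written for this guide, not ZyWALL firmware or ZLD
configuration. Zone names, addresses and packets below are constructed.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src_zone: str
    dst_zone: str
    src: str
    sport: int
    dst: str
    dport: int
    proto: str = "tcp"


class StatefulZoneFirewall:
    """Access rules decide which zone pairs may *open* a session; a session
    table (connection tracking) then admits the replies of admitted sessions,
    even though the reverse zone pair has no rule of its own."""

    def __init__(self, allowed_zone_pairs):
        self.rules = set(allowed_zone_pairs)   # (from_zone, to_zone) allowed to initiate
        self.sessions = set()                  # 5-tuples of sessions already admitted

    @staticmethod
    def _key(p: Packet):
        return (p.proto, p.src, p.sport, p.dst, p.dport)

    @staticmethod
    def _reverse_key(p: Packet):
        return (p.proto, p.dst, p.dport, p.src, p.sport)

    def filter(self, p: Packet) -> str:
        if self._key(p) in self.sessions:
            return "allow-established"          # further packets of an admitted session
        if self._reverse_key(p) in self.sessions:
            return "allow-reply"                # return traffic of an admitted session
        if (p.src_zone, p.dst_zone) in self.rules:
            self.sessions.add(self._key(p))     # a new session the policy permits
            return "allow-new"
        return "drop"                           # unsolicited traffic with no matching rule


def demo():
    """LAN may initiate to WAN; WAN may not initiate to LAN (constructed traffic)."""
    fw = StatefulZoneFirewall({("LAN", "WAN")})
    outbound = Packet("LAN", "WAN", "192.168.1.100", 51000, "203.0.113.5", 443)
    reply = Packet("WAN", "LAN", "203.0.113.5", 443, "192.168.1.100", 51000)
    unsolicited = Packet("WAN", "LAN", "203.0.113.9", 40000, "192.168.1.100", 22)
    return [fw.filter(outbound), fw.filter(reply), fw.filter(unsolicited)]


if __name__ == "__main__":
    print(demo())
```

The reply from the WAN host is accepted only because the LAN host opened the session first; the unsolicited WAN packet to port 22 is dropped even though it is addressed to the same LAN host.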
Chapter 2 Features and Applications Anti-Virus Scanner With the anti-virus packet scanner, your ZyWALL scans files that pass through the enabled interfaces into the network. The ZyWALL helps stop threats at the network edge before they reach the local host computers. Anti-Spam The anti-spam feature can mark or discard spam. Use the white list to identify legitimate e-mail. Use the black list to identify spam e-mail.
Chapter 2 Features and Applications 2.2.1 VPN Connectivity Set up VPN tunnels with other companies, branch offices, telecommuters, and business travelers to provide secure access to your network. You can also set up additional connections to the Internet to provide better service. Figure 5 Applications: VPN Connectivity 2.2.2 SSL VPN Network Access You can configure the ZyWALL to provide SSL VPN network access to remote users.
Chapter 2 Features and Applications 2.2.2.1 Full Tunnel Mode In full tunnel mode, a virtual connection is created for remote users with private IP addresses in the same subnet as the local network. This allows them to access network resources in the same way as if they were part of the internal network. Figure 6 Network Access Mode: Full Tunnel Mode
Chapter 2 Features and Applications 2.2.3 User-Aware Access Control Set up security policies that restrict access to sensitive information and shared resources based on the user who is trying to access it. Figure 7 Applications: User-Aware Access Control 2.2.4 Multiple WAN Interfaces Set up multiple connections to the Internet on the same port, or set up multiple connections on different ports. In either case, you can balance the loads between them.
CHAPTER 3 Web Configurator The ZyWALL Web Configurator allows easy ZyWALL setup and management using an Internet browser. 3.1 Web Configurator Requirements In order to use the Web Configurator, you must • Use Internet Explorer 7 or later, or Firefox 1.5 or later • Allow pop-up windows (blocked by default in Windows XP Service Pack 2) • Enable JavaScript (enabled by default) • Enable Java permissions (enabled by default) • Enable cookies The recommended screen resolution is 1024 x 768 pixels.
Chapter 3 Web Configurator 2 Open your web browser, and go to http://192.168.1.1. By default, the ZyWALL redirects this request to its HTTPS server so that the login is encrypted; it is recommended to keep this setting. The Login screen appears. Figure 9 Login Screen 3 Type the user name (default: “admin”) and password (default: “1234”). If your account is configured to use an ASAS authentication server, use the OTP (One-Time Password) token to generate a number and enter it in the One-Time Password field.
Chapter 3 Web Configurator 5 The screen above appears every time you log in using the default user name and default password. If you change the password for the default user account, this screen does not appear anymore. Follow the directions in this screen. If you change the default password, the Login screen (Figure 9 on page 44) appears after you click Apply.
Chapter 3 Web Configurator The icons provide the following functions. Table 4 Title Bar: Web Configurator Icons
Logout: Click this to log out of the Web Configurator.
Help: Click this to open the help page for the current screen.
About: Click this to display basic information about the ZyWALL.
Site Map: Click this to see an overview of links to the Web Configurator screens.
Chapter 3 Web Configurator 3.3.2 Navigation Panel Use the menu items on the navigation panel to open screens to configure ZyWALL features. Click the arrow in the middle of the right edge of the navigation panel to hide the navigation panel menus or drag it to resize them. The following sections introduce the ZyWALL’s navigation panel menus and their screens. Figure 14 Navigation Panel 3.3.2.
Chapter 3 Web Configurator Table 6 Monitor Menu Screens Summary (continued)
AppPatrol > Statistics: Displays bandwidth and protocol statistics.
VPN Monitor > IPSec: Displays and manages the active IPSec SAs.
VPN Monitor > SSL: Lists users currently logged into the VPN SSL client portal. You can also log out individual users and delete related session information.
Anti-X Statistics > Anti-Virus: Collect and display statistics on the viruses that the ZyWALL has detected.
Chapter 3 Web Configurator Table 7 Configuration Menu Screens Summary (continued)
Interface > Port Role: Use this screen to set the ZyWALL’s flexible ports as LAN1 or DMZ.
Interface > Ethernet: Manage Ethernet interfaces and virtual Ethernet interfaces.
Interface > PPP: Create and manage PPPoE and PPTP interfaces.
Interface > Cellular: Configure a cellular Internet connection for an installed 3G card.
Interface > VLAN: Create and manage VLAN interfaces and virtual VLAN interfaces.
Chapter 3 Web Configurator Table 7 Configuration Menu Screens Summary (continued)
AppPatrol > General: Enable or disable traffic management by application and see registration and signature information.
AppPatrol > Common: Manage traffic of the most commonly used web, file transfer and e-mail protocols.
AppPatrol > IM: Manage instant messenger traffic.
AppPatrol > Peer to Peer: Manage peer-to-peer traffic.
AppPatrol > VoIP: Manage VoIP traffic.
AppPatrol > Streaming: Manage streaming traffic.
AppPatrol > Other: Manage other kinds of traffic.
Chapter 3 Web Configurator Table 7 Configuration Menu Screens Summary (continued)
Service > Service: Create and manage TCP and UDP services.
Service > Service Group: Create and manage groups of services.
Schedule: Create one-time and recurring schedules.
AAA Server > Active Directory-Default: Configure the default Active Directory settings.
AAA Server > Active Directory-Group: Create and manage groups of Active Directory servers.
AAA Server > LDAP-Default: Configure the default LDAP settings.
Chapter 3 Web Configurator Table 7 Configuration Menu Screens Summary (continued)
Email Daily Report: Configure where and how to send daily reports and what reports to send.
Log Setting: Configure the system log, e-mail logs, and remote syslog servers.
3.3.2.4 Maintenance Menu Use the maintenance menu screens to manage configuration and firmware files, run diagnostics, and reboot or shut down the ZyWALL.
Chapter 3 Web Configurator 3.3.3.2 Site Map Click Site Map to see an overview of links to the Web Configurator screens. Click a screen’s link to go to that screen. Figure 16 Site Map 3.3.3.3 Object Reference Click Object Reference to open the Object Reference screen. Select the type of object and the individual object and click Refresh to show which configuration settings reference the object.
Chapter 3 Web Configurator The fields vary with the type of object. The following table describes labels that can appear in this screen. Table 9 Object References
Object Name: This identifies the object for which the configuration settings that use it are displayed. Click the object’s name to display the object’s configuration screen in the main window.
#: This field is a sequential value, and it is not associated with any entry.
Chapter 3 Web Configurator 3.3.4.1 Manipulating Table Display Here are some of the ways you can manipulate the Web Configurator tables. 1 Click a column heading to sort the table’s entries according to that column’s criteria. Figure 19 Sorting Table Entries by a Column’s Criteria 2 Click the down arrow next to a column heading for more options about how to display the entries. The options available vary depending on the type of fields in the column.
Chapter 3 Web Configurator 3 Select a column heading cell’s right border and drag to re-size the column. Figure 21 Resizing a Table Column 4 Select a column heading and drag and drop it to change the column order. A green check mark displays next to the column’s title when you drag the column to a valid new location. Figure 22 Changing the Column Order 5 Use the icons and fields at the bottom of the table to navigate to different pages of entries and control how many entries display at a time.
Chapter 3 Web Configurator 3.3.4.2 Working with Table Entries The tables have icons for working with table entries. A sample is shown next. You can often use the [Shift] or [Ctrl] key to select multiple entries to remove, activate, or deactivate. Figure 24 Common Table Icons Here are descriptions for the most common table icons. Table 10 Common Table Icons LABEL DESCRIPTION Add Click this to create a new entry.
Chapter 3 Web Configurator you can also use the [Shift] or [Ctrl] key to select multiple entries, and then use the arrow button to move them to the other list.
CHAPTER 4 Installation Setup Wizard 4.1 Installation Setup Wizard Screens If you log into the Web Configurator when the ZyWALL is using its default configuration, the first Installation Setup Wizard screen displays. This wizard helps you configure Internet connection settings and activate subscription services. This chapter provides information on configuring the Web Configurator's installation setup wizard. See the feature-specific chapters in this User’s Guide for background information.
Chapter 4 Installation Setup Wizard The screens vary depending on the encapsulation type. Refer to information provided by your ISP to know what to enter in each field. Leave a field blank if you don’t have that information. Note: Enter the Internet access information exactly as your ISP gave it to you. Figure 27 Internet Access: Step 1 • I have two ISPs: Select this option to configure two Internet connections. Leave it cleared to configure just one.
Chapter 4 Installation Setup Wizard Note: Enter the Internet access information exactly as given to you by your ISP. Figure 28 Internet Access: Ethernet Encapsulation • Encapsulation: This displays the type of Internet connection you are configuring. • First WAN Interface: This is the number of the interface that will connect with your ISP. • Zone: This is the security zone to which this interface and Internet connection will belong. • IP Address: Enter your (static) public IP address.
Chapter 4 Installation Setup Wizard 4.1.3 Internet Access: PPPoE Note: Enter the Internet access information exactly as given to you by your ISP. Figure 29 Internet Access: PPPoE Encapsulation 4.1.3.1 ISP Parameters • Type the PPPoE Service Name from your service provider. PPPoE uses a service name to identify and reach the PPPoE server. You can use alphanumeric and _@$./ characters, and it can be up to 64 characters long.
Chapter 4 Installation Setup Wizard 4.1.3.2 WAN IP Address Assignments • WAN Interface: This is the name of the interface that will connect with your ISP. • Zone: This is the security zone to which this interface and Internet connection will belong. • IP Address: Enter your (static) public IP address. Auto displays if you selected Auto as the IP Address Assignment in the previous screen. • First / Second DNS Server: These fields display if you selected static IP address assignment.
Chapter 4 Installation Setup Wizard 4.1.5 ISP Parameters • Authentication Type - Select an authentication protocol for outgoing calls. Options are: • CHAP/PAP - Your ZyWALL accepts either CHAP or PAP when requested by the remote node. • CHAP - Your ZyWALL accepts CHAP only. • PAP - Your ZyWALL accepts PAP only. • MSCHAP - Your ZyWALL accepts MSCHAP only. • MSCHAP-V2 - Your ZyWALL accepts MSCHAP-V2 only. Note: PAP sends the user name and password in clear text over the link. If your ISP supports it, prefer MSCHAP-V2 or CHAP, and be aware that CHAP/PAP lets the remote node choose PAP. • Type the User Name given to you by your ISP. You can use alphanumeric and _@$.
Chapter 4 Installation Setup Wizard 4.1.6 Internet Access Setup - Second WAN Interface If you selected I have two ISPs, after you configure the First WAN Interface, you can configure the Second WAN Interface. The screens for configuring the second WAN interface are similar to the first (see Section 4.1.1 on page 59).
Chapter 4 Installation Setup Wizard 4.1.7 Internet Access - Finish You have set up your ZyWALL to access the Internet. After configuring the WAN interface(s), a screen displays with your settings. If they are not correct, click Back. Figure 32 Internet Access: Ethernet Encapsulation Note: If you have not already done so, you can register your ZyWALL with myZyXEL.com and activate trials of services like Content Filter. Click Next and use the following screen to perform a basic registration (see Section 4.
Chapter 4 Installation Setup Wizard Use the Registration > Service screen to update your service subscription status. Registration • Select new myZyXEL.com account if you haven’t created an account at myZyXEL.com, and configure the following fields to create an account and register your ZyWALL. • Select existing myZyXEL.com account if you already have an account at myZyXEL.com, and enter your user name and password in the fields below to register your ZyWALL.
Chapter 4 Installation Setup Wizard • Trial Service Activation: You can try a trial service subscription. The trial period starts the day you activate the trial. After the trial expires, you can buy an iCard and enter the license key in the Registration > Service screen to extend the service.
CHAPTER 5 Quick Setup 5.1 Quick Setup Overview The Web Configurator's quick setup wizards help you configure Internet and VPN connection settings. This chapter provides information on configuring the quick setup screens in the Web Configurator. See the feature-specific chapters in this User’s Guide for background information. In the Web Configurator, click Configuration > Quick Setup to open the first Quick Setup screen.
Chapter 5 Quick Setup 5.2 WAN Interface Quick Setup Click WAN Interface in the main Quick Setup screen to open the WAN Interface Quick Setup Wizard Welcome screen. Use these screens to configure an interface to connect to the internet. Click Next. Figure 35 WAN Interface Quick Setup Wizard 5.2.1 Choose an Ethernet Interface Select the Ethernet interface that you want to configure for a WAN connection and click Next. Figure 36 Choose an Ethernet Interface 5.2.
Chapter 5 Quick Setup Otherwise, choose PPPoE or PPTP for a dial-up connection according to the information from your ISP. Figure 37 WAN Interface Setup: Step 2 The screens vary depending on what encapsulation type you use. Refer to information provided by your ISP to know what to enter in each field. Leave a field blank if you don’t have that information. Note: Enter the Internet access information exactly as your ISP gave it to you. 5.2.
Chapter 5 Quick Setup • IP Address Assignment: Select Auto if your ISP did not assign you a fixed IP address. Select Static if the ISP assigned a fixed IP address. 5.2.4 WAN and ISP Connection Settings Use this screen to configure the ISP and WAN interface settings. This screen is read-only if you set the IP Address Assignment to Static. Note: Enter the Internet access information exactly as your ISP gave it to you.
Chapter 5 Quick Setup Table 11 WAN and ISP Connection Settings (continued)
Authentication Type: Use the drop-down list box to select an authentication protocol for outgoing calls. Options are:
CHAP/PAP - Your ZyWALL accepts either CHAP or PAP when requested by this remote node.
CHAP - Your ZyWALL accepts CHAP only.
PAP - Your ZyWALL accepts PAP only.
MSCHAP - Your ZyWALL accepts MSCHAP only.
MSCHAP-V2 - Your ZyWALL accepts MSCHAP-V2 only.
PAP sends the password in clear text; prefer MSCHAP-V2 or CHAP when your ISP supports it.
Chapter 5 Quick Setup Table 11 WAN and ISP Connection Settings (continued)
First DNS Server / Second DNS Server: These fields only display for an interface with a static IP address. Enter the DNS server IP address(es) in the field(s) to the right. Leave the field as 0.0.0.0 if you do not want to configure DNS servers. If you do not configure a DNS server, you must know the IP address of a machine in order to access it.
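What the Authentication Type choice in Section 4.1.5 and Table 11 means on the wire, as an added example written for this guide (not ZyWALL firmware, and not the ISP’s implementation): PAP as in RFC 1334 puts the password into the Authenticate-Request itself, while MD5 CHAP as in RFC 1994 sends only MD5(Identifier || secret || Challenge), so the secret never crosses the link. The user name and secret are constructed samples; MSCHAP and MSCHAP-V2 are not implemented here.

```python
"""Added example: what the PPP authentication choice puts on the wire.

Illustrative code written for this guide, not ZyWALL firmware. The user name
and secret are constructed samples. PAP follows RFC 1334; CHAP (MD5) follows
RFC 1994. MSCHAP and MSCHAP-V2 are not implemented here.
"""
import hashlib
import hmac
import os

SAMPLE_USER = "isp-user"                        # constructed, not a real account
SAMPLE_SECRET = "correct horse battery staple"  # constructed


def pap_authenticate_request(user: str, secret: str) -> bytes:
    """PAP Authenticate-Request data (RFC 1334 section 2.2.1): Peer-ID-Length,
    Peer-ID, Passwd-Length, Password. Anyone who can see the link reads it."""
    u, p = user.encode(), secret.encode()
    return bytes([len(u)]) + u + bytes([len(p)]) + p


def chap_md5_response(identifier: int, secret: str, challenge: bytes) -> bytes:
    """CHAP MD5 response value (RFC 1994 section 2):
    MD5(Identifier || secret || Challenge)."""
    return hashlib.md5(bytes([identifier & 0xFF]) + secret.encode() + challenge).digest()


def chap_authenticator_verify(identifier: int, secret: str, challenge: bytes,
                              response: bytes) -> bool:
    """The authenticator (ISP side) recomputes the response from its own copy of
    the secret; the secret itself never crosses the link."""
    expected = chap_md5_response(identifier, secret, challenge)
    return hmac.compare_digest(expected, response)


def chap_exchange(secret: str, identifier: int = 1, challenge: bytes = None):
    """One CHAP round: the authenticator sends a fresh challenge, the peer
    answers, the authenticator checks. Returns (bytes seen on the wire, verified)."""
    if challenge is None:
        challenge = os.urandom(16)              # freshness defeats replay of old responses
    response = chap_md5_response(identifier, secret, challenge)
    on_the_wire = bytes([identifier & 0xFF]) + challenge + response
    ok = chap_authenticator_verify(identifier, secret, challenge, response)
    return on_the_wire, ok


def secret_visible_on_wire(wire: bytes, secret: str) -> bool:
    """Does the secret appear verbatim in the captured bytes?"""
    return secret.encode() in wire


if __name__ == "__main__":
    pap_wire = pap_authenticate_request(SAMPLE_USER, SAMPLE_SECRET)
    chap_wire, ok = chap_exchange(SAMPLE_SECRET)
    print("PAP exposes secret:", secret_visible_on_wire(pap_wire, SAMPLE_SECRET))
    print("CHAP exposes secret:", secret_visible_on_wire(chap_wire, SAMPLE_SECRET),
          "verified:", ok)
```

CHAP keeps the secret off the link, but a captured challenge/response pair still allows an offline dictionary attack on a weak secret, and the authenticator must hold the clear-text secret to verify; MSCHAP-V2 additionally authenticates the server to the client. None of this replaces link-layer or VPN encryption for the traffic that follows authentication.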
Chapter 5 Quick Setup Table 12 Interface Wizard: Summary WAN
User Name: This is the user name given to you by your ISP.
Nailed-Up: If Yes displays, the connection is kept up permanently and does not time out. No means the ZyWALL uses the idle timeout.
Idle Timeout: This is how many seconds the connection can be idle before the router automatically disconnects from the PPPoE server. 0 means no timeout.
Connection ID: If you specified a connection ID, it displays here.
Chapter 5 Quick Setup 5.4 VPN Setup Wizard: Wizard Type A VPN (Virtual Private Network) tunnel is a secure connection to another computer or network. Use this screen to select which type of VPN connection you want to configure. Figure 42 VPN Setup Wizard: Wizard Type Express: Use this wizard to create a VPN connection with another ZLD-based ZyWALL using a pre-shared key and default security settings. Advanced: Use this wizard to configure detailed VPN security settings such as using certificates.
5.5 VPN Express Wizard - Scenario

Click the Express radio button as shown in Figure 42 on page 76 to display the following screen.

Figure 43 VPN Express Wizard: Step 2

Rule Name: Type the name used to identify this VPN connection (and VPN gateway). You may use 1-31 alphanumeric characters, underscores (_), or dashes (-), but the first character cannot be a number. This value is case-sensitive.

Select the scenario that best describes your intended VPN connection.
5.5.1 VPN Express Wizard - Configuration

Figure 44 VPN Express Wizard: Step 3

• Secure Gateway: If Any displays in this field, it is not configurable for the chosen scenario. If this field is configurable, enter the WAN IP address or domain name of the remote IPSec device (secure gateway); this identifies the remote IPSec router. Use 0.0.0.0 if the remote IPSec router has a dynamic WAN IP address.
• Pre-Shared Key: Type the password.
5.5.2 VPN Express Wizard - Summary

This screen provides a read-only summary of the VPN tunnel’s configuration and also commands that you can copy and paste into another ZLD-based ZyWALL’s command line interface to configure it.

Figure 45 VPN Express Wizard: Step 4

• Rule Name: Identifies the VPN gateway policy.
• Secure Gateway: IP address or domain name of the remote IPSec device. If this field displays Any, only the remote IPSec device can initiate the VPN connection.
5.5.3 VPN Express Wizard - Finish

Now you can use the VPN tunnel.

Figure 46 VPN Express Wizard: Step 6

Note: If you have not already done so, use the myZyXEL.com link to register your ZyWALL with myZyXEL.com and activate trials of services like Content Filter.

Click Close to exit the wizard.
5.5.4 VPN Advanced Wizard - Scenario

Click the Advanced radio button as shown in Figure 42 on page 76 to display the following screen.

Figure 47 VPN Advanced Wizard: Scenario

Rule Name: Type the name used to identify this VPN connection (and VPN gateway). You may use 1-31 alphanumeric characters, underscores (_), or dashes (-), but the first character cannot be a number. This value is case-sensitive.

Select the scenario that best describes your intended VPN connection.
• Remote Access (Client Role) - Choose this to connect to an IPSec server. This ZyWALL is the client (dial-in user) and can initiate the VPN tunnel.

5.5.5 VPN Advanced Wizard - Phase 1 Settings

There are two phases to every IKE (Internet Key Exchange) negotiation – phase 1 (Authentication) and phase 2 (Key Exchange). A phase 1 exchange establishes an IKE SA (Security Association).
that uses a 168-bit key. As a result, 3DES is more secure than DES. It also requires more processing power, resulting in increased latency and decreased throughput. AES128 uses a 128-bit key and is faster than 3DES. AES192 uses a 192-bit key and AES256 uses a 256-bit key.
• Authentication Algorithm: MD5 gives minimal security. SHA-1 gives higher security. MD5 (Message Digest 5) and SHA-1 (Secure Hash Algorithm) are hash algorithms used to authenticate packet data.
5.5.6 VPN Advanced Wizard - Phase 2

Phase 2 of an IKE negotiation uses the SA that was established in phase 1 to negotiate SAs for IPSec.

Figure 49 VPN Advanced Wizard: Step 4

• Active Protocol: ESP is compatible with NAT, AH is not.
• Encapsulation: Tunnel is compatible with NAT, Transport is not.
• Encryption Algorithm: 3DES and AES use encryption. The longer the AES key, the higher the security (this may affect throughput). Null uses no encryption.
5.5.7 VPN Advanced Wizard - Summary

This is a read-only summary of the VPN tunnel settings.

Figure 50 VPN Advanced Wizard: Step 5

• Rule Name: Identifies the VPN connection (and the VPN gateway).
• Secure Gateway: IP address or domain name of the remote IPSec device.
• Pre-Shared Key: VPN tunnel password.
• Certificate: The certificate the ZyWALL uses to identify itself when setting up the VPN tunnel.
5.5.8 VPN Advanced Wizard - Finish

Now you can use the VPN tunnel.

Figure 51 VPN Wizard: Step 6: Advanced

Note: If you have not already done so, you can register your ZyWALL with myZyXEL.com and activate trials of services like Content Filter.

Click Close to exit the wizard.
CHAPTER 6 Configuration Basics

This information is provided to help you configure the ZyWALL effectively. Some of it is helpful when you are just getting started. Some of it is provided for your reference when you configure various features in the ZyWALL.

• Section 6.1 on page 87 introduces the ZyWALL’s object-based configuration.
• Section 6.2 on page 88 introduces zones, interfaces, and port groups.
• Section 6.3 on page 91 introduces some terminology and organization for the ZyWALL.
• Section 6.
change an Ethernet interface’s IP address, the ZyWALL automatically updates the rules or settings that use the interface-based LAN subnet address object.

You can use the Configuration > Objects screens to create objects before you configure features that use them. If you are in a screen that uses objects, you can also usually select Create new Object to configure a new object. For a list of common objects, see Section 6.6 on page 105.
6.2.1 Interface Types

There are many types of interfaces in the ZyWALL. In addition to being used in various features, interfaces also describe the network that is directly connected to the ZyWALL.

• Ethernet interfaces are the foundation for defining other interfaces and network policies. You also configure RIP and OSPF in these interfaces.
• Port groups create a hardware connection between physical ports at the layer 2 (data link, MAC address) level.
Table 14 Default Network Topology

ZyWALL USG 50 Default Port, Interface, and Zone Configuration

PORT     INTERFACE    ZONE    IP ADDRESS AND DHCP SETTINGS        SUGGESTED USE WITH DEFAULT SETTINGS
P1, P2   wan1, wan2   WAN     DHCP clients                        Connections to the Internet
P3, P4   lan1         LAN1    192.168.1.1, DHCP server enabled    Protected LAN
P5       lan2         LAN2    192.168.2.1, DHCP server enabled    Protected LAN
P6       dmz          DMZ     192.168.3.
6.3 Terminology in the ZyWALL

This section highlights some terminology or organization for ZLD-based ZyWALLs.
Packet Flow

The packet flow is as follows:

• Automatic SNAT and WAN trunk routing for traffic going from internal to external interfaces (you don’t need to configure anything to allow LAN to WAN traffic). The ZyWALL automatically adds all of the external interfaces to the default WAN trunk. External interfaces include ppp and cellular interfaces as well as any Ethernet interfaces that are set as external interfaces.
of the sections, the ZyWALL stops checking the packets against the routing table and moves on to the other checks, for example the firewall check.

Figure 53 Routing Table Checking Flow

1 Direct-connected Subnets: The ZyWALL first checks to see if the packets are destined for an address in the same subnet as one of the ZyWALL’s interfaces.
4 Auto VPN Policy: The ZyWALL automatically creates these routing entries for the VPN rules. Disabling the IPSec VPN feature’s Use Policy Route to control dynamic IPSec rules option moves the routes for dynamic IPSec rules up above the policy routes (see Section 23.2 on page 378).
5 Static and Dynamic Routes: This section contains the user-configured static routes and the dynamic routing information learned from other routers through RIP and OSPF.
4 SNAT is also now performed by default and included in the NAT table.

6.5 Feature Configuration Overview

This section provides information about configuring the main features in the ZyWALL. The features are listed in the same sequence as the menu item(s) in the Web Configurator. Each feature description is organized as shown below.

6.5.1 Feature

This provides a brief description. See the appropriate chapter(s) in this User’s Guide for more information about any feature.
6.5.2 Licensing Registration

Use these screens to register your ZyWALL and subscribe to services like antivirus, IDP and application patrol, more SSL VPN tunnels, and content filtering. You must have Internet access to myZyXEL.com.

MENU ITEM(S): Configuration > Licensing > Registration
PREREQUISITES: Internet access to myZyXEL.com

6.5.
6.5.5 Trunks

Use trunks to set up load balancing using two or more interfaces.

MENU ITEM(S): Configuration > Network > Interface > Trunk
PREREQUISITES: Interfaces
WHERE USED: Policy routes
Example: See Chapter 7 on page 109.

6.5.6 Policy Routes

Use policy routes to override the ZyWALL’s default routing behavior in order to send packets through the appropriate interface or VPN tunnel.
8 For the Next Hop fields, select Interface as the Type if you have a single WAN connection or Trunk if you have multiple WAN connections.
9 Select the interface that you are using for your WAN connection (wan1 and wan2 are the default WAN interfaces). If you have multiple WAN connections, select the trunk.
10 Specify the amount of bandwidth FTP traffic can use. You may also want to set a low priority for FTP traffic.
6.5.9 DDNS

Dynamic DNS maps a domain name to a dynamic IP address. The ZyWALL helps maintain this mapping.

MENU ITEM(S): Configuration > Network > DDNS
PREREQUISITES: Interface

6.5.10 NAT

Use Network Address Translation (NAT) to make computers on a private network behind the ZyWALL available outside the private network. The ZyWALL only checks regular (through-ZyWALL) firewall rules for packets that are redirected by NAT; it does not check the to-ZyWALL firewall rules.
The ZyWALL does not check to-ZyWALL firewall rules for packets that are redirected by HTTP redirect. It does check regular (through-ZyWALL) firewall rules.

MENU ITEM(S): Configuration > Network > HTTP Redirect
PREREQUISITES: Interfaces

Example: Suppose you want HTTP requests from your LAN to go to an HTTP proxy server at IP address 192.168.3.80.
1 Click Configuration > Network > HTTP Redirect.
2 Add an entry.
3 Name the entry.
6.5.14 Firewall

The firewall controls the flow of traffic between or within zones. You can also configure the firewall to control traffic for NAT (DNAT) and policy routes (SNAT). You can configure firewall rules based on schedules, specific users (or user groups), source or destination addresses (or address groups) and services (or service groups). Each of these objects must be configured in a different screen. To-ZyWALL firewall rules control access to the ZyWALL.
6.5.15 IPSec VPN

Use IPSec VPN to provide secure communication between two sites over the Internet or any insecure network that uses TCP/IP for communication. The ZyWALL also offers hub-and-spoke VPN.

MENU ITEM(S): Configuration > VPN > IPSec VPN; you can also use the Quick Setup VPN Setup wizard.
2 Click AppPatrol > Peer to Peer to go to the application patrol configuration screen. Click the BitTorrent application patrol entry’s Edit icon.
• Set the default policy’s access to Drop.
• Add another policy.
• Select the user account that you created for Bob.
• You can leave the source, destination and log settings at the default.

Note: With this example, Bob would have to log in using his account.
6.5.21 Content Filter

Use content filtering to block or allow access to specific categories of web site content, individual web sites and web features (such as cookies). You can define which user accounts (or groups) can access what content and at what times. You must have a subscription in order to use the category-based content filtering. You can subscribe using the menu item or one of the wizards.
PREREQUISITES: Zones

6.6 Objects

Objects store information and are referenced by other features. If you update this information in response to changes, the ZyWALL automatically propagates the change through the features that use the object.

Move your cursor over a configuration object that has a magnifying-glass icon (such as a user group, address, address group, service, service group, zone, or schedule) to display basic information about the object.
6.6.1 User/Group

Use these screens to configure the ZyWALL’s administrator and user accounts. The ZyWALL provides the following user types.
Example: Suppose you want to allow an administrator to use HTTPS to manage the ZyWALL from the WAN.
1 Create an administrator account (Configuration > Object > User/Group).
2 Create an address object for the administrator’s computer (Configuration > Object > Address).
3 Click Configuration > System > WWW to configure the HTTP management access. Enable HTTPS and add an administrator service control entry.
• Select the address object for the administrator’s computer.
6.7.4 Diagnostics

The ZyWALL can generate a file containing the ZyWALL’s configuration and diagnostic information. It can also capture packets going through the ZyWALL’s interfaces so you can analyze them to identify network problems.

MENU ITEM(S): Maintenance > Diagnostics

6.7.5 Shutdown

Use this to shut down the device in preparation for disconnecting the power.
CHAPTER 7 Tutorials

Here are examples of using the Web Configurator to set up features in the ZyWALL.

Note: The tutorials featured here require a basic understanding of connecting to and using the Web Configurator; see Chapter 3 on page 43 for details. For field descriptions of individual screens, see Technical Reference on page 155.

7.
• Convert P5 (lan2) into a dmz interface. This dmz interface is used for a protected local network. It uses IP address 192.168.4.1 and has a DHCP server. Add it to the LAN zone so all of the LAN zone’s security policies apply to it.

Figure 55 Ethernet Interface, Port Roles, and Zone Configuration Example

7.1.1 Configure a WAN Ethernet Interface

You need to assign the ZyWALL’s wan1 interface a static IP address of 1.2.3.4.
Click Configuration > Network > Interface > Ethernet and double-click the wan1 interface’s entry. Select Use Fixed IP Address, configure the IP address, subnet mask, and default gateway settings, and click OK.

Figure 56 Configuration > Network > Interface > Ethernet > Edit wan1

7.1.2 Configure Port Roles

Here is how to convert port P5 from the lan2 interface and add it to the dmz interface.
1 Click Configuration > Network > Interface > Role.
1 Click Configuration > Network > Interface > Ethernet and double-click the lan2 interface’s entry. The Interface Type should be internal. Set the IP Address to 192.168.4.1 and the Subnet Mask to 255.255.255.0. Set DHCP to DHCP Server and click OK.

Figure 58 Configuration > Network > Interface > Ethernet > Edit lan2

7.1.4 Configure Zones

Do the following to create a VPN zone.
1 Click Configuration > Network > Zone and then the Add icon.
2 Enter VPN as the name, select WIZ_VPN_Connection, move it to the Member box and click OK.

Figure 59 Configuration > Network > Zone > WAN Edit

7.2 How to Configure a Cellular Interface

Use 3G cards for cellular WAN (Internet) connections. Table 241 on page 775 lists the compatible 3G devices. In this example you connect the 3G USB card before you configure the cellular interfaces, but it is also possible to reverse the sequence.
1 Make sure the 3G device’s SIM card is installed.
4 Enable the interface and add it to a zone. It is highly recommended that you set the Zone to WAN to apply your WAN zone security settings to this 3G connection. Leaving Zone set to none means the ZyWALL does not apply any security settings to the 3G connection. Enter the PIN Code provided by the cellular 3G service provider (0000 in this example).

Figure 61 Configuration > Network > Interface > Cellular > Edit

Note: The Network Selection is set to Auto by default.
6 The ZyWALL automatically adds the cellular interface to the system default WAN trunk. If the ZyWALL is using a user-configured trunk as its default trunk and you want this cellular interface to be part of it, use the Trunk screens to add it. This way the ZyWALL can automatically balance the traffic load amongst the available WAN connections to enhance overall network throughput. Plus, if a WAN connection goes down, the ZyWALL still sends traffic through the remaining WAN connections.
1 Click Configuration > Network > Interface > Ethernet and double-click the wan1 entry. Enter the available bandwidth (1000 kbps) in the Egress Bandwidth field. Click OK.

Figure 64 Configuration > Network > Interface > Ethernet > Edit (wan1)

2 Repeat the process to set the egress bandwidth for wan2 to 512 Kbps.

7.3.2 Configure the WAN Trunk

1 Click Configuration > Network > Interface > Trunk. Click the Add icon.
2 Name the trunk and set the Load Balancing Algorithm field to Weighted Round Robin. Add wan1 and enter 2 in the Weight column. Add wan2 and enter 1 in the Weight column. Click OK.
3 Select the trunk as the default trunk and click Apply.

Figure 66 Configuration > Network > Interface > Trunk

7.4 How to Set Up an IPSec VPN Tunnel

This example shows how to use the IPSec VPN configuration screens to create the following VPN tunnel; see Section 5.4 on page 76 for details on the VPN quick setup wizard.

Figure 67 VPN Example LAN LAN 1.2.3.4 192.168.1.0/24 2.2.2.2 172.16.1.
In this example, the ZyWALL is router X (1.2.3.4), and the remote IPSec router is router Y (2.2.2.2). Create the VPN tunnel between ZyWALL X’s LAN subnet (192.168.1.0/24) and the LAN subnet behind peer IPSec router Y (172.16.1.0/24).

7.4.1 Set Up the VPN Gateway

The VPN gateway manages the IKE SA. You do not have to set up any other objects before you configure the VPN gateway because this VPN tunnel does not use any certificates or extended authentication.
7.4.2 Set Up the VPN Connection

The VPN connection manages the IPSec SA. You have to set up the address objects for the local network and remote network before you can set up the VPN connection.
1 Click Configuration > Object > Address. Click the Add icon.
2 Give the new address object a name (“VPN_REMOTE_SUBNET”) and change the Address Type to SUBNET. Set the Network field to 172.16.1.0 and the Netmask to 255.255.255.0. Click OK.
4 Enable the VPN connection and name it (“VPN_CONN_EXAMPLE”). Under VPN Gateway select Site-to-site and the VPN gateway (VPN_GW_EXAMPLE). Under Policy, select LAN1_SUBNET for the local network and VPN_REMOTE_SUBNET for the remote. Click OK.

Figure 70 Configuration > VPN > IPSec VPN > VPN Connection > Add

5 Now set up the VPN settings on the peer IPSec router and try to establish the VPN tunnel.
7.5 How to Configure User-aware Access Control

You can configure many policies and security settings for specific users or groups of users. This is illustrated in the following example, where you will set up the following policies. This is a simple example that does not include priorities for different types of traffic. See Bandwidth Management on page 439 for more on bandwidth management.
2 Enter the same user name that is used in the RADIUS server, and set the User Type to ext-user because this user account is authenticated by an external server. Click OK.

Figure 71 Configuration > Object > User/Group > User > Add

3 Repeat this process to set up the remaining user accounts.

7.5.2 Set Up User Groups

Set up the user groups and assign the users to the user groups.
1 Click Configuration > Object > User/Group > Group. Click the Add icon.
2 Enter the name of the group that is used in the example in Table 18 on page 122. In this example, it is “Finance”. Then, select User/Leo and click the right arrow to move him to the Member list. This example only has one member in this group, so click OK. Of course you could add more members later.

Figure 72 Configuration > Object > User/Group > Group > Add

3 Repeat this process to set up the remaining user groups.

7.5.
1 Click Configuration > Object > AAA Server > RADIUS. Double-click the radius entry. Configure the RADIUS server’s address, authentication port (1812 if you were not told otherwise), and key, and click Apply.

Figure 73 Configuration > Object > AAA Server > RADIUS > Add

2 Click Configuration > Object > Auth. method. Double-click the default entry. Click the Add icon. Select group radius because the ZyWALL should use the specified RADIUS server for authentication. Click OK.
Note: The users will have to log in using the Web Configurator login screen before they can use HTTP or MSN.

Figure 75 Configuration > Object > User/Group > Setting > Add (Force User Authentication Policy)

When the users try to browse the web (or use any HTTP/HTTPS application), the Login screen appears. They have to log in using the user name and password in the RADIUS server.

7.5.
1 Click Configuration > AppPatrol. If application patrol and bandwidth management are not enabled, enable them, and click Apply.

Figure 76 Configuration > AppPatrol > General

2 Click the Common tab and double-click the http entry.
3 Double-click the Default policy.

Figure 78 Configuration > AppPatrol > Common > http

4 Change the access to Drop because you do not want anyone except authorized user groups to browse the web. Click OK.
5 Click the Add icon in the policy list. In the new policy, select one of the user groups that is allowed to browse the web and set the corresponding bandwidth restriction in the Inbound and Outbound fields. Click OK. Repeat this process to add exceptions for all the other user groups that are allowed to browse the web.

Figure 80 Configuration > AppPatrol > Common > http > Edit Default

7.5.
2 Give the schedule a descriptive name. Set up the days (Monday through Friday) and the times (8:30 - 18:00) when Sales is allowed to use MSN. Click OK.

Figure 81 Configuration > Object > Schedule > Add (Recurring)

3 Follow the steps in Section 7.5.4 on page 126 to set up the appropriate policies for MSN in application patrol. Make sure to specify the schedule when you configure the policy for the Sales group’s MSN access.

7.5.
2 Click the Add icon again and create a rule for one of the user groups that is allowed to access the DMZ.

Figure 83 Configuration > Firewall > Add

3 Repeat this process to set up firewall rules for the other user groups that are allowed to access the DMZ.

7.6 How to Use a RADIUS Server to Authenticate User Accounts Based on Groups

The previous example showed how to have a RADIUS server authenticate individual user accounts.
1 Click Configuration > Object > AAA Server > RADIUS. Double-click the radius entry. Besides configuring the RADIUS server’s address, authentication port, and key, set the Group Membership Attribute field to the attribute that the ZyWALL is to check to determine to which group a user belongs. This example uses Class. This attribute’s value is called a group identifier; it determines to which group a user belongs. In this example the values are Finance, Engineer, Sales, and Boss.
2 Now you add ext-group-user user objects to identify groups based on the group identifier values. Set up one user account for each group of user accounts in the RADIUS server. Click Configuration > Object > User/Group > User. Click the Add icon. Enter a user name and set the User Type to ext-group-user. In the Group Identifier field, enter Finance, Engineer, Sales, or Boss and set the Associated AAA Server Object to radius.
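The group lookup that steps 1 and 2 configure, as an added example that is not part of the User’s Guide or of ZyXEL’s firmware: it decodes the attributes of a RADIUS Access-Accept, reads the Class attribute (the Group Membership Attribute chosen in step 1) and matches its value against the ext-group-user Group Identifiers from step 2. The attribute bytes are constructed for the example, and the exact string comparison is an assumption of this model, not a documented ZyWALL behaviour.

```python
from typing import Dict, List, Optional, Tuple

RADIUS_CLASS = 25  # attribute type of Class in RFC 2865; the Group Membership Attribute used in step 1


def encode_attribute(atype: int, value: bytes) -> bytes:
    """Build one RADIUS attribute TLV: type, length (header included), value."""
    if len(value) > 253:
        raise ValueError("attribute value too long")
    return bytes([atype, len(value) + 2]) + value


def parse_attributes(data: bytes) -> List[Tuple[int, bytes]]:
    """Decode a run of RADIUS attribute TLVs, rejecting truncated or malformed lengths."""
    attrs: List[Tuple[int, bytes]] = []
    pos = 0
    while pos < len(data):
        if pos + 2 > len(data):
            raise ValueError("truncated attribute header")
        atype, alen = data[pos], data[pos + 1]
        if alen < 2 or pos + alen > len(data):
            raise ValueError("bad attribute length")
        attrs.append((atype, data[pos + 2:pos + alen]))
        pos += alen
    return attrs


# ext-group-user objects from step 2: object name -> Group Identifier.
EXT_GROUP_USERS: Dict[str, str] = {
    "Finance": "Finance", "Engineer": "Engineer", "Sales": "Sales", "Boss": "Boss",
}


def resolve_group(accept_attrs: bytes, membership_attr: int = RADIUS_CLASS,
                  ext_group_users: Dict[str, str] = EXT_GROUP_USERS) -> Optional[str]:
    """Return the ext-group-user whose Group Identifier equals the membership attribute's
    value (exact match assumed for this model). None means no configured group matched,
    so no group-based policy applies to the session."""
    for atype, value in parse_attributes(accept_attrs):
        if atype != membership_attr:
            continue
        identifier = value.decode("utf-8", "replace")
        for name, group_id in ext_group_users.items():
            if identifier == group_id:
                return name
    return None


# Constructed Access-Accept attribute payloads (not captures from a real server).
ACCEPT_SALES = encode_attribute(RADIUS_CLASS, b"Sales") + encode_attribute(18, b"Welcome")
ACCEPT_UNKNOWN = encode_attribute(RADIUS_CLASS, b"Contractors")
ACCEPT_NO_CLASS = encode_attribute(18, b"Welcome")  # 18 = Reply-Message; no Class present
ACCEPT_MULTI = encode_attribute(RADIUS_CLASS, b"Contractors") + encode_attribute(RADIUS_CLASS, b"Boss")

if __name__ == "__main__":
    for label, payload in [("sales", ACCEPT_SALES), ("unknown", ACCEPT_UNKNOWN),
                           ("no class", ACCEPT_NO_CLASS), ("multi", ACCEPT_MULTI)]:
        print(label, "->", resolve_group(payload))
```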
• Select Endpoint must have Personal Firewall installed and move the Kaspersky Internet Security entries to the allowed list (you can double-click an entry to move it).
• Select Endpoint must have Anti-Virus software installed and move the Kaspersky Internet Security and Kaspersky Anti-Virus anti-virus software entries to the allowed list.

The following figure shows the configuration screen example.
Repeat as needed to create endpoint security objects for other Windows operating system versions.

7.7.2 Configure the Authentication Policy

Click Configuration > Auth. Policy > Add to open the Endpoint Security Edit screen. Use this screen to configure an authentication policy to use endpoint security objects.
• Enable the policy and name it.
4 Turn on authentication policy and click Apply.

Figure 88 Configuration > Auth. Policy

The following figure shows an error message example when a user’s computer does not meet an endpoint security object’s requirements. Click Close to return to the login screen.

Figure 89 Example: Endpoint Security Error Message

7.
user access (logging into SSL VPN for example). See Chapter 45 on page 675 for more on service control.

The To-ZyWALL firewall rules apply to any kind of HTTP or HTTPS connection to the ZyWALL. They do not distinguish between administrator management access and user access. If you configure service control to allow management or user HTTP or HTTPS access, make sure the firewall is not configured to block that access.

7.8.
4 Select the new rule and click the Add icon.

Figure 92 Configuration > System > WWW (First Example Admin Service Rule Configured)

5 In the Zone field select ALL and set the Action to Deny. Click OK.
6 Click Apply.

Figure 94 Configuration > System > WWW (Second Example Admin Service Rule Configured)

Now administrator access to the Web Configurator can only come from the LAN1 zone. Non-admin users can still use HTTPS to log into the ZyWALL from any of the ZyWALL’s zones (to use SSL VPN for example).

7.9 How to Allow Incoming H.323 Peer-to-peer Calls

Suppose you have an H.323 device on the LAN1 for VoIP calls and you want it to be able to receive peer-to-peer calls from the WAN.
for wan1 IP address 10.0.0.8 to an H.323 device located on the LAN and using IP address 192.168.1.56.

Figure 95 WAN to LAN H.323 Peer-to-peer Calls Example (192.168.1.56 on the LAN, 10.0.0.8 on wan1)

7.9.1 Turn On the ALG

Click Configuration > Network > ALG. Select Enable H.323 ALG and Enable H.323 transformations and click Apply.

Figure 96 Configuration > Network > ALG

7.9.2 Set Up a NAT Policy For H.323

In this example, you need a NAT policy to forward H.
1 Use Configuration > Object > Address > Add to create an address object for the public WAN IP address (called WAN_IP-for-H323 here). Then use it again to create an address object for the H.323 device’s private LAN1 IP address (called LAN_H323 here).
2 Click Configuration > Network > NAT > Add. Configure a name for the rule (WAN-LAN_H323 here). You want the LAN H.323 device to receive peer-to-peer calls from the WAN and also be able to initiate calls to the WAN, so you set the Classification to NAT 1:1. Set the Incoming Interface to wan1. Set the Original IP to the WAN address object (WAN_IP-for-H323). Set the Mapped IP to the H.323 device’s LAN1 IP address object (LAN_H323).
1 Click Configuration > Firewall > Add. In the From field select WAN. In the To field select LAN1. Configure a name for the rule (WAN-to-LAN_H323 here). Set the Destination to the H.323 device’s LAN1 IP address object (LAN_H323). LAN_H323 is the destination because the ZyWALL applies NAT to traffic before applying the firewall rule. Set the Service to H.323. Click OK.

Figure 99 Configuration > Firewall > Add

7.
7.10.1 Create the Address Objects

Use Configuration > Object > Address > Add to create the address objects.
1 Create a host address object named DMZ_HTTP for the HTTP server’s private IP address of 192.168.3.7.

Figure 101 Creating the Address Object for the HTTP Server’s Private IP Address

2 Create a host address object named Public_HTTP_Server_IP for the public WAN IP address 1.1.1.1.

Figure 102 Creating the Address Object for the Public IP Address

7.10.
• Keep Enable NAT Loopback selected to allow users connected to other interfaces to access the HTTP server (see NAT Loopback on page 327 for details).

Figure 103 Creating the NAT Entry

7.10.3 Set Up a Firewall Rule

The firewall blocks traffic from the WAN zone to the DMZ zone by default, so you need to create a firewall rule to allow the public to send HTTP traffic to IP address 1.1.1.1 in order to access the HTTP server. If a domain name is registered for IP address 1.1.1.
1 Click Configuration > Firewall > Add. Set the From field as WAN and the To field as DMZ. Set the Destination to the HTTP server’s DMZ IP address object (DMZ_HTTP). DMZ_HTTP is the destination because the ZyWALL applies NAT to traffic before applying the firewall rule. Set the Access field to allow and the Service to HTTP, and click OK.

Figure 104 Configuration > Firewall > Add

7.
address 1.1.1.2 that you will use on the wan1 interface and map to the IPPBX’s private IP address of 192.168.3.7. The local SIP clients are on the LAN.
7.11.1 Turn On the ALG

Click Configuration > Network > ALG. Select Enable SIP ALG and Enable SIP Transformations and click Apply.

Figure 106 Configuration > Network > ALG

7.11.2 Create the Address Objects

Use Configuration > Object > Address > Add to create the address objects.
1 Create a host address object named IPPBX-DMZ for the IPPBX’s private DMZ IP address of 192.168.3.9.
2 Create a host address object named IPPBX-Public for the public WAN IP address 1.1.1.2.

Figure 108 Creating the Public IP Address Object

7.11.3 Set Up a NAT Policy for the IPPBX

Click Configuration > Network > NAT > Add.
• Configure a name for the rule (WAN-DMZ_IPPBX here).
• You want the IPPBX to receive calls from the WAN and also be able to send calls to the WAN, so you set the Classification to NAT 1:1.
• Set the Incoming Interface to wan1.
• Click OK.

Figure 109 Configuration > Network > NAT > Add

7.11.4 Set Up a WAN to DMZ Firewall Rule for SIP

The firewall blocks traffic from the WAN zone to the DMZ zone by default, so you need to create a firewall rule to allow the public to send SIP traffic to the IPPBX. If a domain name is registered for IP address 1.1.1.2, users can use it to connect for making SIP calls.
1 Click Configuration > Firewall > Add. Set the From field as WAN and the To field as DMZ. Set the Destination to the IPPBX’s DMZ IP address object (DMZ_SIP). IPPBX_DMZ is the destination because the ZyWALL applies NAT to traffic before applying the firewall rule. Set the Access field to allow and click OK.

Figure 110 Configuration > Firewall > Add

7.11.
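The evaluation order that sections 7.9, 7.10 and 7.11 all rely on (the ZyWALL applies NAT before the through-ZyWALL firewall rule, so the rule must name the private address object), as an added example that is not from the User’s Guide or the ZyWALL’s own code: a small model of the two checks using the HTTP server addresses from 7.10, showing why a rule written against the public IP never matches and why the Service field still matters when a 1:1 entry forwards every port. The zone subnets, the client address 203.0.113.5 and the simplification that a 1:1 entry rewrites only the destination are assumptions made for this model.

```python
from dataclasses import dataclass, replace
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str
    dport: int


@dataclass(frozen=True)
class NatRule:
    """NAT 1:1 entry as in the tutorial: original (public) IP on an incoming interface -> mapped IP."""
    incoming_if: str
    original_ip: str
    mapped_ip: str


@dataclass(frozen=True)
class FirewallRule:
    from_zone: str
    to_zone: str
    destination: Optional[str]  # address object name; None means any
    service: Optional[str]      # service object name; None means any
    access: str                 # "allow" or "deny"


# Objects from section 7.10. Zone subnets follow Table 14 and are assumptions of this model.
ADDRESS_OBJECTS = {"DMZ_HTTP": "192.168.3.7", "Public_HTTP_Server_IP": "1.1.1.1"}
SERVICE_OBJECTS = {"HTTP": ("tcp", 80)}
ZONE_SUBNETS = {"LAN1": ip_network("192.168.1.0/24"), "DMZ": ip_network("192.168.3.0/24")}
INTERFACE_ZONE = {"wan1": "WAN", "lan1": "LAN1", "dmz": "DMZ"}


def zone_of(ip: str) -> str:
    """Zone of an address: a configured internal subnet, otherwise WAN."""
    addr = ip_address(ip)
    for zone, net in ZONE_SUBNETS.items():
        if addr in net:
            return zone
    return "WAN"


def apply_nat(pkt: Packet, incoming_if: str, nat_rules: List[NatRule]) -> Packet:
    """First check: a matching 1:1 entry rewrites the destination to the mapped (private) IP."""
    for rule in nat_rules:
        if rule.incoming_if == incoming_if and rule.original_ip == pkt.dst:
            return replace(pkt, dst=rule.mapped_ip)
    return pkt


def firewall_decision(pkt: Packet, from_zone: str, fw_rules: List[FirewallRule]) -> str:
    """Second check, run on the post-NAT packet: first matching rule wins; no match means
    deny, which is the default for WAN to DMZ traffic described in the tutorial."""
    to_zone = zone_of(pkt.dst)
    for rule in fw_rules:
        if rule.from_zone != from_zone or rule.to_zone != to_zone:
            continue
        if rule.destination is not None and ADDRESS_OBJECTS[rule.destination] != pkt.dst:
            continue
        if rule.service is not None and SERVICE_OBJECTS[rule.service] != (pkt.proto, pkt.dport):
            continue
        return rule.access
    return "deny"


def forward(pkt: Packet, incoming_if: str, nat_rules: List[NatRule],
            fw_rules: List[FirewallRule]) -> Tuple[str, str]:
    """Evaluate NAT, then the firewall, and return (post-NAT destination, verdict)."""
    after_nat = apply_nat(pkt, incoming_if, nat_rules)
    verdict = firewall_decision(after_nat, INTERFACE_ZONE[incoming_if], fw_rules)
    return after_nat.dst, verdict


NAT_RULES = [NatRule("wan1", "1.1.1.1", "192.168.3.7")]
# A rule written against the public address never matches, because NAT has already run.
WRONG_RULE = [FirewallRule("WAN", "DMZ", "Public_HTTP_Server_IP", "HTTP", "allow")]
# The rule from step 1 of 7.10.3: the destination is the private DMZ_HTTP object.
RIGHT_RULE = [FirewallRule("WAN", "DMZ", "DMZ_HTTP", "HTTP", "allow")]
# Constructed client request from the Internet to the published address.
WEB_REQUEST = Packet(src="203.0.113.5", dst="1.1.1.1", proto="tcp", dport=80)
# Constructed non-HTTP probe: 1:1 NAT forwards every port, only the firewall's Service limits it.
SSH_PROBE = Packet(src="203.0.113.5", dst="1.1.1.1", proto="tcp", dport=22)

if __name__ == "__main__":
    for rules in (WRONG_RULE, RIGHT_RULE):
        print(forward(WEB_REQUEST, "wan1", NAT_RULES, rules))
    print(forward(SSH_PROBE, "wan1", NAT_RULES, RIGHT_RULE))
```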
1 Click Configuration > Firewall > Add. Set the From field as DMZ and the To field as LAN. Set the Destination to the IPPBX’s DMZ IP address object (DMZ_SIP). Set the Source to IPPBX_DMZ. Leave the Access field set to allow and click OK.

Figure 111 Configuration > Firewall > Add

7.
7.12.2 Configure the Policy Route

Now you need to configure a policy route that has the ZyWALL use the range of public IP addresses as the source address for WAN to LAN traffic. Click Configuration > Network > Routing > Add. Although adding a description is optional, it is recommended. This example uses LAN-to-WAN-Range. Specifying a Source Address is also optional although recommended. This example uses LAN_SUBNET1. Set the Source Network Address Translation to Public-IPs and click OK.
Chapter 7 Tutorials 154 ZyWALL USG 50 User’s Guide
P ART II Technical Reference 155
CHAPTER 8 Dashboard
8.1 Overview
Use the Dashboard screens to check status information about the ZyWALL.
8.1.1 What You Can Do in this Chapter
Use the Dashboard screens for the following.
• Use the main Dashboard screen (see Section 8.2 on page 157) to see the ZyWALL's general device information, system status, system resource usage, licensed service status, and interface status. You can also display other status screens for more information.
• Use the VPN status screen (see Section 8.2.
interface status in widgets that you can re-arrange to suit your needs. You can also collapse, refresh, and close individual widgets.
Figure 114 Dashboard
The following table describes the labels in this screen.
Table 19 Dashboard
Widget Setting (A): Use this link to re-open closed widgets. Widgets that are already open appear grayed out.
Up Arrow (B): Click this to collapse a widget.
Table 19 Dashboard (continued)
Device: This field displays the name of the device connected to the extension slot (or none if no device is detected).
Status: This field displays the current status of each interface or device installed in a slot. The possible values depend on what type of interface it is. For Ethernet interfaces: Inactive - The Ethernet interface is disabled.
Table 19 Dashboard (continued)
Flash Usage: This field displays what percentage of the ZyWALL's onboard flash memory is currently being used.
Active Sessions: This field displays how many traffic sessions are currently open on the ZyWALL. These are the sessions that are traversing the ZyWALL. Hover your cursor over this field to display icons. Click the Detail icon to go to the Session Monitor screen to see details about the active sessions.
Table 19 Dashboard (continued)
Status: For cellular (3G) interfaces, see Section 9.9 on page 183 for the status that can appear.
System Status
System Uptime: This field displays how long the ZyWALL has been running since it last restarted or was turned on.
Current Date/Time: This field displays the current date and time in the ZyWALL. The format is yyyy-mm-dd hh:mm:ss.
VPN Status: Click this to look at the VPN tunnels that are currently established. See Section 8.2.
Table 19 Dashboard (continued)
Expiration: If the service license is valid, this shows when it will expire. N/A displays if the service license does not have a limited period of validity.
Top 5 Viruses
#: This is the entry's rank in the list of the most commonly detected viruses.
Virus ID: This is the IDentification number of the anti-virus signature.
Virus Name: This is the name of a detected virus.
The following table describes the labels in this screen.
Table 20 Dashboard > CPU Usage
The y-axis represents the percentage of CPU usage. The x-axis shows the time period over which the CPU usage occurred.
Refresh Interval: Enter how often you want this window to be automatically updated.
Refresh: Click this to update the information in the window right away.
8.2.2 The Memory Usage Screen
Use this screen to look at a chart of the ZyWALL's recent memory (RAM) usage.
8.2.3 The Active Sessions Screen
Use this screen to look at a chart of the ZyWALL's recent traffic session usage. To access this screen, click Session Usage in the dashboard.
Figure 117 Dashboard > Session Usage
The following table describes the labels in this screen.
Table 22 Dashboard > Session Usage
Sessions: The y-axis represents the number of sessions.
8.2.4 The VPN Status Screen
Use this screen to look at the VPN tunnels that are currently established. To access this screen, click VPN Status in the dashboard.
Figure 118 Dashboard > VPN Status
The following table describes the labels in this screen.
Table 23 Dashboard > VPN Status
#: This field is a sequential value, and it is not associated with a specific SA.
Name: This field displays the name of the IPSec SA.
The following table describes the labels in this screen.
Table 24 Dashboard > DHCP Table
#: This field is a sequential value, and it is not associated with a specific entry.
Interface: This field identifies the interface that assigned an IP address to a DHCP client.
IP Address: This field displays the IP address currently assigned to a DHCP client or reserved for a specific MAC address. Click the column's heading cell to sort the table entries by IP address.
The following table describes the labels in this screen.
Table 25 Dashboard > Number of Login Users
#: This field is a sequential value and is not associated with any entry.
User ID: This field displays the user name of each user who is currently logged in to the ZyWALL.
Reauth Lease T.: This field displays the amount of reauthentication time remaining and the amount of lease time remaining for each user. See Chapter 35 on page 583.
CHAPTER 9 Monitor
9.1 Overview
Use the Monitor screens to check status and statistics information.
9.1.1 What You Can Do in this Chapter
Use the Monitor screens for the following.
• Use the System Status > Port Statistics screen (see Section 9.2.1 on page 172) to look at packet statistics for each physical port.
• Use the System Status > Port Statistics > Graph View screen (see Section 9.2.1 on page 172) to look at a line graph of packet statistics for each physical port.
• Use the Anti-X Statistics > Anti-Virus screen (see Section 9.13 on page 194) to start or stop data collection and view virus statistics.
• Use the Anti-X Statistics > IDP screen (Section 9.14 on page 196) to start or stop data collection and view IDP statistics.
• Use the Anti-X Statistics > Content Filter screen (Section 9.15 on page 198) to start or stop data collection and view content filter statistics.
• Use the Anti-X Statistics > Content Filter > Cache screen (Section 9.
Table 26 Monitor > System Status > Port Statistics (continued)
Stop: Click this to stop the window from updating automatically. You can start it again by setting the Poll Interval and clicking Set Interval.
Switch to Graphic View: Click this to display the port statistics as a line graph.
#: This field displays the port's number in the list.
Port: This field displays the physical port number.
Status: This field displays the current status of the physical port.
9.2.1 The Port Statistics Graph Screen
Use this screen to look at a line graph of packet statistics for each physical port. To access this screen, click Port Statistics in the Status screen and then the Switch to Graphic View button.
Figure 122 Monitor > System Status > Port Statistics > Switch to Graphic View
The following table describes the labels in this screen.
Table 27 Monitor > System Status > Port Statistics > Switch to Graphic View
Last Update: This field displays the date and time the information in the window was last updated.
System Up Time: This field displays how long the ZyWALL has been running since it last restarted or was turned on.
9.3 Interface Status Screen
This screen lists all of the ZyWALL's interfaces and gives packet statistics for them.
Table 28 Monitor > System Status > Interface Status (continued)
Port: This field displays the physical port number.
Status: This field displays the current status of each interface. The possible values depend on what type of interface it is. For Ethernet interfaces: Inactive - The Ethernet interface is disabled. Down - The Ethernet interface does not have any physical ports associated with it or the Ethernet interface is enabled but not connected.
Table 28 Monitor > System Status > Interface Status (continued)
Refresh: Click this button to update the information in the screen.
Expand/Close: Click this button to show or hide statistics for all the virtual interfaces on top of the Ethernet interfaces.
Name: This field displays the name of each interface. If there is an Expand icon (plus sign) next to the name, click it to look at the statistics for virtual interfaces on top of this interface.
You use the Traffic Statistics screen to tell the ZyWALL when to start and when to stop collecting information for these reports. You cannot schedule data collection; you have to start and stop it manually in the Traffic Statistics screen.
Figure 124 Monitor > System Status > Traffic Statistics
There is a limit on the number of records shown in the report. Please see Table 30 on page 178 for more information. The following table describes the labels in this screen.
Table 29 Monitor > System Status > Traffic Statistics (continued)
Traffic Type: Select the type of report to display. Choices are:
Host IP Address/User - displays the IP addresses or users with the most traffic and how much traffic has been sent to and from each one.
Service/Port - displays the most-used protocols or service ports and the amount of traffic for each one.
Web Site Hits - displays the most-visited Web sites and how many times each one has been visited.
Table 29 Monitor > System Status > Traffic Statistics (continued)
Amount: This field displays how much traffic was sent or received from the indicated service / port. If the Direction is Ingress, a red bar is displayed; if the Direction is Egress, a blue bar is displayed. The unit of measure is bytes, Kbytes, Mbytes, Gbytes, or Tbytes, depending on the amount of traffic for the particular protocol or service port.
• Number of bytes transmitted (so far)
• Duration (so far)
You can look at all the active sessions by user, service, source IP address, or destination IP address. You can also filter the information by user, protocol / service or service group, source address, and/or destination address and view it by user. Click Monitor > System Status > Session Monitor to display the following screen.
Table 31 Monitor > System Status > Session Monitor (continued)
User: This field displays when View is set to all sessions. Type the user whose sessions you want to view. It is not possible to type part of the user name or use wildcards in this field; you must enter the whole user name.
Service: This field displays when View is set to all sessions. Select the service or service group whose sessions you want to view.
9.6 The DDNS Status Screen
The DDNS Status screen shows the status of the ZyWALL's DDNS domain names. Click Monitor > System Status > DDNS Status to open the following screen.
Figure 126 Monitor > System Status > DDNS Status
The following table describes the labels in this screen.
Table 32 Monitor > System Status > DDNS Status
Update: Click this to have the ZyWALL update the profile to the DDNS server.
established a session with the ZyWALL. Devices that have never established a session with the ZyWALL do not display in the list.
Figure 127 Monitor > System Status > IP/MAC Binding
The following table describes the labels in this screen.
Table 33 Monitor > System Status > IP/MAC Binding
Interface: Select a ZyWALL interface that has IP/MAC binding enabled to show to which devices it has assigned an IP address.
#: This is the index number of an IP/MAC binding entry.
The following table describes the labels in this screen.
Table 34 Monitor > System Status > Login Users
#: This field is a sequential value and is not associated with any entry.
User ID: This field displays the user name of each user who is currently logged in to the ZyWALL.
Reauth Lease T.: This field displays the amount of reauthentication time remaining and the amount of lease time remaining for each user. See Chapter 35 on page 583.
Table 35 Monitor > System Status > Cellular Status (continued)
Connected Device: This field displays the model name of the cellular card.
Status:
No device - no 3G device is connected to the ZyWALL.
No Service - no 3G network is available in the area; you cannot connect to the Internet.
Limited Service - returned by the service provider in cases where the SIM card is expired, the user failed to pay for the service and so on; you cannot connect to the Internet.
Table 35 Monitor > System Status > Cellular Status (continued)
Service Provider: This displays the name of your network service provider. This shows Limited Service if the service provider has stopped service to the 3G SIM card, for example if the bill has not been paid or the account has expired.
Cellular System: This field displays what type of cellular network the 3G connection is using.
The following table describes the labels in this screen.
Table 36 Monitor > System Status > More Information
Extension Slot: This field displays where the entry's cellular card is located.
Service Provider: This displays the name of your network service provider. This shows Limited Service if the service provider has stopped service to the 3G SIM card, for example if the bill has not been paid or the account has expired.
9.10.1 Application Patrol Statistics: General Setup
Use the top of the Monitor > AppPatrol Statistics screen to configure what to display.
Figure 131 Monitor > AppPatrol Statistics: General Setup
The following table describes the labels in this screen.
Table 37 Monitor > AppPatrol Statistics: General Settings
Refresh Interval: Select how often you want the statistics display to update.
Display Protocols: Select the protocols for which to display statistics.
9.10.2 Application Patrol Statistics: Bandwidth Statistics
The middle of the Monitor > AppPatrol Statistics screen displays a bandwidth usage line graph for the selected protocols.
Figure 132 Monitor > AppPatrol Statistics: Bandwidth Statistics
• The y-axis represents the amount of bandwidth used.
• The x-axis shows the time period over which the bandwidth usage occurred.
• A solid line represents a protocol's incoming bandwidth usage.
9.10.3 Application Patrol Statistics: Protocol Statistics
The bottom of the Monitor > AppPatrol Statistics screen displays statistics for each of the selected protocols.
Figure 133 Monitor > AppPatrol Statistics: Protocol Statistics
The following table describes the labels in this screen.
Table 38 Monitor > AppPatrol Statistics: Protocol Statistics
Service: This is the protocol.
Table 38 Monitor > AppPatrol Statistics: Protocol Statistics (continued)
Rule: This is a protocol's rule.
Inbound Kbps: This is the incoming bandwidth usage for traffic that matched this protocol rule, in kilobits per second. This is the protocol's traffic that the ZyWALL sends to the initiator of the connection. So for a connection initiated from the LAN to the WAN, the traffic sent from the WAN to the LAN is the inbound traffic.
The following table describes the labels in this screen.
Table 39 Monitor > AppPatrol Statistics > Service
Service Name: This is the application.
Rule Statistics: This table displays the statistics for each of the service's application patrol rules.
#: This field is a sequential value, and it is not associated with a specific rule.
Inbound Kbps: This is the incoming bandwidth usage for traffic that matched this protocol rule, in kilobits per second.
Each field is described in the following table.
Table 40 Monitor > VPN Monitor > IPSec
Name: Enter the name of an IPSec SA here and click Search to find it (if it is associated). You can use a keyword or regular expression. Use up to 30 alphanumeric and _+-.()!$*^:?|{}[]<>/ characters. See Section 9.11.1 on page 192 for more details.
Policy: Enter the IP address(es) or names of the local and remote policies for an IPSec SA and click Search to find it.
Wildcards (*) let multiple VPN connection or policy names match the pattern. For example, use "*abc" (without the quotation marks) to specify any VPN connection or policy name that ends with "abc". A VPN connection named "testabc" would match. There could be any number (of any type) of characters in front of the "abc" at the end and the VPN connection or policy name would still match. A VPN connection or policy name named "testacc", for example, would not match.
Table 41 Monitor > VPN Monitor > SSL (continued)
User: This field displays the account user name used to establish this SSL VPN connection.
Access: This field displays the name of the SSL VPN application the user is accessing.
Login Address: This field displays the IP address the user used to establish this SSL VPN connection.
Connected Time: This field displays the time this connection was established.
The following table describes the labels in this screen.
Table 42 Monitor > Anti-X Statistics > Anti-Virus
Collect Statistics: Select this check box to have the ZyWALL collect anti-virus statistics.
Apply: Click Apply to save your changes back to the ZyWALL.
Reset: Click Reset to return the screen to its last-saved settings.
Refresh: Click this button to update the report display.
The statistics display as follows when you display the top entries by destination.
Figure 139 Monitor > Anti-X Statistics > Anti-Virus: Destination IP
9.14 The IDP Statistics Screen
Click Monitor > Anti-X Statistics > IDP to display the following screen. This screen displays IDP (Intrusion Detection and Prevention) statistics.
Figure 140 Monitor > Anti-X Statistics > IDP: Signature Name
The following table describes the labels in this screen.
Table 43 Monitor > Anti-X Statistics > IDP (continued)
Total Session Scanned: This field displays the number of sessions that the ZyWALL has checked for intrusion characteristics.
Total Packet Dropped: The ZyWALL can detect and drop malicious packets from network traffic. This field displays the number of packets that the ZyWALL has dropped.
Total Packet Reset: The ZyWALL can detect and drop malicious packets from network traffic.
The statistics display as follows when you display the top entries by destination.
Figure 142 Monitor > Anti-X Statistics > IDP: Destination
9.15 The Content Filter Statistics Screen
Click Monitor > Anti-X Statistics > Content Filter to display the following screen. This screen displays content filter statistics.
The following table describes the labels in this screen.
Table 44 Monitor > Anti-X Statistics > Content Filter
Collect Statistics: Select this check box to have the ZyWALL collect content filtering statistics. The collection starting time displays after you click Apply. All of the statistics in this screen are for the time period starting at the time displayed here. The format is year, month, day and hour, minute, second.
Table 44 Monitor > Anti-X Statistics > Content Filter (continued)
Managed Web Pages: This is the number of requested web pages that the ZyWALL's content filtering service identified as belonging to a category that was selected to be managed.
Report Server: Click this link to go to http://www.myZyXEL.com where you can view content filtering reports after you have activated the category-based content filtering subscription service.
9.
Click a column's heading cell to sort the table entries by that column's criteria. Click the heading cell again to reverse the sort order.
Figure 144 Anti-X > Content Filter > Cache
The following table describes the labels in this screen.
Table 45 Anti-X > Content Filter > Cache
URL Cache Entry
Refresh: Click this button to reload the list of content filter cache entries.
Flush: Click this button to clear all web site addresses from the cache manually.
Table 45 Anti-X > Content Filter > Cache (continued)
Category: This field shows whether access to the web site's URL was blocked or allowed. Click the column heading to sort the entries. Point the triangle up to display the blocked URLs before the URLs to which access was allowed. Point the triangle down to display the URLs to which access was allowed before the blocked URLs.
9.17 The Anti-Spam Statistics Screen
Click Monitor > Anti-X Statistics > Anti-Spam to display the following screen. This screen displays spam statistics.
Figure 145 Monitor > Anti-X Statistics > Anti-Spam
The following table describes the labels in this screen.
Table 46 Monitor > Anti-X Statistics > Anti-Spam
Collect Statistics: Select this check box to have the ZyWALL collect anti-spam statistics.
Apply: Click Apply to save your changes back to the ZyWALL.
Table 46 Monitor > Anti-X Statistics > Anti-Spam (continued)
Spam Mails: This is the number of e-mails that the ZyWALL has determined to be spam.
Spam Mails Detected by Black List: This is the number of e-mails that matched an entry in the ZyWALL's anti-spam black list.
Spam Mails Detected by DNSBL: The ZyWALL can check the sender and relay IP addresses in an e-mail's header against DNS (Domain Name Service)-based spam Black Lists (DNSBLs).
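To make the DNSBL counter above concrete, here is an added example (not ZyXEL code) of the lookup itself: relay addresses are taken from the message's Received: headers, each one is reversed and queried under the list's DNS zone, and an A-record answer marks the address as listed. The DNS resolver is injected so the example runs offline; the zone name, the listed address and the sample message are constructed placeholders.

```python
"""
Added example, not ZyXEL code: the DNSBL lookup behind the "Spam Mails Detected by
DNSBL" counter. Relay IP addresses are read from the message's Received: headers,
each address is reversed and queried as <reversed-ip>.<zone>, and an A-record
answer means the address is listed. The resolver is injected so this runs offline;
the zone name, the listed address and the message are constructed placeholders.
"""
import ipaddress
import re

BRACKETED_IPV4 = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")

# Relays inside these ranges are skipped: RFC 1918 space and loopback are never
# listed by a public DNSBL, so querying them only wastes lookups.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]


def is_internal(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def relay_addresses(raw_headers):
    """Public IPv4 relay addresses from Received: headers, outermost first, no duplicates."""
    found = []
    for line in raw_headers.splitlines():
        if not line.lower().startswith("received:"):
            continue
        for ip in BRACKETED_IPV4.findall(line):
            if not is_internal(ip) and ip not in found:
                found.append(ip)
    return found


def dnsbl_query_name(ip, zone):
    """203.0.113.7 checked against zone Z becomes the name 7.113.0.203.Z"""
    return ".".join(reversed(ip.split("."))) + "." + zone


def check_dnsbl(ip, zone, resolve):
    """resolve(name) must return the list of A records, or [] when the name does not exist."""
    answers = resolve(dnsbl_query_name(ip, zone))
    return {"ip": ip, "listed": bool(answers), "answer": answers[0] if answers else None}


def classify(raw_headers, zone, resolve):
    """One lookup per public relay; the message counts as spam if any relay is listed."""
    lookups = [check_dnsbl(ip, zone, resolve) for ip in relay_addresses(raw_headers)]
    return {"spam": any(r["listed"] for r in lookups), "lookups": lookups}


# Constructed stand-in for DNS: one address listed with the conventional 127.0.0.2 answer.
FAKE_ZONE = "dnsbl.example"  # placeholder, not a real DNSBL
FAKE_ZONE_DATA = {"7.113.0.203.dnsbl.example": ["127.0.0.2"]}


def fake_resolve(name):
    return FAKE_ZONE_DATA.get(name, [])


# Constructed message headers: one public relay (203.0.113.7) and one internal hop.
SAMPLE_HEADERS = """\
Received: from mail.example.net (mail.example.net [203.0.113.7])
    by mx.example.org with ESMTP; Mon, 01 Nov 2010 10:00:00 +0000
Received: from client (unknown [192.168.1.20])
    by mail.example.net with ESMTPA; Mon, 01 Nov 2010 09:59:00 +0000
From: sender@example.net
Subject: constructed sample
"""

if __name__ == "__main__":
    print(classify(SAMPLE_HEADERS, FAKE_ZONE, fake_resolve))
```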
9.18 The Anti-Spam Status Screen
Click Monitor > Anti-X Statistics > Anti-Spam > Status to display the Anti-Spam Status screen. Use the Anti-Spam Status screen to see how many e-mail sessions the anti-spam feature is scanning and statistics for the DNSBLs.
Figure 146 Monitor > Anti-X Statistics > Anti-Spam > Status
The following table describes the labels in this screen.
9.19 Log Screen
Log messages are stored in two separate logs, one for regular log messages and one for debugging messages. In the regular log, you can look at all the log messages by selecting All Logs, or you can select a specific category of log messages (for example, firewall or user). You can also look at the debugging log by selecting Debug Log. All debugging messages have the same priority. To access this screen, click Monitor > Log. The log is displayed in the following screen.
The following table describes the labels in this screen.
Table 48 Monitor > Log
Show Filter / Hide Filter: Click this button to show or hide the filter settings. If the filter settings are hidden, the Display, Email Log Now, Refresh, and Clear Log fields are available. If the filter settings are shown, the Display, Priority, Source Address, Destination Address, Service, Keyword, and Search fields are available.
Table 48 Monitor > Log (continued)
Priority: This field displays the priority of the log message. It has the same range of values as the Priority field above.
Category: This field displays the log that generated the log message. It is the same value used in the Display and (other) Category fields.
Message: This field displays the reason the log message was generated.
CHAPTER 10 Registration
10.1 Overview
Use the Configuration > Licensing > Registration screens to register your ZyWALL and manage its service subscriptions.
10.1.1 What You Can Do in this Chapter
• Use the Registration screen (see Section 10.2 on page 211) to register your ZyWALL with myZyXEL.com and activate a service, such as content filtering.
• Use the Service screen (see Section 10.3 on page 213) to display the status of your service registrations and upgrade licenses.
10.1.
Subscription Services Available on the ZyWALL
You can have the ZyWALL use anti-virus, IDP/AppPatrol (Intrusion Detection and Prevention and application patrol), and content filtering subscription services. You can also purchase and enter a license key to have the ZyWALL use more SSL VPN tunnels. See the respective User's Guide chapters for more information about these features.
Anti-Virus Engines
Subscribe to signature files for Kaspersky's anti-virus engine.
10.2 The Registration Screen
Use this screen to register your ZyWALL with myZyXEL.com and activate a service, such as content filtering. Click Configuration > Licensing > Registration in the navigation panel to open the screen as shown next.
Figure 148 Configuration > Licensing > Registration
The following table describes the labels in this screen.
Table 49 Configuration > Licensing > Registration
General Settings: If you select existing myZyXEL.
Table 49 Configuration > Licensing > Registration (continued)
Confirm Password: Enter the password again for confirmation.
E-Mail Address: Enter your e-mail address. You can use up to 80 alphanumeric characters (periods and the underscore are also allowed) without spaces.
Country: Select your country from the drop-down list.
Trial Service Activation: Select the check box to activate a trial service subscription.
Note: If the ZyWALL is registered already, this screen is read-only and indicates whether trial services are activated (if any). You can still select the unchecked trial service(s) to activate them after registration. Use the Service screen to update your service subscription status.
Figure 149 Configuration > Licensing > Registration: Registered Device
10.3 The Service Screen
Use this screen to display the status of your service registrations and upgrade licenses.
The following table describes the labels in this screen.
Table 50 Configuration > Licensing > Registration > Service
License Status
#: This is the entry's position in the list.
Service: This lists the services that are available on the ZyWALL.
Status: This field displays whether a service is activated (Licensed), not activated (Not Licensed), or expired (Expired).
CHAPTER 11 Interfaces
11.1 Interface Overview
Use the Interface screens to configure the ZyWALL's interfaces. You can also create interfaces on top of other interfaces.
• Ports are the physical ports to which you connect cables.
• Interfaces are used within the system operationally. You use them in configuring various features. An interface also describes a network that is directly connected to the ZyWALL. For example, you connect the LAN1 network to the LAN1 interface.
11.1.2 What You Need to Know
Interface Characteristics
Interfaces generally have the following characteristics (although not all characteristics apply to each type of interface).
• An interface is a logical entity through which (layer-3) packets pass.
• An interface is bound to a physical port or another interface.
• Many interfaces can share the same physical port.
• An interface belongs to at most one zone.
• Many interfaces can belong to the same zone.
virtual--have a lot of similar characteristics. These characteristics are listed in the following table and discussed in more detail below.
Table 52 Relationships Between Different Types of Interfaces (continued)
INTERFACE: REQUIRED PORT / INTERFACE
PPP interface: WAN1, WAN2
virtual interface (virtual Ethernet interface): Ethernet interface*
virtual interface (virtual VLAN interface): VLAN interface*
virtual interface (virtual bridge interface): bridge interface
trunk: Ethernet interface, Cellular interface, VLAN interface, bridge interface, PPP interface
* - You cannot set up a PPP interface, virtual Ethernet interface or virtual VLAN interface if the underl
1 Because a port's IP address varies as its role changes, make sure your computer's IP address is in the same subnet as the ZyWALL's lan1, lan2 or dmz IP address.
2 Use the appropriate lan1, lan2 or dmz IP address to access the ZyWALL.
Figure 151 Configuration > Network > Interface > Port Role
Each section in this screen is described below.
Unlike other types of interfaces, you cannot create new Ethernet interfaces nor can you delete any of them. If an Ethernet interface does not have any physical ports assigned to it (see Section 11.2 on page 218), the Ethernet interface is effectively removed from the ZyWALL, but you can still configure it. Ethernet interfaces are similar to other types of interfaces in many ways. They have an IP address, subnet mask, and gateway used to make routing decisions.
Each field is described in the following table.
Table 54 Configuration > Network > Interface > Ethernet
Edit: Double-click an entry or select it and click Edit to open a screen where you can modify the entry's settings.
Remove: To remove a virtual interface, select it and click Remove. The ZyWALL confirms you want to remove it before doing so.
Activate: To turn on an interface, select it and click Activate.
• Enable and disable RIP in the underlying physical port or port group.
• Select which direction(s) routing information is exchanged - The ZyWALL can receive routing information, send routing information, or do both.
• Select which version of RIP to support in each direction - The ZyWALL supports RIP-1, RIP-2, and both versions.
• Select the broadcasting method used by RIP-2 packets - The ZyWALL can use subnet broadcasting or multicasting.
Figure 153 Configuration > Network > Interface > Ethernet > Edit (WAN)
Figure 154 Configuration > Network > Interface > Ethernet > Edit (DMZ)
This screen's fields are described in the table below.
Table 55 Configuration > Network > Interface > Ethernet > Edit
Show Advance Settings / Hide Advance Settings: Click this button to display a greater or lesser number of configuration fields.
General Settings
Enable Interface: Select this to enable this interface. Clear this to disable this interface.
Table 55 Configuration > Network > Interface > Ethernet > Edit (continued)
Interface Type: This field is read-only. Internal is for connecting to a local network. Other corresponding configuration options: DHCP server and DHCP relay. The ZyWALL automatically adds default SNAT settings for traffic flowing from this interface to an external interface. External is for connecting to an external network (like the Internet).
Table 55 Configuration > Network > Interface > Ethernet > Edit (continued)
Metric: This option appears when Interface Properties is External or General. Enter the priority of the gateway (if any) on this interface. The ZyWALL decides which gateway to use based on this priority. The lower the number, the higher the priority. If two or more gateways have the same priority, the ZyWALL uses the one that was configured first.
Table 55 Configuration > Network > Interface > Ethernet > Edit (continued)
Check Port: This field only displays when you set the Check Method to tcp. Specify the port number to use for a TCP connectivity check.
DHCP Setting: These fields appear when Interface Properties is Internal or General.
DHCP: Select what type of DHCP service the ZyWALL provides to the network. Choices are: None - the ZyWALL does not provide any DHCP services.
Table 55 Configuration > Network > Interface > Ethernet > Edit (continued)
First WINS Server, Second WINS Server: Type the IP address of the WINS (Windows Internet Naming Service) server that you want to send to the DHCP clients. The WINS server keeps a mapping table of the computer names on your network and the IP addresses that they are currently using.
Table 55 Configuration > Network > Interface > Ethernet > Edit (continued)
V2-Broadcast: This field is effective when RIP is enabled. Select this to send RIP-2 packets using subnet broadcasting; otherwise, the ZyWALL uses multicasting.
OSPF Setting: See Section 14.3 on page 299 for more information about OSPF.
Area: Select the area in which this interface belongs. Select None to disable OSPF in this interface.
Table 55 Configuration > Network > Interface > Ethernet > Edit (continued)
Overwrite Default MAC Address: Select this option to have the interface use a different MAC address. Either enter the MAC address in the fields or click Clone by host and enter the IP address of the device or computer whose MAC you are cloning. Once it is successfully configured, the address will be copied to the configuration file.
Table 56 Object References (continued)
Service: This is the type of setting that references the selected object. Click a service's name to display the service's configuration screen in the main window.
Priority: If it is applicable, this field lists the referencing configuration item's position in its list; otherwise N/A displays.
Name: This field identifies the configuration item that references the object.
11.4.1 PPP Interface Summary
This screen lists every PPPoE/PPTP interface. To access this screen, click Configuration > Network > Interface > PPP.
Configuration > Network > Interface > PPP
Each field is described in the table below.
Table 57 Configuration > Network > Interface > PPP
User Configuration / System Default: The ZyWALL comes with the (non-removable) System Default PPP interfaces pre-configured.
Status: The activate (light bulb) icon is lit when the entry is active and dimmed when the entry is inactive. The connect icon is lit when the interface is connected and dimmed when it is disconnected.
Name: This field displays the name of the interface.
Base Interface: This field displays the interface on top of which the PPPoE/PPTP interface is built.
Figure 157 Configuration > Network > Interface > PPP > Add
Each field is explained in the following table.
Table 58 Configuration > Network > Interface > PPP > Add
Show Advance Settings / Hide Advance Settings: Click this button to display a greater or lesser number of configuration fields.
Enable Interface: Select this to enable this interface. Clear this to disable this interface.
Interface Properties
Interface Name: Specify a name for the interface. It can use alphanumeric characters, hyphens, and underscores, and it can be up to 11 characters long.
Base Interface: Select the interface upon which this PPP interface is built.
Interface Parameters
Egress Bandwidth: Enter the maximum amount of traffic, in kilobits per second, the ZyWALL can send through the interface to the network. Allowed values are 0 - 1048576.
Ingress Bandwidth: This is reserved for future use.
MTU: Maximum Transmission Unit. Type the maximum size of each data packet, in bytes, that can move through this interface.
OK: Click OK to save your changes back to the ZyWALL.
Cancel: Click Cancel to exit this screen without saving.
11.5 Cellular Configuration Screen (3G)
3G (Third Generation) is a digital, packet-switched wireless technology. Bandwidth usage is optimized as multiple users share the same channel and bandwidth is only allocated to users when they send data.
Aside from selecting the 3G network, the 3G card may also select an available 2.5G or 2.75G network automatically. See the following table for a comparison between 2G, 2.5G, 2.75G and 3G wireless technologies.
Table 59 2G, 2.5G, 2.75G, 3G and 3.5G Wireless Technologies
NAME: 2G
TYPE: Circuit-switched
MOBILE PHONE AND DATA STANDARDS (GSM-BASED): GSM (Global System for Mobile Communications), Personal Handy-phone System (PHS), etc.
Figure 158 Configuration > Network > Interface > Cellular
The following table describes the labels in this screen.
Table 60 Configuration > Network > Interface > Cellular
Add: Click this to create a new cellular interface.
Edit: Double-click an entry or select it and click Edit to open a screen where you can modify the entry's settings.
Remove: To remove an entry, select it and click Remove. The ZyWALL confirms you want to remove it before doing so.
Figure 159 Configuration > Network > Interface > Cellular > Add
The following table describes the labels in this screen.
Table 61 Configuration > Network > Interface > Cellular > Add
Show Advance Settings / Hide Advance Settings: Click this button to display a greater or lesser number of configuration fields.
General Settings
Enable Interface: Select this option to turn on this interface.
Interface Properties
Interface Name: Select a name for the interface.
Dial String: Enter the dial string if your ISP provides a string, which would include the APN, to initialize the 3G card. You can enter up to 63 ASCII printable characters. Spaces are allowed. This field is available only when you insert a GSM 3G card.
Authentication Type: The ZyWALL supports PAP (Password Authentication Protocol) and CHAP (Challenge Handshake Authentication Protocol). PAP sends the password across the link in the clear, whereas CHAP proves possession of it through a challenge-response exchange, so select CHAP where the ISP supports it.
Egress Bandwidth: Enter the maximum amount of traffic, in kilobits per second, the ZyWALL can send through the interface to the network. Allowed values are 0 - 1048576. This setting is used in WAN load balancing and bandwidth management.
Ingress Bandwidth: This is reserved for future use.
MTU: Maximum Transmission Unit.
IP Address Assignment
Get Automatically: Select this option if your ISP did not assign you a fixed IP address. This is the default selection.
Use Fixed IP Address: Select this option if the ISP assigned a fixed IP address.
IP Address: Enter the cellular interface's WAN IP address in this field if you selected Use Fixed IP Address.
Metric: Enter the priority of the gateway (if any) on this interface.
Time Budget: Select this and specify the amount of time (in hours) that the 3G connection can be used within one month. If you change the value after you configure and enable budget control, the ZyWALL resets the statistics.
Data Budget: Select this and specify how much downstream and/or upstream data (in megabytes) can be transmitted via the 3G connection within one month.
Actions when over % of time budget or % of data budget: Specify the actions the ZyWALL takes when the specified percentage of the time budget or data budget is exceeded. Enter a number from 1 to 99 in the percentage fields. If you change the value after you configure and enable budget control, the ZyWALL resets the statistics.
Figure 161 Example: After VLAN
Each VLAN is a separate network with separate IP addresses, subnet masks, and gateways. Each VLAN also has a unique identification number (ID). The ID is a 12-bit value carried in the IEEE 802.1Q tag inserted into the Ethernet (MAC) header, which leaves 4094 usable IDs (0 and 4095 are reserved). The VLANs are connected to switches, and the switches are connected to the router. (If one switch has enough connections for the entire network, the network does not need switches A and B.)
• Between the router and VLAN 3.
VLAN Interfaces Overview
In the ZyWALL, each VLAN is called a VLAN interface. As a router, the ZyWALL routes traffic between VLAN interfaces, but it does not route traffic within a VLAN interface. All traffic for each VLAN interface can go through only one Ethernet interface, though each Ethernet interface can have one or more VLAN interfaces.
Note: Each VLAN interface is created on top of only one Ethernet interface.
Table 62 Configuration > Network > Interface > VLAN (continued)
Object References: Select an entry and click Object References to open a screen that shows which settings use the entry. See Section 11.3.2 on page 230 for an example.
#: This field is a sequential value, and it is not associated with any interface.
Status: This icon is lit when the entry is active and dimmed when the entry is inactive.
Name: This field displays the name of the interface.
Figure 163 Configuration > Network > Interface > VLAN > Edit
Each field is explained in the following table.
Table 63 Configuration > Network > Interface > VLAN > Edit
Show Advance Settings / Hide Advance Settings: Click this button to display a greater or lesser number of configuration fields.
General Settings
Enable Interface: Select this to turn this interface on. Clear this to disable this interface.
Interface Properties
Interface Name: This field is read-only if you are editing an existing VLAN interface.
Metric: Enter the priority of the gateway (if any) on this interface. The ZyWALL decides which gateway to use based on this priority. The lower the number, the higher the priority. If two or more gateways have the same priority, the ZyWALL uses the one that was configured first.
DHCP: Select what type of DHCP service the ZyWALL provides to the network. Choices are: None - the ZyWALL does not provide any DHCP services; there is already a DHCP server on the network. DHCP Relay - the ZyWALL routes DHCP requests to one or more DHCP servers you specify. The DHCP server(s) may be on another network.
Lease time: Specify how long each computer can use the information (especially the IP address) before it has to request the information again. Choices are: infinite - select this if IP addresses never expire; days, hours, and minutes - select this to enter how long IP addresses are valid.
OSPF Setting: See Section 14.3 on page 299 for more information about OSPF.
Area: Select the area in which this interface belongs. Select None to disable OSPF in this interface.
Priority: Enter the priority (between 0 and 255) of this interface when the area is looking for a Designated Router (DR) or Backup Designated Router (BDR).
11.7 Bridge Interfaces
This section introduces bridges and bridge interfaces and then explains the screens for bridge interfaces.
Bridge Overview
A bridge creates a connection between two or more network segments at the layer-2 (MAC address) level. In the following example, bridge X connects four network segments. When the bridge receives a packet, the bridge records the source MAC address and the port on which it was received in a table.
If computer B responds to computer A, bridge X records the source address 0B:0B:0B:0B:0B:0B and port 4 in the table. It also looks up 0A:0A:0A:0A:0A:0A in the table and sends the packet to port 2 accordingly.
Table 65 Example: Bridge Table After Computer B Responds to Computer A
MAC ADDRESS          PORT
0A:0A:0A:0A:0A:0A    2
0B:0B:0B:0B:0B:0B    4
Bridge Interface Overview
A bridge interface creates a software bridge between the members of the bridge interface.
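The learning behaviour described above, together with the 12-bit VLAN ID from the VLAN overview, as an added example that is not ZyWALL code: a small software bridge that parses an optional 802.1Q tag, learns (VLAN, source MAC) to port, forwards known destinations and floods unknown ones. The frames, port numbers and the table-size cap (MAX_TABLE_ENTRIES) are constructed for the example; real switches bound their tables in the same way so that a MAC-flooding host cannot force every frame to be flooded.

```python
"""Learning bridge with 802.1Q awareness (added example, not ZyWALL code).

Constructed frames; the bridge table is keyed by (VLAN ID, MAC) because
each VLAN is a separate broadcast domain.
"""
import struct
from collections import OrderedDict

ETHERTYPE_VLAN = 0x8100
MAX_TABLE_ENTRIES = 4  # hypothetical cap, kept tiny so the eviction path is exercised


def mac(s: str) -> bytes:
    """'0A:0A:0A:0A:0A:0A' -> 6 raw bytes."""
    return bytes.fromhex(s.replace(":", ""))


def parse_frame(frame: bytes):
    """Return (dst_mac, src_mac, vlan_id, ethertype, payload).

    vlan_id is None for untagged frames.  A tagged frame carries a 4-byte
    802.1Q header after the source MAC: 0x8100, then 16 bits of TCI whose
    low 12 bits are the VLAN ID (PCP:3, DEI:1, VID:12).
    """
    if len(frame) < 14:
        raise ValueError("runt frame")
    dst, src = frame[0:6], frame[6:12]
    etype = struct.unpack("!H", frame[12:14])[0]
    vlan_id, offset = None, 14
    if etype == ETHERTYPE_VLAN:
        if len(frame) < 18:
            raise ValueError("truncated 802.1Q header")
        tci, etype = struct.unpack("!HH", frame[14:18])
        vlan_id = tci & 0x0FFF
        offset = 18
    return dst, src, vlan_id, etype, frame[offset:]


def build_frame(dst: str, src: str, payload: bytes, vlan_id=None, pcp=0) -> bytes:
    """Construct an IPv4-ethertype frame, optionally with an 802.1Q tag."""
    hdr = mac(dst) + mac(src)
    if vlan_id is not None:
        if not 0 <= vlan_id <= 4095:
            raise ValueError("VLAN ID must fit in 12 bits")
        hdr += struct.pack("!HH", ETHERTYPE_VLAN, (pcp << 13) | vlan_id)
    return hdr + struct.pack("!H", 0x0800) + payload


class Bridge:
    def __init__(self, ports):
        self.ports = list(ports)
        # (vlan, mac) -> port; insertion order doubles as age for eviction
        self.table = OrderedDict()

    def receive(self, frame: bytes, in_port: int):
        """Learn the source, then return the ports the frame is sent out on."""
        dst, src, vlan, _, _ = parse_frame(frame)
        key = (vlan, src)
        if key in self.table:
            self.table.move_to_end(key)
        elif len(self.table) >= MAX_TABLE_ENTRIES:
            # Evict the oldest entry instead of growing without bound, so a
            # host spraying random source MACs cannot exhaust the table.
            self.table.popitem(last=False)
        self.table[key] = in_port  # also handles a host that moved ports
        out = self.table.get((vlan, dst))
        if out is None or dst == b"\xff" * 6:
            return [p for p in self.ports if p != in_port]  # flood
        if out == in_port:
            return []  # destination is on the segment the frame came from
        return [out]
```

Replaying the text's scenario: A's first frame arrives on port 2 and is flooded; B's reply on port 4 is learned and unicast back out port 2 only, giving the two-row table shown above. A frame tagged with a different VLAN ID does not hit the untagged entries, which is exactly why the ZyWALL treats each VLAN as its own interface.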
11.7.1 Bridge Summary
This screen lists every bridge interface and virtual interface created on top of bridge interfaces. To access this screen, click Configuration > Network > Interface > Bridge.
Figure 164 Configuration > Network > Interface > Bridge
Each field is described in the following table.
Table 67 Configuration > Network > Interface > Bridge
Add: Click this to create a new entry.
11.7.2 Bridge Add/Edit
This screen lets you configure IP address assignment, interface bandwidth parameters, DHCP settings, and connectivity check for each bridge interface. To access this screen, click the Add icon at the top of the Add column in the Bridge Summary screen, or click an Edit icon in the Bridge Summary screen. The following screen appears.
Figure 165 Configuration > Network > Interface > Bridge > Add
Each field is described in the table below.
Table 68 Configuration > Network > Interface > Bridge > Edit
Show Advance Settings / Hide Advance Settings: Click this button to display a greater or lesser number of configuration fields.
General Settings
Enable Interface: Select this to enable this interface. Clear this to disable this interface.
Interface Properties
Interface Name: This field is read-only if you are editing the interface.
Gateway: This field is enabled if you select Use Fixed IP Address. Enter the IP address of the gateway. The ZyWALL sends packets to the gateway when it does not know how to route the packet to its destination. The gateway should be on the same network as the interface.
Metric: Enter the priority of the gateway (if any) on this interface.
IP Pool Start Address: Enter the IP address from which the ZyWALL begins allocating IP addresses. If you want to assign a static IP address to a specific computer, click Add Static DHCP. If this field is blank, the Pool Size must also be blank.
Add: Click this to create a new entry.
Edit: Select an entry and click this to be able to modify it.
Remove: Select an entry and click this to delete it.
#: This field is a sequential value, and it is not associated with a specific entry.
IP Address: Enter the IP address to assign to a device with this entry's MAC address.
interface, VLAN interface, or bridge interface in the respective interface summary screen.
Figure 166 Configuration > Network > Interface > Add
Each field is described in the table below.
Table 69 Configuration > Network > Interface > Add
Interface Properties
Interface Name: This field is read-only. It displays the name of the virtual interface, which is automatically derived from the underlying Ethernet interface, VLAN interface, or bridge interface.
Egress Bandwidth: Enter the maximum amount of traffic, in kilobits per second, the ZyWALL can send through the interface to the network. Allowed values are 0 - 1048576.
Ingress Bandwidth: This is reserved for future use. Enter the maximum amount of traffic, in kilobits per second, the ZyWALL can receive from the network through the interface. Allowed values are 0 - 1048576.
because it is a point-to-point interface. For these interfaces, you can only enter the IP address. In many interfaces, you can also let the IP address and subnet mask be assigned by an external DHCP server on the network. In this case, the interface is a DHCP client. Virtual interfaces, however, cannot be DHCP clients. You have to assign the IP address and subnet mask manually.
If you set the bandwidth restrictions very high, you effectively remove the restrictions. The ZyWALL also restricts the size of each data packet. The maximum number of bytes in each packet is called the maximum transmission unit (MTU). If a packet is larger than the MTU, the ZyWALL divides it into smaller fragments. Each fragment is sent separately, and the original packet is re-assembled later. A packet whose Don't Fragment (DF) bit is set cannot be divided; it is dropped instead and an ICMP "fragmentation needed" message is returned to the sender, which is how path MTU discovery learns the smaller MTU.
• IP address - If the DHCP client's MAC address is in the ZyWALL's static DHCP table, the interface assigns the corresponding IP address. If not, the interface assigns IP addresses from a pool, defined by the starting address of the pool and the pool size.
Table 72 Example: Assigning IP Addresses from a Pool
START IP ADDRESS   POOL SIZE   RANGE OF ASSIGNED IP ADDRESSES
50.50.50.33        5           50.50.50.33 - 50.50.50.37
75.75.75.1         200         75.75.75.1 - 75.75.75.200
99.99.1.1          1023        99.99.1.1 - 99.
PPPoE/PPTP Overview
Point-to-Point Protocol over Ethernet (PPPoE, RFC 2516) and Point-to-Point Tunneling Protocol (PPTP, RFC 2637) are usually used to connect two computers over phone lines or broadband connections. PPPoE is often used with cable modems and DSL connections. It provides the following advantages:
• The access and authentication method works with existing systems, including RADIUS.
• You can access one of several network services.
Note that PPTP's MS-CHAP authentication and MPPE encryption have well-known weaknesses; where the remote end supports it, an IPsec VPN is the stronger choice for site-to-site traffic.
CHAPTER 12 Trunks
12.1 Overview
Use trunks for WAN traffic load balancing to increase overall network throughput and reliability. Load balancing divides traffic loads between multiple interfaces. This allows you to improve quality of service and maximize bandwidth utilization for multiple ISP links. Maybe you have two Internet connections with different bandwidths.
12.1.2 What You Need to Know
• Add WAN interfaces to trunks to have multiple connections share the traffic load.
• If one WAN interface's connection goes down, the ZyWALL sends traffic through another member of the trunk.
• For example, you connect one WAN interface to one ISP and connect a second WAN interface to a second ISP. The ZyWALL balances the WAN traffic load between the connections.
2 The ZyWALL is using active/active load balancing, so when LAN user A tries to access something on the server, the request goes out through wan2.
3 The server finds that the request comes from wan2's IP address instead of wan1's IP address and rejects the request. If link sticking had been configured, the ZyWALL would have still used wan1 to send LAN user A's request to the server, and the server would have given user A access.
Since WAN 2 has a smaller load balancing index (meaning that it is less utilized than WAN 1), the ZyWALL will send the subsequent new session traffic through WAN 2.
Table 73 Least Load First Example
OUTBOUND INTERFACE   AVAILABLE (A)   MEASURED (M)   LOAD BALANCING INDEX (M/A)
WAN 1                512 K           412 K          0.8
WAN 2                256 K           198 K          0.77
Weighted Round Robin
The Weighted Round Robin (WRR) algorithm is best suited for situations when the bandwidths set for the two WAN interfaces are different.
interface. This fully utilizes the bandwidth of the first interface to reduce Internet usage fees and avoid overloading the interface. In this example figure, the upper threshold of the first interface is set to 800K. The ZyWALL sends network traffic of new sessions that exceed this limit to the secondary WAN interface.
Figure 171 Spillover Algorithm Example
Finding Out More
• See Section 6.5.5 on page 97 for related information on the Trunk screens.
• See Section 7.
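The three trunk algorithms and link sticking, as an added example rather than the ZyWALL's own implementation: least load first picks the member with the smallest measured/available ratio (the Table 73 figures give 412/512 = 0.80 for WAN 1 and 198/256 = 0.77 for WAN 2, so WAN 2 wins), weighted round robin cycles members in proportion to their weights, and spillover keeps new sessions on the first member until its usage would pass the upper threshold (800K in the figure). The sticky table keyed by (client, server) is what makes the server in the link-sticking scenario keep seeing wan1's address. Interface names, bandwidths, weights and the threshold are constructed; the ratios and thresholds a real ZyWALL computes from measured traffic are supplied here as numbers.

```python
"""WAN trunk load balancing (added example, not ZyWALL code).

Constructed members and numbers; bandwidths are kbps as on the trunk screens.
"""
import itertools


class Wan:
    def __init__(self, name, available_kbps, measured_kbps=0, weight=1):
        self.name = name
        self.available = available_kbps  # configured egress bandwidth
        self.measured = measured_kbps    # current outbound usage
        self.weight = weight             # weighted round robin ratio
        self.up = True                   # connectivity check result

    @property
    def load_index(self):
        """Least-load-first index M/A: lower means less utilised."""
        return self.measured / self.available


class Trunk:
    def __init__(self, members, algorithm, spillover_threshold_kbps=None):
        self.members = members
        self.algorithm = algorithm       # "llf", "wrr" or "spillover"
        self.threshold = spillover_threshold_kbps
        # weight 2:1 expands to the repeating sequence A, A, B, A, A, B, ...
        self._wrr = itertools.cycle([m for m in members for _ in range(m.weight)])
        # link sticking: (client, server) -> member name.  A real device ages
        # these entries out; this example keeps them for its lifetime.
        self.sticky = {}

    def pick(self, src, dst, session_kbps=0):
        """Choose the outbound member for a new session from src to dst."""
        alive = [m for m in self.members if m.up]
        if not alive:
            raise RuntimeError("no trunk member is up")
        key = (src, dst)
        if self.sticky.get(key) in {m.name for m in alive}:
            # Same client and server as before: reuse the interface so the
            # server keeps seeing one source address for this client.
            return self.sticky[key]
        if self.algorithm == "llf":
            choice = min(alive, key=lambda m: m.load_index)
        elif self.algorithm == "wrr":
            choice = next(m for m in self._wrr if m.up)
        elif self.algorithm == "spillover":
            primary = alive[0]
            if primary.measured + session_kbps <= self.threshold:
                choice = primary
            else:
                choice = alive[1] if len(alive) > 1 else primary
        else:
            raise ValueError("unknown algorithm %r" % self.algorithm)
        choice.measured += session_kbps
        self.sticky[key] = choice.name
        return choice.name
```

When a member fails its connectivity check, `up` goes False, it drops out of `alive`, and any sticky entries pointing at it are ignored, so existing client/server pairs fail over to a surviving member exactly as the bullet list above describes.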
12.2 The Trunk Summary Screen
Click Configuration > Network > Interface > Trunk to open the Trunk screen. This screen lists the configured trunks and the load balancing algorithm that each is configured to use.
Figure 172 Configuration > Network > Interface > Trunk
The following table describes the items in this screen.
Table 74 Configuration > Network > Interface > Trunk (continued)
Enable Default SNAT: Select this to have the ZyWALL use the IP address of the outgoing interface as the source IP address of the packets it sends out through its WAN trunks. The ZyWALL automatically adds SNAT settings for traffic it routes from internal interfaces to external interfaces.
Each field is described in the table below.
Table 75 Configuration > Network > Interface > Trunk > Add (or Edit)
Name: This is read-only if you are editing an existing trunk. When adding a new trunk, enter a descriptive name for this trunk. You may use 1-31 alphanumeric characters, underscores (_), or dashes (-), but the first character cannot be a number. This value is case-sensitive.
Egress Bandwidth: This field displays with the least load first or spillover load balancing algorithm. It displays the maximum number of kilobits of data the ZyWALL is to send out through the interface per second.
Spillover: This field displays with the spillover load balancing algorithm.
CHAPTER 13 Policy and Static Routes
13.1 Policy and Static Routes Overview
Use policy routes and static routes to override the ZyWALL's default routing behavior in order to send packets through the appropriate interface or VPN tunnel. For example, the next figure shows a computer (A) connected to the ZyWALL's LAN interface. The ZyWALL routes most traffic from A to the Internet through the ZyWALL's default gateway (R1).
• Use the Static Route screens (see Section 13.3 on page 291) to list and configure static routes.
13.1.2 What You Need to Know
Policy Routing
Traditionally, routing is based on the destination address only and the ZyWALL takes the shortest path to forward a packet. IP Policy Routing (IPPR) provides a mechanism to override the default routing behavior and alter the packet forwarding based on the policy defined by the network administrator.
Policy Routes Versus Static Routes
• Policy routes are more flexible than static routes. You can select more criteria for the traffic to match and can also use schedules, NAT, and bandwidth management.
• Policy routes are only used within the ZyWALL itself. Static routes can be propagated to other routers using RIP or OSPF.
• Policy routes take priority over static routes.
Finding Out More
• See Section 6.5.6 on page 97 for related information on the policy route screens.
• See Section 7.12 on page 152 for an example of creating a policy route for using multiple static public WAN IP addresses for LAN to WAN traffic.
• See Section 13.4 on page 293 for more background information on policy routing.
13.2 Policy Route Screen
Click Configuration > Network > Routing to open the Policy Route screen.
The following table describes the labels in this screen.
Table 76 Configuration > Network > Routing > Policy Route
Show Advance Settings / Hide Advance Settings: Click this button to display a greater or lesser number of configuration fields.
Enable BWM: This is a global setting for enabling or disabling bandwidth management on the ZyWALL.
DSCP Code: This is the DSCP value of incoming packets to which this policy route applies. any means all DSCP values or no DSCP marker. default means traffic with a DSCP value of 0; this is usually best-effort traffic. The "af" entries stand for Assured Forwarding. The number following the "af" identifies one of four classes and one of three drop precedences (in AFxy, x is the class from 1 to 4 and y the drop precedence from 1 to 3).
13.2.1 Policy Route Edit Screen
Click Configuration > Network > Routing to open the Policy Route screen. Then click the Add or Edit icon to open the Policy Route Edit screen. Use this screen to configure or edit a policy route.
Figure 176 Configuration > Network > Routing > Policy Route > Add
The following table describes the labels in this screen.
Table 77 Configuration > Network > Routing > Policy Route > Edit
Incoming: Select where the packets are coming from: any, an interface, a tunnel, an SSL VPN, or the ZyWALL itself. For an interface, a tunnel, or an SSL VPN, you also need to select the individual interface, VPN tunnel, or SSL VPN connection.
Source Address: Select a source IP address object from which the packets are sent.
VPN Tunnel: This field displays when you select VPN Tunnel in the Type field. Select a VPN tunnel through which the packets are sent to the remote network that is connected to the ZyWALL directly.
Auto Destination Address: This field displays when you select VPN Tunnel in the Type field.
Source Network Address Translation: Select none to not use NAT for the route. Select outgoing-interface to use the IP address of the outgoing interface as the source IP address of the packets that match this route. If you select outgoing-interface, you can also configure port trigger settings for this interface.
Maximum Bandwidth: Specify the maximum bandwidth (from 1 to 1048576) allowed for the route in kbps. If you enter 0 here, there is no bandwidth limitation for the route. If the sum of the bandwidths for routes using the same next hop is higher than the actual transmission speed, lower priority traffic may not be sent if higher priority traffic uses all of the actual bandwidth.
The following table describes the labels in this screen.
Table 78 Configuration > Network > Routing > Static Route
Add: Click this to create a new static route.
Edit: Double-click an entry or select it and click Edit to open a screen where you can modify the entry's settings.
Remove: To remove an entry, select it and click Remove. The ZyWALL confirms you want to remove it before doing so.
#: This is the number of an individual static route.
Table 79 Configuration > Network > Routing > Static Route > Add (continued)
Gateway IP: Select the radio button and enter the IP address of the next-hop gateway. The gateway is a router or switch on the same segment as your ZyWALL's interface(s). The gateway helps forward packets to their destinations.
Interface: Select the radio button and a predefined interface through which the traffic is sent.
following twelve DSCP encodings from AF11 through AF43. The decimal equivalent is listed in brackets.
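The lookup order the chapter describes (policy routes in list order, then static routes by longest prefix, then the default gateway) together with the DSCP matching of the Policy Route screen, as an added example that is not ZyWALL code. The AF and CS names are turned into codepoints with the standard RFC 2597/2474 formulas (AFxy = 8x + 2y, CSn = 8n, EF = 46), which is how the bracketed decimal values for AF11 through AF43 come about. The route entries, interface names and packets are constructed for the example.

```python
"""Policy route before static route, with DSCP matching (added example,
not ZyWALL code).  Routes and packets are constructed."""
import ipaddress
import re


def dscp_value(name: str) -> int:
    """Map a DSCP name as shown in the policy route screen to its 6-bit value
    (RFC 2474/2597: AFxy = 8*x + 2*y, CSn = 8*n, EF = 46, default = 0)."""
    name = name.lower()
    if name == "default":
        return 0
    if name == "ef":
        return 46
    m = re.fullmatch(r"af([1-4])([1-3])", name)
    if m:
        return 8 * int(m.group(1)) + 2 * int(m.group(2))
    m = re.fullmatch(r"cs([0-7])", name)
    if m:
        return 8 * int(m.group(1))
    raise ValueError("unknown DSCP name %r" % name)


def dscp_from_tos(tos_byte: int) -> int:
    """The DSCP is the upper six bits of the IPv4 TOS byte; the low two are ECN."""
    return (tos_byte >> 2) & 0x3F


class PolicyRoute:
    def __init__(self, incoming="any", source="any", destination="any",
                 service="any", dscp="any", next_hop=None, snat="none"):
        self.incoming = incoming
        self.source = None if source == "any" else ipaddress.ip_network(source)
        self.destination = None if destination == "any" else ipaddress.ip_network(destination)
        self.service = service          # (proto, dport) tuple or "any"
        self.dscp = None if dscp == "any" else dscp_value(dscp)
        self.next_hop = next_hop        # gateway, interface, trunk or tunnel name
        self.snat = snat                # "none" or "outgoing-interface"

    def matches(self, pkt) -> bool:
        """Every configured criterion must match; 'any' criteria are skipped."""
        if self.incoming != "any" and pkt["in"] != self.incoming:
            return False
        if self.source and ipaddress.ip_address(pkt["src"]) not in self.source:
            return False
        if self.destination and ipaddress.ip_address(pkt["dst"]) not in self.destination:
            return False
        if self.service != "any" and (pkt["proto"], pkt["dport"]) != self.service:
            return False
        if self.dscp is not None and dscp_from_tos(pkt["tos"]) != self.dscp:
            return False
        return True


def static_route(prefix: str, next_hop: str):
    return (ipaddress.ip_network(prefix), next_hop)


def route(pkt, policy_routes, static_routes, default_gw):
    """Return (next_hop, snat): first matching policy route wins, otherwise the
    most specific static route, otherwise the default gateway."""
    for pr in policy_routes:
        if pr.matches(pkt):
            return pr.next_hop, pr.snat
    dst = ipaddress.ip_address(pkt["dst"])
    best = max((r for r in static_routes if dst in r[0]),
               key=lambda r: r[0].prefixlen, default=None)
    if best:
        return best[1], "none"
    return default_gw, "none"
```

Because a policy route that matches a whole destination range also overrides any static route to the same range, order the policy route list so that the narrow, deliberately privileged rules (a VPN tunnel for a branch subnet, a dedicated WAN for EF-marked voice) sit above the broad ones.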
3 Computer A and game server 1 are connected to each other until the connection is closed or times out. Any other computers (such as B or C) cannot connect to remote server 1 using the same port triggering rule as computer A unless they are using a different next hop (gateway, outgoing interface, VPN tunnel or trunk) from computer A, or until the connection is closed or times out.
CHAPTER 14 Routing Protocols
14.1 Routing Protocols Overview
Routing protocols give the ZyWALL routing information about the network from other routers. The ZyWALL stores this routing information in the routing table it uses to make routing decisions. In turn, the ZyWALL can also use routing protocols to propagate routing information to other routers. See Section 6.6 on page 105 for related information on the RIP and OSPF screens.
14.2 The RIP Screen
RIP (Routing Information Protocol, RFC 1058 and RFC 1389) allows a device to exchange routing information with other routers. RIP is a distance-vector routing protocol and, like most such protocols, it uses hop count as its metric and treats the route with the fewest hops as the shortest. It also re-advertises its whole routing table to its neighbors periodically and converges slowly after a topology change. RIP is therefore more suitable for small networks: a metric of 16 hops means unreachable, so no path can be longer than 15 hops.
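The distance-vector update rule behind the paragraph above, as an added example that is not ZyWALL code: a router applies a neighbor's advertisement by adding one hop, installs routes that are new or shorter, accepts a worse metric only from the next hop it already uses, treats 16 as unreachable, and sends routes back to the neighbor they came from as 16 (split horizon with poisoned reverse). The `authenticated` flag stands in for the RIP authentication check described in Table 82 and is an assumption of this example; the router names and prefixes are constructed. It also shows why unauthenticated RIP is a problem: any host on the segment can advertise a one-hop route and hijack traffic.

```python
"""Distance-vector (RIP-style) route update (added example, not ZyWALL code).

Constructed routers and advertisements.  Metric = hop count; 16 = unreachable.
"""

INFINITY = 16  # RIP: a metric of 16 means unreachable, so paths span at most 15 hops


class RipRouter:
    def __init__(self, name, directly_connected):
        self.name = name
        # prefix -> (hop-count metric, next hop); a directly connected
        # network has metric 1, as in RFC 1058
        self.table = {net: (1, None) for net in directly_connected}

    def receive_update(self, neighbor, advertised, authenticated=True):
        """Apply a neighbor's advertisement (dict prefix -> hops).

        Returns the set of prefixes whose entry changed.  `authenticated`
        stands in for the RIP Text/MD5 authentication check: with it enabled,
        updates that fail the check are discarded before they touch the table.
        """
        if not authenticated:
            return set()
        changed = set()
        for net, hops in advertised.items():
            metric = min(hops + 1, INFINITY)
            cur = self.table.get(net)
            if cur is None:
                if metric < INFINITY:       # never install an unreachable route
                    self.table[net] = (metric, neighbor)
                    changed.add(net)
            elif metric < cur[0] or (cur[1] == neighbor and metric != cur[0]):
                # better path, or our current next hop reports a change
                # (including that the route is now unreachable)
                self.table[net] = (metric, neighbor)
                changed.add(net)
        return changed

    def advertisement(self, to_neighbor):
        """Split horizon with poisoned reverse: routes learned from the
        receiving neighbor are advertised back to it as unreachable."""
        return {net: (INFINITY if nh == to_neighbor else hops)
                for net, (hops, nh) in self.table.items()}

    def reachable(self):
        return {net: e for net, e in self.table.items() if e[0] < INFINITY}
```

In the test scenario a legitimate neighbor supplies a three-hop route, a rogue router then offers the same prefix at one hop and is believed as soon as authentication is off, which is the case for installing route authentication on every RIP-speaking interface rather than only on the ones you think are untrusted.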
Chapter 14 Routing Protocols The following table describes the labels in this screen. Table 82 Configuration > Network > Routing Protocol > RIP LABEL DESCRIPTION Authentication Authentication Select the authentication method used in the RIP network. This authentication protects the integrity, but not the confidentiality, of routing updates. None uses no authentication. Text uses a plain text password that is sent over the network (not very secure).
Chapter 14 Routing Protocols System (AS). OSPF offers some advantages over vector-space routing protocols like RIP. • OSPF supports variable-length subnet masks, which can be set up to use available IP addresses more efficiently. • OSPF filters and summarizes routing information, which reduces the size of routing tables throughout the network. • OSPF responds to changes in the network, such as the loss of a router, more quickly.
Chapter 14 Routing Protocols
Each type of area is illustrated in the following figure.
Figure 181 OSPF: Types of Areas
This OSPF AS consists of four areas, areas 0-3. Area 0 is always the backbone. In this example, areas 1, 2, and 3 are all connected to it. Area 1 is a normal area. It has routing information about the OSPF AS and networks X and Y. Area 2 is a stub area. It has routing information about the OSPF AS, but it depends on a default route to send information to networks X and Y.
• An Autonomous System Boundary Router (ASBR) exchanges routing information with routers in networks outside the OSPF AS. This is called redistribution in OSPF.
Table 83 OSPF: Redistribution from Other Sources to Each Type of Area
SOURCE          NORMAL   NSSA   STUB
Static routes   Yes      Yes    No
RIP             Yes      Yes    Yes
• A backbone router (BR) has at least one interface with area 0. By default, every router in area 0 is a backbone router, and so is every ABR.
to logically connect the area to the backbone. This is illustrated in the following example.
Figure 183 OSPF: Virtual Link
In this example, area 100 does not have a direct connection to the backbone. As a result, you should set up a virtual link on both ABRs in area 10. The virtual link becomes the connection between area 100 and the backbone. You cannot create a virtual link to a router in a different area.
Click Configuration > Network > Routing > OSPF to open the following screen.
Figure 184 Configuration > Network > Routing > OSPF
The following table describes the labels in this screen. See Section 14.3.2 on page 306 for more information as well.
Table 84 Configuration > Network > Routing Protocol > OSPF
OSPF Router ID: Select the 32-bit ID the ZyWALL uses in the OSPF AS.
Table 84 Configuration > Network > Routing Protocol > OSPF (continued)
Type: Select how OSPF calculates the cost associated with routing information from static routes. Choices are: Type 1 and Type 2.
Type 1 - cost = OSPF AS cost + external cost (Metric)
Type 2 - cost = external cost (Metric); the OSPF AS cost is ignored.
Metric: Type the external cost for routes provided by static routes.
Area
14.3.2 OSPF Area Add/Edit Screen
The OSPF Area Add/Edit screen allows you to create a new area or edit an existing one. To access this screen, go to the OSPF summary screen (see Section 14.3 on page 299), and click either the Add icon or an Edit icon.
Figure 185 Configuration > Network > Routing > OSPF > Add
The following table describes the labels in this screen.
Table 85 Configuration > Network > Routing > OSPF > Add (continued)
Text Authentication Key: This field is available if the Authentication is Text. Type the password for text authentication. The key can consist of alphanumeric characters and the underscore, and it can be up to 8 characters long.
MD5 Authentication ID: This field is available if the Authentication is MD5. Type the default ID for MD5 authentication in the area.
306) has the Type set to Normal, a Virtual Link table displays. Click either the Add icon or an entry and the Edit icon to display a screen like the following.
Figure 186 Configuration > Network > Routing > OSPF > Add > Add
The following table describes the labels in this screen.
Table 86 Configuration > Network > Routing > OSPF > Add > Add
Peer Router ID: Enter the 32-bit ID (in IP address format) of the other ABR in the virtual link.
Authentication Types
Authentication is used to guarantee the integrity, but not the confidentiality, of routing updates. The transmitting router uses its key to condense the original message into a smaller message (a digest), and the smaller message is transmitted with the original message. The receiving router uses its key to compute the same digest over the received message and then verifies that it matches the smaller message sent with it.
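The keyed-digest check described above, as an added example that is not part of the User's Guide or ZyXEL's code. It follows the RFC 2328 Appendix D MD5 scheme as I understand it (16-byte key appended to the packet, MD5 over the concatenation sent after the packet); the packet bytes and the key are constructed for the demonstration.

```python
"""Keyed-digest check of the kind OSPF MD5 authentication performs.

Added example, not code from the ZyWALL User's Guide. It follows the
RFC 2328 Appendix D scheme as I understand it: the 16-byte key is
appended to the OSPF packet, MD5 over that concatenation is sent after
the packet, and the receiver recomputes the digest with its own copy
of the key. The packet bytes and key below are constructed.
"""
import hashlib
import hmac

KEY_LEN = 16  # OSPF MD5 keys are zero-padded (or cut) to 16 bytes


def pad_key(key: bytes) -> bytes:
    """Normalise a key to the 16-byte length used in the digest."""
    return key[:KEY_LEN].ljust(KEY_LEN, b"\x00")


def md5_digest(packet: bytes, key: bytes) -> bytes:
    """Sender: the 'smaller message' is MD5(packet || key). The key itself
    never goes on the wire; only the 16-byte digest does."""
    return hashlib.md5(packet + pad_key(key)).digest()


def md5_verify(packet: bytes, digest: bytes, key: bytes) -> bool:
    """Receiver: recompute with the locally configured key and compare in
    constant time. A changed packet or a different key both fail."""
    return hmac.compare_digest(md5_digest(packet, key), digest)


def text_auth_on_wire(packet: bytes, password: bytes) -> bytes:
    """Text authentication (Table 85): the password, up to 8 characters,
    travels in the OSPF header in clear text, so anyone on the segment can
    read it; it only guards against accidental peering with the wrong area."""
    return packet + password[:8].ljust(8, b"\x00")


# Constructed stand-in for an OSPF Hello packet body (not a real capture).
HELLO = b"\x02\x01\x00\x2c" + b"\x01\x01\x01\x01" + b"\x00\x00\x00\x00" + b"hello-options"
AREA_KEY = b"zywall_area0"  # assumed key for area 0


def demo():
    """Outcomes of the integrity check under three conditions."""
    digest = md5_digest(HELLO, AREA_KEY)
    return {
        "genuine": md5_verify(HELLO, digest, AREA_KEY),
        "tampered_packet": md5_verify(HELLO + b"\x01", digest, AREA_KEY),
        "wrong_key": md5_verify(HELLO, digest, b"other_key"),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```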
CHAPTER 15 Zones
15.1 Zones Overview
Set up zones to configure network security and network policies in the ZyWALL. A zone is a group of interfaces and/or VPN tunnels. The ZyWALL uses zones instead of interfaces in many security and policy settings, such as firewall rules, Anti-X, and remote management. Zones cannot overlap. Each Ethernet interface, VLAN interface, bridge interface, PPPoE/PPTP interface and VPN tunnel can be assigned to at most one zone.
15.1.2 What You Need to Know
Effects of Zones on Different Types of Traffic
Zones effectively divide traffic into three types (intra-zone traffic, inter-zone traffic, and extra-zone traffic), which are affected differently by zone-based security and policy settings.
Intra-zone Traffic
• Intra-zone traffic is traffic between interfaces or VPN tunnels in the same zone. For example, in Figure 187 on page 311, traffic between VLAN 2 and the Ethernet is intra-zone traffic.
15.2 The Zone Screen
The Zone screen provides a summary of all zones. In addition, this screen allows you to add, edit, and remove zones. To access this screen, click Configuration > Network > Zone.
Configuration > Network > Zone
The following table describes the labels in this screen.
Table 87 Configuration > Network > Zone
User Configuration / System Default: The ZyWALL comes with pre-configured System Default zones that you cannot delete.
15.3 Zone Edit
The Zone Edit screen allows you to add or edit a zone. To access this screen, go to the Zone screen (see Section 15.2 on page 313), and click the Add icon or an Edit icon.
Figure 188 Network > Zone > Add
The following table describes the labels in this screen.
Table 88 Network > Zone > Edit
Name: For a system default zone, the name is read only. For a user-configured zone, type the name used to refer to the zone.
CHAPTER 16 DDNS
16.1 DDNS Overview
Dynamic DNS (DDNS) services let you use a domain name with a dynamic IP address.
16.1.1 What You Can Do in this Chapter
• Use the DDNS screen (see Section 16.2 on page 316) to view a list of the configured DDNS domain names and their details.
• Use the DDNS Add/Edit screen (see Section 16.2.1 on page 318) to add a domain name to the ZyWALL or to edit the configuration of an existing domain name.
16.1.
Note: Record your DDNS account’s user name, password, and domain name to use to configure the ZyWALL.
After you configure the ZyWALL, it automatically sends updated IP addresses to the DDNS service provider, which helps redirect traffic accordingly.
Finding Out More
See Section 6.5.9 on page 99 for related information on these screens.
16.2 The DDNS Screen
The DDNS screen provides a summary of all DDNS domain names and their configuration.
Table 90 Configuration > Network > DDNS (continued)
Primary Interface/IP: This field displays the interface to use for updating the IP address mapped to the domain name, followed by how the ZyWALL determines the IP address for the domain name.
from interface - The IP address comes from the specified interface.
auto detected - The DDNS server checks the source IP address of the packets from the ZyWALL for the IP address to use for the domain name.
16.2.1 The Dynamic DNS Add/Edit Screen
The DDNS Add/Edit screen allows you to add a domain name to the ZyWALL or to edit the configuration of an existing domain name. Click Configuration > Network > DDNS and then an Add or Edit icon to open this screen.
Figure 190 Configuration > Network > DDNS > Add
The following table describes the labels in this screen.
Table 91 Configuration > Network > DDNS > Add (continued)
Username: Type the user name used when you registered your domain name. You can use up to 31 alphanumeric characters and the underscore. Spaces are not allowed. For a Dynu DDNS entry, this user name is the one you use for logging into the service, not the name recorded in your personal information on the Dynu website.
Password: Type the password provided by the DDNS provider.
Table 91 Configuration > Network > DDNS > Add (continued)
IP Address: The options available in this field vary by DDNS provider.
Interface - The ZyWALL uses the IP address of the specified interface. This option appears when you select a specific interface in the Backup Binding Address Interface field.
Auto - The DDNS server checks the source IP address of the packets from the ZyWALL for the IP address to use for the domain name.
CHAPTER 17 NAT
17.1 NAT Overview
NAT (Network Address Translation, RFC 1631) is the translation of the IP address of a host in a packet. For example, the source address of an outgoing packet, used within one network, is changed to a different IP address known within another network. Use Network Address Translation (NAT) to make computers on a private network behind the ZyWALL available outside the private network.
17.1.2 What You Need to Know
NAT is also known as virtual server, port forwarding, or port translation.
Finding Out More
• See Section 6.5.10 on page 99 for related information on these screens.
• See Section 17.3 on page 327 for technical background information related to these screens.
• See Section 7.9.2 on page 140 for an example of how to configure NAT to allow H.323 traffic from the WAN to the LAN.
• See Section 7.10.
Table 92 Configuration > Network > NAT (continued)
Remove: To remove an entry, select it and click Remove. The ZyWALL confirms you want to remove it before doing so.
Activate: To turn on an entry, select it and click Activate.
Inactivate: To turn off an entry, select it and click Inactivate.
#: This field is a sequential value, and it is not associated with a specific entry.
Status: This icon is lit when the entry is active and dimmed when the entry is inactive.
17.2.1 The NAT Add/Edit Screen
The NAT Add/Edit screen lets you create new NAT rules and edit existing ones. To open this window, open the NAT summary screen (see Section 17.2 on page 322). Then, click on an Add icon or Edit icon to open the following screen.
Figure 193 Configuration > Network > NAT > Add
The following table describes the labels in this screen.
Table 93 Configuration > Network > NAT > Add (continued)
Classification: Select what kind of NAT this rule is to perform.
Virtual Server - This makes computers on a private network behind the ZyWALL available to a public network outside the ZyWALL (like the Internet).
Table 93 Configuration > Network > NAT > Add (continued)
Mapped IP Subnet/Range: This field displays for Many 1:1 NAT. Select to which translated destination IP address subnet or IP address range this NAT rule forwards packets. The original and mapped IP address subnets or ranges must have the same number of IP addresses.
Table 93 Configuration > Network > NAT > Add (continued)
Firewall: By default the firewall blocks incoming connections from external addresses. After you configure your NAT rule settings, click the Firewall link to configure a firewall rule to allow the NAT rule’s traffic to come in. The ZyWALL checks NAT rules before it applies To-ZyWALL firewall rules, so To-ZyWALL firewall rules do not apply to traffic that is forwarded by NAT rules.
For example, a LAN user’s computer at IP address 192.168.1.89 queries a public DNS server to resolve the SMTP server’s domain name (xxx.LAN-SMTP.com in this example) and gets the SMTP server’s mapped public IP address of 1.1.1.1.
Figure 194 LAN Computer Queries a Public DNS Server (DNS answers xxx.LAN-SMTP.com = 1.1.1.1 to the LAN computer 192.168.1.89; the SMTP server is 192.168.1.21)
The LAN user’s computer then sends traffic to IP address 1.1.1.1.
SMTP server replied directly to the LAN user without the traffic going through NAT, the source would not match the original destination address, which would cause the LAN user’s computer to shut down the session.
Figure 196 LAN to LAN Return Traffic NAT (the SMTP server’s reply with source 192.168.1.21 is translated to source 1.1.1.1)
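The LAN-to-LAN exchange of Figures 194 to 196, as an added model that is not the ZyWALL's code or the User's Guide's. It assumes the ZyWALL also rewrites the client's source address to its own LAN IP (192.168.1.1, the default from the cover page) so that the server's reply returns through NAT; the port numbers are constructed.

```python
"""NAT loopback for a LAN client reaching a LAN server by its public IP.

Added example, not the ZyWALL's code. It models the LAN-to-LAN case of
Figures 194 to 196: the virtual server rule maps public 1.1.1.1 to the
SMTP server at 192.168.1.21, and the server's reply must come back through
NAT so that its source matches the 1.1.1.1 the client originally sent to.
That the ZyWALL also rewrites the client's source to its own LAN IP
(192.168.1.1, the default from the cover page) so the server answers
through the gateway rather than directly is an assumption of this model.
"""
import ipaddress
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    sport: int
    dport: int


ZYWALL_LAN_IP = "192.168.1.1"
LAN_NET = ipaddress.ip_network("192.168.1.0/24")
# Virtual server rule: (original IP, port) -> (mapped IP, port)
VIRTUAL_SERVER = {("1.1.1.1", 25): ("192.168.1.21", 25)}


def on_lan(ip: str) -> bool:
    return ipaddress.ip_address(ip) in LAN_NET


class Nat:
    def __init__(self, loopback: bool = True):
        self.loopback = loopback
        self.sessions = {}  # translated 4-tuple -> original packet

    def forward(self, pkt: Packet) -> Packet:
        """Client-to-server direction: destination NAT, plus source NAT
        when client and server sit on the same LAN (loopback case)."""
        mapped = VIRTUAL_SERVER.get((pkt.dst, pkt.dport))
        if mapped is None:
            return pkt  # not a virtual server address; routed unchanged
        out = replace(pkt, dst=mapped[0], dport=mapped[1])
        if self.loopback and on_lan(pkt.src) and on_lan(out.dst):
            out = replace(out, src=ZYWALL_LAN_IP)  # assumption, see docstring
        self.sessions[(out.src, out.sport, out.dst, out.dport)] = pkt
        return out

    def reply(self, pkt: Packet):
        """Server-to-client direction: undo both translations, or None when
        no session matches (the firewall would then discard the packet)."""
        orig = self.sessions.get((pkt.dst, pkt.dport, pkt.src, pkt.sport))
        if orig is None:
            return None
        return Packet(src=orig.dst, dst=orig.src, sport=orig.dport, dport=orig.sport)


def client_accepts(sent: Packet, reply: Packet) -> bool:
    """A TCP stack only matches a reply whose source is the address and port
    it sent to; anything else belongs to no session and the session dies."""
    return (reply.src, reply.sport, reply.dst, reply.dport) == (
        sent.dst, sent.dport, sent.src, sent.sport)


def demo(loopback: bool):
    """LAN host 192.168.1.89 connects to the SMTP server via 1.1.1.1:25."""
    nat = Nat(loopback)
    sent = Packet("192.168.1.89", "1.1.1.1", 40000, 25)
    at_server = nat.forward(sent)
    server_reply = Packet(at_server.dst, at_server.src, at_server.dport, at_server.sport)
    if at_server.src == ZYWALL_LAN_IP:
        seen_by_client = nat.reply(server_reply)  # reply routed back via NAT
    else:
        seen_by_client = server_reply  # server answers the client directly
    return at_server, seen_by_client, client_accepts(sent, seen_by_client)


if __name__ == "__main__":
    for mode in (True, False):
        print("loopback" if mode else "direct reply", demo(mode))
```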
CHAPTER 18 HTTP Redirect
18.1 Overview
HTTP redirect forwards the client’s HTTP request (except HTTP traffic destined for the ZyWALL) to a web proxy server. In the following example, proxy server A is connected to the DMZ interface. When a client connected to the LAN1 zone wants to open a web page, its HTTP request is redirected to proxy server A first. If proxy server A cannot find the web page in its cache, a policy route allows it to access the Internet to get the page from a server.
18.1.2 What You Need to Know
Web Proxy Server
A proxy server helps client devices make indirect requests to access the Internet or outside network resources/services. A proxy server can act as a firewall or an ALG (application layer gateway) between the private network and the Internet or other networks. It also keeps hackers from knowing internal IP addresses. A client connects to a web proxy server each time he/she wants to access the Internet.
• an application patrol rule to allow HTTP traffic between dmz and wan1.
• a policy route to forward HTTP traffic from proxy server A to the Internet.
Finding Out More
See Section 6.5.11 on page 99 for related information on these screens.
18.2 The HTTP Redirect Screen
To configure redirection of an HTTP request to a proxy server, click Configuration > Network > HTTP Redirect. This screen displays the summary of the HTTP redirect rules.
Table 94 Configuration > Network > HTTP Redirect (continued)
Port: This is the service port number used by the proxy server.
Apply: Click Apply to save your changes back to the ZyWALL.
Reset: Click Reset to return the screen to its last-saved settings.
18.2.1 The HTTP Redirect Edit Screen
Click Network > HTTP Redirect to open the HTTP Redirect screen. Then click the Add or Edit icon to open the HTTP Redirect Edit screen where you can configure the rule.
CHAPTER 19 ALG
19.1 ALG Overview
Application Layer Gateway (ALG) allows the following applications to operate properly through the ZyWALL’s NAT.
• SIP - Session Initiation Protocol (SIP) - An application-layer protocol that can be used to create voice and multimedia sessions over the Internet.
• H.323 - A teleconferencing protocol suite that provides audio, data and video conferencing.
• FTP - File Transfer Protocol - an Internet file transfer service.
19.1.2 What You Need to Know
Application Layer Gateway (ALG), NAT and Firewall
The ZyWALL can function as an Application Layer Gateway (ALG) to allow certain NAT-unfriendly applications (such as SIP) to operate properly through the ZyWALL’s NAT and firewall. The ZyWALL dynamically creates an implicit NAT session and firewall session for the application’s traffic from the WAN to the LAN. The ALG on the ZyWALL supports all of the ZyWALL’s NAT mapping types.
• There should be only one SIP server (total) on the ZyWALL’s private networks. Any other SIP servers must be on the WAN. So, for example, you could have a Back-to-Back User Agent such as the IPPBX x6004 or an Asterisk PBX on the DMZ or on the LAN, but not on both.
• Using the SIP ALG allows you to use bandwidth management on SIP traffic.
• The SIP ALG handles SIP calls that go through NAT or that the ZyWALL routes. You can also make other SIP calls that do not go through NAT or routing.
can receive incoming calls from the Internet, LAN IP addresses B and C can still make calls out to the Internet.
Figure 202 VoIP Calls from the WAN with Multiple Outgoing Calls
VoIP with Multiple WAN IP Addresses
With multiple WAN IP addresses on the ZyWALL, you can configure different firewall and NAT (port forwarding) rules to allow incoming calls from each WAN IP address to go to a specific IP address on the LAN (or DMZ). Use policy routing to have the H.
• See Section 19.3 on page 341 for ALG background/technical information.
19.1.3 Before You Begin
You must also configure the firewall and enable NAT in the ZyWALL to allow sessions initiated from the WAN.
19.2 The ALG Screen
Click Configuration > Network > ALG to open the ALG screen. Use this screen to turn ALGs off or on, configure the port numbers to which they apply, and configure SIP ALG timeouts.
The following table describes the labels in this screen.
Table 96 Configuration > Network > ALG
Enable SIP ALG: Turn on the SIP ALG to detect SIP traffic and help build SIP sessions through the ZyWALL’s NAT. Enabling the SIP ALG also allows you to use the application patrol to detect SIP traffic and manage the SIP traffic’s bandwidth (see Chapter 28 on page 437).
Table 96 Configuration > Network > ALG (continued)
Enable FTP ALG: Turn on the FTP ALG to detect FTP (File Transfer Protocol) traffic and help build FTP sessions through the ZyWALL’s NAT. Enabling the FTP ALG also allows you to use the application patrol to detect FTP traffic and manage the FTP traffic’s bandwidth (see Chapter 28 on page 437).
connections to the second (passive) interface when the active interface’s connection goes down. When the active interface’s connection fails, the client needs to re-initialize the connection through the second interface (that was set to passive) in order to have the connection go through the second interface. VoIP clients usually re-register automatically at set intervals, or the users can manually force them to re-register.
CHAPTER 20 IP/MAC Binding
20.1 IP/MAC Binding Overview
IP address to MAC address binding helps ensure that only the intended devices get to use privileged IP addresses. The ZyWALL uses DHCP to assign IP addresses and records the MAC address to which it assigned each IP address. The ZyWALL then checks incoming connection attempts against this list. A user cannot manually assign another IP to his computer and use it to connect to the ZyWALL. Suppose you configure access privileges for IP address 192.168.1.
20.1.2 What You Need to Know
DHCP
IP/MAC address bindings are based on the ZyWALL’s dynamic and static DHCP entries.
Interfaces Used With IP/MAC Binding
IP/MAC address bindings are grouped by interface. You can use IP/MAC binding with Ethernet, bridge and VLAN interfaces. You can also enable or disable IP/MAC binding and logging in an interface’s configuration screen.
20.
Table 97 Configuration > Network > IP/MAC Binding > Summary (continued)
Status: This icon is lit when the entry is active and dimmed when the entry is inactive.
Interface: This is the name of an interface that supports IP/MAC binding.
Number of Binding: This field displays the interface’s total number of IP/MAC bindings and IP addresses that the interface has assigned by DHCP.
Apply: Click Apply to save your changes back to the ZyWALL.
20.2.
Table 98 Configuration > Network > IP/MAC Binding > Edit (continued)
Static DHCP Bindings: This table lists the bound IP and MAC addresses. The ZyWALL checks this table when it assigns IP addresses. If the computer’s MAC address is in the table, the ZyWALL assigns the corresponding IP address. You can also access this table from the interface’s edit screen.
Add: Click this to create a new entry.
Table 99 Configuration > Network > IP/MAC Binding > Edit > Add (continued)
MAC Address: Enter the MAC address of the device to which the ZyWALL assigns the entry’s IP address.
Description: Enter up to 64 printable ASCII characters to help identify the entry. For example, you may want to list the computer’s owner.
OK: Click OK to save your changes back to the ZyWALL.
Cancel: Click Cancel to exit this screen without saving.
20.
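The binding check this chapter describes, as an added model that is neither the ZyWALL's code nor the User's Guide's. Interface names, addresses and MACs are constructed; how the ZyWALL treats a source IP that has no binding at all is not stated on this page, so that choice is a labelled assumption in the code.

```python
"""IP/MAC binding check modelled on Chapter 20 (added example, not ZyWALL code).

Bindings are grouped by interface and come from the DHCP table (static
entries plus dynamic leases). A packet whose source IP is bound to a
different MAC is dropped and, when logging is on for the interface,
logged. The page does not say how a source IP with no binding at all is
treated, so the drop_unbound flag is an assumption that shows both choices.
"""
from dataclasses import dataclass, field


@dataclass
class IfaceBinding:
    enabled: bool = True
    log: bool = True
    drop_unbound: bool = False                  # assumption (see docstring)
    table: dict = field(default_factory=dict)   # ip -> (mac, "static"|"dynamic")


class IpMacBinding:
    def __init__(self):
        self.ifaces = {}
        self.logs = []

    def configure(self, iface, enabled=True, log=True, drop_unbound=False):
        """Per-interface switches, as in the interface's configuration screen."""
        self.ifaces[iface] = IfaceBinding(enabled, log, drop_unbound)

    def add_static(self, iface, ip, mac):
        """Static DHCP binding entry (Table 99)."""
        self.ifaces[iface].table[ip] = (mac.lower(), "static")

    def dhcp_assign(self, iface, mac, free_ip):
        """DHCP assignment: a MAC already in the table gets its bound IP;
        otherwise free_ip is leased to it and the dynamic binding recorded."""
        tbl = self.ifaces[iface].table
        for ip, (bound_mac, _) in tbl.items():
            if bound_mac == mac.lower():
                return ip
        tbl[free_ip] = (mac.lower(), "dynamic")
        return free_ip

    def binding_count(self, iface):
        """The Number of Binding column of Table 97."""
        return len(self.ifaces[iface].table)

    def check(self, iface, src_ip, src_mac):
        """Verdict for an incoming connection attempt on iface."""
        cfg = self.ifaces[iface]
        if not cfg.enabled:
            return "allow"  # binding switched off on this interface
        entry = cfg.table.get(src_ip)
        if entry is not None and entry[0] == src_mac.lower():
            return "allow"
        if entry is None:
            verdict = "drop" if cfg.drop_unbound else "allow"
            reason = "no binding for this IP"
        else:
            verdict, reason = "drop", f"IP is bound to {entry[0]}"
        if verdict == "drop" and cfg.log:
            self.logs.append(f"{iface}: drop {src_ip} from {src_mac.lower()} ({reason})")
        return verdict


def demo():
    """Constructed scenario: a privileged address is statically bound to one
    host, and another host tries to use it by setting the IP manually."""
    b = IpMacBinding()
    b.configure("lan1", enabled=True, log=True)
    b.configure("dmz", enabled=False)
    b.add_static("lan1", "192.168.1.50", "AA:BB:CC:00:00:01")  # privileged host
    leased = b.dhcp_assign("lan1", "aa:bb:cc:00:00:02", "192.168.1.33")
    return {
        "owner": b.check("lan1", "192.168.1.50", "aa:bb:cc:00:00:01"),
        "spoofer": b.check("lan1", "192.168.1.50", "aa:bb:cc:00:00:99"),
        "leased_host": b.check("lan1", leased, "aa:bb:cc:00:00:02"),
        "binding_off": b.check("dmz", "192.168.3.9", "aa:bb:cc:00:00:99"),
        "count": b.binding_count("lan1"),
        "logs": b.logs,
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```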
CHAPTER 21 Authentication Policy
21.1 Overview
Use authentication policies to control who can access the network. You can authenticate users (require them to log in) and even perform Endpoint Security (EPS) checking to make sure users’ computers comply with defined corporate policies before they can access the network. After a user passes authentication, the user’s computer must meet the endpoint security object’s Operating System (OS) option and security requirements to gain access.
21.1.2 What You Need to Know
Authentication Policy and VPN
Authentication policies are applied based on a traffic flow’s source and destination IP addresses. If VPN traffic matches an authentication policy’s source and destination IP addresses, the user must pass authentication.
Multiple Endpoint Security Objects
You can set an authentication policy to use multiple endpoint security objects. This allows checking of computers with different OSs or security settings.
Click Configuration > Auth. Policy to display the screen.
Figure 211 Configuration > Auth.
The following table gives an overview of the objects you can configure.
Table 101 Configuration > Auth. Policy
Enable Authentication Policy: Select this to turn on the authentication policy feature.
Exceptional Services: Use this table to list services that users can access without logging in. Click Add to change the list’s membership. A screen appears. Available services appear on the left.
Table 101 Configuration > Auth. Policy (continued)
Status: This icon is lit when the entry is active and dimmed when the entry is inactive.
Priority: This is the position of the authentication policy in the list. The priority is important as the policies are applied in order of priority. Default displays for the default authentication policy that the ZyWALL uses on traffic that does not match any exceptional service or other authentication policy.
Figure 213 Configuration > Auth. Policy > Add
The following table gives an overview of the objects you can configure.
Table 102 Configuration > Auth. Policy > Add
Create new Object: Use to configure any new settings objects that you need to use in this screen.
Enable Policy: Select this check box to activate the authentication policy. This field is available for user-configured policies.
Table 102 Configuration > Auth. Policy > Add (continued)
Schedule: Select a schedule that defines when the policy applies. Otherwise, select none and the rule is always effective. This is none and not configurable for the default policy.
Authentication: Select the authentication requirement for users when their traffic matches this policy.
unnecessary - Users do not need to be authenticated.
required - Users need to be authenticated.
CHAPTER 22 Firewall
22.1 Overview
Use the firewall to block or allow services that use static port numbers. Use application patrol (see Chapter 28 on page 437) to control services using flexible/dynamic port numbers. The firewall can also limit the number of user sessions.
This figure shows the ZyWALL’s default firewall rules in action and demonstrates how stateful inspection works. User 1 can initiate a Telnet session from within the LAN1 zone and responses to this request are allowed.
22.1.2 What You Need to Know
Stateful Inspection
The ZyWALL has a stateful inspection firewall. The ZyWALL restricts access by screening data packets against defined access rules. It also inspects sessions. For example, traffic from one zone is not allowed unless it is initiated by a computer in another zone first.
Zones
A zone is a group of interfaces or VPN tunnels. Group the ZyWALL’s interfaces into different zones based on your needs.
• The ZyWALL drops most packets from the WAN zone to the ZyWALL itself, except for ESP/AH/IKE/NATT/HTTPS services for VPN tunnels, and generates a log.
• The ZyWALL drops most packets from the DMZ zone to the ZyWALL itself, except for DNS and NetBIOS traffic, and generates a log.
When you configure a firewall rule for packets destined for the ZyWALL itself, make sure it does not conflict with your service control rule.
Firewall and VPN Traffic
After you create a VPN tunnel and add it to a zone, you can set the firewall rules applied to VPN traffic. If you add a VPN tunnel to an existing zone (the LAN1 zone for example), you can configure a new LAN1 to LAN1 firewall rule or use intra-zone traffic blocking to allow or block VPN traffic traveling between the VPN tunnel and other interfaces in the LAN zone.
the firewall rule to always be in effect. The following figure shows the results of this rule.
Figure 215 Blocking All LAN to WAN IRC Traffic Example
Your firewall would have the following rules.
Table 104 Blocking All LAN to WAN IRC Traffic Example
#  USER  SOURCE  DESTINATION  SCHEDULE  SERVICE  ACTION
1  Any   Any     Any          Any       IRC      Deny
2  Any   Any     Any          Any       Any      Allow
• The first row blocks LAN access to the IRC service on the WAN.
Now you configure a LAN1 to WAN firewall rule that allows IRC traffic from the IP address of the CEO’s computer (192.168.1.7 for example) to go to any destination address. You do not need to specify a schedule since you want the firewall rule to always be in effect. The following figure shows the results of your two custom rules.
Figure 216 Limited LAN to WAN IRC Traffic Example
Your firewall would have the following configuration.
• The first row allows any LAN1 computer to access the IRC service on the WAN by logging into the ZyWALL with the CEO’s user name.
• The second row blocks LAN1 access to the IRC service on the WAN.
• The third row is the firewall’s default policy of allowing all traffic from the LAN1 to go to the WAN.
The rule for the CEO must come before the rule that blocks all LAN1 to WAN IRC traffic.
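The first-match rule evaluation behind Table 104 and the CEO configuration, as an added example that is not ZyXEL's code or part of the User's Guide. It assumes the user column matches only while that user is logged in to the ZyWALL from the flow's source; the user name "ceo" and the WAN destination address are constructed, the LAN addresses are the ones in the text.

```python
"""First-match evaluation of the LAN1-to-WAN IRC rule examples.

Added example, not ZyWALL code. It reproduces the ordering point of
Table 104 and the CEO configuration described in the text: rules are
applied in sequence, so the row that lets the CEO use IRC must come
before the row that denies IRC to everyone. The user column is modelled
as matching only when that user is logged in to the ZyWALL from the
flow's source; the user name "ceo" and the WAN address are assumed.
"""
from dataclasses import dataclass
from typing import Optional

ANY = "Any"


@dataclass(frozen=True)
class Rule:
    user: str
    source: str
    destination: str
    schedule: str
    service: str
    action: str  # Allow or Deny


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    service: str
    user: Optional[str] = None  # user logged in to the ZyWALL from src, if any


def field_matches(rule_value: str, flow_value) -> bool:
    return rule_value == ANY or rule_value == flow_value


def rule_matches(rule: Rule, flow: Flow, active_schedules=frozenset()) -> bool:
    """Every column must match; Any (or no schedule) matches everything."""
    return (field_matches(rule.user, flow.user)
            and field_matches(rule.source, flow.src)
            and field_matches(rule.destination, flow.dst)
            and (rule.schedule == ANY or rule.schedule in active_schedules)
            and field_matches(rule.service, flow.service))


def evaluate(rules, flow: Flow, active_schedules=frozenset()):
    """Return (row number, action) of the first matching row, or (None, None)
    when nothing matches; the last row is expected to be the default policy."""
    for number, rule in enumerate(rules, start=1):
        if rule_matches(rule, flow, active_schedules):
            return number, rule.action
    return None, None


# Table 104: block all LAN1 to WAN IRC traffic.
TABLE_104 = [
    Rule(ANY, ANY, ANY, ANY, "IRC", "Deny"),
    Rule(ANY, ANY, ANY, ANY, ANY, "Allow"),
]

# The CEO configuration described in the text: row 1 is the exception.
CEO_RULES = [
    Rule("ceo", ANY, ANY, ANY, "IRC", "Allow"),
    Rule(ANY, ANY, ANY, ANY, "IRC", "Deny"),
    Rule(ANY, ANY, ANY, ANY, ANY, "Allow"),
]

# Same rows with the first two swapped: the exception is never reached.
WRONG_ORDER = [CEO_RULES[1], CEO_RULES[0], CEO_RULES[2]]

WAN_HOST = "203.0.113.10"  # constructed destination on the WAN


def demo():
    ceo_irc = Flow("192.168.1.7", WAN_HOST, "IRC", user="ceo")
    ceo_other_pc = Flow("192.168.1.20", WAN_HOST, "IRC", user="ceo")
    staff_irc = Flow("192.168.1.20", WAN_HOST, "IRC", user="staff")
    ceo_not_logged_in = Flow("192.168.1.7", WAN_HOST, "IRC")
    ceo_web = Flow("192.168.1.7", WAN_HOST, "HTTP", user="ceo")
    return {
        "table104_irc": evaluate(TABLE_104, ceo_irc),
        "table104_web": evaluate(TABLE_104, ceo_web),
        "ceo_irc": evaluate(CEO_RULES, ceo_irc),
        "ceo_other_pc": evaluate(CEO_RULES, ceo_other_pc),
        "staff_irc": evaluate(CEO_RULES, staff_irc),
        "ceo_not_logged_in": evaluate(CEO_RULES, ceo_not_logged_in),
        "wrong_order": evaluate(WRONG_ORDER, ceo_irc),
    }


if __name__ == "__main__":
    for name, (row, action) in demo().items():
        print(f"{name}: row {row} -> {action}")
```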
5 The screen for configuring a service object opens. Configure it as follows and click OK.
Figure 219 Firewall Example: Create a Service Object
6 Select From WAN and To LAN1.
7 Enter the name of the firewall rule.
8 Select Dest_1 as the Destination and Doom as the Service. Enter a description and configure the rest of the screen as follows. Click OK when you are done.
9 The firewall rule appears in the firewall rule summary.
Figure 221 Firewall Example: Doom Rule in Summary
22.2 The Firewall Screen
Asymmetrical Routes
If an alternate gateway on the LAN has an IP address in the same subnet as the ZyWALL’s LAN IP address, return traffic may not go through the ZyWALL. This is called an asymmetrical or “triangle” route. This causes the ZyWALL to reset the connection, as the connection has not been acknowledged.
4 The ZyWALL then sends it to the computer on the LAN1 in Subnet 1.
Figure 222 Using Virtual Interfaces to Avoid Asymmetrical Routes
22.2.1 Configuring the Firewall Screen
Click Configuration > Firewall to open the Firewall screen. Use this screen to enable or disable the firewall and asymmetrical routes, set a maximum number of sessions per host, and display the configured firewall rules.
• The ordering of your rules is very important as rules are applied in sequence.
Figure 223 Configuration > Firewall
The following table describes the labels in this screen.
Table 107 Configuration > Firewall
General Settings
Enable Firewall: Select this check box to activate the firewall. The ZyWALL performs access control when the firewall is activated.
Table 107 Configuration > Firewall (continued)
From Zone / To Zone: This is the direction of travel of packets. Select from which zone the packets come and to which zone they go. Firewall rules are grouped based on the direction of travel of the packets to which they apply. For example, from LAN1 to LAN1 means packets traveling from a computer or subnet on the LAN to either another computer or subnet on the LAN1.
Table 107 Configuration > Firewall (continued)
Service: This displays the service object to which this firewall rule applies.
Access: This field displays whether the firewall silently discards packets (deny), discards packets and sends a TCP reset packet to the sender (reject) or permits the passage of packets (allow).
Log: This field shows you whether a log (and alert) is created when packets match this rule or not.
Table 108 Configuration > Firewall > Add (continued)
Description: Enter a descriptive name of up to 60 printable ASCII characters for the firewall rule. Spaces are allowed.
Schedule: Select a schedule that defines when the rule applies. Otherwise, select none and the rule is always effective.
User: This field is not available when you are configuring a to-ZyWALL rule. Select a user name or user group to which to apply the rule.
individual limits for specific users, addresses, or both. The individual limit takes priority if you apply both.
Figure 225 Configuration > Firewall > Session Limit
The following table describes the labels in this screen.
Table 109 Configuration > Firewall > Session Limit
General Settings
Enable Session limit: Select this check box to control the number of concurrent sessions hosts can have.
Table 109 Configuration > Firewall > Session Limit (continued)
#: This is the index number of a session limit rule. It is not associated with a specific rule.
User: This is the user name or user group name to which this session limit rule applies.
Address: This is the address object to which this session limit rule applies.
Limit: This is how many concurrent sessions this user or address is allowed to have.
Table 110 Configuration > Firewall > Session Limit > Edit (continued)
User: Select a user name or user group to which to apply the rule. The rule is activated only when the specified user logs into the system, and the rule will be disabled when the user logs out. Otherwise, select any and there is no need for user login.
CHAPTER 23 IPSec VPN 23.1 IPSec VPN Overview A virtual private network (VPN) provides secure communications between sites without the expense of leased site-to-site lines. A secure VPN is a combination of tunneling, encryption, authentication, access control and auditing. It is used to transport traffic over the Internet or any insecure network that uses TCP/IP for communication.
Chapter 23 IPSec VPN • Use the VPN Gateway screens (see Section 23.2.1 on page 380) to manage the ZyWALL’s VPN gateways. A VPN gateway specifies the IPSec routers at either end of a VPN tunnel and the IKE SA settings (phase 1 settings). You can also activate and deactivate each VPN gateway. 23.1.2 What You Need to Know An IPSec VPN tunnel is usually established in two phases.
Chapter 23 IPSec VPN Application Scenarios The ZyWALL’s application scenarios make it easier to configure your VPN connection settings. Table 111 IPSec VPN Application Scenarios SITE-TO-SITE Choose this if the remote IPSec router has a static IP address or a domain name. This ZyWALL can initiate the VPN tunnel. The remote IPSec router can also initiate the VPN tunnel if this ZyWALL has a static IP address or a domain name.
Chapter 23 IPSec VPN • See Section 23.4 on page 399 for IPSec VPN background information. • See Section 5.4 on page 76 for the IPSec VPN quick setup wizard. • See Section 7.4 on page 118 for an example of configuring IPSec VPN. 23.1.3 Before You Begin This section briefly explains the relationship between VPN tunnels and other features. It also gives some basic suggestions for troubleshooting. You should set up the following features before you set up the VPN tunnel.
Chapter 23 IPSec VPN SA). Click a column’s heading cell to sort the table entries by that column’s criteria. Click the heading cell again to reverse the sort order. Figure 229 Configuration > VPN > IPSec VPN > VPN Connection Each field is discussed in the following table. See Section 23.2.2 on page 387 and Section 23.2.1 on page 380 for more information.
Chapter 23 IPSec VPN Table 112 Configuration > VPN > IPSec VPN > VPN Connection (continued) LABEL DESCRIPTION Status The activate (light bulb) icon is lit when the entry is active and dimmed when the entry is inactive. The connect icon is lit when the interface is connected and dimmed when it is disconnected. Name This field displays the name of the IPSec SA. VPN Gateway This field displays the associated VPN gateway(s). If there is no VPN gateway, this field displays “manual key”.
Chapter 23 IPSec VPN Figure 230 Configuration > VPN > IPSec VPN > VPN Connection > Edit (IKE) ZyWALL USG 50 User’s Guide 381
Chapter 23 IPSec VPN Each field is described in the following table. Table 113 Configuration > VPN > IPSec VPN > VPN Connection > Edit LABEL DESCRIPTION Show Advance Settings / Hide Advance Settings Click this button to display a greater or lesser number of configuration fields. Create new Object Use to configure any new settings objects that you need to use in this screen. General Settings Enable Select this check box to activate this VPN connection.
Chapter 23 IPSec VPN Table 113 Configuration > VPN > IPSec VPN > VPN Connection > Edit (continued) LABEL Manual Key DESCRIPTION Select this option to configure a VPN connection policy that uses a manual key instead of IKE key management. This may be useful if you have problems with IKE key management. See Section 23.2.2 on page 387 for how to configure the manual key fields. Note: Only use manual key as a temporary solution, because it is not as secure as a regular IPSec SA.
Table 113 Configuration > VPN > IPSec VPN > VPN Connection > Edit (continued)
Remove: Select an entry and click this to delete it.
#: This field is a sequential value, and it is not associated with a specific proposal. The sequence of proposals should not affect performance significantly.
Encryption: This field is applicable when the Active Protocol is ESP. Select which key size and encryption algorithm to use in the IPSec SA.
Table 113 Configuration > VPN > IPSec VPN > VPN Connection > Edit (continued)
Check Method: Select how the ZyWALL checks the connection. The peer must be configured to respond to the method you select. Select icmp to have the ZyWALL regularly ping the address you specify to make sure traffic can still go through the connection. You may need to configure the peer to respond to pings.
Table 113 Configuration > VPN > IPSec VPN > VPN Connection > Edit (continued)
Inbound Traffic
Source NAT: This translation hides the source address of computers in the remote network.
Source: Select the address object that represents the original source address (or select Create Object to configure a new one). This is the address object for the remote network.
23.2.2 The VPN Connection Add/Edit Manual Key Screen
The VPN Connection Add/Edit Manual Key screen allows you to create a new VPN connection or edit an existing one using a manual key. This is useful if you have problems with IKE key management. To access this screen, go to the VPN Connection summary screen (see Section 23.2 on page 378), and click either the Add icon or an existing manual key entry’s Edit icon. In the VPN Gateway section of the screen, select Manual Key.
Table 114 Configuration > VPN > IPSec VPN > VPN Connection > Add > Manual Key (continued)
Secure Gateway Address: Type the IP address of the remote IPSec router in the IPSec SA.
SPI: Type a unique SPI (Security Parameter Index) between 256 and 4095. The SPI is carried in the header of every ESP or AH packet and tells the receiving router which IPSec SA, and therefore which keys, the packet belongs to; a packet whose SPI matches no configured SA is discarded. The ZyWALL and remote IPSec router must use the same SPI.
Encapsulation Mode: Select which type of encapsulation the IPSec SA uses.
Table 114 Configuration > VPN > IPSec VPN > VPN Connection > Add > Manual Key (continued)
Encryption Key: This field is applicable when you select an Encryption Algorithm. Enter the encryption key, which depends on the encryption algorithm.
23.3 The VPN Gateway Screen
The VPN Gateway summary screen displays the IPSec VPN gateway policies in the ZyWALL, as well as the ZyWALL’s address, remote IPSec router’s address, and associated VPN connections for each one. In addition, it also lets you activate and deactivate each VPN gateway. To access this screen, click Configuration > VPN > IPSec VPN > VPN Gateway. The following screen appears.
Table 115 Configuration > VPN > IPSec VPN > VPN Gateway (continued)
Apply: Click Apply to save your changes back to the ZyWALL.
Reset: Click Reset to return the screen to its last-saved settings.
23.3.1 The VPN Gateway Add/Edit Screen
The VPN Gateway Add/Edit screen allows you to create a new VPN gateway policy or edit an existing one. To access this screen, go to the VPN Gateway summary screen (see Section 23.
Figure 233 Configuration > VPN > IPSec VPN > VPN Gateway > Edit
Each field is described in the following table.
Table 116 Configuration > VPN > IPSec VPN > VPN Gateway > Edit
Show Advance Settings / Hide Advance Settings: Click this button to display a greater or lesser number of configuration fields.
General Settings
VPN Gateway Name: Type the name used to identify this VPN gateway.
Table 116 Configuration > VPN > IPSec VPN > VPN Gateway > Edit (continued)
My Address: Select how the IP address of the ZyWALL in the IKE SA is defined. If you select Interface, select the Ethernet interface, VLAN interface, virtual Ethernet interface, virtual VLAN interface or PPPoE/PPTP interface. The IP address of the ZyWALL in the IKE SA is the IP address of the interface. If you select Domain Name / IP, enter the domain name or the IP address of the ZyWALL.
Table 116 Configuration > VPN > IPSec VPN > VPN Gateway > Edit (continued)
Certificate: Select this to have the ZyWALL and remote IPSec router use certificates to authenticate each other when they negotiate the IKE SA. Then select the certificate the ZyWALL uses to identify itself to the remote IPSec router. This certificate is one of the certificates in My Certificates. If this certificate is self-signed, import it into the remote IPSec router.
Table 116 Configuration > VPN > IPSec VPN > VPN Gateway > Edit (continued)
Peer ID Type: Select which type of identification is used to identify the remote IPSec router during authentication.
Table 116 Configuration > VPN > IPSec VPN > VPN Gateway > Edit (continued)
Content: This field is disabled if the Peer ID Type is Any. Type the identity of the remote IPSec router during authentication. The identity depends on the Peer ID Type. If the ZyWALL and remote IPSec router do not use certificates:
IP - type an IP address; see the note at the end of this description.
Table 116 Configuration > VPN > IPSec VPN > VPN Gateway > Edit (continued)
Negotiation Mode: Select the negotiation mode to use to negotiate the IKE SA. Choices are:
Main - this encrypts the ZyWALL’s and remote IPSec router’s identities but takes more time to establish the IKE SA.
Aggressive - this is faster but does not encrypt the identities. With pre-shared key authentication it also sends the authentication hash derived from the pre-shared key in the clear, so anyone who can capture the exchange can run an offline dictionary attack against the key. Use Main mode unless the peer has a dynamic address and leaves no other choice, and in that case use a long, random pre-shared key.
The ZyWALL and the remote IPSec router must use the same negotiation mode.
Proposal
Add: Click this to create a new entry.
Table 116 Configuration > VPN > IPSec VPN > VPN Gateway > Edit (continued)
NAT Traversal: Select this if any of these conditions are satisfied.
• This IKE SA might be used to negotiate IPSec SAs that use ESP as the active protocol.
• There are one or more NAT routers between the ZyWALL and remote IPSec router, and these routers do not support IPSec pass-thru or a similar feature.
23.4 IPSec VPN Background Information
Here is some more detailed IPSec VPN background information.
IKE SA Overview
The IKE SA provides a secure connection between the ZyWALL and remote IPSec router. It takes several steps to establish an IKE SA. The negotiation mode determines how many. There are two negotiation modes--main mode and aggressive mode. Main mode provides better security, while aggressive mode is faster.
Note: Both routers must use the same negotiation mode.
Figure: IKE SA negotiation, steps 1 - 2 between routers X and Y
The ZyWALL sends one or more proposals to the remote IPSec router. (In some devices, you can only set up one proposal.) Each proposal consists of an encryption algorithm, authentication algorithm, and DH key group that the ZyWALL wants to use in the IKE SA. The remote IPSec router selects an acceptable proposal and sends the accepted proposal back to the ZyWALL.
keys for the IKE SA and IPSec SA. In main mode, this is done in steps 3 and 4, as illustrated next.
Figure 235 IKE SA: Main Negotiation Mode, Steps 3 - 4: DH Key Exchange (Diffie-Hellman key exchange between routers X and Y)
DH public-key cryptography is based on DH key groups. Each key group is a fixed number of bits long. The larger the group, the harder it is for an attacker to recover the shared secret, but also the longer the key exchange takes; the group size does not change how fast traffic is encrypted afterwards. Groups of 1024 bits are no longer considered adequate against a well-resourced attacker, so choose the largest group both routers support.
Figure: IKE SA negotiation, steps 5 - 6 between routers X and Y
Router identity consists of ID type and content. The ID type can be domain name, IP address, or e-mail address, and the content is a (properly-formatted) domain name, IP address, or e-mail address. The content is only used for identification. Any domain name or e-mail address that you enter does not have to actually exist. Similarly, any domain name or IP address that you enter does not have to correspond to the ZyWALL’s or remote IPSec router’s properties.
the identity of the remote IPSec router (for example, extended authentication) or if you are troubleshooting a VPN tunnel.
Additional Topics for IKE SA
This section provides more information about IKE SA.
Negotiation Mode
There are two negotiation modes--main mode and aggressive mode. Main mode provides better security, while aggressive mode is faster. Main mode takes six steps to establish an IKE SA.
Steps 1 - 2: The ZyWALL sends its proposals to the remote IPSec router.
If router A does NAT, it might change the IP addresses, port numbers, or both. If router X and router Y try to establish a VPN tunnel, the authentication fails because it depends on this information. The routers cannot establish a VPN tunnel. Most routers like router A now have an IPSec pass-thru feature. This feature helps router A recognize VPN packets and route them appropriately.
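The SPI rule from Table 114 (both routers must use the same SPI, and a packet with an unknown SPI has no SA and no key) and the NAT traversal behaviour described here and in Table 116 can be followed in the receiving router's demultiplexing logic. The following is an added example written for this guide; it is not ZyXEL code and does not describe the ZyWALL's implementation. The SA table, the SPI values and the packets are constructed, the NAT-T framing follows RFC 3948 (single 0xFF byte keepalive, four zero bytes as the non-ESP marker in front of IKE), and the 64-entry anti-replay window follows RFC 4303.

```python
"""UDP/4500 (NAT-T) demultiplexing, SPI lookup and ESP anti-replay.

Added example, not ZyXEL code. Everything below is constructed for the demo.
"""
import struct

# Constructed manual-key SA table keyed by SPI. The ZyWALL accepts manual SPIs
# between 256 and 4095; the actual key material is left out of this demo.
MANUAL_SAS = {
    0x100: {"peer": "203.0.113.10", "encap": "tunnel"},
    0xFFF: {"peer": "198.51.100.7", "encap": "transport"},
}


class ReplayWindow:
    """RFC 4303 section 3.4.3 sliding window over ESP sequence numbers.
    Bit i of the bitmap is set when sequence number (top - i) has been seen."""

    def __init__(self, size=64):
        self.size = size
        self.top = 0
        self.bitmap = 0

    def check_and_update(self, seq):
        """Return None to accept the packet, or a reason string to drop it."""
        if seq == 0:
            return "seq-zero"                 # never valid on an ESP SA
        if seq > self.top:                    # new high-water mark: slide window
            shift = seq - self.top
            self.bitmap = ((self.bitmap << shift) | 1) & ((1 << self.size) - 1)
            self.top = seq
            return None
        diff = self.top - seq
        if diff >= self.size:
            return "stale"                    # older than the window covers
        if self.bitmap & (1 << diff):
            return "replay"                   # already seen
        self.bitmap |= 1 << diff
        return None


def build_esp(spi, seq, payload):
    """ESP (RFC 4303) starts with SPI and sequence number; the payload here is
    left unencrypted because only the header is being demonstrated."""
    return struct.pack("!II", spi, seq) + payload


def classify_udp4500(payload):
    """Split NAT-T traffic: 1-byte 0xFF keepalive, 4 zero bytes = IKE behind
    the non-ESP marker, anything else is ESP because SPI 0 is reserved."""
    if payload == b"\xff":
        return ("keepalive", None)
    if len(payload) >= 4 and payload[:4] == b"\x00\x00\x00\x00":
        return ("ike", payload[4:])
    if len(payload) < 8:
        return ("malformed", None)
    return ("esp", payload)


def receive(payload, sas=MANUAL_SAS, windows=None):
    """Decide what the receiving router does with one UDP/4500 datagram."""
    if windows is None:
        windows = {}
    kind, body = classify_udp4500(payload)
    if kind != "esp":
        return kind
    spi, seq = struct.unpack("!II", body[:8])
    if spi not in sas:
        return "drop:unknown-spi"             # no SA, so no key to decrypt with
    verdict = windows.setdefault(spi, ReplayWindow()).check_and_update(seq)
    return "accept" if verdict is None else "drop:" + verdict


if __name__ == "__main__":
    win = {}
    for pkt in (build_esp(0x100, 1, b"a"), build_esp(0x100, 1, b"a"),
                build_esp(0x200, 2, b"b"), b"\xff"):
        print(receive(pkt, windows=win))
```

The window state is kept per SPI, which is why a mismatched SPI on the two routers fails before any decryption is attempted: the packet never reaches a key or a replay window.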
Certificates
It is possible for the ZyWALL and remote IPSec router to authenticate each other with certificates. In this case, you do not have to set up the pre-shared key, local identity, or remote identity because the certificates provide this information instead.
• Instead of using the pre-shared key, the ZyWALL and remote IPSec router check the signatures on each other’s certificates. Unlike pre-shared keys, the signatures do not have to match.
Encapsulation
There are two ways to encapsulate packets. Usually, you should use tunnel mode because it is more secure. Transport mode is only used when the IPSec SA is used for communication between the ZyWALL and remote IPSec router (for example, for remote management), not between computers on the local and remote networks.
Note: The ZyWALL and remote IPSec router must use the same encapsulation. These modes are illustrated below.
If you enable PFS, the ZyWALL and remote IPSec router perform a DH key exchange every time an IPSec SA is established, changing the root key from which encryption keys are generated. As a result, if one encryption key is compromised, other encryption keys remain secure. If you do not enable PFS, the ZyWALL and remote IPSec router use the same root key that was generated when the IKE SA was established to generate encryption keys.
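The DH exchange of steps 3 - 4 and what PFS changes for the IPSec SA keys can be followed in code. The following is an added example for this guide, not ZyXEL code: it models the IKEv1 derivations (SKEYID from the pre-shared key and nonces, SKEYID_d from the IKE DH secret, Quick Mode KEYMAT from SKEYID_d plus, with PFS, a fresh DH secret) in simplified form with HMAC-SHA1, uses RFC 2409 DH group 2 only because its prime is short enough to print, and the pre-shared key, nonces and SPI are constructed for the demo. The eavesdropper in the simulation is assumed to have obtained SKEYID_d (the root key the paragraph above refers to) and everything that went over the wire.

```python
"""IKE-style Diffie-Hellman key agreement and the effect of PFS on IPSec SA keys.

Added example, not ZyXEL code. Derivations are a simplified model of RFC 2409.
"""
import hashlib
import hmac
import secrets

# RFC 2409 Oakley group 2 (1024-bit MODP), generator 2. Shown because it is
# small; 1024-bit DH should not be used for new tunnels.
GROUP2_P = int("".join("""
FFFFFFFF FFFFFFFF C90FDAA2 2168C234 C4C6628B 80DC1CD1 29024E08 8A67CC74
020BBEA6 3B139B22 514A0879 8E3404DD EF9519B3 CD3A431B 302B0A6D F25F1437
4FE1356D 6D51C245 E485B576 625E7EC6 F44C42E9 A637ED6B 0BFF5CB6 F406B7ED
EE386BFB 5A899FA5 AE9F2411 7C4B1FE6 49286651 ECE65381 FFFFFFFF FFFFFFFF
""".split()), 16)
GROUP2_G = 2


def dh_keypair(p=GROUP2_P, g=GROUP2_G):
    """Private exponent x in [1, p-2] and public value g^x mod p."""
    x = secrets.randbelow(p - 2) + 1
    return x, pow(g, x, p)


def dh_shared(priv, peer_pub, p=GROUP2_P):
    """g^xy mod p. Degenerate peer values (0, 1, p-1) would force the shared
    secret into a tiny set, so they are rejected before exponentiation."""
    if not 1 < peer_pub < p - 1:
        raise ValueError("invalid DH public value from peer")
    return pow(peer_pub, priv, p)


def prf(key, data):
    return hmac.new(key, data, hashlib.sha1).digest()


def ike_skeyid_d(psk, ike_shared, ni, nr):
    """SKEYID_d: the IKE SA root key from which IPSec SA keys are derived
    (pre-shared key authentication; constructed, simplified form)."""
    skeyid = prf(psk, ni + nr)
    return prf(skeyid, ike_shared.to_bytes(128, "big") + b"\x00")


def child_keymat(skeyid_d, spi, ni2, nr2, pfs_shared=None):
    """Quick Mode KEYMAT for one IPSec SA (protocol 3 = ESP). With PFS the
    fresh DH secret is mixed in first, as in RFC 2409 section 5.5."""
    prefix = pfs_shared.to_bytes(128, "big") if pfs_shared is not None else b""
    return prf(skeyid_d, prefix + b"\x03" + spi.to_bytes(4, "big") + ni2 + nr2)


def simulate(pfs):
    """Set up the IKE SA between routers X and Y, derive one IPSec SA key, then
    let an eavesdropper who holds SKEYID_d and every public value try too.
    Returns (peers_agree, eavesdropper_succeeds)."""
    psk = b"constructed-demo-psk"                       # constructed
    ni, nr = secrets.token_bytes(16), secrets.token_bytes(16)
    x_priv, x_pub = dh_keypair()                        # steps 3 - 4
    y_priv, y_pub = dh_keypair()
    skeyid_d = ike_skeyid_d(psk, dh_shared(x_priv, y_pub), ni, nr)

    spi = 0x00000123                                    # constructed
    ni2, nr2 = secrets.token_bytes(16), secrets.token_bytes(16)
    if pfs:
        x2_priv, x2_pub = dh_keypair()                  # fresh DH per IPSec SA
        y2_priv, y2_pub = dh_keypair()
        key_x = child_keymat(skeyid_d, spi, ni2, nr2, dh_shared(x2_priv, y2_pub))
        key_y = child_keymat(skeyid_d, spi, ni2, nr2, dh_shared(y2_priv, x2_pub))
    else:
        key_x = child_keymat(skeyid_d, spi, ni2, nr2)
        key_y = child_keymat(skeyid_d, spi, ni2, nr2)

    # The eavesdropper has SKEYID_d, the SPI and both nonces, but not the
    # private exponents of the PFS exchange, so it can only derive without it.
    key_eve = child_keymat(skeyid_d, spi, ni2, nr2)
    return key_x == key_y, key_eve == key_x


if __name__ == "__main__":
    print("no PFS:", simulate(False))   # (True, True)
    print("PFS:   ", simulate(True))    # (True, False)
```

Without PFS, anyone who recovers the IKE root key later can reconstruct every IPSec SA key from public values alone; with PFS the same attacker also needs the private exponent of each per-SA DH exchange, which never leaves either router.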
NAT for Inbound and Outbound Traffic
The ZyWALL can translate the following types of network addresses in IPSec SA.
• Source address in outbound packets - this translation is necessary if you want the ZyWALL to route packets from computers outside the local network through the IPSec SA.
• Source address in inbound packets - this translation hides the source address of computers in the remote network.
• Destination - the original destination address; the remote network (B).
• SNAT - the translated source address; the local network (A).
Source Address in Inbound Packets (Inbound Traffic, Source NAT)
You can set up this translation if you want to change the source address of computers in the remote network. To set up this NAT, you have to specify the following information:
• Source - the original source address; the remote network (B).
CHAPTER 24 SSL VPN
24.1 Overview
Use SSL VPN to allow users to use a web browser for secure remote user login (the remote users do not need a VPN router or VPN client software).
24.1.1 What You Can Do in this Chapter
• Use the VPN > SSL VPN > Access Privilege screens (see Section 24.2 on page 413) to configure SSL access policies.
• Use the VPN > SSL VPN > Global Setting screen (see Section 24.
• apply Endpoint Security (EPS) checking to require users’ computers to comply with defined corporate policies before they can access the SSL VPN tunnel.
• limit user access to specific applications or files on the network.
• allow user access to specific networks.
• assign private IP addresses and provide DNS/WINS server information to remote users to access internal networks.
SSL Access Policy Objects
The SSL access policies reference the following objects.
24.2 The SSL Access Privilege Screen
Click VPN > SSL VPN to open the Access Privilege screen. This screen lists the configured SSL access policies.
Figure 241 VPN > SSL VPN > Access Privilege
The following table describes the labels in this screen.
Table 120 VPN > SSL VPN > Access Privilege
Add: Click this to create a new entry. Select an entry and click Add to create a new entry after the selected entry.
Table 120 VPN > SSL VPN > Access Privilege (continued)
Apply: Click Apply to save the settings.
Reset: Click Reset to discard all changes.
24.2.1 The SSL Access Policy Add/Edit Screen
To create a new or edit an existing SSL access policy, click the Add or Edit icon in the Access Privilege screen.
The following table describes the labels in this screen.
Table 121 VPN > SSL VPN > Access Privilege > Add/Edit
Create new Object: Use this to configure any new settings objects that you need to use in this screen.
Configuration
Enable Policy: Select this option to activate this SSL access policy.
Name: Enter a descriptive name to identify this policy. You can enter up to 15 characters (“a-z”, “A-Z”, “0-9”) with no spaces allowed.
Table 121 VPN > SSL VPN > Access Privilege > Add/Edit (continued)
SSL Application List (Optional): The Selectable Application Objects list displays the name(s) of the SSL application(s) you can select for this SSL access policy. To associate an SSL application to this SSL access policy, select a name and click >> to add to the Selected Application Objects list. You can select more than one application.
on your network for full tunnel mode access, enter access messages or upload a custom logo to be displayed on the remote user screen.
Figure 243 VPN > SSL VPN > Global Setting
The following table describes the labels in this screen.
Table 122 VPN > SSL VPN > Global Setting
Global Setting
Network Extension Local IP: Specify the IP address of the ZyWALL (or a gateway device) for full tunnel mode SSL VPN access.
Table 122 VPN > SSL VPN > Global Setting (continued)
Logout Message: Specify a message to display on the screen when a user logs out and the SSL VPN connection is terminated successfully. You can enter up to 60 characters (“a-z”, “A-Z”, “0-9”) with spaces allowed.
Update Client Virtual Desktop Logo: You can upload a graphic logo to be displayed on the web browser on the remote user computer. The ZyXEL company logo is the default logo.
The following shows an example logo on the remote user screen.
Figure 244 Example Logo Graphic Display
24.4 Establishing an SSL VPN Connection
After you have configured the SSL VPN settings on the ZyWALL, use the ZyWALL login screen’s SSL VPN button to establish an SSL VPN connection. See the User’s Guide Section 25.2 on page 422 for details.
1 Display the ZyWALL’s login screen and enter your user account information (the user name and password). Click SSL VPN.
2 SSL VPN connection starts. This may take several minutes depending on your network connection. Once the connection is up, you should see the client portal screen. The following shows an example.
Figure 246 SSL VPN Client Portal Screen Example
If the user account is not set up for SSL VPN access, an “SSL VPN connection is not activated” message displays in the Login screen. Clear the Login to SSL VPN check box and try logging in again.
CHAPTER 25 SSL User Screens
25.1 Overview
This chapter introduces the remote user SSL VPN screens. The following figure shows a network example where a remote user (A) logs into the ZyWALL from the Internet to access the web server (WWW) on the local network.
Figure 247 Network Example (remote user A, the Internet, the ZyWALL and the local web server WWW)
25.1.
System Requirements
Here are the browser and computer system requirements for remote user access.
• Windows 7 (32 or 64-bit), Vista (32 or 64-bit), 2003 (32-bit), XP (32-bit), or 2000 (32-bit)
• Internet Explorer 7 and above or Firefox 1.5 and above
• Using RDP requires Internet Explorer
• Sun’s Java (Java Runtime Environment or ‘JRE’) installed and enabled with a minimum version of 1.6.
1 Open a web browser and enter the web site address or IP address of the ZyWALL. For example, “http://sslvpn.mycompany.com”.
Figure 248 Enter the Address in a Web Browser
2 Click OK or Yes if a security screen displays.
Figure 249 Login Security Screen
3 A login screen displays. Enter the user name and password of your login account. If a token password is also required, enter it in the One-Time Password field.
5 Your computer starts establishing a secure connection to the ZyWALL after a successful login. This may take up to two minutes. If you get a message about needing Java, download and install it and restart your browser and re-login. If a certificate warning screen displays, check that the certificate is the one your administrator issued for the ZyWALL before you click OK, Yes or Continue; accepting an unexpected certificate lets anyone who can intercept the connection read your login and the traffic behind it.
Figure 251 Java Needed Message
6 The ZyWALL tries to install the SecuExtender client.
7 The ZyWALL tries to install the SecuExtender client. You may need to click a popup to get your browser to allow this. In Internet Explorer, click Install.
Figure 253 SecuExtender Blocked by Internet Explorer
8 The ZyWALL tries to run the “ssltun” application. You may need to click something to get your browser to allow this. In Internet Explorer, click Run.
10 If a screen like the following displays, click Continue Anyway to finish installing the SecuExtender client on your computer.
Figure 256 Hardware Installation Warning
11 The Application screen displays showing the list of resources available to you. See Figure 257 on page 427 for a screen example.
Note: Available resource links vary depending on the configuration your network administrator made.
25.3 The SSL VPN User Screens
This section describes the main elements in the remote user screens.
Figure 257 Remote User Screen (callouts 1 to 6 are described in the table below)
The following table describes the various parts of a remote user screen.
Table 123 Remote User Screen Overview
1: Click on a menu tab to go to the Application screen.
2: Click this icon to log out and terminate the secure connection.
25.4 Bookmarking the ZyWALL
You can create a bookmark of the ZyWALL by clicking the Add to Favorite icon. This allows you to access the ZyWALL using the bookmark without having to enter the address every time.
1 In any remote user screen, click the Add to Favorite icon.
2 A screen displays. Accept the default name in the Name field or enter a descriptive name to identify this link.
3 Click OK to create a bookmark in your web browser.
Figure 258 Add Favorite
25.
3 An information screen displays to indicate that the SSL VPN connection is about to terminate.
CHAPTER 26 SSL User Application Screens
26.1 SSL User Application Screens Overview
Use the Application screen to access web-based applications (such as web sites and e-mail) on the network through the SSL VPN connection. Which applications you can access depends on the ZyWALL’s configuration.
26.2 The Application Screen
Click the Application tab to display the screen. The Name field displays the descriptive name for an application.
CHAPTER 27 ZyWALL SecuExtender
The ZyWALL automatically loads the ZyWALL SecuExtender client program to your computer after a successful login. The ZyWALL SecuExtender lets you:
• Access servers, remote desktops and manage files as if you were on the local network.
• Use applications like e-mail, file transfer, and remote desktop programs directly without using a browser. For example, you can use Outlook for e-mail instead of the ZyWALL’s web-based e-mail.
27.2 Statistics
Right-click the ZyWALL SecuExtender icon in the system tray and select Status to open the Status screen. Use this screen to view the ZyWALL SecuExtender’s statistics.
Figure 263 ZyWALL SecuExtender Status
The following table describes the labels in this screen.
Table 124 ZyWALL SecuExtender Statistics
Transmitted: This is how many bytes and packets the computer has sent through the SSL VPN connection.
Received: This is how many bytes and packets the computer has received through the SSL VPN connection.
27.3 View Log
If you have problems with the ZyWALL SecuExtender, customer support may request you to provide information from the log.
connected but not send any traffic through it until you right-click the icon and resume the connection.
27.5 Stop the Connection
Right-click the icon and select Stop Connection to disconnect the SSL VPN tunnel.
27.6 Uninstalling the ZyWALL SecuExtender
Do the following if you need to remove the ZyWALL SecuExtender.
1 Click start > All Programs > ZyXEL > ZyWALL SecuExtender > Uninstall.
2 In the confirmation screen, click Yes.
CHAPTER 28 Application Patrol
28.1 Overview
Application patrol provides a convenient way to manage the use of various applications on the network. It manages general protocols (for example, HTTP and FTP) and instant messenger (IM), peer-to-peer (P2P), Voice over IP (VoIP), and streaming (RTSP) applications. You can even control the use of a particular application’s individual features (like text messaging, voice, video conferencing, and file transfers).
28.1.2 What You Need to Know
If you want to use a service, make sure both the firewall and application patrol allow the service’s packets to go through the ZyWALL.
Note: The ZyWALL checks firewall rules before it checks application patrol rules for traffic going through the ZyWALL.
Application patrol examines every TCP and UDP connection passing through the ZyWALL and identifies what application is using the connection.
numbers for SIP traffic. Likewise, configuring the SIP ALG to use custom port numbers for SIP traffic also configures application patrol to use the same port numbers for SIP traffic.
DiffServ and DSCP Marking
QoS is used to prioritize source-to-destination traffic flows. All packets in the same flow are given the same priority. CoS (class of service) is a way of managing traffic in a network by grouping similar types of traffic together and treating each type as a class.
• The outbound traffic flows from the connection initiator to the connection responder.
• The inbound traffic flows from the connection responder to the connection initiator.
For example, a LAN1 to WAN connection is initiated from LAN1 and goes to the WAN.
• Outbound traffic goes from a LAN1 zone device to a WAN zone device. Bandwidth management is applied before sending the packets out a WAN zone interface on the ZyWALL.
• Inbound traffic is limited to 500 kbps. The connection initiator is on the LAN1 so inbound means the traffic traveling from the WAN to the LAN1.
Figure 268 LAN1 to WAN, Outbound 200 kbps, Inbound 500 kbps
Bandwidth Management Priority
• The ZyWALL gives bandwidth to higher-priority traffic first, until it reaches its configured bandwidth rate.
• Then lower-priority traffic gets bandwidth.
outgoing speed of 1000 kbps. You configure policy A for server A’s traffic and policy B for server B’s traffic.
Figure 269 Bandwidth Management Behavior (BWM on a 1000 kbps link)
Configured Rate Effect
In the following table, the configured rates total less than the available bandwidth and maximize bandwidth usage is disabled, so both servers get their configured rate.
Table 125 Configured Rate Effect
POLICY CONFIGURED RATE MAX. B. U.
So server A gets its configured rate of 300 kbps plus 250 kbps for a total of 550 kbps. Server B gets its configured rate of 200 kbps plus 250 kbps for a total of 450 kbps.
Table 127 Maximize Bandwidth Usage Effect
POLICY CONFIGURED RATE MAX. B. U.
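The priority rule and the maximize bandwidth usage behaviour in Tables 125 to 127 amount to a small allocation algorithm. The following is an added example for this guide, not ZyXEL code and not the ZyWALL's scheduler: configured rates are handed out in priority order, and leftover link capacity is split equally among the policies that have maximize bandwidth usage enabled (the 250/250 split of Table 127). The equal split, the per-policy demand cap and the 7-level priority scale are assumptions taken from the text above.

```python
"""Bandwidth management allocation model for the ZyWALL rules above.

Added example, not ZyXEL code. Rates are in kbps for one direction of a link.
"""
from dataclasses import dataclass


@dataclass
class Policy:
    name: str
    rate_kbps: int            # configured (guaranteed) rate
    priority: int = 7         # 1 = highest, 7 = lowest (assumed scale)
    maximize: bool = False    # 'maximize bandwidth usage'
    demand_kbps: int = 10**9  # assumed offered load; default = unlimited


def allocate(policies, link_kbps):
    """Return ({policy name: kbps granted}, unused kbps)."""
    remaining = link_kbps
    alloc = {}
    # Phase 1: higher priority gets its configured rate first; when the link
    # cannot cover everyone, the lowest priorities are the ones shortchanged.
    for p in sorted(policies, key=lambda p: p.priority):
        give = min(p.rate_kbps, p.demand_kbps, remaining)
        alloc[p.name] = give
        remaining -= give
    # Phase 2: water-fill the leftover equally over policies with maximize on,
    # re-splitting whenever one of them reaches its demand.
    sharers = [p for p in policies if p.maximize and alloc[p.name] < p.demand_kbps]
    while remaining > 0 and sharers:
        share = remaining // len(sharers)
        if share == 0:
            break
        for p in list(sharers):
            extra = min(share, p.demand_kbps - alloc[p.name])
            alloc[p.name] += extra
            remaining -= extra
            if alloc[p.name] >= p.demand_kbps:
                sharers.remove(p)
    return alloc, remaining


def table_127_example(maximize):
    """Server A at 300 kbps, server B at 200 kbps, 1000 kbps link."""
    a = Policy("A", 300, priority=1, maximize=maximize)
    b = Policy("B", 200, priority=2, maximize=maximize)
    return allocate([a, b], 1000)


if __name__ == "__main__":
    print(table_127_example(False))  # ({'A': 300, 'B': 200}, 500)
    print(table_127_example(True))   # ({'A': 550, 'B': 450}, 0)
```

Running `allocate` with a link smaller than the sum of configured rates shows the priority rule: the priority-1 policy is filled first and the lower one absorbs the shortfall, which is why a bulk FTP policy should sit below SIP and HTTP in the examples that follow.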
• HTTP traffic needs to be given priority over FTP traffic.
• FTP traffic from the WAN to the DMZ must be limited so it does not interfere with SIP and HTTP traffic.
• FTP traffic from the LAN1 to the DMZ can use more bandwidth since the interfaces support up to 1 Gbps connections, but it must be the lowest priority and limited so it does not interfere with SIP and HTTP traffic.
• Enable maximize bandwidth usage so the SIP traffic can borrow unused bandwidth.
Figure 271 SIP Any to WAN Bandwidth Management Example (Outbound: 200 kbps, Inbound: 200 kbps)
28.1.3.3 SIP WAN to Any Bandwidth Management Example
You also create a policy for calls coming in from the SIP server on the WAN. It is the same as the SIP Any to WAN policy, but with the directions reversed (WAN to Any instead of Any to WAN).
28.1.3.
28.1.3.5 FTP WAN to DMZ Bandwidth Management Example
• ADSL supports more downstream than upstream so you allow remote users 300 kbps for uploads to the DMZ FTP server (outbound) but only 100 kbps for downloads (inbound).
• Third highest priority (3).
• Disable maximize bandwidth usage since you do not want to give FTP more bandwidth.
Figure 273 FTP WAN to DMZ Bandwidth Management Example (Outbound: 300 kbps, Inbound: 100 kbps)
28.1.3.
28.2 Application Patrol General Screen
Use this screen to enable and disable application patrol. It also lists the registration status and details about the signature set the ZyWALL is using.
Note: You must register for the IDP/AppPatrol signature service (at least the trial) before you can use it. See Section 10.1 on page 209 for how to register.
Click Configuration > App Patrol to open the following screen.
Table 129 Configuration > App Patrol > General (continued)
Enable Highest Bandwidth Priority for SIP Traffic: Select this to maximize the throughput of SIP traffic to improve SIP-based VoIP call sound quality. This has the ZyWALL immediately send SIP traffic upon identifying it.
Registration
Click Configuration > App Patrol > Common to open the following screen.
Figure 276 Configuration > App Patrol > Common
The following table describes the labels in this screen. See Section 28.3.1 on page 449 for more information as well.
Table 130 Configuration > App Patrol > Common
Edit: Double-click an entry or select it and click Edit to open a screen where you can modify the entry’s settings.
Streaming screen and click an application’s Edit icon. The screen displayed here is for the MSN instant messenger service.
Figure 277 Application Edit
The following table describes the labels in this screen.
Table 131 Application Edit
Service
Enable Service: Select this check box to turn on patrol for this application.
Service Identification
Name: This field displays the name of the application.
Table 131 Application Edit (continued)
#: This field is a sequential value, and it is not associated with a specific entry.
Note: The ZyWALL checks ports in the order they appear in the list. While this sequence does not affect the functionality, you might improve the performance of the ZyWALL by putting more commonly used ports at the top of the list.
Service Port: This column lists port numbers the ZyWALL uses to identify this application.
Table 131 Application Edit (continued)
Access: This field displays what the ZyWALL does with packets for this application that match this policy.
forward - the ZyWALL routes the packets for this application.
drop - the ZyWALL does not route the packets for this application and does not notify the client of its decision.
reject - the ZyWALL does not route the packets for this application and notifies the client of its decision.
Table 131 Application Edit (continued)
OK: Click OK to save your changes back to the ZyWALL.
Cancel: Click Cancel to exit this screen without saving your changes.
28.3.2 The Application Patrol Policy Edit Screen
The Application Policy Edit screen allows you to edit a group of settings for an application.
Table 132 Application Policy Edit (continued)
Schedule: Select a schedule that defines when the policy applies or select Create Object to configure a new one (see Chapter 38 on page 611 for details). Otherwise, select none to make the policy always effective.
User: Select a user name or user group to which to apply the policy. Use Create new Object if you need to configure a new user account (see Section 35.2.1 on page 586 for details).
Table 132 Application Policy Edit (continued)
Action
Block: For some applications, you can select individual uses of the application that the policy will have the ZyWALL block. These fields only apply when Access is set to forward.
Login - Select this option to block users from logging in to a server for this application.
Message - Select this option to block users from sending or receiving instant messages.
Table 132 Application Policy Edit (continued)
Priority: This field displays when the inbound or outbound bandwidth management is not set to 0. Enter a number between 1 and 7 to set the priority for this application’s traffic that matches this policy. The smaller the number, the higher the priority. The ZyWALL gives traffic of an application with higher priority bandwidth before traffic of an application with lower priority.
Click AppPatrol > Other to open the Other (applications) screen.
Figure 279 AppPatrol > Other
The following table describes the labels in this screen. See Section 28.4.1 on page 459 for more information as well.
Table 133 AppPatrol > Other
Add: Click this to create a new entry. Select an entry and click Add to create a new entry after the selected entry.
Edit: Select an entry and click this to be able to modify it.
Table 133 AppPatrol > Other (continued)
Destination: This is the destination address or address group for whom this policy applies. If any displays, the policy is effective for every destination.
Protocol: This is the protocol of the traffic to which this policy applies.
Access: This field displays what the ZyWALL does with packets that match this policy. forward - the ZyWALL routes the packets.
Table 133 AppPatrol > Other (continued)
Log: Select whether to have the ZyWALL generate a log (log), log and alert (log alert) or neither (no) when traffic matches this policy. See Chapter 46 on page 723 for more on logs.
Apply: Click Apply to save your changes back to the ZyWALL.
Reset: Click Reset to return the screen to its last-saved settings.
28.4.
Table 134 AppPatrol > Other > Edit (continued)
Schedule: Select a schedule that defines when the policy applies or select Create Object to configure a new one (see Chapter 38 on page 611 for details). Otherwise, select any to make the policy always effective.
User: Select a user name or user group to which to apply the policy. Use Create new Object if you need to configure a new user account (see Section 35.2.1 on page 586 for details).
Table 134 AppPatrol > Other > Edit (continued)
Inbound kbps: Type how much inbound bandwidth, in kilobits per second, this policy allows the traffic to use. Inbound refers to the traffic the ZyWALL sends to a connection’s initiator. If you enter 0 here, this policy does not apply bandwidth management for the matching traffic that the ZyWALL sends to the initiator.
Table 134 AppPatrol > Other > Edit (continued)
OK: Click OK to save your changes back to the ZyWALL.
Cancel: Click Cancel to exit this screen without saving your changes.
CHAPTER 29 Anti-Virus
29.1 Overview
Use the ZyWALL's anti-virus feature to protect your connected network from virus/spyware infection. The ZyWALL checks traffic going in the direction(s) you specify for signature matches. In the following figure the ZyWALL is set to check traffic coming from the WAN zone (which includes two interfaces) to the LAN zone.
Figure 281 ZyWALL Anti-Virus Example
29.1.1 What You Can Do in this Chapter
• Use the General screens (Section 29.
Chapter 29 Anti-Virus 29.1.2 What You Need to Know Anti-Virus Engines Subscribe to signature files for Kaspersky’s anti-virus engine. After the trial expires, you need to purchase an iCard for the anti-virus engine you want to use and register it in the Registration > Service screen. You must use the Kaspersky anti-virus iCard for the Kaspersky anti-virus engine. See Section 10.1 on page 209 for details.
3 The scanning engine checks the contents of the packets for viruses.
4 If a virus pattern is matched, the ZyWALL removes the infected portion of the file along with the rest of the file. The un-infected portion of the file that was forwarded before the virus pattern was matched still goes through, so the destination receives an unusable file rather than no file at all.
5 If the send alert message function is enabled, the ZyWALL sends an alert to the file's intended destination computer(s).
29.2 Anti-Virus Summary Screen
Click Configuration > Anti-X > Anti-Virus to display the configuration screen as shown next.
Figure 282 Configuration > Anti-X > Anti-Virus > General
The following table describes the labels in this screen.
Table 135 Configuration > Anti-X > Anti-Virus > General
LABEL DESCRIPTION
Show Advance Settings / Hide Advance Settings: Click this button to display a greater or lesser number of configuration fields.
Scan EICAR: Select this option to have the ZyWALL check for the EICAR test file and treat it in the same way as a real virus file. The EICAR test file is a standardized, harmless test file for signature-based anti-virus scanners, so it lets you verify that scanning, logging and the destroy action work on a traffic direction without handling real malware. When the virus scanner detects the EICAR file, it responds in the same way as if it found a real virus.
License Type: This field displays whether you applied for a trial (Trial) or registered a service with your iCard's PIN number (Standard). None displays when the service is not activated.
Apply new Registration: This link appears if you have not registered for the service or only have the trial registration. Click this link to go to the screen where you can register for the service.
29.2.1 Anti-Virus Policy Add or Edit Screen
Click the Add or Edit icon in the Configuration > Anti-X > Anti-Virus > General screen to display the configuration screen as shown next.
Figure 283 Configuration > Anti-X > Anti-Virus > General > Add
The following table describes the labels in this screen.
Table 136 Configuration > Anti-X > Anti-Virus > General > Add
LABEL DESCRIPTION
Actions When Matched
Destroy infected file: When you select this check box, if a virus pattern is matched, the ZyWALL overwrites the infected portion of the file (and the rest of the file) with zeros. The un-infected portion of the file before a virus pattern was matched goes through unmodified.
Destroy compressed files that could not be decompressed: Select this check box to have the ZyWALL delete any ZIP files that it is not able to unzip. The ZyWALL cannot unzip password-protected ZIP files or a ZIP file within another ZIP file, so it cannot scan their contents; if you leave this option cleared, such archives are forwarded without their contents having been scanned. Note: When you select this option, the ZyWALL deletes ZIP files that use password encryption.
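The following script is an added example and not part of this User's Guide or of ZyXEL's software. It builds the test set a practitioner would publish on a web server behind the scanned direction to verify the Scan EICAR, Destroy infected file and Destroy compressed files that could not be decompressed settings: the public 68-byte EICAR test string on its own, inside a ZIP, and inside a ZIP within a ZIP (which the guide says the ZyWALL cannot open). classify_received() then reports what happened to each file when it is fetched through the ZyWALL. File names, the test set and the classification labels are this example's own assumptions.

```python
"""Anti-virus test artifacts for a gateway scanner (added example)."""
import io
import zipfile
from typing import Dict, Optional

# The EICAR test string is assembled from two halves so that the source
# file itself does not trip a host anti-virus scanner while you edit it.
EICAR = "X5O!P%@AP[4\\PZX54(P^)7CC)7}$EICAR-STANDARD-" + "ANTIVIRUS-TEST-FILE!$H+H*"
EICAR_BYTES = EICAR.encode("ascii")


def build_eicar() -> bytes:
    """The bare EICAR file as a scanner sees it over HTTP, FTP or SMTP."""
    return EICAR_BYTES


def build_zip(name: str, payload: bytes) -> bytes:
    """Wrap payload in a ZIP archive (deflated, not password protected)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", compression=zipfile.ZIP_DEFLATED) as zf:
        zf.writestr(name, payload)
    return buf.getvalue()


def build_nested_zip() -> bytes:
    """A ZIP inside a ZIP: the guide says the ZyWALL cannot unzip these, so
    'Destroy compressed files that could not be decompressed' decides its fate."""
    inner = build_zip("eicar.com", build_eicar())
    return build_zip("inner.zip", inner)


def unzip_member(archive: bytes, name: str) -> bytes:
    """Read one member back out of an archive (used to check the artifacts)."""
    with zipfile.ZipFile(io.BytesIO(archive)) as zf:
        return zf.read(name)


def classify_received(original: bytes, received: Optional[bytes]) -> str:
    """Compare what the client received with what the server published.

    'blocked'   nothing arrived (connection reset or empty body)
    'intact'    byte-for-byte identical, so the scanner let it through
    'destroyed' same length, but everything from the first differing byte
                onward is zero, matching the 'Destroy infected file' action
    'modified'  anything else (truncated or otherwise altered)
    """
    if not received:
        return "blocked"
    if received == original:
        return "intact"
    if len(received) == len(original):
        first_diff = next(i for i in range(len(original)) if original[i] != received[i])
        if all(b == 0 for b in received[first_diff:]):
            return "destroyed"
    return "modified"


def test_set() -> Dict[str, bytes]:
    """Files to publish on a server in the zone the anti-virus policy covers."""
    return {
        "eicar.com": build_eicar(),
        "eicar.zip": build_zip("eicar.com", build_eicar()),
        "eicar_nested.zip": build_nested_zip(),
    }


if __name__ == "__main__":
    for fname, data in test_set().items():
        with open(fname, "wb") as f:
            f.write(data)
        print(f"wrote {fname}: {len(data)} bytes")
```

Fetch each file from a client behind the ZyWALL, then pass the published and received bytes to classify_received(): eicar.com and eicar.zip should come back destroyed when the policy is active, and what happens to eicar_nested.zip tells you whether the "could not be decompressed" option is doing what you expect.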
The following table describes the labels in this screen.
Table 137 Configuration > Anti-X > Anti-Virus > Black/White List > Black List
LABEL DESCRIPTION
Enable Black List: Select this check box to have the ZyWALL log and delete files with names that match the black list patterns.
Add: Click this to create a new entry.
Edit: Select an entry and click this to be able to modify it.
The following table describes the labels in this screen.
Table 138 Configuration > Anti-X > Anti-Virus > Black/White List > Black List (or White List) > Add
LABEL DESCRIPTION
Enable: If this is a black list entry, select this option to have the ZyWALL apply this entry when using the black list. If this is a white list entry, select this option to have the ZyWALL apply this entry when using the white list.
column's heading cell to sort the table entries by that column's criteria. Click the heading cell again to reverse the sort order.
Figure 286 Configuration > Anti-X > Anti-Virus > Black/White List > White List
The following table describes the labels in this screen.
If Internet Explorer opens a warning screen about a script making Internet Explorer run slowly and the computer possibly becoming unresponsive, click No to continue. Click a column's heading cell to sort the table entries by that column's criteria. Click the heading cell again to reverse the sort order.
The following table describes the labels in this screen.
Table 140 Configuration > Anti-X > Anti-Virus > Signature
LABEL DESCRIPTION
Signatures Search: Select the criteria on which to perform the search. Select By Name from the drop-down list box and type the name or part of the name of the signature(s) you want to find. This search is not case-sensitive. Select By ID from the drop-down list box and type the ID or part of the ID of the signature you want to find.
29.7 Anti-Virus Technical Reference
Types of Computer Viruses
The following table describes some of the common computer viruses.
Table 141 Common Computer Virus Types
TYPE DESCRIPTION
File Infector: This is a small program that embeds itself in a legitimate program. A file infector is able to copy and attach itself to other programs that are executed on an infected computer.
A host-based anti-virus (HAV) scanner is usually software installed on computers and/or servers in the network. It inspects files for virus patterns as they are moved onto and off the hard drive. However, host-based anti-virus scanners cannot eliminate all viruses, for a number of reasons:
• HAV scanners are slow in stopping virus threats carried in real-time traffic (such as from the Internet).
CHAPTER 30 IDP
30.1 Overview
This chapter introduces packet inspection IDP (Intrusion Detection and Prevention), IDP profiles, binding an IDP profile to a traffic flow, custom signatures and updating signatures. An IDP system can detect malicious or suspicious packets and respond instantaneously. IDP on the ZyWALL protects against network-based intrusions.
30.1.1 What You Can Do in this Chapter
• Use the Anti-X > IDP > General screen (Section 30.
Chapter 30 IDP IDP Profiles An IDP profile is a set of related IDP signatures that you can activate as a set and configure common log and action settings. You can apply IDP profiles to traffic flowing from one zone to another. For example, apply the default LAN_IDP profile to any traffic going to the LAN zone in order to protect your LAN computers. Note: You can only apply one IDP profile to one traffic flow. Base IDP Profiles Base IDP profiles are templates that you use to create new IDP profiles.
30.2 The IDP General Screen
Click Configuration > Anti-X > IDP > General to open this screen. Use this screen to turn IDP on or off, bind IDP profiles to traffic directions, and view registration and signature information.
Note: You must register in order to use packet inspection signatures. See the Registration screens. If you try to enable IDP when the IDP service has not yet been registered, a warning screen displays and IDP is not enabled.
Table 142 Configuration > Anti-X > IDP > General
LABEL DESCRIPTION
Add: Click this to create a new entry. Select an entry and click Add to create a new entry after the selected entry.
Edit: Select an entry and click this to be able to modify it.
Remove: Select an entry and click this to delete it.
Activate: To turn on an entry, select it and click Activate.
Inactivate: To turn off an entry, select it and click Inactivate.
Apply new Registration: This link appears if you have not registered for the service or only have the trial registration. Click this link to go to the screen where you can register for the service.
Signature Information: The following fields display information on the current signature set that the ZyWALL is using.
Current Version: This field displays the IDP signature set version number.
30.3.1 Base Profiles
The ZyWALL comes with several base profiles. You use base profiles to create new profiles. In the Configuration > Anti-X > IDP > Profile screen, click Add to display the following screen.
Figure 289 Base Profiles
The following table describes this screen.
Table 143 Base Profiles
BASE PROFILE DESCRIPTION
none: All signatures are disabled. No logs are generated and no actions are taken.
all: All signatures are enabled.
dmz: This profile is most suitable for networks containing your servers. Signatures for common services such as DNS, FTP, HTTP, ICMP, IMAP, MISC, NETBIOS, POP3, RPC, RSERVICE, SMTP, SNMP, SQL, TELNET, Oracle and MySQL are enabled. Signatures with a high or severe severity level (greater than three) generate log alerts and cause packets that trigger them to be dropped.
Table 144 Configuration > Anti-X > IDP > Profile
LABEL DESCRIPTION
Name: This is the name of the profile you created.
Base Profile: This is the base profile from which the profile was created.
30.5 Creating New Profiles
You may want to create a new profile if not all signatures in a base profile are applicable to your network. In this case you should disable the non-applicable signatures so as to improve ZyWALL IDP processing efficiency.
30.6 Profiles: Packet Inspection
Select Configuration > Anti-X > IDP > Profile and then add a new profile or edit an existing one. Packet inspection signatures examine the contents of a packet for malicious data. They operate at layer 4 to layer 7.
30.6.
The following table describes the fields in this screen.
Table 145 Configuration > Anti-X > IDP > Profile > Group View
LABEL DESCRIPTION
Name: This is the name of the profile. You may use 1-31 alphanumeric characters, underscores (_), or dashes (-), but the first character cannot be a number. This value is case-sensitive.
Action: To edit what action the ZyWALL takes when a packet matches a signature, select the signature and use the Action icon. none: Select this action on an individual signature or a complete service group to have the ZyWALL take no action when a packet matches the signature(s).
Log: These are the log options. To edit this, select an item and use the Log icon.
Action: This is the action the ZyWALL should take when a packet matches a signature here. To edit this, select an item and use the Action icon.
OK: A profile consists of three separate screens.
Table 146 Policy Types
POLICY TYPE DESCRIPTION
Scan: A scan describes the action of searching a network for an exposed service. An attack may then occur once a vulnerability has been found. Scans occur at several network levels. A network scan occurs at layer 3; for example, an attacker looks for network devices such as a router or server running in an IP network. A scan on a protocol is commonly referred to as a layer-4 scan.
Table 147 IDP Service Groups
SQL, SNMP, SMTP, RSERVICES, RPC, POP3, POP2, P2P, ORACLE, NNTP, NETBIOS, MYSQL, MISC_EXPLOIT, MISC_DDOS, MISC_BACKDOOR, MISC, IMAP, IM, ICMP, FTP, FINGER, DNS
The following figure shows the WEB_PHP service group, which contains signatures related to attacks on web servers using PHP exploits. PHP (PHP: Hypertext Preprocessor) is a server-side, HTML-embedded scripting language that allows web developers to build dynamic websites.
30.6.4 Profile > Query View Screen
Click Switch to query view in the screen shown in Figure 291 on page 487 to go to a signature query screen. In the query view screen, you can search for signatures by criteria such as name, ID, severity, attack type, vulnerable attack platforms, service category, log options or actions.
Figure 293 Configuration > Anti-X > IDP > Profile: Query View
The following table describes the fields specific to this screen's query view.
Table 148 Configuration > Anti-X > IDP > Profile: Query View
LABEL DESCRIPTION
Severity: Search for signatures by severity level(s). Hold down the [Ctrl] key if you want to make multiple selections. These are the severities as defined in the ZyWALL. The number in brackets is the number you use when using commands. Severe (5): These denote attacks that try to run arbitrary code or gain system privileges.
30.6.
• Actions: Any
Figure 294 Query Example Search Criteria
Figure 295 Query Example Search Results
30.7 Introducing IDP Custom Signatures
Create custom signatures for new attacks or attacks peculiar to your network. Custom signatures can also be saved to and loaded from your computer so as to share them with others. You need some knowledge of packet headers and attack types to create your own custom signatures.
30.7.1 IP Packet Header
These are the fields in an Internet Protocol (IP) version 4 packet header.
Table 149 IP v4 Packet Headers
HEADER DESCRIPTION
Time To Live: This is a counter that decrements every time the packet passes through a router. When it reaches zero, the datagram is discarded. It is used to prevent accidental routing loops.
Protocol: The protocol indicates the type of transport packet being carried, for example, 1 = ICMP; 2 = IGMP; 6 = TCP; 17 = UDP.
Note: The ZyWALL checks all signatures and continues searching even after a match is found. If two or more rules have conflicting actions for the same packet, then the ZyWALL applies the more restrictive action (reject-both, reject-receiver or reject-sender, drop, none, in this order). If a packet matches a rule for reject-receiver and it also matches a rule for reject-sender, then the ZyWALL will reject-both.
Table 150 Configuration > Anti-X > IDP > Custom Signatures
LABEL DESCRIPTION
Custom Signature Rule Importing: Use this part of the screen to import custom signatures (previously saved to your computer) to the ZyWALL. Note: The name of the complete custom signature file on the ZyWALL is 'custom.rules'. If you import a file named 'custom.rules', then all custom signatures on the ZyWALL are overwritten with the new file. Export and keep a copy of the current file before importing if you want to be able to restore it.
Try to write signatures that target a vulnerability, for example a certain type of traffic on certain operating systems, instead of a specific exploit.
The following table describes the fields in this screen.
Table 151 Configuration > Anti-X > IDP > Custom Signatures > Add/Edit
LABEL DESCRIPTION
Name: Type the name of your custom signature. You may use 1-31 alphanumeric characters, underscores (_), or dashes (-), but the first character cannot be a number. This value is case-sensitive.
Fragmentation: A fragmentation flag identifies whether the IP datagram should be fragmented, not fragmented, or is a reserved bit. Some intrusions can be identified by this flag. Select the check box and then select the flag that the intrusion uses.
Fragmentation Offset: When an IP datagram is fragmented, it is reassembled at the final destination.
Flow: If selected, the signature only applies to certain directions of the traffic flow and only to clients or servers. Select Flow and then select the identifying options.
Payload Size: This field may be used to check for abnormally sized packets or for detecting buffer overflows. Select the check box, then select Equal, Smaller or Greater and then type the payload size. Stream-rebuilt packets are not checked regardless of the size of the payload.
Add: Click this to create a new entry.
Edit: Select an entry and click this to be able to modify it.
OK: Click this button to save your changes to the ZyWALL and return to the summary screen.
Cancel: Click this button to return to the summary screen without saving any changes.
30.8.2 Custom Signature Example
Before creating a custom signature, you must first clearly understand the vulnerability.
30.8.2.1 Understand the Vulnerability
Check the ZyWALL logs when the attack occurs.
30.8.2.2 Analyze Packets
Use the packet capture screen (see Section 48.3 on page 750) and a packet analyzer (also known as a network or protocol analyzer) such as Wireshark or Ethereal to investigate further.
Figure 299 DNS Query Packet Details
From the details of the DNS query you see that the protocol is UDP and the port is 53. The type of DNS packet is standard query and the Flags field is 0x0100, located at an offset of 2 bytes into the UDP payload. A hex pattern must contain whole bytes, so enter |01 00| (the two bytes of 0x0100) at offset 2 as the first pattern.
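The following script is an added example, not part of this User's Guide and not the ZyWALL's own matching engine. It shows what the custom signature built in this section actually tests (a UDP packet to port 53 whose two bytes at offset 2 are the DNS flags 0x0100), rejects a hex pattern that is not a whole number of bytes, and applies the action precedence described in the note above when several signatures match the same packet (reject-both, then reject-receiver or reject-sender, then drop, then none, with a reject-sender match plus a reject-receiver match becoming reject-both). The DNS packet and the three rules, including their names, are constructed for this example.

```python
"""Custom-signature style matching against a DNS query (added example)."""
import struct
from typing import Dict, List, Tuple

# Patterns are written the way the guide writes them: |01 00| is the two
# bytes 0x01 0x00. |010| has three hex digits and is not a whole number of
# bytes, so it is rejected instead of being silently padded.
def parse_hex_pattern(text: str) -> bytes:
    body = text.strip().strip("|").replace(" ", "")
    if len(body) == 0 or len(body) % 2 != 0:
        raise ValueError(f"hex pattern {text!r} is not a whole number of bytes")
    return bytes.fromhex(body)


def is_valid_hex_pattern(text: str) -> bool:
    try:
        parse_hex_pattern(text)
        return True
    except ValueError:
        return False


def build_dns_query(name: str, txid: int = 0x1234) -> bytes:
    """Standard DNS query: flags 0x0100, one question, type A, class IN."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    qname = b"".join(bytes([len(label)]) + label.encode("ascii")
                     for label in name.rstrip(".").split("."))
    return header + qname + b"\x00" + struct.pack("!HH", 1, 1)


def dns_flags(payload: bytes) -> int:
    """The 16-bit flags word at offset 2 of the DNS header."""
    return struct.unpack("!H", payload[2:4])[0]


# A rule in the spirit of Configuration > Anti-X > IDP > Custom Signatures:
# transport protocol, destination port, (offset, hex pattern) pairs, action.
Rule = Dict[str, object]
ACTION_RANK = {"none": 0, "drop": 1, "reject-sender": 2,
               "reject-receiver": 2, "reject-both": 3}


def rule_matches(rule: Rule, proto: str, dport: int, payload: bytes) -> bool:
    if rule["proto"] != proto or rule["dport"] != dport:
        return False
    for offset, pattern in rule["patterns"]:
        needle = parse_hex_pattern(pattern)
        if payload[offset:offset + len(needle)] != needle:
            return False
    return True


def evaluate(rules: List[Rule], proto: str, dport: int,
             payload: bytes) -> Tuple[List[str], str]:
    """Names of all matching rules plus the action applied: scanning does
    not stop at the first match, and the most restrictive action wins."""
    matched = [r for r in rules if rule_matches(r, proto, dport, payload)]
    if not matched:
        return [], "none"
    actions = {r["action"] for r in matched}
    if "reject-both" in actions or {"reject-sender", "reject-receiver"} <= actions:
        final = "reject-both"
    else:
        final = max(actions, key=lambda a: ACTION_RANK[a])
    return [r["name"] for r in matched], final


# Constructed rule set; the names are made up for the example.
RULES: List[Rule] = [
    {"name": "dns-standard-query", "proto": "udp", "dport": 53,
     "patterns": [(2, "|01 00|")], "action": "drop"},
    {"name": "dns-query-for-example-net", "proto": "udp", "dport": 53,
     # offset 12 is the first label length (7), offset 13 the label "example"
     "patterns": [(2, "|01 00|"), (12, "|07|"), (13, "|65 78 61 6d 70 6c 65|")],
     "action": "reject-sender"},
    {"name": "dns-query-reject-receiver", "proto": "udp", "dport": 53,
     "patterns": [(2, "|01 00|")], "action": "reject-receiver"},
]

if __name__ == "__main__":
    pkt = build_dns_query("example.net")
    print(hex(dns_flags(pkt)), evaluate(RULES, "udp", 53, pkt))
```

A query for example.net matches all three rules and ends as reject-both because a reject-sender and a reject-receiver match combine; a query for any other name matches the first and third rules only, and reject-receiver outranks drop.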
The final custom signature should look like the one shown in the following figure.
Figure 300 Example Custom Signature
30.8.3 Applying Custom Signatures
After you create your custom signature, it becomes available in the IDP service group category in the Configuration > Anti-X > IDP > Profile > Edit screen. Custom signatures have an SID from 9000000 to 9999999.
You can activate the signature, configure what action to take when a packet matches it and whether it should generate a log or alert in a profile. Then bind the profile to a zone.
Figure 301 Example: Custom Signature in IDP Profile
30.8.4 Verifying Custom Signatures
Configure the signature to create a log when traffic matches the signature. (You may also want to configure an alert if it is for a serious attack and needs immediate attention.
destination port is the service port (53 for DNS in this case) that the attack tries to exploit.
Figure 302 Custom Signature Log
30.9 IDP Technical Reference
This section contains some background information on IDP.
Host Intrusions
The goal of host-based intrusions is to infiltrate files on an individual computer or server with the aim of accessing confidential information or destroying information on that computer. You must install a host IDP directly on the system being protected.
Network Intrusions
Network-based intrusions have the goal of bringing down a network or networks by attacking computer(s), switch(es), router(s) or modem(s). If a LAN switch is compromised, for example, then the whole LAN is compromised. Host-based intrusions may be used to cause network-based intrusions when the goal of the host virus is to propagate attacks on the network, or to attack computer/server operating system vulnerabilities with the goal of bringing down the computer/server.
Table 152 ZyWALL - Snort Equivalent Terms
ZYWALL TERM: SNORT EQUIVALENT TERM
Same IP: sameip
Transport Protocol: TCP
Port: (In Snort rule header)
Flow: flow
Flags: flags
Sequence Number: seq
Ack Number: ack
Window Size: window
Transport Protocol: UDP
Port: (In Snort rule header)
Transport Protocol: ICMP (In Snort rule header)
Type: itype
Code: icode
ID: icmp_id
Sequence Number: icmp_seq
Payload Options: (Snort rule options)
Payload Size: dsize
Of
CHAPTER 31 ADP 31.1 Overview This chapter introduces ADP (Anomaly Detection and Prevention), anomaly profiles and applying an ADP profile to a traffic direction. ADP protects against anomalies based on violations of protocol standards (RFCs – Requests for Comments) and abnormal flows such as port scans. 31.1.
Chapter 31 ADP Protocol Anomalies Protocol anomalies are packets that do not comply with the relevant RFC (Request For Comments). Protocol anomaly detection includes HTTP Inspection, TCP Decoder, UDP Decoder and ICMP Decoder. Protocol anomaly rules may be updated when you upload new firmware. ADP Profile An ADP profile is a set of traffic anomaly rules and protocol anomaly rules that you can activate as a set and configure common log and action settings.
31.2 The ADP General Screen
Click Configuration > Anti-X > ADP > General. Use this screen to turn anomaly detection on or off and apply anomaly profiles to traffic directions.
Figure 303 Configuration > Anti-X > ADP > General
The following table describes the labels in this screen.
Table 153 Configuration > Anti-X > ADP > General
LABEL DESCRIPTION
General Settings
Enable Anomaly Detection Policies: Select this check box to enable traffic anomaly and protocol anomaly detection.
Status: The activate (light bulb) icon is lit when the entry is active and dimmed when the entry is inactive.
From, To: This is the direction of travel of packets to which an anomaly profile is bound. Traffic direction is defined by the zone the traffic is coming from and the zone the traffic is going to. Use the From field to specify the zone from which the traffic is coming.
31.3.1 Base Profiles
The ZyWALL comes with base profiles. You use base profiles to create new profiles. In the Configuration > Anti-X > ADP > Profile screen, click Add to display the following screen.
Figure 304 Base Profiles
These are the default base profiles at the time of writing.
Table 154 Base Profiles
BASE PROFILE DESCRIPTION
none: All traffic anomaly and protocol anomaly rules are disabled. No logs are generated and no actions are taken.
The following table describes the fields in this screen.
Table 155 Anti-X > ADP > Profile
LABEL DESCRIPTION
Add: Click this to create a new entry.
Edit: Select an entry and click this to be able to modify it.
Remove: Select an entry and click this to delete it.
#: This is the entry's index number in the list.
Name: This is the name of the profile you created.
Base Profile: This is the base profile from which the profile was created.
31.3.
belonging to this profile, make sure you have clicked OK or Save to save the changes before selecting the Traffic Anomaly tab.
The following table describes the fields in this screen.
Table 156 Configuration > ADP > Profile > Traffic Anomaly
LABEL DESCRIPTION
Name: This is the name of the ADP profile. You may use 1-31 alphanumeric characters, underscores (_), or dashes (-), but the first character cannot be a number. This value is case-sensitive.
Name: This is the name of the traffic anomaly rule. Click the Name column heading to sort in ascending or descending order according to the rule name.
Log: These are the log options. To edit this, select an item and use the Log icon.
Action: This is the action the ZyWALL should take when a packet matches a rule. To edit this, select an item and use the Action icon.
Figure 307 Profiles: Protocol Anomaly
The following table describes the fields in this screen.
Table 157 Configuration > ADP > Profile > Protocol Anomaly
LABEL DESCRIPTION
Name: This is the name of the profile. You may use 1-31 alphanumeric characters, underscores (_), or dashes (-), but the first character cannot be a number. This value is case-sensitive.
Action: To edit what action the ZyWALL takes when a packet matches a rule, select the rule and use the Action icon. original setting: Select this action to return each rule in a service group to its previously saved configuration. none: Select this action on an individual rule or a complete service group to have the ZyWALL take no action when a packet matches a rule.
OK: Click OK to save your settings to the ZyWALL, complete the profile and return to the profile summary page.
Cancel: Click Cancel to return to the profile summary page without saving any changes.
Save: Click Save to save the configuration to the ZyWALL but remain on the same page. You may then go to another profile screen (tab) in order to complete the profile.
Decoy Port Scans
Decoy port scans are scans where the attacker has spoofed the source address, so that the real scanning host is hidden among the decoys in your logs. These are some decoy scan types:
• TCP Decoy Portscan
• UDP Decoy Portscan
• IP Decoy Portscan
Distributed Port Scans
Distributed port scans are many-to-one port scans. They occur when multiple hosts query one host for open services. Because each source sends only a few probes, this may be used to evade intrusion detection that counts probes per source.
• ICMP Filtered Portsweep
• TCP Filtered Distributed Portscan
• UDP Filtered Distributed Portscan
• IP Filtered Distributed Portscan
Flood Detection
Flood attacks saturate a network with useless data, use up all available bandwidth, and therefore make communications in the network impossible.
ICMP Flood Attack
An ICMP flood sends so many pings (ICMP echo requests) to a system that it slows down or locks up.
the initiator responds with an ACK (acknowledgment). After this handshake, a connection is established.
Figure 309 TCP Three-Way Handshake
A SYN flood attack is when an attacker sends a series of SYN packets. Each packet causes the receiver to reply with a SYN-ACK response. The receiver then waits for the ACK that follows the SYN-ACK, and stores all outstanding SYN-ACK responses on a backlog queue. When the attacker never sends the ACK, typically because the source addresses are spoofed, the backlog fills and legitimate connection attempts are refused.
UDP Flood Attack
UDP is a connectionless protocol and does not require any connection setup procedure to transfer data. A UDP flood attack is possible when an attacker sends a UDP packet to a random port on the victim system. When the victim system receives a UDP packet, it will determine what application is waiting on the destination port.
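The following script is an added example, not part of this User's Guide and not the ZyWALL's ADP engine. It implements, with plain counting inside a time window, the four traffic anomalies this section describes: a port scan (one source, many ports on one host), a port sweep (one source, one port on many hosts), a distributed port scan (many sources that together enumerate one host's ports while each stays under the per-source threshold) and a SYN flood (SYNs whose handshake is never completed, so they stay in the backlog). The packet records are constructed, and the window and thresholds are assumptions chosen for the example.

```python
"""Traffic anomaly detection over packet summaries (added example)."""
from collections import defaultdict
from typing import Dict, List, NamedTuple, Set


class Pkt(NamedTuple):
    ts: float        # seconds
    src: str
    dst: str
    dport: int
    flags: str       # "S" = SYN, "A" = ACK (constructed records)


WINDOW = 5.0        # seconds (assumed)
SCAN_PORTS = 20     # distinct ports from one source to one host
SWEEP_HOSTS = 20    # distinct hosts from one source on one port
DIST_SOURCES = 10   # distinct quiet sources hitting one host
SYN_BACKLOG = 50    # half-open connections before we call it a flood


def _in_window(pkts: List[Pkt], now: float) -> List[Pkt]:
    return [p for p in pkts if now - WINDOW < p.ts <= now]


def detect_portscan(pkts: List[Pkt], now: float) -> Set[str]:
    ports: Dict[tuple, Set[int]] = defaultdict(set)
    for p in _in_window(pkts, now):
        ports[(p.src, p.dst)].add(p.dport)
    return {f"{src}->{dst}" for (src, dst), s in ports.items() if len(s) >= SCAN_PORTS}


def detect_portsweep(pkts: List[Pkt], now: float) -> Set[str]:
    hosts: Dict[tuple, Set[str]] = defaultdict(set)
    for p in _in_window(pkts, now):
        hosts[(p.src, p.dport)].add(p.dst)
    return {f"{src}:{port}" for (src, port), s in hosts.items() if len(s) >= SWEEP_HOSTS}


def detect_distributed_scan(pkts: List[Pkt], now: float) -> Set[str]:
    """Many sources, one target: every source alone is below SCAN_PORTS,
    but their probes together cover at least SCAN_PORTS distinct ports."""
    by_dst: Dict[str, Dict[str, Set[int]]] = defaultdict(lambda: defaultdict(set))
    for p in _in_window(pkts, now):
        by_dst[p.dst][p.src].add(p.dport)
    out: Set[str] = set()
    for dst, per_src in by_dst.items():
        quiet = [ports for ports in per_src.values() if len(ports) < SCAN_PORTS]
        union = set().union(*quiet) if quiet else set()
        if len(quiet) >= DIST_SOURCES and len(union) >= SCAN_PORTS:
            out.add(dst)
    return out


def detect_syn_flood(pkts: List[Pkt], now: float) -> Set[str]:
    """Count half-open handshakes per destination. A SYN enters the backlog
    and the initiator's ACK removes it; spoofed sources never send the ACK."""
    half_open: Dict[str, Set[tuple]] = defaultdict(set)
    for p in _in_window(pkts, now):
        key = (p.src, p.dport)
        if p.flags == "S":
            half_open[p.dst].add(key)
        elif p.flags == "A":
            half_open[p.dst].discard(key)
    return {dst for dst, s in half_open.items() if len(s) >= SYN_BACKLOG}


def sample_traffic() -> List[Pkt]:
    """Constructed traffic: a scanner, a sweeper, a botnet, a SYN flood from
    spoofed addresses, and three normal clients that finish the handshake."""
    pkts: List[Pkt] = []
    pkts += [Pkt(0.1 * i, "10.0.0.5", "192.168.1.10", 1 + i, "S") for i in range(25)]
    pkts += [Pkt(0.1 * i, "10.0.0.6", f"192.168.1.{20 + i}", 445, "S") for i in range(25)]
    pkts += [Pkt(0.2 * i, f"172.16.0.{i}", "192.168.1.30", 8000 + i, "S") for i in range(24)]
    pkts += [Pkt(0.01 * i, f"203.0.113.{i}", "192.168.1.40", 80, "S") for i in range(60)]
    for i in range(3):
        pkts += [Pkt(1.0 + i, f"192.168.1.{100 + i}", "192.168.1.40", 80, "S"),
                 Pkt(1.1 + i, f"192.168.1.{100 + i}", "192.168.1.40", 80, "A")]
    return pkts


if __name__ == "__main__":
    t = sample_traffic()
    for name, fn in (("portscan", detect_portscan), ("portsweep", detect_portsweep),
                     ("distributed", detect_distributed_scan), ("syn flood", detect_syn_flood)):
        print(name, sorted(fn(t, 5.0)))
```

Note that the flood's 60 distinct sources do not register as a distributed scan, because together they only ever touch port 80; the distributed-scan rule needs the union of probed ports to reach the scan threshold, which is what separates many clients of one service from many hosts enumerating one target.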
Table 158 HTTP Inspection and TCP/UDP/ICMP Decoders
LABEL DESCRIPTION
DOUBLE-ENCODING ATTACK: This rule is IIS specific. IIS does two passes through the request URI, decoding in each one. In the first pass, IIS encoding (UTF-8 Unicode, ASCII, bare byte, and %u) is decoded. In the second pass, ASCII, bare byte, and %u encodings are decoded. A URI that still contains encoded sequences after the first pass has been double-encoded, typically to hide characters such as "../" from a filter that decodes only once.
IIS-BACKSLASH-EVASION ATTACK: This is an IIS emulation rule that normalizes backslashes to slashes.
WEBROOT-DIRECTORY-TRAVERSAL ATTACK: This is when a directory traversal goes past the web server root directory. This generates far fewer false positives than the directory option, because it does not alert on directory traversals that stay within the web server directory structure.
TRUNCATED-HEADER ATTACK: This is when an ICMP packet is sent which has an ICMP datagram length of less than the ICMP header length. This may cause some applications to crash.
TRUNCATED-TIMESTAMP-HEADER ATTACK: This is when an ICMP packet is sent which has an ICMP datagram length of less than the ICMP Time Stamp header length. This may cause some applications to crash.
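The following script is an added example, not part of this User's Guide and not the ZyWALL's HTTP decoder. It reproduces three of the HTTP Inspection checks in the table above so you can see why each fires: DOUBLE-ENCODING (the URI still contains %xx sequences after the first decoding pass, which is what the two-pass IIS behaviour exposes), IIS-BACKSLASH-EVASION (backslashes that IIS treats as path separators) and WEBROOT-DIRECTORY-TRAVERSAL (a ".." that climbs above the web root). A traversal that stays inside the web root is reported under the assumed name DIRECTORY-TRAVERSAL, corresponding to the "directory option" the table mentions. The sample URIs are constructed.

```python
"""HTTP URI inspection checks (added example)."""
import re
from typing import List
from urllib.parse import unquote

PCT_RE = re.compile(r"%[0-9A-Fa-f]{2}")


def decode_passes(uri: str) -> List[str]:
    """The URI after each percent-decoding pass, until nothing is left to decode.
    IIS performs two passes; a URI that needs more than one was double-encoded."""
    passes = [uri]
    while PCT_RE.search(passes[-1]):
        nxt = unquote(passes[-1])
        if nxt == passes[-1]:
            break
        passes.append(nxt)
    return passes


def inspect_uri(uri: str) -> List[str]:
    """Return the names of the rules the request URI triggers, in order."""
    alerts: List[str] = []
    passes = decode_passes(uri)
    if len(passes) > 2:            # encoded sequences survived the first pass
        alerts.append("DOUBLE-ENCODING")
    decoded = passes[-1]
    if "\\" in decoded:            # IIS accepts '\' as a path separator
        alerts.append("IIS-BACKSLASH-EVASION")
        decoded = decoded.replace("\\", "/")
    path = decoded.split("?", 1)[0]
    depth = 0
    traversal = False
    for seg in path.split("/"):
        if seg == "..":
            traversal = True
            depth -= 1
            if depth < 0:          # climbed above the web root
                alerts.append("WEBROOT-DIRECTORY-TRAVERSAL")
                break
        elif seg not in ("", "."):
            depth += 1
    if traversal and "WEBROOT-DIRECTORY-TRAVERSAL" not in alerts:
        alerts.append("DIRECTORY-TRAVERSAL")   # assumed name: stayed inside the root
    return alerts


if __name__ == "__main__":
    for u in ("/images/../index.html",
              "/../../etc/passwd",
              "/scripts/..%255c..%255cwinnt/system32/cmd.exe",
              "/cgi-bin/search?q=a%20b"):
        print(u, "->", inspect_uri(u))
```

The classic IIS Unicode-style request above decodes %255c to %5c on the first pass and to a backslash on the second, at which point the two ".." segments leave the web root; a scanner that decodes once and never normalizes backslashes sees nothing wrong with it.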
CHAPTER 32 Content Filtering 32.1 Overview Use the content filtering feature to control access to specific web sites or web content. 32.1.1 What You Can Do in this Chapter • Use the General screens (Section 32.2 on page 535) to configure global content filtering settings, configure content filtering policies, and check the content filtering license status. • Use the Filter Profile screens (Section 32.4 on page 540) to set up content filtering profiles. 32.1.
Chapter 32 Content Filtering Content Filtering Profiles A content filtering profile conveniently stores your custom settings for the following features. • Category-based Blocking The ZyWALL can block access to particular categories of web site content, such as pornography or racial intolerance. • Restrict Web Features The ZyWALL can disable web proxies and block web features such as ActiveX controls, Java applets and cookies.
Since the ZyWALL checks the URL's domain name (or IP address) and file path separately, it will not find keywords that span the two. For example, with the URL www.zyxel.com.tw/news/pressroom.php, the ZyWALL would find "tw" in the domain name (www.zyxel.com.tw). It would also find "news" in the file path (news/pressroom.php), but it would not find "tw/news". Write keywords that fall entirely within one part or the other.
Finding Out More
• See Section 6.5.21 on page 104 for related information on these screens.
• See Section 32.
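The following script is an added example, not the ZyWALL's own code. It applies a keyword list to the domain name and the file path separately, the way the paragraph above describes, and reports where each keyword landed so that a policy author can see why "tw/news" never matches the example URL while "tw" and "news" do. Case-insensitive matching and the URL samples are this example's assumptions.

```python
"""Content-filter style keyword matching: domain and path checked separately."""
from typing import Dict, List, Tuple
from urllib.parse import urlsplit


def split_url(url: str) -> Tuple[str, str]:
    """Return (domain, path) for a URL written with or without a scheme."""
    if "://" not in url:
        url = "http://" + url
    parts = urlsplit(url)
    return parts.hostname or "", parts.path


def match_keywords(url: str, keywords: List[str]) -> Dict[str, str]:
    """Map each keyword to 'domain', 'path' or 'none'. The two parts are
    searched independently, so a keyword that straddles the boundary between
    the domain name and the file path cannot match (assumed case-insensitive)."""
    domain, path = split_url(url)
    domain, path = domain.lower(), path.lower()
    result: Dict[str, str] = {}
    for kw in keywords:
        k = kw.lower()
        if k in domain:
            result[kw] = "domain"
        elif k in path:
            result[kw] = "path"
        else:
            result[kw] = "none"
    return result


def is_blocked(url: str, keywords: List[str]) -> bool:
    return any(where != "none" for where in match_keywords(url, keywords).values())


if __name__ == "__main__":
    url = "www.zyxel.com.tw/news/pressroom.php"
    print(match_keywords(url, ["tw", "news", "tw/news"]))
```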
your list of content filter policies, create a denial of access message or specify a redirect URL, and check your external web filtering service registration status.
Figure 311 Configuration > Anti-X > Content Filter > General
The following table describes the labels in this screen.
Table 159 Configuration > Anti-X > Content Filter > General
LABEL DESCRIPTION
General Settings
Enable Content Filter: Select this check box to enable the content filter.
Move: To change an entry's position in the numbered list, select it and click Move to display a field; type the number of the position where you want to put that entry and press [ENTER] to move the entry there.
#: This column lists the index numbers of the content filter policies.
License Status: This read-only field displays the status of your content-filtering database service registration. Not Licensed displays if you have not successfully registered and activated the service. Expired displays if your subscription to the service has expired. Licensed displays if you have successfully registered the ZyWALL and activated the service.
filter policy. A content filter policy defines which content filter profile should be applied, when it should be applied, and to whose web access it should be applied.
Figure 312 Configuration > Anti-X > Content Filter > General > Add
The following table describes the labels in this screen.
32.4 Content Filter Profile Screen
Click Configuration > Anti-X > Content Filter > Filter Profile to open the Filter Profile screen. A content filter profile defines to which web services, web sites or web site categories access is to be allowed or denied.
Figure 313 Configuration > Anti-X > Content Filter > Filter Profile
The following table describes the labels in this screen.
See Chapter 33 on page 557 for how to view content filtering reports.
The following table describes the labels in this screen.
Table 162 Configuration > Anti-X > Content Filter > Filter Profile > Add
LABEL DESCRIPTION
License Status: This read-only field displays the status of your content-filtering database service registration. Not Licensed displays if you have not successfully registered and activated the service. Expired displays if your subscription to the service has expired.
Table 162 Configuration > Anti-X > Content Filter > Filter Profile > Add (continued)
Action for Unsafe Web Pages: Select Pass to allow users to access web pages that match the unsafe categories that you select below. Select Block to prevent users from accessing web pages that match the unsafe categories that you select below.
Action When Category Server Is Unavailable: Select Pass to allow users to access any requested web page if the external content filtering database is unavailable. Select Block to block access to any requested web page if the external content filtering database is unavailable.
Spyware/Malware Sources: This category includes pages which distribute spyware and other malware. Spyware and malware are defined as software which takes control of your computer, modifies computer settings, collects or reports personal information, or misrepresents itself by tricking users to install, download, or enter personal information.
Nudity: This category includes pages containing nude or seminude depictions of the human body. These depictions are not necessarily sexual in intent or effect, but may include pages containing nude paintings or photo galleries of artistic nature. This category also includes nudist or naturist pages that contain pictures of nude individuals.
Arts/Entertainment: This category includes pages that promote and provide information about motion pictures, videos, television, music and programming guides, books, comics, movie theatres, galleries, artists or reviews on entertainment.
Government/Legal: This category includes pages sponsored by or which provide information on government, government agencies and government services such as taxation and emergency services. It also includes pages that discuss or explain laws of various governmental entities.
Religion: This category includes pages that promote and provide information on conventional or unconventional religious or quasi-religious subjects, as well as churches, synagogues, or other houses of worship. It does not include pages containing alternative religions such as Wicca or witchcraft or atheist beliefs (Alternative Spirituality/Occult).
Sports/Recreation/Hobbies: This category includes pages that promote or provide information about spectator sports, recreational activities, or hobbies. This includes pages that discuss or promote camping, gardening, and collecting.
Alcohol: Sites that promote, offer for sale, glorify, review, or in any way advocate the use or creation of alcoholic beverages, including but not limited to beer, wine, and hard liquors. Pages that sell alcohol as a subset of other products such as restaurants or grocery stores are not included.
Placeholders: This category includes pages that are under construction, parked domains, search-bait or otherwise generally having no useful value.
Test Web Site Category
URL to test: You can check which category a web page belongs to. Enter a web site URL in the text box.
32.6 Content Filter Customization Screen
Click Configuration > Anti-X > Content Filter > Filter Profile > Add or Edit > Customization to open the Customization screen. You can create a list of good (allowed) web site addresses and a list of bad (blocked) web site addresses. You can also block web sites based on whether the web site’s address contains a keyword. Use this screen to add or remove specific sites or keywords from the filter list.
Table 163 Configuration > Anti-X > Content Filter > Filter Profile > Customization
LABEL DESCRIPTION
Allow Web traffic for trusted web sites only: When this box is selected, the ZyWALL blocks Web access to sites that are not on the Trusted Web Sites list. If they are chosen carefully, this is the most effective way to block objectionable material.
Restricted Web Features: Select the check box(es) to restrict a feature.
Table 163 Configuration > Anti-X > Content Filter > Filter Profile > Customization (continued)
Forbidden Web Sites: This list displays the forbidden web sites already added. Enter host names such as www.bad-site.com into this text field. Do not enter the complete URL of the site, that is, do not include “http://”. All subdomains are also blocked. For example, entering “bad-site.com” also blocks “www.bad-site.com”, “partner.bad-site.com”, “press.bad-site.com”, and so on.
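The domain/path split from the start of this chapter and the trusted, forbidden and keyword checks of the Customization screen, as an added Python example (not ZyXEL code). The evaluation order across the three lists and the stripping of a scheme typed into a host-name field are assumptions.

```python
from urllib.parse import urlsplit


def split_url(url: str):
    """Return (domain, path) for a URL typed with or without a scheme; the path
    keeps no leading slash, so 'news/pressroom.php' is what gets searched."""
    parts = urlsplit(url if "://" in url else "http://" + url)
    return (parts.hostname or "").rstrip("."), parts.path.lstrip("/").lower()


def normalize_host(entry: str) -> str:
    """List entries are host names, not URLs: drop a scheme or path if one was
    typed anyway (assumed behaviour, not stated by the guide)."""
    entry = entry.strip().lower()
    if "://" in entry:
        entry = urlsplit(entry).hostname or ""
    return entry.split("/")[0].rstrip(".")


def host_matches(host: str, entry: str) -> bool:
    """'bad-site.com' matches itself and every subdomain (www., partner., press., ...)
    but not a different host that merely ends in the same text, such as 'notbad-site.com'."""
    listed = normalize_host(entry)
    host = host.lower().rstrip(".")
    return bool(listed) and (host == listed or host.endswith("." + listed))


def keyword_hits(url: str, keywords) -> list:
    """Keywords are searched in the domain name and in the file path separately,
    so a keyword that spans the boundary, such as 'tw/news', never matches."""
    domain, path = split_url(url)
    return [kw for kw in keywords if kw.lower() in domain or kw.lower() in path]


def decide(url: str, trusted=(), forbidden=(), keywords=(), trusted_only=False) -> str:
    """Return 'allow' or 'block'. Assumed order: a trusted match allows; with
    'Allow Web traffic for trusted web sites only' everything else is blocked;
    otherwise forbidden hosts and then keyword matches block."""
    domain, _ = split_url(url)
    if any(host_matches(domain, t) for t in trusted):
        return "allow"
    if trusted_only:
        return "block"
    if any(host_matches(domain, f) for f in forbidden):
        return "block"
    if keyword_hits(url, keywords):
        return "block"
    return "allow"
```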
External Content Filter Server Lookup Procedure
The content filter lookup process is described below.
Figure 317 Content Filter Lookup Procedure
1 A computer behind the ZyWALL tries to access a web site.
2 The ZyWALL looks up the web site in its cache. If an attempt to access the web site was made in the past, a record of that web site’s category will be in the ZyWALL’s cache. The ZyWALL blocks, blocks and logs or just logs the request based on your configuration.
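The lookup procedure combined with the Pass/Block settings of Table 162, as an added Python example that is not part of the user's guide. The category server is represented by a lookup function supplied by the caller, and the web site names and server answers are constructed for the example.

```python
from typing import Callable, Dict, List, Optional, Tuple

# Category server stand-in: returns the category name, or None when the server
# cannot be reached.
Lookup = Callable[[str], Optional[str]]


class CategoryFilter:
    """Category-based check in the order of the lookup procedure: the cache is
    consulted first, the external server only on a miss, and the profile's
    Pass/Block settings decide what happens with the result."""

    def __init__(self, unsafe_categories, unsafe_action: str = "Block",
                 unavailable_action: str = "Block", log_access: bool = True):
        self.unsafe = frozenset(unsafe_categories)
        self.unsafe_action = unsafe_action              # Action for Unsafe Web Pages
        self.unavailable_action = unavailable_action    # Action When Category Server Is Unavailable
        self.log_access = log_access                    # "block and log" rather than "block" only
        self.cache: Dict[str, str] = {}                 # web site -> category from earlier lookups
        self.log: List[Tuple[str, str, str]] = []       # (web site, reason, decision)

    def _record(self, site: str, reason: str, decision: str) -> str:
        if self.log_access:
            self.log.append((site, reason, decision))
        return decision

    def check(self, site: str, lookup: Lookup) -> str:
        """Return 'pass' or 'block' for one request from a computer behind the ZyWALL."""
        category = self.cache.get(site)
        if category is None:                 # step 2: no earlier attempt on record
            category = lookup(site)
            if category is None:             # server unavailable: apply the configured fallback
                return self._record(site, "category server unavailable",
                                    self.unavailable_action.lower())
            self.cache[site] = category      # remembered for the next attempt
        if category in self.unsafe:
            return self._record(site, "unsafe category: " + category,
                                self.unsafe_action.lower())
        return "pass"


# Constructed server answers; the category names are two from Table 162 and
# "Unknown" is a constructed fallback for sites the sample server has no record of.
CATEGORIES = {"dropper.example.test": "Spyware/Malware Sources",
              "parked.example.test": "Placeholders"}


def demo() -> Tuple[str, str, str, int]:
    calls: List[str] = []

    def lookup(site: str) -> Optional[str]:
        calls.append(site)
        return None if site == "down.example.test" else CATEGORIES.get(site, "Unknown")

    f = CategoryFilter({"Spyware/Malware Sources"}, unsafe_action="Block",
                       unavailable_action="Pass")
    first = f.check("dropper.example.test", lookup)    # answered by the server, then cached
    second = f.check("dropper.example.test", lookup)   # answered from the cache
    down = f.check("down.example.test", lookup)        # server unavailable -> Pass
    return first, second, down, calls.count("dropper.example.test")
```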
CHAPTER 33 Content Filter Reports 33.1 Overview You can view content filtering reports after you have activated the category-based content filtering subscription service. See Section 10.1 on page 209 on how to create a myZyXEL.com account, register your device and activate the subscription services. 33.2 Viewing Content Filter Reports Content filtering reports are generated statistics and charts of access attempts to web sites belonging to the categories you selected in your device content filter screen.
2 Fill in your myZyXEL.com account information and click Login.
Figure 318 myZyXEL.
3 A welcome screen displays. Click your ZyWALL’s model name and/or MAC address under Registered ZyXEL Products (the ZyWALL 70 is shown as an example here). You can change the descriptive name for your ZyWALL using the Rename button in the Service Management screen (see Figure 320 on page 560).
Figure 319 myZyXEL.
4 In the Service Management screen click Content Filter in the Service Name column to open the content filter reports screens.
Figure 320 myZyXEL.com: Service Management
5 In the Web Filter Home screen, click the Reports tab.
6 Select items under Global Reports to view the corresponding reports.
Figure 322 Content Filter Reports: Report Home
7 Select a time period in the Date Range field, either Allowed or Blocked in the Action Taken field and a category (or enter the user name if you want to view single user reports) and click Run Report. The screens vary according to the report type you selected in the Report Home screen.
8 A chart and/or list of requested web site categories display in the lower half of the screen.
9 You can click a category in the Categories report or click URLs in the Report Home screen to see the URLs that were requested.
ZyWALL USG 50 User’s Guide
CHAPTER 34 Anti-Spam 34.1 Overview The anti-spam feature can mark or discard spam (unsolicited commercial or junk e-mail). Use the white list to identify legitimate e-mail. Use the black list to identify spam e-mail. The ZyWALL can also check e-mail against a DNS black list (DNSBL) of IP addresses of servers that are suspected of being used by spammers. 34.1.1 What You Can Do in this Chapter • Use the General screens (Section 34.3 on page 567) to turn anti-spam on or off and manage anti-spam policies.
Black List
Configure black list entries to identify spam. The black list entries have the ZyWALL classify any e-mail that is from or forwarded by a specified IP address or uses a specified header field and header value as being spam. If an e-mail does not match any of the white list entries, the ZyWALL checks it against the black list entries. The ZyWALL classifies an e-mail that matches a black list entry as spam and immediately takes the configured action for dealing with spam.
E-mail Header Buffer Size
The ZyWALL has a 5 K buffer for an individual e-mail header. If an e-mail’s header is longer than 5 K, the ZyWALL only checks up to the first 5 K.
DNSBL
A DNS Black List (DNSBL) is a server that hosts a list of IP addresses known or suspected of having sent or forwarded spam. A DNSBL is also known as a DNS spam blocking list.
spam policies. You can also select the action the ZyWALL takes when the mail sessions threshold is reached.
Figure 325 Configuration > Anti-X > Anti-Spam > General
The following table describes the labels in this screen.
Table 164 Configuration > Anti-X > Anti-Spam > General
LABEL DESCRIPTION
Show Advance Settings / Hide Advance Settings: Click this button to display a greater or lesser number of configuration fields.
Table 164 Configuration > Anti-X > Anti-Spam > General (continued)
Remove: Select an entry and click this to delete it.
Activate: To turn on an entry, select it and click Activate.
Inactivate: To turn off an entry, select it and click Inactivate.
Move: To change an entry’s position in the numbered list, select it and click Move to display a field to type a number for where you want to put that entry and press [ENTER] to move the entry to the number that you typed.
check, which e-mail protocols to scan, the scanning options, and the action to take on spam traffic.
Figure 326 Configuration > Anti-X > Anti-Spam > General > Add
The following table describes the labels in this screen.
Table 165 Configuration > Anti-X > Anti-Spam > General > Add
LABEL DESCRIPTION
Enable Policy: Select this check box to have the ZyWALL apply this anti-spam policy to check e-mail traffic for spam.
Table 165 Configuration > Anti-X > Anti-Spam > General > Add (continued)
Check White List: Select this check box to check e-mail against the white list. The ZyWALL classifies e-mail that matches a white list entry as legitimate (not spam).
Check Black List: Select this check box to check e-mail against the black list. The ZyWALL classifies e-mail that matches a black list entry as spam.
specific subject text. Click a column’s heading cell to sort the table entries by that column’s criteria. Click the heading cell again to reverse the sort order.
Figure 327 Configuration > Anti-X > Anti-Spam > Black/White List > Black List
The following table describes the labels in this screen.
34.4.1 The Anti-Spam Black or White List Add/Edit Screen
In the anti-spam Black List or White List screen, click the Add icon or an Edit icon to display the following screen. Use this screen to configure an anti-spam black list entry to identify spam e-mail. You can create entries based on specific subject text, or the sender’s or relay’s IP address or e-mail address. You can also create entries that check for particular header fields and values.
Table 167 Configuration > Anti-X > Anti-Spam > Black/White List > Black List (or White List) > Add
LABEL DESCRIPTION
Sender or Mail Relay IP Address: This field displays when you select the IP type. Enter an IP address in dotted decimal notation.
Netmask: This field displays when you select the IP type. Enter the subnet mask here, if applicable.
Sender E-Mail Address: This field displays when you select the E-Mail type. Enter a keyword (up to 63 ASCII characters). See Section 34.4.
34.5 The Anti-Spam White List Screen
Click Configuration > Anti-X > Anti-Spam > Black/White List and then the White List tab to display the Anti-Spam White List screen. Configure the white list to identify legitimate e-mail. You can create white list entries based on the sender’s or relay’s IP address or e-mail address. You can also create entries that check for particular header fields and values or specific subject text.
Table 168 Configuration > Anti-X > Anti-Spam > Black/White List > White List
LABEL DESCRIPTION
Type: This field displays whether the entry is based on the e-mail’s subject, source or relay IP address, source e-mail address, or a header.
Content: This field displays the subject content, source or relay IP address, source e-mail address, or header value for which the entry checks.
OK: Click OK to save your changes.
The following table describes the labels in this screen.
Table 169 Configuration > Anti-X > Anti-Spam > DNSBL
LABEL DESCRIPTION
Show Advance Settings / Hide Advance Settings: Click this button to display a greater or lesser number of configuration fields.
Enable DNS Black List (DNSBL) Checking: Select this to have the ZyWALL check the sender and relay IP addresses in e-mail headers against the DNSBL servers maintained by the DNSBL domains listed in the ZyWALL.
Table 169 Configuration > Anti-X > Anti-Spam > DNSBL (continued)
Edit: Select an entry and click this to be able to modify it.
Remove: Select an entry and click this to delete it.
Activate: To turn on an entry, select it and click Activate.
Inactivate: To turn off an entry, select it and click Inactivate.
Status: The activate (light bulb) icon is lit when the entry is active and dimmed when the entry is inactive.
#: This is the entry’s index number in the list.
Here is an example of an e-mail classified as spam based on DNSBL replies.
Figure 331 DNSBL Spam Detection Example [diagram: DNSBL A, DNSBL B, DNSBL C; queries for a.a.a.a and b.b.b.b; replies Not spam and Spam; result: Spam]
1 The ZyWALL receives an e-mail that was sent from IP address a.a.a.a and relayed by an e-mail server at IP address b.b.b.b.
Here is an example of an e-mail classified as legitimate based on DNSBL replies.
Figure 332 DNSBL Legitimate E-mail Detection Example [diagram: DNSBL A, DNSBL B, DNSBL C; queries for c.c.c.c and d.d.d.d; replies Not spam; result: Not spam]
1 The ZyWALL receives an e-mail that was sent from IP address c.c.c.c and relayed by an e-mail server at IP address d.d.d.d.
If the ZyWALL receives conflicting DNSBL replies for an e-mail routing IP address, the ZyWALL classifies the e-mail as spam. Here is an example.
Figure 333 Conflicting DNSBL Replies Example [diagram: DNSBL A, DNSBL B, DNSBL C; queries for a.b.c.d and w.x.y.z; replies Not spam and Spam; result: Spam!]
1 The ZyWALL receives an e-mail that was sent from IP address a.b.c.d and relayed by an e-mail server at IP address w.x.y.z.
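The classification order this chapter describes (white list, then black list, then DNSBL) together with the DNSBL reply patterns of Figures 331 to 333, as an added Python example rather than ZyXEL code. The Received: line format, the reading of the 5 K header buffer as 5120 bytes, the DNSBL domain names and the reversed-octet query-name construction are assumptions, and DNS is replaced by a constructed reply table so the example runs offline.

```python
import ipaddress
import re
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Sequence

HEADER_BUFFER = 5 * 1024  # assumption: the chapter's "5 K" header buffer taken as 5120 bytes


@dataclass
class ListEntry:
    """One black or white list entry, using the types offered by the Add/Edit screen."""
    kind: str          # "ip", "email", "header" or "subject"
    value: str         # IP (optionally "ip/netmask"), e-mail keyword, header value or subject text
    field: str = ""    # header field name, used only when kind == "header"


def parse_header(raw: str) -> Dict[str, List[str]]:
    """Split the header block into fields; only the first HEADER_BUFFER bytes are examined."""
    raw = raw.encode()[:HEADER_BUFFER].decode(errors="ignore")
    fields: Dict[str, List[str]] = {}
    for line in raw.splitlines():
        if ":" in line and not line[:1].isspace():
            name, _, value = line.partition(":")
            fields.setdefault(name.strip().lower(), []).append(value.strip())
    return fields


def routing_ips(fields: Dict[str, List[str]]) -> List[str]:
    """Sender and relay addresses from the Received: lines (constructed '[a.b.c.d]' format)."""
    return [ip for rcv in fields.get("received", [])
            for ip in re.findall(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]", rcv)]


def entry_matches(entry: ListEntry, fields: Dict[str, List[str]], ips: List[str]) -> bool:
    if entry.kind == "ip":
        addr, _, mask = entry.value.partition("/")
        net = ipaddress.ip_network(f"{addr}/{mask or '255.255.255.255'}", strict=False)
        return any(ipaddress.ip_address(ip) in net for ip in ips)
    wanted = {"email": "from", "subject": "subject", "header": entry.field.lower()}[entry.kind]
    return any(entry.value.lower() in v.lower() for v in fields.get(wanted, []))


def dnsbl_query_name(ip: str, zone: str) -> str:
    """Standard DNSBL lookup name: IPv4 octets reversed, then the DNSBL domain."""
    octets = ipaddress.IPv4Address(ip).exploded.split(".")
    return ".".join(reversed(octets)) + "." + zone


Resolver = Callable[[str], Optional[bool]]  # True = listed (spam), False = not listed, None = no reply


def dnsbl_says_spam(ips: List[str], zones: Sequence[str], resolve: Resolver) -> bool:
    """Spam as soon as any DNSBL lists any routing IP, so conflicting replies
    (Figure 333) and a single listing (Figure 331) both yield spam."""
    return any(resolve(dnsbl_query_name(ip, zone)) is True for ip in ips for zone in zones)


def classify(raw_header: str, white: Sequence[ListEntry], black: Sequence[ListEntry],
             zones: Sequence[str], resolve: Resolver) -> str:
    """White list first, then black list, then DNSBL (assumed to run last)."""
    fields = parse_header(raw_header)
    ips = routing_ips(fields)
    if any(entry_matches(e, fields, ips) for e in white):
        return "legitimate"
    if any(entry_matches(e, fields, ips) for e in black):
        return "spam"
    return "spam" if dnsbl_says_spam(ips, zones, resolve) else "legitimate"


# Constructed sample: sender 192.0.2.10 relayed by 198.51.100.20 (documentation addresses).
SAMPLE_HEADER = (
    "Received: from relay.example ([198.51.100.20])\n"
    "Received: from sender.example ([192.0.2.10])\n"
    "From: promo@sender.example\n"
    "Subject: Limited offer\n"
)
ZONES = ("dnsbl-a.example", "dnsbl-b.example", "dnsbl-c.example")
# Replies as in the conflicting-replies example: only DNSBL A lists the sender.
REPLIES = {"10.2.0.192.dnsbl-a.example": True,
           "10.2.0.192.dnsbl-b.example": False,
           "10.2.0.192.dnsbl-c.example": False}


def fake_resolver(qname: str) -> Optional[bool]:
    return REPLIES.get(qname)   # None for names no DNSBL answers


def demo():
    white = [ListEntry("ip", "198.51.100.0/255.255.255.0")]
    black = [ListEntry("subject", "limited offer")]
    return (classify(SAMPLE_HEADER, [], [], ZONES, fake_resolver),        # spam: DNSBL replies conflict
            classify(SAMPLE_HEADER, white, black, ZONES, fake_resolver),  # legitimate: white list wins
            classify(SAMPLE_HEADER, [], black, ZONES, lambda q: False))   # spam: black list subject
```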
CHAPTER 35 User/Group 35.1 Overview This chapter describes how to set up user accounts, user groups, and user settings for the ZyWALL. You can also set up rules that control when users have to log in to the ZyWALL before the ZyWALL routes traffic for them. 35.1.1 What You Can Do in this Chapter • The User screen (see Section 35.2 on page 586) provides a summary of all user accounts. • The Group screen (see Section 35.3 on page 589) provides a summary of all user groups.
Table 170 Types of User Accounts (continued)
TYPE | ABILITIES | LOGIN METHOD(S)
limited-admin | Look at ZyWALL configuration (web, CLI); Perform basic diagnostics (CLI) | WWW, TELNET, SSH, Console
Access Users
user | Access network services; Browse user-mode commands (CLI) | WWW, TELNET, SSH
guest | Access network services | WWW
ext-user | External user account | WWW
ext-group-user | External group user account | WWW
Note: The default admin account is always authenticated locally, regardless of
See Setting up User Attributes in an External Server on page 597 for a list of attributes and how to set up the attributes in an external server.
Ext-Group-User Accounts
Ext-Group-User accounts are similar to ext-user accounts but allow you to group users by the value of the group membership attribute configured for the AD or LDAP server. See Section 39.2.1 on page 621 for more on the group membership attribute.
35.2 User Summary Screen
The User screen provides a summary of all user accounts. To access this screen, log in to the Web Configurator, and click Configuration > Object > User/Group.
Figure 334 Configuration > Object > User/Group
The following table describes the labels in this screen.
Table 171 Configuration > Object > User/Group
LABEL DESCRIPTION
Add: Click this to create a new entry.
• - [dashes]
The first character must be alphabetical (A-Z a-z), an underscore (_), or a dash (-). Other limitations on user names are:
• User names are case-sensitive. If you enter a user 'bob' but use 'BOB' when connecting via CIFS or FTP, it will use the account settings used for 'BOB' not 'bob'.
• User names have to be different than user group names.
The following table describes the labels in this screen.
Table 172 Configuration > User/Group > User > Add
LABEL DESCRIPTION
User Name: Type the user name for this user account. You may use 1-31 alphanumeric characters, underscores (_), or dashes (-), but the first character cannot be a number. This value is case-sensitive. User names have to be different than user group names, and some words are reserved. See Section 35.2.1.1 on page 586.
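The user name rules above as an added Python validator (not ZyXEL code). The reserved-word list is in Section 35.2.1.1, which is not reproduced here, so the caller supplies it along with the existing group names.

```python
import re

# 1-31 characters; letters, digits, underscores and dashes; first character not a digit.
USER_NAME_RE = re.compile(r"[A-Za-z_-][A-Za-z0-9_-]{0,30}")


def validate_user_name(name: str, group_names=(), reserved=()):
    """Return None when the name is acceptable, otherwise the reason it is rejected.
    Comparisons with group names and reserved words are case-sensitive, as user
    names themselves are ('bob' and 'BOB' are different accounts)."""
    if not name:
        return "user name is required"
    if len(name) > 31:
        return "user name may have at most 31 characters"
    if name[0].isdigit():
        return "first character cannot be a number"
    if not USER_NAME_RE.fullmatch(name):
        return "only letters, digits, underscores (_) and dashes (-) are allowed"
    if name in group_names:
        return "user names have to be different from user group names"
    if name in reserved:
        return "this word is reserved"
    return None


def is_valid_user_name(name: str, group_names=(), reserved=()) -> bool:
    return validate_user_name(name, group_names, reserved) is None
```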
Table 172 Configuration > User/Group > User > Add (continued)
Reauthentication Time: This field is not available if you select the ext-group-user type.
Configuration Validation: Use a user account from the group specified above to test if the configuration is correct. Enter the account’s user name in the User Name field and click Test.
OK: Click OK to save your changes back to the ZyWALL.
Cancel: Click Cancel to exit this screen without saving your changes.
Table 173 Configuration > Object > User/Group > Group (continued)
LABEL DESCRIPTION
#: This field is a sequential value, and it is not associated with a specific user group.
Group Name: This field displays the name of each user group.
Description: This field displays the description for each user group.
Member: This field lists the members in the user group. Each member is separated by a comma.
35.3.
Table 174 Configuration > User/Group > Group > Add (continued)
LABEL DESCRIPTION
Member List: The Member list displays the names of the users and user groups that have been added to the user group. The order of members is not important. Select users and groups from the Available list that you want to be members of this group and move them to the Member list.
To access this screen, log in to the Web Configurator, and click Configuration > Object > User/Group > Setting.
Figure 338 Configuration > Object > User/Group > Setting
The following table describes the labels in this screen.
Table 175 Configuration > Object > User/Group > Setting
LABEL DESCRIPTION
User Authentication Timeout Settings
Default Authentication Timeout Settings: These authentication timeout settings are used by default when you create a new user account.
Table 175 Configuration > Object > User/Group > Setting (continued)
User Type: These are the kinds of user account the ZyWALL supports.
Limit the number of simultaneous logons for administration account: Select this check box if you want to set a limit on the number of simultaneous logins by admin users. If you do not select this, admin users can log in as many times as they want at the same time using the same or different IP addresses.
Maximum number per administration account: This field is effective when Limit ...
To access this screen, go to the Configuration > Object > User/Group > Setting screen (see Section 35.4 on page 591), and click one of the Default Authentication Timeout Settings section’s Edit icons.
Figure 339 Configuration > Object > User/Group > Setting > Edit
The following table describes the labels in this screen.
35.4.2 User Aware Login Example
Access users cannot use the Web Configurator to browse the configuration of the ZyWALL. Instead, after access users log into the ZyWALL, the following screen appears.
Figure 340 Web Configurator for Non-Admin Users
The following table describes the labels in this screen.
Table 177 Web Configurator for Non-Admin Users
LABEL DESCRIPTION
User-defined lease time (max ...
35.5 User /Group Technical Reference
This section provides some information on users who use an external authentication server in order to log in.
Setting up User Attributes in an External Server
To set up user attributes, such as reauthentication time, in LDAP or RADIUS servers, use the following keywords in the user configuration file.
Table 178 LDAP/RADIUS: Keywords for User Attributes
KEYWORD | CORRESPONDING ATTRIBUTE IN WEB CONFIGURATOR
type | User Type.
CHAPTER 36 Addresses 36.1 Overview Address objects can represent a single IP address or a range of IP addresses. Address groups are composed of address objects and other address groups. 36.1.1 What You Can Do in this Chapter • The Address screen (Section 36.2 on page 599) provides a summary of all addresses in the ZyWALL. Use the Address Add/Edit screen to create a new address or edit an existing one. • Use the Address Group summary screen (Section 36.
• RANGE - a range address is defined by a Starting IP Address and an Ending IP Address.
• SUBNET - a network address is defined by a Network IP address and Netmask subnet mask.
The Address screen provides a summary of all addresses in the ZyWALL. To access this screen, click Configuration > Object > Address > Address. Click a column’s heading cell to sort the table entries by that column’s criteria. Click the heading cell again to reverse the sort order.
36.2.1 Address Add/Edit Screen
The Configuration > Address Add/Edit screen allows you to create a new address or edit an existing one. To access this screen, go to the Address screen (see Section 36.2 on page 599), and click either the Add icon or an Edit icon.
Figure 344 Configuration > Object > Address > Address > Edit
The following table describes the labels in this screen.
Table 180 Configuration > Object > Address > Address > Edit (continued)
LABEL DESCRIPTION
Interface: If you selected INTERFACE IP, INTERFACE SUBNET, or INTERFACE GATEWAY as the Address Type, use this field to select the interface of the network that this address object represents.
OK: Click OK to save your changes back to the ZyWALL.
Cancel: Click Cancel to exit this screen without saving your changes.
36.
36.3.1 Address Group Add/Edit Screen
The Address Group Add/Edit screen allows you to create a new address group or edit an existing one. To access this screen, go to the Address Group screen (see Section 36.3 on page 602), and click either the Add icon or an Edit icon.
Figure 346 Configuration > Object > Address > Address Group > Add
The following table describes the labels in this screen.
CHAPTER 37 Services 37.1 Overview Use service objects to define TCP applications, UDP applications, and ICMP messages. You can also create service groups to refer to multiple service objects in other features. 37.1.1 What You Can Do in this Chapter • Use the Service screens (Section 37.2 on page 606) to view and configure the ZyWALL’s list of services and their definitions. • Use the Service Group screens (Section 37.2 on page 606) to view and configure the ZyWALL’s list of service groups. 37.1.
Both TCP and UDP use ports to identify the source and destination. Each port is a 16-bit number. Some port numbers have been standardized and are used by low-level system processes; many others have no particular meaning. Unlike TCP and UDP, Internet Control Message Protocol (ICMP, IP protocol 1) is mainly used to send error messages or to investigate problems. For example, ICMP is used to send the response if a computer cannot be reached. Another use is ping.
entries by that column’s criteria. Click the heading cell again to reverse the sort order.
Figure 347 Configuration > Object > Service > Service
The following table describes the labels in this screen.
Table 183 Configuration > Object > Service > Service
LABEL DESCRIPTION
Add: Click this to create a new entry.
Edit: Double-click an entry or select it and click Edit to be able to modify the entry’s settings.
Remove: To remove an entry, select it and click Remove.
37.2.1 The Service Add/Edit Screen
The Service Add/Edit screen allows you to create a new service or edit an existing one. To access this screen, go to the Service screen (see Section 37.2 on page 606), and click either the Add icon or an Edit icon.
Figure 348 Configuration > Object > Service > Service > Edit
The following table describes the labels in this screen.
To access this screen, log in to the Web Configurator, and click Configuration > Object > Service > Service Group.
Figure 349 Configuration > Object > Service > Service Group
The following table describes the labels in this screen. See Section 37.3.1 on page 610 for more information as well.
Table 185 Configuration > Object > Service > Service Group
LABEL DESCRIPTION
Add: Click this to create a new entry.
37.3.1 The Service Group Add/Edit Screen
The Service Group Add/Edit screen allows you to create a new service group or edit an existing one. To access this screen, go to the Service Group screen (see Section 37.3 on page 608), and click either the Add icon or an Edit icon.
Figure 350 Configuration > Object > Service > Service Group > Edit
The following table describes the labels in this screen.
CHAPTER 38 Schedules
38.1 Overview
Use schedules to set up one-time and recurring schedules for policy routes, firewall rules, application patrol, and content filtering. The ZyWALL supports one-time and recurring schedules. One-time schedules are effective only once, while recurring schedules usually repeat. Both types of schedules are based on the current date and time in the ZyWALL.
Note: Schedules are based on the ZyWALL’s current date and time.
38.1.
Finding Out More
• See Section 6.6 on page 105 for related information on these screens.
• See Section 45.3 on page 676 for information about the ZyWALL’s current date and time.
38.2 The Schedule Summary Screen
The Schedule summary screen provides a summary of all schedules in the ZyWALL. To access this screen, click Configuration > Object > Schedule.
Figure 351 Configuration > Object > Schedule
The following table describes the labels in this screen. See Section 38.2.
Table 187 Configuration > Object > Schedule (continued)
LABEL DESCRIPTION
Recurring
Add: Click this to create a new entry.
Edit: Double-click an entry or select it and click Edit to be able to modify the entry’s settings.
Remove: To remove an entry, select it and click Remove. The ZyWALL confirms you want to remove it before doing so.
Object References: Select an entry and click Object References to open a screen that shows which settings use the entry. See Section 11.3.
Table 188 Configuration > Object > Schedule > Edit (One Time) (continued)
LABEL DESCRIPTION
Date Time
StartDate: Specify the year, month, and day when the schedule begins. Year - 1900 - 2999. Month - 1 - 12. Day - 1 - 31 (it is not possible to specify illegal dates, such as February 31). Hour - 0 - 23. Minute - 0 - 59.
StartTime: Specify the hour and minute when the schedule begins. Hour - 0 - 23. Minute - 0 - 59.
StopDate: Specify the year, month, and day when the schedule ends.
(see Section 38.2 on page 612), and click either the Add icon or an Edit icon in the Recurring section.
Figure 353 Configuration > Object > Schedule > Edit (Recurring)
The Year, Month, and Day columns are not used in recurring schedules and are disabled in this screen. The following table describes the remaining labels in this screen.
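One-time and recurring schedule evaluation with the field ranges of Table 188, as an added Python example that is not ZyXEL code. It assumes a recurring schedule repeats every day between StartTime and StopTime and that a window whose StopTime is earlier than its StartTime wraps past midnight; the guide shows neither detail.

```python
from dataclasses import dataclass
from datetime import datetime, time


def _check_range(name: str, value: int, low: int, high: int) -> None:
    """Enforce the field ranges of the schedule edit screens."""
    if not low <= value <= high:
        raise ValueError(f"{name} must be between {low} and {high}, got {value}")


def build_datetime(year: int, month: int, day: int, hour: int, minute: int) -> datetime:
    """Combine Year/Month/Day and Hour/Minute fields; datetime() itself rejects
    illegal dates such as February 31."""
    _check_range("Year", year, 1900, 2999)
    _check_range("Month", month, 1, 12)
    _check_range("Day", day, 1, 31)
    _check_range("Hour", hour, 0, 23)
    _check_range("Minute", minute, 0, 59)
    return datetime(year, month, day, hour, minute)


def fields_are_valid(year: int, month: int, day: int, hour: int, minute: int) -> bool:
    try:
        build_datetime(year, month, day, hour, minute)
        return True
    except ValueError:
        return False


@dataclass(frozen=True)
class OneTimeSchedule:
    """Effective once, from StartDate/StartTime to StopDate/StopTime inclusive."""
    start: datetime
    stop: datetime

    @classmethod
    def from_fields(cls, start_date, start_time, stop_date, stop_time):
        """start_date/stop_date are (year, month, day); start_time/stop_time are (hour, minute)."""
        start = build_datetime(*start_date, *start_time)
        stop = build_datetime(*stop_date, *stop_time)
        if stop < start:
            raise ValueError("StopDate/StopTime lies before StartDate/StartTime")
        return cls(start, stop)

    def active(self, now: datetime) -> bool:
        return self.start <= now <= self.stop


@dataclass(frozen=True)
class RecurringSchedule:
    """Year, Month and Day are not used; the schedule repeats daily between
    StartTime and StopTime (assumption: daily repetition and midnight wrap)."""
    start: time
    stop: time

    @classmethod
    def from_fields(cls, start_time, stop_time):
        for name, (hour, minute) in (("StartTime", start_time), ("StopTime", stop_time)):
            _check_range(name + " hour", hour, 0, 23)
            _check_range(name + " minute", minute, 0, 59)
        return cls(time(*start_time), time(*stop_time))

    def active(self, now: datetime) -> bool:
        t = now.time().replace(second=0, microsecond=0)
        if self.start <= self.stop:
            return self.start <= t <= self.stop
        return t >= self.start or t <= self.stop   # window wraps past midnight


def is_active(schedule, year: int, month: int, day: int, hour: int, minute: int) -> bool:
    """Evaluate a schedule against the ZyWALL's current date and time, given as fields."""
    return schedule.active(datetime(year, month, day, hour, minute))
```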
CHAPTER 39 AAA Server
39.1 Overview
You can use an AAA (Authentication, Authorization, Accounting) server to provide access control to your network. The AAA server can be an Active Directory, LDAP, or RADIUS server. Use the AAA Server screens to create and manage objects that contain settings for using AAA servers. You use AAA server objects in configuring ext-group-user user objects and authentication method objects (see Chapter 40 on page 627).
39.1.
39.1.2 RADIUS Server RADIUS (Remote Authentication Dial-In User Service) authentication is a popular protocol used to authenticate users by means of an external server instead of (or in addition to) an internal device user database that is limited to the memory capacity of the device. In essence, RADIUS authentication allows you to validate a large number of users from a central location. Figure 355 RADIUS Server Network Example 39.1.
• Use the Configuration > Object > AAA Server > RADIUS screen (Section 39.3 on page 623) to configure the default external RADIUS server to use for user authentication. 39.1.5 What You Need To Know AAA Servers Supported by the ZyWALL The following lists the types of authentication server the ZyWALL supports.
organizational boundaries. The following figure shows a basic directory structure branching from countries to organizations to organizational units to individuals. Figure 356 Basic Directory Structure (levels shown: Root, Countries, Organizations, Organization Units, Unique Common Name (cn)) Distinguished Name (DN) A DN uniquely identifies an entry in a directory. A DN consists of attribute-value pairs separated by commas.
• See Section 7.6 on page 131 for an example of how to use a RADIUS server to authenticate user accounts based on groups. 39.2 Active Directory or LDAP Server Summary Use the Active Directory or LDAP screen to manage the list of AD or LDAP servers the ZyWALL can use in authenticating users. Click Configuration > Object > AAA Server > Active Directory (or LDAP) to display the Active Directory (or LDAP) screen.
following screen. Use this screen to create a new AD or LDAP entry or edit an existing one. Figure 358 Configuration > Object > AAA Server > Active Directory (or LDAP) > Add The following table describes the labels in this screen. Table 191 Configuration > Object > AAA Server > Active Directory (or LDAP) > Add LABEL DESCRIPTION Name Enter a descriptive name (up to 63 alphanumerical characters) for identification purposes.
Table 191 Configuration > Object > AAA Server > Active Directory (or LDAP) > Add LABEL DESCRIPTION Base DN Specify the directory (up to 127 alphanumerical characters). For example, o=ZyXEL, c=US. Use SSL Select Use SSL to establish a secure connection to the AD or LDAP server(s). Search time limit Specify the timeout period (between 1 and 300 seconds) before the ZyWALL disconnects from the AD or LDAP server. In this case, user authentication fails.
Click Configuration > Object > AAA Server > RADIUS to display the RADIUS screen. Figure 359 Configuration > Object > AAA Server > RADIUS The following table describes the labels in this screen. Table 192 Configuration > Object > AAA Server > RADIUS LABEL DESCRIPTION Add Click this to create a new entry. Edit Double-click an entry or select it and click Edit to open a screen where you can modify the entry’s settings. Remove To remove an entry, select it and click Remove.
39.3.1 Adding a RADIUS Server Click Configuration > Object > AAA Server > RADIUS to display the RADIUS screen. Click the Add icon or an Edit icon to display the following screen. Use this screen to create a new RADIUS entry or edit an existing one. Figure 360 Configuration > Object > AAA Server > RADIUS > Add The following table describes the labels in this screen.
Table 193 Configuration > Object > AAA Server > RADIUS > Add (continued) LABEL DESCRIPTION Timeout Specify the timeout period (between 1 and 300 seconds) before the ZyWALL disconnects from the RADIUS server. In this case, user authentication fails. Search timeout occurs when either the user information is not in the RADIUS server or the RADIUS server is down.
CHAPTER 40 Authentication Method 40.1 Overview Authentication method objects set how the ZyWALL authenticates wireless, HTTP/HTTPS clients, and peer IPSec routers (extended authentication) clients. Configure authentication method objects to have the ZyWALL use the local user database, and/or the authentication servers and authentication server groups specified by AAA server objects. By default, user accounts created and stored on the ZyWALL are authenticated locally. 40.1.
3 Select Server Mode and select an authentication method object from the dropdown list box. 4 Click OK to save the settings. Figure 361 Example: Using Authentication Method in VPN 40.2 Authentication Method Objects Click Configuration > Object > Auth. Method to display the screen as shown. Note: You can create up to 16 authentication method objects. Figure 362 Configuration > Object > Auth. Method The following table describes the labels in this screen.
Table 194 Configuration > Object > Auth. Method (continued) LABEL DESCRIPTION Method List This field displays the authentication method(s) for this entry. Add icon Click Add to add a new entry. Click Edit to edit the settings of an entry. Click Delete to remove an entry. 40.2.1 Creating an Authentication Method Object Follow the steps below to create an authentication method object. 1 Click Configuration > Object > Auth. Method. 2 Click Add.
7 Click OK to save the settings or click Cancel to discard all changes and return to the previous screen. Figure 363 Configuration > Object > Auth. Method > Add The following table describes the labels in this screen. Table 195 Configuration > Object > Auth. Method > Add LABEL DESCRIPTION Name Specify a descriptive name for identification purposes. You may use 1-31 alphanumeric characters, underscores (_), or dashes (-), but the first character cannot be a number.
Table 195 Configuration > Object > Auth. Method > Add (continued) LABEL DESCRIPTION Add icon Click Add to add a new entry. Click Edit to edit the settings of an entry. Click Delete to delete an entry. OK Click OK to save the changes. Cancel Click Cancel to discard the changes.
CHAPTER 41 Certificates 41.1 Overview The ZyWALL can use certificates (also called digital IDs) to authenticate users. Certificates are based on public-private key pairs. A certificate contains the certificate owner’s identity and public key. Certificates provide a way to exchange public keys for use in authentication. 41.1.1 What You Can Do in this Chapter • Use the My Certificate screens (see Section 41.2 on page 637 to Section 41.2.
2 Tim keeps the private key and makes the public key openly available. This means that anyone who receives a message seeming to come from Tim can read it and verify whether it is really from him or not. 3 Tim uses his private key to sign the message and sends it to Jenny. 4 Jenny receives the message and uses Tim’s public key to verify it.
Factory Default Certificate The ZyWALL generates its own unique self-signed certificate when you first turn it on. This certificate is referred to in the GUI as the factory default certificate. Certificate File Formats Any certificate that you want to import has to be in one of these file formats: • Binary X.509: This is an ITU-T recommendation that defines the formats for X.509 certificates. • PEM (Base-64) encoded X.
2 Make sure that the certificate has a “.cer” or “.crt” file name extension. Figure 364 Remote Host Certificates 3 Double-click the certificate’s icon to open the Certificate window. Click the Details tab and scroll down to the Thumbprint Algorithm and Thumbprint fields. Figure 365 Certificate Details 4 Use a secure method to verify that the certificate owner has the same information in the Thumbprint Algorithm and Thumbprint fields.
41.2 The My Certificates Screen Click Configuration > Object > Certificate > My Certificates to open the My Certificates screen. This is the ZyWALL’s summary list of certificates and certification requests. Figure 366 Configuration > Object > Certificate > My Certificates The following table describes the labels in this screen.
Table 196 Configuration > Object > Certificate > My Certificates (continued) LABEL DESCRIPTION Type This field displays what kind of certificate this is. REQ represents a certification request and is not yet a valid certificate. Send a certification request to a certification authority, which then issues a certificate. Use the My Certificate Import screen to import the certificate and replace the request. SELF represents a self-signed certificate.
ZyWALL create a self-signed certificate, enroll a certificate with a certification authority or generate a certification request.
The following table describes the labels in this screen. Table 197 Configuration > Object > Certificate > My Certificates > Add LABEL DESCRIPTION Name Type a name to identify this certificate. You can use up to 31 alphanumeric and ;'~!@#$%^&()_+[]{}',.=- characters. Subject Information Use these fields to record information that identifies the owner of the certificate.
Table 197 Configuration > Object > Certificate > My Certificates > Add (continued) LABEL DESCRIPTION Create a certification request and save it locally for later manual enrollment Select this to have the ZyWALL generate and store a request for a certificate. Use the My Certificate Details screen to view the certification request and copy it to send to the certification authority.
Table 197 Configuration > Object > Certificate > My Certificates > Add (continued) LABEL DESCRIPTION Request Authentication When you select Create a certification request and enroll for a certificate immediately online, the certification authority may want you to include a reference number and key to identify you when you send a certification request. Fill in both the Reference Number and the Key fields if your certification authority uses the CMP enrollment protocol.
41.2.2 The My Certificates Edit Screen Click Configuration > Object > Certificate > My Certificates and then the Edit icon to open the My Certificate Edit screen. You can use this screen to view in-depth certificate information and change the certificate’s name.
The following table describes the labels in this screen. Table 198 Configuration > Object > Certificate > My Certificates > Edit LABEL DESCRIPTION Name This field displays the identifying name of this certificate. You can use up to 31 alphanumeric and ;'~!@#$%^&()_+[]{}',.=- characters. Certification Path This field displays for a certificate, not a certification request.
Table 198 Configuration > Object > Certificate > My Certificates > Edit LABEL DESCRIPTION Key Algorithm This field displays the type of algorithm that was used to generate the certificate’s key pair (the ZyWALL uses RSA encryption) and the length of the key set in bits (1024 bits for example). Subject Alternative Name This field displays the certificate owner’s IP address (IP), domain name (DNS) or e-mail address (EMAIL).
Table 198 Configuration > Object > Certificate > My Certificates > Edit LABEL DESCRIPTION OK Click OK to save your changes back to the ZyWALL. You can only change the name. Cancel Click Cancel to quit and return to the My Certificates screen. 41.2.3 The My Certificates Import Screen Click Configuration > Object > Certificate > My Certificates > Import to open the My Certificate Import screen. Follow the instructions in this screen to save an existing certificate to the ZyWALL.
Table 199 Configuration > Object > Certificate > My Certificates > Import (continued) LABEL DESCRIPTION Password This field only applies when you import a binary PKCS#12 format file. Type the file’s password that was created when the PKCS#12 file was exported. OK Click OK to save the certificate on the ZyWALL. Cancel Click Cancel to quit and return to the My Certificates screen. 41.
Table 200 Configuration > Object > Certificate > Trusted Certificates (continued) LABEL DESCRIPTION Object References You cannot delete certificates that any of the ZyWALL’s features are configured to use. Select an entry and click Object References to open a screen that shows which settings use the entry. See Section 11.3.2 on page 230 for an example. # This field displays the certificate index number. The certificates are listed in alphabetical order.
authority’s list of revoked certificates before trusting a certificate issued by the certification authority.
The following table describes the labels in this screen. Table 201 Configuration > Object > Certificate > Trusted Certificates > Edit LABEL DESCRIPTION Name This field displays the identifying name of this certificate. You can change the name. You can use up to 31 alphanumeric and ;'~!@#$%^&()_+[]{}',.=- characters.
Table 201 Configuration > Object > Certificate > Trusted Certificates > Edit LABEL DESCRIPTION Type This field displays general information about the certificate. CA-signed means that a Certification Authority signed the certificate. Self-signed means that the certificate’s owner signed the certificate (not a certification authority). X.509 means that this certificate was created and signed according to the ITU-T X.
Table 201 Configuration > Object > Certificate > Trusted Certificates > Edit LABEL DESCRIPTION SHA1 Fingerprint This is the certificate’s message digest that the ZyWALL calculated using the SHA1 algorithm. You can use this value to verify with the certification authority (over the phone for example) that this is actually their certificate.
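The two import formats named under Certificate File Formats (Binary X.509 and PEM Base-64 encoded X.509) and the SHA1 Fingerprint / Thumbprint comparison described above, worked through as an added example that is not part of this guide or ZyXEL's software: it normalizes a certificate file to its binary form, computes the SHA1 fingerprint in the colon-separated layout the screens show, and compares it with a value obtained out of band. The certificate bytes are constructed placeholders, not a real certificate.

```python
"""Added example (not from the ZyWALL guide): normalize a certificate file that is
in either import format the guide names, Binary X.509 (DER) or PEM (Base-64
encoded X.509), and compute the SHA1 fingerprint that the Trusted Certificates
screen and a browser's Thumbprint field show, so it can be compared with the
value the certificate owner or CA reports over a secure channel.
The sample certificate bytes below are constructed placeholders, not a real
certificate."""
import base64
import hashlib
import re

# PEM armour: Base-64 body between BEGIN/END CERTIFICATE lines.
PEM_RE = re.compile(
    rb"-----BEGIN CERTIFICATE-----\s*(.*?)\s*-----END CERTIFICATE-----",
    re.DOTALL,
)


def to_der(data: bytes) -> bytes:
    """Return the binary X.509 (DER) bytes of a certificate file.

    A PEM file is recognised by its armour and decoded from Base-64 (only the
    first certificate of a bundle is used); anything else must already be DER,
    which always starts with an ASN.1 SEQUENCE tag (0x30).
    """
    m = PEM_RE.search(data)
    if m:
        body = b"".join(m.group(1).split())  # drop line breaks inside the armour
        return base64.b64decode(body, validate=True)
    if not data.startswith(b"\x30"):
        raise ValueError("not a PEM certificate and not a DER SEQUENCE")
    return data


def sha1_fingerprint(data: bytes) -> str:
    """SHA1 digest of the DER encoding as colon-separated upper-case hex pairs,
    the layout used by the SHA1 Fingerprint field and browser Thumbprint fields."""
    digest = hashlib.sha1(to_der(data)).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def fingerprints_match(file_bytes: bytes, expected: str) -> bool:
    """Compare the computed fingerprint with one read out over a secure channel.

    Colons, spaces and letter case are ignored so a value dictated over the
    phone or pasted from a browser compares correctly.
    """
    def norm(s: str) -> str:
        return re.sub(r"[^0-9A-F]", "", s.upper())
    return norm(sha1_fingerprint(file_bytes)) == norm(expected)


# Constructed sample: a DER SEQUENCE (tag 0x30, length 12) wrapping placeholder
# bytes. It is NOT a real certificate; it only exercises the two file formats.
SAMPLE_DER = b"\x30\x0c" + b"placeholder!"
SAMPLE_PEM = (
    b"-----BEGIN CERTIFICATE-----\n"
    + base64.encodebytes(SAMPLE_DER)
    + b"-----END CERTIFICATE-----\n"
)

if __name__ == "__main__":
    # Both encodings of the same certificate give the same fingerprint.
    print(sha1_fingerprint(SAMPLE_DER))
    print(sha1_fingerprint(SAMPLE_PEM) == sha1_fingerprint(SAMPLE_DER))
```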
The following table describes the labels in this screen. Table 202 Configuration > Object > Certificate > Trusted Certificates > Import LABEL DESCRIPTION File Path Type in the location of the file you want to upload in this field or click Browse to find it. You cannot import a certificate with the same name as a certificate that is already in the ZyWALL. Browse Click Browse to find the certificate file you want to upload. OK Click OK to save the certificate on the ZyWALL.
CHAPTER 42 ISP Accounts 42.1 Overview Use ISP accounts to manage Internet Service Provider (ISP) account information for PPPoE/PPTP interfaces. An ISP account is a profile of settings for Internet access using PPPoE or PPTP. Finding Out More • See Section 11.4 on page 231 for information about PPPoE/PPTP interfaces. • See Section 6.6 on page 105 for related information on these screens. 42.1.1 What You Can Do in this Chapter Use the Object > ISP Account screens (Section 42.
The following table describes the labels in this screen. See the ISP Account Edit section below for more information as well. Table 203 Configuration > Object > ISP Account LABEL DESCRIPTION Add Click this to create a new entry. Edit Double-click an entry or select it and click Edit to be able to modify the entry’s settings. Remove To remove an entry, select it and click Remove. The ZyWALL confirms you want to remove it before doing so.
The following table describes the labels in this screen. Table 204 Configuration > Object > ISP Account > Edit LABEL DESCRIPTION Profile Name This field is read-only if you are editing an existing account. Type in the profile name of the ISP account. The profile name is used to refer to the ISP account. You may use 1-31 alphanumeric characters, underscores (_), or dashes (-), but the first character cannot be a number. This value is case-sensitive.
Table 204 Configuration > Object > ISP Account > Edit (continued) LABEL DESCRIPTION Compression Select the On button to turn on Stac compression, and select Off to turn off Stac compression. Stac compression is a data compression technique capable of compressing data by a factor of about four. Idle Timeout This value specifies the number of seconds that must elapse without outbound traffic before the ZyWALL automatically disconnects from the PPPoE/PPTP server.
CHAPTER 43 SSL Application 43.1 Overview You use SSL application objects in SSL VPN. Configure an SSL application object to specify the type of application and the address of the local computer, server, or web site SSL users are to be able to access. You can apply one or more SSL application objects in the VPN > SSL VPN screen for a user account/user group. 43.1.1 What You Can Do in this Chapter • Use the SSL Application screen (Section 43.
Remote Desktop Connections Use SSL VPN to allow remote users to manage LAN computers. Depending on the functions supported by the remote desktop software, they can install or remove software, run programs, change settings, and open, copy, create, and delete files. This is useful for troubleshooting, support, administration, and remote access to files and programs.
2 Click the Add button and select Web Application in the Type field. In the Server Type field, select Web Server. Enter a descriptive name in the Display Name field. For example, “CompanyIntranet”. In the Address field, enter “http://info”. Select Web Page Encryption to prevent users from saving the web content. Click Apply to save the settings. The configuration screen should look similar to the following figure.
The following table describes the labels in this screen. Table 205 Configuration > Object > SSL Application LABEL DESCRIPTION Add Click this to create a new entry. Edit Double-click an entry or select it and click Edit to be able to modify the entry’s settings. Remove To remove an entry, select it and click Remove. The ZyWALL confirms you want to remove it before doing so.
The following table describes the labels in this screen. Table 206 Configuration > Object > SSL Application > Add/Edit: Web Application LABEL DESCRIPTION Show Advance Settings / Hide Advance Settings This displays for VNC or RDP type web application objects. Click this button to display a greater or lesser number of configuration fields. Create new Object Use this to configure any new settings objects that you need to use in this screen.
Table 206 Configuration > Object > SSL Application > Add/Edit: Web Application LABEL DESCRIPTION Server Address(es) This field displays if the Server Type is set to RDP or VNC. Specify the IP address or Fully-Qualified Domain Name (FQDN) of the computer(s) that you want to allow the remote users to manage. Starting Port This field displays if the Server Type is set to RDP or VNC.
CHAPTER 44 Endpoint Security 44.1 Overview Use Endpoint Security (EPS), also known as endpoint control, to make sure users’ computers comply with defined corporate policies before they can access the network or an SSL VPN tunnel. After a successful user authentication, a user’s computer must meet the endpoint security object’s Operating System (OS) option and security requirements to gain access.
44.1.1 What You Can Do in this Chapter Use the Configuration > Object > Endpoint Security screens (Section 44.2 on page 667) to create and manage endpoint security objects. 44.1.2 What You Need to Know What Endpoint Security Can Check The settings endpoint security can check vary depending on the OS of the user’s computer.
44.2 Endpoint Security Screen The Endpoint Security screen displays the endpoint security objects you have configured on the ZyWALL. Click Configuration > Object > Endpoint Security to display the screen. Figure 380 Configuration > Object > Endpoint Security The following table gives an overview of the objects you can configure. Table 207 Configuration > Object > Endpoint Security LABEL DESCRIPTION Add Click this to create a new entry.
Table 207 Configuration > Object > Endpoint Security (continued) LABEL DESCRIPTION Apply Click this button to save your changes to the ZyWALL. Reset Click this button to return the screen to its last-saved settings.
44.3 Endpoint Security Add/Edit Click Configuration > Object > Endpoint Security and then the Add (or Edit) icon to open the Endpoint Security Edit screen. Use this screen to configure an endpoint security object.
Figure 381 Configuration > Object > Endpoint Security > Add
The following table gives an overview of the objects you can configure. Table 208 Configuration > Object > Endpoint Security > Add LABEL DESCRIPTION Show Advance Settings / Hide Advance Settings Click this button to display a greater or lesser number of configuration fields. General Setup Object Name Specify a descriptive name for identification purposes. You can enter up to 31 characters (“0-9”, “a-z”, “A-Z”, “-”, “_” with no spaces allowed).
Table 208 Configuration > Object > Endpoint Security > Add (continued) LABEL DESCRIPTION Checking Item - Personal Firewall If you selected Windows as the operating system, you can select whether or not the user’s computer is required to have personal firewall software installed. Move the permitted personal firewalls from the Available list to the Allowed Personal Firewall List. Use the [Shift] and/or [Ctrl] key to select multiple entries.
Table 208 Configuration > Object > Endpoint Security > Add (continued) LABEL DESCRIPTION Checking Item - File Information If you selected Windows or Linux as the operating system, you can use this table to check details of specific files on the user’s computer.
CHAPTER 45 System 45.1 Overview Use the system screens to configure general ZyWALL settings. 45.1.1 What You Can Do in this Chapter • Use the System > Host Name screen (see Section 45.2 on page 676) to configure a unique name for the ZyWALL in your network. • Use the System > Date/Time screen (see Section 45.3 on page 676) to configure the date and time for the ZyWALL. • Use the System > Console Speed screen (see Section 45.
• Vantage CNM (Centralized Network Management) is a browser-based global management tool that allows an administrator to manage ZyXEL devices. Use the System > Vantage CNM screen (see Section 45.11 on page 719) to allow your ZyWALL to be managed by the Vantage CNM server. • Use the System > Language screen (see Section 45.12 on page 722) to set a language for the ZyWALL’s Web Configurator screens. Note: See each section for related background information and term definitions. 45.
a software mechanism to set the time manually or get the current time and date from an external server. To change your ZyWALL’s time based on your local time zone and date, click Configuration > System > Date/Time. The screen displays as shown. You can manually set the ZyWALL’s time and date or have the ZyWALL get the date and time from a time server. Figure 383 Configuration > System > Date and Time The following table describes the labels in this screen.
Table 210 Configuration > System > Date and Time (continued) LABEL DESCRIPTION New Time (hh-mm-ss) This field displays the last updated time from the time server or the last time configured manually. When you set Time and Date Setup to Manual, enter the new time in this field and then click Apply. New Date (yyyy-mm-dd) This field displays the last updated date from the time server or the last date configured manually.
Table 210 Configuration > System > Date and Time (continued) LABEL DESCRIPTION End Date Configure the day and time when Daylight Saving Time ends if you selected Enable Daylight Saving. The at field uses the 24-hour format. Here are a couple of examples: Daylight Saving Time ends in the United States on the first Sunday of November. Each time zone in the United States stops using Daylight Saving Time at 2 A.M. local time.
45.3.2 Time Server Synchronization Click the Synchronize Now button to get the time and date from the time server you specified in the Time Server Address field. When the Please Wait... screen appears, you may have to wait up to one minute. Figure 384 Synchronization in Process The Current Time and Current Date fields will display the appropriate settings if the synchronization is successful. If the synchronization was not successful, a log displays in the View Log screen.
5 Under Time and Date Setup, enter a Time Server Address (Table 211 on page 679). 6 Click Apply. 45.4 Console Port Speed This section shows you how to set the console port speed when you connect to the ZyWALL via the console port using a terminal emulation program. See Table 2 on page 35 for default console port settings. Click Configuration > System > Console Speed to open the Console Speed screen.
45.5.1 DNS Server Address Assignment The ZyWALL can get the DNS server addresses in the following ways. • The ISP tells you the DNS server addresses, usually in the form of an information sheet, when you sign up. If your ISP gives you DNS server addresses, manually enter them in the DNS server fields. • If your ISP dynamically assigns the DNS server IP addresses (along with the ZyWALL’s WAN IP address), set the DNS server fields to get the DNS server address from the ISP.
The following table describes the labels in this screen. Table 213 Configuration > System > DNS LABEL DESCRIPTION Address/PTR Record This record specifies the mapping of a Fully-Qualified Domain Name (FQDN) to an IP address. An FQDN consists of a host and domain name. For example, www.zyxel.com.tw is a fully qualified domain name, where “www” is the host, “zyxel” is the third-level domain, “com” is the second-level domain, and “tw” is the top level domain.
Table 213 Configuration > System > DNS (continued) LABEL DESCRIPTION DNS Server This is the IP address of a DNS server. This field displays N/A if you have the ZyWALL get a DNS server IP address from the ISP dynamically but the specified interface is not active. Query Via This is the interface through which the ZyWALL sends DNS queries to the entry’s DNS server. If the ZyWALL connects through a VPN tunnel, tunnel displays.
45.5.3 Address Record An address record contains the mapping of a Fully-Qualified Domain Name (FQDN) to an IP address. An FQDN consists of a host and domain name. For example, www.zyxel.com is a fully qualified domain name, where “www” is the host, “zyxel” is the second-level domain, and “com” is the top level domain. mail.myZyXEL.com.tw is also an FQDN, where “mail” is the host, “myZyXEL” is the third-level domain, “com” is the second-level domain, and “tw” is the top level domain.
The following table describes the labels in this screen. Table 214 Configuration > System > DNS > Address/PTR Record Edit LABEL DESCRIPTION FQDN Type a Fully-Qualified Domain Name (FQDN) of a server. An FQDN starts with a host name and continues all the way up to the top-level domain name. For example, www.zyxel.com.tw is a fully qualified domain name, where “www” is the host, “zyxel” is the third-level domain, “com” is the second-level domain, and “tw” is the top level domain.
The following table describes the labels in this screen. Table 215 Configuration > System > DNS > Domain Zone Forwarder Add LABEL DESCRIPTION Domain Zone A domain zone is a fully qualified domain name without the host. For example, zyxel.com.tw is the domain zone for the www.zyxel.com.tw fully qualified domain name. Whenever the ZyWALL needs to resolve a zyxel.com.tw domain name, it can send a query to the recorded name server IP address.
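The FQDN breakdown used in the Address/PTR Record descriptions and the domain zone matching used by the Domain Zone Forwarder, worked through as an added example that is not part of this guide or of ZyXEL's firmware: it splits a name into host and domain levels exactly as the text names them, derives the domain zone (the FQDN without the host), and picks the forwarder whose zone covers a query. The forwarder table and its addresses are constructed sample data.

```python
"""Added example (not from the ZyWALL guide): split an FQDN into host and
domain levels the way the DNS screens describe it, derive the domain zone
(the FQDN without the host), and select the domain zone forwarder whose zone
covers a query name.  The forwarder table below is constructed sample data."""
from typing import Dict, Optional


def split_fqdn(fqdn: str) -> dict:
    """Return the host, the domain zone and the domain levels named top down.

    www.zyxel.com.tw -> host 'www', zone 'zyxel.com.tw', levels
    {'top level': 'tw', 'second-level': 'com', 'third-level': 'zyxel'}.
    Names are lower-cased because DNS labels are case-insensitive.
    """
    labels = fqdn.strip().rstrip(".").lower().split(".")
    if len(labels) < 2 or any(not label for label in labels):
        raise ValueError(f"not a fully qualified domain name: {fqdn!r}")
    host, domain = labels[0], labels[1:]
    names = ["top level", "second-level", "third-level", "fourth-level"]
    levels = {}
    # Walk the domain part from the right so the top level domain comes first.
    for i, label in enumerate(reversed(domain)):
        key = names[i] if i < len(names) else f"level {i + 1}"
        levels[key] = label
    return {"host": host, "zone": ".".join(domain), "levels": levels}


def select_forwarder(query: str, forwarders: Dict[str, str]) -> Optional[str]:
    """Choose the name server for a query from a {domain zone: server IP} table.

    A zone matches when the query equals it or ends with '.' + zone, so
    'notzyxel.com.tw' does NOT match the 'zyxel.com.tw' zone.  The longest
    matching zone wins; a '*' entry, if present, is the default for the rest.
    """
    q = query.strip().rstrip(".").lower()
    best_zone: Optional[str] = None
    best_ip: Optional[str] = None
    for zone, ip in forwarders.items():
        z = zone.strip().rstrip(".").lower()
        if z == "*":
            continue
        if q == z or q.endswith("." + z):
            if best_zone is None or len(z) > len(best_zone):
                best_zone, best_ip = z, ip
    if best_ip is not None:
        return best_ip
    return forwarders.get("*")


# Constructed sample forwarder table: domain zone -> name server to query.
# The addresses are documentation-range placeholders, not real servers.
FORWARDERS = {
    "zyxel.com.tw": "192.0.2.53",
    "corp.zyxel.com.tw": "192.0.2.54",
    "*": "198.51.100.1",
}

if __name__ == "__main__":
    for name in ("www.zyxel.com.tw", "mail.myZyXEL.com.tw"):
        print(name, split_fqdn(name))
    for name in ("www.zyxel.com.tw", "intranet.corp.zyxel.com.tw", "example.org"):
        print(name, "->", select_forwarder(name, FORWARDERS))
```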
Chapter 45 System 45.5.9 Adding a MX Record Click the Add icon in the MX Record table to add a MX record. Figure 389 Configuration > System > DNS > MX Record Add The following table describes the labels in this screen. Table 216 Configuration > System > DNS > MX Record Add LABEL DESCRIPTION Domain Name Enter the domain name where the mail is destined for.
Chapter 45 System The following table describes the labels in this screen. Table 217 Configuration > System > DNS > Service Control Rule Add LABEL DESCRIPTION Create new Object Use this to configure any new settings objects that you need to use in this screen. Address Object Select ALL to allow or deny any computer to send DNS queries to the ZyWALL. Select a predefined address object to just allow or deny the computer with the IP address that you specified to send DNS queries to the ZyWALL.
Chapter 45 System 1 You have disabled that service in the corresponding screen. 2 The allowed IP address (address object) in the Service Control table does not match the client IP address (the ZyWALL disallows the session). 3 The IP address (address object) in the Service Control table is not in the allowed zone or the action is set to Deny. 4 There is a firewall rule that blocks it. 45.6.2 System Timeout There is a lease timeout for administrators.
Chapter 45 System Please refer to the following figure. 1 HTTPS connection requests from an SSL-aware web browser go to port 443 (by default) on the ZyWALL’s web server. 2 HTTP connection requests from a web browser go to port 80 (by default) on the ZyWALL’s web server. Figure 391 HTTP/HTTPS Implementation Note: If you disable HTTP in the WWW screen, then the ZyWALL blocks all HTTP connection attempts. 45.6.4 Configuring WWW Service Control Click Configuration > System > WWW to open the WWW screen.
Chapter 45 System Note: Admin Service Control deals with management access (to the Web Configurator). User Service Control deals with user access to the ZyWALL (logging into SSL VPN for example). Figure 392 Configuration > System > WWW > Service Control The following table describes the labels in this screen.
Chapter 45 System Table 218 Configuration > System > WWW > Service Control (continued) LABEL DESCRIPTION Server Port The HTTPS server listens on port 443 by default. If you change the HTTPS server port to a different number on the ZyWALL, for example 8443, then you must notify people who need to access the ZyWALL Web Configurator to use “https://ZyWALL IP Address:8443” as the URL.
Chapter 45 System Table 218 Configuration > System > WWW > Service Control (continued) LABEL DESCRIPTION HTTP Enable Select the check box to allow or disallow the computer with the IP address that matches the IP address(es) in the Service Control table to access the ZyWALL Web Configurator using HTTP connections. Server Port You may change the server port number for a service if needed, however you must use the same port number in order to use that service to access the ZyWALL.
Chapter 45 System Table 218 Configuration > System > WWW > Service Control (continued) LABEL DESCRIPTION Apply Click Apply to save your changes back to the ZyWALL. Reset Click Reset to return the screen to its last-saved settings. 45.6.5 Service Control Rules Click Add or Edit in the Service Control table in a WWW, SSH, Telnet, FTP or SNMP screen to add a service control rule. Figure 393 Configuration > System > Service Control Rule > Edit The following table describes the labels in this screen.
Chapter 45 System also customize the page that displays after an access user logs into the Web Configurator to access network services like the Internet. See Chapter 35 on page 583 for more on access user accounts.
Chapter 45 System The following figures identify the parts you can customize in the login and access pages.
Chapter 45 System • Click Color to display a screen of web-safe colors from which to choose. • Enter the name of the desired color. • Enter a pound sign (#) followed by the six-digit hexadecimal number that represents the desired color. For example, use “#000000” for black. • Enter “rgb” followed by red, green, and blue values in parenthesis and separate by commas. For example, use “rgb(0,0,0)” for black.
Chapter 45 System Table 220 Configuration > System > WWW > Login Page LABEL DESCRIPTION Note Message Enter a note to display below the title. Use up to 64 printable ASCII characters. Spaces are allowed. Window Background Set how the window’s background looks. To use a graphic, select Picture and upload a graphic. Specify the location and file name of the logo graphic or click Browse to locate it. Note: Use a GIF, JPG, or PNG of 100 kilobytes or less.
Chapter 45 System 45.6.7.2 Netscape Navigator Warning Messages When you attempt to access the ZyWALL HTTPS server, a Website Certified by an Unknown Authority screen pops up asking if you trust the server certificate. Click Examine Certificate if you want to verify that the certificate is from the ZyWALL. If Accept this certificate temporarily for this session is selected, then click OK to continue in Netscape.
• The issuing certificate authority of the ZyWALL’s HTTPS server certificate is not one of the browser’s trusted certificate authorities. The issuing certificate authority of the ZyWALL's factory default certificate is the ZyWALL itself since the certificate is a self-signed certificate. • For the browser to trust a self-signed certificate, import the self-signed certificate into your operating system as a trusted certificate. Before you import it, confirm that the certificate you are about to trust is the one the ZyWALL itself presents (compare it with the certificate shown in the ZyWALL’s certificate screens). The browser performs no further checks on an imported trusted certificate, and a device placed between your computer and the ZyWALL could present a self-signed certificate of its own.
Chapter 45 System Apply for a certificate from a Certification Authority (CA) that is trusted by the ZyWALL (see the ZyWALL’s Trusted CA Web Configurator screen). Figure 401 ZyWALL Trusted CA Screen The CA sends you a package containing the CA’s trusted certificate(s), your personal certificate(s) and a password to install the personal certificate(s). 45.6.7.5.1 Installing the CA’s Certificate 1 Double click the CA’s trusted certificate to produce a screen similar to the one shown next.
45.6.7.5.2 Installing Your Personal Certificate(s) You need a password in advance. The CA may issue the password or you may have to specify it during the enrollment. Double-click the personal certificate given to you by the CA to produce a screen similar to the one shown next. 1 Click Next to begin the wizard. Figure 403 Personal Certificate Import Wizard 1 2 The file name and path of the certificate you double-clicked should automatically appear in the File name text box.
Chapter 45 System 3 Enter the password given to you by the CA. Figure 405 Personal Certificate Import Wizard 3 4 Have the wizard determine where the certificate should be saved on your computer or select Place all certificates in the following store and choose a different location.
5 Click Finish to complete the wizard and begin the import process. Figure 407 Personal Certificate Import Wizard 5 6 You should see the following screen when the certificate is correctly installed on your computer. Figure 408 Personal Certificate Import Wizard 6 45.6.7.6 Using a Certificate When Accessing the ZyWALL Example Use the following procedure to access the ZyWALL via HTTPS. 1 Enter ‘https://ZyWALL IP Address/’ (the ZyWALL’s IP address after https://) in your browser’s web address field.
Chapter 45 System 2 When Authenticate Client Certificates is selected on the ZyWALL, the following screen asks you to select a personal certificate to send to the ZyWALL. This screen displays even if you only have a single certificate as in the example. Figure 410 SSL Client Authentication 3 You next see the Web Configurator login screen. Figure 411 Secure Web Configurator Login Screen 45.7 SSH You can use SSH (Secure SHell) to securely access the ZyWALL’s command line interface.
Chapter 45 System SSH is a secure communication protocol that combines authentication and data encryption to provide secure encrypted communication between two hosts over an unsecured network. In the following figure, computer A on the Internet uses SSH to securely connect to the WAN port of the ZyWALL for a management session. Figure 412 SSH Communication Over the WAN Example 45.7.
Chapter 45 System 2 Encryption Method Once the identification is verified, both the client and server must agree on the type of encryption method to use. 3 Authentication and Data Transmission After the identification is verified and data encryption activated, a secure tunnel is established between the client and the server. The client then sends its authentication information (user name and password) to the server to log in to the server. 45.7.
Note: It is recommended that you disable Telnet and FTP when you configure SSH for secure connections. Figure 414 Configuration > System > SSH The following table describes the labels in this screen. Table 221 Configuration > System > SSH LABEL DESCRIPTION Enable Select this check box to allow SSH access to the ZyWALL CLI from computers whose IP addresses match the entries in the Service Control table. Clear it to disable SSH management.
Table 221 Configuration > System > SSH (continued) LABEL DESCRIPTION Move To change an entry’s position in the numbered list, select the entry and click Move to display a field, type the number of the position you want, and press [ENTER] to move the rule there. # This is the index number of the service control rule. Zone This is the zone on the ZyWALL from which the user is allowed or denied access.
Enter the password to log in to the ZyWALL. The CLI screen displays next. 45.7.5.2 Example 2: Linux This section describes how to access the ZyWALL using the OpenSSH client program that comes with most Linux distributions. 1 Test whether the SSH service is available on the ZyWALL. Enter “telnet 192.168.1.1 22” at a terminal prompt and press [ENTER]. The computer attempts to connect to port 22 on the ZyWALL (using the default IP address of 192.168.1.1). If the service is running, the ZyWALL answers with its SSH identification line (beginning “SSH-”). When the OpenSSH client connects for the first time it asks you to confirm the ZyWALL’s host key fingerprint; verify it before accepting, because the client uses that key to recognize the ZyWALL on all later connections.
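The following script automates the port 22 test above and interprets what the ZyWALL sends back instead of leaving you to read it off a telnet session. It is an added example, not code from this User’s Guide or from ZyXEL. The host and port defaults are the factory LAN address and SSH port given in the guide; the banner strings in the usage section are constructed for illustration, not captured from a device. The identification line format follows RFC 4253 (“SSH-protoversion-softwareversion”), and a protocol version of “1.99” means the server also accepts SSH-1 clients, which a hardened device should not.

```python
"""Probe an SSH service and parse its identification string (RFC 4253 section 4.2).

Added example for the ZyWALL SSH section; not ZyXEL code. Defaults below are the
guide's factory LAN address and the standard SSH port.
"""
import re
import socket

# "SSH-protoversion-softwareversion SP comments CR LF"
BANNER_RE = re.compile(r"^SSH-(?P<proto>[^-]+)-(?P<software>\S+)(?: (?P<comment>.*))?$")


def parse_ssh_banner(line: str) -> dict:
    """Parse one identification line; raise ValueError if it is not an SSH banner."""
    line = line.rstrip("\r\n")
    m = BANNER_RE.match(line)
    if not m:
        raise ValueError(f"not an SSH identification string: {line!r}")
    proto = m.group("proto")
    return {
        "protocol": proto,
        "software": m.group("software"),
        "comment": m.group("comment"),
        # RFC 4253 section 5.1: "1.99" advertises compatibility with SSH-1 clients.
        # SSH-1 has known protocol weaknesses, so expect "2.0" from a hardened device.
        "accepts_ssh1": proto in ("1.5", "1.99"),
    }


def probe_ssh(host: str = "192.168.1.1", port: int = 22, timeout: float = 5.0) -> dict:
    """Connect, read the server's identification line and return the parsed result.

    The client banner is sent first so that servers waiting for it still answer.
    """
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(b"SSH-2.0-probe\r\n")
        f = s.makefile("rb")
        # RFC 4253 allows the server to send other lines before its banner;
        # those lines must not start with "SSH-", so skip until one does.
        for raw in f:
            line = raw.decode("ascii", "replace")
            if line.startswith("SSH-"):
                return parse_ssh_banner(line)
    raise ValueError("connection closed without an SSH identification string")


if __name__ == "__main__":
    import sys

    target = sys.argv[1] if len(sys.argv) > 1 else "192.168.1.1"
    # Constructed banners shown for reference; probe_ssh() reads a real one.
    print(parse_ssh_banner("SSH-2.0-OpenSSH_5.3"))
    print(parse_ssh_banner("SSH-1.99-example_1.0"))
    print(probe_ssh(target))
```

Run it with the ZyWALL’s address as the argument. A result with “accepts_ssh1” set to True means the device is still offering the SSH-1 fallback; the parse step alone can be used on a banner copied from any telnet session.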
45.8.1 Configuring Telnet Click Configuration > System > TELNET to configure your ZyWALL for remote Telnet access. Use this screen to specify from which zones Telnet can be used to manage the ZyWALL. You can also specify from which IP addresses the access can come. Telnet sends the user name, password and the whole management session in clear text, so leave it disabled and use SSH unless you have a specific need for it. Figure 418 Configuration > System > TELNET The following table describes the labels in this screen.
Table 222 Configuration > System > TELNET (continued) LABEL DESCRIPTION # This is the index number of the service control rule. The entry with a hyphen (-) instead of a number is the ZyWALL’s (nonconfigurable) default policy. The ZyWALL applies this to traffic that does not match any other configured rule. It is not an editable rule. To apply other behavior, configure a rule that the traffic will match so the ZyWALL does not have to use the default policy.
be used to access the ZyWALL. You can also specify from which IP addresses the access can come. Like Telnet, FTP sends the user name, password and the files you transfer in clear text, so restrict it to trusted zones and source addresses. Figure 419 Configuration > System > FTP The following table describes the labels in this screen. Table 223 Configuration > System > FTP LABEL DESCRIPTION Enable Select this check box to allow FTP access to the ZyWALL from computers whose IP addresses match the entries in the Service Control table. Clear it to disable FTP.
Table 223 Configuration > System > FTP (continued) LABEL DESCRIPTION Move To change an entry’s position in the numbered list, select the entry and click Move to display a field, type the number of the position you want, and press [ENTER] to move the rule there. # This is the index number of the service control rule. The entry with a hyphen (-) instead of a number is the ZyWALL’s (nonconfigurable) default policy.
Chapter 45 System and version two (SNMPv2c). The next figure illustrates an SNMP management operation. Figure 420 SNMP Management Model An SNMP managed network consists of two main types of component: agents and a manager. An agent is a management software module that resides in a managed device (the ZyWALL). An agent translates the local management information from the managed device into a form compatible with SNMP.
Chapter 45 System • GetNext - Allows the manager to retrieve the next object variable from a table or list within an agent. In SNMPv1, when a manager wants to retrieve all elements of a table from an agent, it initiates a Get operation, followed by a series of GetNext operations. • Set - Allows the manager to set values for object variables within an agent. • Trap - Used by the agent to inform the manager of some events. 45.10.
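The table walk described above (a Get followed by a series of GetNext operations until the returned OID leaves the table) is shown below as an added example; it is not code from this User’s Guide or from ZyXEL. The agent is an in-memory stand-in with constructed values, so the walk runs offline; a real manager sends the same sequence of operations to the ZyWALL’s SNMP port. The community-string check in the stand-in mirrors the only authentication SNMPv1 and SNMPv2c provide, which is why the SNMP screen restricts access by zone and source IP address.

```python
"""SNMP table walk with Get followed by GetNext, against an in-memory agent.

Added example for the SNMP section of the ZyWALL guide; not ZyXEL code.
SAMPLE_MIB is constructed: standard MIB-II OIDs with made-up values.
"""
from typing import Optional, Tuple

Oid = Tuple[int, ...]


def parse_oid(s: str) -> Oid:
    return tuple(int(p) for p in s.strip(".").split("."))


def fmt_oid(oid: Oid) -> str:
    return "." + ".".join(map(str, oid))


SAMPLE_MIB = {
    ".1.3.6.1.2.1.1.1.0": "ZyWALL USG 50",  # sysDescr (constructed value)
    ".1.3.6.1.2.1.2.2.1.1.1": 1,            # ifIndex.1
    ".1.3.6.1.2.1.2.2.1.1.2": 2,            # ifIndex.2
    ".1.3.6.1.2.1.2.2.1.2.1": "ge1",        # ifDescr.1
    ".1.3.6.1.2.1.2.2.1.2.2": "ge2",        # ifDescr.2
    ".1.3.6.1.2.1.4.1.0": 1,                # ipForwarding
}


class FakeAgent:
    """Stand-in agent: objects kept in lexicographic OID order, guarded by a community string."""

    def __init__(self, community: str, objects: dict):
        self.community = community
        self.view = sorted((parse_oid(k), v) for k, v in objects.items())

    def _check(self, community: str) -> None:
        # SNMPv1/v2c "authentication" is this comparison of a clear-text string.
        if community != self.community:
            raise PermissionError("bad community string")

    def get(self, community: str, oid: Oid):
        self._check(community)
        for k, v in self.view:
            if k == oid:
                return v
        return None  # noSuchName / noSuchObject

    def get_next(self, community: str, oid: Oid) -> Optional[Tuple[Oid, object]]:
        """First object whose OID sorts strictly after oid, or None at end of MIB."""
        self._check(community)
        for k, v in self.view:
            if k > oid:
                return k, v
        return None


def walk(agent: FakeAgent, community: str, subtree: str) -> dict:
    """Manager side: Get the starting OID, then GetNext until the OID leaves the subtree."""
    root = parse_oid(subtree)
    out = {}
    first = agent.get(community, root)
    if first is not None:
        out[fmt_oid(root)] = first
    cur = root
    while True:
        nxt = agent.get_next(community, cur)
        if nxt is None or nxt[0][: len(root)] != root:
            return out  # end of MIB, or we have walked past the table
        cur, value = nxt
        out[fmt_oid(cur)] = value


if __name__ == "__main__":
    agent = FakeAgent("public", SAMPLE_MIB)
    for oid, value in walk(agent, "public", ".1.3.6.1.2.1.2.2").items():
        print(oid, value)
```

Walking a prefix that is itself a leaf (sysDescr, for example) returns just that object, because the first GetNext already leaves the prefix. Over the network the manager must stop on the prefix test exactly as shown; otherwise it keeps walking into the next table until the agent reports end of MIB.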
settings, including from which zones SNMP can be used to access the ZyWALL. You can also specify from which IP addresses the access can come. SNMPv1 and SNMPv2c authenticate a request only by a community string sent in clear text, so restrict SNMP to management zones and known source addresses and choose community strings that cannot be guessed. Figure 421 Configuration > System > SNMP The following table describes the labels in this screen. Table 225 Configuration > System > SNMP LABEL DESCRIPTION Enable Select this check box to allow SNMP access to the ZyWALL from computers whose IP addresses match the entries in the Service Control table. Clear it to disable SNMP.
Chapter 45 System Table 225 Configuration > System > SNMP (continued) LABEL DESCRIPTION Add Click this to create a new entry. Select an entry and click Add to create a new entry after the selected entry. Refer to Table 219 on page 695 for details on the screen that opens. Edit Double-click an entry or select it and click Edit to be able to modify the entry’s settings. Remove To remove an entry, select it and click Remove. The ZyWALL confirms you want to remove it before doing so.
Chapter 45 System 45.11.1 Configuring Vantage CNM Vantage CNM is disabled on the device by default. Click Configuration > System > Vantage CNM to configure your device’s Vantage CNM settings. Figure 422 Configuration > System > Vantage CNM The following table describes the labels in this screen. Table 226 Configuration > System > Vantage CNM LABEL DESCRIPTION Show Advance Settings / Hide Advance Settings Click this button to display a greater or lesser number of configuration fields.
Chapter 45 System Table 226 Configuration > System > Vantage CNM (continued) LABEL DESCRIPTION Transfer Protocol Select whether the Vantage CNM sessions should use regular HTTP connections or secure HTTPS connections. Note: HTTPS is recommended. The Vantage CNM server must use the same setting. Device Management IP Select Auto to have the ZyWALL allow Vantage CNM sessions to connect to any of the ZyWALL’s IP addresses. Custom IP Specify the ZyWALL’s IP address that allows Vantage CNM sessions.
45.12 Language Screen Click Configuration > System > Language to open the following screen. Use this screen to select a display language for the ZyWALL’s Web Configurator screens. Figure 423 Configuration > System > Language The following table describes the labels in this screen. Table 227 Configuration > System > Language LABEL DESCRIPTION Language Setting Select a display language for the ZyWALL’s Web Configurator screens.
CHAPTER 46 Log and Report 46.1 Overview Use these screens to configure daily reporting and log settings. 46.1.1 What You Can Do In this Chapter • Use the Email Daily Report screen (Section 46.2 on page 723) to configure where and how to send daily reports and what reports to send. • Use the Maintenance > Log Setting screens (Section 46.3 on page 725) to specify which log messages are e-mailed, where they are e-mailed, and how often they are e-mailed. 46.
Chapter 46 Log and Report Click Configuration > Log & Report > Email Daily Report to display the following screen. Configure this screen to have the ZyWALL e-mail you system statistics every day.
Chapter 46 Log and Report The following table describes the labels in this screen. Table 228 Configuration > Log & Report > Email Daily Report LABEL DESCRIPTION Enable Email Daily Report Select this to send reports by e-mail every day. Mail Server Type the name or IP address of the outgoing SMTP server. Mail Subject Type the subject line for the outgoing e-mail. Select Append system name to add the ZyWALL’s system name to the subject.
Chapter 46 Log and Report The Log Setting tab also controls what information is saved in each log. For the system log, you can also specify which log messages are e-mailed, where they are e-mailed, and how often they are e-mailed. For alerts, the Log Settings tab controls which events generate alerts and where alerts are e-mailed. The Log Settings Summary screen provides a summary of all the settings.
Chapter 46 Log and Report Table 229 Configuration > Log & Report > Log Setting (continued) LABEL DESCRIPTION # This field is a sequential value, and it is not associated with a specific log. Name This field displays the name of the log (system log or one of the remote servers). Log Format This field displays the format of the log. Internal - system log; you can view the log on the View Log tab. VRPT/Syslog - ZyXEL’s Vantage Report, syslog-compatible format.
Figure 426 Configuration > Log & Report > Log Setting > Edit (System Log)
Chapter 46 Log and Report The following table describes the labels in this screen. Table 230 Configuration > Log & Report > Log Setting > Edit (System Log) LABEL DESCRIPTION E-Mail Server 1/2 Active Select this to send log messages and alerts according to the information in this section. You specify what kinds of log messages are included in log information and what kinds of log messages are included in alerts in the Active Log and Alert section.
Chapter 46 Log and Report Table 230 Configuration > Log & Report > Log Setting > Edit (System Log) LABEL E-mail Server 1 DESCRIPTION Use the E-Mail Server 1 drop-down list to change the settings for e-mailing logs to e-mail server 1 for all log categories. Using the System Log drop-down list to disable all logs overrides your e-mail server 1 settings. enable normal logs (green check mark) - e-mail log messages for all categories to e-mail server 1.
Chapter 46 Log and Report Table 230 Configuration > Log & Report > Log Setting > Edit (System Log) LABEL DESCRIPTION Active Select this to activate log consolidation. Log consolidation aggregates multiple log messages that arrive within the specified Log Consolidation Interval. In the View Log tab, the text “[count=x]”, where x is the number of original log messages, is appended at the end of the Message field, when multiple log messages were aggregated.
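The consolidation behaviour described for the View Log tab is shown below as an added example; it is not code from this User’s Guide or from ZyXEL. The log lines are constructed, the timestamp/category/message layout is an assumption made for the demo, and the interval is a parameter because the guide does not state a default here. Consolidation keys on the category and the exact message text; the window is fixed at the time of the first message of each run rather than sliding, which is the simpler of the two readings of “arrive within the specified Log Consolidation Interval”.

```python
"""Log consolidation: repeats within an interval collapse to one entry with "[count=x]".

Added example for the ZyWALL log settings section; not ZyXEL code.
SAMPLE_LOG is constructed; the line layout is an assumption for the demo.
"""
from datetime import datetime, timedelta

SAMPLE_LOG = """\
2010-11-09 10:00:00 firewall Match default rule, DROP
2010-11-09 10:00:05 firewall Match default rule, DROP
2010-11-09 10:00:40 firewall Match default rule, DROP
2010-11-09 10:00:50 user Administrator admin from http/https has logged in
2010-11-09 10:03:10 firewall Match default rule, DROP
"""


def parse_line(line: str):
    """Split 'YYYY-MM-DD HH:MM:SS category message' into its three parts."""
    ts = datetime.strptime(line[:19], "%Y-%m-%d %H:%M:%S")
    category, _, message = line[20:].partition(" ")
    return ts, category, message


def consolidate(log_text: str, interval: timedelta = timedelta(seconds=120)) -> list:
    """Return the consolidated log as text lines, ordered by first occurrence."""
    open_windows = {}  # (category, message) -> [first timestamp, count]
    entries = []

    def flush(key):
        first_ts, count = open_windows.pop(key)
        category, message = key
        if count > 1:
            message = f"{message} [count={count}]"
        entries.append((first_ts, category, message))

    for raw in log_text.splitlines():
        if not raw.strip():
            continue
        ts, category, message = parse_line(raw)
        key = (category, message)
        if key in open_windows and ts - open_windows[key][0] < interval:
            open_windows[key][1] += 1  # same message inside the window: count it
        else:
            if key in open_windows:
                flush(key)  # window expired: emit it and start a new one
            open_windows[key] = [ts, 1]

    for key in list(open_windows):
        flush(key)
    entries.sort(key=lambda e: e[0])
    return [f"{ts:%Y-%m-%d %H:%M:%S} {category} {message}" for ts, category, message in entries]


if __name__ == "__main__":
    for line in consolidate(SAMPLE_LOG):
        print(line)
```

The consolidated entry keeps only the first timestamp of a run, so the individual arrival times are lost. Keep that in mind when forwarding consolidated logs to a remote syslog server or when counting events during an incident: the “[count=x]” suffix is the only record of the repeats.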
Chapter 46 Log and Report 46.3.3 Edit Remote Server Log Settings The Log Settings Edit screen controls the detailed settings for each log in the remote server (syslog). Go to the Log Settings Summary screen (see Section 46.3.1 on page 726), and click a remote server Edit icon.
Chapter 46 Log and Report The following table describes the labels in this screen. Table 231 Configuration > Log & Report > Log Setting > Edit (Remote Server) LABEL DESCRIPTION Log Settings for Remote Server Active Select this check box to send log information according to the information in this section. You specify what kinds of messages are included in log information in the Active Log section. Log Format This field displays the format of the log information. It is read-only.
46.3.4 Active Log Summary Screen The Active Log Summary screen allows you to view and to edit what information is included in the system log, e-mail profiles, and remote servers at the same time. It does not let you change other log settings (for example, where and how often log information is e-mailed or remote server names). To access this screen, go to the Log Settings Summary screen (see Section 46.3.1 on page 726), and click the Active Log Summary button.
Chapter 46 Log and Report The following table describes the fields in this screen. Table 232 Configuration > Log & Report > Log Setting > Active Log Summary LABEL DESCRIPTION System log Use the System Log drop-down list to change the log settings for all of the log categories. disable all logs (red X) - do not log any information for any category for the system log or e-mail any logs to e-mail server 1 or 2.
Chapter 46 Log and Report Table 232 Configuration > Log & Report > Log Setting > Active Log Summary LABEL DESCRIPTION System log Select which events you want to log by Log Category.
CHAPTER 47 File Manager 47.1 Overview Configuration files define the ZyWALL’s settings. Shell scripts are files of commands that you can store on the ZyWALL and run when you need them. You can apply a configuration file or run a shell script without the ZyWALL restarting. You can store multiple configuration files and shell script files on the ZyWALL. You can edit configuration files or shell scripts in a text editor and upload them to the ZyWALL. Configuration files use a .
Chapter 47 File Manager These files have the same syntax, which is also identical to the way you run CLI commands manually. An example is shown below.
Figure 429 Configuration File / Shell Script: Example
# enter configuration mode
configure terminal
# change administrator password
username admin password 4321 user-type admin
# configure ge3
interface ge3
ip address 172.23.37.240 255.255.255.0
ip gateway 172.23.37.
Your configuration files or shell scripts can use “exit” or a command line consisting of a single “!” to have the ZyWALL exit sub command mode.
Note: “exit” or “!” must follow the sub commands if it is to make the ZyWALL exit sub command mode.
Line 3 in the following example exits sub command mode.
interface ge1
ip address dhcp
!
Lines 1 and 3 in the following example are comments and line 4 exits sub command mode.
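A small check that can be run on a configuration file or shell script before uploading it is shown below, as an added example that is not part of this User’s Guide and not ZyXEL code. It uses only what the guide states about the syntax: one CLI command per line, “#” comment lines, “exit” or a lone “!” to leave sub command mode, and the “write” command needed to keep changes across a restart. Which commands open a sub command mode is an assumption: the guide only shows “interface <name>”, so that is the only opener configured, and “configure terminal” is deliberately not counted because the guide’s own example never exits it. The password-length check is an added hygiene rule, not a ZyWALL requirement; the sample script is the guide’s example with the truncated gateway line left out.

```python
"""Lint a ZyWALL configuration file / shell script before uploading it.

Added example; not ZyXEL code. Rules are derived from the syntax the guide states.
BLOCK_OPENERS is an assumption: only "interface <name>" is known from the guide.
"""
import re

BLOCK_OPENERS = (re.compile(r"^interface \S+$"),)
# The guide's example sets the admin password in clear text, so any script that
# does this is itself a secret and must be stored and transferred as one.
PASSWORD_RE = re.compile(r"^username (\S+) password (\S+)")

SAMPLE_SCRIPT = """\
# enter configuration mode
configure terminal
# change administrator password
username admin password 4321 user-type admin
# configure ge3
interface ge3
ip address 172.23.37.240 255.255.255.0
!
write
"""


def lint_script(text: str, min_password_len: int = 12) -> dict:
    """Return {"ok": bool, "warnings": [...]} for the script text."""
    depth = 0
    has_write = False
    warnings = []
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # blank line or comment
        if line in ("exit", "!"):
            if depth == 0:
                warnings.append(f"line {n}: '{line}' with no open sub command mode")
            else:
                depth -= 1
            continue
        if line == "write":
            has_write = True
        m = PASSWORD_RE.match(line)
        if m and len(m.group(2)) < min_password_len:
            warnings.append(
                f"line {n}: password for user {m.group(1)!r} is shorter than {min_password_len} characters"
            )
        if any(p.match(line) for p in BLOCK_OPENERS):
            depth += 1
    if depth:
        warnings.append(f"end of file: {depth} sub command mode(s) left open (missing 'exit' or '!')")
    if not has_write:
        warnings.append("no 'write' command: changes are lost when the ZyWALL restarts")
    return {"ok": not warnings, "warnings": warnings}


if __name__ == "__main__":
    import sys

    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_SCRIPT
    for w in lint_script(text)["warnings"]:
        print(w)
```

Run with the script file as the argument. On the guide’s own example the only finding is the four-character administrator password; a script that opens an interface block and never closes it, or that omits “write”, is reported as well.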
Chapter 47 File Manager 47.2 The Configuration File Screen Click Maintenance > File Manager > Configuration File to open the Configuration File screen. Use the Configuration File screen to store, run, and name configuration files. You can also download configuration files from the ZyWALL to your computer and upload configuration files from your computer to the ZyWALL.
The following table describes the labels in this screen. Table 234 Maintenance > File Manager > Configuration File LABEL DESCRIPTION Rename Use this button to change the label of a configuration file on the ZyWALL. You can only rename manually saved configuration files. You cannot rename the lastgood.conf, system-default.conf and startup-config.conf files. You cannot rename a configuration file to the name of another configuration file in the ZyWALL.
Chapter 47 File Manager Table 234 Maintenance > File Manager > Configuration File (continued) LABEL DESCRIPTION Copy Use this button to save a duplicate of a configuration file on the ZyWALL. Click a configuration file’s row to select it and click Copy to open the Copy File screen. Figure 432 Maintenance > File Manager > Configuration File > Copy Specify a name for the duplicate configuration file. Use up to 25 characters (including a-zA-Z0-9;‘~!@#$%^&()_+[]{}’,.=-).
Chapter 47 File Manager Table 234 Maintenance > File Manager > Configuration File (continued) LABEL DESCRIPTION Apply Use this button to have the ZyWALL use a specific configuration file. Click a configuration file’s row to select it and click Apply to have the ZyWALL use that configuration file. The ZyWALL does not have to restart in order to use a different configuration file, although you will need to wait for a few minutes while the system reconfigures.
Chapter 47 File Manager Table 234 Maintenance > File Manager > Configuration File (continued) LABEL DESCRIPTION File Name This column displays the label that identifies a configuration file. You cannot delete the following configuration files or change their file names. The system-default.conf file contains the ZyWALL’s default settings. Select this file and click Apply to reset all of the ZyWALL settings to the factory defaults. This configuration file is included when you upload a firmware package.
Chapter 47 File Manager Note: The Web Configurator is the recommended method for uploading firmware. You only need to use the command line interface if you need to recover the firmware. See the CLI Reference Guide for how to determine if you need to recover the firmware and how to recover it. Find the firmware package at www.zyxel.com in a file that (usually) uses the system model name with a .bin extension, for example, “zywall.bin”.
Chapter 47 File Manager After you see the Firmware Upload in Process screen, wait two minutes before logging into the ZyWALL again. Figure 435 Firmware Upload In Process Note: The ZyWALL automatically reboots after a successful upload. The ZyWALL automatically restarts causing a temporary network disconnect. In some operating systems, you may see the following icon on your desktop.
Chapter 47 File Manager Note: You should include write commands in your scripts. If you do not use the write command, the changes will be lost when the ZyWALL restarts. You could use multiple write commands in a long script. Figure 438 Maintenance > File Manager > Shell Script Each field is described in the following table. Table 236 Maintenance > File Manager > Shell Script LABEL DESCRIPTION Rename Use this button to change the label of a shell script file on the ZyWALL.
Table 236 Maintenance > File Manager > Shell Script (continued) LABEL DESCRIPTION Copy Use this button to save a duplicate of a shell script file on the ZyWALL. Click a shell script file’s row to select it and click Copy to open the Copy File screen. Figure 440 Maintenance > File Manager > Shell Script > Copy Specify a name for the duplicate file. Use up to 25 characters (including a-zA-Z0-9;‘~!@#$%^&()_+[]{}’,.=-).
CHAPTER 48 Diagnostics 48.1 Overview Use the diagnostics screens for troubleshooting. 48.1.1 What You Can Do in this Chapter • Use the Maintenance > Diagnostics screen (see Section 48.2 on page 749) to generate a file containing the ZyWALL’s configuration and diagnostic information if you need to provide it to customer support during troubleshooting. • Use the Maintenance > Diagnostics > Packet Capture screens (see Section 48.3 on page 750) to capture packets going through the ZyWALL. 48.
Chapter 48 Diagnostics The following table describes the labels in this screen. Table 237 Maintenance > Diagnostics LABEL DESCRIPTION Filename This is the name of the most recently created diagnostic file. Last modified This is the date and time that the last diagnostic file was created. The format is yyyy-mm-dd hh:mm:ss. Size This is the size of the most recently created diagnostic file. Collect Now Click this to have the ZyWALL create a new diagnostic file.
Chapter 48 Diagnostics The following table describes the labels in this screen. Table 238 Maintenance > Diagnostics > Packet Capture LABEL DESCRIPTION Interfaces Enabled interfaces (except for virtual interfaces) appear under Available Interfaces. Select interfaces for which to capture packets and click the right arrow button to move them to the Capture Interfaces list. Use the [Shift] and/or [Ctrl] key to select multiple objects. IP Type Select the protocol of traffic for which to capture packets.
Chapter 48 Diagnostics Table 238 Maintenance > Diagnostics > Packet Capture (continued) LABEL DESCRIPTION Capture Click this button to have the ZyWALL capture packets according to the settings configured in this screen. You can configure the ZyWALL while a packet capture is in progress although you cannot modify the packet capture settings. The ZyWALL’s throughput or performance may be affected while a packet capture is in progress.
Table 239 Maintenance > Diagnostics > Packet Capture > Files (continued) LABEL DESCRIPTION # This column displays the number for each packet capture file entry. The total number of packet capture files that you can save depends on the file sizes and the available flash storage space. File Name This column displays the label that identifies the file. The file name format is interface name-file suffix.cap. Size This column displays the size (in bytes) of a packet capture file.
CHAPTER 49 Reboot 49.1 Overview Use this to restart the device (for example, if the device begins behaving erratically). See also Section 1.5 on page 35 for information on different ways to start and stop the ZyWALL. 49.1.1 What You Need To Know If you applied changes in the Web configurator, these were saved automatically and do not change when you reboot. If you made changes in the CLI, however, you have to use the write command to save the configuration before you reboot.
CHAPTER 50 Shutdown 50.1 Overview Use this to shut down the device in preparation for disconnecting the power. See also Section 1.5 on page 35 for information on different ways to start and stop the ZyWALL. Always use the Maintenance > Shutdown > Shutdown screen or the “shutdown” command before you turn off the ZyWALL or remove the power. Not doing so can cause the firmware to become corrupt. 50.1.1 What You Need To Know Shutdown writes all cached data to the local storage and stops the system processes.
CHAPTER 51 Troubleshooting This chapter offers some suggestions to solve problems you might encounter. • You can also refer to the logs (see Chapter 9 on page 206). For individual log descriptions, see the User’s Guide appendix Appendix A on page 783. • For the order in which the ZyWALL applies its features and checks, see Section 6.4 on page 91. None of the LEDs turn on. Make sure that you have the power cord connected to the ZyWALL and plugged in to an appropriate power source.
Chapter 51 Troubleshooting • If you’ve forgotten the ZyWALL’s IP address, you can use the commands through the console port to check it. Connect your computer to the CONSOLE port using a console cable. Your computer should have a terminal emulation communications program (such as HyperTerminal) set to VT100 terminal emulation, no parity, 8 data bits, 1 stop bit, no flow control and 115200 bps port speed. I cannot access the Internet.
Chapter 51 Troubleshooting • Make sure your ZyWALL has the content filter category service registered and that the license is not expired. Purchase a new license if the license is expired. • Make sure your ZyWALL is connected to the Internet. I configured security settings but the ZyWALL is not applying them for certain interfaces. Many security settings are usually applied to zones. Make sure you assign the interfaces to the appropriate zones.
Chapter 51 Troubleshooting I cannot set up a PPP interface, virtual Ethernet interface or virtual VLAN interface on an Ethernet interface. You cannot set up a PPP interface, virtual Ethernet interface or virtual VLAN interface if the underlying interface is a member of a bridge. You also cannot add an Ethernet interface or VLAN interface to a bridge if the member interface has a virtual interface or PPP interface on top of it. My rules and settings that apply to a particular interface no longer work.
• If the ZyWALL has multiple WAN interfaces, make sure their IP addresses are on different subnets. I cannot configure a particular VLAN interface on top of an Ethernet interface even though I have it configured on top of another Ethernet interface. Each VLAN interface is created on top of only one Ethernet interface. The ZyWALL is not applying an interface’s configured ingress bandwidth limit.
Chapter 51 Troubleshooting matched still goes through. Since the ZyWALL erases the infected portion of the file before sending it, you may not be able to open the file. The ZyWALL is not scanning some zipped files. The ZyWALL cannot unzip password protected ZIP files or a ZIP file within another ZIP file. There are also limits to the number of ZIP files that the ZyWALL can concurrently unzip. The ZyWALL is deleting some zipped files.
Chapter 51 Troubleshooting ZyWALL are overwritten with the new file. If this is not your intention, make sure that the files you import are not named ‘custom.rules’. I cannot configure some items in IDP that I can configure in Snort. Not all Snort functionality is supported in the ZyWALL. The ZyWALL’s performance seems slower after configuring ADP. Depending on your network topology and traffic load, applying an anomaly profile to each and every packet direction may affect the ZyWALL’s performance.
Chapter 51 Troubleshooting • The ZyWALL may not determine the proper IP address if there is an HTTP proxy server between the ZyWALL and the DDNS server. I cannot create a second HTTP redirect rule for an incoming interface. You can configure up to one HTTP redirect rule for each (incoming) interface. I cannot get the application patrol to manage SIP traffic. Make sure you have the SIP ALG enabled. I cannot get the application patrol to manage H.323 traffic. Make sure you have the H.323 ALG enabled.
Chapter 51 Troubleshooting I cannot set up an IPSec VPN tunnel to another device. If the IPSec tunnel does not build properly, the problem is likely a configuration error at one of the IPSec routers. Log into both ZyXEL IPSec routers and check the settings in each field methodically and slowly. Make sure both the ZyWALL and remote IPSec router have the same security settings for the VPN tunnel. It may help to display the settings for both routers side-by-side. Here are some general suggestions.
Chapter 51 Troubleshooting • Make sure the To-ZyWALL firewall rules allow IPSec VPN traffic to the ZyWALL. IKE uses UDP port 500, AH uses IP protocol 51, and ESP uses IP protocol 50. • The ZyWALL supports UDP port 500 and UDP port 4500 for NAT traversal. If you enable this, make sure the To-ZyWALL firewall rules allow UDP port 4500 too. • Make sure regular firewall rules allow traffic between the VPN tunnel and the rest of the network.
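The checklist in the bullets above (IKE on UDP port 500, ESP as IP protocol 50, AH as IP protocol 51, and UDP port 4500 when NAT traversal is enabled) is turned into a rule-set check below, as an added example that is not code from this User’s Guide or from ZyXEL. The rule representation (a list of dictionaries with an action, a protocol and an optional destination port, evaluated first match wins with deny as the default) is an assumption made for the demo and is not the ZyWALL’s own rule format. The sample rule sets are constructed. The point the check makes is the one that most often goes wrong here: ESP and AH are IP protocols, so a rule that allows “port 50” or “port 51” on TCP or UDP does not admit them.

```python
"""Check that a To-ZyWALL rule set admits the traffic an IPSec VPN needs.

Added example for the VPN troubleshooting section; not ZyXEL code.
Rule format is an assumption for the demo: {"action", "protocol", "dst_port"}.
"""
ANY = "any"
PROTO_NUMBERS = {"tcp": 6, "udp": 17, "esp": 50, "ah": 51}


def proto_number(p) -> int:
    """Accept a protocol name or an IP protocol number."""
    return PROTO_NUMBERS[p] if isinstance(p, str) else int(p)


# (IP protocol, destination port or None for protocols that have no ports)
IPSEC_FLOWS = {"IKE": ("udp", 500), "ESP": ("esp", None), "AH": ("ah", None)}
NAT_T_FLOWS = {"NAT-T": ("udp", 4500)}


def rule_matches(rule: dict, proto, port) -> bool:
    rp = rule.get("protocol", ANY)
    if rp != ANY and proto_number(rp) != proto_number(proto):
        return False
    rport = rule.get("dst_port", ANY)
    return rport == ANY or rport == port  # a port rule never matches ESP/AH (port None)


def verdict(rules: list, proto, port, default: str = "deny") -> str:
    """First matching rule wins; the default policy applies when nothing matches."""
    for rule in rules:
        if rule_matches(rule, proto, port):
            return rule["action"]
    return default


def check_ipsec_rules(rules: list, nat_traversal: bool = False) -> dict:
    flows = dict(IPSEC_FLOWS)
    if nat_traversal:
        flows.update(NAT_T_FLOWS)
    return {name: verdict(rules, *flow) == "allow" for name, flow in flows.items()}


def missing_flows(rules: list, nat_traversal: bool = False) -> list:
    return [name for name, ok in check_ipsec_rules(rules, nat_traversal).items() if not ok]


# Constructed sample rule sets.
RULES_INCOMPLETE = [
    {"action": "allow", "protocol": "udp", "dst_port": 500},  # IKE only
    {"action": "allow", "protocol": "esp"},
]
RULES_COMPLETE = RULES_INCOMPLETE + [
    {"action": "allow", "protocol": "ah"},
    {"action": "allow", "protocol": "udp", "dst_port": 4500},
]
# A broad deny placed first shadows the IKE allow below it.
RULES_SHADOWED = [{"action": "deny", "protocol": "udp"}] + RULES_COMPLETE
# A common mistake: "port 50" on UDP is not ESP.
RULES_WRONG_ESP = [{"action": "allow", "protocol": "udp", "dst_port": 50}]

if __name__ == "__main__":
    for name, rules in [("incomplete", RULES_INCOMPLETE), ("shadowed", RULES_SHADOWED)]:
        print(name, "missing:", missing_flows(rules, nat_traversal=True))
```

Feed it the rules in the order the ZyWALL evaluates them; an earlier deny that covers UDP will be reported as a missing IKE flow even though an allow for port 500 exists further down.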
Chapter 51 Troubleshooting Available resource links vary depending on the SSL application object’s configuration. I cannot download the ZyWALL’s firmware package. The ZyWALL’s firmware package cannot go through the ZyWALL when you enable the anti-virus Destroy compressed files that could not be decompressed option. The ZyWALL classifies the firmware package as not being able to be decompressed and deletes it.
Chapter 51 Troubleshooting I configured policy routes to manage the bandwidth of TCP and UDP traffic but the bandwidth management is not being applied properly. It is recommended to use application patrol instead of policy routes to manage the bandwidth of TCP and UDP traffic. I cannot get the RADIUS server to authenticate the ZyWALL‘s default admin account. The default admin account is always authenticated locally, regardless of the authentication method setting.
Chapter 51 Troubleshooting I cannot get a certificate to import into the ZyWALL. 1 For My Certificates, you can import a certificate that matches a corresponding certification request that was generated by the ZyWALL. You can also import a certificate in PKCS#12 format, including the certificate’s public and private keys. 2 You must remove any spaces from the certificate’s filename before you can import the certificate.
Chapter 51 Troubleshooting I uploaded a logo to use as the screen or window background but it does not display properly. Make sure the logo file is a GIF, JPG, or PNG of 100 kilobytes or less. The ZyWALL’s traffic throughput rate decreased after I started collecting traffic statistics. Data collection may decrease the ZyWALL’s traffic throughput rate. I can only see newer logs. Older logs are missing.
Chapter 51 Troubleshooting See the CLI Reference Guide for how to determine if you need to recover the firmware and how to recover it. My packet capture captured less than I wanted or failed. The packet capture screen’s File Size sets a maximum size limit for the total combined size of all the capture files on the ZyWALL, including any existing capture files and any new capture files you generate. If you have existing capture files you may need to set this size larger or delete existing capture files.
Chapter 51 Troubleshooting 2 Press the RESET button and hold it until the SYS LED begins to blink. (This usually takes about five seconds.) 3 Release the RESET button, and wait for the ZyWALL to restart. You should be able to access the ZyWALL using the default settings. 51.2 Getting More Troubleshooting Help Search for support information for your model at www.zyxel.com for more troubleshooting suggestions.
CHAPTER 52 Product Specifications The following specifications are subject to change without notice. See Chapter 2 on page 37 for a general overview of key features. This table provides basic device specifications. Table 240 Default Login Information ATTRIBUTE SPECIFICATION Default IP Address (P3, P4) 192.168.1.1 Default Subnet Mask (P3, P4) 255.255.255.0 (24 bits) Default Password 1234 The default password is printed in this guide and is therefore public; change it the first time you log in and before you allow any management service (WWW, SSH, Telnet, FTP or SNMP) from a WAN zone. This table provides hardware specifications.
Chapter 52 Product Specifications This table gives details about the ZyWALL’s features.
Table 242 ZyWALL Feature Specifications
FEATURE
# of MAC: 6
Flash Size: 256
DRAM Size: 256
INTERFACE
VLAN: 16
Virtual (alias): 4 per interface
PPP (system default): 2
PPP (user created): 4
Bridge: 4
ROUTING
Static Routes: 128
Policy Routes: 200
Sessions: 10,000
ARP Table Size: 1024
MAC Table Size (For Bridge Mode only): 8K
NAT
MAX.
Table 242 ZyWALL Feature Specifications (continued)
  Address Groups: 50
  Maximum address objects in one group: 128
  Service Objects: 200
  Service Groups: 50
  Maximum service objects in one group: 128
  Schedule Objects: 32
  ISP Account: 8
  Maximum Number of LDAP Groups: 2
  Maximum Number of LDAP Servers for Each LDAP Group: 2
  Maximum Number of RADIUS Groups: 2
  Maximum Number of RADIUS Servers for Each RADIUS Group: 2
  Maximum AD servers for each AD group: 2
  Maximum A
Table 242 ZyWALL Feature Specifications (continued)
  Custom Signatures: 16
  Maximum Number of IDP Rules: 16
  ADP
    Maximum Number of ADP Profiles: 8
    Maximum Number of ADP Rules: 16
    Maximum Block Host Number: 1000
    Maximum Block Period: 3600
  CONTENT FILTER
    Maximum Number of Content Filter Policies: 16
    Maximum Number of Content Filter Profiles: 16
    Maximum Number of Forbidden Domain Entries: 64 per profile
    Maximum Number of Trusted Domain Entries: 64 per profile
    M
The following table, which is not exhaustive, lists standards referenced by ZyWALL features.

Table 243 Standards Referenced by Features
  Interface-Bridge: A subset of the ANSI/IEEE 802.1d standard
  Interface (DHCP): RFCs 2131, 2132, 1541
  Interface-PPP: RFCs 1144, 1321, 1332, 1334, 1661, 1662, 2472
  Interface-PPTP: RFCs 2637, 3078
  Interface-PPPoE: RFC 2516
  Interface-VLAN: IEEE 802.
52.1 Power Adaptor Specifications

Table 244 North American Plug Standards
  AC Power Adaptor Model: PSA18R-120P (ZA)-R
  Input Power: 100-240 VAC, 50/60 Hz, 0.5 A
  Output Power: 12 VDC, 1.5 A
  Power Consumption: 20 W max.
  Safety Standards: UL, cUL (UL 60950-1 First Edition, CSA C22.2 No. 60950-1-03 1st)

Table 245 European Plug Standards
  AC Power Adaptor Model: PSA18R-120P (ZE)-R
  Input Power: 100-240 VAC, 50/60 Hz, 0.5 A
  Output Power: 12 VDC, 1.5 A
  Power Consumption: 20 W max.
Table 249 China Plug Standards
  Power Consumption: 20 W max.
APPENDIX A Log Descriptions

This appendix provides descriptions of example log messages for the ZLD-based ZyWALLs. The logs do not all apply to all of the ZLD-based ZyWALLs. You will not necessarily see all of these logs in your device.

Table 250 Content Filter Logs
  Content filter has been enabled
    An administrator turned the content filter on.
  Content filter has been disabled
    An administrator turned the content filter off.
Table 252 Blocked Web Site Logs
  %s :%s
    The rating server responded that the web site is in a specified category and access was blocked according to a content filter profile. 1st %s: website host; 2nd %s: website category.
  %s: Unrated
    The rating server responded that the web site cannot be categorized and access was blocked according to a content filter profile.
  %s: Proxy mode is detected
    The system detected a proxy connection and blocked access according to a profile. %s: website host.
  %s: Forbidden Web site
    The web site is in the forbidden web site list. %s: website host.
  %s: Keyword blocking
    The web content matched a user-defined keyword.
Table 253 Anti-Spam Logs (continued)
  Black List checking has been activated.
    The anti-spam black list has been turned on.
  Black List checking has been deactivated.
    The anti-spam black list has been turned off.
  Black List rule %d has been added.
    The anti-spam black list rule with the specified index number (%d) has been added.
  Black List rule %d has been modified.
Table 254 SSL VPN Logs
  %s %s from %s has logged in SSLVPN
    A user has logged into SSL VPN. The first %s is the type of user account. The second %s is the user's user name. The third %s is the name of the service the user is using (HTTP or HTTPS).
  %s %s from %s has logged out SSLVPN
    A user has logged out of SSL VPN. The first %s is the type of user account. The second %s is the user's user name.
  The %s address-object is wrong type for 'network' in SSL Policy %s.
    The listed address object (first %s) is not the right kind to be specified as a network in the listed SSL VPN policy (second %s).
  The SSL VPN policy %s has been changed 'ippool' value.
    The IP pool setting has been modified in the specified SSL VPN policy (%s).
  The SSL VPN policy %s has been changed '1stdns' value.
  %s %s from %s has been logged out SSLVPN (reauth timeout)
    The specified user was signed out by the device due to a reauthentication timeout. The first %s is the type of user account. The second %s is the user's user name. The third %s is the name of the service the user is using (HTTP or HTTPS).
The ZySH logs deal with internal system errors.

Table 255 ZySH Logs
  Invalid message queue.
    The zysh message queue could not be used; another zysh daemon may already be running.
  Can't remove %s
    1st: zysh list name
  TABLE OPS
  %s: cannot retrieve entries from table!
    1st: zysh table name
  %s: index is out of range!
    1st: zysh table name
  %s: cannot set entry #%d
    1st: zysh table name; 2nd: zysh entry number
  %s: table is full!
    1st: zysh table name
  %s: invalid old/new index!
    1st: zysh table name
  Unable to move entry #%d!
    1st: zysh entry number
  %s: invalid index!
    1st: zysh table name
  Unable to delete entry
Table 256 ADP Logs
  from to [type=] , Action: , Severity:
    The ZyWALL detected an anomaly in traffic traveling between the specified zones. The type is one of scan-detection(), flooddetection(), http-inspection() or tcpdecoder(), and the remainder of the message gives details about the attack. The message is dropped if the log is more than 128 characters, so long attack details may be lost.
Table 257 Anti-Virus Logs
  Initializing Anti-Virus signature reference table has failed.
    The ZyWALL failed to initialize the anti-virus signatures due to an internal error.
  Reloading Anti-Virus signature database has failed.
    The ZyWALL failed to reload the anti-virus signatures due to an internal error.
  Reloading Anti-Virus signature reference table has failed.
    The ZyWALL failed to reload the anti-virus signatures due to an internal error.
  AV signature update has failed. Can not update last update time.
    The anti-virus signatures update did not succeed.
  AV signature update has failed. (Replacement failure)
    Anti-virus signatures update failed because the ZyWALL was not able to replace the old set of anti-virus signatures with the new one.
  AV signature update has failed. (Unknown signature package).
  Anti-Virus rule %d has been modified.
    The anti-virus rule of the specified number has been changed.
  Anti-Virus rule %d has been inserted.
    An anti-virus rule has been inserted. %d is the number of the new rule.
  Anti-Virus rule %d has been appended.
    The anti-virus rule with the listed number (%d) has been added to the end of the list.
Table 258 User Logs
  %s %s from %s has logged in ZyWALL
    A user logged into the ZyWALL. 1st %s: the type of user account. 2nd %s: the user's user name. 3rd %s: the name of the service the user is using (HTTP, HTTPS, FTP, Telnet, SSH, or console).
  %s %s from %s has logged out ZyWALL
    A user logged out of the ZyWALL. 1st %s: the type of user account. 2nd %s: the user's user name.
  Failed login attempt to ZyWALL from %s (login on a lockout address)
    A login attempt came from an IP address that the ZyWALL has locked out.
  Failed login attempt to ZyWALL from %s (reach the max. number of user)
    The ZyWALL blocked a login because the maximum login capacity for the particular service has already been reached.
  Failed login attempt to ZyWALL from %s (reach the max.
Table 259 myZyXEL.com Logs (continued)
  Registration has failed. Because of lack must fields.
    The device received an incomplete response from the myZyXEL.com server, which caused a parsing error on the device.
  %s:Trial service activation has failed:%s.
    Trial service activation failed for the specified service; the error message returned by the myZyXEL.com server is appended to this log.
  Do device register.
    The device started device registration.
  Do trial service activation.
    The device started trial service activation.
  Do standard service activation.
    The device started standard service activation.
  Do expiration check.
    The device started the service expiration day check.
  Build query message has failed.
    Some information was missing in the packets that the device sent to the MyZyXEL.
  Device has latest signature file; no need to update
    The device already has the latest version of the signature file, so no update is needed.
  Connect to update server has failed.
    The device cannot connect to the update server.
  Wrong format for packets received.
    The device cannot parse the response returned by the server. Some required fields may be missing.
  Server setting error. Update stop.
  Get server response has failed.
    The device sent packets to the server but did not receive a response. The connection may be broken.
  Expiration dailycheck has failed:%s.
    The daily check for service expiration failed; the error message returned by the myZyXEL.com server is appended to this log. %s: error message returned by the myZyXEL.com server.
  Do expiration dailycheck has failed.
  Self signed certificate.
    Verification of a server's certificate failed because it is self-signed.
  Self signed certificate in certificate chain.
    Verification of a server's certificate failed because there is a self-signed certificate in the server's certificate chain.
  Verify peer certificates has succeeded.
    The device verified a server's certificate while processing an HTTPS connection.
Table 260 IDP Logs (continued)
  Enable IDP engine succeeded.
    The device turned on the IDP engine.
  Disable IDP engine succeeded.
    The device turned off the IDP engine.
  IDP service is not registered. IDP will not be activated.
    IDP has not been turned on and the IDP signatures will not be updated because the IDP service is not registered.
  IDP service standard license is expired. Update signature failed.
  Add custom signature error: signature is over length.
    An attempt to add a custom IDP signature failed because the signature's contents were too long.
  Edit custom signature error: signature is over length.
    An attempt to edit a custom IDP signature failed because the signature's contents were too long.
  IDP off-line update failed. File damaged.
    An update attempt for the IDP signatures failed.
  from to [type=] , Action: , Severity:
    The ZyWALL detected an intrusion in traffic traveling between the specified zones. The type is one of scan-detection(), flooddetection(), http-inspection() or tcpdecoder(), and the remainder of the message gives details about the attack. The message is dropped if the log is more than 128 characters, so long attack details may be lost.
  Duplicate sid in import file at line .
    The listed signature ID is duplicated at the listed line number in the signature file.
  IDP rule has been deleted.
    The listed IDP rule has been removed.
  IDP rule has been moved to .
    The IDP rule with the specified index number (first num) was moved to the specified index number (second num).
  New IDP rule has been appended.
Table 261 Application Patrol (continued)
  Protocol %s has been enabled.
    The listed protocol has been turned on in the application patrol.
  Protocol %s has been disabled.
    The listed protocol has been turned off in the application patrol.
  Classification mode of protocol %s has been modified to portless.
    The device will now use the portless classification mode to identify the listed protocol's traffic.
Table 262 IKE Logs
  Peer has not announced DPD capability
    The remote IPSec router has not announced its dead peer detection (DPD) capability to this device.
  [COOKIE] Invalid cookie, no sa found
    No SA matches the cookie in the received packet.
  [DPD] No response from peer. Using existing Phase-1 SA in %u seconds. Trying with Phase-1 rekey.
    The device's DPD feature has not detected a response from the remote IPSec router. %u is the retry time.
  [SA] : Tunnel [%s] Phase 1 invalid protocol
    %s is the tunnel name. When negotiating Phase-1, the packet's protocol field did not indicate an ISAKMP packet.
  [SA] : Tunnel [%s] Phase 1 invalid transform
    %s is the tunnel name. When negotiating Phase-1, the transform ID was invalid.
  [SA] : Tunnel [%s] Phase 1 key group mismatch
    %s is the tunnel name.
  Could not dial manual key tunnel "%s"
    %s is the tunnel name. The manual key tunnel cannot be dialed.
  DPD response with invalid ID
    A DPD response with an invalid ID was received and ignored.
  DPD response with no active request
    A DPD response was received while no DPD request was outstanding.
  IKE Packet Retransmit
    The device retransmitted an IKE packet.
  Phase 1 IKE SA process done
    Phase 1 negotiation is complete.
  VPN gateway %s was enabled
    %s is the gateway name. An administrator enabled the VPN gateway.
  XAUTH fail! My name: %s
    %s is this device's XAUTH name. The remote peer rejected the name as invalid.
  XAUTH fail! Remote user: %s
    %s is the remote user's XAUTH name. The remote user's name is invalid.
  XAUTH succeed! My name: %s
    %s is this device's XAUTH name. The name was accepted.
Table 263 IPSec Logs (continued)
  Get outbound transform fail
    An outgoing packet needed to be transformed, but the engine could not obtain the transform context.
  Inbound transform operation fail
    After decryption or hardware-accelerated processing, the hardware accelerator dropped a packet (resource shortage, corrupt packet, invalid MAC, and so on).
Table 264 Firewall Logs (continued)
  Firewall %s %s rule %d was %s.
    1st %s is the from zone, 2nd %s is the to zone, %d is the index of the rule, 3rd %s is appended/inserted/modified.
  Firewall %s %s rule %d has been moved to %d.
    1st %s is the from zone, 2nd %s is the to zone, 1st %d is the old index of the rule, 2nd %d is the new index of the rule.
  Firewall %s %s rule %d has been deleted.
Table 266 Policy Route Logs (continued)
  The policy route %d uses empty user group!
    The rule references an empty object group. %d: the policy route rule number.
  The policy route %d uses empty source address group!
    The rule references an empty object group.
  The policy route %d uses empty destination address group!
    The rule references an empty object group.
  The policy route %d uses empty service group
    The rule references an empty object group.
  Policy-route rule %d was inserted.
    The rule was inserted into the system.
Table 267 Built-in Services Logs
  User on %u.%u.%u.%u has been denied access from %s
    HTTP/HTTPS/TELNET/SSH/FTP/SNMP access to the device was denied. %u.%u.%u.%u is the IP address; %s is HTTP/HTTPS/SSH/SNMP/FTP/TELNET.
  HTTPS certificate:%s does not exist. HTTPS service will not work.
    An administrator assigned a nonexistent certificate to HTTPS. %s is the certificate name assigned by the user.
  HTTPS port has been changed to port %s.
  SNMP port has been changed to port %s.
    An administrator changed the port number for SNMP.
  SNMP port has been changed to default port.
    An administrator changed the port number for SNMP back to the default (161).
  Console baud has been changed to %s.
    An administrator changed the console port baud rate.
  Console baud has been reset to %d.
  DNS access control rule %u has been moved to %d.
    An administrator moved rule %u to index %d. %u is the previous index; %d is the current index.
  The default record of Zone Forwarder have reached the maximum number of 128 DNS servers.
    The default record's DNS server list has reached the 128-entry limit.
  Interface %s ping check is successful. Zone Forwarder adds DNS servers in records.
    The ping check succeeded, so the DNS servers were added to bind.
  Access control rule %u of %s was modified.
    An access control rule was modified successfully. %u is the index of the access control rule. %s is HTTP/HTTPS/SSH/SNMP/FTP/TELNET.
  Access control rule %u of %s was deleted.
    An access control rule was removed successfully. %u is the index of the access control rule. %s is HTTP/HTTPS/SSH/SNMP/FTP/TELNET.
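Table 258 (User Logs) and Table 267 (Built-in Services Logs) together record the events an administrator watches for password guessing against the management interfaces: failed logins, logins from an address the ZyWALL has already locked out, and denied management access. The following is an added example, not ZyXEL code, that parses those exact message templates in Python and counts them per source address over a constructed sample export. It assumes two things the manual does not state: that each exported line carries a leading "YYYY-MM-DD HH:MM:SS" timestamp, and that the %s in the "Failed login attempt to ZyWALL from %s" messages is the source IP address.

```python
"""Triage ZyWALL administrative-access logs for lockouts and repeated failures.

Added example for this appendix, not ZyXEL code. It parses the message
templates documented in Table 258 (User Logs) and Table 267 (Built-in
Services Logs). Assumptions (not stated by the manual): each exported line
carries a leading "YYYY-MM-DD HH:MM:SS " timestamp, and the %s in
"Failed login attempt to ZyWALL from %s (...)" is the source IP address.
"""
import re
from collections import Counter
from typing import Dict, Iterable, List, Set, Tuple

IPV4 = r"\d{1,3}(?:\.\d{1,3}){3}"

# Table 267: "User on %u.%u.%u.%u has been denied access from %s"
DENIED_RE = re.compile(
    rf"\bUser on (?P<ip>{IPV4}) has been denied access from (?P<svc>\w+)"
)
# Table 258: "Failed login attempt to ZyWALL from %s (<reason>)"
FAILED_RE = re.compile(
    rf"\bFailed login attempt to ZyWALL from (?P<ip>{IPV4}) \((?P<reason>[^)]*)\)"
)
# Table 258: "%s %s from %s has logged in ZyWALL" (account type, user, service)
LOGIN_RE = re.compile(
    r"(?P<utype>\S+) (?P<user>\S+) from (?P<svc>HTTPS?|FTP|Telnet|SSH|console) has logged in ZyWALL"
)

# Constructed sample in the assumed export format; not a real device log.
SAMPLE_LOG = """\
2010-11-03 08:12:01 Failed login attempt to ZyWALL from 203.0.113.7 (reach the max. number of user)
2010-11-03 08:12:04 Failed login attempt to ZyWALL from 203.0.113.7 (reach the max. number of user)
2010-11-03 08:12:09 Failed login attempt to ZyWALL from 203.0.113.7 (login on a lockout address)
2010-11-03 08:13:30 User on 203.0.113.7 has been denied access from SSH
2010-11-03 08:14:00 admin admin from HTTPS has logged in ZyWALL
2010-11-03 08:15:22 User on 198.51.100.9 has been denied access from HTTP
2010-11-03 08:16:00 user bob from SSH has logged in ZyWALL
"""


def triage(lines: Iterable[str], threshold: int = 3) -> Dict[str, object]:
    """Aggregate failed logins and denied accesses per source IP.

    Returns per-IP counters, the set of IPs the ZyWALL itself reported as
    locked out, the successful logins, and the IPs worth investigating: any
    locked-out IP, plus any IP whose failed+denied total reaches threshold.
    """
    failed: Counter = Counter()
    denied: Counter = Counter()
    lockouts: Set[str] = set()
    logins: List[Tuple[str, str, str]] = []

    for line in lines:
        m = FAILED_RE.search(line)
        if m:
            failed[m["ip"]] += 1
            if m["reason"].startswith("login on a lockout address"):
                lockouts.add(m["ip"])
            continue
        m = DENIED_RE.search(line)
        if m:
            denied[m["ip"]] += 1
            continue
        m = LOGIN_RE.search(line)
        if m:
            logins.append((m["utype"], m["user"], m["svc"]))

    suspicious = set(lockouts)
    for ip in set(failed) | set(denied):
        if failed[ip] + denied[ip] >= threshold:
            suspicious.add(ip)

    return {
        "failed": dict(failed),
        "denied": dict(denied),
        "lockouts": lockouts,
        "logins": logins,
        "suspicious": suspicious,
    }


def triage_text(text: str, threshold: int = 3) -> Dict[str, object]:
    """Convenience wrapper for a whole log export held in one string."""
    return triage(text.splitlines(), threshold)


if __name__ == "__main__":
    report = triage_text(SAMPLE_LOG)
    for ip in sorted(report["suspicious"]):
        print(f"{ip}: failed={report['failed'].get(ip, 0)} "
              f"denied={report['denied'].get(ip, 0)} "
              f"locked_out={ip in report['lockouts']}")
```

Run as a script to list the addresses worth a closer look; triage() accepts any iterable of lines, so it can be pointed at a syslog file fed by the ZyWALL instead of the embedded sample. A locked-out address is always reported regardless of the threshold, because the ZyWALL has already judged it; the threshold only governs addresses that have not yet been locked out.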
Table 268 System Logs (continued)
  DHCP Server executed with cautious mode disabled
    The DHCP server was started with cautious mode disabled.
  Received packet is not an ARP response packet
    A packet was received but it is not an ARP response packet.
  Receive an ARP response
    The device received an ARP response.
  Receive ARP response from %s (%s)
    The device received an ARP response from the listed source.
  Device is rebooted by administrator!
    An administrator restarted the device.
  Insufficient memory.
    Cannot allocate system memory.
  Connect to dyndns server has failed.
    Cannot connect to members.dyndns.org to update DDNS.
  Update the profile %s has failed because of strange server response.
    The profile update failed because the server's response was unexpected. %s is the profile name.
  Update the profile %s has failed because the feature requested is only available to donators.
    The profile update failed because the feature requested is only available to donators. %s is the profile name.
  Update the profile %s has failed because of error response.
    The profile update failed because the response is incorrect. %s is the profile name.
  DDNS profile %s has been renamed as %s.
    A DDNS profile was renamed. 1st %s is the original profile name; 2nd %s is the new profile name.
  DDNS profile %s has been deleted.
    A DDNS profile was deleted. %s is the profile name.
  DDNS Initialization has failed.
    DDNS initialization failed.
  All DDNS profiles are deleted
    All DDNS profiles have been removed.
  Collect Diagnostic Information has failed - Server did not respond.
Table 269 Connectivity Check Logs (continued)
  The connectivitycheck is activate for %s interface
    The interface's link is still up after the connectivity check.
  The connectivitycheck is fail for %s interface
    The interface's link is down after the connectivity check.
  Can't get gateway IP of %s interface
    The connectivity check process can't get the gateway IP address for the specified interface.
  Can't get MAC address of %s interface!
    The connectivity check process can't get the MAC address of the interface. %s: interface name.
  To send ARP REQUEST error!
    The connectivity check process can't send an ARP request packet.
  The %s routing status seted to DEAD by connectivity-check
    The connectivity check marked the interface's route dead; the interface can no longer forward packets.
Table 270 Routing Protocol Logs (continued)
  RIP redistribute static routes has been enabled.
    Redistribution of static routes into RIP has been enabled.
  RIP on interface %s has been deactivated.
    RIP on interface %s has been deactivated. %s: interface name.
  RIP direction on interface %s has been changed to BiDir.
    RIP direction on interface %s has been changed to bidirectional. %s: interface name.
  RIP authentication has benn disabled.
  Invalid OSPF %s authentication of area %s.
    OSPF MD5 or text authentication has been set without first setting the MD5 authentication ID and key, or the text authentication key.
  Invalid OSPF virtuallink %d md5 authentication of area %s.
    Virtual-link %s MD5 authentication has been set without first setting the MD5 authentication ID and key. %s: Virtual-Link ID.
  Invalid OSPF virtuallink %s text authentication of area %s.
Table 271 NAT Logs (continued)
  %s SIP ALG has succeeded.
    The SIP ALG has been turned on or off. %s: Enable or Disable.
  Extra signal port of SIP ALG has been modified.
    The extra SIP ALG port has been changed.
  Signal port of SIP ALG has been modified.
    The default SIP ALG port has been changed.
  Register SIP ALG extra port=%d failed.
    The SIP ALG could not apply the additional signal port. %d: port number.
  Register SIP ALG
    The SIP ALG could not apply the signal port.
Table 272 PKI Logs (continued)
  Prepare to import "%s" into "My Certificate"
    %s is the name of a certificate request.
  Prepare to import "%s" into "Trusted Certificate"
    %s is the name of a certificate request.
  CMP enrollment "%s" successfully, CA "%s", URL "%s"
    The device used CMP to enroll a certificate. 1st %s is the request name, 2nd %s is the CA name, 3rd %s is the URL.
  Export X509 certificate "%s" from "My Certificate" failed
    The device was not able to export an X.509 format certificate from My Certificates. %s is the certificate request name.
  Export X509 certificate "%s" from "Trusted Certificate" failed
    The device was not able to export an X.509 format certificate from Trusted Certificates. %s is the certificate request name.
Table 273 Certificate Path Verification Failure Reason Codes (continued)
  15  CRL is too old.
  16  CRL is not valid.
  17  CRL signature was not verified correctly.
  18  CRL was not found (anywhere).
  19  CRL was not added to the cache.
  20  CRL decoding failed.
  21  CRL is not currently valid, but in the future.
  22  CRL contains duplicate serial numbers.
  23  Time interval is not continuous.
  24  Time information not available.
Table 274 Interface Logs (continued)
  (%s MTU - 8) < %s MTU, %s may not work correctly.
    An administrator configured an Ethernet, VLAN or bridge interface that is the base interface of a PPP interface, and the PPP interface's MTU is larger than the base interface's MTU minus 8 (the PPPoE and PPP header overhead). The PPP interface may not run correctly because its packets will be fragmented by the base interface and the peer will not receive correct PPP packets. 1st %s: Ethernet interface name; 2nd %s: PPP interface name.
  Interface %s is disconnected.
    A PPP interface disconnected successfully. %s: interface name.
  Interface %s connect failed: Peer not responding.
    The interface's connection will be terminated because the server did not send any LCP packets. %s: interface name.
  Interface %s connect failed: PAP authentication failed.
  SIM card of interface cellular%d in %s is damaged or not inserted. Please remove the device, then check the SIM card.
    The SIM card for the cellular device associated with the listed cellular interface (%d) cannot be detected. The SIM card may be missing, not inserted properly, or damaged. Remove the device and check its SIM card. If it does not appear to be damaged, try re-inserting the SIM card.
  Interface cellular%d required authentication password. Please set password in cellular%d edit page.
    You need to manually enter the password for the listed cellular interface (%d).
  Cellular%d (IMSI=%s or ESN=%s) over time budget! (budget = %d seconds).
    The listed cellular interface (%d) with the listed SIM card IMSI number or IMEI/ESN number went over the listed time budget threshold value (second %d).
  Duplicated interface name.
    A duplicate name was not permitted for an interface.
  This Interface can not be renamed.
    An interface's name cannot be changed.
  Virtual interface is not supported on this type of interface.
    A virtual interface was not created on an interface because the type of interface does not support virtual interfaces.
  Virtual interface need to be removed before changing the interface property.
  name=%s,status=%s,TxPkts=%u,RxPkts=%u,Colli.=%u,TxB/s=%u,RxB/s=%u,UpTime=%s
    This log is sent to the VRPT server to show the specified PPP/cellular interface's statistics and uptime.
  Interface %s has been renamed from '%s' to '%s'
    The user-configurable name of the specified interface (internal system name) has been changed from one name to another.
Table 277 Force Authentication Logs
  Force User Authentication will be enabled due to http server is enabled.
    Force user authentication will be turned on because the HTTP server was turned on.
  Force User Authentication will be disabled due to http server is disabled.
    Force user authentication will be turned off because the HTTP server was turned off.
Table 278 File Manager Logs (continued)
  Running %s...
    An administrator ran the listed shell script. %s is the script file name.
  Going to rollback previous running-config.
    Applying the configuration file failed and the ZyWALL is going to roll back to the previous running-config.
Table 280 E-mail Daily Report Logs (continued)
  Failed to send report. Mail From address %s1 is inconsistent with SMTP account %s2.
    The user name and password configured for authenticating with the e-mail server are correct, but the listed sender e-mail address does not match the listed SMTP e-mail account.
  Failed to connect to mail server %s.
    The ZyWALL could not connect to the SMTP e-mail server (%s).
Table 283 EPS Logs
  Windows service pack check fail in %s
    The Windows service pack on a user's computer did not match the specified EPS object.
  Windows auto update check fail in %s
    The Windows automatic update setting on a user's computer did not match the specified EPS object.
  Windows security patch check fail in %s
    The Windows security patch on a user's computer did not match the specified EPS object.
APPENDIX B Common Services

The following table lists some commonly-used services and their associated protocols and port numbers. For a comprehensive list of port numbers, ICMP type/code numbers and services, visit the IANA (Internet Assigned Numbers Authority) web site.
• Name: This is a short, descriptive name for the service. You can use this one or create a different one, if you like.
• Protocol: This is the type of IP protocol used by the service.
Table 284 Commonly Used Services (continued)
  ESP (IPSEC_TUNNEL): User-Defined, IP protocol 50
    The IPSec ESP (Encapsulating Security Payload) tunneling protocol uses this service.
  FINGER: TCP 79
    Finger is a UNIX or Internet related command that can be used to find out if a user is logged on.
  FTP: TCP 20, TCP 21
    File Transfer Protocol, for transferring files, including large files that cannot be sent by e-mail.
  H.
  PPTP: TCP 1723
    Point-to-Point Tunneling Protocol tunnels data over public networks. This is the control channel. PPTP's MS-CHAP authentication and MPPE encryption are considered weak, so do not rely on it for confidentiality.
  PPTP_TUNNEL (GRE): User-Defined, IP protocol 47
    PPTP (Point-to-Point Tunneling Protocol) data channel, carried in GRE.
  RCMD: TCP 512
    Remote Command Service.
  TFTP: UDP 69
    Trivial File Transfer Protocol is an Internet file transfer protocol similar to FTP, but uses UDP (User Datagram Protocol) rather than TCP (Transmission Control Protocol).
  VDOLIVE: TCP 7000
    Another videoconferencing solution.
APPENDIX C Importing Certificates

This appendix shows you how to import public key certificates into your web browser. Public key certificates are used by web browsers to ensure that a secure web site is legitimate. When a certificate authority such as VeriSign, Comodo, or Network Solutions, to name a few, receives a certificate request from a website operator, they confirm that the web domain and contact information in the request match those on public record with a domain name registrar.
1 If your device's Web Configurator is set to use SSL certification, then the first time you browse to it you are presented with a certification error.
Figure 447 Internet Explorer 7: Certification Error
2 Click Continue to this website (not recommended).

Note: The error appears because the browser does not trust the issuer of the ZyWALL's certificate, and the browser cannot tell the genuine device certificate from one presented by an attacker positioned between you and the ZyWALL. Before you continue, obtain the fingerprint of the ZyWALL's own certificate over a channel you trust (for example, the console port) and check that it matches the certificate the browser shows you in step 3.

Figure 448 Internet Explorer 7: Certification Error
3 In the Address Bar, click Certificate Error > View certificates.
4 In the Certificate dialog box, click Install Certificate.
Figure 450 Internet Explorer 7: Certificate
5 In the Certificate Import Wizard, click Next.
6 If you want Internet Explorer to Automatically select certificate store based on the type of certificate, click Next again and then go to step 9.
Figure 452 Internet Explorer 7: Certificate Import Wizard
7 Otherwise, select Place all certificates in the following store and then click Browse.
8 In the Select Certificate Store dialog box, choose a location in which to save the certificate and then click OK.
Figure 454 Internet Explorer 7: Select Certificate Store
9 In the Completing the Certificate Import Wizard screen, click Finish.
10 If you are presented with another Security Warning, click Yes. This warning displays the certificate's thumbprint; compare it with the value you obtained from the device before you accept.
Figure 456 Internet Explorer 7: Security Warning
11 Finally, click OK when presented with the successful certificate installation message.
Figure 457 Internet Explorer 7: Certificate Import Wizard
12 The next time you start Internet Explorer and go to a ZyXEL Web Configurator page, a sealed padlock icon appears in the address bar. Click it to view the page's Website Identification information.
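Step 2 of the procedure above accepts whatever certificate happens to be on the wire. The added Python example below (not ZyXEL code) performs the check a practitioner wants before that click: it fetches the certificate the Web Configurator presents, deliberately without trusting it, and compares its SHA-256 fingerprint with a value recorded out of band, for example read from the device over the console port. The address is the default from Table 240; the HTTPS port of 443 is an assumption, and the pin must be supplied by you. The fingerprint of an empty input used in the self-check is illustrative only and is not a ZyWALL fingerprint.

```python
"""Pin the ZyWALL's HTTPS certificate by fingerprint instead of clicking through.

Added example for this appendix, not ZyXEL code. Assumptions: the host is
the default LAN address from Table 240, the port (443) is assumed, and the
pinned fingerprint must be recorded by the administrator out of band.
"""
import hashlib
import socket
import ssl

ZYWALL_HOST = "192.168.1.1"   # default LAN address (Table 240)
ZYWALL_PORT = 443             # assumed: HTTPS on the default port


def sha256_fingerprint(der: bytes) -> str:
    """SHA-256 fingerprint of a DER certificate as colon-separated lower-case hex."""
    digest = hashlib.sha256(der).hexdigest()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def normalize_fingerprint(fp: str) -> str:
    """Accept 'AB:CD', 'ab cd' or 'abcd' spellings; return bare lower-case hex."""
    return "".join(ch for ch in fp.lower() if ch in "0123456789abcdef")


def fingerprint_matches(der: bytes, pinned: str) -> bool:
    """True only if the certificate's SHA-256 fingerprint equals the pin.

    A pin must be exactly 64 hex digits. Anything shorter (a truncated copy,
    or an MD5/SHA-1 value pasted by mistake) is rejected outright rather
    than prefix-matched, which would weaken the check.
    """
    expected = normalize_fingerprint(pinned)
    if len(expected) != 64:
        return False
    return hashlib.sha256(der).hexdigest() == expected


def fetch_leaf_cert_der(host: str, port: int = 443, timeout: float = 5.0) -> bytes:
    """Fetch the server's leaf certificate in DER form without trusting it.

    CERT_NONE is intentional and local to this function: the point is to
    decide for ourselves whether to trust the certificate, and a self-signed
    device certificate would fail the default chain validation anyway.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            der = tls.getpeercert(binary_form=True)
    if not der:
        raise RuntimeError("server sent no certificate")
    return der


def verify_pin(host: str, port: int, pinned: str) -> bool:
    """Fetch the certificate from host:port and check it against the pin."""
    return fingerprint_matches(fetch_leaf_cert_der(host, port), pinned)


if __name__ == "__main__":
    import sys
    cert = fetch_leaf_cert_der(ZYWALL_HOST, ZYWALL_PORT)
    print("SHA-256:", sha256_fingerprint(cert))
    if len(sys.argv) > 1:
        ok = fingerprint_matches(cert, sys.argv[1])
        print("pin matches" if ok else "PIN MISMATCH: do not trust this certificate")
        sys.exit(0 if ok else 1)
```

Run it with no arguments from a workstation you trust to print the fingerprint the device is presenting, record that value, and thereafter run it with the recorded fingerprint as the argument before importing the certificate into a browser; a non-zero exit means the certificate changed or someone else is answering on that address. Firmware of this vintage may only negotiate TLS 1.0, which recent Python builds refuse by default; if the handshake fails, lower ctx.minimum_version for this check only.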
Installing a Stand-Alone Certificate File in Internet Explorer

Rather than browsing to a ZyXEL Web Configurator and installing a public key certificate when prompted, you can install a stand-alone certificate file if one has been issued to you.
1 Double-click the public key certificate file.
Figure 459 Internet Explorer 7: Public Key Certificate File
2 In the security warning dialog box, click Open.
Removing a Certificate in Internet Explorer
1 Open Internet Explorer and click Tools > Internet Options.
Figure 461 Internet Explorer 7: Tools Menu
2 In the Internet Options dialog box, click Content > Certificates.
3 In the Certificates dialog box, click the Trusted Root Certificates Authorities tab, select the certificate that you want to delete, and then click Remove.
Figure 463 Internet Explorer 7: Certificates
4 In the Certificates confirmation, click Yes.
Figure 464 Internet Explorer 7: Certificates
5 In the Root Certificate Store dialog box, click Yes.
6 The next time you go to the web site that issued the public key certificate you just removed, a certification error appears.
Firefox
The following example uses Mozilla Firefox 2 on Windows XP Professional; however, the screens can also apply to Firefox 2 on all platforms.
1 If your device’s Web Configurator is set to use SSL certification, then the first time you browse to it you are presented with a certification error.
3 The certificate is stored and you can now connect securely to the Web Configurator. A sealed padlock appears in the address bar, which you can click to open the Page Info > Security window to view the web page’s security information.
Installing a Stand-Alone Certificate File in Firefox
1 Open Firefox and click Tools > Options.
Figure 468 Firefox 2: Tools Menu
2 In the Options dialog box, click Advanced > Encryption > View Certificates.
3 In the Certificate Manager dialog box, click Web Sites > Import.
Figure 470 Firefox 2: Certificate Manager
4 Use the Select File dialog box to locate the certificate and then click Open.
Figure 471 Firefox 2: Select File
5 The next time you visit the web site, click the padlock in the address bar to open the Page Info > Security window to see the web page’s security information.
Removing a Certificate in Firefox
This section shows you how to remove a public key certificate in Firefox 2.
1 Open Firefox and click Tools > Options.
Figure 472 Firefox 2: Tools Menu
2 In the Options dialog box, click Advanced > Encryption > View Certificates.
3 In the Certificate Manager dialog box, select the Web Sites tab, select the certificate that you want to remove, and then click Delete.
Figure 474 Firefox 2: Certificate Manager
4 In the Delete Web Site Certificates dialog box, click OK.
Figure 475 Firefox 2: Delete Web Site Certificates
5 The next time you go to the web site that issued the public key certificate you just removed, a certification error appears.
Opera
1 If your device’s Web Configurator is set to use SSL certification, then the first time you browse to it you are presented with a certification error.
2 Click Install to accept the certificate.
Figure 476 Opera 9: Certificate signer not found
3 The next time you visit the web site, click the padlock in the address bar to open the Security information window to view the web page’s security details.
Installing a Stand-Alone Certificate File in Opera
Rather than browsing to a ZyXEL Web Configurator and installing a public key certificate when prompted, you can install a stand-alone certificate file if one has been issued to you.
1 Open Opera and click Tools > Preferences.
2 In Preferences, click Advanced > Security > Manage certificates.
3 In the Certificates Manager, click Authorities > Import.
Figure 480 Opera 9: Certificate manager
4 Use the Import certificate dialog box to locate the certificate and then click Open.
5 In the Install authority certificate dialog box, click Install.
Figure 482 Opera 9: Install authority certificate
6 Next, click OK.
Figure 483 Opera 9: Install authority certificate
7 The next time you visit the web site, click the padlock in the address bar to open the Security information window to view the web page’s security details.
Removing a Certificate in Opera
This section shows you how to remove a public key certificate in Opera 9.
1 Open Opera and click Tools > Preferences.
Figure 484 Opera 9: Tools Menu
2 In Preferences, click Advanced > Security > Manage certificates.
3 In the Certificates manager, select the Authorities tab, select the certificate that you want to remove, and then click Delete.
Figure 486 Opera 9: Certificate manager
4 The next time you go to the web site that issued the public key certificate you just removed, a certification error appears.
Note: There is no confirmation when you delete a certificate authority, so be absolutely certain that you want to go through with it before clicking the button.
Konqueror
2 Click Continue.
Figure 487 Konqueror 3.5: Server Authentication
3 Click Forever when prompted to accept the certificate.
Figure 488 Konqueror 3.5: Server Authentication
4 Click the padlock in the address bar to open the KDE SSL Information window and view the web page’s security details.
Figure 489 Konqueror 3.
Installing a Stand-Alone Certificate File in Konqueror
Rather than browsing to a ZyXEL Web Configurator and installing a public key certificate when prompted, you can install a stand-alone certificate file if one has been issued to you.
1 Double-click the public key certificate file.
Figure 490 Konqueror 3.5: Public Key Certificate File
2 In the Certificate Import Result - Kleopatra dialog box, click OK.
Figure 491 Konqueror 3.
3 The next time you visit the web site, click the padlock in the address bar to open the KDE SSL Information window to view the web page’s security details.
Removing a Certificate in Konqueror
This section shows you how to remove a public key certificate in Konqueror 3.5.
1 Open Konqueror and click Settings > Configure Konqueror.
Figure 493 Konqueror 3.5: Settings Menu
2 In the Configure dialog box, select Crypto.
4 The next time you go to the web site that issued the public key certificate you just removed, a certification error appears.
Note: There is no confirmation when you remove a certificate authority, so be absolutely certain you want to go through with it before clicking the button.
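The same trust decision that every browser procedure above makes, carried out with the openssl command line so you can see what "certification error", "import" and "remove" mean at the validation level. This is an added example, not code from the ZyXEL guide: a constructed self-signed certificate with the guide's default LAN address 192.168.1.1 as its subject stands in for the ZyWALL's factory-default Web Configurator certificate, and the openssl CLI is assumed to be installed; no device or network is involved.

```shell
#!/bin/sh
# Added example, not code from the ZyXEL guide. Models the browser's trust
# decision around a ZyWALL-style self-signed HTTPS certificate with the
# openssl CLI (assumed installed). Everything lives in a temp directory;
# no network access and no real device certificate is involved.
set -eu

WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT
DEV_CERT="$WORK/zywall.pem"   # stand-in for the device's factory-default cert
DEV_KEY="$WORK/zywall.key"

# Create a self-signed certificate like the one the Web Configurator serves.
# Subject/SAN 192.168.1.1 is the guide's default LAN address (constructed
# here); current browsers match the SAN, not the CN, before drawing the padlock.
make_device_cert() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 365 \
        -subj "/CN=192.168.1.1" \
        -addext "subjectAltName=IP:192.168.1.1" \
        -keyout "$DEV_KEY" -out "$DEV_CERT" >/dev/null 2>&1
}

# Step 1 of every browser section: no installed trust anchor matches the
# issuer, so path validation fails. Returns non-zero, which is the browser's
# "certification error" / "Certificate signer not found".
verify_without_trust_anchor() {
    openssl verify "$DEV_CERT" >/dev/null 2>&1
}

# What to check before clicking Install/Continue: this fingerprint must match
# the one obtained out of band from the device itself; otherwise the browser
# would be trusting whatever certificate happened to answer on 192.168.1.1.
device_fingerprint() {
    openssl x509 -in "$DEV_CERT" -noout -fingerprint -sha256 | cut -d= -f2
}

# After the import the certificate is itself a trust anchor (IE: Trusted Root
# store; Opera: Authorities tab), so validation of the same certificate now
# succeeds. Removing it again, the last procedure in each section, is the
# same as dropping -CAfile: verify_without_trust_anchor fails once more.
verify_with_trust_anchor() {
    openssl verify -CAfile "$DEV_CERT" "$DEV_CERT" >/dev/null 2>&1
}

# Stand-alone run: fingerprint, then the outcome before and after the import.
main() {
    make_device_cert
    echo "fingerprint (compare with the device): $(device_fingerprint)"
    if verify_without_trust_anchor; then
        echo "before import: trusted (unexpected)"
    else
        echo "before import: certification error"
    fi
    if verify_with_trust_anchor; then
        echo "after import: trusted"
    else
        echo "after import: error (unexpected)"
    fi
}

main
```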
APPENDIX D Open Software Announcements
End-User License Agreement for “ZyWALL USG 50”
WARNING: ZyXEL Communications Corp. IS WILLING TO LICENSE THE SOFTWARE TO YOU ONLY UPON THE CONDITION THAT YOU ACCEPT ALL OF THE TERMS CONTAINED IN THIS LICENSE AGREEMENT. PLEASE READ THE TERMS CAREFULLY BEFORE COMPLETING THE INSTALLATION PROCESS AS INSTALLING THE SOFTWARE WILL INDICATE YOUR ASSENT TO THEM.
therein shall remain at all times with ZyXEL. Any other use of the Software by any other entity is strictly forbidden and is a violation of this License Agreement. 3. Copyright The Software and Documentation contain material that is protected by International Copyright Law and trade secret law, and by international treaty provisions. All rights not granted to you herein are expressly reserved by ZyXEL.
You acknowledge that the Software contains proprietary trade secrets of ZyXEL and you hereby agree to maintain the confidentiality of the Software using at least as great a degree of care as you use to maintain the confidentiality of your own most confidential information.
THIS LICENSE AGREEMENT IS EXPRESSLY MADE SUBJECT TO ANY APPLICABLE LAWS, REGULATIONS, ORDERS, OR OTHER RESTRICTIONS ON THE EXPORT OF THE SOFTWARE OR INFORMATION ABOUT SUCH SOFTWARE WHICH MAY BE IMPOSED FROM TIME TO TIME. YOU SHALL NOT EXPORT THE SOFTWARE, DOCUMENTATION OR INFORMATION ABOUT THE SOFTWARE AND DOCUMENTATION WITHOUT COMPLYING WITH SUCH LAWS, REGULATIONS, ORDERS, OR OTHER RESTRICTIONS.
NOTE: Some components of this product incorporate source code covered under the open source code licenses. Further, for at least three (3) years from the date of distribution of the applicable product or software, we will give to anyone who contacts us at the ZyXEL Technical Support (support@zyxel.com.
The above copyright notice and this permission notice shall be included in all copies or substantial portions of the Software. THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT.
--------------/* ================================================== * Copyright (c) 1998-2008 The OpenSSL Project. All rights reserved. * * Redistribution and use in source and binary forms, with or without * modification, are permitted provided that the following conditions * are met: * * 1. Redistributions of source code must retain the above copyright * notice, this list of conditions and the following disclaimer. * * 2.
* * 5. Products derived from this software may not be called "OpenSSL" * nor may "OpenSSL" appear in their names without prior written * permission of the OpenSSL Project. * * 6. Redistributions of any form whatsoever must retain the following * acknowledgment: * "This product includes software developed by the OpenSSL Project * for use in the OpenSSL Toolkit (http://www.openssl.
* * This product includes cryptographic software written by Eric Young * (eay@cryptsoft.com). This product includes software written by Tim * Hudson (tjh@cryptsoft.com). * */ Original SSLeay License ----------------------/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) * All rights reserved. * * This package is an SSL implementation written * by Eric Young (eay@cryptsoft.com). * The implementation was written so as to conform with Netscapes SSL.
* as the author of the parts of the library used. * This can be in the form of a textual message at program startup or * in documentation (online or textual) provided with the package. * * Redistribution and use in source and binary forms, with or without * modification, are permitted provided that the following conditions * are met: * 1. Redistributions of source code must retain the copyright * notice, this list of conditions and the following disclaimer. * 2.
* IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE * ARE DISCLAIMED.
This is the BSD license without the obnoxious advertising clause. It's also known as the "modified BSD license." Note that the University of California now prefers this license to the BSD license with advertising clause, and now allows BSD itself to be used under the three-clause license.
OUT OF OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. This Product includes httpd software developed by the Apache Software Foundation under Apache License. Apache License Version 2.0, January 2004 http://www.apache.org/licenses/ TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION 1. Definitions. "License" shall mean the terms and conditions for use, reproduction, and distribution as defined by Sections 1 through 9 of this document.
work of authorship. For the purposes of this License, Derivative Works shall not include works that remain separable from, or merely link (or bind by name) to the interfaces of, the Work and Derivative Works thereof.
(b) You must cause any modified files to carry prominent notices stating that You changed the files; and (c) You must retain, in the Source form of any Derivative Works that You distribute, all copyright, patent, trademark, and attribution notices from the Source form of the Work, excluding those notices that do not pertain to any part of the Derivative Works; and (d) If the Work includes a "NOTICE" text file as part of its distribution, then any Derivative Works that
8. Limitation of Liability.
THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
Public License is the better strategy to use in any particular case, based on the explanations below. When we speak of free software, we are referring to freedom of use, not price.
derivative of the original library. The ordinary General Public License therefore permits such linking only if the entire combination fits its criteria of freedom. The Lesser General Public License permits more lax criteria for linking other code with the library. We call this license the "Lesser" General Public License because it does Less to protect the user's freedom than the ordinary General Public License.
software library or work which has been distributed under these terms. A "work based on the Library" means either the Library or any derivative work under copyright law: that is to say, a work containing the Library or a portion of it, either verbatim or with modifications and/or translated straightforwardly into another language. (Hereinafter, translation is included without limitation in the term "modification".
part of a whole which is a work based on the Library, the distribution of the whole must be on the terms of this License, whose permissions for other licensees extend to the entire whole, and thus to each and every part regardless of who wrote it.
significant if the work can be linked without the Library, or if the work is itself a library. The threshold for this to be true is not precisely defined by law. If such an object file uses only numerical parameters, data structure layouts and accessors, and small macros and small inline functions (ten lines or less in length), then the use of the object file is unrestricted, regardless of whether it is legally a derivative work.
include anything that is normally distributed (in either source or binary form) with the major components (compiler, kernel, and so on) of the operating system on which the executable runs, unless that component itself accompanies the executable. It may happen that this requirement contradicts the license restrictions of other proprietary libraries that do not normally accompany the operating system.
License. If you cannot distribute so as to satisfy simultaneously your obligations under this License and any other pertinent obligations, then as a consequence you may not distribute the Library at all.
NO WARRANTY 15. BECAUSE THE LIBRARY IS LICENSED FREE OF CHARGE, THERE IS NO WARRANTY FOR THE LIBRARY, TO THE EXTENT PERMITTED BY APPLICABLE LAW. EXCEPT WHEN OTHERWISE STATED IN WRITING THE COPYRIGHT HOLDERS AND/OR OTHER PARTIES PROVIDE THE LIBRARY "AS IS" WITHOUT WARRANTY OF ANY KIND, EITHER EXPRESSED OR IMPLIED, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE.
commit to using it. (Some other Free Software Foundation software is covered by the GNU Library General Public License instead.) You can apply it to your programs, too. When we speak of free software, we are referring to freedom, not price.
copying, distribution and modification are not covered by this License; they are outside its scope. The act of running the Program is not restricted, and the output from the Program is covered only if its contents constitute a work based on the Program (independent of having been made by running the Program). Whether that is true depends on what the Program does. 1.
Program) on a volume of a storage or distribution medium does not bring the other work under the scope of this License. 3.
all its terms and conditions for copying, distributing or modifying the Program or works based on it. 6. Each time you redistribute the Program (or any work based on the Program), the recipient automatically receives a license from the original licensor to copy, distribute or modify the Program subject to these terms and conditions. You may not impose any further restrictions on the recipients' exercise of the rights granted herein.
Program does not specify a version number of this License, you may choose any version ever published by the Free Software Foundation. 10. If you wish to incorporate parts of the Program into other free programs whose distribution conditions are different, write to the author to ask for permission. For software which is copyrighted by the Free Software Foundation, write to the Free Software Foundation; we sometimes make exceptions for this.
The Regents of the University of California. All rights reserved. Redistribution and use in source and binary forms, with or without modification, are permitted provided that the following conditions are met: Redistributions of source code must retain the above copyright notice, this list of conditions and the following disclaimer.
NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE. This Product includes openldap software under the OpenLdap License The Public License Version 2.
Copyright 1999-2003 The OpenLDAP Foundation, Redwood City, California, USA. All Rights Reserved. Permission to copy and distribute verbatim copies of this document is granted. This Product includes libpng software under the Libpng License This copy of the libpng notices is provided for your convenience. In case of any discrepancy between this copy and the notices in the file png.h that is included in the libpng distribution, the latter shall prevail.
disclaimer and license as libpng-0.96, with the following individuals added to the list of Contributing Authors: Tom Lane Glenn Randers-Pehrson Willem van Schaik libpng versions 0.89, June 1996, through 0.96, May 1997, are Copyright (c) 1996, 1997 Andreas Dilger Distributed according to the same disclaimer and license as libpng-0.
2. Altered versions must be plainly marked as such and must not be misrepresented as being the original source. 3. This Copyright notice may not be removed or altered from any source or altered source distribution. The Contributing Authors and Group 42, Inc. specifically permit, without fee, and encourage the use of this source code as a component to supporting the PNG file format in commercial products.
This Product includes pcmcia-cs software under the MPL License Mozilla Public License Version 1.1 1. Definitions. 1.0.1. "Commercial Use" means distribution or otherwise making the Covered Code available to a third party. 1.1. "Contributor" means each entity that creates or contributes to the creation of Modifications. 1.2.
1.8.1. "Licensable" means having the right to grant, to the maximum extent possible, whether at the time of the initial grant or subsequently acquired, any and all of the rights conveyed herein. 1.9. "Modifications" means any addition to or deletion from the substance or structure of either the Original Code or any previous Modifications. When Covered Code is released as a series of files, a Modification is: a.
2.1. The Initial Developer Grant. The Initial Developer hereby grants You a world-wide, royalty-free, non-exclusive license, subject to third party intellectual property claims: a. under intellectual property rights (other than patent or trademark) Licensable by Initial Developer to use, reproduce, modify, display, perform, sublicense and distribute the Original Code (or portions thereof) with or without Modifications, and/or as part of a Larger Work; and b.
The Modifications which You create or to which You contribute are governed by the terms of this License, including without limitation Section 2.2. The Source Code version of Covered Code may be distributed only under the terms of this License or a future version of this License released under Section 6.1, and You must include a copy of this License with every copy of the Source Code You distribute.
(b) Contributor APIs If Contributor's Modifications include an application programming interface and Contributor has knowledge of patent licenses which are reasonably necessary to implement that API, Contributor must also include this information in the legal file. (c) Representations. Contributor represents that, except as disclosed pursuant to Section 3.
alone, not by the Initial Developer or any Contributor. You hereby agree to indemnify the Initial Developer and every Contributor for any liability incurred by the Initial Developer or such Contributor as a result of any such terms You offer. 3.7. Larger Works. You may create a Larger Work by combining Covered Code with other code not governed by the terms of this License and distribute the Larger Work as a single product.
"MOZILLAPL", "MOZPL", "Netscape", "MPL", "NPL" or any confusingly similar phrase do not appear in your license (except to note that your license differs from this License) and (b) otherwise make it clear that Your version of the license contains terms which differ from the Mozilla Public License and Netscape Public License.
payment arrangement are not mutually agreed upon in writing by the parties or the litigation claim is not withdrawn, the rights granted by Participant to You under Sections 2.1 and/or 2.2 automatically terminate at the expiration of the 60 day notice period specified above. b.
11. Miscellaneous This License represents the complete agreement concerning subject matter hereof. If any provision of this License is held to be unenforceable, such provision shall be reformed only to the extent necessary to make it enforceable. This License shall be governed by California law provisions (except to the extent applicable law, if any, provides otherwise), excluding its conflict-of-law provisions.
The Original Code is ______________________________________. The Initial Developer of the Original Code is ________________________. Portions created by ______________________ are Copyright (C) ______ _______________________. All Rights Reserved. Contributor(s): ______________________________________.
APPENDIX E Legal Information
Copyright
Copyright © 2010 by ZyXEL Communications Corporation. The contents of this publication may not be reproduced in any part or as a whole, transcribed, stored in a retrieval system, translated into any language, or transmitted in any form or by any means, electronic, mechanical, magnetic, optical, chemical, photocopying, manual, or otherwise, without the prior written permission of ZyXEL Communications Corporation. Published by ZyXEL Communications Corporation.
• This device may not cause harmful interference.
• This device must accept any interference received, including interference that may cause undesired operations.
This device has been tested and found to comply with the limits for a Class B digital device pursuant to Part 15 of the FCC Rules. These limits are designed to provide reasonable protection against harmful interference in a residential installation.
Notices
Changes or modifications not expressly approved by the party responsible for compliance could void the user's authority to operate the equipment. This Class B digital apparatus complies with Canadian ICES-003. Cet appareil numérique de la classe B est conforme à la norme NMB-003 du Canada.
Viewing Certifications
1 Go to http://www.zyxel.com.
2 Select your product on the ZyXEL home page to go to that product's page.
To obtain the services of this warranty, contact your vendor. You may also refer to the warranty policy for the region in which you bought the device at http://www.zyxel.com/web/support_warranty_info.php.
Registration
Register your product online to receive e-mail notices of firmware upgrades and information at www.zyxel.com.
Index
Numerics 3322 Dynamic DNS 315 3DES 400 3G 113 3G see also cellular 237 A AAA Base DN 620 Bind DN 620, 623 directory structure 619 Distinguished Name, see DN DN 620, 621, 623, 624 password 623 port 622, 625 search time limit 623 SSL 623 AAA server 617 AD 619 and users 584 directory service 617 LDAP 617, 619 local user database 619 object, where used 105 RADIUS 618, 619, 623 RADIUS group 625 see also RADIUS access 43 access control attacks 491 Access Point Name, see APN access users 584, 585 cus
types of 599 where used 105 address record 685 admin user troubleshooting 770 admin users 583 multiple logins 594 see also users 583 ADP 513 base profiles 514, 517 configuration overview 103 false negatives 518 false positives 518 inline profile 518 monitor profile 518 port scanning 525 prerequisites 103 protocol anomaly 514 traffic anomaly 514, 518 Advanced Encryption Standard, see AES AES 400 AF 293 AH 383, 405 and transport mode 406 alerts 726, 729, 730, 733, 734, 735 anti-spam 570 anti-virus 470 I
APN 241 Application Layer Gateway, see ALG application order 91 application patrol 437 actions 438 and firewall 438 and HTTP redirect 332 bandwidth management 439 bandwidth management behavior 441 bandwidth management examples 443 bandwidth statistics 188 classification 438 configuration overview 102 configured rate effect 442 exceptions 438 interface’s bandwidth 444 maximize bandwidth usage 441, 442, 456, 461 over allotment of bandwidth 443 port-less 438 ports 438 prerequisites 102 priority 443 prior
and routing protocols 309 MD5 309, 400 SHA1 400 text 309 Authentication Header, see AH authentication method objects 627 and users 584 and WWW 694 create 629 example 627 where used 105 authentication policy 349 exceptional services 352 authentication type 73, 657 troubleshooting 763 bare byte encoding 529 bare byte encoding attack 529 Base DN 620 base profiles in ADP 514, 517 in IDP 480, 484 base36-encoding 529 base36-encoding attack 529 Bind DN 620, 623 BitTorrent 490 black list 571 anti-spam 566 A
certificate troubleshooting 771 client 433 Certificate Authority (CA) see certificates cold start 35 CNM 720 Certificate Management Protocol (CMP) 641 commands 34 sent by Web Configurator 54 Certificate Revocation List (CRL) 634 vs OCSP 653 Common Event Format (CEF) 727, 733 certificates 633 advantages of 634 and CA 634 and FTP 714 and HTTPS 690 and IKE SA 405 and SSH 709 and VPN gateways 378 and WWW 693 certification path 634, 644, 650 expired 634 factory-default 635 file formats 635 fingerp
and address objects 533, 534, 539 and registration 538, 540, 542 and schedules 533, 534 and user groups 533 and users 533 by category 534, 544 by keyword (in URL) 534, 555 by URL 534, 554 by web feature 534, 554 cache 200, 556 categories 544 category service 542 configuration overview 104 default policy 534, 536 external web filtering service 542, 556 filter list 534 managed web pages 543 message for blocked access 537 policies 533, 534 prerequisites 104 registration status 214, 538, 542 reports, see
directory service 617 file structure 619 directory traversal attack 529 directory traversals 529 disclaimer 5, 917 Distinguished Name (DN) 620, 621, 623, 624 Distributed Denial of Service (DDoS) attacks 490 distributed port scans 526 DN 620, 621, 623, 624 DNS 681 address records 685 domain name forwarders 686 domain name to IP address 685 IP address to domain name 685 Mail eXchange (MX) records 687 pointer (PTR) records 685 DNS Blacklist see DNSBL 567 DNS servers 74, 682, 686 and interfaces 269 DNSBL
and VPN gateways 378 IKE SA 404 ext-user troubleshooting 770 F false negatives 486, 518 false positives 486, 518, 520 FCC interference statement 917 feature specifications 776 features overview 37 file decompression (in anti-virus) 470 file extensions configuration files 737 shell scripts 737 file infector 477 file manager 737 configuration overview 107 filtered port scan 526 Firefox 43 firewall 357, 358 actions 370 and address groups 354, 370 and address objects 354, 370 and ALG 335, 338 and applica
ge2 32 troubleshooting 766 ge3 32 Generic Routing Encapsulation, see GRE.
Snort signatures 511 statistics 196 traffic directions 479 trial service activation 212 troubleshooting 760, 764 troubleshooting signatures update 760 verifying custom signatures 509 IEEE 802.
Internet Protocol Security, see IPSec Internet Protocol (IP) 497 intrusions host 510 network 511 Intrusion, Detection and Prevention see IDP 479 IP address 32 IP alias, see virtual interfaces IP decoy portscan 526 IP distributed portscan 526 IP options 498, 503 IP policy routing, see policy routes IP pool 416 IP portscan 525 IP portsweep 526 IP protocols 605 and service objects 606 ICMP, see ICMP TCP, see TCP UDP, see UDP IP security option 498 IP static routes, see static routes IP stream identifier
IP/MAC binding 343 exempt list 347 monitor 181 static DHCP 346 ISP account CHAP 657 CHAP/PAP 657 MPPE 657 MSCHAP 657 MSCHAP-V2 657 PAP 657 ISP accounts 655 and PPPoE/PPTP interfaces 231, 655 authentication type 657 encryption method 657 stac compression 658 J Java 554 permissions 43 JavaScripts 43 port 622, 625 search time limit 623 SSL 623 user attributes 597 least load first load balancing 273 LED troubleshooting 759 legitimate e-mail 565 level-4 inspection 438 level-7 inspection 438 license key 2
configuration overview 107 descriptions 783 e-mail profiles 725 e-mailing log messages 207, 729 formats 727 log consolidation 730 settings 725 syslog servers 725 system 725 types of 725 loose source routing 498 ADP 518 IDP 486 MPPE (Microsoft Point-to-Point Encryption) 657 MSCHAP (Microsoft Challenge-Handshake Authentication Protocol) 657 MSCHAP-V2 (Microsoft Challenge-Handshake Authentication Protocol Version 2) 657 MTU 243 multiple slash encoding 530 multi-slash-encoding attack 530 mutation virus 4
Name Server, see NBNS. NetBIOS Name Server, see NBNS OSI level-4 438 NetMeeting 342 see also H.
P P2P (Peer-to-peer) 490 attacks 490 see also Peer-to-peer packet flow 91 inspection signatures 483, 487 scan 464 statistics 170, 172 packet capture 750 example 753 files 752 troubleshooting 773 packet captures downloading files 752 padding 498 PAP (Password Authentication Protocol) 657 password 32 Password Authentication Protocol (PAP) 657 payload option 504 size 505 Peanut Hull 315 Peer-to-peer (P2P) 490 calls 139, 337 managing 437 Perfect Forward Secrecy (PFS) 384 Diffie-Hellman key group 406 perf
PPP interfaces subnet mask 266 RADIUS server troubleshooting 770 PPPoE 270 and RADIUS 270 TCP port 1723 270 RDP 660 PPPoE/PPTP interfaces 216, 231 and ISP accounts 231, 655 basic characteristics 217 gateway 231 subnet mask 231 reboot 35, 108, 755 vs reset 755 PPTP 270 and GRE 270 as VPN 270 privacy concerns 545 problems 759 product overview 31 registration 920 profiles packet inspection 487 protocol anomaly 514, 529 detection 521 protocol usage statistics 189, 190 proxy servers 332 web, see web
anti-virus 194 collecting data 176 configuration overview 107 content filtering 198 daily 724 daily e-mail 724 IDP 196 specifications 178 traffic statistics 175 RSA 640, 644, 651 RTP 342 see also ALG 342 S safety warnings 8 reset 773 vs reboot 755 same IP 503 RESET button 35, 773 scanner types 477 RFC 1058 (RIP) 298 1389 (RIP) 298 1587 (OSPF areas) 300 1631 (NAT) 293 1889 (RTP) 342 2131 (DHCP) 268 2132 (DHCP) 268 2328 (OSPF) 299 2402 (AH) 383, 405 2406 (ESP) 383, 405 2510 (Certificate Managemen
and firewall 606 and IP protocols 606 and policy routes 606 Simple Network Management Protocol, see SNMP service subscription status 214 Simple Traversal of UDP through NAT, see STUN services 605, 841 and firewall 370 and port triggering 290 subscription 210 where used 105 SIP 336, 342 ALG 335 and firewall 337 and RTP 342 media inactivity timeout 340 signaling inactivity timeout 340 signaling port 340 troubleshooting 766 Session Initiation Protocol, see SIP session limits 360, 370 sessions 178 s
and certificates 709 and zones 710 client requirements 708 encryption methods 708 for secure Telnet 710 how connection is established 707 versions 708 with Linux 711 with Microsoft Windows 710 SSL 411, 416, 690 access policy 411 and AAA 623 and AD 623 and LDAP 623 certificates 422 client 433 client virtual desktop logo 418 computer names 416 connection monitor 193 full tunnel mode 416 global setting 416 IP pool 416 network list 416 remote user login 422 remote user logout 428 SecuExtender 433 see also
Index content filtering 212 IDP 212 new IDP/AppPatrol signatures 212 see also IDP SSL VPN 210 SSL VPN, see also SSL VPN status 214, 448, 467 upgrading 214 with ZyNOS 91 three-way handshake 528 throughput rate troubleshooting 772 TightVNC 660 time 676 time servers (default) 679 supported browsers 43 time to live 498 SWM 285 timestamp 498 SYN flood 528 token 618 syntax conventions 6 to-ZyWALL firewall 358 and NAT 327 and NAT traversal (VPN) 768 and OSPF 300 and remote management 359 and RIP 298 and s
Index ext-user 770 firewall 761 firmware package 769 firmware upload 772 FTP 766 HTTP redirect 766 H.
Index local user database 619 ext-group-user (type) 584 Ext-User (type) 584 ext-user (type) 584 groups, see user groups Guest (type) 584 lease time 588 limited-admin (type) 584 lockout 594 prerequisites for force user authentication policies 106 reauthentication time 589 types of 583 user names 586 user (type) 584 user awareness 585 User Datagram Protocol, see UDP user group objects 583 user groups 583, 585 and content filtering 533 and firewall 370, 373 and policy routes 287, 288, 451, 454, 457, 460 conf
Index VLAN interfaces 216, 248 and Ethernet interfaces 248, 763 basic characteristics 217 VoIP pass through 342 and firewall 338 and NAT 338 and policy routes 337, 338 see also ALG 336 VPN 375 active protocol 405 and NAT 403 and the firewall 360 basic troubleshooting 767 IKE SA, see IKE SA IPSec 375 IPSec SA proposal 400 security associations (SA) 376 see also IKE SA see also IPSec 375 see also IPSec SA status 165 troubleshooting 768 VPN connections and address objects 378 and policy routes 289, 767 VPN gat
Index and VPN 88, 311 and WWW 695 block intra-zone traffic 314, 366 configuration overview 98 default 89 extra-zone traffic 312 inter-zone traffic 312 intra-zone traffic 312 prerequisites 98 types of traffic 312 where used 98 ZyWALL terminology differences 91 ZyXEL web site 4 944 ZyWALL USG 50 User’s Guide