ZyXEL Firmware Release Note ZyWALL 35 Release 4.03(WZ.
ZyXEL ZyWALL 35 Standard Version Release 4.03(WZ.1)C0 Release Note
Date: Jan 31, 2008
Supported Platforms: ZyXEL ZyWALL 35
Versions:
ZyNOS Version: V4.03(WZ.1) | 01/31/2008
BootBase: V1.08 | 01/30/2005
Agent Version: V2.1.6(WZ.0)base
Notes:
1. Restore to Factory Defaults Setting Requirement: No.
2. The "ignore triangle route" setting is on in the default ROM file. A triangle route network topology is a potential security risk.
11. In the previous 3.64 firmware, the VID value of DPD is not correct. The VID change means the current version does not work with the wrong value. Please be sure to connect with devices that have the updated VID, or DPD may not work correctly.
12. In SMT menu 24.1, "WCRD" only represents the WLAN card status when you insert a WLAN card into the ZyWALL. If you insert a Turbo card, you will see "WCRD" is always down.
13.
(3) The host can still ping the Internet using the LAN DHCP address.
(4) The scenario continues for about 30 seconds.
3. When the device is writing flash, all interrupts/services are stopped. (Firmware upload and signature update for the full version will take tens of seconds.)
4. Because of the memory shortage (ZW5/P1), the device sometimes has to restart when the customer needs to upgrade firmware.
Issues
[ALG]
1. H323 does not support the server in LAN topology.
2.
displayed on the console. This is because some predefined CI commands in autoexec.net are forbidden to execute in Bridge Mode.
2. In the following topology, Firewall VPN to LAN ping can't be permitted.
PC1--------------DUT1--------NAT Router------PQA lab-----DUT2------PC2
IP: 192.168.1.33 IP: 192.168.1.2 LAN: 192.168.1.1 GW: 192.168.1.2 WAN: 172.25.21.200 WAN: 172.25.21.24 IP: 192.168.2.33 LAN: 192.168.2.1 GW: 192.168.2.1
(1) DUT1 is in bridge mode, DUT2 is in router mode; build a VPN tunnel between them.
(2) In the eWC->SECURITY->CONTENT FILTER->Customization page, enable "Web site customization" and "Don't block Java/ActiveX/Cookies/Web proxy to trusted Web sites". Add "web.haccpsoft.it" to "Trusted Web Sites".
(3) A PC on the ZyWALL's LAN side browses the "http://web.haccpsoft.it:8080" website.
(4) Log in and click the date; the popup window should show a calendar instead of another login page.
(5) It is blocked by the content filter.
5. There is a forward log of the blocked web site.
(1) Type CI “ip icmp death 1000” or “ip icmp death 1500”.
(2) PC1 pings PC2 with the DOS command “ping 172.25.21.254 -l 1600”; the log is shown as: “ping of death. ICMP(Echo)”.
(3) Type CI “ip icmp death 1501” or another number bigger than 1500.
(4) PC1 pings PC2 with the DOS command “ping 172.25.21.254 -l 2000”; the log is shown as: “ping of death. ICMP(Echo Reply)”.
That is to say, when the argument in CI “ip icmp death” is bigger than 1500, the log is different. And sometimes the log is shown as “ping of death.
b) Mail Subject = test
c) Mail Sender = your_email_address@zyxel.cn
d) Send Log to = your_email_address@zyxel.cn
e) Send Alerts to = your_email_address@zyxel.cn
(5) Generate logs in the ZyWALL continuously (you can use the Firewall Log).
(6) In eWC>>LOGS>>View Log, click “Email Log Now”; you will see “SMTP fails…….”
(7) Then click it 2 times again. There is no SMTP log.
(8) sys log mail port 25
sys log save
(9) In eWC>>LOGS>>View Log, click “Email Log Now”.
Is: Update error: The hostname specified does not exist. |DDNS
6. [ENHANCEMENT] The DDNS client will force an update with the Dyndns.org server every 28 days automatically.
7. [FEATURE CHANGE] SPR ID: 070806425
WAS: Some IPSec network policies can be saved even if they conflict with each other.
IS: The device will check network policies under two conditions:
(1) To save a network policy under a static IKE rule --> compare with other network policies under static IKE rules.
(4) ZyWALL crashes.
11. [BUG FIX] SPR ID: 071114969
Symptom: IKE SA leak at a customer site.
Topology:
|----ZyWALL1
ZyWALL_DUT(WAN)----(WAN)NAT Router(LAN)----|
|----ZyWALL2
Condition:
(1) Configure one IKE rule IKE1 in ZyWALL_DUT, set the NAT Router as "Remote Gateway".
(2) Add two IPSec rules under IKE1 in ZyWALL_DUT. IPSec1: ZyWALL_DUT--ZyWALL1; IPSec2: ZyWALL_DUT--ZyWALL2.
(3) In ZyWALL1, configure the IKE and IPsec rule. Enable Nailup. Make sure the tunnel can be built successfully.
Condition:
(1) Enable Collect Statistics of ZyWALL5 under system reports.
(2) PC visits a web page on the Internet.
(3) We cannot see the statistics of host IP reports in ZyWALL5.
14. [BUG FIX] SPR ID: 070411473
Symptom: VPN traffic stops between two gateways.
Topology: (192.168.100.0/24) PC1--(LAN) ZyWALL 5-----+ +--- ZyWALL 70(LAN)----PC2 | | ----+--+--+---| ZyWALL 35 (DMZ)| |(LAN) (Safenet) | | PC3-------------+ +---------------PC4 (10.10.10.0/24) (192.168.10.
LAN and WAN".
Condition:
Topology: PC1-----(LAN)ZyWALL2+_1(WAN+PPTP)----VPN---(Ethernet+WAN)ZyWALL2+_2(LAN)----PC2
(1) The encapsulation mode of ZyWALL2+_1 is PPTP, and the encapsulation mode of ZyWALL2+_2 is Ethernet.
(2) Build the gateway-to-gateway VPN tunnel from ZyWALL2+_1 to ZyWALL2+_2.
(3) PC1 cannot visit the PC2 shared folder (\\PC2 address) if "Allow between LAN and WAN" is not checked.
17.
| WLAN STA Association Again |
| WLAN STA denied by WLAN MAC Filter |
| WLAN STA allowed by WLAN MAC Filter |
| DHCP server assigns 10.10.101.
(5) When WAN2 is down, policy route = active, 192.168.10.33 can access the 192.168.1.60 FTP server via WAN1.
(6) When WAN2 is up, policy route = active, 192.168.10.33 cannot access the 192.168.1.60 FTP server via WAN1.
22. [BUG FIX] SPR ID: 071115018
Symptom: The DNS log shows the wrong port number when the LAN DNS server forwards a DNS request to an external server.
Topology:
PC---------------------(LAN)ZyWALL(WAN)----DNS Server
(192.168.1.33) | (172.25.5.1)
|
LAN DNS Server-----(192.168.1.
certificate cannot be exported.
Condition:
(1) In eWC>CERTIFICATES>My Certificates, create a certificate with Certificate Name="DUT IP", Host IP Address="192.168.12.100", Organizational Unit="DUT_IP", Organization="DUT_IP", Country="DUT_IP", Key Length="1024".
(2) Then apply; it is created successfully and the DUT does not show an error message. Check eWC>My Certificates: "DUT IP" is in the table.
(3) When exporting this certificate, it fails.
25.
(4) Enable "Check WAN1 Connectivity" and let the system PING "www.abcdefg123aabbccdd.com", which doesn't exist.
(5) There is a log for the ping check failure, but Source IP = WAN IP and Destination IP = 1.1.1.1, so the log is incorrect. If the domain does not exist, Source IP and Destination IP should be NULL.
28. [BUG FIX] SPR ID: 071120339
Symptom: The static DHCP rule cannot be saved under a special condition.
Condition:
(1) Add a static DHCP rule at the end of the DHCP table.
(8) Then view the CF report using the URL "http://203.160.254.52?mac=0000AA780145"; you will find the URL "www.google.cn" in the blocked list. In fact, it should be in the allowed list.
Modifications in V4.03(WZ.0) | 11/07/2007
Modify for formal release.
Modifications in V 4.03(WZ.0)b5 | 10/29/2007
1. [ENHANCEMENT] Add Vantage CNM device agent 2.1.6(WM.0), which supports Vantage CNM server version 3.0.00.61.00.
2. [BUG FIX] SPR ID: 070924386
Symptom: CF schedule works abnormally.
Condition:
(1) Enable CF.
cannot save.
(3) If you add a policy (policy name: aaa) and repeat step 2 again, it works.
(4) Add another policy again (policy name: bbb) and save it.
(5) Disable policy aaa and test the unrated functionality for policy bbb. It will fail.
6. [BUG FIX] SPR ID: 070914803
Symptom: Policy route doesn't work correctly.
Conditions:
(LAN: 192.168.1.1) (192.168.1.33)
ZW_A -------Switch--------PC_A
|----(WAN: 192.168.2.33) ZW_B (LAN: 192.168.10.1) -----PC_B (192.168.10.33)
(1) In ZyWALL_A, LAN Alias IP = 192.168.
10. [BUG FIX] SPR ID: 071015779
Symptom: Device hangs when inputting the command "ip cf ob add trust aa.aa".
Conditions:
(1) Input the command "ip cf ob add trust aa.aa" in SMT 24.8 and the device hangs.
11. [BUG FIX] SPR ID: 071017888
Symptom: Missing help page in VPN>Network Policy>Edit>Port Forwarding Rules.
Conditions:
(1) Go to the eWC>VPN>Network Policy>Edit>Port Forwarding Rules page, click help and you will find there is no help page for it.
12.
15. [ENHANCEMENT] SPR ID: ITS #:18000
Add a hidden CI command "ipsec maxIkePskLength [31|32]" to turn on 32-byte PSK. After turning on 32-byte PSK, the user can save a 32-byte IPSec pre-shared key. A 32-byte PSK can only be used in ASCII format.
Modifications in V 4.03(WZ.0)b2 | 08/10/2007
1. [BUG FIX] ITS #14567
Symptom: IPSec tunnel can't be built with draft 0.
Condition: ZyWALL-----NAT Router-----Fortinet 200
(1) Create a VPN tunnel with the Fortinet.
(2) Enable NAT-Traversal.
for FTP, H323 or SIP.
Note: The default port of a well-known service will still work even if the user customizes another port for the same service. e.g. When the user defines port 1688 for FTP, the ZyWALL will support both port 21 and port 1688 for the FTP service at the same time.
5. [ENHANCEMENT] Add a Diagnostic feature for the ZyWALL to send out the system information automatically when the CPU load reaches the threshold. The purpose is system diagnosis.
6.
Extend the length of the Anti Spam Xtag from 23 to 47.
12. [ENHANCEMENT] SPR ID: 060807425
Enhancement of the GUI Home page.
(1) Add a link for Intrusion Detected/Virus Detected/Spam Mail Detected/Web Site Blocked to connect to its corresponding web page.
(2) Change the status of Intrusion Detected/Virus Detected/Spam Mail Detected:
(a) N/A --- No Turbo Card.
(b) Disable --- UTM or main feature not active.
(c) Numeric --- The count detected.
(3) Add a note for the UTM report.
13.
19. [BUG FIX] SPR ID: 060705202
Symptom: The format and content of "System Resources" are shown differently in eWC>>Home and SNMP management software.
Condition:
(1) See "System Resources" in eWC>>Home. They are shown like:
Flash 9/16 MB
Memory 42/64 MB
Sessions 87/10000
CPU 0%
(2) See "sysCPUUsage", "sysFlashUsage", "sysRAMUsage" and "sysSessionUsage" in SNMP management software, e.g. SNMPc Network Manager. They are shown like:
sysCPUUsage.0=0
sysFlashUsage.0=3
sysRAMUsage.0=30
sysSessionUsage.
Symptom: There will be a large latency in VPN1 if a new SA is set up.
Condition:
Topology: PC1 | | LAN ZWA | WAN | ----------+-----------+------------+-------------------| | | WAN | WAN ZWB ZWC | LAN | | PC2
VPN1: ZyWALLB builds a VPN with ZWA
VPN2: ZWC builds a VPN with ZWA
(1) Build VPN1 and ping PC1 from PC2.
(2) Build VPN2.
(3) There will be a large delay in the ping.
24.
(1) In SMT menu 4, delete the ISP's name. Save it.
(2) In SMT menu 11, edit the ISP's name as "WAN". Save it.
(3) We can't enter SMT menu 4 anymore.
27. [BUG FIX] SPR ID: 060714836, 060714837, 060714838.
Symptom: Trace route fails to get a response from our device.
Condition:
Topology: PC-----(LAN)ZWA(WAN)
(1) On the PC, try to trace route to a host (www.yahoo.com).
(2) Trace route cannot get a response from our device.
28. [BUG FIX] SPR ID: 060721405.
Symptom: Traffic log does not work in bridge mode.
31. [BUG FIX] SPR ID: 060731994, 060731995
Symptom: Policy route fails in a special topology.
Condition:
Topology:
ZyWALL B
||
PC1(192.168.1.33)-----(SWITCH)-----(192.168.2.33)ZyWALL A(192.168.10.1)-----PC2(192.168.10.33)
(1) The device under test is ZyWALL B; the LAN subnet is 192.168.1.x with a LAN IP alias 192.168.2.x.
(2) In ZyWALL B, there is a policy route rule that redirects the range 192.168.10.1-192.168.10.250 to 192.168.2.33.
(3) In ZyWALL A, disable the NAT and firewall features.
on the LAN side.
(5) Keep attacking and reboot the device.
(6) Check the centralized log; there are lots of "Common TOS double free" logs.
35. [BUG FIX] SPR ID: 060926698
Symptom: The default route learned from the LAN side router cannot work.
Condition:
Topology:
PC------(192.168.1.1)DUT(WAN)
|
---(192.168.1.100)Router(WAN)----- (Internet)
(1) Disconnect the WAN cable of the DUT, and connect the WAN cable of the router.
(2) DUT and router restore the default romfile.
(3) Change the router's LAN IP to "192.168.1.
(2) omni.net connects with an ISDN simulator, and the PPP server is P2002+.
(3) When WAN is down and the dial backup is up, a ZyWALL crash occurs.
40. [BUG FIX]
Symptom: Can't see the site on the public DMZ from the Internet.
Topology:
PC1---(LAN)-+ +-(WAN1)---Internet-----PC3
| |
+-ZyWALL-+
| |
PC2---(DMZ)-+ +-(WAN2)---Internet
Condition: The NAT setup of WAN 1 is full feature, and the NAT setup of WAN 2 is SUA. Can't see the site on the public DMZ from the Internet.
1. Set LAN to 192.168.1.1/24, DMZ to a public subnet.
2.
Condition:
(1) Add a BM filter for SIP on the WAN interface.
(2) Enable SIP ALG.
(3) A SIP connection can be built successfully with the customer's SIP server.
(4) But SIP traffic can't be monitored.
44. [BUG FIX]
Symptom: Some formats of logs should be consistent.
| MACAddr:0013026c13a3 |
| WLAN STA denied by WLAN MAC Filter |
| MACAddr:0013026c13a3 |
| DHCP server assigns IP:10.10.101.222 to |
| Kurt-I6400(00:13:02:88:79:59) |
45.
Symptom: ZyWALL (bridge mode) cannot forward broadcast fragmented UDP packets.
Condition:
Topology: Sender --- [WAN]DUT (Bridge Mode)[LAN] --- Receiver
(1) In bridge mode, set Firewall WAN->LAN to permit, enable DoS attack protection on WAN and LAN.
(2) The sender begins to send the broadcast fragmented UDP packets.
(3) The receiver cannot receive all the broadcast fragmented UDP packets.
4. [BUG FIX] ITS #13880
Symptom: Nokia E-series phones fail to retrieve e-mail from a server behind ZW 5.
CN=zyxel, OU=ms, O=sen, L=hamburg, ST=hamburg, C=de".
8. [BUG FIX] ITS #15262
Symptom: There's a delay of 2 seconds when checking DNS with NSLOOKUP if using the ZyWALL as a DNS server.
Condition:
Topology: PC-----(LAN) DUT (WAN)----internet
(1) The PC must join a domain.
(2) In Advance->DNS->System, put a public DNS server in the list or get one dynamically.
(3) In Advance->DNS->Cache, enable Cache Negative DNS Resolutions.
| LAN | | PC2
VPN1: ZyWALL35B builds a VPN with ZW35A
VPN2: ZW5 builds a VPN with ZW35A
(1) Build VPN1 from ZW35B and ping PC1 from PC2.
(2) Build VPN2 from ZW5.
(3) There will be a large delay in the ping from PC2 to PC1.
11. [BUG FIX] SPR ID: 070118898, 070118896
Symptom: The format and content of "System Resources" are shown differently in eWC>>Home and SNMP management software.
Condition:
(1) See "System Resources" in eWC>>Home.
>sys trcpacket chan enet1 bothway
>sys trcpacket switch on
>sys trcdisplay brief
(3) WAN connects to the PPTP server; soon the device crashes.
13. [BUG FIX] SPR ID: 070206519
Symptom: Device crashes when releasing/renewing IP in menu 24.4.
Condition:
(1) Change the DUT's MAC and reboot it.
(2) In Menu 24.4, release/renew IP several times.
(3) Device crashes.
(4) Can't reproduce.
14. [BUG FIX] SPR ID: 061211692
Symptom: Console sometimes shows "tosFree is not in network task..." messages.
Condition:
(1) Configure eWC>Advanced>NAT>NAT Overview, enable WAN1 NAT with SUA.
(2) Configure eWC>Security>Firewall>Default Rule, WAN1 to WAN1 = Permit.
(3) Open 4 portscan tools to scan the WAN1 IP from the WAN side; the DUT crashes after a period of time.
17. [BUG FIX] SPR ID: 070322438
Symptom: ZyWALL often reports "Cannot receive a complete result from the external server" when CF is enabled.
Condition:
(1) Enable the external server and some category items.
Symptom: Device does not log any CF customization events.
Condition:
(1) Enable content filtering.
(2) Enable Web site customization in the Customization page.
(3) Add a Forbidden Web Site or Keyword Blocking entry.
(4) Access the web page which should be blocked.
(5) You can see the blocked page but there is no blocked log in the Logs page.
3. [BUG FIX] #ITS 14936
Symptom: A URL request such as "http://www.host:80" cannot pass through the content filter trusted web site list.
(1) Let the device register to Vantage with Ether encapsulation.
(2) Change WAN encapsulation from Ether to PPPoE and fill in an incorrect login name and password.
(3) The device's WAN can't dial up because of the incorrect login name and password.
(4) Device crashes after 2 minutes.
9. [BUG FIX] 070208756
Symptom: Device crash.
Condition:
(1) Configure the device via Vantage.
(2) Reset the device to default settings. Then register to Vantage again.
(3) Start synchronizing all settings from Vantage to the device.
(4) Device crashes sometimes.
10.
(1) Set up one VPN between ZW5 and ZW70.
(2) Enable AV and IDP in ZW5, and enable the zip file scan in AV.
(3) PC1 starts FTP and HTTP download of one 50Mbps ZIP file.
(4) After about 3 minutes, PC1 cannot ping PC2 and cannot access the Internet.
4. [ENHANCEMENT]
(1) Support direct ACK/BYE SIP request.
(2) Support different global IP addresses for SIP clients and SIP server.
Note: Please refer to appendix 14; we solve the limitation about items 2 and 3.
5.
(3) But only the first connected VPN client can access ZyWALL 70's LAN side at a time.
8. [BUG FIX] 061128584, 061128585 (ITS#13932)
Symptom: Device crashes by hardware watchdog.
Condition:
Topology:
(a) PC --- [LAN]ZyWALL[WAN] --- HTTP server
(b) HTTP server --- [LAN] ZyWALL [WAN] --- PC
(1) Restore default romfile.
(2) When the PC connects to the HTTP server (http://www.alektogroup.com) through the ZyWALL, the ZyWALL will crash sometimes.
9.
PC --- [LAN] ZyWALL [WAN] --- Internet
(1) In router mode, enable content filter and set the block message but leave the Redirect URL blank.
(2) Enable external database content filtering and block matched web pages.
(3) Select the search engines/portals categories.
(4) Open http://www.sina.com.cn in Firefox and MSIE7.0. The block message cannot be shown completely in MSIE7.0 and nothing is shown in Firefox.
12. [BUG FIX] 061122298, 061122299, 061122300, 061107323
Symptom: Sometimes the DUT cannot detect eicar AV.
WAS: Change cnm encryption mode with 2 CLIs: 'cnm encrykey ' and 'cnm encrymode '.
IS: Change cnm encryption mode with one CLI: 'cnm encry '
17. [BUG FIX] 070105291
Symptom: DUT reboots.
Condition:
(1) Set DUT WAN as a PPPoE connection.
(2) Enable H323 ALG.
(3) Firewall forwards the H323 protocol from WAN1 to LAN.
(4) DUT forwards port 1720 from WAN1 to LAN.
(5) Make an H323 connection from WAN to LAN using OpenH323 software; the DUT can reboot.
18. [BUG FIX]
Symptom: Ping DMZ IP from a PC in the DMZ.
(2) Set a static route so that traffic goes to some destination A via WAN2.
(3) When WAN2 is down, use "ip ro st" to show the route table: the static route disappears, and the traffic to that destination goes through WAN1.
(4) After WAN2 is up again, the static route won't come back; the traffic to destination A still goes through WAN1.
23. [ENHANCEMENT] Support IXP425 B1 version CPU.
WAS: Support IXP425 A0/B0 version CPU
IS: Support IXP425 A0/B0/B1 version CPU
24.
Symptom: The "Up Time" shown on the Port Statistics and Home pages is quite different when the ZyWALL uptime is more than 100 hours.
Condition:
(1) Let the ZyWALL WAN1 uptime be more than 300 hours.
(2) Go to the eWC>HOME page; the "Up Time" is "4:00:00".
(3) Click the "Port Statistics" button; the WAN1 "Up time" in the pop-up window is "300.00.00".
5. [BUG FIX] SPR ID: 060420608
Symptom: Two SIP clients cannot talk to each other when both of them are in the LAN.
10. [BUG FIX] SPR ID: 061024810
Symptom: Multiple PPPoE connections cannot use the same PPPoE session ID.
Condition:
Topology: ZyWALL [WAN1] --- PPPoE [WAN2] --- PPPoE
(1) Set the ZyWALL's WAN1 & WAN2 encapsulations to PPPoE, and connect to different PPPoE servers.
(2) WAN1 & WAN2 will sometimes get the same PPPoE session ID; this confuses the PPPoE packet flow.
11. [BUG FIX] SPR ID: 060928848, 060928863
Symptom: Mail gets stuck when using VPN + PPPoE
Condition:
Topology: DeviceA(PPPoE) --- DeviceB --- PC(192.168.2.
SMTP Authentication and set related SMTP settings.
(3) The device's mail sending will fail on SMTP authentication.
15. [BUG FIX] SPR ID: 060822272
Symptom: ZyWALL will not mail its LOG if the IP specified is on the One-To-One Public IP.
Condition:
Topology: Mail Server-----------(DMZ)ZyWALL(WAN)
192.168.2.33 192.168.2.1 10.0.0.1 10.0.0.2
(1) Restore to default romfile.
(2) Set NAT type to full feature.
(3) Build a one-to-one rule for the mail server in the DMZ.
Local IP Global IP
192.168.2.33 <-> 10.0.0.
breaks the first infected file packet and stops tracking the file session in the previous mechanism. The old one has better performance, but there is a risk that it couldn't break a file with more than one virus. Now the ZyWALL breaks the first infected file packet and the following file packets as well. It is safer but lowers performance for handling infected files. We also fix the line-assembly bug for FTP and HTTP in this enhancement.
20. [ENHANCEMENT] SPR ID: 060809590, 060809591, 060809592.
Engineer note: The bug fix only applies to multiple WAN products.
26. [BUG FIX] SPR ID: 060809598
Symptom: PC cannot access the web server (www.fapa.com.pl) via our ZyWALL.
Condition: PC---(LAN)ZyWALL(WAN)---internet
(1) Get a ZyWALL with default romfile.
(2) Let the PC try to access www.fapa.com.pl.
(3) PC cannot access the web server.
(4) It is OK without the ZyWALL.
Special case packet flow:
Client(PC) Server(www.fapa.com.pl)
SYN ->
<- ACK = 0
<- SYN, ACK = 1
ACK = 1 ->
HTTP Get ->
27.
(2) System crashes sometimes.
30. [BUG FIX] SPR ID: 060831744
Symptom: PC cannot ping the WLAN interface IP.
Condition:
Topology: PC1(10.0.0.1)----(10.0.0.2)(WAN)ZyWALL(WLAN)(192.168.7.1)
(1) Restore default ROM file.
(2) Disable the firewall feature.
(3) In SMT 24.8, type "ip nat routing 2 1".
(4) Set the WLAN interface IP to "192.168.7.1".
(5) Set NAT to "Full Feature" mode.
(6) PC1 generates a PING packet to "192.168.7.1".
(7) There is no response from "192.168.7.
Support 60 categories in content filtering. New categories: "Hacking", "Phishing", "Spyware/Malware Sources", "Spyware Effects/Privacy Concerns", "Open Image/Media Search", "Social Networking", "Online Storage", "Remote Access Tools", "Peer-to-Peer", "Streaming Media/MP3s" and "Proxy Avoidance".
2. [ENHANCEMENT] Add a second time schedule setting in content filtering.
3. [ENHANCEMENT] Enhance the CI command "ip ifconfig".
(1) Add a new argument "mss" to configure the MSS value.
Symptom: The packet will be dropped if the device does not have the ARP entry of the receiver of this packet.
Condition:
(1) Clear the ARP table with "CI>ip arp flush".
(2) Send a ping to 168.95.1.1; the PC will not get a response to the first ICMP Echo Request.
(3) After the first ping, the rest of the pings get responses.
10. [BUG FIX]
Symptom: PPTP cannot pass through the ZyWALL from time to time.
PC-----(LAN)ZW70(WAN)
(1) On the PC, try to trace route to a host (www.yahoo.com).
(2) Trace route cannot get a response from our device.
15. [BUG FIX]
Symptom: Device crashes (software watchdog woken up by NAT).
Condition:
(1) Restore default romfile.
(2) After a while, the device will crash sometimes.
16. [BUG FIX]
Symptom: Backing up the configuration of AntiVirus is too slow.
Condition:
(1) In eWC->SECURITY->ANTI-VIRUS->Backup & Restore, click the "Backup" button to back up the AntiVirus configuration.
(1) Go to eWC>Maintenance to upload F/W.
(2) ZyWALL should show a progress page, but it does not.
(3) ZyWALL should display the login page after reboot, but it does not.
Modifications in V 4.01(WZ.0)b3 | 06/25/2006
5. [FEATURE CHANGE] Change the log format of Spam mail.
Was: Mail score is higher than threshold - Spam Score:!
Is: Mail score is higher or equal than threshold - Spam Score:!
6. [FEATURE CHANGE] Change some wordings which contain "fail back" in GUI and log.
(2) Disable Outlook SMTP authentication on the PC.
(3) PC on the LAN sends out a Microsoft Outlook testing mail.
(4) Device will crash immediately.
13. [BUG FIX]
Symptom: ZyWALL WLAN & DMZ ports cannot work as dynamic VLAN ports.
Condition:
(1) Restore default romfile.
(2) Set Port Roles as 1>LAN, 2>LAN, 3>DMZ, 4>WLAN.
(3) Set the DMZ IP to 10.10.2.1/24, DHCP to None.
(4) Set the Wireless Card bridge to WLAN.
(5) Unplug the wireless card and reboot the device.
(6) PC connects to the DMZ port; IP is 10.10.2.100/24 and gateway is 10.
18. [BUG FIX]
Symptom: The ZyWALL should use the user-configured time server for daily time adjustment.
Condition:
(1) Reboot the ZyWALL, set 'abc.abc.edu' as the user-defined 'Time Server Address'.
(2) The time synchronization fails at start-up and the ZyWALL uses the default built-in time server list.
(3) The ZyWALL will always use one of the built-in time servers to adjust the time daily, but it should use the user-configured time server for daily time adjustment.
19.
Modifications in V 4.01(WZ.0)b2 | 05/22/2006
1. [FEATURE CHANGE] Multicast AH or ESP packets will not be passed to the VPN module in the ZyWALL.
2. [FEATURE CHANGE] Change the wording of one category name in external content filtering.
Was: Streaming Media/MP3
Is: Streaming Media/MP3/P2P
3. [FEATURE CHANGE]
WAS: In SMT 24.8, "ipsec adjTcpMss auto" will switch "IPSec adjust TCP MSS" to auto mode.
IS: "ipsec adjTcpMss 0" will change to auto mode.
4. [ENHANCEMENT]
(1) System Resources: 1.
DMZ links to the eWC>Network>DMZ>DMZ page
IP alias1/2 links to the eWC>DMZ>IP alias 1/2 page
(6) Remove underlines from the links in eWC>Homepage.
(7) Put a warning message on eWC>Homepage when the Turbo card is not installed.
(8) If there is no Turbo Card installed, the Security Services should be presented accordingly:
WAS: Intrusion Detected 0, Virus Detected 0
IS: Intrusion Detected N/A, Virus Detected N/A
5. [ENHANCEMENT] Support dual multiple-WAN devices for the IPSec HA scenario.
6.
Enable Nail up
SA lifetime = 28800 seconds
Policy 2:
Local network: 192.168.1.33/24
Remote network: 192.168.2.33/24
SA lifetime = 180 seconds
(2) VPN configuration on ZW_B:
IKE 1:
Secure gateway: 192.168.70.100
Enable XAUTH server
SA lifetime = 180 seconds
Policy 1:
Local network: 2.2.2.2/24
Remote network: 1.1.1.1/24
SA lifetime = 28800 seconds
Policy 2:
Local network: 192.168.2.33/24
Remote network: 192.168.1.
13. [BUG FIX][060427219]
Symptom: In PPTP encapsulation, with VPN, AV and AS enabled, the PC cannot receive mail via the VPN tunnel.
Condition: PC1(mail-server:argosoft1.8)--(DMZ)ZW70(WAN:PPPoE)---(WAN:PPTP)ZW5(LAN)------PC2(Outlook Express)
(1) Establish a VPN tunnel between ZW70 and ZW5.
(2) In ZW70, enable AV, disable AS.
(3) In ZW5, enable AS.
(4) PC2 can't receive the mail from PC1.
14. [BUG FIX][060424803]
Symptom: ZyWALL crashes after changing the MAC address.
Local ID: Type=DNS Content = d.c.b.a
Peer ID: Type=DNS Content = a.b.c.d
IPSEC Policy: Local=Single 1.1.1.1, Remote=Single 2.2.2.2
(3) Dial the VPN tunnel from Bridge_A to Bridge_B; the VPN tunnel fails to build because of a phase one ID mismatch.
17. [BUG FIX][060426102]
Symptom: User can't receive mail through the VPN tunnel when WAN is in PPTP encapsulation.
Condition:
Topology: PC1 (mail client) --- ZW5 (PPTP) === VPN tunnel === ZW70 ---- PC2 (mail server)
(1) Establish a VPN tunnel between ZW5 and ZW70.
End Port=21.
(4) Disable Firewall.
(5) PC1 FTPs to PC2, and then PC2 FTPs to PC1.
(6) PC2 disconnects its FTP session; reconnecting to PC1 then fails, while the PC1 FTP session is still connected.
20. [BUG FIX][060424820]
Symptom: GUI pops up a JavaScript error in eWC>NAT>NAT Overview
Condition:
(1) Go to eWC>NAT>NAT, change Max concurrent session per host to 500 and press the "Enter" key.
(2) ZyWALL pops up a JavaScript error.
(3) The status bar shows "spSave () fail with Error -6103".
21.
(2) Go to eWC/Network/Wireless Card/Wireless Card, enable the wireless card and set the ESSID to "testWlan".
(2) The wireless client can scan the "testWlan" network with the Odyssey tool.
(3) Disable the wireless card.
(4) The wireless client can still scan the "testWlan" network with the Odyssey tool.
25. [BUG FIX][060426084]
Symptom: ZyWALL crashes when setting NAT address mapping rules.
Condition:
(1) Go to the eWC>NAT>Address Mapping page.
(2) Add a new rule, configure Type= Many-to-Many-Overload, Local Start IP= 1.1.1.1 Local End IP= 3.
Condition:
(1) Put PC1 and PC2 on the LAN side of the ZyWALL.
(2) ZyWALL enables Anti-Spam and disables External Database.
(3) PC2 installs the Merak Mail Server.
(4) PC1 uses Outlook Express to send mail to itself via the mail server on PC2.
(5) When PC1 is sending mails, the mail gets stuck until timeout.
30. [BUG FIX][060412729]
Symptom: Device responds with an invalid sysObjectID value while SNMP browsing.
Condition:
(1) Restore default romfile.
WLAN has a mail client. All of them are on IxLoad.
(3) Run IxLoad for 10 minutes; the device crashes.
34. [BUG FIX][060418336]
Symptom: Traffic can't go out after using the tfgen tool.
Condition:
(1) Restore default rom file.
(2) In LAN, use TfGen with the following settings:
Utilization: 40000
Destination: 168.95.1.1
Port: 777
After using tfgen, all the traffic from the LAN can't go outside.
Modifications in V 4.01(WZ.0)b1 | 04/24/2006
1. 2. 3. 4. 5. 6. 7. 8.
9. [ENHANCEMENT]
(1) Add UTM reports for IDP/AV/AS.
WLAN Zone enhancement.
(1) ZyWALL has an independent WLAN Zone interface, regardless of the WLAN card.
(2) The WLAN card is not the independent WLAN interface.
(3) The WLAN card can be bridged to the LAN, DMZ and WLAN Zone interfaces.
10. [ENHANCEMENT] Support WLAN in the "ip nat routing" CI command. When this option is turned on for LAN/DMZ/WLAN, packets are routed when they cannot match any NAT rule.
11. [ENHANCEMENT] Add a CI command "ip alg ftpPortNum [port number]" to support a different port number on the FTP ALG.
Appendix 1 Remote Management Enhancement (Add SNMP & DNS Control)
New function
(1) You can change the server port.
(2) You can set the security IP address for each type of server.
(3) You can define the rule for server access (WAN only/LAN only, None, ALL).
(4) The secure IP and port of the SNMP server are read only.
(5) The port of the SNMP and DNS server is read only.
(6) The default server access of SNMP and DNS is ALL.
Modification
(1) The default value for the Server access rule is ALL.
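The access decision Appendix 1 describes (a per-server port, an optional secure IP, and a WAN only/LAN only/None/ALL rule) can be written down as a small policy evaluator. The block below is an added example, not ZyWALL code: the LAN subnet, the WWW secure IP and every value except the page's stated ALL default for SNMP and DNS are constructed, and the secure-IP semantics (only that address may reach the service when one is set) is an assumption. It shows why the ALL default for SNMP answers a WAN-side query and what changes once the rule is tightened.

```python
from ipaddress import ip_address, ip_network

# Constructed sample LAN subnet; the release note does not name one.
LAN_NET = ip_network("192.168.1.0/24")

# Per-server settings in the shape Appendix 1 lists them. Only the "ALL"
# rule for SNMP and DNS is from the page (its default); the rest is constructed.
SERVERS = {
    "WWW":  {"port": 80,  "access": "LAN only", "secure_ip": "192.168.1.10"},
    "SNMP": {"port": 161, "access": "ALL",      "secure_ip": None},
    "DNS":  {"port": 53,  "access": "ALL",      "secure_ip": None},
}


def interface_of(src_ip):
    """Classify the source as LAN or WAN by subnet (assumes no DMZ/WLAN zones)."""
    return "LAN" if ip_address(src_ip) in LAN_NET else "WAN"


def is_allowed(servers, service, src_ip, dst_port):
    """Apply the Appendix 1 rule set to one management connection attempt."""
    cfg = servers[service]
    if dst_port != cfg["port"]:
        return False                      # not addressed to this management server
    rule = cfg["access"]
    iface = interface_of(src_ip)
    if rule == "None":
        return False
    if rule == "LAN only" and iface != "LAN":
        return False
    if rule == "WAN only" and iface != "WAN":
        return False
    # Assumed secure-IP semantics: when set, only that address may connect.
    if cfg["secure_ip"] is not None and ip_address(src_ip) != ip_address(cfg["secure_ip"]):
        return False
    return True


def restrict(servers, service, access, secure_ip=None):
    """Return a copy of the table with one service's access rule replaced."""
    out = {name: dict(cfg) for name, cfg in servers.items()}
    out[service]["access"] = access
    out[service]["secure_ip"] = secure_ip
    return out


if __name__ == "__main__":
    # With the page's default (ALL), SNMP answers a query from the WAN side.
    print(is_allowed(SERVERS, "SNMP", "203.0.113.5", 161))                          # True
    lan_only = restrict(SERVERS, "SNMP", "LAN only")
    print(is_allowed(lan_only, "SNMP", "203.0.113.5", 161))                         # False
    print(is_allowed(lan_only, "SNMP", "192.168.1.77", 161))                        # True
    # WWW is pinned to one LAN host by its secure IP.
    print(is_allowed(SERVERS, "WWW", "192.168.1.77", 80))                           # False
```

The evaluator keeps the interface rule and the secure-IP check separate so that a reader can see which of the two blocks a given source, and that a port mismatch is rejected before either rule is consulted.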
Press ENTER to Confirm or ESC to Cancel:
Appendix 2 Trigger Port Introduction Some routers try to get around this "one port per customer" limitation by using "triggered" maps. Triggered maps work by having the router watch outgoing data for a specific port number and protocol. When the router finds a match, it remembers the IP address of the computer that sent the matching data.
"Incoming Port". If it matches, the Prestige will forward the packet to the IP address recorded in the internal table for this port. (This behavior is the same as for port forwarding.)
(3) The recorded IP in the internal table will be cleared if machine A disconnects from the sessions that match the "Trigger Port".
Notes
(1) Trigger events can't happen on data coming from outside the firewall because the NAT router's sharing function doesn't work in that direction.
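The triggered-map behaviour of Appendix 2 (watch outgoing data for the trigger port, record the sender, forward later inbound traffic on the incoming port to that host, clear the entry when the session ends) is simulated below. This is an added example, not ZyWALL or Prestige firmware code; the rule names and port numbers are constructed, and only the mechanism comes from the appendix. It also shows the "one port per customer" consequence the appendix mentions: an incoming port maps to a single recorded host, so a second host triggering the same rule takes the entry over, and inbound traffic alone never creates one.

```python
# Constructed trigger rules (names and ports are examples, not from the release note):
# outgoing traffic to "trigger" opens inbound forwarding on "incoming".
RULES = [
    {"name": "app-A", "trigger": 6000, "incoming": 7000},
    {"name": "app-B", "trigger": 2100, "incoming": 3100},
]


class TriggerPortTable:
    """Simulates the internal table Appendix 2 describes."""

    def __init__(self, rules):
        self.rules = rules
        self.recorded = {}   # incoming port -> inside IP that triggered it

    def outbound(self, src_ip, dst_port):
        """Watch outgoing data; on a trigger-port match, remember the sender.
        Returns the names of the rules that fired (one host per incoming port)."""
        fired = []
        for rule in self.rules:
            if dst_port == rule["trigger"]:
                self.recorded[rule["incoming"]] = src_ip
                fired.append(rule["name"])
        return fired

    def inbound(self, dst_port):
        """An incoming packet is forwarded only if its port has a recorded IP.
        Returns the inside IP to forward to, or None (dropped). Per note (1),
        inbound traffic never creates an entry, so nothing is learned here."""
        return self.recorded.get(dst_port)

    def session_closed(self, src_ip, trigger_port):
        """Machine A disconnected from the trigger-port session: clear the
        recorded IP on every incoming port that this trigger had opened."""
        for rule in self.rules:
            if rule["trigger"] == trigger_port and self.recorded.get(rule["incoming"]) == src_ip:
                del self.recorded[rule["incoming"]]


if __name__ == "__main__":
    table = TriggerPortTable(RULES)
    print(table.inbound(7000))                       # None: nothing triggered yet
    print(table.outbound("192.168.1.33", 6000))      # ['app-A']
    print(table.inbound(7000))                       # 192.168.1.33
    print(table.inbound(6000))                       # None: a trigger port is not an incoming port
    table.session_closed("192.168.1.33", 6000)
    print(table.inbound(7000))                       # None again
```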
Appendix 3 Hard-coded packet filter for "NetBIOS over TCP/IP" (NBT)
The new set of CI commands is under the "sys filter netbios" sub-command. The default value for any direction is “Forward”, and trigger dial is “Disabled”. There are two CI commands:
(1) "sys filter netbios disp": displays the current filter mode.
Appendix 4 Traffic Redirect/Static Route Application Note
Why traffic redirect/static route is blocked by the ZyWALL
The ZyWALL is the ideal secure gateway for all data passing between the Internet and the LAN. For some reasons (load balance or backup line), users want traffic re-routed to other Internet access devices while still being protected by the ZyWALL. The network topology is the most important issue. Here is a common example of how people misuse LAN traffic redirect and static route.
normal function.
Figure 5-2 Gateway on alias IP network
(2) Gateway on WAN side
A working topology is suggested below.
Figure 5-3 Gateway on WAN side
Appendix 5 IPSec FQDN support
ZyWALL A-------------Router C (with NAT) ------------ZyWALL B
(WAN) (WAN) (LAN) (WAN)
If ZyWALL A wants to build a VPN tunnel with ZyWALL B by passing through Router C with NAT, A cannot see B. It has to set its secure gateway to C. However, ZyWALL B will send its packet with its own IP and its ID to ZyWALL A.
contents are consistent and they can connect. Basically the story is the same when the ID type is IP. If the user configures the ID content, then the ZyWALL will use it as a check, so the ID contents also have to match each other. For example, the ID type and ID content of incoming packets must match "Peer ID Type" and "Peer ID Content", or the ZyWALL will reject the connection. However, the user can leave "ID Content" blank if the ID type is IP; the ZyWALL will put the proper value in it during IKE negotiation.
1. When Local ID Content is blank, which means the user did not type anything there, the ID content sent during IKE negotiation will be "My IP Addr" (if it is not 0.0.0.0) or else the local WAN IP. 2. When "Peer ID Content" is not blank, the ID of the incoming packet has to match our setting, or the connection request will be rejected. 3. When "Secure Gateway IP Addr" is 0.0.0.0 and "Peer ID Content" is blank, the system can only check the ID type.
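The following is an added example, not ZyXEL code, that writes the three ID rules above and the Appendix 5 NAT scenario as plain functions so the accept/reject decisions can be traced. Field names follow the release note; the addresses (203.0.113.1 for Router C, 192.168.1.2 for ZyWALL B's WAN behind the NAT, 198.51.100.10 for ZyWALL A) and the host names are constructed. One point is this example's own reading of the text rather than something the note states: when "Peer ID Content" is blank, the ID type is IP and a Secure Gateway IP Addr is set, the "proper value" filled in is taken to be that secure gateway address, which is what makes the IP-type case fail through NAT and the FQDN case succeed.

```python
# Added example (not ZyXEL code): the ID checks of Appendix 5 as plain
# functions. Field names follow the release note; addresses and host names are
# constructed. Treating a blank Peer ID Content of type IP as "expect the
# Secure Gateway IP Addr" is an assumption made here.
from dataclasses import dataclass
from typing import Dict, Tuple

ANY_IP = "0.0.0.0"


@dataclass
class VpnRule:
    my_ip_addr: str          # "My IP Addr"; 0.0.0.0 means not set
    local_wan_ip: str        # address currently on the WAN interface
    local_id_type: str       # "IP", "DNS" or "E-mail"
    local_id_content: str    # may be blank
    secure_gateway_ip: str   # "Secure Gateway IP Addr"; 0.0.0.0 = any peer
    peer_id_type: str
    peer_id_content: str     # may be blank


def local_id(rule: VpnRule) -> Tuple[str, str]:
    """Rule 1: the ID this ZyWALL sends in IKE."""
    if rule.local_id_content:
        return rule.local_id_type, rule.local_id_content
    if rule.local_id_type == "IP":
        # blank IP-type content is filled in by the device
        addr = rule.my_ip_addr if rule.my_ip_addr != ANY_IP else rule.local_wan_ip
        return "IP", addr
    raise ValueError("blank Local ID Content is only allowed with ID type IP")


def check_peer_id(rule: VpnRule, incoming_type: str, incoming_content: str) -> Tuple[bool, str]:
    """Rules 2 and 3: accept or reject the ID payload of an incoming IKE packet."""
    if incoming_type != rule.peer_id_type:
        return False, "ID type mismatch"
    if rule.peer_id_content:
        if incoming_content != rule.peer_id_content:
            return False, "ID content mismatch"                    # rule 2
        return True, "type and configured content match"
    if rule.secure_gateway_ip == ANY_IP:
        return True, "dynamic peer, only the ID type was checked"   # rule 3
    if rule.peer_id_type == "IP":
        # assumption: the value the ZyWALL fills in is the secure gateway address
        if incoming_content != rule.secure_gateway_ip:
            return False, "ID content differs from Secure Gateway IP Addr"
        return True, "type and secure gateway address match"
    return False, "blank Peer ID Content is only allowed with ID type IP"


def fqdn_scenario() -> Dict[str, Tuple[bool, str]]:
    """Constructed Appendix 5 topology: ZyWALL A -> Router C (NAT) -> ZyWALL B.
    A's secure gateway is C's public address; B sends its own (private) WAN IP."""
    router_c_public = "203.0.113.1"
    zywall_a_wan = "198.51.100.10"
    zywall_b_wan = "192.168.1.2"      # behind Router C's NAT
    results: Dict[str, Tuple[bool, str]] = {}

    # IP-type IDs: B identifies itself by an address A never sees on the wire
    rule_a_ip = VpnRule(ANY_IP, zywall_a_wan, "IP", "", router_c_public, "IP", "")
    rule_b_ip = VpnRule(ANY_IP, zywall_b_wan, "IP", "", zywall_a_wan, "IP", "")
    b_type, b_content = local_id(rule_b_ip)
    results["ip_type"] = check_peer_id(rule_a_ip, b_type, b_content)

    # FQDN (DNS) IDs: both sides agree on names, so the NAT in between does not matter
    rule_a_dns = VpnRule(ANY_IP, zywall_a_wan, "DNS", "zywall-a.example",
                         router_c_public, "DNS", "zywall-b.example")
    rule_b_dns = VpnRule(ANY_IP, zywall_b_wan, "DNS", "zywall-b.example",
                         zywall_a_wan, "DNS", "zywall-a.example")
    results["fqdn_type"] = check_peer_id(rule_a_dns, *local_id(rule_b_dns))
    return results
```

Running fqdn_scenario() rejects the IP-type exchange (B's ID 192.168.1.2 is not A's secure gateway 203.0.113.1) and accepts the DNS-type exchange, which is the reason the appendix recommends FQDN IDs across a NAT.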
ISP (or network). This secondary WAN port can be used in an "active-active" load-sharing or fail-over configuration, providing a highly efficient method for maximizing total network bandwidth. The default mode of the WAN 2 interface is "Active-Passive" or "Fail-Over" mode, that is, the secondary WAN is brought up automatically when the first WAN fails. The user can go to the eWC/WAN/General page to set the WAN to "Active/Active" mode.
Appendix 9 IPSec IP Overlap Support
Figure 1 (topology with ZyWALL A and ZyWALL B across the WAN; hosts PCA 1.1.1.33, PCB 1.1.2.250 and PCC 1.1.2.250; networks LAN 1.1.1.0/24, LAN 1.1.2.0/28 and IP Alias 1.1.2.0/24)
The ZyWALL uses the network policy to decide whether traffic matches a VPN rule. But if the ZyWALL finds traffic whose local address range overlaps the remote address range, it cannot tell whether it needs to trigger the VPN tunnel or just route the packet. So we provide the CI command "ipsec swSkipOverlapIp" to trigger the VPN rule in this case.
Appendix 10 VPN Local IP Address Limitation
Figure 1 (topology with ZyWALL A and ZyWALL B across the WAN; hosts PCA 1.1.1.33, PCB 1.1.2.250 and PCC 1.1.2.250; networks LAN 1.1.1.0/24, LAN 1.1.2.0/28 and IP Alias 1.1.2.0/24)
There is a limitation when you configure the VPN network policy to use any Local IP address. When you set the Local address to 0.0.0.0 and, at the same time, the Remote address range includes any interface IP of the ZyWALL, traffic related to remote management or DHCP between PCs and the ZyWALL may not work correctly.
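The following is an added example, not ZyXEL code, that checks one VPN network policy for the two pitfalls of Appendix 9 and Appendix 10 and shows the routing decision for a packet whose destination falls in both the local and the remote range. It uses the networks from Figure 1 and assumes the IP alias 1.1.2.0/24 is on ZyWALL A with remote 1.1.2.0/28 behind ZyWALL B, that "Local address 0.0.0.0" is represented as 0.0.0.0/0, and that 1.1.1.1 and 1.1.2.1 are ZyWALL A's interface addresses; the release note does not state those details. When the overlap switch is off the example returns "ambiguous", since the note only says the ZyWALL is confused, not which way it decides.

```python
# Added example (not ZyXEL code): checks for the two network-policy pitfalls in
# Appendices 9 and 10, using the addresses from Figure 1. Which ZyWALL holds the
# alias, the interface addresses and the 0.0.0.0/0 encoding of "any local
# address" are assumptions.
import ipaddress
from typing import Dict, List, Sequence


def net(s: str) -> ipaddress.IPv4Network:
    return ipaddress.ip_network(s, strict=False)


def policy_warnings(local_nets: Sequence[str], remote_net: str,
                    interface_ips: Sequence[str]) -> List[str]:
    """Return the Appendix 9 / Appendix 10 warnings that apply to one policy."""
    remote = net(remote_net)
    warnings: List[str] = []
    for local_s in local_nets:
        local = net(local_s)
        if local.overlaps(remote):
            warnings.append(f"local {local} overlaps remote {remote}: policy match is "
                            f"ambiguous (Appendix 9, see ipsec swSkipOverlapIp)")
        if local.prefixlen == 0:   # Local address 0.0.0.0 = any
            for ip in interface_ips:
                if ipaddress.ip_address(ip) in remote:
                    warnings.append(f"local is any and remote {remote} contains interface "
                                    f"address {ip}: remote management/DHCP may break (Appendix 10)")
    return warnings


def route_decision(dst_ip: str, local_nets: Sequence[str], remote_net: str,
                   skip_overlap_ip: bool) -> str:
    """Where a LAN packet to dst_ip goes: "tunnel", "local" or "ambiguous"."""
    dst = ipaddress.ip_address(dst_ip)
    in_remote = dst in net(remote_net)
    in_local = any(dst in net(n) for n in local_nets)
    if not in_remote:
        return "local"          # not covered by the VPN rule at all
    if in_local and not skip_overlap_ip:
        return "ambiguous"      # the note says the ZyWALL is confused here
    return "tunnel"             # swSkipOverlapIp set: the VPN rule is triggered


def figure1() -> Dict[str, object]:
    """Figure 1 as assumed above: ZyWALL A has LAN 1.1.1.0/24 plus alias
    1.1.2.0/24; the remote network behind ZyWALL B is 1.1.2.0/28."""
    local = ["1.1.1.0/24", "1.1.2.0/24"]
    remote = "1.1.2.0/28"
    return {
        "warnings": policy_warnings(local, remote, ["1.1.1.1", "1.1.2.1"]),
        "to_1.1.2.5_default": route_decision("1.1.2.5", local, remote, False),
        "to_1.1.2.5_skip": route_decision("1.1.2.5", local, remote, True),
        "to_1.1.2.250": route_decision("1.1.2.250", local, remote, True),   # PCB, outside the /28
        "any_local": policy_warnings(["0.0.0.0/0"], remote, ["1.1.2.1"]),  # Appendix 10 case
    }
```

The "any_local" entry produces both warnings: a local range of 0.0.0.0/0 overlaps every remote range, and the remote 1.1.2.0/28 contains the assumed alias interface address 1.1.2.1, which is the Appendix 10 situation.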
ZyXEL VPN Client
Security Gateway: 1.1.1.1
Phase one Authentication method: Preshare Key
Remote: 192.168.1.0/24
In example 1, the user may wonder why the ZyWALL swaps to the dynamic rule even though the VPN client only set the authentication method to "Preshare Key", not "Preshare Key+XAuth". The root cause is that the current ZyXEL VPN Client sends the XAuth VID no matter what authentication mode is set. Because of the XAuth VID, the ZyWALL swaps to the dynamic rule. This unexpected rule swap is a limitation of our design.
on forceUpdate, then when the ZyWALL receives a gratuitous ARP it forcibly updates the MAC mapping in the ARP table; if forceUpdate is turned off, a gratuitous ARP updates the MAC mapping in the ARP table only when there is no such mapping in the table yet. As an example of its purpose, there is a backup gateway on the network as in the picture.
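The following is an added example, not ZyXEL code, that parses gratuitous ARP frames from raw bytes and applies the two forceUpdate behaviours described above to an ARP table, using the backup-gateway situation as the scenario. The frame builder, the MAC and IP values (gateway 192.168.1.254, primary MAC 00:11:22:33:44:01, backup MAC 00:11:22:33:44:02) and the step results are constructed for the example.

```python
# Added example (not ZyXEL code): parse gratuitous ARP frames and apply the two
# forceUpdate behaviours to an ARP table. Frame construction, MAC/IP values and
# the backup-gateway scenario are constructed for the example.
import struct
from typing import Dict, Optional

ETH_P_ARP = 0x0806
BROADCAST = "ff:ff:ff:ff:ff:ff"
ZERO_MAC = "00:00:00:00:00:00"


def _mac(s: str) -> bytes:
    return bytes(int(x, 16) for x in s.split(":"))


def _ip(s: str) -> bytes:
    return bytes(int(x) for x in s.split("."))


def build_arp(sender_mac: str, sender_ip: str, target_mac: str, target_ip: str,
              opcode: int = 1) -> bytes:
    """Ethernet II + ARP for IPv4 over Ethernet. opcode 1 = request, 2 = reply."""
    eth = _mac(BROADCAST) + _mac(sender_mac) + struct.pack("!H", ETH_P_ARP)
    arp = (struct.pack("!HHBBH", 1, 0x0800, 6, 4, opcode)
           + _mac(sender_mac) + _ip(sender_ip) + _mac(target_mac) + _ip(target_ip))
    return eth + arp


def parse_arp(frame: bytes) -> Optional[Dict[str, object]]:
    """Return the ARP fields, or None if this is not an Ethernet/IPv4 ARP frame."""
    if len(frame) < 42 or struct.unpack("!H", frame[12:14])[0] != ETH_P_ARP:
        return None
    htype, ptype, hlen, plen, opcode = struct.unpack("!HHBBH", frame[14:22])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        return None
    body = frame[22:42]
    return {
        "opcode": opcode,
        "sender_mac": ":".join(f"{b:02x}" for b in body[0:6]),
        "sender_ip": ".".join(str(b) for b in body[6:10]),
        "target_mac": ":".join(f"{b:02x}" for b in body[10:16]),
        "target_ip": ".".join(str(b) for b in body[16:20]),
    }


def is_gratuitous(arp: Dict[str, object]) -> bool:
    """Gratuitous ARP: the sender announces its own address (sender IP == target IP)."""
    return arp["sender_ip"] == arp["target_ip"]


class ArpTable:
    def __init__(self, force_update: bool) -> None:
        self.force_update = force_update
        self.entries: Dict[str, str] = {}   # IP -> MAC

    def on_frame(self, frame: bytes) -> str:
        arp = parse_arp(frame)
        if arp is None or not is_gratuitous(arp):
            return "ignored"
        ip, mac = str(arp["sender_ip"]), str(arp["sender_mac"])
        if ip not in self.entries:
            self.entries[ip] = mac       # both modes learn an address that is not in the table
            return "added"
        if self.entries[ip] == mac:
            return "unchanged"
        if self.force_update:
            self.entries[ip] = mac       # forceUpdate on: overwrite the existing mapping
            return "updated"
        return "kept"                    # forceUpdate off: the existing mapping stays


def backup_gateway_scenario(force_update: bool) -> Dict[str, str]:
    """The primary gateway owns 192.168.1.254; the backup takes the address over
    and announces it with a gratuitous ARP. Returns what the table did per step."""
    table = ArpTable(force_update)
    primary = build_arp("00:11:22:33:44:01", "192.168.1.254", ZERO_MAC, "192.168.1.254")
    backup = build_arp("00:11:22:33:44:02", "192.168.1.254", ZERO_MAC, "192.168.1.254")
    plain_request = build_arp("00:11:22:33:44:99", "192.168.1.33", ZERO_MAC, "192.168.1.1")
    return {
        "primary": table.on_frame(primary),
        "backup": table.on_frame(backup),
        "request": table.on_frame(plain_request),
        "gateway_mac": table.entries["192.168.1.254"],
    }
```

With forceUpdate on the backup's announcement replaces the primary's entry, which is what makes the backup gateway reachable immediately; the same frame sent by any other host on the segment replaces it just as readily, so the switch trades fail-over speed against resistance to forged gratuitous ARP. With forceUpdate off the first mapping stays and the backup's announcement is ignored while that entry exists.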
(2) ipsec initContactMode tunnel: When the ZyWALL receives an IKE packet carrying Initial Contact (IC), it deletes only the one existing tunnel whose security gateway IP is the same as this IKE packet's and whose phase 2 ID (network policy) also matches. This is suitable when tunnels are created from VPN peers to the ZyWALL and several such peers build tunnels from behind the same NAT router. Taking picture 2 as an example, PC1, PC2 and PC3 each have their own VPN software to create tunnels with the ZW.
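The following is an added example, not ZyXEL code, that applies an Initial Contact notification to a table of tunnels in the "tunnel" mode described above and, for contrast, in a mode that deletes every tunnel with the same security gateway IP (the name of that other mode is not in this excerpt, so it is modelled as a flag rather than given a CLI name). The NAT router address 203.0.113.5, the network policies and the "PC3 restarts and sends IC" sequence are constructed.

```python
# Added example (not ZyXEL code): how an IKE Initial Contact (IC) notification
# is applied to the tunnel table. per_tunnel=True is the "tunnel" mode described
# in the release note; per_tunnel=False models deletion of every tunnel from the
# same security gateway IP. Addresses and policies are constructed.
from dataclasses import dataclass
from typing import Dict, List, Tuple

Phase2Id = Tuple[str, str]   # (local network, remote network) of the network policy


@dataclass(frozen=True)
class Tunnel:
    peer_name: str
    gateway_ip: str      # IKE peer address as the ZyWALL sees it (here: the NAT router)
    phase2_id: Phase2Id


class SaTable:
    def __init__(self, per_tunnel: bool) -> None:
        self.per_tunnel = per_tunnel
        self.tunnels: List[Tunnel] = []

    def add(self, t: Tunnel) -> None:
        self.tunnels.append(t)

    def on_initial_contact(self, gateway_ip: str, phase2_id: Phase2Id) -> List[Tunnel]:
        """Apply IC received from gateway_ip; return the tunnels torn down."""
        if self.per_tunnel:
            # "tunnel" mode: gateway IP and phase 2 ID must both match
            victims = [t for t in self.tunnels
                       if t.gateway_ip == gateway_ip and t.phase2_id == phase2_id]
        else:
            # gateway-wide mode: every tunnel from that gateway IP goes
            victims = [t for t in self.tunnels if t.gateway_ip == gateway_ip]
        self.tunnels = [t for t in self.tunnels if t not in victims]
        return victims


def picture2(per_tunnel: bool) -> Dict[str, List[str]]:
    """PC1..PC3 behind one NAT router (203.0.113.5), each with its own VPN
    software and its own network policy. PC3 restarts and sends IC."""
    nat_ip = "203.0.113.5"
    zw_lan = "192.168.1.0/24"
    table = SaTable(per_tunnel)
    for n in (1, 2, 3):
        table.add(Tunnel(f"PC{n}", nat_ip, (zw_lan, f"10.0.0.{n}/32")))
    dropped = table.on_initial_contact(nat_ip, (zw_lan, "10.0.0.3/32"))
    return {"dropped": [t.peer_name for t in dropped],
            "remaining": [t.peer_name for t in table.tunnels]}
```

In the gateway-wide mode PC3's IC also tears down PC1's and PC2's tunnels, because all three share the NAT router's address; the "tunnel" mode removes only PC3's stale tunnel.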
Figure 1. But there are still some limitations that we need to overcome in the future. When you deploy your SIP server on the LAN for SIP service, please make sure your topology avoids any of the cases listed below. (1) When the SIP client is on the LAN, do not use NAT loopback for the SIP server.
Figure 2. (2) Try not to use different global IPs for the SIP client and the SIP server on NAT. Currently there are still some limitations when different global IPs are used for the SIP client and the SIP server. For instance, in Figure 3, the SIP server and SIP client B are on the same LAN. If we use different global IPs for the SIP server and the SIP client, SIP client A, which is behind another NAT router, will fail to communicate with SIP client B. Figure 3.
phone B. Thus call setup will fail. This limitation is a SIP client related issue: some SIP clients send the ACK request directly to the remote client, some send it through the proxy server. Figure 4. (4) We do not support multiple SIP proxies along the path. We have not implemented or handled this kind of topology (Figure 5), so the result is unknown.
(4) The "Update Server" replies with a file list to the PC; the download address of the file is the "File Server". At the same time the "Update Server" informs the "File Server" that a PC located at the "WAN1" IP address will fetch a file from it. (5) The PC knows the file address and retrieves the file through "WAN2". (6) The "File Server" thinks the PC's IP should be "WAN1" instead of "WAN2", so it rejects the PC's request.
If we set the timeout value to "10 seconds", 5 seconds is not a timeout; the device will route the new session to the same interface.
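The following is an added example, not ZyXEL code, of a session-to-WAN selector with the timeout behaviour described above, run through the Update Server / File Server sequence with the timeout set to 10 seconds and to 0. Two details are assumptions, since the release note does not spell them out: new sessions that are not covered by a recent one alternate between WAN1 and WAN2, and each new session refreshes the per-host timer.

```python
# Added example (not ZyXEL code): a session-to-WAN selector with the timeout
# behaviour described in the release note. Alternating between WAN1 and WAN2
# for new sessions and refreshing the timer per session are assumptions.
from typing import Dict, Sequence, Tuple


class WanSelector:
    def __init__(self, timeout_s: float, interfaces: Sequence[str] = ("WAN1", "WAN2")) -> None:
        self.timeout = timeout_s
        self.interfaces = tuple(interfaces)
        self.next_idx = 0
        # LAN host -> (interface used, time of its most recent session)
        self.last: Dict[str, Tuple[str, float]] = {}

    def route(self, src_ip: str, now: float) -> str:
        entry = self.last.get(src_ip)
        if entry is not None and now - entry[1] < self.timeout:
            iface = entry[0]                     # inside the timeout: stay on the same WAN
        else:
            iface = self.interfaces[self.next_idx % len(self.interfaces)]
            self.next_idx += 1                   # timed out or new host: pick the next WAN
        self.last[src_ip] = (iface, now)
        return iface


def update_scenario(timeout_s: float) -> Dict[str, str]:
    """Steps (1)-(6) above: the PC talks to the Update Server, then 5 s later
    opens a second session to the File Server, then another one 15 s after that."""
    sel = WanSelector(timeout_s)
    pc = "192.168.1.33"
    first = sel.route(pc, now=0.0)       # session to the Update Server
    second = sel.route(pc, now=5.0)      # session to the File Server
    third = sel.route(pc, now=20.0)      # a session after the timeout has expired
    return {"update_server": first, "file_server": second, "later": third,
            "file_server_sees_same_ip": str(first == second)}
```

With timeout 10 the File Server session 5 seconds later stays on WAN1 and the File Server sees the address it was told to expect; with timeout 0 it goes out on WAN2, which is the rejection in step (6).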