ZyXEL Firmware Release Note ZyWALL 35 Release 4.04(WZ.
ZyXEL ZyWALL 35 Standard Version Release 4.04(WZ.6)C0 Release Note Date: October 13, 2009 Supported Platforms: ZyXEL ZyWALL 35 Versions: ZyNOS Version: V4.04(WZ.6) | 10/13/2009 BootBase: V1.09 | 02/12/2009 Agent Version: V2.1.7(WZ.0)base Notes: 1. Restore to Factory Defaults Setting Requirement: No. 2. The "ignore triangle route" setting is on in the default ROM file. A triangle-route network topology has potential security risks.
cause current version not work with the wrong value. Please be sure to connect to devices that have an updated VID, or DPD may not work correctly. In SMT menu 24.1, "WCRD" only represents the WLAN card status when you insert a WLAN card into the ZyWALL. If you insert a TURBO card, "WCRD" is always shown as down.
upload and signature update for the full version will take tens of seconds) Because of the memory shortage (ZW5/P1), the device sometimes has to restart when the customer upgrades firmware. Issues [ALG] 1. H.323 does not support the server-in-LAN topology. 2. NAT loopback is currently not supported for SIP registration or proxy servers: if your SIP client is on the LAN, its registration server address cannot be the ZyWALL WAN IP looped back to a SIP server that is also on the LAN.
them. (2) On DUT1 enable the firewall, set Drop for VPN to LAN, then add a VPN-to-LAN firewall rule: Source address = 192.168.2.33, Destination address = 192.168.1.33, Selected service = Any (ICMP), Action for matched packets = Permit. (3) 192.168.2.33 cannot ping 192.168.1.33, and the log page shows "Unsupported/out-of-order ICMP: ICMP (Echo Reply)". Note: (1) Here PC1's gateway is DUT1's LAN IP. The ICMP reply packet's destination IP is 192.168.2.33.
(5) It is blocked by the content filter. 5. There is a forward log for a blocked web site. Condition: (1) Register the Content Filter service. (2) Enable Content Filter and External Database Content Filtering; block the "Email" category. (3) In "Log Settings", log "Forward Web Sites", "Blocked Web Sites" and "Blocked Java etc.". (4) From a LAN PC visit http://www.email.com, which is in the Email category; the site is blocked and a blocked log entry appears.
And sometimes the log reads "ping of death. ICMP(W to L, Echo Reply)". [UPnP] 1. Sometimes the "Local Area Connection" icon for UPnP disappears from the screen; it reappears after the PC is restarted. [VPN] 1. VPN rule swap does not support NAT Traversal. [MISC] 1. The DMZ TxPkts counter increments at about 1 pkt/min even if no Ethernet cable has ever been connected. 2. ZyWALL does not support WAN1 and WAN2 on the same subnet.
1. Symptom: Cannot configure DDNS from SMT. Condition: (1) In SMT menu 1, set Edit Dynamic DNS = Yes. (2) Try to input the username and password. (3) The username cannot be entered; only yes or no can be selected.
Features: Modifications in V4.04(WZ.6) | 10/13/2009 Modify for formal release. Modifications in V4.04(WZ.6)b2 | 10/07/2009 1. [FEATURE CHANGE] Registration and/or signature update is no longer affected by SSL certificate renewal on the servers; the customer can continue to register and update signatures. Modifications in V4.04(WZ.6)b1 | 09/25/2009 1. [BUG FIX] SPR ID: 090717298 Symptom: DNS proxy does not work under certain conditions. Condition: (1) Configure 4 DNS servers on the ZyWALL.
(2) On eWC NETWORK>>WAN, configure a fixed IP address. (3) On eWC ADVANCED>>DNS>>System, add the public DNS server "172.25.5.1". (4) On eWC SECURITY>>CONTENT FILTER>>General, enable Content Filter. (5) On eWC SECURITY>>CONTENT FILTER>>Policy, add a policy for "any" address and select all categories for the external DB. (6) Configure the LAN PC with the public DNS server "4.2.2.2". Access to "www.sina.com.cn" from the LAN PC is blocked by the device. (7) Reboot the device and refresh the service on the device.
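The two ICMP log messages quoted above ("Unsupported/out-of-order ICMP" for the VPN-to-LAN echo reply, and "ping of death") both come from stateful ICMP inspection. The following Python model is an added example, not ZyWALL firmware code: it records outstanding Echo Requests, matches each Echo Reply against them (a reply whose request never crossed the inspector, as happens when the two directions take different paths, is logged and dropped), and rejects any fragment whose reassembled size exceeds a configurable limit, the threshold the note later calls `ip icmp death <len>`. The default limit, the packet fields and all addresses are assumptions; the packets are constructed, not captured.

```python
"""Stateful ICMP echo inspection (added example, not ZyXEL code)."""
from dataclasses import dataclass, field

ICMP_ECHO_REPLY = 0
ICMP_ECHO_REQUEST = 8


@dataclass(frozen=True)
class IcmpPacket:
    src: str
    dst: str
    icmp_type: int          # in reality only the first fragment carries the ICMP header;
    ident: int              # the model attaches it to every fragment for simplicity
    seq: int
    frag_offset: int = 0    # IP fragment offset, in 8-byte units
    length: int = 64        # IP payload bytes carried by this fragment


@dataclass
class IcmpInspector:
    # Largest reassembled datagram accepted; 65535 is the IP maximum and is an
    # assumed default.  The note's `ip icmp death 800` CI would set this to 800.
    death_len: int = 65535
    pending: set = field(default_factory=set)
    logs: list = field(default_factory=list)

    def inspect(self, pkt: IcmpPacket) -> str:
        """Return 'forward' or 'drop' for one packet and update the state table."""
        end = pkt.frag_offset * 8 + pkt.length
        if end > self.death_len:
            self.logs.append(f"ping of death. ICMP({pkt.src} -> {pkt.dst}, {end} bytes)")
            return "drop"
        if pkt.icmp_type == ICMP_ECHO_REQUEST:
            self.pending.add((pkt.src, pkt.dst, pkt.ident, pkt.seq))
            return "forward"
        if pkt.icmp_type == ICMP_ECHO_REPLY:
            key = (pkt.dst, pkt.src, pkt.ident, pkt.seq)    # reversed direction
            if key in self.pending:
                self.pending.discard(key)
                return "forward"
            self.logs.append(
                f"Unsupported/out-of-order ICMP: ICMP (Echo Reply) {pkt.src} -> {pkt.dst}")
            return "drop"
        self.logs.append(f"Unsupported ICMP type {pkt.icmp_type}")
        return "drop"


def run(inspector: IcmpInspector, packets):
    return [inspector.inspect(p) for p in packets]


def symmetric_path():
    """Request and reply both cross the inspector: the reply is matched."""
    insp = IcmpInspector()
    req = IcmpPacket("192.168.2.33", "192.168.1.33", ICMP_ECHO_REQUEST, ident=0x1234, seq=1)
    rep = IcmpPacket("192.168.1.33", "192.168.2.33", ICMP_ECHO_REPLY, ident=0x1234, seq=1)
    return run(insp, [req, rep]), insp.logs


def asymmetric_path():
    """Only the reply crosses the inspector (the request took another route)."""
    insp = IcmpInspector()
    rep = IcmpPacket("192.168.1.33", "192.168.2.33", ICMP_ECHO_REPLY, ident=0x1234, seq=1)
    return run(insp, [rep]), insp.logs


def oversized_echo(death_len: int = 800):
    """A fragment whose offset plus length exceeds the configured limit."""
    insp = IcmpInspector(death_len=death_len)
    frag = IcmpPacket("10.0.0.9", "192.168.1.1", ICMP_ECHO_REQUEST, ident=7, seq=1,
                      frag_offset=95, length=100)      # ends at byte 860
    return run(insp, [frag]), insp.logs


if __name__ == "__main__":
    for scenario in (symmetric_path, asymmetric_path, oversized_echo):
        verdicts, logs = scenario()
        print(scenario.__name__, verdicts, logs)
```

The state key is (src, dst, identifier, sequence); a real inspector would also expire entries, since an unanswered request otherwise stays in the table forever.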
6. [BUG FIX] SPR ID: 080526515 Symptom: The hyperlink of signature policy in mail report is wrong. Condition: (1) Enable IDP function. (2) Enable UTM (IDP) report function and mail report function. (3) Send report mail. (4) The hyperlink of signature policy in mail report is wrong, but such hyperlink in log page, IDP report or home page is ok. 7. [BUG FIX] SPR ID: 090602115 Symptom: With PPPoE connection, device hangs when it works as DNS proxy.
to 62. 3. [ENHANCEMENT] For dial backup, add a CI "aux ignoreDSRSignal" to support 3G modems that do not assert the DSR signal. 4. [ENHANCEMENT] Add a note to the Diagnostics page. 5. [BUG FIX] SPR ID: 081128311 Symptom: When a ZyWALL LAN PC runs a torrent download, the LAN PC can no longer ping out. Topology: LAN PC-----ZW70----Internet. Condition: When a ZyWALL LAN PC runs a torrent download, the LAN PC cannot ping out; device RX has an issue. 6. [BUG FIX] SPR ID: 081124085 Symptom: ZyWALL transfers the AV/IDP signature type incorrectly.
(2) Make a connection from another PC to the ZyWALL via SSH; the second connection cannot be established. 9. [BUG FIX] SPR ID: 090105014 Symptom: Firewall blocks GRE packets between two Cisco routers. Topology: /----DMZ(public IP)------Cisco router2(LAN:8.1.1.2) (lan:8.1.1.1)Cisco router1------(wan)ZW5-\----LAN Condition: (1) In the firewall, traffic between WAN and DMZ is allowed, and logging is enabled for WAN---->DMZ. (2) Configure NAT only for LAN to WAN; no NAT between DMZ and WAN. (3) Ping from 8.1.1.1 to 8.1.1.
(FQDN = "aaabbbcc.china.com", IP Address = "192.168.2.33"). (5) On PC1 run nslookup "aaabbbcc.china.com"; the result is request timeout. Modifications in V 4.04(WZ.3) | 11/04/2008 Modify for formal release. Modifications in V 4.04(WZ.3)b2 | 10/29/2008 1. [FEATURE CHANGE] WAS: Support URL link to bluecoat. IS: Remove URL link to bluecoat. 2. [BUG FIX] SPR ID: 081023045 Symptom: Device often stops working when its CF buffer drops to a low value. Condition: (1) ZW70 F/W 4.04(WM.
WAS: First DNS server for DHCP clients is "From ISP". IS: First DNS server for DHCP clients is "DNS Relay". 9. [BUG FIX] SPR ID: 080905612 Symptom: After synchronizing with the same NTP server on the PC and the ZyWALL, the ZyWALL time is always 5 seconds behind the PC time. Topology: PC------------- (L) ZyWALL (W) ---Internet Condition: (1) Restore the default romfile and log in to the Web page. (2) Edit eWC/MAINTENANCE/Time and Date, Time Protocol = NTP (RFC-1305), Time Server Address = "time.stdtime.gov.
mszie=00000324 12. [BUG FIX] SPR ID: 080825919 Symptom: HTTP service is not detected when using HTTP upload. Condition: (1) Enable AV, enable Zip file scan, activate HTTP, select direction WAN->LAN, then Apply. (2) In SMT 24.8, enter the CI commands "av load", "av config httpPost on", "av save". (3) Set up an HTTP server on a LAN PC. Upload eicar.com and eicar_com.zip by HTTP from the WAN PC to the HTTP server (the files are available from http://www.eicar.org/anti_virus_test_file.htm).
(1) Switch on UPnP on the ZyWALL. (2) Open uTorrent 1.8 and download some files. (3) In eWC>ADVANCED>UPnP>Ports there is only one uTorrent port mapping rule, with protocol UDP; no TCP port mapping rule appears. In fact there should be two uTorrent port mapping rules, one TCP and one UDP. Modifications in V 4.04(WZ.2) | 09/10/2008 Modify for formal release. Modifications in V 4.04(WZ.2)b2 | 09/04/2008 1. [BUG FIX] SPR ID: 080827154 Symptom: After flushing the route table, RIP does not work.
Symptom: After uploading FW 4.04 patch 2 b1, High and Severe IDP signatures ARE NOT LOGGED BY DEFAULT. Condition: 1) Upload a 4.04 pre-version FW, for example 4.04 patch 1, and reset to the default romfile. 2) Update the signature. 3) Upload the 4.04 patch 2 FW. 4) High and Severe IDP signatures are not logged by default, even after updating to the latest signature version. Modifications in V 4.04(WZ.2)b1 | 08/20/2008 1. [ENHANCEMENT] Enhance the DNS proxy to use a random transaction ID and a random source port. 2.
WAN-LAN. Configure X-Header, Phishing Tag and Spam Tag. (3) Go to eWC>Security>Anti-Spam>External DB, enable it and set the threshold to 0. (4) When the client receives a specific mail, ZW5 crashes. (5) Description of an example mail: the mail body is empty; the number of bits (including mail subject, "mail to" and "mail from") must be 217. 5. [BUG FIX] SPR ID: 080707264 Symptom: When setting a port forwarding rule, the LAN server IP 172.20.10.0 cannot be configured. Condition: (1) Configure the LAN subnet as 172.20.10.
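The HTTP-upload case above (EICAR test file uploaded by POST, plain and inside a ZIP, with "Zip file scan" enabled) is what an in-line AV engine has to handle on the WAN->LAN path. The Python below is an added example, not ZyWALL code: it parses a multipart/form-data POST, extracts each uploaded file, opens ZIP members in memory to a bounded nesting depth and member size (so a nested or inflated archive cannot exhaust the scanner), and matches the EICAR signature. The request, files, limits and boundary string are constructed for the example; the signature is assembled from two halves only so that this source file is not itself flagged by endpoint AV.

```python
"""Scan an HTTP POST file upload for the EICAR test file, ZIP members included
(added example, not ZyXEL code)."""
import io
import re
import zipfile

# The 68-byte EICAR test string, split in two so the source file is not flagged.
EICAR = (r"X5O!P%@AP[4\PZX54(P^)7CC)7}$" + "EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*").encode()
MAX_DEPTH = 2                # archives nested deeper than this are reported, not opened
MAX_MEMBER_BYTES = 1 << 20   # refuse to inflate any member larger than 1 MiB (assumed limit)


def parse_multipart(body: bytes, boundary: bytes):
    """Yield (filename, data) for every file part.  Assumes the boundary does not
    occur inside the data, which RFC 2046 requires the sender to guarantee."""
    delim = b"--" + boundary
    for chunk in body.split(delim)[1:]:
        if chunk.startswith(b"--"):                  # closing "--boundary--"
            break
        head, _, data = chunk.removeprefix(b"\r\n").partition(b"\r\n\r\n")
        m = re.search(rb'filename="([^"]*)"', head)
        if m:
            yield m.group(1).decode("latin-1"), data.removesuffix(b"\r\n")


def scan_bytes(name: str, data: bytes, depth: int = 0):
    """Return a list of findings for one file, recursing into ZIP archives."""
    findings = []
    if data.startswith(EICAR):                       # EICAR must be the first 68 bytes
        findings.append(f"{name}: EICAR-Test-File")
    if zipfile.is_zipfile(io.BytesIO(data)):
        if depth >= MAX_DEPTH:
            findings.append(f"{name}: archive nesting too deep, not scanned")
            return findings
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            for info in zf.infolist():
                if info.file_size > MAX_MEMBER_BYTES:  # check before inflating
                    findings.append(f"{name}/{info.filename}: oversized member, not scanned")
                    continue
                findings += scan_bytes(f"{name}/{info.filename}", zf.read(info), depth + 1)
    return findings


def scan_http_post(request: bytes):
    """Return scan findings for the files carried by one raw HTTP POST request."""
    head, _, body = request.partition(b"\r\n\r\n")
    m = re.search(rb'(?im)^content-type:\s*multipart/form-data;.*boundary="?([^";\r\n]+)', head)
    if not m:
        return []
    findings = []
    for filename, data in parse_multipart(body, m.group(1)):
        findings += scan_bytes(filename, data)
    return findings


def make_zip(members: dict) -> bytes:
    """Build a ZIP archive in memory from {name: bytes} (constructed test input)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, data in members.items():
            zf.writestr(name, data)
    return buf.getvalue()


def make_upload(filename: str, data: bytes, boundary: bytes = b"----example7f3a") -> bytes:
    """Build a raw multipart/form-data POST carrying one file (constructed test input)."""
    body = (b"--" + boundary + b"\r\n"
            b'Content-Disposition: form-data; name="file"; filename="' + filename.encode() + b'"\r\n'
            b"Content-Type: application/octet-stream\r\n\r\n" + data + b"\r\n"
            b"--" + boundary + b"--\r\n")
    return (b"POST /upload HTTP/1.1\r\nHost: 192.168.1.10\r\n"
            b"Content-Type: multipart/form-data; boundary=" + boundary + b"\r\n"
            b"Content-Length: " + str(len(body)).encode() + b"\r\n\r\n" + body)


if __name__ == "__main__":
    print(scan_http_post(make_upload("eicar.com", EICAR)))
    print(scan_http_post(make_upload("eicar_com.zip", make_zip({"eicar.com": EICAR}))))
```

The depth and size limits are the part a production engine cannot skip: without them a crafted archive turns the scanner itself into the denial-of-service target, which is the failure mode the memory-shortage notes elsewhere in this document make plausible.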
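The enhancement above (random transaction ID plus random source port in the DNS proxy) is the standard defence against blind response forgery: a forwarder that always uses the same ID and port can be poisoned by an off-path attacker who has seen a single query. The Python below is an added example, not ZyWALL code, that builds queries and responses in DNS wire format (RFC 1035), accepts a reply only when it arrives on the port the query left from with a matching ID and a matching question, and compares the guess space of a fixed forwarder with a randomized one. The port pool, the fixed values and the addresses are assumptions.

```python
"""DNS forwarder with a random transaction ID and a random source port
(added example, not ZyXEL code)."""
import math
import secrets
import struct

QTYPE_A = 1
FLAG_RESPONSE = 0x8000


def encode_qname(name: str) -> bytes:
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def decode_qname(pkt: bytes, off: int):
    labels = []
    while pkt[off]:
        n = pkt[off]
        labels.append(pkt[off + 1:off + 1 + n].decode("ascii"))
        off += 1 + n
    return ".".join(labels), off + 1


def build_query(txid: int, qname: str, qtype: int = QTYPE_A) -> bytes:
    # header: id, flags (RD), qdcount, ancount, nscount, arcount
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + encode_qname(qname) + struct.pack("!HH", qtype, 1)


def build_response(txid: int, qname: str, addr: str, qtype: int = QTYPE_A, ttl: int = 300) -> bytes:
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, 1, 0, 0)      # QR, RD, RA
    question = encode_qname(qname) + struct.pack("!HH", qtype, 1)
    rdata = bytes(int(x) for x in addr.split("."))
    # answer name is a compression pointer to the question name at offset 12
    answer = b"\xc0\x0c" + struct.pack("!HHIH", qtype, 1, ttl, len(rdata)) + rdata
    return header + question + answer


class DnsProxy:
    def __init__(self, randomize: bool = True, fixed_port: int = 53, fixed_txid: int = 0x1234):
        self.randomize = randomize
        self.fixed_port, self.fixed_txid = fixed_port, fixed_txid
        self.port_pool = range(1024, 65536)   # assumed ephemeral range for query sockets
        self.pending = {}                      # (src_port, txid) -> (qname, qtype)

    def send_query(self, qname: str, qtype: int = QTYPE_A):
        qname = qname.rstrip(".").lower()
        if self.randomize:
            txid, port = secrets.randbelow(1 << 16), secrets.choice(self.port_pool)
        else:
            txid, port = self.fixed_txid, self.fixed_port
        self.pending[(port, txid)] = (qname, qtype)
        return port, build_query(txid, qname, qtype)

    def accept_response(self, dst_port: int, pkt: bytes) -> bool:
        """True only when port, ID and question all match an outstanding query."""
        if len(pkt) < 12:
            return False
        txid, flags, qdcount = struct.unpack("!HHH", pkt[:6])
        if not flags & FLAG_RESPONSE or qdcount != 1:
            return False
        expected = self.pending.get((dst_port, txid))
        if expected is None:
            return False
        qname, off = decode_qname(pkt, 12)
        qtype = struct.unpack("!H", pkt[off:off + 2])[0]
        if (qname.lower(), qtype) != expected:     # reply for some other name: drop
            return False
        del self.pending[(dst_port, txid)]
        return True

    def guess_space_bits(self) -> float:
        """Bits an off-path attacker must guess per forged reply."""
        return math.log2(65536 * (len(self.port_pool) if self.randomize else 1))


def legitimate_exchange(randomize: bool = True) -> bool:
    proxy = DnsProxy(randomize)
    port, q = proxy.send_query("www.sina.com.cn")
    txid = struct.unpack("!H", q[:2])[0]
    return proxy.accept_response(port, build_response(txid, "www.sina.com.cn", "203.0.113.10"))


def mismatched_question(randomize: bool = True) -> bool:
    """Right port and ID, but the answer is for another name: rejected."""
    proxy = DnsProxy(randomize)
    port, q = proxy.send_query("www.sina.com.cn")
    txid = struct.unpack("!H", q[:2])[0]
    return proxy.accept_response(port, build_response(txid, "www.example.com", "198.51.100.66"))


def replayed_guess(randomize: bool) -> bool:
    """Attacker observed one exchange and reuses its port and ID to answer the
    next query first.  Fixed values: poisoned.  Random values: rejected."""
    proxy = DnsProxy(randomize)
    old_port, old_q = proxy.send_query("www.sina.com.cn")
    old_txid = struct.unpack("!H", old_q[:2])[0]
    proxy.accept_response(old_port, build_response(old_txid, "www.sina.com.cn", "203.0.113.10"))
    proxy.send_query("www.sina.com.cn")            # the query the attacker wants to poison
    forged = build_response(old_txid, "www.sina.com.cn", "198.51.100.66")
    return proxy.accept_response(old_port, forged)


if __name__ == "__main__":
    for mode in (False, True):
        print("randomize" if mode else "fixed", replayed_guess(mode),
              f"{DnsProxy(mode).guess_space_bits():.1f} bits")
```

Checking the question section stops a reply for another name being accepted, but it does not defend against forged replies that repeat the real question; only the randomized ID and port make those expensive to guess, which is why the enhancement changes both.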
8. [BUG FIX] SPR ID: 080710761 Symptom: Device crashes when a button on the web page http://www.doxpara.com/ is clicked. Topology: PC--------- (L) Device (W) --------Internet Condition: (1) Manually set the PC's DNS server to the LAN IP of the device. (2) Open the web page "http://www.doxpara.com/" with IE or Firefox on the PC. (3) Click the "Check My DNS" button on the web page; the device crashes. 9. [BUG FIX] SPR ID: 080717141 Symptom: White list does not take effect. Condition: Condition 1: (1) Activate the CF service.
Topology: PC------(L)ZyWALL(W)------PPTP Server (PPTP Client) Condition: (1) Set up a PPTP server on Red Hat Linux. (2) Create a PPTP client on a PC with Windows XP. (3) Connect the PPTP client to the PPTP server; sometimes it cannot connect. 3. [BUG FIX] SPR ID: 080530974 Symptom: ZyWALL crashes as a DNS proxy when the external DNS has been unavailable for several days. Condition: Topology: PC--------- (L) Device (W) --------Internet (1) Reset the device's configuration file.
Topology: ZyWALL 35(DUT)(W)----Internet---- (W)Checkpoint Condition: (1) Configure a static IPSec VPN rule on the DUT for the Checkpoint. The Remote Gateway IP is the Checkpoint's WAN IP, the peer ID type is IP and the peer ID content is "0.0.0.0". (2) A corresponding rule is configured on the Checkpoint; its local ID content is "0.0.0.0". (3) Dial the VPN from the ZyWALL 35; the tunnel fails to build because of an ID content mismatch. Modifications in V 4.04(WZ.1)b1 | 05/16/2008 7.
(2) Select the log schedule "When Log is Full". (3) Ping the ZyWALL 35's LAN port nonstop from a PC on the LAN. There is a high ping response delay from time to time. 13. [BUG FIX] SPR ID: 071228633 Symptom: Incoming ESP packets cannot pass through the ZyWALL with a 1-1 NAT rule. Condition: PC1---ZWA(W)---(L)DUT(W)---(W)ZWB---PC2 |---------VPN-----------| (1) Configure the DUT as full-feature NAT; add a 1-1 rule on the DUT for ZWA. (2) Configure a VPN tunnel between ZWA and ZWB; NAT-T is disabled on ZWA and ZWB.
17. [BUG FIX] SPR ID: 080307371 Symptom: OIDs for VPN do not work. Even after the tunnel has been up for a while and traffic has passed, those OIDs show 0 in all tables. Condition: (1) Set up the topology: ZW70---internet--VPN--internet-----ZW35(DUT) (2) Set up an SNMP server (software on a PC) on the ZW35 WAN subnet. (3) Add zyxel.mib and the zyxel-zywall mib. (4) Dial up the VPN on the DUT and generate some traffic through the VPN. (5) From the SNMP server, the following OIDs are always 0: vpnTunnelTxPktCnt .1.3.
LAN-C Yes 10.21.10.0 / 255.255.255.0 10.1.1.21 (2) PC1 begins to ping PC2 and receives no reply from PC2. 19. [BUG FIX] SPR ID: 080303009 Symptom: Device crashes when a G100 wireless card is plugged in. Condition: (1) Get an NBG460N (version: 3.60(AMX.0)b0) and load the attached romfile. (2) Activate wireless on the ZyWALL (with the G100 wireless card). (3) The device keeps crashing. 20.
Symptom: Fails to dial into the SIP phone when the packets generated by the SIP provider are fragmented. Condition: Topology: SIP phone 1-----SIP server-----(WAN)ZyWALL(LAN)------SIP phone 2 SIP phone 1, the SIP server and the ZyWALL WAN are in the same subnet. (1) SIP phone 1 is a softphone (3CX phone) installed on a PC; change the PC's MTU to 800. (2) The SIP server is "ser" installed on Linux; also change this server's MTU to 800. (3) Turn on SIP ALG on the ZyWALL.
Service configuration: Select Active FTP Service, Direction: LAN->WAN1 and WAN1->LAN. (3) Use an FTP client on the ZyWALL LAN side to download 4 zip files from ftp://ftp.zyxel.com/NWA-3500/firmware/ at the same time. (4) The ZyWALL crashes while downloading the files. 27. [BUG FIX] SPR ID: 080318099 Symptom: In the DMZ web help there is no description of "Windows Networking (NetBIOS over TCP/IP)". This differs from LAN and WLAN.
Modifications in V 4.04(WZ.0)C0 | 03/28/2008 Modify for formal release Modifications in V 4.04(WZ.0)b5 | 03/21/2008 1. [BUG FIX] SPR ID: 080313755 Symptom: The ZyWALL SMT menu refreshes continually after upgrading firmware from 4.02 to 4.04. Condition: (1) Upload 4.02 firmware to the DUT and then reset to factory default. (2) Upgrade the firmware to 4.04. (3) The SMT menu refreshes continually and cannot be stopped. 2. [BUG FIX] SPR ID: 080312702 Symptom: DDNS hostname has been blocked for abuse.
(2) Go to SMT menu 24.8 and enter the command "d d 1" to dial PPTP again. (3) The message "Remote node [WAN 1] is connected, IP is dd783c36" appears. (4) The IP is strange. 7. [BUG FIX] SPR ID: 080122128 Symptom: Some actions in CF are wrong. Condition: (1) In CF>General, disable "Unrated Web Pages" and "When Content Filter Server Is Unavailable". (2) Insert a policy, enable the external DB and choose a category. (3) Flush the cache. (4) Open a page that will be rated as Unrated, such as "172.25.21.80".
Condition: (1) Restore the ROM file. (2) In SMT 24.8, enter the command: sys tos fwSchedule active on. (3) In eWC>Firewall, add a LAN-to-WAN rule that blocks TCP and FTP services during 10:30~10:35. (4) Before 10:30, a LAN PC connects to a WAN-side FTP server and uploads a big file. (5) After 10:30 this connection is dropped, which is correct. (6) But after 10:35, when the LAN PC tries to connect to the FTP server again, the NAT debug message "natFreeSlotByIamt: Iamt Reference ERROR" is displayed in SMT.
(3) On ZyWALL1, configure the IKE and IPsec rules and enable Nailed-up; make sure the tunnel can be built. (4) On ZyWALL2, configure the IKE and IPsec rules correctly except for the pre-shared key and enable Nailed-up; make sure the tunnel cannot be built. (5) After running for a long time, ZyWALL_DUT crashes because of an IKE SA leak. 5. [BUG FIX] SPR ID: 071023165 Symptom: "send/recv" bytes in syslog are negative numbers. Condition: (1) Configure a syslog server. (2) Enable REPORTS->SYSTEM REPORTS->Reports.
8. [BUG FIX] SPR ID: 071115009 Symptom: A new sub-class with bandwidth budget = 0 can be saved but cannot be edited or deleted. Condition: (1) Reset the ROM. (2) EWC>ADVANCED>BW MGMT>Summary: activate bandwidth management on WAN1. (3) EWC>ADVANCED>BW MGMT>Class Setup: add a sub-class with budget = 0 and enable the bandwidth filter. (4) After clicking Apply, it is displayed under "Enabled classes Search Order". (5) Unfolding the root class tree, the newly added sub-class cannot be found. 9.
static DHCP mapping left. (5) Run the command ipconfig /release on PC1. (6) After PC1 releases the IP successfully, check eWC>>Home>>DHCP table; "PC1's MAC-->IP: 192.168.1.200" is still shown on this page. Condition 2: (1) sys romreset (2) EWC>>LAN>>static DHCP: add a static DHCP mapping for PC1, PC1's MAC-->IP: 192.168.1.200. (3) Attach PC1 to the ZyWALL LAN port; PC1 gets IP 192.168.1.200. (4) EWC>>LAN>>static DHCP: add another static mapping for some PC, e.g. 00:11:22:33:44:55:66-192.168.1.201.
in eWC, all values are correctly set on the device. (3) Log in to "www.eurodns.com" with Username=xxx, Password=xxx. Click "My Domains" on the left, then click the "DNS" icon. You will see the "Hostname/Alias" named "test1" bound to an IP address, but this address is not 172.25.17.77. Also, in eWC there is no log like "Update domain name test1.zyxel.com.es with IP:172.25.17.77 successfully". (4) Do step (2) in eWC, then check again as in step (3).
(6) Go to eWC>SECURITY>CONTENT FILTER>EDIT POLICY>EXTERNAL DATABASE, activate External Database Service Configuration, select the category Search Engines/Portals and click Apply. (7) From the LAN PC, visit www.google.cn. (8) Then view the CF report at "http://203.160.254.52?mac=0000AA780145"; the URL "www.google.cn" appears in the blocked list. In fact it should be in the allowed list. 18. [BUG FIX] SPR ID: 071221273 Symptom: UTM commands show in non-UTM products.
22. [BUG FIX] SPR ID: 080114612 Symptom: Dial Backup is triggered even though traffic redirect works. Condition: Topology: PC--- (LAN) ZyWALL (Dial Backup) ---Internet | (Traffic redirect) | (LAN) ZyWALL_B (WAN) ---Internet (1) Enable A/P mode on the ZyWALL 70 and make sure WAN2 is connected. (2) Configure traffic redirect on the LAN interface to ZyWALL_B. (3) Configure Dial Backup with Budget = always on. (4) Configure the ZyWALL as DNS proxy server for the LAN PC. Then disconnect WAN2 while the PC tries to access www.google.
25. [BUG FIX] SPR ID: 080115675 Symptom: Backing up AV/IDP signatures fails. Condition: (1) Register a device with signatures to CNM. In CNM: Configuration Management >> Signature Profile Management >> Backup & Restore, click the backup button to back up a signature profile. (2) The signature backup fails and the device can no longer be configured. 26. [BUG FIX] SPR ID: 080108247 Symptom: Device Log is not supported in CNM Patch1 b2. Condition: (1) For the ZyWALL, register the device to CNM 3.0 Patch1 b2 (3.0.00.61.01).
Enhance Agent to support CNM 3.0 Patch2: (1) Support MAC/IP binding (2) Support VPN AES128/192/256 and DH5 (3) Support multiple DDNS service providers (4) Fix FC query memory overwrite issue (5) Change feature code and version as requested by the CNM team (6) Add 3G alert type (7) Support Logsetting MAC/IP Binding 30. [FEATURE CHANGE] WAS: There were 12 signature categories in IDP. IS: There are 10 signature categories in IDP. Removed the "Porn" and "SPAM" signature categories and reordered all signature categories. 31.
ZyWALL. 36. [BUG FIX] SPR ID: 071113829 Symptom: When creating My Certificates with a certificate name that includes spaces, the certificate is created successfully and the DUT shows no error message, but the certificate cannot be exported. Condition: (1) Edit eWC>CERTIFICATES>My Certificates and create a certificate with Certificate Name = "DUT IP", Host IP Address = "192.168.12.
P2P" and click Apply. (4) The search result contains P2P signatures only. 41. [BUG FIX] SPR ID: 071204069 Symptom: The DUT's DDNS update with the "use wan ip" option on "Regfish.com" fails after a restart. Condition: (1) Reset the device to the default ROM. (2) On the DDNS page, select "www.regfish.com", use the "wan ip update" option and fill in the required information. (3) Click "Apply"; the DUT updates successfully. (4) Restart the DUT, making sure its WAN IP changes. (5) The DUT's automatic domain update fails.
Symptom: In the log for a failed connectivity check, Source IP and Destination IP should be NULL when the domain name does not exist; the device should not show the Destination IP of the previous ping. Condition: (1) Go to eWC>Network>WAN>General. (2) Enable "Check WAN1 Connectivity" and let the system ping the IP 1.1.1.1. (3) The log shows ping check fail, Source IP = WAN IP, Destination IP = 1.1.1.1. (4) Enable "Check WAN1 Connectivity" and let the system ping "www.abcdefg123aabbccdd.com", which does not exist.
Condition: (1) Run IXIA stress testing with IDP/AV/AS/CF functionality; the device crashes. 49. [BUG FIX] SPR ID: 071206262 Symptom: ZyWALL cannot reply to packets on the correct WAN interface. Condition: PC(192.168.1.60)--(LAN)DUT--WAN1(192.168.5.33)---Router---PC(192.168.10.33) | | |------WAN2 (192.168.7.33-------| (1) Set WAN = Active/Active mode, WAN1 = 192.168.5.33, WAN2 = 192.168.7.33. (2) Policy Route = Active, Source Address = 192.168.1.60, Destination Address = 0.0.0.
(1) Register with WWW.EuroDNS.COM. (2) Use Wireshark to capture the packets when the DUT updates DDNS. (3) The DDNS user-agent string is "Allegro-Softeware-WebClient/4.51Zyxel p334/3.40(JJ.6) topping.tang@zyxel.cn\r\n", although the device is a ZyWALL, not a P-334. Modifications in V 4.04(WZ.0)b1 | 11/19/2007 1. [ENHANCEMENT] Add Protocol Anomaly (PA) in IDP. 2. [ENHANCEMENT] Enhance AV CI commands. 2. [ENHANCEMENT] Upgrade the ZyXEL IDP solution. 3. [ENHANCEMENT] Add the MAC/IP Binding feature. 4.
9. [ENHANCEMENT] Refine GUI layout. (1) eWC>LOGS>Log Settings: add a section for the mail schedule. (2) eWC>MAINTENANCE>Diagnostics: add a section for the mail schedule. (3) Merge eWC>REPORTS>System & Threat Reports into the single item eWC>REPORTS in the panel. (4) Refine the eWC>REPORTS>E-mail Report layout. (a) Change the wording in the GUI. (b) Add a section for the mail schedule. (c) Add the time "Collect Statistics since" for each section in the mail. (d) Add the device name and sending time to the mail subject.
For more detailed information, please refer to appendix 14. 13. [FEATURE CHANGE] WAS: When CNM was ON, the device's alerts stopped being mailed to the alert receiver configured on the Log Settings page. IS: Whether CNM is ON or OFF, the device's alerts are mailed to the configured alert receiver. 14. [BUG FIX] SPR ID: 070725773 Symptom: Socket leak. Condition: (1) WAN is configured as PPPoE with a 10 s idle timeout. (2) Go to SMT 1, configure DDNS and save. (3) Repeat step (2) many times.
18. [BUG FIX] SPR ID: 070927476 Symptom: ZyWALL uses the PC's MAC address as the source MAC when sending ESP/AH packets. Condition: (bridge mode) (NAT router) (router mode) PC1----- (LAN) ZyWALL (WAN) ----VSG-1200----IPSec gateway-------PC2 (1) Build a VPN tunnel between the ZyWALL and the IPSec gateway. (2) Ping PC2 from PC1. (3) The tunnel is established, but there is no ping response. 19. [BUG FIX] SPR ID: 070927494 Symptom: Device crashes when Vantage gets the VPN manual rule with a single local address setting.
(4) On the Reports>IDP page, select "Top Entry By Signature Name"; there is no related information. 23. [BUG FIX] SPR ID: 071013726 Symptom: Wrong description for CI "sys update display". Condition: (1) Enter the CI "sys update display"; the console shows "register server address xxxx" and "register server path xxxxx". (2) The description should be "update server address xxxx" and "update server path xxxxx". 24. [BUG FIX] SPR ID: 071019008 Symptom: WAN loses its IP address when the WAN metric is modified.
P2002A (1) P2002A is not registered to the SIP server. (2) Configure SIP Server Address as 192.168.30.114. P2002B (1) P2002B is not registered to the SIP server. (2) Configure SIP Server Address as 192.168.30.113. Call from P2002B to P2002A; the SIP rule's bandwidth cannot be protected. 27. [BUG FIX] SPR ID: 070928582 Symptom: Device fails to register to the Vantage server with a CNM 3DES encryption key when the key is set via the device's GUI.
3. [BUG FIX] SPR ID: 070809666 Symptom: ZyWALL crashes when receiving POP3 mail from the WAN. Conditions: PC1---(192.168.100.33)router(192.168.1.33)---(LAN)ZyWALL(WAN1)---mailserver (1) Enable Anti-Spam in the WAN1->LAN direction and the external DB on the ZyWALL. (2) Add a static route (dest 192.168.100.0/24, gateway 192.168.1.33) in the ZyWALL. (3) The PC1 user uses MS Outlook to receive mail. (4) The ZyWALL crashes. 4.
Conditions: (1) Load 4.00 FW and enable the "Gambling" category. (2) Upload 4.03 FW; the "Gambling" category is gone. 8. [BUG FIX] SPR ID: 071009535 Symptom: User cannot access the "tw.msn.com" website when CF>block cookie is enabled. Conditions: (1) Enable content filter and block cookies. (2) Access "tw.msn.com"; the browser shows "Bad Request (Invalid Header Name)". 9. [BUG FIX] SPR ID: 070921355 Symptom: Device crashes during stress testing.
Symptom: The wizard Internet access setup has a wrong URL link. Conditions: 1. Go to eWC>Home>Wizard>Internet Access setup>Product registration and service activation for free. 2. The registration URL link should not be http://www.zyxel.com; it should be http://www.myzyxel.com. 3. Clicking this URL redirects to www.zyxel.com.tw in the wizard window, after which you cannot get back to the wizard setup page. Modifications in V 4.03(WZ.0)b3 | 08/30/2007 13.
Add a "WIRELESS" group to the left panel and move the wireless features (network>wireless card, 3G) into it. Modifications in V 4.03(WZ.0)b1 | 06/29/2007 1. [ENHANCEMENT] Support multiple profiles in the original content filter design. The feature can define different groups by IP, and each group has its own profile, which can (1) have its own group definition to distinguish it from other groups; (2) restrict web features (Block ActiveX/Java Applet/Cookies/Web Proxy).
(4) The ZyWALL switches to Dial Backup. (5) The NAT table is full. 8. [ENHANCEMENT] Support the IXP425 B1 version CPU. WAS: Support IXP425 A0/B0 version CPU. IS: Support IXP425 A0/B0/B1 version CPU. 9. [ENHANCEMENT] SPR ID: 060915885 GUI enhancement on the Firewall page. (1) Add a rule number and edit icon in eWC>Default Rules for a quick check of the rule summary. (2) Change the packet direction to two list boxes so the user can select the "From" and "To" interface. (3) Add an "Any" selection in packet direction.
infected file packet and the following file packets as well. It is safer but lowers performance when handling infected files. We also fixed the line-assembly bug for FTP and HTTP in this enhancement. 15. [ENHANCEMENT] Support a user-defined X-header in mail. Note: the user can use "%status" and "%score" to display the mail status and spam score in the X-header. There are four kinds of mail status: (1) Black List (score is always 100) (2) SPAM (3) Phishing (4) Timeout (score is always 0) 16.
Symptom: A URL request such as "http://www.host:80" cannot pass through the content filter's trusted web site list. Condition: (1) Enable content filter and website customization. (2) Disable all web traffic except for trusted web sites. (3) Add the website "http://www.sina.com" to the trusted web sites. (4) Browse "http://www.sina.com:80" with Firefox; it cannot be visited. 21. [BUG FIX] ITS#: 14612 Symptom: ZyWALL cannot reply to packets on the correct WAN interface if the packet comes from some WAN subnet.
(2) Build VPN2. (3) There is a large delay in the ping. 24. [BUG FIX] SPR ID: 060627810 Symptom: If the WAN encapsulation type is PPPoE/PPTP, the conflict check fails when configuring the LAN/DMZ/WLAN interface IP. Condition: (1) Set WAN encapsulation to PPPoE/PPTP and make sure the device gets its IP correctly. (2) In eWC->NETWORK->LAN->LAN, set "IP Address" to an IP in the same subnet as the WAN interface. (3) The configuration can be saved, but it should not be. 25.
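The conflict-check bug above (a LAN address accepted inside the WAN subnet when the WAN is PPPoE/PPTP), together with the earlier note that WAN1 and WAN2 may not share a subnet, is a single validation: no interface prefix may overlap another interface's prefix. A PPPoE/PPTP WAN has only a host address from the ISP rather than a configured subnet, so the check has to treat that address as a /32 and still refuse a LAN prefix that contains it. The Python below is an added example of that check, not ZyWALL code; interface names and addresses are made up.

```python
"""Reject interface addresses that overlap another interface's prefix
(added example, not ZyXEL code)."""
import ipaddress


def conflicts(interfaces: dict):
    """interfaces: name -> 'addr/prefix' for a routed interface, or a bare
    address for a point-to-point WAN (PPPoE/PPTP), which is treated as a /32.
    Returns a sorted list of (name_a, name_b, reason) for every overlap."""
    nets = {name: ipaddress.ip_interface(spec).network for name, spec in interfaces.items()}
    names = sorted(nets)
    found = []
    for i, a in enumerate(names):
        for b in names[i + 1:]:
            na, nb = nets[a], nets[b]
            if na.version == nb.version and na.overlaps(nb):
                found.append((a, b, f"{na} overlaps {nb}"))
    return found


def can_apply(interfaces: dict, name: str, new_spec: str):
    """Conflicts that applying new_spec to interface `name` would introduce.
    An empty list means the change is safe to save."""
    trial = dict(interfaces, **{name: new_spec})
    return [c for c in conflicts(trial) if name in c[:2]]


if __name__ == "__main__":
    # Constructed plan: PPPoE WAN with an ISP-assigned host address, routed LAN and DMZ.
    plan = {"wan1": "203.0.113.7", "lan": "192.168.1.1/24", "dmz": "192.168.3.1/24"}
    print(can_apply(plan, "lan", "203.0.113.1/24"))      # LAN moved into the WAN's subnet
    print(can_apply(plan, "wan2", "203.0.113.200/24"))   # WAN2 sharing WAN1's subnet
    print(can_apply(plan, "wlan", "10.0.0.1/24"))        # fine
```

The same check run before any address is committed is what prevents the asymmetric-routing and wrong-WAN-reply symptoms that several entries in these notes describe.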
(5) PC_A enables the Kiwi Syslog Daemon. (6) No traffic log is sent to the Kiwi Syslog Daemon anymore. 29. [BUG FIX] SPR ID: 060725664 Symptom: DNS cannot be updated in bridge mode. Condition: (1) Restore the default romfile. (2) Switch the device to bridge mode (do not set DNS yet). (3) Go to the eWC>MAINTENANCE>General page, set the DNS server to 172.23.5.1 and save. (4) Go to another page and back to this page; the DNS server is 0.0.0.0. 30.
(1) Reset to factory default. (2) Configure a correct PPPoE connection on the WAN interface, disable "nailed-up", and set the idle timer to 20 seconds. (3) Enable the firewall and block all traffic from LAN to WAN. (4) Ping "168.95.1.1" continuously from a LAN-side PC; the WAN interface still gets an IP. (This means the WAN interface can still be triggered, although the ping packet should be dropped by the firewall.) 33. [BUG FIX] SPR ID: 060918066 Symptom: Bridge-mode VPN AV cannot recognize ZIP files.
P2002(A) --- DUT1(PPPoE) =====VPN TUNNEL===== DUT2 --- P2002(B) (2) Configure as in the attached file. Test Steps: (1) DUT1 WAN is PPPoE. (2) DUT1 and DUT2 enable SIP ALG. (3) DUT1 and DUT2 build a VPN tunnel. (4) P2002(A) dials P2002(B). The connection succeeds, but P2002(A) cannot hear P2002(B)'s voice; P2002(B) can hear P2002(A). 37. [BUG FIX] SPR ID: 061020683 Symptom: PPPoE and PPTP cannot be dropped in SMT 24.1. Condition: (1) WAN1 is PPPoE or PPTP. (2) Go to SMT 24.1 and press "1" to drop WAN1.
44. [BUG FIX] SPR ID: 070228410 Symptom: The ZyWALL BW MGMT class search order is shown wrongly when moving classes. Condition: (1) Restore the romfile (password: fenris120) from the SPR and go to Class Setup under WAN1. (2) Add sub-class FTP: bandwidth budget 180k, priority 5, service type FTP. (3) Add sub-class PC1: bandwidth budget 150k, priority 4, borrow, service type custom, Source IP single 192.168.1.37. (4) Class 1 cannot be moved to 2. 45.
WLAN STA denied by WLAN MAC Filter | MACAddr:0013026c13a3
WLAN STA allowed by WLAN MAC Filter | MACAddr:0013026c13a3
DHCP server assigns 10.10.101.
Modifications in V 4.02(WZ.1)b1 | 05/15/2007 1. [BUG FIX] SPR ID: 070317140, 070317141, 070317142, 070317143, 070322461, 070322462, 070322463 Symptom: A LAN PC cannot use any service (HTTP, HTTPS, Telnet, SSH, FTP) via the WAN IP. Condition: (1) The DUT WAN gets an IP. (2) A PC on the LAN accesses the DUT's HTTP service through the WAN IP; it fails. (3) The other services (HTTPS, SSL, Telnet, FTP) also do not work through the WAN IP. 2. [BUG FIX] ITS #15979, #15202 Symptom: ZyWALL reboots at least once a day.
Topology: (192.168.2.1) (192.168.1.1) wan2(192.168.1.3) wan1(192.168.2.2) pc------------------------Router----------------------------------DUT-------------------------(192.168.1.2) | | --------------------------------------------------------------------(1) Disable the firewall on the DUT. (2) Set the DUT WAN to A/A mode. (3) Put a PC on the WAN2 subnet with an IP in the same subnet as the WAN2 interface. (4) The PC pings 192.168.2.2 and does not receive the reply packets. 6.
Condition: (1) Change the ZyWALL to bridge mode. (2) Use the following commands to change the WAN speed: >ether edit load 2 >ether edit speed 10/full >ether edit save (3) The error "Fail to lock read.[record number=128, entry number=0]" then shows up. Neither LAN users nor the device can communicate with the Internet. 10. [BUG FIX] SPR ID: 070117842 Symptom: There is a large latency in VPN1 when a new SA is set up.
Sessions 87/10000 CPU 0% (2) See "sysCPUUsage", "sysFlashUsage", "sysRAMUsage" and "sysSessionUsage" in SNMP management software, e.g. SNMPc Network Manager. They are shown as: sysCPUUsage.0=0 sysFlashUsage.0=3 sysRAMUsage.0=30 sysSessionUsage.0=0. (3) The format and content shown in eWC>>Home differ from those in the SNMP management software.
============================ task name = dns-proxy, pc = f6f30 tosFree is not in network task... task name = dns-proxy, pc = f6f30 tosFree is not in network task... task name = dns-proxy, pc = f6f30 tosFree is not in network task... task name = dns-proxy, pc = f6f30 ============================ (4) Cannot reproduce. 15. [BUG FIX] ITS #16021 Symptom: ZyWALL VPN does not allow two rules with the same local/remote addresses when the remote is dynamic. Condition: (1) Build one VPN rule with local policy 192.168.1.
Condition: (1) Enable CF and external CF. (2) Access www.msn.com from the PC. (3) Some URLs ending in .gif or .jpg appear in the CF cache. (4) Some MIME types should be ignored in the CF query. Modifications in V 4.01(WZ.4)b2 | 03/12/2007 1. [BUG FIX] 070206549, 070206548, 070206547, 070212010 Symptom: The "Ping of Death" check works incorrectly when the packet length is set to a value other than 1500. Condition: Case 1: (1) Use the command "ip icmp death 800" to set the packet length for the "Ping of Death" check.
Symptom: Content Filter "Restrict Web Features" behaves inconsistently, in the page that appears, depending on whether "Don't block trusted Web sites" is enabled or disabled. Condition: (1) Enable Content Filter and block ActiveX and Java Applet. (2) The Denied Access Message is "page denied!" and the redirect URL is "http://www.zyxel.com". (3) Visit an ActiveX or Java Applet web site such as http://dob.tnc.edu.tw/themes/old/showPage.php?s=152&t=5&at=. (4) "dob.tnc.edu.tw" is blocked and redirected to www.zyxel.com.
Symptom: The DUT crashes sometimes. Condition: (1) Enable NAT. (2) Sometimes the DUT crashes at the customer site. Modifications in V 4.01(WZ.4)b1 | 01/29/2007 1. [BUG FIX] 061102088 Symptom: The MIB OID for UTM AV and IDP does not work. Condition: (1) Reset to the default romfile. (2) The PC has SNMP software installed, such as MG-SOFT MIB Browser. (3) Trying to get the value of OID 1.3.6.1.4.1.890.1.6.1 (the AV/IDP signature version and Sigdate) fails. 2.
BLOCK", not "(cache hit)|WEB BLOCK". 6. [BUG FIX] 061113707 Symptom: Content filter trusted web sites are blocked when "Don't block Java/ActiveX/Cookies/Web proxy to trusted Web sites" is selected. Condition: (1) Enable Content Filter and enable blocking of ActiveX, Cookies, Java Applet and Proxy server. (2) Edit eWC/Content Filter/Customization and add "www.google.com.tw", "update.microsoft.com" and "www.csie.nctu.edu.tw" to the trusted web site list.
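Two trusted-site entries in these notes share a root cause: the earlier "http://www.sina.com:80" request that fails to match its trusted entry, and the trusted sites above that are still blocked. The content filter decides on the request's Host header, so the comparison has to canonicalize that value before matching: lowercase it, drop a trailing dot, drop a port equal to the scheme default, and then compare whole names rather than substrings. The Python below is an added example, not ZyWALL code; it shows the literal comparison the symptom suggests, the substring "fix" that over-matches, and a canonicalizing matcher. The "*.example" wildcard form, the port-pinned entry and all inputs are assumptions.

```python
"""Trusted-site matching that tolerates an explicit default port
(added example, not ZyXEL code)."""
from urllib.parse import urlsplit

DEFAULT_PORTS = {"http": 80, "https": 443}


def canonical_host(value: str, scheme: str = "http"):
    """Return (host, port) for a URL or a bare Host header value.  port is
    None when absent or equal to the scheme's default, so 'host:80' and 'host'
    canonicalize identically for http."""
    if "://" not in value:
        value = f"{scheme}://{value}"
    parts = urlsplit(value)
    if not parts.hostname:
        raise ValueError(f"no host in {value!r}")
    port = parts.port                       # raises ValueError on a junk port
    if port == DEFAULT_PORTS.get(parts.scheme):
        port = None
    return parts.hostname.lower().rstrip("."), port


def naive_is_trusted(host_header: str, trusted) -> bool:
    """Literal comparison, the behaviour the symptom describes:
    'www.sina.com:80' is not the string 'www.sina.com'."""
    return host_header in trusted


def substring_is_trusted(host_header: str, trusted) -> bool:
    """A common over-broad 'fix': any name containing a trusted name passes,
    so www.sina.com.attacker.example is trusted too."""
    return any(t in host_header for t in trusted)


def is_trusted(host_header: str, trusted, scheme: str = "http") -> bool:
    """Canonicalize both sides, then match whole names.  An entry written as
    '*.example.com' covers subdomains only; an entry with an explicit port
    matches only that port; an entry without one matches any port."""
    host, port = canonical_host(host_header, scheme)
    for entry in trusted:
        thost, tport = canonical_host(entry, scheme)
        if tport is not None and tport != port:
            continue
        if thost.startswith("*."):
            if host.endswith(thost[1:]):
                return True
        elif host == thost:
            return True
    return False


if __name__ == "__main__":
    trusted = ["www.sina.com", "*.microsoft.com", "intranet.example:8443"]
    for hdr in ("www.sina.com:80", "www.sina.com.attacker.example", "update.microsoft.com"):
        print(hdr, naive_is_trusted(hdr, trusted), substring_is_trusted(hdr, trusted),
              is_trusted(hdr, trusted))
```

Whatever the matcher, the Host header is client-controlled; an allow-list keyed on it relaxes inspection for whatever name the client claims, which is why the note's "Don't block ... to trusted Web sites" option is a trade-off rather than a free pass.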
(4) The Dial Backup session between the ZyWALL and ISP is established, ZyWALL got an IP address provided by the ISP, but the PC in LAN can't ping to an Internet host. ZyWALL can receive and transmit the ping request, and can receive reply from remote host, but ZyWALL won't transmit the reply to the PC in LAN. 10. [BUG FIX] 061121145 (ITS#13200) Symptom: Failed to call the SIP phone on DMZ side with Firewall enabled. Condition: (1) Turn on Firewall.
13. [BUG FIX] 061218035 Symptom: Device crashes when you use the Anti-Spam function. Condition: (1) Restore default romfile. (2) Register Anti-Spam service. (3) Go to eWC>>ANTI-SPAM>>General page, enable Anti-Spam for all directions, activate "Discard SMTP mail. Forward POP3 mail with tag in mail subject". (4) Go to eWC>>ANTI-SPAM>>External DB page, enable External Database, set Threshold = 0. (5) Send a large mail (> 20K) from LAN to WAN; the device will lose mbufs. 14.
(4) Can’t get a response from the device. 19. [BUG FIX] Symptom: iChat behind ZyWALL cannot make a video call with another iChat on WAN. Condition: Topology: iChat_1------ (LAN) ZyWALL (WAN) ------- iChat_2 (1) In router mode, Apple Mac iChat_1 makes a video call request to iChat_2 on WAN. (2) iChat_1 fails to set up the video call with iChat_2. 20. [BUG FIX] Symptom: Help info about “domain name” in h_AS_Custom_Edit.html is not consistent with the ZyWALL function.
Modifications in V 4.01(WZ.3) | 12/04/2006 Modify for formal release. Modifications in V 4.01(WZ.3)b1 | 11/24/2006 1. [ENHANCEMENT] SPR ID: 061109533 Enlarge mail header size from 1024 to 2048. 2. [BUG FIX] SPR ID: 060711576 Symptom: Content filter fails when the user installs Outpost Firewall. Condition: (1) Install OutpostPro Firewall software. (2) Set "disable all web traffic except for trusted web sites" and enable content filter. (3) Enable Outpost Firewall; the user can surf web sites as usual.
Topology: P2002A------------+-(LAN)ZW70(WAN)---------P2002B SIP Server--------| (1) Create a port forwarding rule on ZW70 so that SIP traffic of P2002B can be forwarded to the SIP server. (2) Dial a phone call from P2002A to P2002B; P2002B can hear the voice of P2002A but P2002A cannot hear P2002B. 7. [ENHANCEMENT] Symptom: SIP ALG enhancement. Additional SIP ALG code to support a SIP server on LAN or WAN. Condition: The SIP function has some issues working correctly.
(3) DeviceA enables AS for the WAN->VPN direction. (4) PC receives mail from the mail server; the mail gets stuck. 12. [ENHANCEMENT] SPR ID: 060331694 Add quick timeout mechanism for UDP sessions. This mechanism lets you find more games on the Internet through some game platforms. Without it, the number of games you can find is limited by the NAT session limit. 13. [BUG FIX] SPR ID: 061101036 Symptom: ZyWALL does not get a new rating server list after all rating servers have been removed.
Symptom: ZyWALL cannot trigger dial backup. Condition: Topology: PC--(LAN)ZyWALL(dial backup)--Internet (1) Restore default romfile. (2) Set up dial backup. (3) PC sets ZyWALL to be its DNS proxy server. (4) PC starts to ping a domain name, but ZyWALL does not trigger dial backup. 17. [BUG FIX] SPR ID: 061005220 Symptom: Device crashes because of mbuf double free in Anti-Spam. Condition: (1) System crashes sometimes at the customer site. 18.
TCP 192.168.111.2:50999 66.59.243.66:26397 ACCESS PERMITTED" Engineer Note: The value in the default ROM file is "on" in 4.01. 22. [ENHANCEMENT] Wording changed for out of memory during F/W upload. (1) FTP Was: file size too large. Is: file size too large. Please reboot device, and try again. (2) HTTP/HTTPS Was: disk full! Is: disk full! Please reboot device, and try again. 23.
Condition: (1) In eWC->SECURITY->CONTENT FILTER->General page, enable "Content filter" and block "Java Applet/ActiveX/Cookies/Web Proxy". (2) In eWC->SECURITY->CONTENT FILTER->Customization page, enable "Web site customization" and "Don't block Java/ActiveX/Cookies/Web proxy to trusted Web sites". Add "web.haccpsoft.it" to "Trusted Web Sites". (3) A PC on the ZyWALL's LAN side browses the "http://web.haccpsoft.it:8080" website.
(1) For the configured romfile, please refer to the SPR. (2) PC1 cannot see PC2 by NetBIOS via the VPN tunnel. Note: This problem only happens when the policy index is not equal to the IKE index. Engineer Note: This problem happens in 4.00 and 4.01. 32. [BUG FIX] SPR:060925632 The self-assigned certificate of firmware 4.01 cannot be used in Mozilla Firefox. 33. [BUG FIX] SPR ID: 060908449 Symptom: The ZyWALL assigns a used IP to a DHCP client. Condition: Topology ZyWALL(LAN)------PC1,PC2 (1) Let PC1 get a DHCP IP (192.168.1.
5. [ENHANCEMENT] Add a CI command to turn on or off the LDAP packet parsing in the NAT module. Usage: "ip nat service ldap [on|off]" 6. [ENHANCEMENT] Add ALG type on policy route. 7. [BUG FIX] Symptom: ZyWALL WAN fixed 100/full negotiation fails against Cisco 3550/2900. Condition: (1) Configure the Cisco 3550/2900 port to fixed 100/full. (2) Configure ZyWALL WAN to fixed 100/full. (3) ZyWALL WAN cannot sync up; it remains down. 8. [BUG FIX] Symptom: The DHCP table shows incorrect information.
CDMA.24. Condition: Russia raised the issue that our ZyWALL cannot connect to one kind of CDMA terminal, RWT FCT CDMA.24, but it is okay when this terminal connects to a P662 or a D-Link router. After checking, they found that short-circuiting CTR and DTS makes it work (ZyWALL connects to the CDMA terminal). 12. [BUG FIX] Symptom: Device crashes because of memory double free in Content Filter. Condition: (1) Enable Content Filter and Web site customization. (2) After a while, the device will sometimes crash. 13.
1. [BUG FIX] Symptom: Device crashes when uploading F/W. Condition: Topology : PC_A == ZyWALL == P1 == PC_B (1) Build a tunnel between PC_A and PC_B and send TFGEN traffic (1M) between PC_A and PC_B. (2) Use eWC to upload F/W from ZyWALL’s WAN; the device crashes. Modifications in V4.01(WZ.0)b4 | 07/11/2006 2. [BUG FIX] Symptom: Anti-Spam cannot work in a NAT loopback situation. Condition: (1) Put PC1 and PC2 on the LAN side of the ZyWALL. (2) ZyWALL enables Anti-Spam and disables External Database.
8. [FEATURE CHANGE] WAS: In eWC>HOME page, the memory bar becomes red when the percentage of memory usage is over 90%. IS: In eWC>HOME page, the memory bar becomes red when the percentage of memory usage is over 95%. 9. [ENHANCEMENT] Enlarge Anti-Spam session number from 15 to 100. 10. [ENHANCEMENT] The Microsoft cryptographic library supports only odd-sized keys for generating the RSA modulus. Let the key creator primes be odd-sized.
15. [BUG FIX] Symptom: Unknown crash. Condition: (1) Restore default romfile. (2) Switch device to Active/Active mode, and confirm WAN1 and WAN2 can work fine. (3) Set WAN2 ping check point to User-defined. (4) After a while, the device sometimes will crash. 16. [BUG FIX] Symptom: IDP Total Sessions Scanned is wrong. Condition: (1) Enable AV, SMTP service and enable all directions. (2) Enable IDP, but disable all traffic direction.
20. [BUG FIX] Symptom: The device will crash when using VPN manual mode. Condition: PC1--ZWA--ZWB--PC2 (1) Add a VPN manual mode rule in both ZWA and ZWB and make sure PC1 can ping PC2 through the VPN tunnel. (2) PC1 pings PC2 continuously. (3) Unplug the physical link on WAN while the VPN traffic is passing through (ZWA). (4) ZWA will crash. 21. [BUG FIX] Symptom: Incorrect data is shown on eWC>THREAT REPORTS>AV. Condition: (1) Enable AV and use eDonkey behind the ZyWALL.
WAS: 19/64MB IS: 19/64 MB (2) Time representation: Modify eWC>home page>Up Time as a running clock. (3) Firmware Version Give eWC>Homepage>Firmware Version a hyperlink to eWC>Maintenance> F/W Upload. (4) Security Services: 1. Give eWC>Homepage>IDP/Anti-Virus Definitions a hyperlink to eWC>IDP> Update. 2. Add eWC>Homepage>IDP/Anti-Virus Expiration Date a hyperlink to eWC>Anti-Virus> Service. 3. Give eWC>Homepage>Anti-Spam Expiration Date a hyperlink to eWC>Registration> Service. 4.
(2) Remove CI command "ipsec swFwScan on|off". 8. [BUG FIX][060502049] Symptom: Device crashes when sending a large number of mails. Condition: (1) Enable Anti-SPAM and external database. (2) Enable Bandwidth management on WAN and DMZ. (3) Send and receive a large number of mails between the DMZ and WAN interfaces. (4) Device will crash. 9. [BUG FIX] [060516907] Symptom: Traffic cannot pass the VPN tunnel after a long while. Condition: Topology: PC1 (192.168.1.33) --- ZW_A (192.168.70.100) ==== VPN tunnel ==== (192.168.
10. [BUG FIX][060517002] Symptom: Some wordings in "eWC->ANTI-VIRUS" are not correct. Condition: (1) Go to "eWC->ANTI-VIRUS->General". (2) The wording "POP3 (TCP/UDP 110)” should be ”POP3 (TCP 110)". (3) The wording "SMTP (TCP/UDP 25)” should be ”POP3 (TCP 25)". 11. [BUG FIX][060423782] Symptom: The device cannot enable multiple proposals in an IKE rule. Condition: (1) Add an IKE rule using "Preshare key" as the authentication type.
15. [BUG FIX][060509567] Symptom: In Bridge mode, Network Status > Bridge Port is missing the DMZ port. Condition: In Bridge mode, GUI Home > Network Status > More > Bridge Port is missing the DMZ port. 16. [BUG FIX][060509570] Symptom: VPN rule swap fails on the phase one ID check. Condition: Topology: (LAN) Bridge_A (WAN)=======(WAN) Bridge_B(LAN) (1) On Bridge_A, add a VPN rule: IKE: Static rule, enable XAUTH and set as client mode. Local ID: Type=DNS Content = d.c.b.a Peer ID: Type=DNS Content = a.b.c.d IPSEC Policy: Local=Single 1.1.1.
Condition: Topology as follows: PC (A) ---- [L]DUT(B)[W] ------- Internet --- HTTP server(D)(66.102.7.104) | | -- [L]Router(C)[W] --- Internet (1) DUT configures a static route that forwards packets with destination IP 66.102.7.104 through the internal link to Router (C). PC (A)’s default route entry is DUT (B). Router (C) is NAT enabled. (2) PC (A) establishes an HTTP connection to HTTP server (D). a. SYN Packet: A -> B (LAN) -> C (LAN) -> C (WAN) -> D. b. SYN ACK Packet: D -> C (WAN) -> C (LAN) -> A. c.
22. [BUG FIX][060427214] Symptom: Redundant gateway sometimes cannot be saved if it is in domain name format. Condition: (1) Create an IKE rule with IPSEC HA enabled. (2) Configure a non-existent domain name as the redundant gateway. (3) Let the Domain Name Update Timer query this non-existent domain name. It will fail. (4) Try to modify the domain name to a correct one and save it. (5) Several minutes later, users will find the domain name has not been changed; it is still the old one. 23.
Condition: (1) Go to SMT11.1, configure Encapsulation as "PPPoE" or "PPTP". (2) Go to SMT11.1->Edit IP, change "Private" to "Yes". (3) Go to eWC->WAN->WAN1, set IP as static IP address. (4) Go to SMT11.1->Edit IP, the value of "Private" will become "No". 27. [BUG FIX][060426102] Symptom: NAT Many-to-Many Overload rule cannot be set in eWC. Condition: (1) Go to eWC>NAT>Address Mapping page, click "Insert" button. (2) In NAT - ADDRESS MAPPING page, select Type= Many-to-Many Overload.
IKE: Static rule, enable XAUTH and set as client mode. IPSEC Policy: Local=Single 1.1.1.1, Remote=Single 2.2.2.2 (2) On Bridge_B, add two VPN rules: 1. Rule one: IKE: Static rule, enable XAUTH and set as server mode. IPSEC: Local=Single 3.3.3.3, Remote=Single 4.4.4.4 2. Rule two: IKE: Dynamic rule. XAUTH is disabled. IPSEC Policy: Local=Single 1.1.1.1, Remote=Single 2.2.2.2 (3) Dial the VPN tunnel from ZyWALL_A to Bridge_B; the VPN tunnel will be successfully built up with Bridge_B’s rule two. 32.
2. [ENHANCEMENT] Add redundant IPSec gateway (IPSec HA). 3. [ENHANCEMENT] IPSec traffic can be managed by security rules (IDP/AV/AS/FW/CF/BM). 4. [FEATURE CHANGE] Was: The IPSec auto-build tunnel command can only build tunnels with the same secure gateway IP. Is: Users can automatically build VPN tunnels with incremental secure gateway IP addresses. Usage of CLI command: ipsec build in which 5.
(1) "active [yes|no]": Let ZyWALL accept gratuitous ARP requests. (2) "forceUpdate [on|off]": If the ZyWALL ARP table already has an ARP entry for the target IP address, the forceUpdate option updates the existing MAC mapping to the new one. 14. [FEATURE CHANGE] WAS: The ZyWALL uses a fixed NTP server list with 10 NTP servers to adjust the system time. IS: Use 0.pool.ntp.org, 1.pool.ntp.org, 2.pool.ntp.org instead of specific NTP servers to adjust the system time. The pool.ntp.
(6) The default server access of SNMP and DNS is ALL. Modification (1) The default value for the Server access rule is ALL. (2) Under the default setting: You can set up Menu 15 to forward the server to a LAN IP address. Thus you can configure the router through the WAN and you don’t need to modify the server management or filter. Menu 24.11 - Remote Management Control TELNET Server: Port = 23 Access = ALL Secured Client IP = 0.0.0.0 FTP Server: Port = 21 Access = ALL Secured Client IP = 0.0.0.
Appendix 2 Trigger Port Introduction Some routers try to get around this "one port per customer" limitation by using "triggered" maps. Triggered maps work by having the router watch outgoing data for a specific port number and protocol. When the router finds a match, it remembers the IP address of the computer that sent the matching data.
"Incoming Port". If it matches, Prestige will forward the packet to the IP address recorded in the internal table for this port. (This behavior is the same as for port forwarding.) (3) The recorded IP in the internal table will be cleared if machine A disconnects from the sessions that match the "Trigger Port". Notes (1) Trigger events can't happen on data coming from outside the firewall because the NAT router's sharing function doesn't work in that direction.
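The trigger-port behaviour described in Appendix 2, as an added example (not ZyXEL firmware code): a rule is armed only by outgoing traffic on the trigger port, inbound packets on the incoming ports are forwarded to the recorded sender, and the record is cleared when that host's trigger session ends. Rule and method names are hypothetical.

```python
"""Trigger-port mapping model (added example, not ZyXEL firmware code).

Models Appendix 2: the router watches outgoing traffic for a "Trigger Port",
records the sender's LAN IP, forwards later inbound packets on the "Incoming
Port" range to that IP, and clears the record when the triggering session
ends. Rule and field names are hypothetical.
"""
from dataclasses import dataclass, field


@dataclass
class TriggerRule:
    name: str
    trigger_port: int       # outbound destination port the router watches
    incoming_ports: range   # inbound destination ports forwarded to the sender


@dataclass
class TriggerPortTable:
    rules: list
    recorded: dict = field(default_factory=dict)  # rule name -> LAN IP

    def outbound(self, src_ip: str, dst_port: int) -> None:
        """LAN -> WAN packet: remember who hit the trigger port."""
        for rule in self.rules:
            if dst_port == rule.trigger_port:
                self.recorded[rule.name] = src_ip

    def inbound(self, dst_port: int):
        """WAN -> LAN packet: LAN IP to forward to, or None (dropped).

        Only outbound traffic creates a record (Note 1): an unsolicited
        packet from outside never opens a mapping by itself.
        """
        for rule in self.rules:
            if dst_port in rule.incoming_ports:
                return self.recorded.get(rule.name)
        return None

    def disconnect(self, src_ip: str) -> None:
        """Trigger session closed: forget every record pointing at that host."""
        for name in [n for n, ip in self.recorded.items() if ip == src_ip]:
            del self.recorded[name]


def demo():
    # Constructed sample rule: outbound port 12345 arms inbound 20000-20009.
    table = TriggerPortTable([TriggerRule("game", 12345, range(20000, 20010))])
    before = table.inbound(20005)            # nothing recorded yet -> None
    table.outbound("192.168.1.33", 12345)    # LAN host hits the trigger port
    during = table.inbound(20005)            # forwarded to 192.168.1.33
    table.disconnect("192.168.1.33")         # trigger session ends
    after = table.inbound(20005)             # record cleared -> None
    return before, during, after
```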
Appendix 3 Hard-coded packet filter for "NetBIOS over TCP/IP" (NBT) The new set of CI commands is under the "sys filter netbios" sub-command. Default values for any direction are “Forward”, and trigger dial is “Disabled”. There are two CI commands: (1) "sys filter netbios disp": It will display the current filter mode.
Appendix 4 Traffic Redirect/Static Route Application Note Why traffic redirect/static route is blocked by ZyWALL ZyWALL is the ideal secure gateway for all data passing between the Internet and the LAN. For some reasons (load balance or backup line), users want traffic re-routed to another Internet access device while still being protected by ZyWALL. The network topology is the most important issue. Here is a common example of how people misuse LAN traffic redirect and static route.
normal function. Figure 5-2 Gateway on alias IP network (2) Gateway on WAN side A working topology is suggested below. Figure 5-3 Gateway on WAN side Appendix 5 IPSec FQDN support ZyWALL A-------------Router C (with NAT) ------------ZyWALL B (WAN) (WAN) (LAN) (WAN) If ZyWALL A wants to build a VPN tunnel with ZyWALL B through Router C with NAT, A cannot see B. It has to set its secure gateway to C. However, ZyWALL B will send its packets with its own IP and its ID to ZyWALL A.
contents are consistent and they can connect. Basically the story is the same when the ID type is IP. If the user configures ID content, then ZyWALL will use it as a check, so the ID content also has to match on both sides. For example, the ID type and ID content of incoming packets must match “Peer ID Type” and “Peer ID content”; otherwise ZyWALL will reject the connection. However, the user can leave “ID content” blank if the ID type is IP. ZyWALL will put a proper value in it during IKE negotiation.
1. When Local ID Content is blank, which means the user doesn’t type anything here, during IKE negotiation my ID content will be “My IP Addr” (if it’s not 0.0.0.0) or the local WAN IP. 2. When “Peer ID Content” is not blank, the ID of the incoming packet has to match our setting; otherwise the connection request will be rejected. 3. When “Secure Gateway IP Addr” is 0.0.0.0 and “Peer ID Content” is blank, the system can only check the ID type.
ISP (or network). This secondary WAN port can be used in an “active-active” load sharing or fail-over configuration, providing a highly efficient method for maximizing total network bandwidth. The default mode of the WAN 2 interface is “Active-Passive” or “Fail-Over” mode, that is, the secondary WAN is automatically brought up when the first WAN fails. The user can enter the eWC/WAN/General page to select “Active/Active” mode for WAN.
Appendix 9 IPSec IP Overlap Support Figure 1 (topology): PCA 1.1.1.33, PCC 1.1.2.250, PCB 1.1.2.250; ZyWALL A and ZyWALL B connected via WAN; networks LAN 1.1.1.0/24, LAN 1.1.2.0/28, IP Alias 1.1.2.0/24. The ZyWALL uses the network policy to decide whether traffic matches a VPN rule. But if the ZyWALL finds traffic whose local address overlaps with the remote address range, it cannot tell whether it needs to trigger the VPN tunnel or just route the packet. So we provide the CI command “ipsec swSkipOverlapIp” to trigger the VPN rule.
Appendix 10 VPN Local IP Address Limitation Figure 1 (topology): PCA 1.1.1.33, PCC 1.1.2.250, PCB 1.1.2.250; ZyWALL A and ZyWALL B connected via WAN; networks LAN 1.1.1.0/24, LAN 1.1.2.0/28, IP Alias 1.1.2.0/24. There is a limitation when you configure the VPN network policy to use any Local IP address. When you set the Local address to 0.0.0.0 and, at the same time, the Remote address includes any interface IP of the ZyWALL, traffic related to remote management or DHCP between PCs and the ZyWALL may work incorrectly.
ZyXEL VPN Client Security Gateway: 1.1.1.1 Phase one Authentication method: Preshare Key Remote: 192.168.1.0/24 In example 1, the user may wonder why ZyWALL swaps to the dynamic rule even though the VPN client only set the authentication method to “Preshare Key”, not “Preshare Key+XAuth”. The root cause is that currently the ZyXEL VPN Client sends the XAuth VID regardless of the authentication mode the user sets. Because of the XAuth VID, ZyWALL swaps to the dynamic rule. This unexpected rule swap is a limitation of our design.
on forceUpdate, then when the ZyWALL gets a gratuitous ARP it will force an update of the MAC mapping in the ARP table; otherwise, if forceUpdate is turned off, when the ZyWALL gets a gratuitous ARP it will update the MAC mapping in the ARP table only when there is no such MAC mapping in the ARP table yet. As an example of its purpose, there is a backup gateway on the network as in the picture.
(2) ipsec initContactMode tunnel When the ZyWALL receives an IKE packet with IC, it deletes only one existing tunnel, the one whose security gateway IP is the same as this IKE packet's and whose phase 2 ID (network policy) also matches. It is suitable when your tunnels are created from VPN peers to the ZyWALL and two or more such VPN peers build tunnels from behind the same NAT router. Take picture 2 as an example: PC1, PC2 and PC3 each have their own VPN software to create tunnels with the ZW.
Figure 1. But there are still some limitations that we need to overcome in the future. When you deploy your SIP server on LAN for SIP service, please make sure your topology avoids the cases listed below. (1) When the SIP client is on LAN, do not use NAT loopback on the SIP server.
Figure 2. (2) Try not to use different global IPs for the SIP client and SIP server on NAT. Currently, there are still some limitations when using different global IPs for the SIP client and SIP server. For instance, in Figure 3, the SIP server and a SIP client B are on the same LAN. If we use different global IPs for the SIP server and SIP client B, SIP client A, which is behind another NAT router, will fail to communicate with SIP client B. Figure 3.
phone B. Thus call setup will fail. This limitation is a SIP client related issue: some SIP clients send the ACK request directly to the remote client, some send it through the proxy server. Figure 4. (4) We do not support multiple SIP proxies in the middle of the path. We have not implemented or handled this kind of topology (Figure 5), so the result is still unknown.
(4) "Update Server" will reply with a file list to the PC; the download address of the file will be "File Server". At the same time "Update Server" will inform "File Server" that a PC located at the "WAN1" IP address will get a file from it. (5) PC knows the file address and retrieves the file through "WAN2". (6) "File Server" thinks the PC's IP should be "WAN1" instead of "WAN2". It rejects the PC's request.
If we set the timeout value as "10 seconds", 5 seconds is not timeout. The device will route the new session to the same interface.
Appendix 16: The mechanism of ZyWALL IPSec policy IP conflict check: ZyWALL classifies traffic to IPSec tunnels according to Network Policies. If two Network Policies “conflict”, it is not possible for ZyWALL to classify traffic correctly. Two policies conflict if they satisfy both of the following conditions at the same time: (1) The IP address ranges of the “Local Network” of the two policies overlap. (2) The IP address ranges of the “Remote Network” of the two policies overlap.
                                     Policies under        Policies under        Runtime policies
                                     Static IKE rule       Dynamic IKE rule      (IKE negotiation)
                                     (configuration)       (configuration)
Policies under Static IKE rule       Compare               Not compare           Not compare
(configuration)
Policies under Dynamic IKE rule      Not compare           Not compare           Not compare
(configuration)
Runtime policies (IKE negotiation)   Compare               Not compare           Compare

Note: (1) “Compare” means ZyWALL will compare the policies in the row with the policies in the column. E.g.
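The conflict rules of Appendix 16 and the local/remote overlap case of Appendix 9, as an added example (not ZyXEL firmware code). It assumes the address forms the release note uses (single IP, CIDR subnet, or a dashed range) and uses the three policy groups of the comparison table as hypothetical "kind" names.

```python
"""IPSec network-policy conflict check (added example, not ZyXEL firmware code).

Implements the two rules of Appendix 16 (two policies conflict when both
their Local and their Remote ranges overlap, and only the policy groups
marked "Compare" in its table are checked against each other) plus the
Appendix 9 case of a policy whose own Local range overlaps its Remote range.
Address forms assumed: single IP, CIDR subnet, or 'a.b.c.d-e.f.g.h' range.
"""
import ipaddress
from dataclasses import dataclass


def to_range(spec: str) -> tuple:
    """Inclusive (lo, hi) integer pair for a single IP, CIDR or dashed range."""
    if "-" in spec:
        lo, hi = (ipaddress.IPv4Address(s.strip()) for s in spec.split("-", 1))
        return int(lo), int(hi)
    net = ipaddress.IPv4Network(spec, strict=False)   # a single IP becomes /32
    return int(net.network_address), int(net.broadcast_address)


def ranges_overlap(a: tuple, b: tuple) -> bool:
    return a[0] <= b[1] and b[0] <= a[1]


@dataclass(frozen=True)
class Policy:
    name: str
    kind: str     # "static", "dynamic" or "runtime": the groups of the table
    local: str
    remote: str


# Row kind -> column kinds marked "Compare" in the Appendix 16 table.
COMPARED = {
    "static": {"static"},
    "dynamic": set(),
    "runtime": {"static", "runtime"},
}


def policies_conflict(p: Policy, q: Policy) -> bool:
    """Appendix 16: conflict only when BOTH Local and Remote ranges overlap."""
    return (ranges_overlap(to_range(p.local), to_range(q.local))
            and ranges_overlap(to_range(p.remote), to_range(q.remote)))


def local_overlaps_remote(p: Policy) -> bool:
    """Appendix 9: the ZyWALL cannot tell 'route' from 'tunnel' for such a policy."""
    return ranges_overlap(to_range(p.local), to_range(p.remote))


def find_conflicts(candidate: Policy, existing: list) -> list:
    """Names of existing policies that conflict with candidate, per the table."""
    return [other.name for other in existing
            if other.kind in COMPARED[candidate.kind]
            and policies_conflict(candidate, other)]
```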