ZyXEL Confidential ZyXEL Firmware Release Note ZyWALL 5 Release 4.04(XD.3)C0 Date: Author: Project Leader: 404XD3C0.docx Nov.
ZyXEL ZyWALL 5 Standard Version Release 4.04(XD.3)C0 Release Note
Date: Nov. 4, 2008
Supported Platforms: ZyXEL ZyWALL 5
Versions:
ZyNOS Version: V4.04(XD.3) | 11/04/2008
Bootbase Version: V1.08 | 01/28/2005 14:47:16
Agent Version: V2.1.7(XD.0)base
Note:
Restore to Factory Defaults Setting Requirement: No.
The setting of ignore triangle route is on in default ROM FILE. Triangle route network topology has potential security risks.
1300” from autoexec.net by CI command “sys edit autoexec.net”. (Upgrade from 3.62) In previous 3.64 firmware, the VID value of DPD is not correct. The VID change will cause the current version not to work with the wrong value. Please be sure to connect with devices which have the updated VID, or the DPD may not work correctly. In SMT menu 24.1, "WCRD" only represents the WLAN card status when you insert a WLAN card into the ZyWALL.
(3) The host can still ping Internet using LAN DHCP address (4) The scenario will continue for about 30 secs. 3. Because of the memory shortage (ZW5/P1), the device sometimes has to restart when the customer needs to upgrade firmware. Issues [UPnP] 1. Sometimes on screen the “Local Area Connection” icon for UPnP disappears. The icon shows again when restarting PC. [Bandwidth Management] 1. Bandwidth management H.323 service does not support Netmeeting H.323 application. 2.
PC4(31.33)-Configure as attached romfile. Steps: (1) DUT configures 2 IKE dynamic rules, and each attaches 2 IPSEC rules. (2) PC5 can ping PC3 and PC4 and the associated tunnels are built up. (3) When PC5 pings PC1, it will fail, and log shows “[ID] : Remote IP [192.168.2.0] / [255.255.255.0] conflicts”. [CNM] 1. DES/3DES encryption key is not unique. 2. Vantage will set an incorrect root password on the device when the hash root password flag is enabled via CI command: “sys pwdHash on”. 3.
(4) Reboot the device; sometimes the firmware still can’t be upgraded.
Features: Modifications in V 4.04(XD.3) | 11/04/2008 Modify for formal release. Modifications in V 4.04(XD.3)b2 | 10/29/2008 1. [FEATURE CHANGE] WAS: Support URL link to bluecoat. IS: Remove URL link to bluecoat 2. [BUG FIX] SPR ID: 081023046 Symptom: Device often can’t work when its CF buffer reduces to a low value. Condition: (1) ZW70 F/W 4.04(WM.3)b1 can’t work in PQA LAB during several hours. Restart the device, it can work fine.
9. [BUG FIX] SPR ID: 080905611 Symptom: After synchronization with same NTP server on PC and ZyWALL, the time on ZyWALL is always 5 seconds later than PC time. Topology: PC------------- (L) ZyWALL (W) ---Internet Condition: (1) Restore to default romfile, login Web page. (2) Edit eWC/MAINTENANCE/Time and Date, Time Protocol=NTP(RFC-1305), Time Server Address=“time.stdtime.gov.cn”, then click “Synchronize Now”. (3) PC also synchronizes with the Time Server (“time.stdtime.gov.cn”).
12. [BUG FIX] SPR ID: 080825974 Symptom: HTTP Service can't be detected when using http upload. Condition: (1) Enable AV, enable Zip file scan, Active HTTP, select direction WAN->LAN, then Apply. (2) Edit SMT 24.8, set with CI command “av load”, “av config httpPost on”, “av save”. (3) Setup http server on LAN PC. HTTP Upload eicar.com and eicar_com.zip from WAN PC to HTTP Server (you can get these files from http://www.eicar.org/anti_virus_test_file.htm).
(5) In eWC>ADVANCED>UPnP>Ports, there is only one port mapping rule of uTorrent, of which protocol is UDP. And no TCP port mapping rule appears. In fact, there should be two port mapping rules of uTorrent, one TCP rule and one UDP rule. Modifications in V 4.04(XD.2) | 09/10/2008 Modify for formal release. Modifications in V 4.04(XD.2)b2 | 09/04/2008 1. [BUG FIX] SPR ID: 080827155 Symptom: After flush route table, RIP doesn’t work.
Condition: Upload the 4.04 pre-version FW, for example 4.04 patch1, and reset to default romfile. Update the signature. Upload the 4.04 patch 2 FW. High and severe IDP signatures ARE NOT LOGGED BY DEFAULT, even after updating to the latest version signature. Modifications in V 4.04(XD.2)b1 | 08/20/2008 1. [ENHANCEMENT] Enhance DNS proxy to support random transaction id and random source port. 2. [BUG FIX] SPR ID: 080523448 Symptom: Can't build VPN tunnel after SA lifetime expires.
(4) When client receives a specific mail, ZW5 would crash. (5) Description of an example mail: The mail body is NULL; the number of bits (including mail subject, “mail to”, and “mail from”) must be 217. 5. [BUG FIX] SPR ID: 080707264 Symptom: When setting a port forwarding rule, the LAN server IP 172.20.10.0 can't be configured. Condition: (1) Configure the LAN subnet as 172.20.10.1/16.
Topology: PC--------- (L) Device (W) --------Internet Condition: (1) Manually set the DNS server of PC to the LAN IP of device. (2) Open web page "http://www.doxpara.com/" with IE or Firefox on PC. (3) Click the button "Check My DNS" on the web page, device will crash. 9. [BUG FIX] SPR ID: 080717142 Symptom: White list does not take effect. Condition: Condition 1: (1) Activate CF service. (2) Add www.baidu.com, www.sina.
Condition: (1) Setup PPTP server on Redhat Linux. (2) Create PPTP client on PC with Windows XP OS. (3) Connect PPTP client with PPTP server, sometimes it can't connect. 3. [BUG FIX] SPR ID: 080602091 Symptom: ZyWALL crashes as a DNS proxy when the external DNS is unavailable after several days. Condition: Topology: PC--------- (L) Device (W) --------Internet (1) Reset device's configuration file.
is checkpoint's WAN IP, the peer ID type is IP and peer ID content is "0.0.0.0". (2) A corresponding rule is configured on Checkpoint. Its local ID content is "0.0.0.0". (3) Dial VPN from ZyWALL 35, fail to build the tunnel for ID content mismatch. 7. [BUG FIX] SPR ID: 080602089 Symptom: Sierra 3G card AC881 cannot be detected. 8. [BUG FIX] SPR ID: 080602090 Symptom: PX-500 cannot get signal and cannot connect to ISP. Modifications in V 4.04(XD.1)b1 | 05/16/2008 1.
3G feature supports PX-500 card. 8. [ENHANCEMENT] Modified the ESN parse error for HUAWEI EC360. 9. [FEATURE CHANGE] WAS: When choosing "Use WAN IP Address" as IP Address Update Policy, ZyWALL will send check IP packet to checkip.dyndns.org when interface is up and gets any IP address. IS: When choosing "Use WAN IP Address" as IP Address Update Policy, ZyWALL will send check IP packet to checkip.dyndns.org when interface is up and gets a different IP address from last time. 10.
Virtual IP 192.168.201.2, private IP 192.168.1.2, remote IP 0.0.0.0 (2) VPN client is Greenbow. (3) After the tunnel is up, ping from the VPN client; the reply is from the ZW35's WAN IP (172.25.21.24) instead of 192.168.201.2. 13. [BUG FIX] SPR ID: 080217401 Symptom: Cannot recognize service "PCAnywhere_Data(TCP5631)" in firewall rule. Condition: (1) Reset to default romfile. (2) Go to eWC>FIREWALL>Rule Summary, and then insert a new firewall rule.
10.1.1.9 10.10.10.0/24
(1) ZWA LAN: 10.1.1.0/24, ZWA as a NAT router
ZWB WAN: 10.1.1.21 LAN: 10.21.10.0/24, ZWB as a pure router
ZWC(DUT) WAN: 10.1.1.9 LAN: 10.10.10.0/24, ZWC as a pure router
On ZWA, go to eWC>SECURITY>FIREWALL and disable Allow Asymmetrical Route.
Go to eWC>ADVANCED>STATIC ROUTE and add the following static routes:
Name   Active  Destination                 Gateway
LAN-C  Yes     10.10.10.0 / 255.255.255.0  10.1.1.9
LAN-B  Yes     10.21.10.0 / 255.255.255.0  10.1.1.
PC1--(LAN)ZyWALL2+(PPPoE)--Cisco2811(LAN)---PC2 (1) Build VPN from ZyWALL2+ to Cisco2811. (2) Change the RIP item in WAN of ZyWALL2+ and Apply. Then it will try to get the new WAN IP address. (3) Sometimes ZyWALL2+ will use "0.0.0.0" as my IP address during the IKE negotiation. 20. [BUG FIX] SPR ID: 080430427 Symptom: ZyWALL 70 keeps rebooting within 5 minutes to 2 hours when AS is enabled. Condition: Topology: Mail server--(LAN)ZW70(WAN)--internet (1) ZW70 enables AS check for spam mail.
getonline?type=1&31008201:31008202:" (6) Host on the LAN accesses "www.sina.com.cn". Another cache "ad4.sina.com.cn/sina/ae/ad_src/popup/pops1.html?v; swf;http://d1.sina.com.cn/200712/25/120149_hp-pop.swf" is created. (7) It's impossible to delete the two items except by flushing all caches. 23. [BUG FIX] SPR ID: 071113864 Symptom: Idle timeout will be changed to 0 when Traffic Redirect is enabled via GUI. Condition: (1) Edit eWC> WAN> WAN1, Set Encapsulation= PPPoE & Idle Timeout= 100.
(2) eWC>>security->idp, enable idp, protected traffic direction=lan->wan, wan->lan (3) FTP to the WAN-side FTP server succeeds, and http://www.163.com opens successfully. (4) Edit SMT 24.8, set with CI command "idp tune load" "idp tune config l4Tcpcksum on" "idp tune save" (5) Fail to connect to the WAN's FTP server and fail to open http://www.163.com. 28.
Modifications in V 4.04(XD.0)b5 | 03/21/2008 1. [BUG FIX] SPR ID: 080313755 Symptom: ZyWALL SMT menu refreshes continually after upgrading firmware from 4.02 to 4.04. Condition: (1) Upload 4.02 firmware to DUT and then reset to factory default. (2) Then upgrade the firmware to 4.04. (3) The SMT menu refreshes continually and cannot be stopped. 2. [BUG FIX] SPR ID: 080312702 Symptom: DDNS hostname has been blocked for abuse. Condition: (1) Use DDNS’s Service Provider= WWW.DynDNS.COM.
(3) Get information “Remote node [WAN 1] is connected, IP is dd783c36”. (4) The IP is strange. 6. [BUG FIX] SPR ID: 080122128 Symptom: Some action in CF is wrong. Condition: (1) CF>General, disable Unrated Web Pages & When Content Filter Server Is Unavailable (2) Insert a policy, enable external DB, and choose a Category (3) Flush cache (4) Open a page which will be rated as Unrated, such as "172.25.21.80".
(1) Restore ROM. (2) On SMT24.8, input command: sys tos fwSchedule active on (3) In eWC>Firewall, add a rule on LAN to WAN, block TCP & FTP Services during 10:30~10:35. (4) Before 10:30, LAN PC connects to WAN side FTP server, and uploads a big file. (5) After 10:30, this connection will be dropped. This is right. (6) But after 10:35, when LAN PC tries to connect to the FTP server again, some NAT debug info "natFreeSlotByIamt: Iamt Reference ERROR" is displayed in SMT.
can be built successfully. (4) In ZyWALL2, configure IKE rule and IPsec rule correctly except Pre-shared Key. Enable Nailup. Make sure the Tunnel can't be built successfully. (5) After running for a long time, ZyWALL_DUT will crash because of IKE SA leak. 5. [BUG FIX] SPR ID: 071023165 Symptom: "send/recv" bytes in syslog are a minus number. Condition: (1) Configure syslog server. (2) Enable REPORTS->SYSTEM REPORTS->Reports.
cannot edit or delete. Condition: (1) Reset rom. (2) EWC>ADVANCED>BW MGMT>Summary, activate bandwidth management on WAN1. (3) EWC>ADVANCED>BW MGMT>Class Setup, Add a sub-class with budget = 0 and enable bandwidth filter. (4) After clicking Apply, it will display under "Enabled classes Search Order". (5) Unfolding the tree of root class, the newly added sub-class cannot be found. 9.
(6) After PC1 releases this IP successfully, check eWC>>Home>>DHCP table, "PC1's MAC-->IP: 192.168.1.200" is still shown on this page. Condition 2: (1) sys romreset (2) EWC>>LAN>>static DHCP, add a static DHCP mapping for PC1. PC1's MAC-->IP: 192.168.1.200 (3) Attach PC1 to ZyWALL LAN port, PC1 can get IP 192.168.1.200. (4) EWC>>LAN>>static DHCP, add another static mapping for some PC, e.g., 00:11:22:33:44:55:66-192.168.1.201. (5) Check eWC>>Home>>DHCP table, "PC1's MAC-->IP: 192.168.1.
Domains" at the leftward, then click "DNS" icon. You will see "Hostname/Alias" named "test1" bind an IP Address, but this address is not 172.25.17.77. Also in eWC, there is not any log like "Update domain name test1.zyxel.com.es with IP:172.25.17.77 successfully". (4) Do Step (2) in eWC, then check again according to Step (3). Now you will see "Hostname/Alias" named "test1" bind an IP Address 172.25.17.77. In eWC, there is a log "Update domain name test1.zyxel.com.es with IP:172.25.17.
Enable External Database Content Filtering = selected Matched Web Pages, unselect Block, select Log Enable Report Service = selected (4) Go to eWC>SECURITY>CONTENT FILTER>Policy, insert one policy. (5) Go to eWC>SECURITY>CONTENT FILTER>EDIT POLICY>GENERAL, Activate this policy, Address Setup = Any.
Condition: (1) Insert Huawei E630 3G card to ZW2WG or ZW1WG with 4.04 firmware. (2) Device failed to detect E630. 23. [BUG FIX] SPR ID: 080110425 Symptom: DDNS will not update after changing the service provider. Condition: (1) Setup the DDNS provider as DynDNS and make sure the WAN IP can be updated. (2) Change the service provider to No-IP and apply it. (3) Check the log and you can find the WAN IP will not update with No-IP service provider. 24.
Symptom: Some action in CF is wrong. Condition: (1) CF/General, disable Unrated Web Pages & When Content Filter Server Is Unavailable (2) Insert a policy, enable external DB, and choose a Category (3) Flush cache (4) LAN PC successfully opens a page which will be rated as unrated, such as “172.25.21.80”. (5) Then open this page again, it is blocked, and we can see URL in cache but no log about this block action. And it shouldn't block it since we didn't select to block unrated web pages.
Modifications in V 4.04(XD.0)b2 | 01/07/2008 1. [ENHANCEMENT] Support following 3G cards: (1) Huawei EC360. (2) Huawei EC500. (3) Huawei E630. (4) Novatel EX720. (5) Sierra AC580 (CDMA). (6) Sierra AC880. (7) Sierra AC881. 2. [ENHANCEMENT] Enhance VPN: (1) When the device is VPN initiator and the responder can’t receive the device's last quick mode packet, the device will receive the last quick mode packet from the responder repeatedly. WAS: Device would drop the repeated packet.
6. [ENHANCEMENT] Enhance TA agent: (1) Support Lionic IPS for Vantage CNM. (2) Fix crash bug while registering via CNM. 7. [ENHANCEMENT] Enhance Agent to support CNM 3.0 Patch2 (1) Support MAC/IP binding (2) Support VPN AES128/192/256 and DH5 (3) Support DDNS multi service providers (4) Fix FC query memory overwrite issue (5) Change Feature code and version as the CNM team requested (6) Add 3G alert type (7) Support Logsetting MAC/IP Binding 8.
13. [BUG FIX] SPR ID: 071108567 Symptom: PC under WLAN port can’t get IP from DHCP server! Condition: (1) Configure one port as WLAN. (2) Configure WLAN interface as a DHCP server. (3) Disable firewall. (4) Attach a PC to WLAN port, and then you will find the PC can't get IP from the ZyWALL. 14.
message "Duplicate MAC Address". 18. [BUG FIX] SPR ID: 071212636 Symptom: We can't search signatures by multiple Type attributes in IDP query page. Condition: (1) Update signature. (2) Go to eWC>Security>IDP>Signature page, click "switch to query view". (3) In query page, select search by "Signature Search by Attributes" + Type file "IM + P2P" and click apply. (4) In the search result, we can find P2P signatures only. 19.
NULL when domain name doesn't exist. Device shouldn’t show the Destination IP of the last time ping. Condition: (1) Go to eWC>Network>WAN>General. (2) Enable “Check WAN1 Connectivity”, and let system PING 1.1.1.1 this IP. (3) Log shows ping check fail, Source IP= WAN IP, Destination IP=1.1.1.1 (4) Enable "Check WAN1 Connectivity" and let system PING "www.abcdefg123aabbccdd.com" which doesn't exist. (5) There is log for ping check fail, but, Source IP =WAN IP, Destination IP=1.1.1.
eWC>settings>Send Report to = your mail account (5) Generate some IDP, Anti-Virus and Anti-Spam traffic. (6) Click eWC>Reports>E-mail report>Send Report Now. (7) Open the received E-Mail report on Outlook 2003, you will find the E-Mail report can't display correctly. 26. [BUG FIX] SPR ID: 071212614 Symptom: Device crashes when doing IXIA stress testing. Condition: (1) Doing IXIA stress testing with IDP/AV/AS/CF functionality and device will crash. 27.
3. [ENHANCEMENT] In GUI->WAN->WAN2 page, CDMA system can configure initial string. 4. [ENHANCEMENT] Enhance AV CI commands. 5. [ENHANCEMENT] Upgrade ZyXEL IDP solution. 6. [ENHANCEMENT] Add MAC/IP Binding feature. 7. [ENHANCEMENT] Add profile selection for 3G. (1) "wwan profile" command can be used only when the 3G interface is enabled. (2) User can select which profile setting in 3G card will be used to dial by "wwan profile select [index]".
"AES192", "AES256" items. 14. [ENHANCEMENT] Support Multiple Dynamic DNS. Add 3 new dynamic DNS providers as follows: (1) NO-IP (2) EuroDynDNS (3) RegFish 15. [ENHANCEMENT] Refine GUI layout. (1) eWC>LOGS>Log Settings, add a section for mail schedule. (2) eWC>MAINTENANCE>Diagnostics, add a section for mail schedule. (3) Merge eWC>REPORTS>System & Threat Reports to single item eWC>REPORTS in panel. (4) Refine eWC>REPORTS>E-mail Report layout. (a) Change the wordings in GUI.
18. [FEATURE CHANGE] SPR ID: 070806425 WAS: Some IPSec network policies can be saved even if they conflict with each other. IS: Device will check network policies under two conditions: (1) To save a network policy under static IKE rule --> compare with other network policies under static IKE rules. (2) To save a network policy under dynamic IKE rule --> do not compare it. This network policy will be compared with other network policies under static and dynamic rules during IKE negotiation.
(Bridge mode) PC----- (LAN) ZyWALL_A (WAN) ----ZyWALL_B----Internet PC: 10.0.0.34 ZyWALL_A: 192.168.10.40 ZyWALL_B (LAN): 10.0.0.1, ip alias: 192.168.10.1 (1) Enable Collect Statistics of ZyWALL_A under system reports. (2) PC visits a web page on the internet. (3) We can’t see the statistics of host IP reports in ZyWALL_A. 24. [BUG FIX] SPR ID: 071107525 Symptom: The 3G Service Provider is "Unknown". Condition: (1) Insert AC850 and enable 3G. (2) The Service Provider is often "Unknown".
(3) It shows "bwengine on". 29. [BUG FIX] SPR ID: 071023274 Symptom: In eWC>Reports, device cannot show IDP statistics correctly by Signature Name. Condition: (1) Make sure IDP can work and get the latest signature from internet. (2) In eWC>REPORTS>IDP page, enable IDP statistics. (3) Activate some IM login attempts (QQ, MSN) and PA signatures (signature name: ASCII-ENCODING & MULTI-SLASH-ENCODING). Test with QQ, MSN and BT and ensure the PA signature hits.
(3) Then the WAN2 IP address will be lost and must be renewed to get the IP address. 34. [BUG FIX] SPR ID: 071017898 Symptom: Cannot find IM signatures through Attack type IM in eWC>SECURITY>IDP>Signature. Condition: (1) Register UTM service from eWC>REGISTRATION>Registration. (2) Update signatures from eWC>SECURITY>IDP>Update. (3) Go to eWC>SECURITY>IDP>Signature, select attack type IM, but no IM signatures found. 35.
Call from P2002B to P2002A, SIP rule's bandwidth can’t be protected. 37. [BUG FIX] SPR ID: 070824666 Symptom: PPP compression can't work on 3G WAN2. Condition: (1) In Russia, we can't remote manage the ZyWALL via 3G WAN2. (2) After verification, the compressed packet can't be handled. 38. [BUG FIX] SPR ID: 070928582 Symptom: Device fails to register to Vantage server with CNM 3DES encryption key, when key is set via device's GUI.
(3) If you add a policy (policy name: aaa) and repeat step 2 again, it works. (4) Add another policy again (policy name: bbb) and save it. (5) Disable policy aaa and test the unrated functionality for policy bbb. It will fail. 3. [BUG FIX] SPR ID: 070914803 Symptom: Policy route doesn’t work correctly. Conditions: (LAN: 192.168.1.1) (192.168.1.33) ZW_A -------Switch--------PC_A |----(WAN: 192.168.2.33) ZW_B (LAN: 192.168.10.1) -----PC_B (192.168.10.
Symptom: Device hangs when input command "ip cf ob add trust aa.aa". Conditions: (1) Input command "ip cf ob add trust aa.aa" in SMT 24.8 and device hangs. 8. [BUG FIX] SPR ID: 070926450 Symptom: Device cannot receive any packet after several days. Conditions: (1) Restore default romfile. (2) Do not put any host in private network (LAN/DMZ/WLAN) and make sure device can access internet. (3) After a few days, device cannot receive packets any more. 9.
(9) The 3G can’t be dialed anymore and console shows “Dial Fail ***3G budget is overed.” Modifications in V 4.03(XD.0)b3 | 10/02/2007 1. [ENHANCEMENT] Add Vantage CNM device agent – 2.1.6(XD.0) which supports Vantage CNM server – version 3.0.00.61.00. 2. [BUG FIX] SPR ID: 070924386 Symptom: CF schedule works abnormally. Condition: (1) Enable CF. In CF>Object, add a Forbidden Website www.google.com. (2) Add a new policy, set IP group as “Any” and add “www.google.com” to Forbidden website.
(10) 3G works only for WAN2. (11) Support Sierra Wireless AirCard AC875, Huawei E612 / E620 for HSDPA. (12) Support Sierra Wireless AirCard AC595 for EVDO. (13) Support SIM authentication / management on GUI (AC875/AC850/E612/E620) (14) Support 3G card lock status checking / unlock / activation status checking on GUI (AC595) (15) Support Network Type Selection on GUI. (AC875/ AC850) (16) Support manual/auto Service Provider Selection on GUI.
17. [FEATURE CHANGE] Add switch on/off user configuration into CF report service. The CLI command is: For projects that have multi profile: "ip cf externalDB enableLog [on |off]" For projects that do not have multi profile: "ip urlfilter webControl enableLog [on |off]" 18.
(3) SIP connection can be built successfully with Customer's SIP server. (4) But SIP Traffic can't be monitored. 22. [ENHANCEMENT] Add new 3G card support for Option Globe Trotter HSDPA 7.2. 23. [BUG FIX] SPR ID: 070614811 Symptom: Some formats of logs should be consistent.
Symptom: We can't change the default route on ZyWALL. Condition: (1) Use CI command "ip route status" to make sure default route of WAN1 or WAN2 exists in current route table. (2) Use CI command "ip route drop default" to delete default WAN1 or WAN2 route. (3) We can't delete the default route. 26. [BUG FIX] SPR ID: 070621307, 070621308 Symptom: DHCP has multiple entries for the same PC. Condition: (1) Set a PC to DHCP using the default config - PC will have 192.168.1.
DDNS Log is not readable. Was: DNS update IP:138.188.40.255 (host 1) successfully Is: Update domain name zywall2wg.dyndns.org with IP:138.188.40.255 successfully|DDNS Was: DDNS update error: The hostname specified does not exist.| Code: nohost Is: Update error: The hostname specified does not exist. |DDNS 30. [BUG FIX] SPR ID: 070425178, 070425177 Symptom: The direction message of AS log was truncated. Condition: (1) Enable Anti-Spam. (2) Enable External DB and set "Threshold" as 0.
Symptom: The tunnel can be built, but PC can't ping peer via the tunnel in NAT over IPSec test case. Topology: (192.168.3.33)pc1---zw5----zw70---pc2(192.168.1.33) Condition: (1) In zw70, set a network policy: One-to-One, Private IP=192.168.1.33, Virtual IP=192.168.101.33, Remote IP=192.168.3.33 (Single). (2) In zw5, Local IP=192.168.3.33 (Single), Remote IP=192.168.101.33 (Single). (3) The pc1 and pc2 can ping each other and the tunnel was built successfully.
Condition: (1) Enable AV and POP3 all directions. (2) Send a mail and attach 3 infected files from LAN to WAN. (3) LAN PC receives the mail from WAN to LAN. (4) Two files disappear. (5) SMTP also has the same issue. 41. [BUG FIX] SPR ID: 070510451 Symptom: System reboot without information. Condition: (1) Reset to Default ROM file. (2) Enable ALG H.323. (3) Edit web eWC/Firewall/Service, add a custom service rule, Service Name=UDP_100, Port Range=from 100 to 100.
45. [BUG FIX] SPR ID: 070514624, 070503096 Symptom: It takes a long time to initialize 3G when using AC850 (about 40 seconds). Condition: (1) Insert AC850 3G card, reboot device. (2) Configure 3G parameters in eWC>WAN>WAN2. (3) Reboot device, it takes about 40 seconds to initialize 3G. 46. [BUG FIX] SPR ID: 070514626 Symptom: Audio cannot be passed from WAN to LAN by netmeeting. Condition: (1) Enable all ALG functions. (2) PC in LAN side makes a call to PC in WAN side by netmeeting.
(4) Forbidden web site and Keyword blocking also have this issue. 51. [BUG FIX] SPR ID: 070522106, 070522107, 070522108 Symptom: 3G connection cannot be dropped successfully. Condition: (1) Insert Huawei E612 or E620 or Sierra Wireless AC595. (2) Configure 3G parameters and dial up connection. (3) In eWC>HOME, press "Drop" for WAN2 (3G) connection. (4) Connection cannot be dropped. WAN2 status keeps cycling down -> init -> down -> init .... 52.
(1) Go to Content Filter>Customize, create 3 items for Keyword/Forbidden/Keyword. (2) Delete all the items you just added, you will see "Cannot delete this xxx, it is used by profile(s)", but it has never been referenced. 58. [BUG FIX] SPR ID: 070525357 Symptom: Can't insert item after deleting some items from Trusted/Forbidden/Keyword in Content Filter>Customization. Condition: (1) Add 3 items with Trusted/Forbidden/Keyword.
64. [BUG FIX] SPR ID: 070528395 Symptom: Budget control upload cannot work when using AC850 3G card! Condition: (1) Insert AC850 3G card to device. (2) Power on device. (3) Go to eWC>WAN>WAN2 page, configure 3G with “Enable Budget control” “Enable data budget”, choose "Upload" packet direction and save it. (4) PC in LAN accesses internet through 3G, you can see remaining data budget does not decrease at home page of 3G status window. 65.
"hide detail...". It will not be changed by refreshing page manually or automatically. 70. [BUG FIX] SPR ID: 070531647 Symptom: DDNS function has a problem. Condition: (1) Edit web> WAN> General, enable Active/Active, Load Balancing Algorithm= None. (2) Edit web> WAN> WAN 1, set to PPPoE mode (3) Edit web> WAN> WAN 2, APN= internet, PIN= 0000, Phone number= *99# (4) Edit web> ADVANCED> DNS> DDNS, active DDNS, set testzywall_1.dyndns.org for WAN 1 and disable HA, set testzywall_2.dyndns.
(1) Enable wireless card and notebook gets IP. (2) In eWC-->LOGS you can see notebook's MAC address in "Note" and the MAC format is different from other places. 76. [ENHANCEMENT] When the SW595 card is in the dormant state and the ZyWALL can't send out packets, the device will guide users to reboot the device to re-init the SW595 card. 77. [BUG FIX] SPR ID: 070515744 Symptom: Remove redundant message in console.
82. [BUG FIX] SPR ID: 070517903, 061024791 Symptom: The status of 3G card is "LCP Up" and can’t be dialed anymore. Condition: (1) Connect WAN1 to internet, assign static IP to WAN1. (2) Configure 3G (WAN2), enable nail up. Make sure 3G can be dialed successfully. (3) In WAN>General page, try to change the metric of WAN2 from 1 to 2 and change the metric of WAN1 from 2 to 1. (4) Wait a while.
Condition: DUT1<------------->DUT2 (Initiator1) | |------>Software VPN client (Initiator2) Responder DUT1: (1) Edit eWC/VPN, edit IKE proposal=Main, DES, MD5, DH1, My Address=192.168.11.96, Remote gateway Address=0.0.0.0 -IPSec: ESP, DES, SHA-1, Local address is LAN subnet (192.168.1.0/255.255.255.0) (2) Edit eWC/VPN/Global setting, edit Output idle timer=120sec. Initiator1: DUT2: (1) Edit eWC/VPN, edit IKE proposal=Main, DES, MD5, DH1, Remote gateway Address=192.168.11.
(2) Use Firefox to open eWC>HOME. (3) In 3G WAN Interface Status, you will see 3G Card ESN information is disordered. 93. [BUG FIX] SPR ID: 070607368 Symptom: DMZ can get IP even when the firewall DMZ>DMZ is blocked. Condition: (1) Restore default romfile. (2) Set port 4 as DMZ. (3) Setup DMZ DHCP server. (4) Try to get IP with DMZ port and it works. But with firewall default setting, the DMZ > DMZ is blocked and PC should not get the IP from DMZ. 94.
(3) Go to other page, and back to this page, you will see initial string as "at+cgdcont=1,"IP","internetuot;&q". 98. [BUG FIX] SPR ID: 070420880 Symptom: DUT doesn't show error message when Firewall ACL Buffer is full. Condition: (1) Create many firewall rules and make the firewall rule storage space to 99%. (2) Edit eWC-> Firewall->Rule Summary, Insert a rule for LAN to LAN and apply. (3) You can find that we can't save the rule.
IS: Agent will read and write Content Filter configurations from the new ACL data structure directly. 104. [BUG FIX] SPR ID: 070605181 Symptom: On Content Filter/Customization page, Web sites can’t be sorted. Condition: (1) Add “a1”, “a6” in trusted web site list and press ‘Apply’. (2) Add “a3” in trusted web site list and press ‘Apply’. (3) Refresh the page and the trusted web site will list “a1”, “a6”, “a3” not “a1”, “a3”, “a6”. 105.
Symptom: ZyWALL cannot trigger traffic redirect. Condition: (1) Enable 3G. (2) Enable Traffic Redirect to another Router on LAN. (3) Disable 3G on WAN2 GUI. (4) Try to send traffic to Traffic Redirect Router and it will fail. (5) You can check the 3G routing metric is 2 by CLI command "ip route status" (6) and all packets will go out via 3G. 112. [BUG FIX] SPR ID: 070612685 Symptom: CPU utilization reaches 100%. Condition: (1) Set a PC (called PC-A) as syslog server in LAN side.
(3) Device should prevent dialing in "Limited Service" state. 118. [BUG FIX] SPR ID: 070626599, 070626585 Symptom: Device crashes when changing NAT to full feature with SMT. Condition: (1) Input “sys rn lo 2” “sys rn nat full_feature” “sys rn sa” (2) Device crashes. 119. [FEATURE CHANGE] Was: The vendor ID of CF external query is "unique license key". Is: The vendor ID of CF external query is ZYX+LAN MAC. 120.
CI command: "sys sw850 resetCard" 124. [BUG FIX] SPR ID: 070703106, 070704186 Symptom: CF still blocks website even when the time is not in the schedule of profile. Condition: (1) Reset romfile and enable the CF service. (2) In default profile, enable the "ActiveX" and save it. (3) In default profile, set the schedule with "everyday from" and make sure the time will "not" match. (4) Visit http://dob.tnc.edu.tw/, and select ActiveX, you will see the block message and there is a log. 125.
(2) Set port 4 as WLAN. (3) Setup WLAN alias 1 as 192.168.103.1. (4) Put PC in port 4 and set IP as 192.168.103.33. (5) Ping "192.168.103.1" or "168.95.1.1" will always fail. 131. [BUG FIX] SPR: 070724579 Symptom: IDP protection over Custom App port failed. Condition: (1) ZyWALL reset to default romfile. (2) Edit web eWC/IDP/General, Enable Intrusion Detection and Prevention = enable, LAN to WAN=active.
WAS: Device always bypasses Vantage CNM UDP port (1864, 1865) when the device activates Vantage CNM agent. IS: User needs to specify the correct firewall rule to control the Vantage CNM UDP packets. 136. [BUG FIX] SPR: 070628802 Symptom: The Diagnostic report displayed on console was not complete. Condition: (1) Go to eWC>MAINTENANCE>Diagnosis. (2) Enable Diagnosis and Display on Console = enable. (3) Configure the email settings and save.
(3) Press "Apply" and check device error log "sys log errlog display"; sometimes it displays “write CF_ACL_buffer fail”. 143. [ENHANCEMENT] 3G card must configure APN or initial string for GSM system. 144. [ENHANCEMENT] Add "network selection" support for "Option GT HSDPA 7.2 READY 3G" card. You can configure it in: (1) eWC->NETWORK->WAN->WAN2. (2) CLI: wwan card serviceProvider change. 145. [BUG FIX] SPR: 070718984 Symptom: Wrong prompted parameter range for Firewall CLI command.
152. [BUG FIX] SPR ID: 070702057
Symptom: Device crashed after reset to default romfile.
Condition:
(1) Before powering on the device, plug in the 3G card (Huawei E612 or Sierra875).
(2) After resetting to default configuration, access GUI via http://192.168.1.1 from LAN interface.
(3) Device crashed.
(4) Both Huawei E612 and Sierra875 have this symptom.
153. [BUG FIX] SPR ID: 070709324
Symptom: It will take about 1 minute when saving the settings in eWC->Network->WAN->WAN2.
(3) Then disable budget control and save configuration.
(4) Then save the WAN2 page again; you will see a budget reset log, which is not reasonable since budget control has been disabled.
158. [ENHANCEMENT] Change the wording in home page.
WAS: Disable (collect statistics)
IS: Disabled (collect statistics)
159. [BUG FIX] SPR ID: 070911459
Symptom: CI command "ip arp force on" does not take effect on WAN 2.
Condition:
(1) Let WAN 1/WAN 2 be active and have traffic on them.
IS: Find the policy for which the IP is matched and the time is in schedule too.
167. [BUG FIX] SPR: 070704151
Symptom: In eWC-->Content Filtering-->Edit Policy, "Address Setup" behavior is not correct.
Conditions:
(1) Go to eWC-->Content Filtering-->Policy, create a new policy.
(2) In "Address Setup", choose address type as "Subnet Address", and input 0.0.0.0 in "Start IP Address" and "Subnet Mask".
Conditions: After some traffic passes through ZyWALL, it crashes.
163. [BUG FIX] SPR ID: 070917931, 070917932
Symptom: The 3G Service Provider is "Unknown".
Condition:
(1) Insert AC850 and enable 3G.
(2) The Service Provider is often "Unknown".
164. [ENHANCEMENT] Update CF wording.
(1) Change wording. ("profile" ==> "policy")
(2) The CF default policy can be edited.
Modifications in V 4.03(XD.0)b1 | 05/04/2007
40.
CI command:
(1) "ls hostBase enable" to enable or disable the feature.
(2) "ls hostBase timeout" to set the timeout value.
46. [ENHANCEMENT] Add 5 private SNMP traps for ZyWALL.
(1) WAN interface down.
(2) WAN IP changes to x.x.x.x.
(3) CPU load reaches 100%.
(4) ZyWALL switches to Dial Backup.
(5) NAT table is full.
47. [ENHANCEMENT] Support IXP425 B1 version CPU.
WAS: Support IXP425 A0/B0 version CPU.
IS: Support IXP425 A0/B0/B1 version CPU
48.
size for the software based IDP/AV.
53. [ENHANCEMENT] SPR ID: 060815905, 050414612
We changed the ZyWALL break mechanism for infected files. In the previous mechanism, the ZyWALL just broke the first infected file packet and stopped tracking the file session. The old mechanism has better performance, but there is a risk that it cannot break a file with more than one virus. Now the ZyWALL breaks the first infected file packet and the following file packet as well.
sysFlashUsage.0=3 sysRAMUsage.0=30 sysSessionUsage.0=0
(3) You will find that the format and content shown in eWC>>Home is different from SNMP management software.
59. [BUG FIX] ITS#: 14936
Symptom: A URL request such as "http://www.host:80" cannot pass through the content filter trusted web site list.
Condition:
(1) Enable content filter and website customization.
(2) Disable all web traffic except for trusted Web sites.
(3) Add the website "http://www.sina.
| | PC2
VPN1: ZyWALL35B builds a VPN with ZW35A
VPN2: ZW5 builds a VPN with ZW35A
(1) Build the VPN1 and ping PC1 from PC2.
(2) Build VPN2.
(3) There will be a large delay in the ping.
63. [BUG FIX] SPR ID: 060627810
Symptom: If the encapsulation type of WAN interface is PPPoE/PPTP, the conflict check will fail when configuring LAN/DMZ/WLAN interface IP.
Condition:
(1) Set WAN encapsulation as PPPoE/PPTP, and make sure the device can get the IP correctly.
PPPoE.
Condition:
(1) Set the WAN encapsulation as PPPoE.
(2) In SMT 24.8, enable the ping check feature by "sys rn pingcheck 1".
(3) After the device gets an IP address and can access the WAN side host, a PC on the LAN side pings an Internet host continuously.
(4) In eWC->Home, click "Drop" button to drop the PPPoE connection.
(5) In the PC, you will see the ping program showing the message "Reply from xxxx: Destination host unreachable".
(6) In SMT 24.
(5) ZWP1 always reconnects the tunnel between zw35 and zw70.
71. [BUG FIX] SPR ID: 060731994, 060731995
Symptom: Policy route fails in a special topology.
Condition:
Topology: ZyWALL 70 || PC1(192.168.1.33)-----(SWITCH)-----(192.168.2.33)ZyWALL 35(192.168.10.1)-----PC2(192.168.10.33)
(1) The device under test is ZyWALL 70, the LAN subnet is 192.168.1.x with a LAN IP alias 192.168.2.x.
(2) In ZyWALL 70, there is a policy route rule that will redirect the range 192.168.10.1-192.168.10.
(5) Keep attacking and reboot the device.
(6) Check the centralized log; there will be lots of "Common TOS double free" logs.
75. [BUG FIX] SPR ID: 060926698
Symptom: The default route learning from LAN side router cannot work.
Condition:
Topology: PC------(192.168.1.1)DUT(WAN) | ---(192.168.1.100)Router(WAN)----- (Internet)
(1) Disconnect WAN cable of DUT, and connect WAN cable of router.
(2) DUT and router restore default romfile.
(3) Change router's LAN IP as "192.168.1.
2. Please refer to the rom-file.
(2) If PC1 received several mails through AS function, there is a mail stuck.
(3) If we set nothing in X-Header field, the AS functions properly.
(4) We found the frequency of stuck mail is dependent on the spam score. An inverse proportion.
[BUG FIX] 070212081
Symptom: LAN PC cannot use all services (http; https; telnet; ssh; ftp) with WAN IP.
Condition:
(1) DUT WAN gets an IP.
(2) When a PC on the LAN accesses the DUT's HTTP service through the WAN IP, it will fail.
Condition:
(1) PC on LAN, mail server on DMZ.
(2) DUT is SUA only and forwards 25 and 110 to DMZ mail server.
(3) PC uses Outlook Express to send mail one by one, one mail per session; after 20 mails, DUT mail session is 20.
Modifications in V4.02(XD.0)b4 | 12/22/2006
1. [BUG FIX] 061113707
Symptom: Content Filter Trust website behavior is not correct.
Condition: Content filter trusted web will be blocked when selecting "Don't block Java/ActiveX/Cookies/Web proxy to trusted Web sites."
2.
7. [BUG FIX] 061102070
Symptom: Client cannot get IP from DHCP Server even if the pool is not full.
Condition:
(1) Limit the number of LAN DHCP Server pool to 2.
(2) Connect 2 PCs to the ZyWALL LAN, both are DHCP clients. Both get one IP from the ZyWALL DHCP Server.
(3) Power cycle the ZyWALL.
(4) Release the IP from one of the PCs.
(5) Connect another PC to ZyWALL.
(6) The third PC cannot get IP from the ZyWALL DHCP Server.
8.
(5) Access http://www.tcc.net.tw
(6) Check log OK.
(7) eWC> Content Filter> Categories, unblock when Matched Web Pages.
(8) Access http://www.tcc.net.tw again.
(9) The log should display "www.tcc.net.tw: Business/Economy(cache hit)|WEB FORWARD", not "207.226.177.50(cache hit)|WEB FORWARD".
14. [BUG FIX] 061122298
Symptom: AV cannot detect EiCar.
Condition:
Topology: PC1 --- [LAN]DUT[WAN/Public IP] --- CHT ISP
(1) Restore default romfile.
(2) Register DUT AV function.
(4) Go to eWC>ANTI-SPAM>External DB page, enable External Database, set Threshold= 0.
(5) Send a large mail (> 20K) from LAN to WAN, the device will lose mbuf.
20. [BUG FIX] 061206370
Symptom: In ZW2WG, a beta user responds that we should show the web block count on Home page.
Condition:
(1) The user has registered and activated the CF service.
(2) But in eWC>Home>Security Services, the "Web Site Blocked" is always shown as "Not Supported".
21.
(1) WAN>Active/Passive Mode
(2) Edit web eWC/WAN2
- APN=internet or vibo
- PIN=0000 or 1234
- Phone number=*99#
- Enable Nailed-Up
(3) Configure device using WAN1 interface.
(4) Each time you click the HOME page, the log will show "3G signal strength is refreshed (58%)."
(5) CLI>sys cpu display, sometimes CPU loading will be up to 100%.
Modifications in V4.02(XD.0)b3 | 11/14/2006
1. [BUG FIX] 061025917
Symptom: Content filter log is not correct.
IP=192.168.1.33, Global Start IP=192.168.10.33
(2) Click "Apply" button, "Local End IP" value will be shown as "90.x.x.x".
7. [BUG FIX] 061026934
Symptom: VPN aggressive mode doesn’t work.
Condition: VPN aggressive mode tunnel cannot be dialed successfully.
8. [BUG FIX] 061027997
Symptom: AS doesn’t work via VPN tunnel.
Condition: Enable AS, mail client will time out via VPN tunnel.
9. [BUG FIX] 061027067
Symptom: Device crashes.
Address=0.0.0.0
ZW70(Branch)
(1) Edit web eWC/VPN, add gateway policy, Name=IKE1, Remote Gateway Address=DUT1 WAN IP address, Pre-Shared Key=12345678
(2) Edit web eWC/VPN, add network policy for IKE1, Active=enable, Name=IPSec1, Local Address Type=Subnet, Local Network/Starting IP Address=192.168.2.0, Local Network/End IP Address=255.255.255.0, Remote Address Type=Single, Remote Network/Starting IP Address=0.0.0.0.
PC can not access http://dob.tnc.edu.tw/themes/old/showPage.
6. [BUG FIX]
Symptom: ZyWALL 5 WAN fixed 100/full negotiation fails against Cisco 3550/2900.
Condition:
(1) Configure Cisco 3550/2900 port to fixed 100/full.
(2) Configure ZyWALL 5 WAN to fixed 100/full.
(3) ZyWALL 5 WAN cannot sync up; remains down.
7. [BUG FIX]
Symptom: The DHCP table shows incorrect information.
Condition:
(1) Set the ZyWALL's DHCP IP Pool Starting Address to 192.168.102.146.
(2) Add a DHCP static IP 192.168.102.22 for a PC on the LAN.
(3) Block LAN to LAN packet from Firewall.
(4) Make LAN to LAN heavy traffic.
12. [BUG FIX]
Symptom: Trace route fails to get response from our device.
Condition:
Topology: PC-----(LAN)ZW70(WAN)
(1) On PC, try trace route to a host (www.yahoo.com).
(2) Trace route cannot get response from our device.
13. [BUG FIX]
Symptom: Device crashes (software watchdog wakes up by NAT).
Condition:
(1) Restore default romfile.
(2) After a while, the device will crash sometimes.
14.
Symptom: Uploading firmware by eWC will cause CPU load 100%.
Condition:
(1) Using GUI to upload firmware will cause CPU 100%.
(2) It will be successful, but needs more than 1 minute.
4. [BUG FIX]
Symptom: There should be a progress page when uploading F/W by eWC.
Condition:
(1) Go to eWC>Maintenance to upload F/W.
(2) ZyWALL should show a progress page, but it does not.
(3) ZyWALL should display login page after reboot, but it does not.
Modifications in V4.01(XD.0)b3 | 06/25/2006
1.
(6) Device will crash immediately.
9. [BUG FIX]
Symptom: ZyWALL WLAN & DMZ ports cannot work in dynamic VLAN ports.
Condition:
(1) Restore default romfile.
(2) Set Port Roles as 1>LAN, 2>LAN, 3>DMZ, 4>WLAN.
(3) Set DMZ IP as 10.10.2.1/24, DHCP as None.
(4) Set Wireless Card bridge to WLAN.
(5) Unplug wireless card and reboot device.
(6) PC connects to DMZ port, IP is 10.10.2.100/24 and gateway is 10.10.2.1, and the PC's ping to 10.10.2.1 will fail.
10.
server list.
(3) The ZyWALL will always use one of the built-in time servers to adjust time daily, but the ZyWALL should use the user-configured time server to do daily time adjustment.
15. [BUG FIX]
Symptom: The IDP should work when the traffic is "from VPN to LAN".
Condition:
Topology: PCB-------ZYWALL----tunnel-----ZYWALL--------PCA
(1) Build a tunnel between PCA and PCB.
(2) Enable IDP and check the direction of "From VPN to LAN" and download a file "eicar.com" by HTTP.
Change wording of one category name in external content filtering.
Was: Streaming Media/MP3
Is: Streaming Media/MP3/P2P
3. [FEATURE CHANGE]
WAS: In SMT 24.8, "ipsec adjTcpMss auto" will let the "IPSec adjust TCP MSS" switch to auto mode.
IS: "ipsec adjTcpMss 0" will change to auto mode.
4. [ENHANCEMENT]
(1) System Resources:
1. Some memory, which is used by running features and system process, has gone from the system resource bar. Add back this part of memory in the bar.
2.
6. [ENHANCEMENT] Change the Anti-Spam wording in log.
WAS: "Mail Parser buffer is overflow!"
IS: "AS checking bypassed as a mail header line exceeds 1024 characters!"
7. [ENHANCEMENT]
(1) Remove the eWC check box: Enable Firewall for VPN traffic.
(2) Remove CI command "ipsec swFwScan on|off".
8. [BUG FIX]
Symptom: Device crashes when sending a large number of mails.
Condition:
(1) Enable Anti-SPAM and external database.
(2) Enable Bandwidth management in WAN and DMZ.
(1) Go to "eWC->ANTI-VIRUS->General".
(2) The wording "POP3 (TCP/UDP 110)" should be "POP3 (TCP 110)"
(3) The wording "SMTP (TCP/UDP 25)" should be "POP3 (TCP 25)"
[BUG FIX]
Symptom: The device can’t enable multiple proposals in IKE rule.
Condition:
(1) Add an IKE rule using "Preshare key" as authentication type.
(2) Add another IKE rule using "Certificate" as authentication type, different preshare key and enable the multiple proposals.
Local ID: Type=DNS Content = a.a.a.a
Peer ID: Type=DNS Content = b.b.b.b
IPSEC: Local=Single 3.3.3.3, Remote=Single 4.4.4.4
2. Rule two:
IKE: Dynamic rule, enable XAUTH and set as server mode.
Local ID: Type=DNS Content = d.c.b.a
Peer ID: Type=DNS Content = a.b.c.d
IPSEC Policy: Local=Single 1.1.1.1, Remote=Single 2.2.2.2
(3) Dial VPN tunnel from Bridge_A to Bridge_B; the VPN tunnel will fail to build up due to phase one ID mismatch.
16.
(4) Disable Firewall.
(5) PC1 ftp to PC2, and then PC2 ftp to PC1.
(6) PC2 disconnects the ftp session and then its reconnection to PC1 will fail, while the PC1 ftp session is still connected.
[BUG FIX]
Symptom: GUI pops up a JavaScript error in eWC>NAT>NAT Overview.
Condition:
(1) Go to eWC>NAT>NAT, change Max concurrent session per host to 500 and press key "Enter".
(2) ZyWALL pops up a JavaScript error.
(3) The status bar shows "spSave () fail with Error -6103".
Global Start IP= 4.4.4.4 Global End IP= 5.5.5.5
(3) Click "Apply" button, then ZyWALL crashes.
[BUG FIX]
Symptom: After changing WAN IP in GUI, the "Private" option in SMT11.1->Edit IP will be set as "NO".
Condition:
(1) Go to SMT11.1, configure Encapsulation as "PPPoE" or "PPTP".
(2) Go to SMT11.1->Edit IP, change "Private" to "Yes".
(3) Go to eWC->WAN->WAN1, set IP as static IP address.
(4) Go to SMT11.1->Edit IP, the value of "Private" will become "No".
IKE: Static rule, enable XAUTH and set as client mode.
IPSEC Policy: Local=Single 1.1.1.1, Remote=Single 2.2.2.2
(2) On Bridge_B, add two VPN rules:
1. Rule one:
IKE: Static rule, enable XAUTH and set as server mode.
IPSEC: Local=Single 3.3.3.3, Remote=Single 4.4.4.4
2. Rule two:
IKE: Dynamic rule. XAUTH is disabled.
IPSEC Policy: Local=Single 1.1.1.1, Remote=Single 2.2.2.
addresses. Usage of CLI command: ipsec build in which
[ENHANCEMENT] Add direction matrix setting in Firewall/AV/AS/IDP.
[ENHANCEMENT] Change weighting of Anti SPAM servers based on average time and fail rate.
[ENHANCEMENT]
(1) Add CI command to see the runtime data for AntiSpam.
provide different NTP server to clients.
15. [ENHANCEMENT] Device will detect whether Turbo Card is inserted or not to determine the NAT and TOS session number. Without Turbo Card inserted, device will recover NAT and TOS session number to 6000.
Modifications in V4.00(XD.8) | 03/16/2006
Modify for formal release.
Modifications in V 4.00(XD.8)b1 | 03/10/2006
16. [ENHANCEMENT] Support Green Product Turbo Card
17.
Add a CI command "ip arp ackGratuitous" to let ZyWALL support gratuitous ARP requests and update the MAC mapping in the ARP table for the sender of the ARP request. There are two subcommands under "ackGratuitous":
(1) "active [yes|no]": Let ZyWALL accept gratuitous ARP requests.
(2) "forceUpdate [on|off]": If the ZyWALL ARP table already has an ARP entry for the target IP address, the forceUpdate option will update the existing MAC mapping to the new one.
(2) "sys md5 " Input a string, it will output the md5 code.
[ENHANCEMENT] Add CI command "ipsc swSkipPPTP [on/off]" so that the "all traffic pass through VPN tunnel" setting does not apply to PPTP traffic.
5. [ENHANCEMENT] ZyNOS adds device local port conflict protection. ZyWALL will avoid port 1029 as local port.
6. [FEATURE CHANGE]
WAS: The DDNS of ZyWALL will not update IP when the ZyWALL's WAN IP is static.
IKE: Nail-up is ON
Local: Subnet Type 192.168.167.0/24
Peer: Subnet Type 192.168.1.0/24
(2) On ZW70, set a Dynamic VPN rule with policy as below:
Local: Subnet Type 192.168.1.0/24
Peer: Any
(3) PC1 ping ZW B's LAN IP. Ping result is OK.
(4) Reboot ZW A.
(5) Check ZW A eWC SA monitor page, we can see a new VPN tunnel was successfully built up.
(6) PC1 ping ZW B's LAN IP again. Ping fails.
12. [BUG FIX]
Symptom: Anti Spam cannot work in NAT loopback situation.
Modifications in V4.00(XD.4) | 12/15/2005
Modify for formal release.
Modifications in V4.00(XD.4)b1 | 12/13/2005
1. [BUG FIX] 051202307
Symptom: DUT cannot block infected zip file.
Condition:
(1) Use I.E. browser to get http://www.vx.netlux.org.
(2) DUT cannot block the infected zip file whose file extension is not "zip".
2. [BUG FIX] 051208573
Symptom: User updated some version signature, IDP/AV configuration may be lost.
Condition:
(1) If user updated 1.
WAN:10.0.0.3 LAN:192.168.169.0/24
VPN settings:
Branch_A
Local IP address 192.168.167.0/24
Remote IP address 192.168.168.0~192.168.169.255
Headquarter
(1) Local IP address 192.168.168.0~192.168.169.255
Remote IP address 192.168.167.0/24
(2) Local IP address 192.168.167.0~192.168.168.255
Remote IP address 192.168.169.0/24
Branch_B
Local IP address 192.168.169.0/24
Remote IP address 192.168.167.0~192.168.168.255.
different subnet with the mail client.
Condition:
Topology: Mail Server(192.168.12.123/24)---Internet----Device(192.168.11.9/23)----PC(192.168.12.163/24)
(1) Change the device to Bridge Mode, IP = 192.168.11.9, Mask = 255.255.254.0, Gateway = 192.168.10.11, DNS = 168.95.1.1.
(2) Edit web eWC/Anti Spam, Enable Anti Spam = Enable.
(3) Edit web eWC/Anti Spam/External DB Enable, threshold = 0.
(4) PC can't send the mail to MailServer.
PC1----------(LAN)ZW35A(WAN)===Internet===(WAN)ZW35B(LAN)--------PC2
192.168.1.1/24 | 192.168.2.1/24
(1) On ZW35A, set a Static VPN rule with policy as below:
Local: Subnet Type 192.168.1.0/24
Peer: Single Type 0.0.0.0
(2) On ZW35B, set a Dynamic VPN rule with policy as below:
Local: Single Type 0.0.0.0
Peer: Any
(3) Under the setting, we expect all PC1's traffic to PC2 will go through VPN tunnel to ZW35B first then to PC2.
(4) But it doesn't work.
Modifications in V4.00(XD.
6. [BUG FIX] 051018403
Symptom: PPTP (GRE) cannot pass through NAT.
Condition:
PPTP Server(192.168.1.33)--(LAN:192.168.1.1)DUT(WAN:192.168.11.100)--PC(192.168.11.200)
(1) Add PPTP Server(192.168.1.33) as Default Server in Port Forwarding.
(2) Firewall is disabled.
(3) PC(192.168.11.200) cannot dial in PPTP on 192.168.11.100.
7. [BUG FIX] 051014198, 051014199, 051014200
Symptom: When using the registration wizard to enable service, the last page has a wording error.
(4) ZyWALL memory leaks.
5. [BUG FIX] 050922955
Symptom: After updating signature, sometimes the server IP address is incorrect in centralized log.
Condition:
(1) In SMT 24.8, type "sys update signatureUpdate".
(2) After updating signature, type "sys log dis".
(3) Sometimes you can see a signature update log with incorrect server IP "127.0.0.1".
6. [ENHANCEMENT] In eWC->FIREWALL->EDIT RULE page, we added a limit on the number of source IP addresses and destination IP addresses.
DUT2 to DUT1, it should show W to L logs, but it shows W to W logs.
Condition:
PC1-------LAN DUT1 WAN-------PQA LAB-----------WAN DUT2 LAN
(1) Set with CI command "sys romr|y"
(2) Edit web eWC/WAN/WAN1, My WAN IP Address=172.202.77.121, My WAN IP Subnet Mask=255.255.0.0, Gateway IP Address=172.202.77.1
(3) Edit NAT port forwarding default server = 192.168.1.33, then ping from DUT2 to DUT1; it should show W to L logs, but it shows W to W logs.
(2) Change DUT to bridge mode without configuring DNS server.
(3) PC1 on LAN opens a website, and IE shows "block (DNS resolving failed)".
(4) DUT crashed.
Modifications in V4.00(XD.1)b1 | 09/12/2005
1. [ENHANCEMENT] Add CI command "ip urlfiler bypass [LAN/DMZ/WAN] [ON/OFF]" so that traffic matching the LAN->LAN, DMZ->DMZ or WAN->WAN directions can bypass content filtering.
NOTE:
(1) This is a runtime CI command, user can add it into autoexec.net.
(5) ZyWALL sends [HASH][DEL] to 2nd VPN peer only every 2 minutes, which is the output idle time-out timer.
7. [BUG FIX] 050907311
Symptom: Bridge mode VPN can’t work if configured by Wizard.
Condition:
(1) Configure bridge mode VPN with wizard.
(2) Dial VPN rule and it always fails.
8. [BUG FIX] 050907308
Symptom: Device will hang forever when editing firewall custom service.
Condition:
(1) Enable firewall and add custom service, service name=test1, IP protocol=TCP/UDP, port range=2222-2223.
(2) Try (1) more times and sometimes it cannot be resolved.
4. [BUG FIX] 050819842
Symptom: ZyWALL 5 will crash when uploading firmware via GUI.
Condition:
(1) Upload a very large file via GUI.
(2) Device will crash.
5. [BUG FIX] 050823954
Symptom: The IPSec rule swap without configuring ID Content will fail (XAUTH case).
Condition:
(1) Add one static IPSec rule with XAuth (Rule one).
(2) Add one dynamic IPSec rule with XAuth. Keep the "Peer ID Content" and "Local ID Content" unchanged "0.0.0.
(1) Restore default romfile.
(2) Configure the two IPSec rules shown as follows:
Rule A: local: 0.0.0.0 remote: 192.168.3.33
Rule B: local: 192.168.70.94 remote: 192.168.3.33
These two IPSec rules conflict and we should add a check for it.
9. [BUG FIX] 050823946, 050819858, 050820885
Symptom: The UPnP discovery mechanism cannot work normally.
Condition:
(1) Disable the UPnP function.
(2) Reboot device.
(3) Enable the UPnP function.
(4) The XP network place cannot show the UPnP icon.
10.
7. [BUG FIX] 050727161
Symptom: Output idle timer should not be disabled.
Condition: In eWC->VPN->Global Setting page and SMT 24.8, we should not allow users to set output idle timer = 0.
8. [FEATURE CHANGE] In SMT 24.1, Wording change: CARD -> WCRD.
9. [BUG FIX] 050728301, 050728302, 050728303
Symptom: Execute SMT 24.1->Press Command->"9-Reset Counters", device will crash.
Condition:
(1) Insert turbo card.
(2) Execute SMT 24.
second security gateway can't update automatically.
Condition:
PC1 ---- ZW5_1 (wan)----Internet ---- (wan) ZW5_2 ---- PC2
(1) ZW5_1 configuration:
- Set WAN Encapsulation = PPPoE mode.
- Set DDNS & activate it.
- Create 2 IKE & 2 ipsec, both security gateways are IP addresses.
(2) ZW5_2 configuration:
- Set WAN Encapsulation = Ethernet/ Static IP.
- Set DNS server= 168.95.1.1.
- Create 2 IKE & 2 ipsec, both security gateways are domains.
(2) Download signature to device and restart.
(3) In "eWC->IDP->General", enable IDP and activate all interfaces.
(4) In CI command, type
(4.1) idp tune load
(4.2) idp tune con l7Httpasm on
(4.3) idp tune save
(5) In "eWC->Content Filter->General", enable content filter.
(6) In "eWC->Content Filter->Customization", enable customization and add a forbidden web site "www.zyxel.com".
(7) Access http://www.zyxel.com from a LAN PC.
(8) Device crashes.
21.
(2) Enable LOGS->Reports "Collect Statistics" and "Send Raw Traffic Statistics to Syslog Server for Analysis".
(3) A LAN PC uses IE to connect to "www.google.com".
(4) Set "Statistics Report"->"Report type" to Web Site hits, and we cannot find any data.
6. [BUG FIX] 050701007
Symptom: After displaying the log by CI, you will see the logs related to Anti-spam are broken.
Condition:
(1) Enable Anti-Spam and send an email (not spam mail) through the ZyWALL.
(1) In eWC>Firewall>Rule Summary page, click "Insert" button, then click IE "Back" button.
(2) Click "Insert" button again, and set one rule then "Apply".
(3) Rule Summary page has an additional null record rule.
12. [BUG FIX] 050708444, 050708443
Symptom: When IDP/AV service expired, the expiration day is displayed in an incorrect format in eWC/AV/Update page.
Condition:
(1) Device IDP/AV service expired.
(2) The expiration day is displayed in an incorrect format in eWC>IDP and AV>Update.
13.
network status field in SMT menu 24.1 indicates the wireless card status. Wording "WLAN" indicates the WLANZONE channel status.
20. [FEATURE CHANGE] When the device sends registration information to MyZyXEL.com server, the router should send 3 digit country number.
21. [BUG FIX] 050713682
Symptom: The router should filter the country code when it is "0".
Condition:
(1) In SMT 24.8, type "sys myZyxelCom register 123456 123456 1234@1.2.3.4 0" (the country code is 0 which is invalid).
(2) GUI Memory bar will become red when the memory usage percentage is larger than 90%
33. [ENHANCEMENT]
(1) Change signature version format from 001.001 to 1.001 in the eWC->IDP/AV->Update page
(2) After signature updated, GUI shows "Get signature success". It should be "Get signature successfully."
(3) We should provide users hidden CI commands for clearing signature files. These CI commands are "idp/av clearAllSig".
36. [ENHANCEMENT] Add centralized logs for signature updating events and errors.
37. [ENHANCEMENT] Add a centralized log when WAN ping check fails.
38. [FEATURE CHANGE] Change signature numbers displayed in "eWC->IDP->Signature" page.
39. [ENHANCEMENT] Display IDP action in centralized log.
40. [BUG FIX] 050715787, 050715788, 050715789.
Symptom: In eWC "HOME" page, "System Time" display error.
Condition:
(1) Go to eWC>HOME Page.
2. [ENHANCEMENT] Support small font size on ZyWALL GUI.
3. [ENHANCEMENT] Replace the Cerberian logo by Blue Coat in Content Filter blocked page.
4. [ENHANCEMENT] Support Turbo Card (external IDP/AV signature search accelerator)
5. [ENHANCEMENT] Add ARP probe for DHCP server.
(1) Change probe type by CI command "sys probeType [icmp | arp]".
(2) Default type is "ICMP".
(3) ARP probe only works when you use arp probe type and dhcp mode should be "Server".
17. [ENHANCEMENT] Add sequence number and SPI in log for ESP / AH packets.
18. [ENHANCEMENT] DHCP log shows the hostname.
19. [ENHANCEMENT] Add VPN over Bridge feature.
20. [ENHANCEMENT] Add MyZyxel.Com and Registration features.
21. [ENHANCEMENT] Add Firewall Custom Service enhancements. Modifications are listed below:
(1) Allow user to configure ICMP type and code in Firewall ACL.
(2) Allow user to configure IP protocol in Firewall ACL.
(3) Add "Any IP Protocol" in default service.
to have a rule check after users click "Apply" button. It reduces the refresh time and it is more convenient for the users.
27. [ENHANCEMENT]
(1) Enhance WLAN to be an independent interface so that traffic passing through WLAN can be handled by firewall.
(2) WLAN can be bound to LAN or DMZ at the user’s choice.
(3) DHCP server can be applied on LAN, DMZ and WLAN.
28. [ENHANCEMENT] In order to solve ZW5 available memory is not enough for 4.
(3) In ZWB, SMT 24.8, type "ipsec sho sa"; the "input idle count" in "INBOUND" will be decreasing, it works correctly.
(4) Now, ping PC2 from PC1 with one packet, then stop the traffic in the tunnel.
(5) In ZWB, SMT 24.8, type "ipsec sho sa"; the "input idle count" in "INBOUND" stays unchanged.
(6) The input idle timeout mechanism will not work anymore.
5. [BUG FIX]
Symptom: Output idle timer doesn’t work correctly.
Modifications in V 3.64(XD.2)b2 | 05/25/2005
1. [BUG FIX] 050414592
Symptom: Dynamic rule with more than two initiators has a problem.
Condition:
1. ZyWALL 5 as responder has one dynamic rule and uses XAUTH.
2. Two initiators (two devices or two vpn clients..).
3. Dial one of them, the packets can be transmitted through the tunnel correctly.
4. Dial the second, only one of them can work correctly.
2. [BUG FIX]
Symptom: Trigger dial fails in dial backup.
Condition:
1.
1. Restore default romfile.
2. WAN is configured as PPTP, and nail-up, and WAN is connected.
3. Configure Dial backup, and is always-on.
4. Unplug the WAN, and WAN is disconnected, and Dial backup is connected.
5. Plug in the WAN line again, and PPTP is connected, get an IP.
6. Go to eWC->DNS->DHCP page, DNS from ISP is none; if PC DNS is ZyWALL, it cannot browse to the internet.
7.
Condition:
1. ZyWALL 5 as responder has one dynamic rule and uses XAUTH.
2. Two initiators (two devices or two vpn clients..).
3. Dial one of them, the packets can be transmitted through the tunnel correctly.
4. Dial the second, only one of them can work correctly.
2. [BUG FIX]
Symptom: Trigger dial fails in dial backup.
Condition:
1. Restore default rom file.
2. Set up dial backup account and phone number, make sure it can work.
3. Put a PC in router's LAN and ping 168.95.1.1 continually.
4. Unplug the WAN, and WAN is disconnected, and Dial backup is connected.
5. Plug in the WAN line again, and PPTP is connected, get an IP.
6. Go to eWC->DNS->DHCP page, DNS from ISP is none; if PC DNS is ZyWALL, it cannot browse to the internet.
7. [BUG FIX] 050502038
Symptom: Daylight Saving problem: Current Time is 2 hours ahead of Taiwan during daylight saving.
Condition:
1. Restore default romfile.
2. Go to eWC->Maintenance->TimeAndDate. and the problem happened only when
3.
IP", Port: 500.
(4) After a period of time, DUT’s LAN & WAN both died so that no traffic can go out.
3. [BUG FIX] 050203206
Symptom: In bridge mode, after the device synchronized with the defined NTP server, the result displayed failed.
Condition:
(1) PC(192.168.1.33) --- DUT(192.168.1.254) --- NAT(192.168.12.106) --Internet.
(2) In eWC/Maintenance/Time and Date, get from Time Server: Time Protocol=NTP (RFC 1305), Time Server Address= a.ntp.alphazed.net, then click "Synchronize Now" button.
P2000W----DUT---Internet---DUT---P2000W
(2) P2000W and P2000W cannot talk to each other in P2P mode.
8. [BUG FIX] 050217478
Symptom: Netbios packet cannot pass through VPN tunnel.
Condition:
(1) Configure a VPN tunnel as follows:
1.1 local subnet mask is 192.168.1.1/255.255.0.0.
1.2 remote subnet mask is 192.169.1.1/255.255.0.0.
1.3 Enable "Netbios pass through" in local and remote gateway.
1.4 PC A(Local)------ZyWALLA------ZyWALLB---PC B(Remote)192.168.1.1/24 192.169.1.
exceeds the max. number of sessions per host, but Max. Concurrent Sessions Per Host (Historical high since last startup: 286) has not reached 300.
[BUG FIX] 050407161
Symptom: PC cannot ping remote secure gateway's LAN IP via VPN tunnel.
Condition:
PC A (1.33) – (1.1)ZW5 --- LAB ---- ZW70 (2.1) ----(2.33) PC B
(1) Add a VPN rule(ZW5), and in IPsec rule Local Network select Subnet Address, Starting IP is 192.168.1.0 / 255.255.255.0.
(1) DOS command "ping 192.168.1.1 -l 2000"
(2) User cannot see "ping of death" consolidation log on eWC/LOGS page
(3) Bridge mode only.
[BUG FIX] 050303203
Symptom: DNS inverse query causes memory leak.
Condition:
(1) Set a PC on the ZyWALL LAN side.
(2) The DNS server of the PC is set to the ZyWALL.
(3) The PC sends DNS inverse queries continually (ex: 140.113.23.1); the system will leak memory.
(4) PC A also can ftp to DMZ ZW10W.
(5) Check Picture [ZW5]Firewall W2D item 3->1
[BUG FIX] 050420986
Symptom: External content filter cannot work.
Condition:
(1) Enable external content filter.
(2) Use external content filter for a long time.
(3) System cannot create sockets anymore and external content filter cannot work.
(4) Use CI command "ip ping 168.95.1.1", there will be a message "Can't create socket" in console.
Modifications in V3.64(XD.0) | 03/04/2005
Modify for formal release.
Modifications in V3.64(XD.0)b4 | 02/23/2005
1. [BUG FIX] Symptom: In PPPoE/PPTP mode, BWM cannot classify FTP, H323 and SIP traffic.
2. [BUG FIX] Symptom: With priority-based Bandwidth Management, FTP transfer speed slows down until the transfer disconnects.
5.
(3) Edit web eWC/VPN, add gateway policy, Name=IKE2, Remote Gateway Address=0.0.0.0, Pre-Shared Key=12345678, Enable Extended Authentication=enable, Client Mode/User Name=dut1, Client Mode/Password=dut1
(4) Edit web eWC/VPN, add gateway policy, Name=IKE3, Remote Gateway Address=0.0.0.0, Pre-Shared Key=12345678, Enable Extended Authentication=enable, Server Mode=enable
(5) Edit web eWC/VPN, add network policy for IKE1, Active=enable, Name=IPSec1, Local Network/Starting IP Address=192.
Modifications in V3.64(XD.0)b2 | 01/31/2005
1. [BUG FIX]
Symptom: The domain name is not checked properly in SMT 1.
Condition:
(1) In SMT 1->Edit Dynamic DNS->Edit Host, fill record 1's "domain name" with "xxx.dyndns.org" and record 2's "domain name" with "xxx.dyndns.org " (the domain name of record 2 contains a space at the end).
(2) The domain name should not contain a space; there should be a filter to check this.
Symptom: The CI command "ip nat service irc" may display a strange Enable state.
Condition:
(1) Execute "ip nat service irc he_is_good".
(2) Execute "ip nat service irc 0".
(3) Execute "ip nat service irc he_is_bad".
After Step 3, you will see a strange Enable state, e.g., "IRC enable = 12".
9. [BUG FIX]
Symptom: The eWC>Firewall>Rule Summary>EDIT RULE page might be corrupted.
Condition:
(1) Go to eWC>Firewall>Rule Summary.
(2) Add or Edit a firewall rule.
16 17 18 19.
Condition:
(1) Use the following topology to test.
WiFi A–(L)ZW35(W)----Internet(SIP server)---(W)ZW5(L)----WiFi B
(2) Reset both ZyWALLs to the default romfile.
(3) In SMT 24.8 CI command, on both devices type "ip alg enable ALG_SIP" to enable SIP ALG.
(4) WiFi A makes a phone call to WiFi B; voice communication works fine.
(5) Terminate the phone call, then WiFi B makes a phone call to WiFi A; voice communication fails.
(6) Fail status: WiFi A can hear voice, but WiFi B can't.
20. 21. 22. 23. inactive. Rule 2 is active and encapsulation is Tunnel.
(3) PC A pings PC B; in SA Monitor, the ZW70 tunnel has been built up but no tunnel is up on the ZW5, and vice versa.
(4) If PC B pings PC A at this time, the tunnel can be built up on both sides and traffic can be transferred.
[BUG FIX]
Symptom: LAN static DHCP can save the same data.
Condition:
(1) Restore default rom file.
(2) In GUI>LAN>Static DHCP, add two records as MAC: 01:01:01:01:01:01, IP: 192.168.1.
24. 25. 26. 27. 28. 29. 30.
(5) However, when out of schedule for about 5 minutes, the device still cannot send traffic out.
[ENHANCEMENT] Add "Session Table is Full!" log message when tos session is full.
[BUG FIX]
Symptom: Wireless CI command "wlan active 100" can be saved. (The value should be 1 or 0.)
Condition:
(1) Plug in B120 and reboot the router.
(2) Use "wlan active 100" and it can be saved.
(3) Go to smt3-5; the router will crash.
31. [BUG FIX]
Symptom: Save a legal VPN gateway policy but the ZyWALL shows an error message.
Condition:
(1) Go to eWC>VPN>GATEWAY POLICY – EDIT
(2) Save a GATEWAY POLICY whose name = GW, My Address = www.abc.com.tw, Remote Gateway Address = www.cde.com.tw and Pre-Shared Key = 12345678
(3) Go to eWC>VPN>NETWORK POLICY - EDIT
(4) Save a NETWORK POLICY whose name = NW, Active = Yes, Starting IP Address = 192.168.1.33, Starting IP Address = 192.168.2.
37. 38. 39. 40.
(4) The same problem occurs when changing the interface from "LAN" to "DMZ" and doing the same action.
[BUG FIX]
Symptom: In bridge mode, SIP traffic cannot be managed by BWM.
Condition: SIP Phone1 ----- (LAN)ZyWALL(WAN) ------ SIP Phone2
(1) Change router to Bridge Mode.
(2) Enable BWM, and add a SIP filter at the WAN interface.
(3) SIP Phone1 calls SIP Phone2.
41. 42. 43. 44. 45. 46. 47.
(4) Set the DUT's system name by SNMP tool "MG-SOFT MIB browser".
(5) There is no response from DMZ anymore.
[BUG FIX]
Symptom: BM filter cannot be deleted via CI command.
Condition:
(1) On eWC->BW MGMT->Class Setup, create 3 classes on the LAN interface. All classes have filter enabled.
(2) Go to SMT 24.
(1) Enable Firewall, set up a WAN2LAN firewall rule for H.323 service.
(2) Enable NAT port forwarding for port 1720 (H.323) to PC 192.168.1.33.
(3) PC1 and PC2 use Netmeeting; PC2 calls PC1.
(4) Netmeeting application traffic will be blocked by Firewall; you will see a lot of Firewall blocked logs in Centralized LOG.
48. [BUG FIX]
Symptom: After the VPN tunnel is established, the user will see DPD packets while traffic can still be transferred through the tunnel.
entry #[number] ?"
7. [ENHANCEMENT] DNS adds CI command "ip dns system cache flush".
8. [ENHANCEMENT] eWC>LOGS>Reports>Report Type>"LAN IP Address" renamed as "Host IP Address".
9. [ENHANCEMENT] In eWC>DNS>System>Address Record, add Wildcard.
10. [ENHANCEMENT] Add length checking of DNS (Peer ID Type) content in VPN.
11.
22. 23. 24. 25. 26. 27. 28. 29. 30. 31. 32. 33. 34. 35.
(2) Add a JavaScript global function to prevent entering any non-numeric character in the specific fields on both IE and Netscape (numbers only).
[ENHANCEMENT] Add a "Log" check box for "VPN connectivity check" in eWC>VPN>NETWORK POLICY>EDIT.
[FEATURE CHANGE] Modify CI command "ip arp add" from hidden to visible.
[ENHANCEMENT] For single WAN, the WAN cannot receive an IP from a DHCP server in the same subnet as other interfaces.
name, the log will show the MAC address instead of nothing.
36. [ENHANCEMENT]
(1) In eWC>CONTENT FILTER>Cache, if users click Action/URL/Remaining Time to sort the cache entries, the page will not jump to the top before it refreshes.
(2) When using Firefox/Netscape in eWC>CONTENT FILTER>Cache, if users click Action/URL/Remaining Time to sort the cache entries, the page will refresh immediately.
37.
Condition:
1. Enable firewall.
2. Display TOS sessions.
3. A lot of long timeout UDP sessions.
4. [BUG FIX]
Symptom: ZyWALL crashes very often in bridge mode.
Condition:
1. Switch to bridge mode.
2. Enable Firewall.
3. ZyWALL crashes very often.
5. [ENHANCEMENT] Enhance the "cnm keepalive" CI command. Add the "cnm keepalive 0" command to stop sending keepalive packets to Vantage.
6. [BUG FIX]
Symptom: FTP from WAN to LAN does not work.
Condition:
1.
1. Create and dial up a VPN tunnel via Vantage.
2. Delete this active rule in Vantage.
3. Vantage server will have an exception.
13. [BUG FIX]
Symptom: eWC will fill the "Connection ID/Name" field with "C:1" when the fetched data is empty.
Condition:
1. In eWC, set "Connection ID/Name" as empty in PPTP mode and apply it.
2. Go to another page and go back to the WAN page; the "Connection ID/Name" field is filled with "C:1" even though the field was set as empty.
Modifications in V3.62(XD.
7. 8. 9. 10. 11. 12. 13.
2). Add a URL to "trusted web sites".
3). In "eWC->CONTENT FILTER->Customization", select "Block Web sites which contain these keywords".
4). In "eWC->CONTENT FILTER->Categories", select the category which the URL belongs to.
5). Access the trusted URL.
6). The URL will not be blocked.
[BUG FIX]
Symptom: System crash by memory leak.
Condition:
1). Enable bandwidth management.
2). Go into eWC->Bandwidth Management->Monitor and wait for a period of time.
3).
14. 15. 16. 17. 18. 19. 20.
Symptom: MSN Messenger's "Ask for Remote Assistance" function causes a system crash.
Condition:
1. Enable UPnP.
2. Set PC(A) and router(B) in the intranet, and connect PC(C) to a LAN port of router(B).
3. Test MSN Messenger's "Ask for Remote Assistance" function from PC(A) to PC(C).
4. After PC(C) accepts the "Ask for Remote Assistance" request from PC(A), the device will crash.
[BUG FIX]
Symptom: System out of memory.
Condition:
1.
21. 22. 23. 24. 25. 26. 27. 28.
Condition:
1. Enter SMT 24.10 and configure the time server.
2. Enable daylight saving, and configure the start time and end time so that the current time is within the daylight saving time.
3. After writing to the rom file, the router asks you to calibrate the system clock; answer yes.
4. If the system failed to connect to the time server, the system time will add one hour; every time you enter SMT 24.1, the system time adds 1 hour automatically.
4. Command for ALG enable/disable and sip timeout.
29. [BUG FIX]
Symptom: Sometimes the ZyWALL reboots by software watchdog.
Condition:
1. Put the ZyWALL on the network for a long time.
2. Sometimes the ZyWALL will reboot by software watchdog.
30. [BUG FIX]
Symptom: XAUTH with rule swap doesn't work.
Condition:
1. In initiator, set up a VPN rule with XAUTH in client mode.
2. In responder, there are three VPN rules:
a. Rule 1 is XAUTH off.
b. Rule 2 is XAUTH with client mode.
c.
(2) Browse eWC->Firewall->Rule Summary
(3) The ZyWALL might crash or hang.
Modifications in V3.62(XD.0)b4 | 04/27/2004
1. [FEATURE CHANGE] Remove Policy Route feature from ZyWALL 5 because Policy Route is not defined in product specification.
2. [FEATURE CHANGE] Maximum concurrent VPN tunnel number is changed from 5 to 10.
3.
kbps and Scheduler = Priority-Based
(2) In eWC->BW MGMT->Class Setup, add two sub-classes under the WAN1 root class, where WAN1-1: Bandwidth Budget = 200, Priority = 7 (higher than WAN1-2), and "Borrow bandwidth from parent class" is selected; WAN1-2: Bandwidth Budget = 500, Priority = 1, and "Borrow bandwidth from parent class" is also selected.
(4) The telnet connection fails.
12. [BUG FIX]
Symptom: System crashes.
Condition: Configuring the device by eWC sometimes causes a crash.
13. [BUG FIX]
Symptom: In bridge mode, at eWC->Bridge, the Bridge IP address settings cannot be saved successfully.
Condition:
(1) Switch the ZyWALL to bridge mode.
(2) Go to eWC->Bridge page.
Condition:
(1) Log in to the ZyWALL eWC, and go to eWC->LAN.
(2) Deliberately configure the LAN IP address as within the WAN subnet.
(3) Click Apply, then the status will show an error message indicating address conflict.
(4) The ZyWALL will then automatically break the current eWC HTTP session. To access the ZyWALL, users have to log in again.
4. [BUG FIX]
Symptom: Router will crash when entering SMT menu 3.5
Condition:
(1) Insert WLAN card.
configuration is not available when the ZyWALL is not a DHCP server for its LAN hosts.
Condition:
(1) Log onto eWC, and go to eWC->LAN. Uncheck the "DHCP Server" option to stop the ZyWALL from being a DHCP server to its LAN hosts.
(2) Go to eWC->HOME->WIZARD->Internet Access. The System DNS Servers configuration is not available in the wizard.
12. [ENHANCEMENT] The ZyWALL 5 Firewall GUI is enhanced as follows.
Modifications in V3.62(XD.0)b1 | 03/11/2004
First Release.
Appendix 1 Remote Management Enhancement (Add SNMP & DNS Control)
New function
(1) You can change the server port.
(2) You can set the security IP address for each type of server.
(3) You can define the rule for server access (WAN only/LAN only, None, ALL).
(4) The secure IP and port of the SNMP server is read only.
(5) The port of the SNMP and DNS server is read only.
(6) The default server access of the SNMP and DNS is ALL.
Appendix 2 Trigger Port
Introduction
Some routers try to get around this "one port per customer" limitation by using "triggered" maps. Triggered maps work by having the router watch outgoing data for a specific port number and protocol. When the router finds a match, it remembers the IP address of the computer that sent the matching data.
internal table for this port. (This behavior is the same as for port forwarding.)
(3) The recorded IP in the internal table will be cleared if machine A disconnects from the sessions that match the "Trigger Port".
Notes
(1) Trigger events can't happen on data coming from outside the firewall because the NAT router's sharing function doesn't work in that direction.
(2) Only one computer can use a port or port range at a time on a given real (ISP assigned) IP address.
Appendix 3 Hard-coded packet filter for "NetBIOS over TCP/IP" (NBT)
The new set of CI commands is under the "sys filter netbios" sub-command. The default value for any direction is "Forward", and trigger dial is "Disabled". There are two CI commands:
(1) "sys filter netbios disp": It will display the current filter mode.
Appendix 4 Traffic Redirect/Static Route Application Note
Why traffic redirect/static route is blocked by ZyWALL
ZyWALL is the ideal secure gateway for all data passing between the Internet and the LAN. For some reasons (load balancing or a backup line), users want traffic to be re-routed to another Internet access device while still being protected by ZyWALL. The network topology is the most important issue.
Figure 4-2 Gateway on alias IP network
(2) Gateway on WAN side
A working topology is suggested as below.
Figure 5-3 Gateway on WAN side

Appendix 5 IPSec FQDN support
ZyWALL A-------------Router C (with NAT) ------------ZyWALL B
(WAN) (WAN) (LAN) (WAN)
If ZyWALL A wants to build a VPN tunnel with ZyWALL B by passing through Router C with NAT, A cannot see B. It has to set its secure gateway as C. However, ZyWALL B will send its packets with its own IP and its ID to ZyWALL A.
Basically the story is the same when the ID type is IP. If the user configures ID content, then ZyWALL will use it as a check, so the ID content also has to match. For example, the ID type and ID content of incoming packets must match "Peer ID Type" and "Peer ID content"; otherwise ZyWALL will reject the connection. However, the user can leave "ID content" blank if the ID type is IP. ZyWALL will put a proper value in it during IKE negotiation.
1. When Local ID Content is blank, which means the user doesn't type anything here, during IKE negotiation my ID content will be "My IP Addr" (if it's not 0.0.0.0) or the local WAN IP.
2. When "Peer ID Content" is not blank, the ID of the incoming packet has to match our setting; otherwise the connection request will be rejected.
3. When "Secure Gateway IP Addr" is 0.0.0.0 and "Peer ID Content" is blank, the system can only check the ID type.
Appendix 8 IPSec IP Overlap Support
[Figure 1. Labels: PCA 1.1.1.33; PCC 1.1.2.250; LAN 1.1.1.0/24; WAN; ZyWALL B; ZyWALL A; LAN 1.1.2.0/28; IP Alias 1.1.2.0/24; PCB 1.1.2.250]
The ZyWALL uses the network policy to decide whether traffic matches a VPN rule. But if the ZyWALL finds traffic whose local address overlaps with the remote address range, it cannot tell whether it needs to trigger the VPN tunnel or just route the packet.
Appendix 9 VPN Local IP Address Limitation
[Figure 1. Labels: PCA 1.1.1.33; PCC 1.1.2.250; LAN 1.1.1.0/24; WAN; ZyWALL B; ZyWALL A; LAN 1.1.2.0/28; IP Alias 1.1.2.0/24; PCB 1.1.2.250]
There is a limitation when you configure the VPN network policy to use any Local IP address. When you set the Local address to 0.0.0.
ZyXEL VPN Client
Security Gateway: 1.1.1.1
Phase one Authentication method: Preshare Key
Remote: 192.168.1.0/24
In example 1, the user may wonder why ZyWALL swaps to the dynamic rule even though the VPN client only sets the authentication method as "Preshare Key", not "Preshare Key+XAuth". The root cause is that currently the ZyXEL VPN Client will send the XAuth VID no matter what authentication mode is set. Because of the XAuth VID, ZyWALL will swap to the dynamic rule.
ARP, it will update the MAC mapping in the ARP table only when there is no such MAC mapping in the ARP table. As an example of its purpose, suppose there is a backup gateway on the network, as in the picture. One day the gateway shuts down and the backup gateway comes up. The backup gateway is set with the original gateway's IP as its static IP, and it will broadcast a gratuitous ARP to ask who is using this IP.
(2) ipsec initContactMode tunnel
When the ZyWALL receives an IKE packet with IC, it deletes only one existing tunnel: the one whose security gateway IP is the same as this IKE packet's and whose phase 2 ID (network policy) also matches. This mode is suitable when tunnels are created from a VPN peer to the ZyWALL and more than two such VPN peers build tunnels from behind the same NAT router.
In this scenario, we should have a mechanism to ensure that the second session follows the first session's path to avoid this kind of problem. That's why we add this feature.
How does this feature work?
(1) PC sends a request to "Update Server" through "WAN1".
Appendix 14: The mechanism of ZyWALL IPSec policy IP conflict check
ZyWALL classifies traffic to IPSec tunnels according to Network Policies. If two Network Policies "conflict", it is not possible for ZyWALL to classify traffic correctly. Two policies conflict if they satisfy both of the following conditions at the same time:
(1) The IP address ranges of "Local Network" of the two policies overlap.
(2) The IP address ranges of "Remote Network" of the two policies overlap.
Row \ Column | Policies under Static IKE rule (configuration) | Policies under Dynamic IKE rule (configuration) | Runtime policies (IKE negotiation)
Policies under Static IKE rule (configuration) | Compare | Not compare | Not compare
Policies under Dynamic IKE rule (configuration) | Not compare | Not compare | Not compare
Runtime policies (IKE negotiation) | Compare | Not compare | Compare
Note:
(1) "Compare" means ZyWALL will compare policies in row with policies in column. E.g.
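
The Appendix 14 conflict rule and comparison table, written out as an added example for auditing a set of network policies offline (this is not ZyNOS code). The policy names, the sample addresses and the reading of the table row as "the policy being checked" are assumptions of the example.

```python
import ipaddress
from dataclasses import dataclass

# Where a network policy comes from (the three rows/columns of the table).
STATIC, DYNAMIC, RUNTIME = "static-ike-config", "dynamic-ike-config", "runtime"

# (policy being checked, policy already present) pairs marked "Compare".
# Every other pair is "Not compare". Treating the table row as the policy
# being checked is an assumption of this example.
COMPARED = {(STATIC, STATIC), (RUNTIME, STATIC), (RUNTIME, RUNTIME)}


@dataclass(frozen=True)
class NetworkPolicy:
    name: str
    origin: str
    local: str    # "address/netmask", as entered in a network policy
    remote: str


def _net(spec):
    # strict=False accepts a host address with a mask, e.g. 192.168.1.1/255.255.0.0
    return ipaddress.ip_network(spec, strict=False)


def conflicts(a, b):
    """True only when BOTH the local ranges and the remote ranges overlap."""
    return (_net(a.local).overlaps(_net(b.local))
            and _net(a.remote).overlaps(_net(b.remote)))


def find_conflicts(candidate, existing):
    """Names of existing policies that are compared with candidate and conflict."""
    return [p.name for p in existing
            if (candidate.origin, p.origin) in COMPARED and conflicts(candidate, p)]


# Constructed sample policies (not taken from any real device configuration).
EXISTING = [
    NetworkPolicy("IPSec1", STATIC, "192.168.1.0/255.255.255.0", "192.168.2.0/255.255.255.0"),
    NetworkPolicy("IPSec2", DYNAMIC, "192.168.1.0/255.255.255.0", "0.0.0.0/0"),
    NetworkPolicy("peer-7", RUNTIME, "192.168.1.0/255.255.255.0", "192.168.3.0/255.255.255.0"),
]

if __name__ == "__main__":
    checks = [
        NetworkPolicy("new-static", STATIC, "192.168.1.0/24", "192.168.2.128/25"),
        NetworkPolicy("negotiated", RUNTIME, "192.168.1.0/24", "192.168.3.0/24"),
        NetworkPolicy("static-to-3", STATIC, "192.168.1.0/24", "192.168.3.0/24"),
    ]
    for policy in checks:
        print(policy.name, "conflicts with", find_conflicts(policy, EXISTING) or "nothing")
```

The third sample policy overlaps the runtime policy "peer-7" on both sides but is not reported, because a static-rule policy is not compared against runtime policies in the table.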