ZyXEL Firmware Release Note ZyWALL 70 Release 4.03(WM.
ZyXEL ZyWALL 70 Standard Version Release 4.03(WM.1)C0 Release Note
Date: Jan 31, 2008
Supported Platforms: ZyXEL ZyWALL 70
Versions:
ZyNOS Version: V4.03(WM.1) | 01/31/2008
BootBase: V1.10 | 07/31/2006
Agent Version: V2.1.6(WM.0)base
Notes:
1. Restore to Factory Defaults Setting Requirement: No.
2. The "ignore triangle route" setting is on in the default ROM file. A triangle route network topology has a potential security risk.
11. In the previous 3.64 firmware, the VID value of DPD was not correct. Because the VID has changed, the current version will not work with the old (wrong) value. Be sure to connect with devices that have the updated VID, or DPD may not work correctly. 12. In SMT menu 24.1, "WCRD" only represents the WLAN card status when a WLAN card is inserted into the ZyWALL. If you insert a TURBO card, you will see that "WCRD" is always down. 13.
(3) The host can still ping the Internet using the LAN DHCP address. (4) The scenario continues for about 30 seconds. 3. When the device is writing flash, all interrupts/services are stopped. (Firmware upload and signature update for the full version take tens of seconds.) 4. Because of the memory shortage (ZW5/P1), the device sometimes has to restart when the customer needs to upgrade firmware. Issues [ALG] 1. H323 does not support the server in LAN topology. 2.
(2) On DUT1 enable Firewall, and set Drop for VPN to LAN, then add a firewall rule of VPN to LAN: Source address = 192.168.2.33 Destination Address = 192.168.1.33 Selected Service = Any (ICMP) Action for matched Packets = Permit. (3) Can’t ping 192.168.1.33 from 192.168.2.33 and you can find “Unsupported/out-of-order ICMP: ICMP (Echo Reply)” log on log page. Note: (1) Here, PC1’s GW is DUT1’s LAN IP. With the ICMP reply packet, the destination IP is 192.168.2.33.
Condition: (1) Input "google" in Keyword Blocking of Customization. (2) Visit http://info.zyxel.com.tw from a LAN PC. The web site opens successfully, but there is a Keyword Blocking log saying "info.zyxel.com.tw: Keyword blocking" (see attached file). (3) Visiting other web sites is normal. (4) This problem also exists in 4.01 Patch 2 C0. 6. Keyword blocking functions even if "Web site customization" is disabled. Condition: (1) Enable Content Filter.
[MISC] 1. The DMZ TxPkts counter increments at about 1 pkt/min even without any Ethernet cable ever connected. 2. In eWC->Statistics, Tx data for Dial Backup is not correct. 3. ZyWALL does not support WAN 1/WAN 2 on the same sub-net. (For Multiple WAN products) 4. The new CI command "sys rn pingDrop" doesn't work. SPR ID: 070503103 5. Traffic is blocked. SPR ID: 070404256 [CNM] 1. The DES/3DES encryption key is not unique. 2.
Enlarge the length of "User Name" in E-mail Report, Log Settings and Diagnostics from 31 to 63. 4. [ENHANCEMENT] SPR ID: 071114968 Free established TOS according to the firewall schedule policy. 5. [ENHANCEMENT] SPR ID: 070614815 Modified: the DDNS log was not readable. (1) View the DDNS log in LOGS>>View Log. (2) The DDNS log is not readable, for example: 2007-05-07 17:44:52 DDNS update IP:138.188.40.255 (host 1) successfully Was: DNS update IP:138.188.40.255 (host 1) successfully Is: Update domain name zywall2wg.dyndns.
         (bridge mode)        (NAT router)   (router mode)
PC1------(LAN)ZyWALL(WAN)----VSG-1200----IPSec gateway----PC2
(1) Build a VPN tunnel between ZyWALL and the IPSec gateway. (2) Ping PC2 from PC1. (3) The tunnel can be established, but there is no PING response. 10. [BUG FIX] SPR ID: 070809666 Symptom: ZyWALL crashes when receiving POP3 mail from WAN. Condition: PC1-----(192.168.100.33)router(192.168.1.33)----(LAN)ZyWALL(WAN1)----mailserver (1) Enable Anti-spam in the WAN1->LAN direction and external DB on ZyWALL.
Symptom: ZyWALL doesn't forward the "no such name" response to the DNS client. Condition: (1) Configure ZyWALL as the DNS server on the PC. (2) The PC resolves a nonexistent domain name and waits for a response until timeout. 13. [BUG FIX] SPR ID: 071109671 Symptom: ZyWALL cannot record the system report for an IP address that is not in the same subnet as the ZyWALL itself. Topology: (bridge mode) PC-----(LAN)ZyWALL5(WAN)----ZyWALL70----Internet PC:10.0.0.34 ZyWALL5:192.168.10.40 ZyWALL70(LAN):10.0.0.1, ip alias:192.168.10.
(6) Then you will find PC2 can't ping PC4. 15. [BUG FIX] SPR ID: 070911459 Symptom: CI command "ip arp force on" does not take effect on WAN 2. Condition: (1) Let WAN 1/WAN 2 be active with traffic on them. (2) CI command "ip arp status" shows that the timer of the ARP entry does not decrease due to the existence of the traffic. (3) Use CI command "ip arp force on" to force the system to decrease the timers of those WAN ARP entries periodically.
Symptom: The "Up Time" shown on the Port Statistics and Home pages is quite different when the ZyWALL uptime is more than 100 hours. Condition: (1) Let ZyWALL WAN1 uptime be more than 300 hours. (2) Go to the eWC>HOME page; the "Up Time" is "4:00:00". (3) Click the "Port Statistics" button; the WAN1 "Up time" of the pop-up window is "300.00.00". 19. [BUG FIX] SPR ID: 070614811 Problem Symptom: Some formats of logs should be consistent.
21. [BUG FIX] SPR ID: 071114943 Symptom: ZyWALL cannot reply to packets on the correct WAN interface. Condition:
PC(192.168.1.60)-------(LAN)DUT---WAN1(192.168.5.33)-----Router----PC(192.168.10.33)
                            |----WAN2(192.168.7.33)--------|
(1) Set WAN=Active/Active mode, WAN1=192.168.5.33, WAN2=192.168.7.33. (2) Policy Route=Active, Source Address=192.168.1.60, Destination Address=0.0.0.0, Gateway=WAN2, Use another interface when the specified WAN interface is not available.
23. [BUG FIX] SPR ID: 071115021 Symptom: When adding a new sub-class with bandwidth budget = 0, it can be saved but cannot be edited or deleted. Condition: (1) Reset rom. (2) eWC>ADVANCED>BW MGMT>Summary: activate bandwidth management on WAN1. (3) eWC>ADVANCED>BW MGMT>Class Setup: add a sub-class with budget = 0 and enable the bandwidth filter. (4) After clicking Apply, it is displayed under "Enabled classes Search Order". (5) Unfolding the tree of the root class, the newly added sub-class cannot be found. 24.
(b) Input PC2 IP 192.168.4.33. (c) Enable all plug-ins with default settings (even dangerous plug-ins are enabled). (d) Scan from the local host. (e) Scan Now. (3) When the scan finishes, ZyWALL hangs. (4) An easier way to reproduce the hang is to send the attached packet with Sniffer. 27. [BUG FIX] SPR ID: 071120328 Symptom: In the log for a connectivity check failure, Source IP and Destination IP should be NULL when the domain name doesn't exist; it shouldn't show the Destination IP of the previous ping.
"ip cf externalDB exDblogserver 220.128.56.
(4) ZyWALL crashes. 4. [BUG FIX] SPR ID: 070914803 Symptom: Dial Backup is dialed in Active/Active mode even when both WAN interfaces are up. Conditions: (1) Enable Active/Active mode and LB algorithm = "None". (2) Edit a correct Dial Backup configuration, enable "Always On" and then apply. (3) Make sure WAN1 and WAN2 are both up; after that, Dial Backup is dialed and three WANs can be seen in eWC>Home. 5.
(1) Enable content filter and block cookies. (2) Access the "tw.msn.com" website and you will get "Bad Request (Invalid Header Name)" in the browser. 9. [BUG FIX] SPR ID: 070921355 Symptom: Device crashes during stress testing. Conditions: PC_A == [LAN]ZyWALL_A[WAN] == [WAN]ZyWALL_B[LAN] == PC_B (1) Enable all UTM functionality. (2) Build up a VPN tunnel between PC_A and PC_B. (3) Upload a zip file from PC_A to PC_B. (4) PC_A and PC_B send a lot of UDP packets to each other. (5)
14. [BUG FIX] SPR ID: 070905185 Symptom: ZyWALL crashes when testing the content filter. Conditions: (1). Restore the default romfile and enable CF. (2). Enable external DB in the default policy. (3). Enable "Gambling" in the default policy. (4). Set a schedule in the default policy with "Every day" + "01:01" and "02:02" (the schedule will not match the current time). (5). A PC in the LAN accesses "www.gambling.com" and the device crashes. 15. [ENHANCEMENT] (1). Change wording for CF. ("profile" ==> "policy") (2).
** The 3G card (only for USB dongle) can be removed if WAN2 is disabled. (For ZyWALL 5H only) ** Support Bandwidth Management for USB serial type 3G cards. (AC875/AC595/E612/E620) 2. [BUG FIX] ITS: 17038 Symptom: No port forwarding table for Dial Backup on Multi-WAN products. 3. [ENHANCEMENT] 1. Add support for SCEP via an RA. 2. Add an automatic polling mechanism. 4. [BUG FIX] SPR ID: 070507196 ITS #:17884 Symptom: A PC in WLAN IP Alias Subnet_B can visit the Internet although all WLAN->WAN traffic is blocked in the Firewall.
Condition: The NAT setup of WAN 1 is Full Feature, and the NAT setup of WAN 2 is SUA. The site on the public DMZ can't be seen from the Internet. 1. Set LAN to 192.168.1.1/24 and DMZ to a public subnet. 2. Add a static route so that PC3 can route to PC2 from WAN1. 3. WAN1 and WAN2 are both active and have public IP addresses. 4. Set WAN1 NAT to Full Feature and modify the first default NAT rule to:
# | Local Start IP | Local End IP  | Global Start IP | Global End IP | Type
1 | 192.168.1.1    | 192.168.1.254 | 0.0.0.0         | N/A           | M-1
5.
WAS:
|#| Time | Message                    | Source | Destination | Note                 |
| |      | WLAN STA Association       |        |             | MACAddr:0013026c13a3 |
| |      | WLAN STA Association Again |        |             | MACAddr:0013026c13a3 |
| |      |                            | Kurt-I6400(00:13:02:88:79:59) | | |
13. [ENHANCEMENT] SPR ID: ITS #14868 Add CI "sys log mail port" to change the port number the ZyWALL uses when e-mailing logs to the SMTP server. Note: (1) "sys log mail port" without a port number shows the SMTP port number currently used. (2) "sys log mail port [port number]" sets the SMTP port number to the argument [port number]. The valid port number is between 1 and 65535. 14.
17. [BUG FIX] SPR ID: 070411473, 070411474, 070411475, 070411476 ITS #: 16872 Symptom: VPN traffic stops between two gateways. Condition: Topology: (192.168.100.0/24) PC1--(LAN) ZyWALL 5-----+ +--- ZyWALL 70(LAN)----PC2 | | ----+--+--+---| ZyWALL 35 (DMZ)| |(LAN) (Safenet) | | PC3-------------+ +---------------PC4 (10.10.10.0/24) (192.168.10.0/24) (1) Reset ZyWALL5/35/70 ROM file. (2) Configure the DMZ IP(10.10.10.1/24) and LAN(192.168.10.0/24) for ZyWALL35, LAN IP 192.168.100.0/24 as ZyWALL70’s LAN.
Was: DDNS update error: The hostname specified does not exist.| Code: nohost Is: Update error: The hostname specified does not exist. |DDNS 20. [BUG FIX] ITS: 17038 (For 3G product only) Symptom & Condition: The port forwarding table of a disabled 3G-WAN 2 is bound to the dial backup. Condition: 1. Use a ZyWALL device with the 3G-WAN 2 interface as the test device. 2. Set up different port forwarding tables on the WAN 1 and WAN 2 interfaces. 3. Don't install or activate 3G-WAN 2. 4.
. [ENHANCEMENT] SPR ID: ITS #:18000 Add a hidden CI command "ipsec maxIkePskLength [31|32]" to turn on 32-byte PSK. After turning on 32-byte PSK, the user can save a 32-byte IPSec pre-shared key. A 32-byte PSK can only be used in ASCII format. Modifications in V 4.03(WM.0)b1 | 05/04/2007 1. [ENHANCEMENT] Support multiple profiles in the original content filter design.
(1) WAN interface down. (2) WAN IP changes to x.x.x.x. (3) CPU load reaches 100%. (4) ZyWALL switches to Dial Backup. (5) NAT table is full. 8. [ENHANCEMENT] Support IXP425 B1 version CPU. WAS: Support IXP425 A0/B0 version CPU. IS: Support IXP425 A0/B0/B1 version CPU. 9. [ENHANCEMENT] SPR ID: 060915885 GUI enhancement on the Firewall page. (1) Add rule number and edit icon in eWC>Default Rules for a quick check of the rule summary.
In the previous mechanism the ZyWALL only broke the first infected file packet and stopped tracking the file session. The old mechanism has better performance, but there is a risk that it cannot break a file containing more than one virus. Now the ZyWALL breaks the first infected file packet and the following file packets as well. It is safer but reduces performance when handling infected files. We also fix the line-assembly bug for FTP and HTTP in this enhancement. 15. [ENHANCEMENT] Support user-defined X-header in mail.
from SNMP management software. 20. [BUG FIX] ITS#: 14936 Symptom: A URL request such as "http://www.host:80" cannot pass through the content filter's trusted web site list. Condition: (1) Enable content filter and website customization. (2) Disable all web traffic except for trusted Web sites. (3) Add the website "http://www.sina.com" to the trusted Web sites. (4) Browse "http://www.sina.com:80" with Firefox and find it cannot be visited. 21.
VPN1: ZW35B builds a VPN with ZW35A. VPN2: ZW5 builds a VPN with ZW35A. (1) Build VPN1 and ping PC1 from PC2. (2) Build VPN2. (3) There is a large delay in the ping. 24. [BUG FIX] SPR ID: 060627810 Symptom: If the encapsulation type of the WAN interface is PPPoE/PPTP, the conflict check fails when configuring the LAN/DMZ/WLAN interface IP. Condition: (1) Set WAN encapsulation as PPPoE/PPTP, and make sure the device can get the IP correctly.
Syslog Server for Analysis". (4) Go to the eWC>LOGS>Log Settings page, activate "Syslog" and set the syslog server IP to PC_A. (5) PC_A runs the Kiwi Syslog Daemon. (6) No traffic log is sent to the Kiwi Syslog Daemon anymore. 29. [BUG FIX] SPR ID: 060725664. Symptom: DNS cannot be updated in bridge mode. Condition: (1) Restore the default romfile. (2) Switch the device to bridge mode (do not set DNS right now). (3) Go to eWC>BRIDGE>Bridge, set the DNS server to 172.23.5.1 and save it.
WAN. Condition: (1) Reset to factory default. (2) Set up a correct PPPoE connection on the WAN interface, disable "nailed-up", and set the idle timer to 20 seconds. (3) Enable the firewall and block all traffic from LAN to WAN. (4) Ping "168.95.1.1" continuously from a LAN-side PC; the WAN interface can still get an IP. (This means the WAN interface can still be triggered, but the ping packets should be dropped by the firewall.) 33. [BUG FIX] SPR ID: 060918066 Symptom: Bridge mode VPN AV cannot recognize ZIP files.
Condition: Topology: P2002(A) --- DUT1(PPPoE) =====VPN TUNNEL===== DUT2 --- P2002(B) (1) DUT1 WAN is PPPoE. (2) DUT1 and DUT2 enable SIP ALG. (3) DUT1 and DUT2 build a VPN tunnel. (4) P2002(A) dials P2002(B). The connection succeeds, but P2002(A) cannot hear P2002(B)'s voice; P2002(B) can hear P2002(A). 37. [BUG FIX] SPR ID: 061020683 Symptom: PPPoE and PPTP can't be dropped in SMT 24.1. Condition: (1) WAN1 is PPPoE or PPTP. (2) Go to SMT 24.1 and press "1" to drop WAN1. (3) WAN1 is still alive.
(2) Enable Web site customization in the Customization page. (3) Add a Forbidden Web Site or Keyword Blocking entry. (4) Access the web page that should be blocked. (5) You can see the blocked page, but there is no blocked log in the Logs page. 3. [BUG FIX] #ITS 14936 Symptom: A URL request such as "http://www.host:80" cannot pass through the content filter's trusted web site list. Condition: (1) Enable content filter and website customization. (2) Disable all web traffic except for trusted Web sites.
(3) The device's WAN can't dial up because of an incorrect login name and password. (4) The device crashes after 2 minutes. 9. [BUG FIX] 070208756 Symptom: Device crash. Condition: (1) Configure the device via Vantage. (2) Reset the device to default settings, then register to Vantage again. (3) Start synchronizing all settings from Vantage to the device. (4) The device sometimes crashes. 10. [BUG FIX] Symptom: DUT crashes when a URL is longer than a specific array. Condition: (1) Enable Content Filter and External DB.
(1) Set up one VPN between ZW5 and ZW70. (2) Enable AV and IDP in ZW5, and enable the zip file scan in AV. (3) PC1 starts an FTP and HTTP download of one 50Mbps ZIP file. (4) After about 3 minutes, PC1 cannot ping PC2 and cannot access the Internet. 4. [ENHANCEMENT] (1) Support direct ACK/BYE SIP requests. (2) Support different global IP addresses for SIP clients and SIP server. Note: Please refer to Appendix 14; the limitation on items 2 and 3 is solved. 5.
time. 8. [BUG FIX] 061128584, 061128585 (ITS#13932) Symptom: Device crashes (hardware watchdog). Condition: Topology: (a) PC --- [LAN]ZyWALL[WAN] --- HTTP server (b) HTTP server --- [LAN] ZyWALL [WAN] --- PC (1) Restore the default romfile. (2) When the PC connects to the HTTP server (http://www.alektogroup.com) through the ZyWALL, the ZyWALL sometimes crashes. 9. [BUG FIX] ITS#12880 Symptom: ZyWALL is configured to establish Dial Backup with a CDMA ISP through RWT FCT CDMA, but it does not work.
(1) In router mode, enable content filter and set the block message but leave the Redirect URL blank. (2) Enable external database content filtering and block matched web pages. (3) Select the search engines/portals categories. (4) Open http://www.sina.com.cn in Firefox and MSIE 7.0. The block message cannot be shown completely in MSIE 7.0 and nothing is shown in Firefox. 12. [BUG FIX] 061122298, 061122299, 061122300, 061107323 Symptom: Sometimes DUT cannot detect the EICAR test virus.
'cnm encrymode '. IS: Change cnm encryption mode with one CLI: 'cnm encry ' 17. [BUG FIX] 070105291 Symptom: DUT reboots. Condition: (1) Set DUT WAN as a PPPoE connection. (2) Enable H323 ALG. (3) Firewall forwards the H323 protocol from WAN1 to LAN. (4) DUT forwards port 1720 from WAN1 to LAN. (5) Make an H323 connection from WAN to LAN using OpenH323 software; DUT can reboot. 18. [BUG FIX] Symptom: Ping the DMZ IP from a PC in the DMZ; you get no response. Condition: (1) Set the LAN IP and add two IP Aliases.
(3) When WAN2 is down, use "ip ro st" to show the route table: the static route disappears, and traffic to destination A goes through WAN1. (4) After WAN2 is up again, the static route does not come back, and traffic to destination A still goes through WAN1. 23. [ENHANCEMENT] Support IXP425 B1 version CPU. WAS: Support IXP425 A0/B0 version CPU. IS: Support IXP425 A0/B0/B1 version CPU. 24.
Condition: (1) Let ZyWALL WAN1 uptime be more than 300 hours. (2) Go to the eWC>HOME page; the "Up Time" is "4:00:00". (3) Click the "Port Statistics" button; the WAN1 "Up time" of the pop-up window is "300.00.00". 5. [BUG FIX] SPR ID: 060420608 Symptom: Two SIP clients cannot talk to each other when both of them are in the LAN. Condition: Topology: SIP Client_A -------(LAN) ZyWALL (WAN)----------SIP Server SIP Client_B ------| (1) Two SIP clients register on a SIP server which is in the WAN.
Symptom: Multiple PPPoE cannot use the same PPPoE session ID. Condition: Topology: ZyWALL [WAN1] --- PPPoE [WAN2] --- PPPoE (1) Set ZyWALL's WAN1 & WAN2 encapsulation to PPPoE, and connect to different PPPoE servers. (2) WAN1 & WAN2 sometimes get the same PPPoE session ID, which confuses the PPPoE packet flow. 11. [BUG FIX] SPR ID: 060928848, 060928863 Symptom: Mail gets stuck when using VPN + PPPoE. Condition: Topology: DeviceA(PPPoE) --- DeviceB --- PC(192.168.2.33) | Mail Server(192.168.70.
15. [BUG FIX] SPR ID: 060822272 Symptom: ZyWALL will not mail its LOG if the IP specified is the One-To-One public IP. Condition: Topology:
Mail Server-----------(DMZ)ZyWALL(WAN)
192.168.2.33 192.168.2.1 10.0.0.1 10.0.0.2
(1) Restore the default romfile. (2) Set NAT type to Full Feature. (3) Build a one-to-one rule for the mail server in the DMZ: Local IP 192.168.2.33 <-> Global IP 10.0.0.2. (4) In the LOG setting, set the mail server IP to 10.0.0.2.
break a file containing more than one virus. Now the ZyWALL breaks the first infected file packet and the following file packets as well. It is safer but reduces performance when handling infected files. We also fix the line-assembly bug for FTP and HTTP in this enhancement. 20. [ENHANCEMENT] SPR ID: 060809590, 060809591, 060809592. Anti-Spam modifies the server response string "250[ -]PIPELINING" to "250[ -]PIPE******", because the ZyWALL does not support the SMTP PIPELINING function. 21.
26. [BUG FIX] SPR ID: 060809598 Symptom: PC cannot access the web server (www.fapa.com.pl) via our ZyWALL. Condition: PC---(LAN)ZyWALL(WAN)---internet (1) Get a ZyWALL with the default romfile. (2) Let the PC try to access www.fapa.com.pl. (3) The PC cannot access the web server. (4) It is OK without the ZyWALL. Special case packet flow:
Client(PC)                 Server(www.fapa.com.pl)
SYN ->
                           <- ACK = 0
                           <- SYN, ACK = 1
ACK = 1 ->
HTTP Get ->
27.
30. [BUG FIX] SPR ID: 060831744 Symptom: PC cannot ping WLAN interface IP. Condition: Topology: PC1(10.0.0.1)----(10.0.0.2)(WAN)ZyWALL(WLAN)(192.168.7.1) (1) Restore default ROM file. (2) Disable firewall feature. (3) In SMT 24.8, type "ip nat routing 2 1". (4) Set WLAN interface IP as "192.168.7.1". (5) Set NAT to "Full Feature" mode. (6) PC1 generates a PING packet to "192.168.7.1". (7) There is no response from "192.168.7.
Support 60 categories in content filtering. New categories: "Hacking", "Phishing", "Spyware/Malware Sources", "Spyware Effects/Privacy Concerns", "Open Image/Media Search", "Social Networking", "Online Storage", "Remote Access Tools", "Peer-to-Peer", "Streaming Media/MP3s" and "Proxy Avoidance". 2. [ENHANCEMENT] Add a second time schedule setting in content filtering. 3. [ENHANCEMENT] Enhance the CI command "ip ifconfig". (1) Add a new argument "mss" to configure the MSS value.
Symptom: The packet is dropped if the device does not have an ARP entry for the receiver of this packet. Condition: (1) Clear the ARP table with "CI>ip arp flush". (2) Send a ping to 168.95.1.1; the PC does not get a response to the first ICMP Echo Request. (3) After the first ping, the rest of the pings get responses. 10. [BUG FIX] Symptom: PPTP cannot pass through the ZyWALL from time to time.
PC-----(LAN)ZW70(WAN) (1) On the PC, run a trace route to a host (www.yahoo.com). (2) The trace route cannot get a response from our device. 15. [BUG FIX] Symptom: Device crashes (software watchdog woken up by NAT). Condition: (1) Restore the default romfile. (2) After a while, the device sometimes crashes. 16. [BUG FIX] Symptom: Backing up the AntiVirus configuration is too slow. Condition: (1) In eWC->SECURITY->ANTI-VIRUS->Backup & Restore, click the "Backup" button to back up the AntiVirus configuration.
(5) When PC1 sends mail, the mail gets stuck until timeout. 2. [BUG FIX] Symptom: Uploading firmware by eWC causes 100% CPU load. Condition: (1) Using the GUI to upload firmware causes 100% CPU. (2) It succeeds, but needs more than 1 minute. 3. [BUG FIX] Symptom: There should be a progress page when uploading F/W by eWC. Condition: (1) Go to eWC>Maintenance to upload F/W. (2) ZyWALL should show a progress page, but it does not. (3) ZyWALL should display the login page after reboot, but it does not.
10. [ENHANCEMENT] (3) In the eWC>HOME page, show the MAC address in the Network Status Table. [060606360] (4) Change ZyWALL eWC refresh pages to be consistent with the HOME page. [060606359] 11. [BUG FIX] Symptom: Device crashes in bridge mode AV testing. Condition: PC(mail client)----(LAN)DUT(WAN)----Mail Server (5) In bridge mode, enable AV and activate SMTP in the LAN to WAN direction. (6) Disable Outlook SMTP authentication on the PC. (7) The PC on the LAN sends out a Microsoft Outlook test mail.
Anti-Virus can detect viruses. (4) In eWC>REPORTS>THREAT REPORTS, the IDP "Total Sessions Scanned" counter increments, but it should not. 16. [BUG FIX] Symptom: ZyWALL crashes if you try to back up the AV or IDP configuration. Condition: (1) Go to the eWC>Security>ANTI-VIRUS (or IDP)>Backup & Restore page. (2) Click the Backup or Restore button. (3) The system sometimes crashes. 17. [BUG FIX] Symptom: The ZyWALL should use the user-configured time server for the daily time adjustment. Condition: (1) Reboot the ZyWALL, set 'abc.abc.
The detected virus name shows 'Unknown Signature' and the Occurrence count is very large, or even a negative number. 21. [BUG FIX] Symptom: Sometimes we cannot log in to the ZyWALL by HTTP or HTTPS after enabling the password hash function. Condition: (1) Enable the password hash function in SMT 24.8: "sys pwdHash on". (2) After the password is converted, we can never log in by HTTP or HTTPS. Modifications in V 4.01(WM.0)b2 | 05/22/2006 1. [FEATURE CHANGE] Multicast AH or ESP packets are not passed to the VPN module in the ZyWALL.
WC>Registration> Service. (5) Interfaces 1. Give each interface on the eWC page a hyperlink to the corresponding configuration page.
(192.168.70.200)ZW_B --- (192.168.2.33)PC2
(1) VPN configuration on ZW_A:
IKE 1: Secure gateway: 192.168.70.200, Enable XAUTH client, SA lifetime = 180 seconds
Policy 1: Local network: 1.1.1.1/24, Remote network: 2.2.2.2/24, Enable Nail up, SA lifetime = 28800 seconds
Policy 2: Local network: 192.168.1.33/24, Remote network: 192.168.2.33/24, SA lifetime = 180 seconds
(2) VPN configuration on ZW_B:
IKE 1: Secure gateway: 192.168.70.100, Enable XAUTH server, SA lifetime = 180 seconds
Policy 1: Local network: 2.2.2.
12. [BUG FIX][060515863] Symptom: In the eWC>HOME>Network Status>more page, wireless cannot get the correct port status. Condition: (1) Insert a G-110 wireless card. (2) Switch the device to bridge mode. (3) Go to the eWC>HOME>Network Status>more page. (4) The "Port Status" of the Wireless Card is 100M/Full, but SMT shows 54M. (5) The "Port Status" of the WLAN Interface has no information. 13. [BUG FIX][060427219] Symptom: In PPTP encapsulation with VPN, AV and AS enabled, the PC cannot receive mail via the VPN tunnel.
Peer ID: Type=DNS, Content = a.b.c.d
IPSEC Policy: Local=Single 1.1.1.1, Peer=Single 2.2.2.2
(2) On Bridge_B, add two VPN rules:
1. Rule one: IKE: Static rule, XAUTH is disabled.
   Local ID: Type=DNS, Content = a.a.a.a
   Peer ID: Type=DNS, Content = b.b.b.b
   IPSEC: Local=Single 3.3.3.3, Remote=Single 4.4.4.4
2. Rule two: IKE: Dynamic rule, enable XAUTH and set as server mode.
   Local ID: Type=DNS, Content = d.c.b.a
   Peer ID: Type=DNS, Content = a.b.c.d
   IPSEC Policy: Local=Single 1.1.1.1, Remote=Single 2.2.2.
Condition: Topology: PC1 (192.168.1.33)------(LAN)ZyWALL(WAN:192.168.70.175)-----PC2(192.168.70.176) (1) Reset to the default romfile. (2) Go to eWC>WAN>WAN1, set WAN IP Address=192.168.70.175. (3) Go to eWC>NAT>Port Triggering>WAN1 Interface>Index 1, set Name=ftp, Incoming Start Port=21, Incoming End Port=110, Trigger Start Port=21, Trigger End Port=21. (4) Disable the Firewall. (5) PC1 connects by FTP to PC2, and then PC2 connects by FTP to PC1.
123456789.123456789.123456789.123456789.123456789.123456789.123". (3) While applying the setting, the VPN Rules page shows an incorrect domain name. 24. [BUG FIX][060420654] Symptom: A wireless client can still scan the wireless network after the wireless card is disabled. Condition: (1) Plug in a G100/G110 wireless card. (2) Go to eWC/Network/Wireless Card/Wireless Card, enable the wireless card and set the ESSID to "testWlan". (3) The wireless client can scan the "testWlan" network with the Odyssey tool. (4) Disable the wireless card.
(1) Go to eWC>NAT>NAT overview, change Max concurrent sessions per host to 500. (2) Use BluePortScan to do port scan. (3) Historical high session per host is 501. 29. [BUG FIX][060423784] Symptom: Anti-Spam cannot work in NAT loop back situation. Condition: (1) Put PC1 and PC2 on LAN side of ZyWALL. (2) ZyWALL enables Anti-Spam and disables External Database. (3) PC2 installs the Merak Mail Server. (4) PC1 uses the outlook express to send mail to itself by the mail server of PC2.
(2) Click the Reset button; ZyWALL pops up a JavaScript error. 33. [BUG FIX][060425022] Symptom: Device crash (soft watchdog starts up). Condition: (1) Firewall+NAT+AV+IDP+AS+AS black list+LB. (2) LAN has a mail client and a mail server; DMZ has a mail client and 2 mail servers; WLAN has a mail client. All of them are on IxLoad. (3) Run IxLoad for 10 minutes; the device crashes. 34. [BUG FIX][060418336] Symptom: Traffic can't go out after using the tfgen tool. Condition: (1) Restore the default rom file.
1. Support "*" to match any character 0 or more times. 2. It is case-insensitive. 3. The maximum length of the email and subject fields is 63 characters. 8. [ENHANCEMENT] Add PKCS12 for ZyNOS. 9. [ENHANCEMENT] WLAN Zone enhancement. (1) ZyWALL has an independent WLAN Zone interface, regardless of the WLAN card. (2) The WLAN card is not an independent WLAN interface. (3) The WLAN card can be bridged to the LAN, DMZ and WLAN Zone interfaces. 10. [ENHANCEMENT] Support WLAN in the "ip nat routing" CI command.
Appendix 1 Remote Management Enhancement (Add SNMP & DNS Control)
New function
(1) You can change the server port.
(2) You can set the secured client IP address for each type of server.
(3) You can define the access rule for each server (WAN only/LAN only, None, ALL).
(4) The secured IP and port of the SNMP server are read only.
(5) The port of the SNMP and DNS server is read only.
(6) The default server access of SNMP and DNS is ALL.
Modification
(1) The default value for the server access rule is ALL.
Menu 24.11 - Remote Management Control
TELNET Server: Port = 23   Access = ALL   Secured Client IP = 0.0.0.0
FTP Server:    Port = 21   Access = ALL   Secured Client IP = 0.0.0.0
SSH Server:    Port = 22   Access = ALL   Secured Client IP = 0.0.0.0
Web Server:    Port = 80   Access = ALL   Secured Client IP = 0.0.0.0
SNMP server:   Port = 161  Access = ALL   Secured Client IP = 0.0.0.0
DNS server:    Port = 53   Access = ALL   Secured Client IP = 0.0.0.
Appendix 2 Trigger Port Introduction Some routers try to get around this "one port per customer" limitation by using "triggered" maps. Triggered maps work by having the router watch outgoing data for a specific port number and protocol. When the router finds a match, it remembers the IP address of the computer that sent the matching data.
"Incoming Port". If it matches, the Prestige forwards the packet to the IP address recorded in the internal table for this port. (This behavior is the same as for port forwarding.) (3) The recorded IP in the internal table is cleared if machine A disconnects from the sessions that match the "Trigger Port". Notes (1) Trigger events can't happen on data coming from outside the firewall, because the NAT router's sharing function doesn't work in that direction.
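As an added illustration (not code from the release note or ZyNOS), the following Python models the trigger-port table the appendix describes, using the ftp rule values quoted earlier in this note (Trigger Port 21, Incoming Ports 21-110); the LAN addresses in the walk-through are constructed.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Constructed model of a trigger-port table, written for this note; it is not ZyNOS code.
# The rule values mirror the configuration quoted in this release note
# (Name=ftp, Incoming Start/End Port=21-110, Trigger Start/End Port=21-21).


@dataclass(frozen=True)
class TriggerRule:
    name: str
    trigger: Tuple[int, int]    # outgoing destination-port range that arms the rule
    incoming: Tuple[int, int]   # inbound destination-port range forwarded to the recorded host


@dataclass
class TriggerPortTable:
    rules: List[TriggerRule]
    recorded: Dict[str, str] = field(default_factory=dict)  # rule name -> LAN IP that armed it

    def outbound(self, src_ip: str, dst_port: int) -> List[str]:
        """LAN->WAN packet seen by the router. Arms every rule whose trigger range matches
        and remembers the sender; returns the names of the rules that were armed."""
        armed = []
        for rule in self.rules:
            if rule.trigger[0] <= dst_port <= rule.trigger[1]:
                self.recorded[rule.name] = src_ip   # one remembered IP per rule
                armed.append(rule.name)
        return armed

    def inbound(self, dst_port: int) -> Optional[str]:
        """WAN->LAN packet. Returns the LAN IP it is forwarded to, or None when no rule is
        armed (the packet is dropped). Inbound traffic never arms a rule, which is the
        note's point that triggers cannot happen on data arriving from outside."""
        for rule in self.rules:
            if rule.incoming[0] <= dst_port <= rule.incoming[1]:
                return self.recorded.get(rule.name)
        return None

    def session_closed(self, src_ip: str, dst_port: int) -> None:
        """The LAN host's trigger session ended: forget the mapping it created."""
        for rule in self.rules:
            if rule.trigger[0] <= dst_port <= rule.trigger[1] and self.recorded.get(rule.name) == src_ip:
                del self.recorded[rule.name]


FTP_RULE = TriggerRule(name="ftp", trigger=(21, 21), incoming=(21, 110))


def walk_through() -> List[Optional[str]]:
    """Replays the sequence from the note: PC1 opens FTP to PC2, PC2 then connects back."""
    table = TriggerPortTable(rules=[FTP_RULE])
    results = [table.inbound(21)]                # nothing armed yet -> None (dropped)
    table.outbound("192.168.1.33", 21)           # PC1 (LAN) -> PC2 port 21 arms the rule
    results.append(table.inbound(21))            # PC2 -> port 21 now reaches PC1
    results.append(table.inbound(110))           # end of the incoming range also reaches PC1
    results.append(table.inbound(111))           # outside the range -> None
    table.session_closed("192.168.1.33", 21)     # PC1 disconnects -> mapping cleared
    results.append(table.inbound(21))            # -> None again
    return results


if __name__ == "__main__":
    print(walk_through())
```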
Appendix 3 Hard-coded packet filter for "NetBIOS over TCP/IP" (NBT) The new set of CI commands is under the "sys filter netbios" sub-command. The default value for every direction is "Forward", and trigger dial is "Disabled". There are two CI commands: (1) "sys filter netbios disp": displays the current filter mode.
Appendix 4 Traffic Redirect/Static Route Application Note Why traffic redirect/static route is blocked by the ZyWALL: the ZyWALL is the ideal secure gateway for all data passing between the Internet and the LAN. For some reasons (load balancing or a backup line), users want traffic re-routed to another Internet access device while still being protected by the ZyWALL. The network topology is the most important issue. Here is the common example of how people misuse LAN traffic redirect and static route.
normal function.
Figure 5-2 Gateway on alias IP network
(2) Gateway on WAN side
A working topology is suggested as below.
Figure 5-3 Gateway on WAN side
Appendix 5 IPSec FQDN support
ZyWALL A-------------Router C (with NAT)------------ZyWALL B
  (WAN)             (WAN)            (LAN)          (WAN)
If ZyWALL A wants to build a VPN tunnel with ZyWALL B by passing through Router C with NAT, A cannot see B. It has to set the secure gateway as C. However, ZyWALL B will send its packet with its own IP and its ID to ZyWALL A.
contents are consistent and they can connect. Basically the story is the same when the ID type is IP. If the user configures an ID content, the ZyWALL uses it as a check, so the ID contents also have to match each other. For example, the ID type and ID content of incoming packets must match "Peer ID Type" and "Peer ID content"; otherwise the ZyWALL rejects the connection. However, the user can leave "ID content" blank if the ID type is IP; the ZyWALL puts the proper value in it during IKE negotiation.
1. When "Local ID Content" is blank, which means the user doesn't type anything here, during IKE negotiation my ID content will be "My IP Addr" (if it's not 0.0.0.0) or the local WAN IP. 2. When "Peer ID Content" is not blank, the ID of the incoming packet has to match our setting; otherwise the connection request is rejected. 3. When "Secure Gateway IP Addr" is 0.0.0.0 and "Peer ID Content" is blank, the system can only check the ID type.
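An added Python model (not ZyNOS code) of the three ID checks above together with the blank-IP-content case from the preceding paragraph; the field names follow the eWC labels quoted in this appendix, while the ID type strings and the assumption that a blank IP-type peer ID is filled with the secure gateway address are mine.

```python
from dataclasses import dataclass

# Constructed model of the IKE ID checks described in this appendix; it is not ZyNOS code.
# Field names follow the eWC labels quoted in the note ("My IP Addr", "Local ID Content",
# "Peer ID Content", "Secure Gateway IP Addr"); the ID type strings "IP", "DNS", "E-mail"
# are assumed.

UNSET_IP = "0.0.0.0"


@dataclass(frozen=True)
class IkeId:
    id_type: str
    content: str


@dataclass(frozen=True)
class VpnRule:
    my_ip_addr: str          # "My IP Addr"; 0.0.0.0 means not configured
    local_id_type: str
    local_id_content: str    # may be blank
    secure_gateway: str      # "Secure Gateway IP Addr"; 0.0.0.0 means dynamic peer
    peer_id_type: str
    peer_id_content: str     # may be blank


def local_id_for_negotiation(rule: VpnRule, wan_ip: str) -> IkeId:
    """Rule 1: a blank Local ID Content is sent as "My IP Addr" when that is set,
    otherwise as the local WAN IP."""
    if rule.local_id_content.strip():
        return IkeId(rule.local_id_type, rule.local_id_content)
    filled = rule.my_ip_addr if rule.my_ip_addr != UNSET_IP else wan_ip
    return IkeId(rule.local_id_type, filled)


def accept_peer_id(rule: VpnRule, incoming: IkeId) -> bool:
    """True when the ID carried in the incoming IKE packet passes the checks."""
    # The ID type always has to match "Peer ID Type".
    if incoming.id_type != rule.peer_id_type:
        return False
    # Rule 2: a configured Peer ID Content must be matched exactly.
    if rule.peer_id_content.strip():
        return incoming.content == rule.peer_id_content
    # Rule 3: dynamic gateway with blank content -> only the type can be checked.
    if rule.secure_gateway == UNSET_IP:
        return True
    # Static gateway, blank content, type IP: the note says the ZyWALL fills in the proper
    # value itself; it is assumed here that this value is the configured secure gateway.
    if rule.peer_id_type == "IP":
        return incoming.content == rule.secure_gateway
    # Blank content of a non-IP type with a static gateway: type check only (assumed).
    return True
```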
ISP (or network). This secondary WAN port can be used in an "active-active" load sharing or fail-over configuration, providing a highly efficient method for maximizing total network bandwidth. The default mode of the WAN 2 interface is "Active-Passive" or "Fail-Over" mode, that is, the secondary WAN is automatically brought up when the first WAN fails. The user can go to the eWC/WAN/General page to switch WAN to "Active/Active" mode.
Appendix 9 IPSec IP Overlap Support

Figure 1 (topology labels: PCA 1.1.1.33, PCC 1.1.2.250, LAN 1.1.1.0/24, WAN, ZyWALL B, ZyWALL A, LAN 1.1.2.0/28, IP Alias 1.1.2.0/24, PCB 1.1.2.250)

The ZyWALL uses the network policy to decide whether traffic matches a VPN rule. But when the ZyWALL finds traffic whose local address range overlaps the remote address range, it cannot tell whether it should trigger the VPN tunnel or simply route the packet locally. The CI command "ipsec swSkipOverlapIp" is therefore provided to make the VPN rule trigger for such traffic. After enabling it, confirm in the VPN logs that traffic to the overlapping range really enters the tunnel instead of being routed in the clear.

Appendix 10 VPN Local IP Address Limitation

Figure 1 (same topology labels as in Appendix 9)

There is a limitation when you configure a VPN network policy to use any Local IP address. When you set the Local address to 0.0.0.0 and, at the same time, the Remote address range includes any interface IP of the ZyWALL, traffic related to remote management or DHCP between PCs and the ZyWALL may work incorrectly.
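A pre-flight check that flags both limitations, the local/remote overlap of Appendix 9 and the "local any plus an interface IP inside the remote range" case of Appendix 10, before a policy is committed. This is an added example, not ZyXEL code; the sample addresses come from the Figure 1 labels above, while the policy representation, the function names and the interface list are assumptions.

```python
"""Sanity check for ZyWALL VPN network policies (added example, not ZyXEL code)."""
import ipaddress
from typing import List

ANY_LOCAL = "0.0.0.0"   # GUI meaning: any local address


def _net(spec: str) -> ipaddress.IPv4Network:
    """Accept a host IP or a CIDR range as the GUI does."""
    return ipaddress.IPv4Network(spec, strict=False)


def check_policy(local: str, remote: str, interface_ips: List[str]) -> List[str]:
    """Return the problems a policy would hit on this ZyWALL (empty list = clean)."""
    problems: List[str] = []
    rnet = _net(remote)
    if local != ANY_LOCAL:
        lnet = _net(local)
        # Appendix 9: overlapping local and remote ranges make the tunnel trigger
        # ambiguous unless "ipsec swSkipOverlapIp" is enabled.
        if lnet.overlaps(rnet):
            problems.append(
                f"local {lnet} overlaps remote {rnet}: tunnel trigger is ambiguous "
                "(see the CI command 'ipsec swSkipOverlapIp')")
    else:
        # Appendix 10: local = any and the remote range covers one of the ZyWALL's
        # own interface IPs -> remote management / DHCP to the ZyWALL may break.
        for ip in interface_ips:
            if ipaddress.IPv4Address(ip) in rnet:
                problems.append(
                    f"local is any (0.0.0.0) and remote {rnet} contains interface IP {ip}: "
                    "remote management or DHCP between PCs and the ZyWALL may work incorrectly")
    return problems


# Constructed policies built from the Figure 1 labels (ZyWALL B's side of the tunnel).
EXAMPLES = {
    "overlap":      check_policy("1.1.2.0/28", "1.1.2.0/24", ["1.1.2.1"]),
    "clean":        check_policy("1.1.1.0/24", "1.1.2.0/24", ["1.1.1.1"]),
    "any_with_if":  check_policy(ANY_LOCAL, "1.1.2.0/24", ["1.1.2.1"]),
    "any_clean":    check_policy(ANY_LOCAL, "1.1.2.0/24", ["1.1.1.1"]),
}
```

Run it against every policy on the box, not just the one being edited: the Appendix 10 case often appears when a "catch-all" remote-access policy is added later and its remote range happens to cover the LAN or IP-alias address of the ZyWALL itself.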
ZyXEL VPN Client: Security Gateway: 1.1.1.1; Phase one Authentication method: Preshare Key; Remote: 192.168.1.0/24.

In example 1, the user may wonder why the ZyWALL swaps to the dynamic rule even though the VPN client only set the authentication method to "Preshare Key", not "Preshare Key+XAuth". The root cause is that the ZyXEL VPN Client currently sends the XAuth VID regardless of which authentication mode is set. Because of the XAuth VID, the ZyWALL swaps to the dynamic rule. This unexpected rule swap is a limitation of the current design.
on forceUpdate, then when the ZyWALL receives a gratuitous ARP it forcibly updates the MAC mapping in the ARP table; if forceUpdate is turned off, then when the ZyWALL receives a gratuitous ARP it adds the MAC mapping to the ARP table only when there is no existing entry for that IP. As an example of its purpose, consider a backup gateway on the network as shown in the picture.
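The two forceUpdate behaviours and the backup-gateway scenario, as an added example that is not ZyXEL code. The ARP table layout, the function names and the gateway addresses and MACs are constructed for the example; the on/off semantics follow the paragraph above.

```python
"""Model of the ZyWALL gratuitous ARP 'forceUpdate' switch (added example, not ZyXEL code)."""
from typing import Dict, Tuple

ArpTable = Dict[str, str]   # IP -> MAC


def handle_gratuitous_arp(table: ArpTable, ip: str, mac: str, force_update: bool) -> str:
    """Apply one gratuitous ARP (sender IP == target IP) to the table; return what happened."""
    if ip not in table:
        table[ip] = mac                       # unknown IP: learned in both modes
        return f"learned {ip} -> {mac}"
    if force_update:
        old = table[ip]                       # forceUpdate on: overwrite unconditionally
        table[ip] = mac
        return f"forceUpdate on: {ip} moved from {old} to {mac}"
    return f"forceUpdate off: {ip} stays at {table[ip]}, ignored {mac}"


# Constructed scenario: the primary gateway at 192.168.1.254 fails and a backup
# gateway takes over the same IP, announcing itself with a gratuitous ARP.
PRIMARY_MAC = "00:11:22:aa:aa:aa"
BACKUP_MAC = "00:11:22:bb:bb:bb"
GATEWAY_IP = "192.168.1.254"


def gateway_mac_after_failover(force_update: bool) -> str:
    """Which MAC the ZyWALL sends gateway traffic to after the backup's announcement."""
    table: ArpTable = {GATEWAY_IP: PRIMARY_MAC}
    handle_gratuitous_arp(table, GATEWAY_IP, BACKUP_MAC, force_update)
    return table[GATEWAY_IP]


def gateway_mac_after_spoof(force_update: bool, attacker_mac: str = "de:ad:be:ef:00:01") -> str:
    """Same mechanism, hostile sender: a LAN host claiming the gateway IP."""
    table: ArpTable = {GATEWAY_IP: PRIMARY_MAC}
    handle_gratuitous_arp(table, GATEWAY_IP, attacker_mac, force_update)
    return table[GATEWAY_IP]
```

The two helper functions show the trade-off: with forceUpdate on, fail-over to the backup gateway is immediate, but the very same gratuitous ARP from any host on the LAN will redirect the ZyWALL's gateway traffic to that host (classic ARP spoofing). With forceUpdate off, an existing mapping is kept until it ages out, which resists spoofing but delays fail-over. Turn it on only on segments where every host is trusted, or where the switch enforces port-level ARP inspection.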
(2) ipsec initContactMode tunnel. When the ZyWALL receives an IKE packet carrying Initial Contact (IC), it deletes only one existing tunnel: the one whose security gateway IP is the same as this IKE peer's and whose phase 2 ID (network policy) also matches. This mode suits the case where tunnels are initiated from VPN peers to the ZyWALL and more than one such peer builds a tunnel from behind the same NAT router. Take picture 2 as an example: PC1, PC2 and PC3 each run their own VPN software to create tunnels with the ZyWALL.
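The selection logic of the "tunnel" mode against the PC1/PC2/PC3-behind-one-NAT scenario, as an added example that is not ZyXEL code. The page describes only the "tunnel" mode; the contrasting mode that removes every tunnel from the same gateway IP is included here as an assumed baseline (named "gateway" for the example only), and the SA table layout, addresses and policy strings are constructed.

```python
"""Model of Initial Contact handling under 'ipsec initContactMode tunnel' (added example)."""
from dataclasses import dataclass
from typing import List


@dataclass
class Tunnel:
    name: str
    peer_gateway: str   # peer's security gateway IP as the ZyWALL sees it (the NAT router)
    phase2_id: str      # network policy, e.g. "192.168.10.2/32<->192.168.1.0/24"


def handle_initial_contact(tunnels: List[Tunnel], peer_gateway: str, phase2_id: str,
                           mode: str = "tunnel") -> List[str]:
    """Tear down tunnels on receipt of an IKE packet with IC; return the names removed."""
    if mode == "tunnel":
        # Page behaviour: exactly one tunnel, matching both gateway IP and phase 2 ID.
        victims = [t for t in tunnels
                   if t.peer_gateway == peer_gateway and t.phase2_id == phase2_id][:1]
    elif mode == "gateway":
        # Assumed baseline for contrast: every tunnel from that gateway IP goes.
        victims = [t for t in tunnels if t.peer_gateway == peer_gateway]
    else:
        raise ValueError(f"unknown initContactMode {mode!r}")
    for t in victims:
        tunnels.remove(t)
    return [t.name for t in victims]


NAT_ROUTER = "203.0.113.10"   # constructed: the NAT router in front of PC1..PC3


def behind_nat_scenario(mode: str) -> List[str]:
    """PC2 reboots and reconnects with IC; return the tunnels still up afterwards."""
    tunnels = [
        Tunnel("PC1", NAT_ROUTER, "192.168.10.1/32<->192.168.1.0/24"),
        Tunnel("PC2", NAT_ROUTER, "192.168.10.2/32<->192.168.1.0/24"),
        Tunnel("PC3", NAT_ROUTER, "192.168.10.3/32<->192.168.1.0/24"),
    ]
    handle_initial_contact(tunnels, NAT_ROUTER, "192.168.10.2/32<->192.168.1.0/24", mode)
    return [t.name for t in tunnels]
```

In "tunnel" mode PC2's stale SA is replaced while PC1 and PC3 keep working; in the gateway-wide baseline all three are dropped, which is the outage that the "tunnel" mode exists to avoid. Note that a peer's IC is honoured only for its own phase 2 ID, so one misbehaving client behind the NAT cannot knock out its neighbours' tunnels.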
Figure 1. But there are still some limitations that we need to overcome in the future. When you deploy your SIP server on the LAN for SIP service, please make sure your topology avoids every case listed below.
(1) When the SIP client is on the LAN, do not use NAT loopback to reach the SIP server.
Figure 2.
(2) Try not to use different global IPs for the SIP client and the SIP server on NAT. Currently there are still limitations when different global IPs are used for the SIP client and the SIP server. For instance, in Figure 3, the SIP server and SIP client B are on the same LAN. If different global IPs are used for the SIP server and the SIP client, SIP client A, which is behind another NAT router, will fail to communicate with SIP client B.
Figure 3.
phone B, so call setup will fail. This limitation is a SIP-client-related issue: some SIP clients send the ACK request directly to the remote client, while others send it through the proxy server.
Figure 4.
(4) We do not support multiple SIP proxies along the path. We have not implemented or handled this kind of topology (Figure 5), so the result is unknown.
(4) "Update Server" replies with a file list to the PC; the download address of the file is "File Server". At the same time, "Update Server" informs "File Server" that a PC located at the "WAN1" IP address will fetch a file from it.
(5) The PC now knows the file address and retrieves the file through "WAN2".
(6) "File Server" expects the PC's IP to be "WAN1" instead of "WAN2", so it rejects the PC's request.
If the timeout value is set to "10 seconds", a new session arriving 5 seconds after the previous one has not timed out, and the device routes the new session to the same interface.
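The timeout rule above, applied to the Update Server / File Server sequence, as an added example that is not ZyXEL code. The page states only that a new session inside the timeout goes to the same interface; keying the memory on the LAN source host (so that the follow-up connection to "File Server" stays on the WAN that "Update Server" saw), round-robin for brand-new flows, and resetting the timer on every session are assumptions made for the example.

```python
"""Model of the Active/Active per-host WAN stickiness timeout (added example, not ZyXEL code)."""
import itertools
from typing import Dict, List, Tuple


class WanSelector:
    def __init__(self, timeout_s: float, wans: Tuple[str, ...] = ("WAN1", "WAN2")):
        self.timeout = timeout_s
        self.last: Dict[str, Tuple[str, float]] = {}   # LAN source IP -> (wan, last seen)
        self.rr = itertools.cycle(wans)                 # assumed: round-robin for new hosts

    def select(self, src: str, now: float) -> str:
        """Pick the WAN for a new session from LAN host `src` starting at time `now`."""
        entry = self.last.get(src)
        if entry is not None:
            wan, seen = entry
            if now - seen <= self.timeout:     # still inside the timeout: stay put
                self.last[src] = (wan, now)    # assumed: timer restarts on each session
                return wan
        wan = next(self.rr)                    # timed out or unknown host: rebalance
        self.last[src] = (wan, now)
        return wan


def update_then_download(timeout_s: float, gap_s: float) -> List[str]:
    """Constructed replay of steps (4)-(6): the PC asks Update Server, then File Server."""
    sel = WanSelector(timeout_s)
    pc = "192.168.1.33"
    return [sel.select(pc, 0.0),        # session to "Update Server"
            sel.select(pc, gap_s)]      # session to "File Server", gap_s seconds later
```

With a 10-second timeout and a 5-second gap both sessions leave through WAN1 and File Server sees the address it was told to expect; with a 15-second gap the second session is rebalanced onto WAN2 and File Server rejects it, which is the failure in step (6). Size the timeout to the longest pause the application can leave between its related connections.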