ZyXEL Firmware Release Note ZyWALL 70 Release 4.04(WM.
ZyXEL ZyWALL 70 Standard Version Release 4.04(WM.4)C0 Release Note
Date: Mar. 24, 2009
Supported Platforms: ZyXEL ZyWALL 70
Versions: ZyNOS Version: V4.04(WM.4) | 03/24/2009; BootBase: V1.11 | 02/24/2009; Agent Version: V2.1.7(WM.0)base
Notes: 1. 2. Restore to Factory Defaults Setting Requirement: No. The "ignore triangle route" setting is on in the default ROM file. A triangle route network topology has potential security risks.
11. In the previous 3.64 firmware, the VID value of DPD was not correct. The VID change means the current version will not work with the wrong value. Please be sure to connect to devices that have the updated VID, or DPD may not work correctly. 12. In SMT menu 24.1, "WCRD" only represents the WLAN card status when you insert a WLAN card into the ZyWALL. If you insert a TURBO card, you will see "WCRD" is always down. 13.
3. 4. When the device is writing flash, all interrupts/services are stopped (firmware upload and signature update for the full version take tens of seconds). Because of the memory shortage (ZW5/P1), the device sometimes has to restart when the customer upgrades firmware. Issues [ALG] 1. H323 does not support the server in LAN topology. 2.
Action for matched Packets = Permit. (3) Can’t ping 192.168.1.33 from 192.168.2.33 and you can find “Unsupported/out-of-order ICMP: ICMP (Echo Reply)” log on log page. Note: (1) Here, PC1’s GW is DUT1’s LAN IP. With the ICMP reply packet, the destination IP is 192.168.2.33. In PC1, the packet will match the default GW (192.168.1.2) and change the destination MAC as DUT's LAN MAC.
(3) Visiting other web sites is normal. (4) This problem also exists in 4.01 Patch 2 C0. 6. Keyword blocking functions even when “Web site customization” is disabled. Condition: (1) Enable Content Filter. (2) Add google into Customization>>Keyword Blocking. Keep “Web site customization” disabled. (3) A PC in the LAN visiting www.google.com is blocked and there are block logs (see attached picture). (4) This problem does NOT exist in “Forbidden Web Site List”. (5) This problem exists in 4.
3. 4. 5. 6. 7. 8. subnet as WAN to device. [Condition] (1). Let the device register to Vantage. (2). Vantage sets Dial Backup to enable. (3). Vantage sets the Dial Backup Fixed IP in the same subnet as the device's WAN. (4). The device will crash after writing the above settings. Vantage will set an incorrect root password on the device when the hash root password flag is enabled via the CI command “sys pwdHash on”. The Vantage server can’t check IP conflicts with WAN on the following pages: LAN, WLAN, DMZ, Static Route and Dial Backup.
Features: Modifications in V 4.04(WM.4) | 03/24/2009 Modify for formal release. Modifications in V 4.04(WM.4)b2 | 03/17/2009 1. [BUG FIX] SPR ID: 090305574 Symptom: PC1 gets request timeout when doing nslookup using ZyWALL A as the DNS proxy. Topology: PC1----(L)ZyWALL-------A(W)tunnel------(W)ZyWALL B(L)---DNS Server Condition: (1) Build VPN tunnel between ZyWALL A and ZyWALL B. (2) Configure ZyWALL A as DNS Server of PC1. (3) On ZyWALL A, edit web eWC/DNS, add a new NS record before the first record.
6. [BUG FIX] SPR ID: 081124085 Symptom: ZyWALL transfers the wrong avidp signature type. Condition: (1) Register and activate the service from the wizard; (2) Go to the myzyxel.com server. You will find a log like: “ [INFO ] 2008-11-04 16:57:37-[Source IP]: 61.50.179.26 [Action]: service_trial [Mac]: 0019CB90C429 [LK]: T-CF0002*T-ZAS001*T-ZAVID1 [CF Unique Key Flow]: true [FW]: 4.04 [Sig]: ZAVLIPS [SKU]:CFRT=1&CFTT=30&ISUT = 90 & ZAVT = 90 & ZSIG = ZAVLIPS” (3) Currently, ZyNOS devices do not support the ZAVLIPS service yet.
(5) If the firewall is disabled, the problem disappears. 10. [BUG FIX] SPR ID: 090121708 Symptom: Fails to build VPN tunnel after SA lifetime expires. Topology: PC-------------(L)NAT router(W)-----(L)DUT(W)---Internet (ZyXEL VPN Client) Condition: (1) Get the ZyXEL VPN client from ftp://ftp.zyxel.com/ZyWALL_IPSec_VPN_Client/software/ZyWALL IPSec VPN Client _2.0.204.61.07.zip (2) The ZyXEL VPN client builds a VPN tunnel with the DUT using NAT traversal.
4. [FEATURE CHANGE] WAS: The SA monitor in IPSec Algorithm column shows info like “ESP AES--SHA1”, and CI “ipsec show sa” could only show encryption algorithm like AES. IS: The SA monitor in IPSec Algorithm column shows info like “ESP AES128--SHA1”, and CI “ipsec show sa” could show encryption algorithm like AES128. 5. [FEATURE CHANGE] WAS: “Anti-Spam Trial” is allowed to be registered and used IS: “Anti-Spam Trial” is not allowed to be registered 6.
3CX Phone A------------- (L)ZyWALL (W)------------- 3CX Phone B----SIP Server Condition: ZyWALL: (1) Set with CI command "sys romr|y" (2) Set with CI command "ip alg enable SIP_ALG" (3) Set firewall=disabled 3CX Phone A: (1) 3CX Phone A registered to SIP server. 3CX Phone B: (1) 3CX Phone B registered to SIP server. When 3CX phone A calls 3CX phone B, the console displays the following: memcpy size is different from malloc size !!! tszie=00000323 mszie=00000324 10.
12. [BUG FIX] SPR ID: 080827212 Symptom: The background color of the DNS system page needs to be consistent. Condition: (1) Enter page eWC>ADVANCED>DNS, Name Server Record (2) Check the rows of Name Server Record; the background color is inconsistent in the last line. 13. [BUG FIX] SPR ID: 080925987 Symptom: A UPnP rule is lost when uTorrent 1.8 is used. Topology: PC-----ZyWALL-----Internet Condition: (3) Switch on UPnP of ZyWALL. (4) Open uTorrent 1.8 to download some files.
6. Then turn on the power; the DUT crashes. Condition (2): 1. Configure the DUT's DNS server as an unreachable one. 2. Attach Spirent Avalanche to the DUT LAN and configure the DUT as its DNS server. 3. Start the Spirent Avalanche to generate lots of DNS queries to the DUT. 4. After a while, the DUT will hang and reboot itself. 3.
user-defined DNS server, confirm NO default server. (9) Configure ZyWALL to work as DNS proxy. (10) Enter the command "date;host www.noexist2345.com;date" in a Linux shell; after about 10 seconds it displays the following: Fri Mar 21 17:30:40 CST 2008 ;;connection timed out;no servers could be reached Fri Mar 21 17:30:40 CST 2008 4. [BUG FIX] SPR ID: 080718237 Symptom: ZyWALL 5 crashes when the customer tries to receive some specific mails.
Select Allow users to make configuration changes through UPnP Select Allow UPnP to pass through Firewall Server IP Address = 172.20.10.0 (3) Click on Apply. (4) After the Vista PC comes out of "sleep mode", (5) ZyWALL 2 Plus stops responding to SSDP discovery packets. 7. [BUG FIX] SPR ID: 080710742 Symptom: High and severe signatures ARE NOT LOGGED BY DEFAULT! Then alert cannot work correctly. Condition: (1) Go to eWC>Security>IDP>Backup & Restore, click "reset" to default setting.
Modifications in V 4.04(WM.1) | 06/26/2008 Modify for formal release. Modifications in V 4.04(WM.1)b2 | 06/18/2008 1. [BUG FIX] SPR ID: 080602026 Symptom: ZyWALL crashed when upgrading IDP signature. Condition: (1) Enable IDP, select all directions check. (2) Use IDP test tool to test ZyWALL (3) Do IDP signature upgrading, ZyWALL will crash during upgrading 2. [BUG FIX] SPR ID: 080606478 Symptom: can't build PPTP tunnel through ZyWALL.
it should show “device channel filter enet0 inDev 1 2 3 4,” (2) “device channel filter enet0 display”: the display info should not include “Output Device Filter Sets=255 255 255 255” 5. [BUG FIX] SPR ID: 080528753 Symptom: In the UTM report, the word “module” under system information should be changed to “model”. Condition: (1) Enable the report mail function. (2) Click “send mail now”. (3) The word “module” in the report about system information should be changed to “model”. 6.
will send check IP packet to checkip.dyndns.org when interface is up and get any IP address. IS: When choosing "Use WAN IP Address" as IP Address Update Policy, ZyWALL will send a check IP packet to checkip.dyndns.org when the interface is up and gets a different IP address from last time. 6. [BUG FIX] SPR ID: 071224370 Symptom: There's a ping response delay when a domain name is used as the SMTP server in log settings. Condition: PC--- (LAN) ZyWALL35 (WAN1) ------Internet (1) Set smtp.163.
Condition: (1) Reset to default romfile. (2) Go to eWC>FIREWALL>Rule Summary, then insert a new firewall rule. (3) In eWC>FIREWALL - EDIT RULE, fill in "Rule Name" and select service "PCAnywhere_Data(TCP5631)" to "Selected Service(s)" column. (4) Click "Apply". (5) In eWC>FIREWALL>Rule Summary, you can see the service change to "Any(TCP)". 10. [BUG FIX] SPR ID: 080221670 Symptom: CI command "ip nat incikeport" had been removed in firmware 4.03. Condition: (1) Disable the engineer debug flag by "ATEN".
Disable Allow Asymmetrical Route. Go to eWC>ADVANCED>STATIC ROUTE and add the following static routes:
Name   Active   Destination                   Gateway
LAN-C  Yes      10.10.10.0 / 255.255.255.0    10.1.1.9
LAN-B  Yes      10.21.10.0 / 255.255.255.0    10.1.1.21
On ZWB go to eWC>ADVANCED>STATIC ROUTE and add the following static route:
Name   Active   Destination                   Gateway
LAN-B  Yes      10.10.10.0 / 255.255.255.0    10.1.1.9
On ZWC go to eWC>ADVANCED>STATIC ROUTE and add the following static route:
Name   Active   Destination                   Gateway
LAN-C  Yes      10.21.10.0 / 255.255.255.0    10.1.1.
address is not available. Condition: Topology: PC1--(LAN)ZyWALL2+(PPPoE)--Cisco2811(LAN)---PC2 (1) Build VPN from ZyWALL2+ to Cisco2811. (2) Change the RIP item in WAN of ZyWALL2+ and Apply. Then it will try to get the new WAN IP address. (3) Sometimes ZyWALL2+ will use "0.0.0.0" as my IP address during the IKE negotiation. 17. [BUG FIX] SPR ID: 080430427 Symptom: ZyWALL 70 keeps on reboot in 5 minutes to 2 hours when AS is enabled.
(4) On eWC>SECURITY>CONTENT FILTER>Policy, enable External DB for "policy", and enable "Select All Categories". (5) A cache will be created when LAN host accesses "webpresence.qq.com/ getonline?type=1&31008201:31008202:" (6) Host on the LAN accesses "www.sina.com.cn". Another cache "ad4.sina.com.cn/sina/ae/ad_src/popup/pops1.html?v; swf;http://d1.sina.com.cn/200712/25/120149_hp-pop.swf" is created. (7) It's impossible to delete the two items except flush all caches. 20.
(5) Fails to connect to the WAN's FTP server and fails to open http://www.163.com. 24. [BUG FIX] SPR ID: 080318065 Symptom: ZyWALL 70 crashes in the PQA lab with CF enabled. Condition: (1) eWC>>Registration, register and activate the CF license. (2) eWC>>Security>>Content Filter, enable Content Filter, enable External DB. (3) A PC on the LAN begins to run "thunder 5" (latest version). (4) ZyWALL will crash each time the PC begins to run "thunder 5". 25.
Enlarge the length of "User Name" in E-mail Report, Log Settings and Diagnostics from 32 to 64. 2. [ENHANCEMENT] Add CI for changing the CF log server hyperlink manually. 3. [BUG FIX] SPR ID: 080110436 Symptom: ZyWALL with 4.03 can’t track WEB and some other protocols properly on log. Condition: (1) Add device in VRPT. (2) Enable "Send Raw Traffic Statistics to Syslog Server for Analysis" in eWC>>REPORTS>>Traffic Statistics. (3) Go to eWC>>LOGS>>Log Settings, set Syslog Server to VRPT server IP.
7. [BUG FIX] SPR ID: 080203080 Symptom: Token can’t be correctly set to the device. Condition: (1) For ZyWALL (4.04 patch0 b3), register this device to the CNM 3.0 Patch2 b2 (3.0.00.61.02b2). (2) Go to page of Device Configuration > Advanced > DNS > DDNS, selected Service Provider=WWW.REGFISH.COM, Username=ZyXEL_Sec_PM, Password=zyxelsecpm, Token=f791246515820be8521997385cdca106, Domain Name=zyxelsecpm.org, Wildcard=true, WAN Interface=WAN1, IP Address Update Policy=Use User-Defined, IP Address=172.25.17.
Add "www.cerberian.com" and "sitereview.cwfservice.net" to the default trust domain. 3. [BUG FIX] SPR ID: 071022070 Symptom: When WAN restores connection, dial backup will still be triggered. Condition: (1) Let WAN1 go down and dial backup come up. (2) A LAN PC downloads a file from WAN. (3) During the download, let WAN1 come up. (4) You will find ZyWALL still dials the modem up three or more times. 4.
PC1 with Nessus ---- (LAN) ZyWALL (DMZ) ----PC2 (192.168.4.33) Condition: (1) Install Tenable Nessus 3 (you can get it at www.nessus.org) on PC1 and update its plug-ins. (2) PC1 starts Nessus by the following steps: (a) Start Scan Task. (b) Input PC2 IP 192.168.4.33. (c) Enable all plug-ins with default settings (even dangerous plug-ins are enabled). (d) Scan from the local host. (e) Scan Now. (3) When the scan finishes, ZyWALL hangs. 7.
(1) Reset rom of ZyWALL. (2) Add a LAN to WAN firewall permit rule, select DNS service, Enable Log Packet Information When Matched. (3) EWC>SECURITY>FIREWALL>Threshold, Enable DoS Attack Protection on LAN. (4) Configured LAN DNS Server (192.168.1.38) as DNS proxy to forward DNS request to DNS server (172.25.5.1). (5) Set PC DNS server as 192.168.1.38, ping some internet domains. For example, ping www.google.cn.
12. [BUG FIX] SPR ID: 080109327 Symptom: Device crashes when scanned with ISS. Condition: (1) Use ISS to scan the device and the device crashes. 13. [BUG FIX] SPR ID: 080108262 Symptom: The usage of CLI "ipsec pingCheckDropEnable" shows an inconsistent explanation. Condition: (1) Go to SMT 24.8. (2) Type CLI "ipsec pingCheckDropEnable". (3) It shows "Usage: ipsec pingCheckEnable on/off". It should be "Usage: ipsec pingCheckDropEnable on/off" 14.
(2) Enable content filter. Then enable external Database Content Filtering. Enable log for unrated web pages but disable block for it. (3) Create a policy which enables external Database service. (4) Browse the web site "www.3dwuxi.com", there's no logs about unrated web sites in the log page. 17. [BUG FIX] SPR ID: 080114605 Symptom: ZyWALL can't send allowed CF log to CF report server Topology: PC---- (LAN) ZyWALL (WAN) ---- CF report server Condition1: (1) Register CF service on alpha.myzyxel.
Source Interface=LAN Source Starting IP Address=192.168.1.31 Source Ending IP Address=192.168.1.60 Starting Port=20, Ending Port=21 Gateway / WAN Interface=WAN2 Use another interface when the specified WAN interface is not available=disable (4) When WAN2 is disconnected, the PC (192.168.1.40) can still use FTP software to upload a file to the public FTP server via WAN1. It does not seem to match the policy route. 20. [BUG FIX] SPR ID: 080110425 Symptom: DDNS will not update after changing the service provider.
(4) LAN pc successfully opens a page which will be rated as unrated, such as “172.25.21.80”. (5) Then open this page again, it is blocked, and we can see URL in cache but no log about this block action. And it shouldn't block it since we didn't select to block unrated web pages. 24. [BUG FIX] SPR ID: 080122111 Symptom 1: log about CF>Customization is wrong Condition 1: (1) CONTENT FILTER/EDIT POLICY/CUSTOMIZATION, enable Keyword Blocking, and fill “baidu” in Keyword List (2) Flush the cache in CF.
WAS: Device would drop the repeated packet. IS: Device will resend the last IKE quick mode packet. (2) WAS: Only when VPN HA is enabled will the device drop the tunnel if the VPN ping check packet retries reach their limit. IS: If the following CI command is ON, the device will drop the tunnel if the VPN ping check packet retries reach their limit. If the command is OFF, the device will behave as in the WAS case.
Condition: (1) Input the invalid CI “sys mbuf dis cn” and the device crashes. 33. [BUG FIX] SPR ID: 070726881 Symptom: ZyWALL doesn't forward a "no answer section" response to the DNS client. Condition: (1) Configure ZyWALL as the DNS Server on a Linux PC. (2) Execute "host -t MX www.playboy.com" (3) The PC waits for the response until timeout. (4) If the DNS server is not ZyWALL, the PC gets the response immediately. 34. [BUG FIX] SPR ID: 080102005 Symptom: ZyWALL doesn't forward a "no such name" response to the DNS client.
38. [BUG FIX] SPR ID: 071203015 Symptom: The error message was shown incorrectly in the Remote Management page. Condition: (1) Go to eWC>ADVANCED>REMOTE MGMT>SSH. (2) Input value 23 into the Server Port field. (3) The status displayed "signature select successful" instead of "This port conflicts with the other server port". 39. [BUG FIX] SPR ID: 071120338 Symptom: The static DHCP rule can’t be saved under a special condition. Condition: (1) Add a static DHCP rule at the end of the DHCP table.
43. [BUG FIX] SPR ID: 071205212 Symptom: Changing the WAN port speed in bridge mode causes an error. Condition: (1) Reset the default rom of the device and change it to bridge mode. (2) Enter SMT menu 24.8. (3) Use the following commands to change the WAN port speed:
ether edit load 2
ether edit speed 10/full
ether edit save
(4) All traffic from LAN to WAN will be blocked. 44. [BUG FIX] SPR ID: 071113835 Symptom: The diagnostic mail "collect from/to" time is wrong, and the mail report "collect since" time is wrong when the report for the feature is disabled.
matched. 47. [BUG FIX] SPR ID: 071212549 Symptom: When ZyWALL sends E-mail report via OpenVMS, the E-Mail can’t display correctly. Some source codes of the E-Mail reports will display on GUI. Topology: ZyWALL (WAN) ---openVMS (mail server) ---exchange server---outlook 2003(mail client) Condition: (1) Enable eWC>Reports>Traffic Statistics. (2) Enable eWC>Reports>IDP. (3) Enable eWC>Reports>Anti-Virus. (4) Enable eWC>Reports>E-mail report, configure following items: eWC>E-Mail Settings>Mail server = mail.
50. [BUG FIX] SPR ID: 071211538 Symptom: The content of the mail sent by the Diagnostic service is garbled. Condition: (1) Enable Traffic Statistics. (2) Enable E-mail Report and configure the E-mail Setting. Select the Reporting Frequency as Hourly. (3) Enable Diagnostics and configure CPU usage 5. Select the Diagnostics Frequency as Hourly. (4) Reboot the DUT. The content of the Diagnostic mail will be garbled. 51.
6. [ENHANCEMENT] Provide a CI command "sys tos allow_FinPshAck [on|off]" to allow or block packets with the FIN, PSH and ACK flags. Default is off, that is to say, packets with the FIN, PSH and ACK flags are blocked. 7. [ENHANCEMENT] Device supports Diffie-Hellman DH5 (length 192). For VPN configuration: (1) GATEWAY POLICY page, key group adds the DH5 element. (2) NETWORK POLICY page, Perfect Forward Secrecy (PFS) adds the DH5 element. 8. [ENHANCEMENT] Device supports AES192 & AES256.
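The allow/block decision behind the "sys tos allow_FinPshAck" setting is easy to misread in a packet capture, so the following is an added example (written for this page, not ZyXEL firmware code) that decodes the flag byte of a raw TCP header and applies the same kind of policy. The function names, the constructed sample segments, and the reading of the rule as "match when FIN, PSH and ACK are all set" are assumptions of this example, not details taken from the release note.

```python
"""Added example, not ZyXEL firmware code: decode TCP flags from a raw header and
apply a FIN+PSH+ACK allow/block policy like the one toggled by the CI command
"sys tos allow_FinPshAck [on|off]". should_forward(), build_tcp_header() and the
"all three flags set" match rule are assumptions made for this illustration.
"""
import struct

# Flag bits of the TCP header byte at offset 13 (RFC 793 layout).
TCP_FIN = 0x01
TCP_SYN = 0x02
TCP_RST = 0x04
TCP_PSH = 0x08
TCP_ACK = 0x10
TCP_URG = 0x20
FIN_PSH_ACK = TCP_FIN | TCP_PSH | TCP_ACK

FLAG_NAMES = (("FIN", TCP_FIN), ("SYN", TCP_SYN), ("RST", TCP_RST),
              ("PSH", TCP_PSH), ("ACK", TCP_ACK), ("URG", TCP_URG))


def tcp_flags(segment: bytes) -> int:
    """Return the six classic flag bits of a raw TCP segment (header byte 13)."""
    if len(segment) < 20:
        raise ValueError("a TCP header is at least 20 bytes")
    return segment[13] & 0x3F


def flag_names(flags: int) -> str:
    """Render a flag bitmask as e.g. 'FIN|PSH|ACK' for a log line."""
    return "|".join(name for name, bit in FLAG_NAMES if flags & bit) or "none"


def should_forward(segment: bytes, allow_fin_psh_ack: bool = False) -> bool:
    """Policy check: block a segment carrying FIN, PSH and ACK together unless the
    allow setting (the 'on' value of the CI command) is enabled. The default is
    off/block, matching the release note. Matching on "all three set" rather than
    "exactly these three" is an assumption of this example."""
    flags = tcp_flags(segment)
    if flags & FIN_PSH_ACK == FIN_PSH_ACK and not allow_fin_psh_ack:
        return False
    return True


def build_tcp_header(src_port: int, dst_port: int, flags: int,
                     seq: int = 0, ack: int = 0) -> bytes:
    """Construct a minimal 20-byte TCP header (no options) as sample input."""
    data_offset = 5 << 4  # header length 5 x 32-bit words, reserved bits zero
    return struct.pack("!HHIIBBHHH", src_port, dst_port, seq, ack,
                       data_offset, flags, 65535, 0, 0)


def classify(segments, allow_fin_psh_ack: bool = False):
    """Return (flag string, verdict) for each segment under the given setting."""
    return [(flag_names(tcp_flags(s)),
             "forward" if should_forward(s, allow_fin_psh_ack) else "block")
            for s in segments]


# Constructed sample segments (not captured traffic): handshake, data, data+FIN, bare FIN.
SAMPLES = [
    build_tcp_header(40000, 80, TCP_SYN),
    build_tcp_header(40000, 80, TCP_PSH | TCP_ACK),
    build_tcp_header(40000, 80, TCP_FIN | TCP_PSH | TCP_ACK),
    build_tcp_header(40000, 80, TCP_FIN | TCP_ACK),
]

if __name__ == "__main__":
    for setting in (False, True):
        print(f"allow_FinPshAck={'on' if setting else 'off'}")
        for names, verdict in classify(SAMPLES, setting):
            print(f"  {names:<12} -> {verdict}")
```

Running the block with the default (off) setting blocks only the third sample, the one that carries data and closes the connection in the same segment; switching the setting on forwards all four. That third combination is legitimate TCP, which is why a practitioner checking for unexplained connection resets on a device with this default should look at this setting first.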
IS: ZyWALL can be managed by CNM Vantage Server (SGMP and TR069) and Vantage Access (TR069 only). The items below have been verified with Vantage Access: (1) Inform and Inform Response (Registration). (2) Periodic Inform. (3) Connection Request. (This needs a Dynamic Firewall Rule to be opened.) (4) Get MethodList RPC, Get Name RPC, Get Value RPC, and Get Attribute RPC. 12. [FEATURE CHANGE] WAS: There is a custom service "VPN_NAT_T (UDP: 4500)" in firewall service.
(2) Add a DNS record with empty Domain name. (3) CNM agent returns -22051 and set fail. 17. [BUG FIX] SPR ID: 071109669 Symptom: ZyWALL can’t record system report based on IP address which is not in the same subnet of ZyWALL itself. Condition: Topology: (Bridge mode) PC----- (LAN) ZyWALL_A (WAN) ----ZyWALL_B----Internet PC: 10.0.0.34 ZyWALL_A:192.168.10.40 ZyWALL_B (LAN):10.0.0.1, ip alias: 192.168.10.1 (1) Enable Collect Statistics of ZyWALL_A under system reports. (2) PC visits a web page on the internet.
Symptom: There is no log for connectivity check fail Condition: (1) Go to eWC-->Network-->WAN-->General (2) Enable "Check WAN 1 Connectivity", and let system PING "www.aabbccddeeff.com" which doesn't exist. (3) There is no connectivity check fail log. 22. [BUG FIX] SPR ID: 071023276 Symptom: IDP CI "idp commonDebug display" show inconsistent information. Condition: (1) In SMT 24.8, type CI "idp commonDebug display", there will be "bwengine off".
Condition: (1) Register UTM service from eWC>REGISTRATION>Registration. (2) Update signatures from eWC>SECURITY>IDP>Update. (3) Goto eWC>SECURITY>IDP>Signature, select attack type IM, but no IM signatures found. 27. [BUG FIX] SPR ID: 071011647 Symptom: Bandwidth Management cannot control SIP P2P traffic. Condition: LAN: 192.168.1.1 WAN: 192.168.30.113 P2002A----------------------- ZyWALL -------------------P2002B 192.168.1.39 192.168.30.
Condition: (1) Go to the eWC>CERTIFICATES>MY CERTIFICATE>DETAILS page and you will find the property field is gone. Modifications in V4.03(WM.0) | 11/07/2007 Modify for formal release. Modifications in V 4.03(WM.0)b4 | 10/29/2007 1. [ENHANCEMENT] Add Vantage CNM device agent 2.1.6(WM.0), which supports Vantage CNM server version 3.0.00.61.00. 2. [BUG FIX] SPR ID: 070924386 Symptom: CF schedule works abnormally. Condition: (1) Enable CF. In CF>Object, add a Forbidden Website “www.google.com”.
(1) Restore default romfile. (2) In CF, enable ”Unrated Website Page -- Block” and save it. You will find that it cannot save. (3) If you add a policy(policy name: aaa) and repeat step 2 again and it works. (4) Add another policy again(policy name: bbb) and save it. (5) Disable policy aaa and test the unrated functionality for policy bbb. It will fail. 6. [BUG FIX] SPR ID: 070914803 Symptom: Policy route doesn’t work correctly. Conditions: (LAN: 192.168.1.1) (192.168.1.
(6) After a few hours (it may take several days), the device crashes. 10. [BUG FIX] SPR ID: 071015779 Symptom: Device hangs when the command "ip cf ob add trust aa.aa" is input. Conditions: (1) Input the command "ip cf ob add trust aa.aa" in SMT 24.8 and the device hangs. 11. [BUG FIX] SPR ID: 071017888 Symptom: Missing help page in VPN>Network Policy>Edit>Port Forwarding Rules. Conditions: (1) Go to the eWC>VPN>Network Policy>Edit>Port Forwarding Rules page, click the help link and you will find there is no help page for it. 12.
16. [FEATURE CHANGE] (1). Remove the CF schedule “Active” field in the CF>Policy>Schedule page. (2). Change the CF rom convert behavior as follows: (2.1) If the old rom file is configured, one or two policies will be created. (2.2) If the old rom file is not configured, no policy will be created. (3). Refine the CF GUI/CI/CLI code. Modifications in V 4.03(WM.0)b2 | 08/28/2007 1. [ENHANCEMENT] (For 3G product only) Add new 3G card support and some 3G-function enhancements.
Topology: subnet A---(WLAN) ZW (WAN)---Internet (WLAN Alias) | subnet_B Condition: 1. Enable Firewall, block WLAN->WAN and log it. 2. Set up WLAN IP 192.168.7.1, WLAN IP Alias1 192.168.8.1, WLAN IP Alias2 192.168.9.1. 3. A PC (192.168.7.33) in the WLAN pinging www.baidu.com is blocked by ZyWALL (see Log). 4. A PC (192.168.8.33 or 192.168.9.33) in a WLAN IP Alias pings www.baidu.com successfully and there is no log (see Log). 5. [ENHANCEMENT] (For 3G product only) Add new 3G card support for the Huawei E220 3G USB card. 6.
Condition: (1) Restore romfile (password:fenris120) from SPR, go to Class Setup under WAN1. (2) Add sub-class FTP, bandwidth budget 180k, priority:5, service type:FTP. (3) Add sub-class PC1, bandwidth budget 150k, priority:4, borrow,service type:custom, Source IP:single 192.168.1.37. (4) Cannot move class 1 to 2. 9.
|MACAddr:0013026c13a3|
|DHCP server assigns 10.10.101.
Symptom: Can't change the default route on ZyWALL Condition: (1) Use the CI command "ip route status" to make sure the default route of WAN1 or WAN2 exists in the current route table. (2) Use the CI command "ip route drop default" to delete the default WAN1 or WAN2 route. (3) The default route can’t be deleted. 15. [BUG FIX] SPR ID: 070621307, 070621308 Symptom: DHCP has multiple entries for the same PC Condition: 1). Set a PC to DHCP using the default config - the PC will have 192.168.1.3 2).
(1) Reset ZyWALL5/35/70 ROM file. (2) Configure the DMZ IP(10.10.10.1/24) and LAN(192.168.10.0/24) for ZyWALL35, LAN IP 192.168.100.0/24 as ZyWALL70’s LAN. (3) Build the Gateway-to-Gateway VPN between ZyWALL35 and ZyWALL70 with the both LAN IP, then PC2 ping PC4, at this moment, it should be okay. (4) Configure the Dynamic VPN rule in the ZyWALL5 with the Local IP as PC1.
21. [BUG FIX] ITS #14567 Symptom: IPSec tunnel cannot be built. Condition: ZyWALL-----NAT Router-----Fortinet 200 (1) Create a VPN tunnel with Fortinet. (2) Enable NAT-Traversal. (3) Dial up this VPN tunnel but failed. 22. [FEATURE CHANGE] For GUI->VPN Global Setting page, VPN skip overlapped check box changes to radio boxes and changes the description according to technical writer suggestion. 23.
(5) Decide when the profile works by schedule. (6) Provide the information about which profile a packet belongs to in the log. 31. [ENHANCEMENT] Add NAT over IPSEC feature for ZyWALL. 32. [ENHANCEMENT] Design an Anti-Spam wizard GUI for helping users quickly configure the direction to check mail traffic. 33. [ENHANCEMENT] SPR ID: 060616955. Customized port for ZyNOS 4.03 feature, it supports FTP, H323 and SIP protocols (ALG) now.
38. [ENHANCEMENT] (1) In eWC>VPN>VPN Rules (IKE) page, add an Active/Inactive hyperlink in every network policy. (2) In eWC>VPN>GATEWAY POLICY-EDIT page, add Edit/Delete icons of "Associated Network Policies". 39. [ENHANCEMENT] SPR ID:060906253 Extend the length of Anti Spam Xtag from 23 to 47. 40. [ENHANCEMENT] SPR ID: 060807425 Enhancement of GUI Home page. (1) Add a link for Intrusion Detected/Virus Detected/Spam Mail Detected/Web Site Blocked to connect to its corresponding web page.
(2) The enhancement can also work in Linux. 45. [ENHANCEMENT] Add direction information in logs of Anti-Virus, IDP and Firewall Attack. 46. [ENHANCEMENT] SPR ID: 060522258 If users let "Redirect URL" in Content Filter be blank, the blocking page will be displayed on the forbidden object only. 47. [BUG FIX] SPR ID: 060705202 Symptom: The format and content of "System Resources" is shown different in eWC>>Home and SNMP management software. Condition: (1) See "System Resources" in eWC>>Home.
50. [BUG FIX] SPR ID: 070123093, 070123094, 070123095 Symptom: Memory leak when doing IDP CLI operation. Condition: (1) CI> idp sig load 12345 (2) Repeat (1). Memory leak!! 51. [BUG FIX] ITS#: 15003 Symptom: There will be a large latency in VPN1 if a new SA is set up.
(1) In eWC>AV>Signature>Switch to query view: select Signature Search by Attributes, Severe, DDOS and click search. (2) Click ordering by name. Check the result. (3) Do step (2) again and you will find the ordering is not right. 54. [BUG FIX] SPR ID: 060707351 Symptom: Can't enter SMT menu 4. Condition: (1) In SMT menu 4, delete ISP's name. Save it. (2) In SMT menu 11, edit ISP's name as "WAN". Save it. (3) We can't enter SMT menu 4 anymore. 55. [BUG FIX] SPR ID: 060714836, 060714837, 060714838.
          /------(W)ZW35(L)----PC2
PC1-----(L)DUT(W)----|
          \------(W)ZW70(L)----PC3
(1) Create one VPN tunnel for PC1 and PC2 (2) Redundant Remote Gateway = ZW70 (3) Enable Nailed-Up for DUT, ZW35 and ZW70. (4) DUT always reconnects the tunnel between ZW35 and ZW70. 59. [BUG FIX] SPR ID: 060731994, 060731995 Symptom: Policy route fails in a special topology. Condition: Topology: ZyWALL 70 || PC1(192.168.1.33)-----(SWITCH)-----(192.168.2.33)ZyWALL 35(192.168.10.1)-----PC2(192.168.10.
62. [BUG FIX] SPR ID: 060914870 Symptom: There will be lots of "Common TOS double free" log by SYN flooding tool. Condition: (1) Reset to default factory. (2) Change the device to bridge mode. (3) Set a firewall rule for port 21 in WAN to LAN direction. (4) The PC in WAN side uses SYN flooding tool (destination port is 21) to attack a PC in LAN side. (5) Keep attacking and reboot the device. (6) Check the centralized log, there be lots of "Common TOS double free" log. 63.
Modifications in V 4.02(WM.0)b1 | 03/21/2007 Convert firmware version to 4.02. Modifications in V 4.01(WM.4) | 03/20/2007 Modify for formal release. Modifications in V 4.01(WM.4)b2 | 03/12/2007 1. [BUG FIX] 070206549 Symptom: The “Ping of Death” function works incorrectly when the packet length is set to != 1500. Condition: Case 1: (1) Use the command “ip icmp death 800” to set the packet length for the “Ping of Death” check. (2) On a LAN PC, use the DOS command “ping 192.168.1.
appeared of page when enable or disable "Don't block trusted Web sites". Condition: (1) Enable Content Filter and block ActiveX, Java Applet. (2) Denied Access Message is "page denied!", redirect url is "http://www.zyxel.com". (3) Visit ActiveX or Java Applet web site like as http://dob.tnc.edu.tw/themes/old/showPage.php?s=152&t=5&at=". (4) The "dob.tnc.edu.tw" will be blocked and redirect to www.zyxel.com. (5) Enable customization, enable "Don't block Java/ActiveX/Cookies/Web proxy to trusted Web sites.
Condition: (1) Enable NAT. (2) Sometimes the DUT will crash at the customer site. 12. [ENHANCEMENT] Add Vantage CNM device agent 2.1.4(WM.0), which works with Vantage CNM server version 2.3.01.61.00. Modifications in V 4.01(WM.4)b1 | 01/29/2007 2. [BUG FIX] 061102088 Symptom: The MIB OID for UTM AV and IDP does not work. Condition: (1) Reset to the default romfile. (2) The PC installs SNMP software, such as MG-SOFT MIB Browser. (3) Try to get the value of OID 1.3.6.1.4.1.890.1.6.
(7) Again to access http://www.tcc.net.tw (8) Log should be displayed as “www.tcc.net.tw: Business/Economy(cache hit)|WEB BLOCK”, not “(cache hit)|WEB BLOCK”. 7. [BUG FIX] 061113707 Symptom: Content filter trusted web will be blocked when select "Don't block Java/ActiveX/Cookies/Web proxy to trusted Web sites." Condition: (1) Enable Content filter, enable blocking Active X, Cookie, Java Applet, and Proxy server. (2) Edit web eWC/Content Filter/Customization. Add Trusted Web Site “www.google.com.
(3) WAN1 & WAN2 down, Dial Backup is up. (4) The Dial Backup session between the ZyWALL and ISP is established, ZyWALL got an IP address provided by the ISP, but the PC in LAN can't ping to an Internet host. ZyWALL can receive and transmit the ping request, and can receive reply from remote host, but ZyWALL won't transmit the reply to the PC in LAN. 11. [BUG FIX] 061121145 (ITS#13200) Symptom: Failed to call the SIP phone on DMZ side with Firewall enabled. Condition: (1) Turn on Firewall.
14. [BUG FIX] 061218035 Symptom: Device crashes sometimes when you use the Anti-Spam function. Condition: (1) Restore the default romfile. (2) Register the Anti-Spam service. (3) Go to the eWC>>ANTI-SPAM>>General page, enable Anti-Spam for all directions, activate "Discard SMTP mail. Forward POP3 mail with tag in mail subject". (4) Go to the eWC>>ANTI-SPAM>>External DB page, enable External Database, set Threshold= 0. (5) Send a large mail (> 20K) from LAN to WAN; the device loses mbufs. 15.
(3) PC connects to the device’s DMZ port and pings the device’s DMZ IP. (4) Can’t get a response from the device. 20. [BUG FIX] Symptom: iChat behind ZyWALL cannot make a video call with another iChat in WAN. Condition: Topology: iChat_1------ (LAN) ZyWALL (WAN) ------- iChat_2 (1) In router mode, Apple Mac iChat_1 makes a video call request to iChat_2 on WAN. (2) iChat_1 fails to set up the video call with iChat_2. 21. [BUG FIX] Symptom: Help info about “domain name” in h_AS_Custom_Edit.
it. Modifications in V 4.01(WM.3) | 12/04/2006 Modify for formal release. Modifications in V 4.01(WM.3)b1 | 11/24/2006 1. [ENHANCEMENT] SPR ID: 061109533 Enlarge mail header size from 1024 to 2048. 2. [BUG FIX] SPR ID: 060711576 Symptom: Content filter fails when the user installs Outpost Firewall. Condition: (1) Install OutpostPro Firewall software. (2) Set "disable all web traffic except for trusted web sites" and enable content filter. (3) Enable Outpost Firewall; the user can surf the web as usual.
Topology: P2002A------------+-(LAN)ZW70(WAN)---------P2002B SIP Server--------| (1) Create a port forwarding rule on ZW70 so that SIP traffic of P2002B is forwarded to the SIP server. (2) Dial a phone call from P2002A to P2002B; P2002B can hear the voice of P2002A but P2002A cannot hear P2002B. 7. [ENHANCEMENT] Symptom: SIP ALG enhancement. Additional SIP ALG code to support a SIP server on LAN or WAN. Condition: The SIP function has some issues working correctly.
(3) DeviceA enables AS for the WAN->VPN direction. (4) PC receives mail from the mail server; the mail gets stuck. 12. [ENHANCEMENT] SPR ID: 060331694 Add a quick timeout mechanism for UDP sessions. This mechanism lets you find more games on the Internet through some game platforms. Without this mechanism, the number of games you can find is limited to roughly the NAT session limit. 13. [BUG FIX] SPR ID: 061101036 Symptom: ZyWALL does not get a new rating server list after all rating servers have been removed.
Symptom: ZyWALL cannot trigger dial backup. Condition: Topology: PC--(LAN)ZyWALL(dial backup)--Internet (1) Restore the default romfile. (2) Set up dial backup. (3) The PC sets ZyWALL as its DNS proxy server. (4) The PC starts to ping a domain name, but ZyWALL does not trigger dial backup. 17. [BUG FIX] SPR ID: 061005220 Symptom: Device crashes because of an mbuf double free in Anti-Spam. Condition: (1) The system crashes sometimes at the customer site. 18.
TCP 192.168.111.2:50999 66.59.243.66:26397 ACCESS PERMITTED" Engineer Note: The value in the default ROM file is "on" in 4.01. 22. [ENHANCEMENT] Wording changed for the out-of-memory message during F/W upload. (1) FTP Was: file size too large. Is: file size too large. Please reboot device, and try again. (2) HTTP/HTTPS Was: disk full! Is: disk full! Please reboot device, and try again. 23.
Condition: (1) In the eWC->SECURITY->CONTENT FILTER->General page, enable "Content filter" and block "Java Applet/ActiveX/Cookies/Web Proxy". (2) In the eWC->SECURITY->CONTENT FILTER->Customization page, enable "Web site customization" and "Don't block Java/ActiveX/Cookies/Web proxy to trusted Web sites". Add "web.haccpsoft.it" to "Trusted Web Sites". (3) A PC on the ZyWALL's LAN side browses the "http://web.haccpsoft.it:8080" website.
(1) For the configured romfile, please refer to the SPR. (2) PC1 cannot see PC2 by NetBIOS via the VPN tunnel. Note: This problem only happens when the policy index is not equal to the IKE index. Engineer Note: This problem happens in 4.00 and 4.01. 32. [BUG FIX] SPR:060925632 The 4.01 firmware's self-signed certificate can't be used in Mozilla Firefox. 33. [BUG FIX] SPR ID: 060908449 Symptom: The ZyWALL assigns a used IP to a DHCP client. Condition: Topology ZyWALL(LAN)------PC1,PC2 (1) Let PC1 get a DHCP IP(192.168.1.
5. [ENHANCEMENT] Add a CI command to turn the LDAP packet parsing in the NAT module on or off. Usage: "ip nat service ldap [on|off]" 6. [ENHANCEMENT] Add ALG type on policy route. 7. [BUG FIX] Symptom: ZyWALL WAN fixed 100/full negotiation fails against Cisco 3550/2900. Condition: (1) Configure the Cisco 3550/2900 port to fixed 100/full. (2) Configure ZyWALL WAN to fixed 100/full. (3) ZyWALL WAN cannot sync up; it remains down. 8. [BUG FIX] Symptom: The DHCP table shows incorrect information.
Symptom: ZyWALL serial cannot connect to one CDMA terminal, RWT FCT CDMA.24. Condition: Russia raised the issue that our ZyWALL cannot connect to one kind of CDMA terminal, RWT FCT CDMA.24, but it is okay when this terminal connects to a P662 or a D-Link router. After checking, they found that short-circuiting the CTR and DTS lines makes it work (ZyWALL connects to the CDMA terminal). 12. [BUG FIX] Symptom: Device crashes because of a memory double free in Content Filter. Condition: (1) Enable Content Filter and Web site customization.
Modifications in V4.01(WM.0)b5 | 07/31/2006 1. [BUG FIX] Symptom: Device crashes when uploading F/W. Condition: Topology : PC_A == ZyWALL == P1 == PC_B (1) Build a tunnel between PC_A and PC_B and send TFGEN traffic(1M) between PC_A and PC_B. (2) Use eWC to upload F/W from the ZyWALL's WAN; the device crashes. 2. [BUG FIX] Symptom: A PC on the LAN side can sometimes get an IP address from a DHCP server on the WAN side after downgrading from v4.01 with bootbase v1.09 to a previous firmware version. Condition: (1) With bootbase v1.
5. [FEATURE CHANGE] Change some wordings which contain "fail back" in GUI and log. Was: "Fail back ****". Is: "Fall back ****". 6. [FEATURE CHANGE] In eWC>BW MGMT>Class Setup page, change wording: WAS: "filter, to filter, (filter number)", "Filter class Search Order" IS: "class, to class, (class number)", "Enabled classes Search Order" 7. [FEATURE CHANGE] WAS: In eWC>HOME page, the memory bar will become red when the percentage of memory usage is over 90%.
(5) Unplug the wireless card and reboot the device. (6) PC connects to the DMZ port with IP 10.10.2.100/24 and gateway 10.10.2.1; the PC's ping to 10.10.2.1 will fail. 13. [BUG FIX] Symptom: The eWC>Firewall>Default Rule page pops up a JavaScript error in router mode. Condition: (1) Go to the eWC>FIREWALL>Default Rule page. (2) Click the Reset button; ZyWALL pops up a JavaScript error. 14. [BUG FIX] Symptom: Unknown crash. Condition: (1) Restore default romfile.
adjustment. 18. [BUG FIX] Symptom: The IDP should work when the traffic is "from VPN to LAN". Condition: Topology PCB-------ZYWALL----tunnel-----ZYWALL--------PCA (1) Build a tunnel between PCA and PCB. (2) Enable IDP, check the direction "From VPN to LAN" and download the file "eicar.com" by HTTP. (3) The IDP doesn't detect the virus. (4) But IDP works when you choose 'From LAN to VPN'. 19. [BUG FIX] Symptom: The device will crash when using VPN manual mode.
3. [FEATURE CHANGE] WAS: In SMT 24.8, "ipsec adjTcpMss auto" will let the "IPSec adjust TCP MSS" switch to auto mode. IS: "ipsec adjTcpMss 0" will change to auto mode. 4. [ENHANCEMENT] (1) System Resources: 1. Some memory, which is used by running features and system process, has gone in system resource bar. Add back this part of memory in the bar. 2. Give a space between number and MB. WAS: 19/64MB IS: 19/64 MB (2) Time representation: Modify eWC>home page>Up Time as a running clock.
5. [ENHANCEMENT] Support dual multiple WAN devices for the IPSec HA scenario. 6. [ENHANCEMENT] Change the Anti-Spam wording in the log. WAS: "Mail Parser buffer is overflow!" IS: "AS checking bypassed as a mail header line exceeds 1024 characters!" 7. [ENHANCEMENT] (1) Remove the eWC check box: Enable Firewall for VPN traffic. (2) Remove CI command "ipsec swFwScan on|off". 8. [BUG FIX][060502049] Symptom: Device crashes when sending a large number of mails. Condition: (1) Enable Anti-SPAM and external database.
SA lifetime = 180 seconds Policy 1: Local network: 2.2.2.2/24 Remote network: 1.1.1.1/24 SA lifetime = 28800 seconds Policy 2: Local network: 192.168.2.33/24 Remote network: 192.168.1.33/24 SA lifetime = 180 seconds (3) PC1 ping PC2 (4) After a while the Policy 2 can’t be established anymore. 10. [BUG FIX][060517002] Symptom: Some wordings in "eWC->ANTI-VURUS" are not correct. Condition: (1) Go to "eWC->ANTI-VIRUS->General".
(3) In ZW5, enable AS. (4) PC2 can’t receive the mail from PC1. 14. [BUG FIX][060424803] Symptom: ZyWALL crashes after changing MAC address. Condition: (1) Take a registered device and reboot it. (2) After device boot up, use CLI "sys my serviceR" to refresh the registration. (3) When you get the "Service refresh successfully" message, use the CLI "sys atwz 0000aazzzzzz" (Change the MAC address you want) to change the MAC address. (4) Device will crash when rebooting. 15.
Topology: PC1 (mail client) --- ZW5 (PPTP) === VPN tunnel === ZW70 ---- PC2 (mail server) (1) Establish VPN tunnel between ZW5 and ZW70. (2) ZW5's WAN is PPTP, enable AS. (3) ZW70's WAN can be any encapsulation type, disable AS. (4) PC1 receives mail from PC2 but it fails. 18. [BUG FIX][060503068] Symptom: Asymmetrical route cannot work. Condition: Topology as follows: PC (A) ---- [L]DUT(B)[W] ------- Internet --- HTTP server(D)(66.102.7.104) | | -- [L]Router(C)[W] --- Internet 1.
(2) ZyWALL pops up a JavaScript error. (3) The status bar shows "spSave () fail with Error -6103". 21. [BUG FIX][060502036] Symptom: The eWC>DNS>DHCP page cannot get the WAN2 DNS. Condition: (1) Restore default romfile. (2) WAN2 connects to a DHCP server and gets IP and DNS successfully. (3) Go to the eWC>DNS>DHCP page; the IP field cannot get the WAN2 DNS. 22. [BUG FIX][060427214] Symptom: The redundant gateway sometimes can't be saved if it's in domain name format. Condition: (1) Create an IKE rule with IPSEC HA enabled.
Local End IP= 3.3.3.3 Global Start IP= 4.4.4.4 Global End IP= 5.5.5.5 (3) Click "Apply" button, then ZyWALL crashes. 26. [BUG FIX][060424869] Symptom: Change WAN IP in GUI, the "Private" option in SMT11.1->Edit IP will be set as "NO". Condition: (1) Go to SMT11.1, configure Encapsulation as "PPPoE" or "PPTP". (2) Go to SMT11.1->Edit IP, change "Private" to "Yes". (3) Go to eWC->WAN->WAN1, set IP as static IP address. (4) Go to SMT11.1->Edit IP, the value of "Private" will become "No". 27.
31. [BUG FIX][060420625] Symptom: VPN can be successfully built up with the wrong IPSec rule. Condition: Topology: (LAN) ZyWALL_A (WAN)=======(WAN) Bridge_B (LAN) (1) On ZyWALL A, add a VPN rule: IKE: Static rule, enable XAUTH and set as client mode. IPSEC Policy: Local=Single 1.1.1.1, Remote=Single 2.2.2.2 (2) On Bridge_B, add two VPN rules: 1. Rule one: IKE: Static rule, enable XAUTH and set as server mode. IPSEC: Local=Single 3.3.3.3, Remote=Single 4.4.4.4 2. Rule two: IKE: Dynamic rule. XAUTH is disabled.
Modifications in V 4.01(WM.0)b1 | 04/24/2006 1. [ENHANCEMENT] (1) Add UTM reports for IDP/AV/AS. (2) Change linkage from GUI>Logs>Reports to GUI>UTM Reports>System Reports. (3) Re-layout UTM Home GUI for ZyWALL 4.01. 2. [ENHANCEMENT] Add redundant IPSec gateway (IPSec HA). 3. [ENHANCEMENT] IPSec traffic can be managed by security rule (IDP/AV/AS/FW/CF/BM) 4. [FEATURE CHANGE] Was: IPSec auto-build tunnel command can only build tunnels with same secure gateway IP.
Consolidate the "Router reply ICMP packet" log. (1) Router reply ICMP packet: ICMP(Port Unreachable). (2) Router reply ICMP packet: ICMP(Host Unreachable). 13. [ENHANCEMENT] Add a CI command "sys arp ackGratuitous" to let ZyWALL support gratuitous ARP requests and update the MAC mapping in the ARP table for the sender of such an ARP request. There are two subcommands under "ackGratuitous": (1) "active [yes|no]": Let ZyWALL accept gratuitous ARP requests.
New function (1) You can change the server port. (2) You can set the secure IP address for each type of server. (3) You can define the access rule for each server (WAN only/LAN only, None, ALL). (4) The secure IP and port of the SNMP server are read only. (5) The port of the SNMP and DNS server is read only. (6) The default server access of SNMP and DNS is ALL. Modification (1) The default value for the server access rule is ALL.
Appendix 2 Trigger Port Introduction Some routers try to get around this "one port per customer" limitation by using "triggered" maps. Triggered maps work by having the router watch outgoing data for a specific port number and protocol. When the router finds a match, it remembers the IP address of the computer that sent the matching data.
"Incoming Port". If it matches, the Prestige will forward the packet to the IP address recorded in the internal table for this port. (This behavior is the same as for port forwarding.) (3) The recorded IP in the internal table will be cleared if machine A disconnects from the session that matches the "Trigger Port". Notes (1) Trigger events can't happen on data coming from outside the firewall because the NAT router's sharing function doesn't work in that direction.
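A small model of the triggered map described above, added here as an illustration (it is not ZyXEL code): outbound traffic to the trigger port records the sender, inbound traffic on the incoming port is forwarded to that recorded host, the entry is cleared when the triggering session ends, and inbound traffic can never arm a rule. The rule ports and LAN addresses are constructed sample values.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class TriggerRule:
    """One triggered map: outgoing 'trigger_port' arms forwarding of 'incoming_port'."""
    trigger_port: int
    incoming_port: int
    protocol: str = "udp"


class TriggerPortNat:
    """Minimal model of the router's internal trigger-port table."""

    def __init__(self, rules):
        self.rules = list(rules)
        # (protocol, incoming_port) -> LAN IP that sent the matching outbound data
        self.table = {}

    def outbound(self, src_ip, dst_port, protocol="udp"):
        """LAN host sends data; if it hits a trigger port, remember the sender."""
        armed = False
        for rule in self.rules:
            if rule.protocol == protocol and rule.trigger_port == dst_port:
                self.table[(protocol, rule.incoming_port)] = src_ip
                armed = True
        return armed

    def inbound(self, dst_port, protocol="udp"):
        """Return the LAN IP to forward to, or None if nothing is recorded.
        Inbound data never modifies the table (trigger works one way only)."""
        return self.table.get((protocol, dst_port))

    def session_closed(self, src_ip, dst_port, protocol="udp"):
        """The triggering session ended: drop the recorded mapping for that host."""
        for rule in self.rules:
            if rule.protocol == protocol and rule.trigger_port == dst_port:
                key = (protocol, rule.incoming_port)
                if self.table.get(key) == src_ip:
                    del self.table[key]


# Constructed example rule: outbound UDP 28800 arms inbound UDP 6970 (sample ports).
SAMPLE_RULES = [TriggerRule(trigger_port=28800, incoming_port=6970, protocol="udp")]
```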
Appendix 3 Hard-coded packet filter for "NetBIOS over TCP/IP" (NBT) The new set of CI commands is under the "sys filter netbios" sub-command. The default value for every direction is "Forward", and trigger dial is "Disabled". There are two CI commands: (1) "sys filter netbios disp": It will display the current filter mode.
Appendix 4 Traffic Redirect/Static Route Application Note Why traffic redirect/static route is blocked by ZyWALL ZyWALL is the ideal secure gateway for all data passing between the Internet and the LAN. For some reasons (load balance or backup line), users want traffic re-routed to another Internet access device while still being protected by ZyWALL. The network topology is the most important issue. Here is a common example of people misusing LAN traffic redirect and static route.
normal function. Figure 5-2 Gateway on alias IP network (2) Gateway on WAN side A working topology is suggested as below. Figure 5-3 Gateway on WAN side Appendix 5 IPSec FQDN support ZyWALL A-------------Router C (with NAT) ------------ZyWALL B (WAN) (WAN) (LAN) (WAN) If ZyWALL A wants to build a VPN tunnel with ZyWALL B by passing through Router C with NAT, A cannot see B. It has to set its secure gateway to C. However, ZyWALL B will send its packet with its own IP and its own ID to ZyWALL A.
contents are consistent and they can connect. Basically the story is the same when the ID type is IP. If the user configures ID content, then ZyWALL will use it as a check, so the ID content also has to match on both sides. For example, the ID type and ID content of incoming packets must match "Peer ID Type" and "Peer ID content"; otherwise ZyWALL will reject the connection. However, the user can leave "ID content" blank if the ID type is IP; ZyWALL will put the proper value in it during IKE negotiation.
1. When Local ID Content is blank, which means the user doesn't type anything here, during IKE negotiation the local ID content will be "My IP Addr" (if it's not 0.0.0.0) or the local WAN IP. 2. When "Peer ID Content" is not blank, the ID of the incoming packet has to match our setting; otherwise the connection request will be rejected. 3. When "Secure Gateway IP Addr" is 0.0.0.0 and "Peer ID Content" is blank, the system can only check the ID type.
ISP (or network). This secondary WAN port can be used in an "active-active" load sharing or fail-over configuration, providing a highly efficient method for maximizing total network bandwidth. The default mode of the WAN 2 interface is "Active-Passive" or "Fail-Over" mode, that is, the secondary WAN is automatically brought up when the first WAN fails. The user can enter the eWC/WAN/General page to select the "Active/Active" mode for WAN.
Appendix 9 IPSec IP Overlap Support [Figure 1: VPN topology between ZyWALL A and ZyWALL B; labels: PCA 1.1.1.33, PCB 1.1.2.250, PCC 1.1.2.250, LAN 1.1.1.0/24, LAN 1.1.2.0/28, IP Alias 1.1.2.0/24, WAN] The ZyWALL uses the network policy to decide if the traffic matches a VPN rule. But if the ZyWALL finds traffic whose local address overlaps with the remote address range, it cannot tell whether it needs to trigger the VPN tunnel or just route this packet. So we provide a CI command "ipsec swSkipOverlapIp" to trigger the VPN rule.
Appendix 10 VPN Local IP Address Limitation [Figure 1: VPN topology between ZyWALL A and ZyWALL B; labels: PCA 1.1.1.33, PCB 1.1.2.250, PCC 1.1.2.250, LAN 1.1.1.0/24, LAN 1.1.2.0/28, IP Alias 1.1.2.0/24, WAN] There is a limitation when you configure the VPN network policy to use any Local IP address. When you set the Local address to 0.0.0.0 and the Remote address to include any interface IP of the ZyWALL at the same time, it may cause traffic related to remote management or DHCP between PCs and the ZyWALL to work incorrectly.
ZyXEL VPN Client Security Gateway: 1.1.1.1 Phase one Authentication method: Preshare Key Remote: 192.168.1.0/24 In example 1, the user may wonder why ZyWALL swaps to the dynamic rule even though the VPN client only set the authentication method to "Preshare Key", not "Preshare Key+XAuth". The root cause is that the current ZyXEL VPN Client sends the XAuth VID no matter which authentication mode is set. Because of the XAuth VID, ZyWALL swaps to the dynamic rule. This unexpected rule swap is a limitation of our design.
on forceUpdate, then when the ZyWALL gets a gratuitous ARP it forces an update of the MAC mapping in the ARP table; otherwise, if forceUpdate is turned off, then when the ZyWALL gets a gratuitous ARP it updates the MAC mapping in the ARP table only when there is no such MAC mapping in the ARP table yet. To give an example of its purpose, there is a backup gateway on the network as in the picture.
(2) ipsec initContactMode tunnel When the ZyWALL receives an IKE packet with IC, it deletes only one existing tunnel: the one whose security gateway IP is the same as this IKE packet's and whose phase 2 ID (network policy) also matches. It is suitable when your tunnels are created from VPN peers to the ZyWALL and two or more such VPN peers build tunnels from behind the same NAT router. Take picture 2 as an example: PC1, PC2 and PC3 each have their own VPN software to create tunnels with the ZW.
Figure 1. But there are still some limitations that we need to overcome in the future. When you deploy your SIP server on the LAN for SIP service, please make sure your topology avoids every case listed below. (1) When the SIP client is on the LAN, do not use NAT loopback on the SIP server.
Figure 2. (2) Try not to use different global IPs for the SIP client and the SIP server on NAT. Currently, there are still some limitations when different global IPs are used for the SIP client and the SIP server. For instance, in Figure 3, the SIP server and a SIP client B are on the same LAN. If we use different global IPs for the SIP server and the SIP client, SIP client A, which is behind another NAT router, will fail to communicate with SIP client B. Figure 3.
phone B. Thus the call setup will fail. This limitation is a SIP client related issue: some SIP clients send the ACK request directly to the remote client, some send it through the proxy server. Figure 4. (4) We do not support multiple SIP proxies along the path. We have not implemented or tested this kind of topology (Figure 5), so the result is still unknown.
(4) "Update Server" will reply with a file list to the PC; the download address of the file will be "File Server". At the same time, "Update Server" will inform "File Server" that a PC located at the "WAN1" IP address will get a file from it. (5) The PC knows the file address and retrieves the file through "WAN2". (6) "File Server" thinks the PC's IP should be "WAN1" instead of "WAN2". It rejects the PC's request.
If we set the timeout value to "10 seconds", 5 seconds has not timed out. The device will route the new session to the same interface.
Appendix 16: The mechanism of the ZyWALL IPSec policy IP conflict check: ZyWALL classifies traffic to IPSec tunnels according to Network Policies. If two Network Policies conflict, it is not possible for ZyWALL to classify traffic correctly. Two policies conflict if they satisfy both of the following conditions at the same time: (1) The IP address range of "Local Network" of the two policies overlaps. (2) The IP address range of "Remote Network" of the two policies overlaps.
(2) Process runtime policy sent from remote gateway during IKE negotiation

Policies in row vs. policies in column:

                                                 | Policies under Static IKE rule | Policies under Dynamic IKE rule | Runtime policies
                                                 | (configuration)                | (configuration)                 | (IKE negotiation)
Policies under Static IKE rule (configuration)   | Compare                        | Not compare                     | Not compare
Policies under Dynamic IKE rule (configuration)  | Not compare                    | Not compare                     | Not compare
Runtime policies (IKE negotiation)               | Compare                        | Not compare                     | Compare

Note: (1) "Compare" means ZyWALL will compare policies in row with policies in
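The conflict test from Appendix 16 (local ranges overlap AND remote ranges overlap) combined with the row/column comparison table above, written out as an added example that is not ZyWALL firmware code. The policy dictionaries, the "kind" labels (static/dynamic/runtime) and the sample address ranges are constructed for the illustration; Policy 2's ranges are taken from the bug report earlier in this note.

```python
import ipaddress

# Row kind (the policy being processed) -> column kinds (existing policies) that the
# comparison table marks "Compare". Dynamic-rule policies are never compared.
COMPARE_AGAINST = {
    "static": {"static"},
    "dynamic": set(),
    "runtime": {"static", "runtime"},
}


def _overlaps(net_a, net_b):
    """True when two address ranges share at least one address.
    strict=False accepts host-style entries such as 192.168.2.33/24."""
    a = ipaddress.ip_network(net_a, strict=False)
    b = ipaddress.ip_network(net_b, strict=False)
    return a.overlaps(b)


def policies_conflict(p1, p2):
    """Appendix 16 rule: conflict only when BOTH the Local Network ranges
    and the Remote Network ranges overlap."""
    return _overlaps(p1["local"], p2["local"]) and _overlaps(p1["remote"], p2["remote"])


def find_conflicts(new_policy, existing):
    """Return the existing policies that conflict with new_policy, checking only
    the kinds the table marks 'Compare' for new_policy's row."""
    columns = COMPARE_AGAINST[new_policy["kind"]]
    return [p for p in existing
            if p["kind"] in columns and policies_conflict(new_policy, p)]


# Constructed existing policies: Policy 2 from the bug report (under a static IKE
# rule) and one runtime policy learned from a peer during IKE negotiation.
EXISTING = [
    {"kind": "static", "name": "Policy 2",
     "local": "192.168.2.33/24", "remote": "192.168.1.33/24"},
    {"kind": "runtime", "name": "peer-negotiated",
     "local": "10.1.0.0/16", "remote": "10.2.0.0/16"},
]
```

Because the table is not symmetric, a static configuration policy is never checked against runtime policies, while a runtime policy is checked against both static and runtime ones.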