ZyXEL Communications 10 Series, Reference Manual

Page 1: ...ZyWALL 10 100 Series Internet Security Gateway Reference Guide Versions 3 52 3 60 and 3 61 March 2003 ...

Page 2: ...ermission of ZyXEL Communications Corporation Published by ZyXEL Communications Corporation All rights reserved Disclaimer ZyXEL does not assume any liability arising out of the application or use of any products or software described herein Neither does it convey any license under its patent rights nor the patent rights of others ZyXEL further reserves the right to make changes in any products de...

Page 3: ...adio frequency energy and if not installed and used in accordance with the instructions may cause harmful interference to radio communications If this equipment does cause harmful interference to radio television reception which can be determined by turning the equipment off and on the user is encouraged to try to correct the interference by one or more of the following measures Reorient or reloca...

Page 4: ...that the compliance with the above conditions may not prevent degradation of service in some situations Repairs to certified equipment should be made by an authorized Canadian maintenance facility designated by the supplier Any repairs or alterations made by the user to this equipment or equipment malfunctions may give the telecommunications company cause to request the user to disconnect the equi...

Page 5: ...ditions NOTE Repair or replacement as provided under this warranty is the exclusive remedy of the purchaser This warranty is in lieu of all other warranties express or implied including any implied warranty of merchantability or fitness for a particular use or purpose ZyXEL shall in no event be held liable for indirect or consequential damages of any kind of character to the purchaser To obtain th...

Page 6: ...LAR MAIL support zyxel com tw 886 3 578 3942 www zyxel com www europe zyxel com WORLDWIDE sales zyxel com tw 886 3 578 2439 ftp europe zyxel com ZyXEL Communications Corp 6 Innovation Road II Science Based Industrial Park Hsinchu 300 Taiwan support zyxel com 1 714 632 0882 800 255 4101 www zyxel com NORTH AMERICA sales zyxel com 1 714 632 0858 ftp zyxel com ZyXEL Communications Inc 1650 Miraloma A...

Page 7: ...1 Setting up Your Computer s IPAddress 1 1 Chapter 2 Triangle Route 2 1 Chapter 3 The Big Picture 3 1 Chapter 4 Wireless LAN and IEEE 802 11 4 1 Chapter 5 Wireless LAN With IEEE 802 1x 5 1 Chapter 6 PPPoE 6 1 Chapter 7 PPTP 7 1 Chapter 8 IP Subnetting 8 1 Command and Log Information II Chapter 9 Command Interpreter 9 1 Chapter 10 Firewall Commands 10 1 Chapter 11 NetBIOS Filter Commands 11 1 Chapt...

Page 8: ...ZyWALL 10 100 Series Internet Security Gateway viii Table of Contents Index A ...

Page 9: ...D5 Challenge Authentication 5 2 Diagram 6 1 Single PC per Modem Hardware Configuration 6 1 Diagram 6 2 ZyWALL as a PPPoE Client 6 2 Diagram 7 1 Transport PPP frames over Ethernet 7 1 Diagram 7 2 PPTP Protocol Overview 7 2 Diagram 7 3 Example Message Exchange between PC and an ANT 7 3 Diagram 11 1 NetBIOS Display Filter Settings Command Without DMZ Example 11 2 Diagram 11 2 NetBIOS Display Filter S...

Page 10: ...t 3 8 5 Chart 8 10 Subnet 4 8 6 Chart 8 11 Eight Subnets 8 6 Chart 8 12 Class C Subnet Planning 8 7 Chart 8 13 Class B Subnet Planning 8 7 Chart 10 1 Firewall Commands 10 1 Chart 11 1 NetBIOS Filter Default Settings 11 2 Chart 13 1 System Error Logs 13 1 Chart 13 2 System Maintenance Logs 13 1 Chart 13 3 UPnP Logs 13 2 Chart 13 4 Content Filtering Logs 13 2 Chart 13 5 Attack Logs 13 2 Chart 13 6 A...

Page 11: ...ist of Charts xi Chart 13 11 Sample IPSec Logs During Packet Transmission 13 15 Chart 13 12 RFC 2408 ISAKMP Payload Types 13 16 Chart 13 13 Log Categories and Available Settings 13 17 Chart 14 1 Brute Force Password Guessing Protection Commands 14 1 ...

Page 12: ...d Documentation Support Disk Refer to the included CD for support documents Read Me First or Quick Start Guide The Read Me First or Quick Start Guide is designed to help you get up and running right away It contains a detailed easy to follow connection diagram default settings handy checklists and information on setting up your network and configuring for Internet access SMT User s Guide This manu...

Page 13: ...troke is in Arial font and enclosed in square brackets for instance ENTER means the Enter or carriage return key ESC means the escape key and SPACE BAR means the space bar UP and DOWN are the up and down arrow keys Mouse action sequences are denoted using a comma For example click the Apple icon Control Panels and then Modem means first click the Apple icon then point your mouse pointer to Control...

Page 14: ......

Page 15: ...ormation I Part I General Information This part provides background information about setting up your computer s IP address triangle route how functions are related wireless LAN 802 1x PPPoE PPTP and IP subnetting ...

Page 16: ......

Page 17: ...ows 3 1 requires the purchase of a third party TCP IP application package TCP IP should already be installed on computers using Windows NT 2000 XP Macintosh OS 7 and later operating systems After the appropriate TCP IP components are installed configure the TCP IP settings in order to communicate with your network If you manually assign IP information instead of using dynamic assignment make sure ...

Page 18: ... click OK If you need TCP IP a In the Network window click Add b Select Protocol and then click Add c Select Microsoft from the list of manufacturers d Select TCP IP from the list of network protocols and then click OK If you need Client for Microsoft Networks a Click Add b Select Client and then click Add c Select Microsoft from the list of manufacturers d Select Client for Microsoft Networks fro...

Page 19: ...ss automatically If you have a static IP address select Specify an IP address and type your information into the IP Address and Subnet Mask fields 2 Click the DNS Configuration tab If you do not know your DNS information select Disable DNS If you know your DNS information select Enable DNS and type the information in the fields below you may not need to fill them all in ...

Page 20: ... Add 4 Click OK to save and close the TCP IP Properties window 5 Click OK to close the Network window Insert the Windows CD if prompted 6 Turn on your ZyWALL and restart your computer when prompted Verifying Your Computer s IP Address 1 Click Start and then Run 2 In the Run window type winipcfg and then click OK to open the IP Configuration window 3 Select your network adapter You should see your ...

Page 21: ... IP Address 1 5 1 For Windows XP click start Control Panel In Windows 2000 NT click Start Settings Control Panel 2 For Windows XP click Network Connections For Windows 2000 NT click Network and Dial up Connections 3 Right click Local Area Connection and then click Properties ...

Page 22: ... tab in Win XP and click Properties 5 The Internet Protocol TCP IP Properties window opens the General tab in Windows XP If you have a dynamic IP address click Obtain an IP address automatically If you have a static IP address click Use the following IP Address and fill in the IP address Subnet mask and Default gateway fields Click Advanced ...

Page 23: ...pe an IP address in IP address and a subnet mask in Subnet mask and then click Add Repeat the above two steps for each IP address you want to add Configure additional default gateways in the IP Settings tab by clicking Add in Default gateways In TCP IP Gateway Address type the IP address of the default gateway in Gateway To manually configure a default metric the number of transmission hops clear ...

Page 24: ...ate DNS server fields If you have previously configured DNS servers click Advanced and then the DNS tab to order them 8 Click OK to close the Internet Protocol TCP IP Properties window 9 Click OK to close the Local Area Connection Properties window 10 Turn on your ZyWALL and restart your computer if prompted Verifying Your Computer s IP Address 1 Click Start All Programs Accessories and then Comma...

Page 25: ...our Computer s IP Address 1 9 1 Click the Apple menu Control Panel and double click TCP IP to open the TCP IP Control Panel 2 Select Ethernet built in from the Connect via list 3 For dynamically assigned settings select Using DHCP Server from the Configure list ...

Page 26: ... in the Subnet mask box Type the IP address of your ZyWALL in the Router address box 5 Close the TCP IP Control Panel 6 Click Save if prompted to save changes to your configuration 7 Turn on your ZyWALL and restart your computer if prompted Verifying Your Computer s IP Address Check your TCP IP properties in the TCP IP Control Panel window Macintosh OS X 1 Click the Apple menu and click System Pre...

Page 27: ...lect Using DHCP from the Configure list 4 For statically assigned settings do the following From the Configure box select Manually Type your IP address in the IP Address box Type your subnet mask in the Subnet mask box Type the IP address of your ZyWALL in the Router address box 5 Click Apply Now and close the window 6 Turn on your ZyWALL and restart your computer if prompted Verifying Your Comput...

Page 28: ......

Page 29: ...ng data packets between two Ethernet devices Some companies have more than one alternate route to one or more ISPs If the LAN and ISP s are in the same subnet the triangle route problem may occur The steps below describe the triangle route problem Step 1 A computer on the LAN initiates a connection by sending out a SYN packet to a receiving server on the WAN Step 2 The ZyWALL reroutes the SYN pack...

Page 30: ...e logical LAN interfaces with the ZyWALL being the gateway for each logical network By putting your LAN and Gateway B in different subnets all returning network traffic must pass through the ZyWALL to your LAN The following steps describe such a scenario Step 1 A computer on the LAN initiates a connection by sending a SYN packet to a receiving server on the WAN Step 2 The ZyWALL reroutes the packe...

Page 31: ...de A second solution to the triangle route problem is to put all of your network gateways on the WAN side as the following figure shows This ensures that all incoming network traffic passes through your ZyWALL to your LAN Therefore your LAN is protected Diagram 2 4 Gateways on the WAN Side ...

Page 32: ......

Page 33: ...s Internet Security Gateway The Big Picture 3 1 Chapter 3 The Big Picture The following figure gives an overview of how filtering the firewall VPN and NAT are related Diagram 3 1 Big Picture Filtering Firewall VPN and NAT ...

Page 34: ...ZyWALL 10 100 Series Internet Security Gateway The Big Picture 3 2 ...

Page 35: ... s profile on a handheld or notebook computer upon entering a patient s room 3 It allows flexible workgroups a lower total cost of ownership for workspaces that are frequently reconfigured 4 It allows conference room users access to the network as they move from meeting to meeting getting up to date access to information and the ability to communicate decisions while on the go 5 It provides campus...

Page 36: ...ng very high frequencies just below visible light in the electromagnetic spectrum to carry data Ad hoc Wireless LAN Configuration The simplest WLAN configuration is an independent Ad hoc WLAN that connects a set of computers with wireless nodes or stations STA which is called a Basic Service Set BSS In the most basic form a wireless LAN connects a set of computers with wireless adapters Any time t...

Page 37: ...ess Points not only provide communication with the wired network but also mediate wireless network traffic in the immediate neighborhood Multiple Access Points can provide wireless coverage for an entire building or campus All communications between stations or between a station and a wired network client go through the Access Point The Extended Service Set ESS shown in the next figure consists of...

Page 38: ...ity Gateway The Big Picture 4 4 could be any type of network it is almost invariably an Ethernet LAN Mobile nodes can roam between Access Points and seamless campus wide coverage is possible Diagram 4 2 ESS Provides Campus Wide Coverage ...

Page 39: ...ith current computer speed Deployment Issues with IEEE 802 11 User account management has become a network administrator s nightmare in a corporate environment as the IEEE 802 11b standard does not provide any central user account management User access control is done through manual modification of the MAC address table on the access point Although WEP data encryption offers a form of data securi...

Page 40: ...sible Authentication Protocol RFC 2486 that allows additional authentication methods to be deployed with no changes to the access point or the wireless clients RADIUS Server Authentication Sequence The following figure depicts a typical wireless network with a remote RADIUS server for user authentication using EAPOL EAP Over LAN Diagram 5 1 Sequences for EAP MD5 Challenge Authentication Client com...

Page 41: ...up services using PPP Benefits of PPPoE PPPoE offers the following benefits 1 It provides you with a familiar dial up networking DUN user interface 2 It lessens the burden on the carriers of provisioning virtual circuits all the way to the ISP on multiple switches for thousands of users For GSTN PSTN ISDN the switching fabric is already in place 3 It allows the ISP to use the existing dial up mode...

Page 42: ...unnels the PPP frames to the ISP The L2TP tunnel is capable of carrying multiple PPP sessions With PPPoE the VC Virtual Circuit is equivalent to the dial up connection and is between the modem and the AC as opposed to all the way to the ISP However the PPP negotiation is between the PC and the ISP ZyWALL as a PPPoE Client When using the ZyWALL as a PPPoE client the PCs on the LAN see only Ethernet...

Page 43: ...n is that it requires one separate ATM VC per destination Diagram 7 1 Transport PPP frames over Ethernet PPTP and the ZyWALL When the ZyWALL is deployed in such a setup it appears as a PC to the ANT In Windows VPN or PPTP Pass Through feature the PPTP tunneling is created from Windows 95 98 and NT clients to an NT server in a remote location The pass through feature allows users on the network to ...

Page 44: ...al up capability The phone call is between the user and the PAC and the PAC tunnels the PPP frames to the PNS The PPTP user is unaware of the tunnel between the PAC and the PNS Diagram 7 2 PPTP Protocol Overview Microsoft includes PPTP as a part of the Windows OS In Microsoft s implementation the PC and hence the ZyWALL is the PNS that requests the PAC the ANT to place an outgoing call over AAL5 t...

Page 45: ... Example Message Exchange between PC and an ANT PPP Data Connection The PPP frames are tunneled between the PNS and PAC over GRE General Routing Encapsulation RFC 1701 1702 The individual calls within a tunnel are distinguished using the Call ID field in the GRE header ...

Page 46: ......

Page 47: ...ave a 1 in the left most bit and a 0 in the next left most bit In a class B address the first two octets make up the network number and the two remaining octets make up the host ID Class C addresses begin starting from the left with 1 1 0 In a class C address the first three octets make up the network number and the last octet is the host ID Class D addresses begin with 1 1 1 0 Class D addresses a...

Page 48: ...IRST OCTET DECIMAL Class A 00000000 to 01111111 0 to 127 Class B 10000000 to 10111111 128 to 191 Class C 11000000 to 11011111 192 to 223 Class D 11100000 to 11101111 224 to 239 Subnet Masks A subnet mask is used to determine which bits are part of the network number and which bits are part of the host ID using a logical AND operation A subnet mask has 32 bits each bit of the mask corresponds to a ...

Page 49: ...ting a followed by the number of bits in the mask after the address For example 192 1 1 0 25 is equivalent to saying 192 1 1 0 with mask 255 255 255 128 The following table shows all possible subnet masks for a class C address using both notations Chart 8 4 Alternative Subnet Mask Notation SUBNET MASK IP ADDRESS SUBNET MASK 1 BITS LAST OCTET BIT VALUE 255 255 255 0 24 0000 0000 255 255 255 128 25 ...

Page 50: ...net Chart 8 5 Subnet 1 NETWORK NUMBER LAST OCTET BIT VALUE IP Address 192 168 1 0 IP Address Binary 11000000 10101000 00000001 00000000 Subnet Mask 255 255 255 128 Subnet Mask Binary 11111111 11111111 11111111 10000000 Subnet Address 192 168 1 0 Lowest Host ID 192 168 1 1 Broadcast Address 192 168 1 127 Highest Host ID 192 168 1 126 Chart 8 6 Subnet 2 NETWORK NUMBER LAST OCTET BIT VALUE IP Address...

Page 51: ... 11000000 or 255 255 255 192 Each subnet contains 6 host ID bits giving 26 2 or 62 hosts for each subnet all 0 s is the subnet itself all 1 s is the broadcast address on the subnet Chart 8 7 Subnet 1 NETWORK NUMBER LAST OCTET BIT VALUE IP Address 192 168 1 0 IP Address Binary 11000000 10101000 00000001 00000000 Subnet Mask Binary 11111111 11111111 11111111 11000000 Subnet Address 192 168 1 0 Lowes...

Page 52: ...0 Subnet Address 192 168 1 192 Lowest Host ID 192 168 1 193 Broadcast Address 192 168 1 255 Highest Host ID 192 168 1 254 Example Eight Subnets Similarly use a 27 bit mask to create 8 subnets 001 010 011 100 101 110 The following table shows class C IP address last octet values for each subnet Chart 8 11 Eight Subnets SUBNET SUBNET ADDRESS FIRST ADDRESS LAST ADDRESS BROADCAST ADDRESS 1 0 1 30 31 2...

Page 53: ...e subnet mask also determines which bits are part of the network number and which are part of the host ID A class B address has two host ID octets available for subnetting and a class A address has three host ID octets see Chart 8 1 available for subnetting The following table is a summary for class B subnet planning Chart 8 13 Class B Subnet Planning NO BORROWED HOST BITS SUBNET MASK NO SUBNETS N...

Page 54: ...ubnet Planning NO BORROWED HOST BITS SUBNET MASK NO SUBNETS NO HOSTS PER SUBNET 9 255 255 255 128 25 512 126 10 255 255 255 192 26 1024 62 11 255 255 255 224 27 2048 30 12 255 255 255 240 28 4096 14 13 255 255 255 248 29 8192 6 14 255 255 255 252 30 16384 2 15 255 255 255 254 31 32768 1 ...

Page 55: ...Command and Log Information II Part II Command and Log Information This part provides information on the command interpreter interface firewall and NetBIOS commands and logs and password protection ...

Page 56: ......

Page 57: ...he unit and possibly render it unusable Command Syntax The command keywords are in courier new font Enter the command keywords exactly as shown do not abbreviate The required fields in a command are enclosed in angle brackets The optional fields in a command are enclosed in square brackets The symbol means or For example sys filter netbios config type on off means that you must specify the type of...

Page 58: ......

Page 59: ...irewall This command returns the previously saved firewall settings config save firewall This command saves the current firewall settings D Di is sp pl la ay y config display firewall This command shows the of all the firewall settings including e mail attack and the sets rules config display firewall set set This command shows the current configuration of a set including timeout values name defau...

Page 60: ... This command sets the IP address to which the e mail messages are sent config edit firewall e mail return addr e mail address This command sets the source e mail address of the firewall e mails config edit firewall e mail email to e mail address This command sets the e mail address to which the firewall e mails are sent config edit firewall e mail policy full hourly daily weekly This command sets...

Page 61: ...nables or disables the immediate sending of DOS attack notification e mail messages config edit firewall attack block yes no Set this command to yes to block new traffic after the tcp max incomplete threshold is exceeded Set it to no to delete the oldest half open session when traffic exceeds the tcp max incomplete threshold config edit firewall attack block minute 0 255 This command sets the numb...

Page 62: ...pened sessions config edit firewall attack tcp max incomplete 0 255 This command sets the threshold of half open TCP sessions with the same destination where the ZyWALL starts dropping half open sessions to that destination S Se et ts s config edit firewall set set name desired name This command sets a name to identify a specified set Config edit firewall set set default permit forward block This ...

Page 63: ...e TCP connection remain open before considering it closed Config edit firewall set set log yes no This command sets whether or not the ZyWALL creates logs for packets that match the firewall s default rule set R Ru ul le es s Config edit firewall set set rule rule permit forward block This command sets whether packets that match this rule are dropped or allowed through Config edit firewall set set...

Page 64: ...fic from a particular subnet defined by IP address and subnet mask config edit firewall set set rule rule srcaddr range start ip address end ip address This command sets a rule to have the ZyWALL check for traffic from this range of addresses config edit firewall set set rule rule destaddr single ip address This command sets the rule to have the ZyWALL check for traffic with this individual destin...

Page 65: ...is range config edit firewall set set rule rule UDP destport single port This command sets a rule to have the ZyWALL check for UDP traffic with this destination address You may repeat this command to enter various non consecutive port numbers config edit firewall set set rule rule UDP destport range start port end port This command sets a rule to have the ZyWALL check for UDP traffic with a destin...

Page 66: ...s Internet Security Gateway 10 8 Firewall Commands Chart 10 1 Firewall Commands FUNCTION COMMAND DESCRIPTION config delete firewall set set rule rule This command removes the specified rule in a firewall configuration set ...

Page 67: ...tBIOS filters to do the following filters for DMZ are not available on all models Allow or disallow the sending of NetBIOS packets from the LAN to the WAN Allow or disallow the sending of NetBIOS packets from the WAN to the LAN Allow or disallow the sending of NetBIOS packets from the LAN to the DMZ Allow or disallow the sending of NetBIOS packets from the WAN to the DMZ Allow or disallow the send...

Page 68: ...are as follows Chart 11 1 NetBIOS Filter Default Settings NAME DESCRIPTION EXAMPLE LAN to WAN This field displays whether NetBIOS packets are blocked or forwarded from the LAN to the WAN Forward WAN to LAN This field displays whether NetBIOS packets are blocked or forwarded from the WAN to the LAN Forward LAN to DMZ This field displays whether NetBIOS packets are blocked or forwarded from the LAN ...

Page 69: ...S packets are blocked or forwarded from the DMZ to the WAN Forward IPSec Packets This field displays whether NetBIOS packets sent through a VPN connection are blocked or forwarded Forward Trigger dial This field displays whether NetBIOS packets are allowed to initiate calls Disabled means that NetBIOS packets are blocked from initiating calls Disabled NetBIOS Filter Configuration Syntax sys filter...

Page 70: ...ent through a VPN connection For type 7 use on to allow NetBIOS packets to initiate dial backup calls Use off to block NetBIOS packets from initiating dial backup calls Example commands Command sys filter netbios config 0 on This command blocks LAN to WAN NetBIOS packets Command sys filter netbios config 1 off This command forwards WAN to LAN NetBIOS packets Command sys filter netbios config 6 on ...

Page 71: ...ilable ZyWALL boot module commands as shown in the next screen ATBAx allows you to change the console port speed The x denotes the number preceding the colon to give the console port speed following the colon in the list of numbers that follows for example ATBA3 will give a console port speed of 9 6 Kbps ATSE displays the seed that is used to generate a password to turn on the debug flag in the fi...

Page 72: ...rea ATDUx y dump memory contents from address x for length y ATRBx display the 8 bit value of address x ATRWx display the 16 bit value of address x ATRLx display the 32 bit value of address x ATGO x run program at addr x or boot router ATGR boot router ATGT run Hardware Test Program ATRTw x y z RAM test level w from address x to y z iterations ATSH dump manufacturer related data in ROM ATDOx y dow...

Page 73: ...ime calibration failed The router failed to get information from the time server DHCP client gets s A DHCP client got a new IP address from the DHCP server DHCP client IP expired A DHCP client s IP address has expired DHCP server assigns s The DHCP server assigned an IP address to a client SMT Login Successfully Someone has logged on to the router s SMT interface SMT Login Fail Someone has failed ...

Page 74: ...e firewall Chart 13 4 Content Filtering Logs CATEGORY LOG MESSAGE DESCRIPTION URLFOR IP Domain Name The ZyWALL allows access to this IP address or domain name and forwarded traffic addressed to the IP address or domain name URLBLK IP Domain Name The ZyWALL blocked access to this IP address or domain name due to a forbidden keyword All web traffic is disabled except for trusted domains untrusted do...

Page 75: ...attack land ICMP type d code d The firewall detected an ICMP land attack see the section on ICMP messages for type and code details ip spoofing WAN TCP The firewall detected a TCP IP spoofing attack on the WAN port ip spoofing WAN UDP The firewall detected an UDP IP spoofing attack on the WAN port ip spoofing WAN IGMP The firewall detected an IGMP IP spoofing attack on the WAN port ip spoofing WAN...

Page 76: ...ZyWALL did not have a default route ip spoofing no routing entry IGMP The firewall detected an IGMP IP spoofing attack while the ZyWALL did not have a default route ip spoofing no routing entry ESP The firewall detected an ESP IP spoofing attack while the ZyWALL did not have a default route ip spoofing no routing entry GRE The firewall detected a GRE IP spoofing attack while the ZyWALL did not hav...

Page 77: ... the listed ACL set and the ZyWALL blocked or forwarded it according to the ACL set s configuration Firewall default policy GRE set d GRE access matched the default policy of the listed ACL set and the ZyWALL blocked or forwarded it according to the ACL set s configuration Firewall default policy OSPF set d OSPF access matched the default policy of the listed ACL set and the ZyWALL blocked or forw...

Page 78: ...ded it according to the rule s configuration Firewall rule match set d rule d Access matched the listed firewall rule and the ZyWALL blocked or forwarded it according to the rule s configuration Firewall rule NOT match TCP set d rule d TCP access did not match the listed firewall rule and the ZyWALL logged it Firewall rule NOT match UDP set d rule d UDP access did not match the listed firewall rul...

Page 79: ...ilter default policy DROP Access matched a default filter policy denied LAN IP and the ZyWALL dropped the packet to block access Filter default policy FORWARD TCP access matched a default filter policy Access was allowed and the router forwarded the packet Filter default policy FORWARD UDP access matched a default filter policy Access was allowed and the router forwarded the packet Filter default ...

Page 80: ... Access was allowed and the router forwarded the packet Filter match FORWARD set d rule d Access matched the listed filter rule Access was allowed and the router forwarded the packet Filter match FORWARD set d rule d Access matched the listed filter rule denied LAN IP Access was allowed and the router forwarded the packet set d With firewall messages this is the number of the ACL policy set and de...

Page 81: ...rresponding echo request Router sent ICMP response packet type d code d The router sent an ICMP response packet This packet automatically bypasses the firewall See the section on ICMP messages for type and code details Chart 13 7 ACL Setting Notes ACL SET NUMBER DIRECTION DESCRIPTION 1 LAN to WAN ACL set 1 for packets traveling from the LAN to the WAN 2 WAN to LAN ACL set 2 for packets traveling f...

Page 82: ...eachable 2 Protocol unreachable 3 Port unreachable 4 A packet that needed fragmentation was dropped because it was set to Don t Fragment DF 5 Source route failed 4 Source Quench 0 A gateway may discard internet datagrams if it does not have the buffer space needed to queue the datagrams for output to the next network on the route to the destination network 5 Redirect 0 Redirect datagrams for the N...

Page 83: ...Information Request 0 Information request message 16 Information Reply 0 Information reply message Chart 13 9 Sys log LOG MESSAGE DESCRIPTION Mon dd hr mm ss hostname src srcIP srcPort dst dstIP dstPort msg msg note note This message is sent by the RAS when this syslog is generated The messages and notes are defined in this appendix s other charts VPN IPSec logs To view the IPSec and IKE connectio...

Page 84: ...08 02 24 Recv KE NONCE 006 01 Jan 08 02 26 Send ID HASH 007 01 Jan 08 02 26 Recv ID HASH 008 01 Jan 08 02 26 Phase 1 IKE SA process done 009 01 Jan 08 02 26 Start Phase 2 Quick Mode 010 01 Jan 08 02 26 Send HASH SA NONCE ID ID 011 01 Jan 08 02 26 Recv HASH SA NONCE ID ID 012 01 Jan 08 02 26 Send HASH Clear IPSec Log y n Index Date Time Log 001 01 Jan 08 08 07 Recv Main Mode request from 192 168 10...

Page 85: ...the connection already but the IKE key exchange has not finished yet Duplicate requests with the same cookie The ZyWALL has received multiple requests from the same peer but it is still processing the first IKE packet from that peer No proposal chosen The parameters configured for Phase 1 or Phase 2 negotiations don t match Please check all protocols and settings for these phases For example one p...

Page 86: ...due to a network error Too many errors Deleting SA The ZyWALL deletes an SA when too many errors occur Phase 1 ID type mismatch The ID type of an incoming packet does not match the local s peer ID type Phase 1 ID content mismatch The ID content of an incoming packet does not match the local s peer ID content No known phase 1 ID type found The ID type of an incoming packet does not match any known ...

Page 87: ...DESCRIPTION WAN IP changed to IP If the ZyWALL s WAN IP changes all configured My IP Addr are changed to b 0 0 0 0 If this field is configured as 0 0 0 0 then the ZyWALL will use the current ZyWALL WAN IP address static or dynamic to set up the VPN tunnel Cannot find IPSec SA The ZyWALL cannot find a phase 2 SA that corresponds with the SPI of an inbound packet from the peer the packet is dropped ...

Page 88: ...lays Please refer to the RFC for detailed information on each type Chart 13 12 RFC 2408 ISAKMP Payload Types LOG DISPLAY PAYLOAD TYPE SA Security Association PROP Proposal TRANS Transform KE Key Exchange ID Identification CER Certificate CER_REQ Certificate Request HASH Hash SIG Signature NONCE Nonce NOTFY Notification DEL Delete VID Vendor ID ...

Page 89: ...ries and Available Settings LOG CATEGORIES AVAILABLE PARAMETERS access 0 1 2 3 attack 0 1 2 3 error 0 1 2 3 ike 0 1 2 3 ipsec 0 1 2 3 javablocked 0 1 2 3 mten 0 1 upnp 0 1 urlblocked 0 1 2 3 urlforward 0 1 Use 0 to not record logs for that category 1 to record only logs for that category 2 to record only alerts for that category and 3 to record both logs and alerts for that category Use the sys lo...

Page 90: ...ogs display access time source destination notes message 0 11 11 2002 15 10 12 172 22 3 80 137 172 22 255 255 137 ACCESS BLOCK Firewall default policy UDP set 8 1 11 11 2002 15 10 12 172 21 4 17 138 172 21 255 255 138 ACCESS BLOCK Firewall default policy UDP set 8 2 11 11 2002 15 10 11 172 17 2 1 224 0 1 60 ACCESS BLOCK Firewall default policy IGMP set 8 3 11 11 2002 15 10 11 172 22 3 80 137 172 2...

Page 91: ...on Commands COMMAND DESCRIPTION sys pwderrtm This command displays the brute force guessing password protection settings sys pwderrtm 0 This command turns off the password s protection from brute force guessing The brute force password guessing protection is turned off by default sys pwderrtm N This command sets the password protection to block all access attempts for N a number from 1 to 60 minut...

Page 92: ......

Page 93: ...Index III Part III Index This part provides an Index of key terms ...

Page 94: ......

Page 95: ...mer Support vi D Direct Sequence Spread Spectrum 4 2 Disclaimer ii Distribution System 4 3 DS See Distribution System DSSS See Direct Sequence Spread Spectrum E e g See Syntax Conventions Encapsulation PPP over Ethernet 6 1 Enter See Syntax Conventions ESS See Extended Service Set Extended Service Set 4 3 F FCC iii FHSS See Frequency Hopping Spread Spectrum Frequency Hopping Spread Spectrum 4 2 H ...

Page 96: ...t Card xii PPTP 7 1 R Read Me First xii Related Documentation xii Repairs v Replacement v Return Material Authorization Number v RF signals 4 2 S Select See Syntax Conventions Service v Subnet Masks 8 2 Subnetting 8 2 Support Disk xii Syntax Conventions xiii T Trademarks ii Triangle 2 1 Triangle Route Solutions 2 2 W Warranty v Wireless LAN 4 1 Benefits 4 1 WLAN See Wireless LAN www zyxel com v Z ...