ZyXEL Communications ATP200, User Manual

Page 1: ...Default Login Details User s Guide ZyWALL ATP Series Copyright 2018 Zyxel Communications Corporation LAN Port IP Address https 192 168 1 1 User Name admin Password 1234 Version 4 32 Edition 2 11 2018 ...

Page 2: ...d by the Zyxel Device Related Documentation Quick Start Guide The Quick Start Guide shows how to connect the Zyxel Device and access the Web Configurator wizards See the wizard real time help for information on configuring each screen It also contains a connection diagram and package contents list CLI Reference Guide The CLI Reference Guide explains how to use the Command Line Interface CLI to con...

Page 3: ... Product labels screen names field labels and field choices are all in bold font A right angle bracket within a screen name denotes a mouse click For example Configuration Network Interface Ethernet means you first click Configuration in the navigation panel then Network then the Interface sub menu and finally the Ethernet tab to get to that screen Icons Used in Figures Figures in this user guide ...

Page 4: ...26 NAT 332 Redirect Service 340 ALG 346 UPnP 353 IP MAC Binding 362 Layer 2 Isolation 367 DNS Inbound LB 371 IPnP 377 IPSec VPN 379 SSL VPN 415 L2TP VPN 421 BWM Bandwidth Management 426 Web Authentication 441 Security Policy 470 Application Patrol 496 Content Filter 505 Anti Malware 524 Botnet Filter 533 IDP 537 Sandboxing 554 Email Security 556 SSL Inspection 567 Object 579 Device HA 675 Cloud CN...

Page 5: ...Contents Overview ZyWALL ATP Series User s Guide 5 Diagnostics 777 Packet Flow Explore 794 Shutdown 801 Troubleshooting 802 ...

Page 6: ... 3 Navigation Panel 36 1 4 4 Tables and Lists 43 Chapter 2 Initial Setup Wizard 47 2 1 Initial Setup Wizard Screens 47 2 1 1 Internet Access Setup WAN Interface 47 2 1 2 Internet Access Ethernet 48 2 1 3 Internet Access PPPoE 49 2 1 4 Internet Access PPTP 51 2 1 5 Internet Access L2TP 53 2 1 6 Internet Access Setup Second WAN Interface 55 2 1 7 Internet Access Congratulations 56 2 1 8 Date and Tim...

Page 7: ...d Finish 81 4 3 7 VPN Advanced Wizard Scenario 82 4 3 8 VPN Advanced Wizard Phase 1 Settings 83 4 3 9 VPN Advanced Wizard Phase 2 85 4 3 10 VPN Advanced Wizard Summary 86 4 3 11 VPN Advanced Wizard Finish 88 4 4 VPN Settings for Configuration Provisioning Wizard Wizard Type 89 4 4 1 Configuration Provisioning Express Wizard VPN Settings 89 4 4 2 Configuration Provisioning VPN Express Wizard Config...

Page 8: ...P Table Screen 109 5 2 7 Number of Login Users Screen 110 5 2 8 Current Login User 111 5 2 9 VPN Status 111 5 2 10 SSL VPN Status 111 5 3 The Advanced Threat Protection Screen 112 Part II Technical Reference 113 Chapter 6 Monitor 114 6 1 Overview 114 6 1 1 What You Can Do in this Chapter 114 6 2 The Port Statistics Screen 116 6 2 1 The Port Statistics Graph Screen 117 6 3 Interface Status Screen 1...

Page 9: ... 6 26 The SSL Screen 158 6 27 The L2TP over IPSec Screen 158 6 28 The Content Filter Screen 159 6 29 The App Patrol Screen 161 6 30 The Anti Malware Screen 162 6 31 The IDP Screen 164 6 32 The Email Security Screens 166 6 32 1 Email Security Summary 166 6 32 2 The Email Security Status Screen 168 6 33 The Botnet Filter Screen 170 6 34 The Sandboxing Screen 171 6 35 The SSL Inspection Screens 172 6...

Page 10: ...mic Channel Selection 203 8 7 2 Load Balancing 204 Chapter 9 Interfaces 205 9 1 Interface Overview 205 9 1 1 What You Can Do in this Chapter 205 9 1 2 What You Need to Know 205 9 1 3 What You Need to Do First 210 9 2 Port Role 210 9 3 Ethernet Summary Screen 211 9 3 1 Ethernet Edit 213 9 3 2 Proxy ARP 228 9 3 3 Virtual Interfaces 229 9 3 4 References 230 9 3 5 Add Edit DHCPv6 Request Release Optio...

Page 11: ... 295 Chapter 10 Routing 299 10 1 Policy and Static Routes Overview 299 10 1 1 What You Can Do in this Chapter 299 10 1 2 What You Need to Know 300 10 2 Policy Route Screen 301 10 2 1 Policy Route Edit Screen 303 10 3 IP Static Route Screen 308 10 3 1 Static Route Add Edit Screen 308 10 4 Policy Routing Technical Reference 310 10 5 Routing Protocols Overview 310 10 5 1 What You Need to Know 311 10 ...

Page 12: ...rview 340 13 1 1 HTTP Redirect 340 13 1 2 SMTP Redirect 340 13 1 3 What You Can Do in this Chapter 341 13 1 4 What You Need to Know 341 13 2 The Redirect Service Screen 343 13 2 1 The Redirect Service Edit Screen 344 Chapter 14 ALG 346 14 1 ALG Overview 346 14 1 1 What You Need to Know 346 14 1 2 Before You Begin 349 14 2 The ALG Screen 349 14 3 ALG Technical Reference 351 Chapter 15 UPnP 353 15 1...

Page 13: ...ite List Screen 368 17 3 1 Add Edit White List Rule 369 Chapter 18 DNS Inbound LB 371 18 1 DNS Inbound Load Balancing Overview 371 18 1 1 What You Can Do in this Chapter 371 18 2 The DNS Inbound LB Screen 372 18 2 1 The DNS Inbound LB Add Edit Screen 373 18 2 2 The DNS Inbound LB Add Edit Member Screen 375 Chapter 19 IPnP 377 19 1 IPnP Overview 377 19 1 1 What You Can Do in this Chapter 377 19 2 I...

Page 14: ...obal Setting Screen 419 Chapter 22 L2TP VPN 421 22 1 Overview 421 22 1 1 What You Can Do in this Chapter 421 22 1 2 What You Need to Know 421 22 2 L2TP VPN Screen 422 22 2 1 Example L2TP and Zyxel Device Behind a NAT Router 424 Chapter 23 BWM Bandwidth Management 426 23 1 Overview 426 23 1 1 What You Can Do in this Chapter 426 23 1 2 What You Need to Know 426 23 2 The Bandwidth Management Configur...

Page 15: ... Security Policy Control Add Edit Screen 481 25 5 Anomaly Detection and Prevention Overview 482 25 5 1 The Anomaly Detection and Prevention General Screen 483 25 5 2 Creating New ADP Profiles 484 25 5 3 Traffic Anomaly Profiles 485 25 5 4 Protocol Anomaly Profiles 488 25 6 The Session Control Screen 491 25 6 1 The Session Control Add Edit Screen 492 25 7 Security Policy Example Applications 493 Ch...

Page 16: ...28 2 Anti Malware Screen 526 28 2 1 Anti Malware Black List or White List Add Edit 529 28 3 Anti Malware Signature Searching 530 28 4 Anti Malware Technical Reference 531 Chapter 29 Botnet Filter 533 29 1 Overview 533 29 1 1 What You Can Do in this Chapter 533 29 2 Botnet Filter Screen 533 Chapter 30 IDP 537 30 1 Overview 537 30 1 1 What You Can Do in this Chapter 537 30 1 2 What You Need To Know ...

Page 17: ...Do in this Chapter 567 33 1 2 What You Need To Know 567 33 1 3 Before You Begin 568 33 2 The SSL Inspection Profile Screen 568 33 2 1 Apply to a Security Policy 569 33 2 2 Add Edit SSL Inspection Profiles 572 33 3 Exclude List Screen 573 33 4 Certificate Update Screen 575 33 5 Install a CA Certificate in a Browser 576 Chapter 34 Object 579 34 1 Zones Overview 579 34 1 1 What You Need to Know 579 3...

Page 18: ...633 34 8 2 The Schedule Screen 633 34 8 3 The Schedule Group Screen 636 34 9 AAA Server Overview 638 34 9 1 Directory Service AD LDAP 638 34 9 2 RADIUS Server 638 34 9 3 ASAS 639 34 9 4 What You Need To Know 639 34 9 5 Active Directory or LDAP Server Summary 641 34 9 6 RADIUS Server Summary 644 34 10 Auth Method Overview 647 34 10 1 Before You Begin 647 34 10 2 Example Selecting a VPN Authenticati...

Page 19: ...89 37 1 Overview 689 37 1 1 What You Can Do in this Chapter 689 37 2 Host Name 690 37 3 USB Storage 690 37 4 Date and Time 691 37 4 1 Pre defined NTP Time Servers List 694 37 4 2 Time Server Synchronization 694 37 5 Console Port Speed 695 37 6 DNS Overview 696 37 6 1 DNS Server Address Assignment 696 37 6 2 Configuring the DNS Screen 696 37 6 3 IPv6 Address Record 700 37 6 4 PTR Record 700 37 6 5 ...

Page 20: ...lnet Using SSH Examples 727 37 9 Telnet 728 37 9 1 Configuring Telnet 728 37 9 2 Service Control Rules 730 37 10 FTP 730 37 10 1 Configuring FTP 730 37 10 2 Service Control Rules 732 37 11 SNMP 732 37 11 1 SNMPv3 and Security 733 37 11 2 Supported MIBs 734 37 11 3 SNMP Traps 734 37 11 4 Configuring SNMP 734 37 11 5 Add SNMPv3 User 737 37 11 6 Service Control Rules 737 37 12 Authentication Server 7...

Page 21: ...ement Screen 771 39 3 3 Firmware Upgrade via USB Stick 774 39 4 The Shell Script Screen 774 Chapter 40 Diagnostics 777 40 1 Overview 777 40 1 1 What You Can Do in this Chapter 777 40 2 The Diagnostics Screens 777 40 2 1 The Diagnostics Collect Screen 778 40 2 2 The Diagnostics Collect on AP Screen 779 40 2 3 The Diagnostics Files Screen 780 40 3 The Packet Capture Screen 781 40 3 1 The Packet Capt...

Page 22: ...Chapter 42 Shutdown 801 42 1 Overview 801 42 1 1 What You Need To Know 801 42 2 The Shutdown Screen 801 Chapter 43 Troubleshooting 802 43 1 Resetting the Zyxel Device 814 43 2 Getting More Troubleshooting Help 814 Appendix A Customer Support 815 Appendix B Product Features 821 Appendix C Legal Information 825 Index 833 ...

Page 23: ...23 PART I User s Guide ...

Page 24: ...ailable for your Zyxel Device see Configuration Licensing Registration Service for services available for your Zyxel Device For Zyxel Devices that already have firmware version 4 25 or later you have to register your Zyxel Device and activate the corresponding service at myZyxel through your Zyxel Device For Zyxel Devices upgrading to firmware version 4 25 or later you may skip registering your Zy...

Page 25: ...e label at the back of the Zyxel Device s for details Figure 1 myZyxel Login 1 2 1 Grace Period SecuReporter and service licenses have a 15 day grace period after a license expires Services will continue to work in this period during which you will receive notifications to renew your license s New license s are valid for 1 year from the date of purchase 1 2 2 Applications These are some Zyxel Devi...

Page 26: ...outing You may also create IPv6 policy routes and IPv6 objects The Zyxel Device can also route IPv6 packets through IPv4 networks using different tunneling methods Figure 3 Applications IPv6 Routing VPN Connectivity Set up VPN tunnels with other companies branch offices telecommuters and business travelers to provide secure access to your network AS is an Authentication Server in the below figure ...

Page 27: ...etwork so he can access network resources in the same way as if he were part of the internal network Figure 5 SSL VPN With Full Tunnel Mode User Aware Access Control Set up security policies to restrict access to sensitive information and shared resources based on the user who is trying to access it In the following figure user A can access both the Internet and an internal file server User B has ...

Page 28: ...you can balance the traffic loads between them Figure 7 Applications Multiple WAN Interfaces 1 3 Management Overview You can manage the Zyxel Device in the following ways Web Configurator The Web Configurator allows easy Zyxel Device setup and management using an Internet browser This User s Guide provides information about the Web Configurator Figure 8 Managing the Zyxel Device Web Configurator ...

Page 29: ... CloudCNM screen see Section 37 15 on page 743 to enable and configure management of the Zyxel Device by a Central Network Management system Management Authentication Managers must be authenticated with a username and password using one of Local Zyxel Device authentication An external RADIUS server An external LDAP server Certificates 1 4 Web Configurator In order to use the Web Configurator you m...

Page 30: ...keep this setting The Login screen appears 3 Type the user name default admin and password default 1234 4 Click Login After you log in for the first time using the default user name and password you must change the default admin password in the Update Admin Info screen Enter a new password of from 1 to 64 characters In Configuration Object User Group Setting you can enable Password Complexity to r...

Page 31: ...e to proceed Note If you are using an Internet Explorer browser the Terms of Use will be downloaded automatically 6 The Network Risk Warning screen displays any unregistered or disabled security services If your Zyxel Device is not registered you will see a prompt to register it Select how often to display the screen and click OK ...

Page 32: ...ections in the Update Admin Info screen If you change the default password the Login screen appears after you click Apply If you click Ignore the Installation Setup Wizard opens if the ZyWALL is using its default configuration otherwise the dashboard appears Router enable Router Router configure terminal Router config Router config service register _setremind after 10 days after 180 days after 30 ...

Page 33: ... bar icons in the upper right corner provide the following functions A C B Table 3 Title Bar Web Configurator Icons LABEL DESCRIPTION Logout Click this to log out of the Web Configurator Help Click this to open the help page for the current screen Forum Click this to go to the forum website for product discussions About Click this to display basic information about the Zyxel Device Site Map Click ...

Page 34: ...s Click this to check which configuration items reference an object CLI Click this to open a popup window that displays the CLI commands sent by the Web Configurator to the Zyxel Device Table 4 About LABEL DESCRIPTION Current Version This shows the firmware version of the Zyxel Device Released Date This shows the date yyyy mm dd and time hh mm ss when the firmware is released OK Click this to clos...

Page 35: ...t Figure 12 Reference The fields vary with the type of object This table describes labels that can appear in this screen Table 5 Reference LABEL DESCRIPTION Type Select an object type to see the services Name This identifies the object for which the configuration settings that use it are displayed Click the object s name to display the object s configuration screen in the main window This field is...

Page 36: ...lowing sections introduce the Zyxel Device s navigation panel menus and their screens Service This is the type of setting that references the selected object Click a service s name to display the service s configuration screen in the main window Priority If it is applicable this field lists the referencing configuration item s position in its list otherwise N A displays Name This field identifies ...

Page 37: ...ummary Displays general interface information and packet statistics Traffic Statistics Traffic Statistics Collect and display traffic statistics Session Monitor Session Monitor Displays the status of all current sessions Login Users Login Users Lists the users currently logged into the Zyxel Device IGMP Statistics IGMP Statistics Collect and display IGMP statistics DDNS Status DDNS Status Displays...

Page 38: ...the most wireless traffic usage Single Station Lists wireless traffic usage for an associated wireless station Detected Device Detected Device Display information about suspected rogue APs VPN Monitor IPSec IPSec Displays and manages the active IPSec SAs SSL SSL Lists users currently logged into the VPN SSL client portal You can also log out individual users and delete related session information ...

Page 39: ...d load balancing settings Firmware Update the firmware on APs connected to your Zyxel Device MON Profile Rogue Friendly AP List Configure how the Zyxel Device monitors rogue APs Auto Healing Auto Healing Enable auto healing to extend the wireless service coverage area of the managed APs when one of the APs fails RTLS Real Time Location System Use the managed APs as part of an Ekahau RTLS to track ...

Page 40: ...ancing Configure DNS Load Balancing IPnP IPnP Enable IPnP on the Zyxel Device and the internal interface s VPN IPSec VPN VPN Connection Configure IPSec tunnels VPN Gateway Configure IKE tunnels Concentrator Combine IPSec VPN connections into a single secure network Configuration Provisioning Set who can retrieve VPN rule settings from the Zyxel Device using the Zyxel Device IPSec VPN Client SSL VP...

Page 41: ... IDP settings Create import or export custom signatures Sandboxing Sandboxing Enable sandboxing and specify the actions the Zyxel Device takes when malicious or suspicious files are detected SSL Inspection Profile Decrypt HTTPS traffic for Security Service inspection Create SSL Inspection template s of settings to apply to a traffic flow using a security policy Exclude List Configure services to b...

Page 42: ...e and configure management of the Zyxel Device by a Central Network Management system SecuReporter Enable SecuReporter logging and access the SecuReporter security analytics portal that collects and analyzes logs from your Zyxel Device in order to identify anomalies alert on potential internal external threats and report on network usage System Host Name Host Name Configure the system and domain n...

Page 43: ... current firmware version and upload firmware Reboot with your choice of firmware Shell Script Manage and run shell script files for the Zyxel Device Diagnostics Diagnostics Collect Collect on AP Files Collect diagnostic information Packet Capture Capture packets for analysis CPU Memory Status View CPU and memory usage statistics System Log Connect a USB device to the Zyxel Device and archive the ...

Page 44: ... do Sort in ascending or descending reverse alphabetical order Select which columns to display Group entries by field Show entries in groups Filter by mathematical operators or or searching for text Figure 16 Common Table Column Options Select a column heading cell s right border and drag to re size the column Figure 17 Resizing a Table Column Select a column heading and drag and drop it to change...

Page 45: ...or select it and click Edit to open a screen where you can modify the entry s settings In some tables you can just click a table entry and edit it directly in the table For those types of tables small red triangles display for table entries with changes that you have not yet applied Remove To remove an entry select it and click Remove The Zyxel Device confirms you want to remove it before doing so...

Page 46: ... entries displays next to a list of selected entries you can often just double click an entry to move it from one list to the other In some lists you can also use the Shift or Ctrl key to select multiple entries and then use the arrow button to move them to the other list Figure 21 Working with Lists ...

Page 47: ...e the corresponding service at myZyxel through your Zyxel Device This chapter provides information on configuring the Web Configurator s Initial Setup Wizard See the feature specific chapters in this User s Guide for background information Click the double arrow in the upper right corner to display or hide the help Click Logout to exit the Initial Setup Wizard or click Next to continue the wizard ...

Page 48: ...which this interface and Internet connection belong IP Address Assignment Select Auto if your ISP did not assign you a fixed IP address Select Static if the ISP assigned a fixed IP address Figure 23 Internet Access 2 1 2 Internet Access Ethernet This screen is read only if you set the previous screen s IP Address Assignment field to Auto If you set the previous screen s IP Address Assignment field...

Page 49: ...erface you re using for the WAN connection on the Zyxel Device should be orange If your Zyxel Device was not able to obtain an IP address check that your Internet access information uses DHCP as the WAN connection type If it fails again check with your Internet service provider or administrator for correct WAN settings If your Zyxel Device was not able to use the IP address entered check that you ...

Page 50: ...lds display if you selected static IP address assignment The Domain Name System DNS maps a domain name to an IP address and vice versa Enter a DNS server s IP address es The DNS server is extremely important because without it you must know the IP address of a computer before you can access it The Zyxel Device uses these in the order you specify here to resolve domain names for VPN DDNS and the ti...

Page 51: ...n be up to 31 characters long Type the Password associated with the user name Use up to 64 ASCII characters except the and This field can be blank Re type your password in the next field to confirm it Select Nailed Up if you do not want the connection to time out Otherwise type the Idle Timeout in seconds that elapses before the router automatically disconnects from the PPTP server 2 1 4 2 PPTP Co...

Page 52: ...ice versa Enter a DNS server s IP address es The DNS server is extremely important because without it you must know the IP address of a computer before you can access it The Zyxel Device uses these in the order you specify here to resolve domain names for VPN DDNS and the time server Leave the field as 0 0 0 0 if you do not want to configure DNS servers 2 1 4 4 Possible Errors Check that you re us...

Page 53: ...only MSCHAP V2 Your Zyxel Device accepts MSCHAP V2 only Type the User Name given to you by your ISP You can use alphanumeric and _ characters and it can be up to 31 characters long Type the Password associated with the user name Use up to 64 ASCII characters except the and This field can be blank Select Nailed Up if you do not want the connection to time out Otherwise type the Idle Timeout in seco...

Page 54: ... server s IP address es The DNS server is extremely important because without it you must know the IP address of a computer before you can access it The Zyxel Device uses these in the order you specify here to resolve domain names for VPN DDNS and the time server Leave the field as 0 0 0 0 if you do not want to configure DNS servers 2 1 5 4 Possible Errors Check that you re using the correct L2PT ...

Page 55: ...L2TP Encapsulation 2 1 6 Internet Access Setup Second WAN Interface If you selected I have two ISPs after you configure the First WAN Interface you can configure the Second WAN Interface The screens for configuring the second WAN interface are similar to the first see Section 2 1 1 on page 47 ...

Page 56: ...You have set up your Zyxel Device to access the Internet A screen displays with your settings Click Connection Test to check that you can access the Internet If you cannot click Back and confirm that you entered the settings correctly If you have check that you got the correct settings from your ISP or network administrator Figure 29 Internet Access Summary ...

Page 57: ...and whether Daylight Savings is in effect in that time zone If your Zyxel Device cannot get the correct date and time it may not able to connect to a time server Check that the Zyxel Device has Internet access then click Sync Now Figure 30 Date and Time Settings 2 1 9 Register Device Click the Register button in this screen to register your device at portal myzyxel com Note The Zyxel Device must b...

Page 58: ...yxel Device s serial number and LAN MAC address to register it at myZyxel if you have not already done so Refer to the label at the back of the Zyxel Device s for details Figure 32 myZyxel Login Click Refresh or use the Configuration Licensing Registration screen to update your Zyxel Device registration status ...

Page 59: ...ention to use signatures for Intrusion Detection and Prevention attacks Geo Enforcer to access a database of country to IP address mappings Sandboxing to specify the actions the Zyxel Device takes when malicious or suspicious files are detected Managed AP Service to manage more APs than the default for your Zyxel Device when the AP controller is enabled Click Refresh and wait a few moments for the...

Page 60: ... or disable the following features in this screen Botnet Filter Use this feature to detect and block connection attempts to or from the C C server or known botnet IP addresses Anti Malware Use this feature to protect your connected network from virus spyware infection IDP Use this feature to detect malicious or suspicious packets and respond instantaneously ...

Page 61: ... Patrol Use this feature to manage the use of various applications on the network Email Security Use this feature to mark or discard spam unsolicited commercial or junk email Figure 36 Service Settings 2 1 12 Wireless Settings AP Controller The Zyxel Device can act as an AP Controller that can manage APs in the same network as the Zyxel Device Select Yes if you want your Zyxel Device to manage APs...

Page 62: ...s option if you want to hide the SSID in the outgoing beacon frame A wireless client then cannot obtain the SSID through scanning using a site survey tool Enable Intra BSS Traffic Blocking Select this option if you want to prevent crossover traffic from within the same SSID Wireless clients can still access the wired network but cannot communicate with each other For Built in Wireless AP Only Brid...

Page 63: ...yWALL ATP Series User s Guide 63 Figure 39 Remote Management HTTPS is added to the Default_Allow_WAN_to_ZyWALL rule in Object Service Service Group screen when you enable Remote Management Figure 40 Object Service Service Group HTTPS ...

Page 64: ...1 ATP200 Front Panel Figure 42 ATP500 Front Panel Figure 43 ATP800 Front Panel The following table describes the front panel LEDs Table 10 LED Descriptions LED COLOR STATUS DESCRIPTION PWR Off The Zyxel Device is turned off Green On The Zyxel Device is turned on Red On There is a hardware component failure Shut down the device wait for a few minutes and then restart the device If the LED turns red...

Page 65: ...ps Green Off There is no connection on this port On This port has a successful 10 100 Mbps link Blinking The Zyxel Device is sending or receiving packets on this port at 10 100 Mbps Table 11 Front Panel Ports LABEL DESCRIPTION RESET Press the button in for about 5 seconds or until the SYS LED starts to blink then release it to return the Zyxel Device to the factory defaults password is 1234 LAN IP...

Page 66: ... port to manage the Zyxel Device using CLI commands You will be prompted to enter your user name and password See the Command Reference Guide for more information about the CLI When configuring using the console port you need a computer equipped with communications software configured to the following parameters Speed 115200 bps Data Bits 8 Parity None Stop Bit 1 Flow Control Off Power Use the inc...

Page 67: ...sides and 20 cm in the rear Use a 2 Phillips screwdriver to install the screws Note Failure to use the proper screws may damage the unit 1 Align one bracket with the holes on one side of the Zyxel Device and secure it with the included bracket screws smaller than the rack mounting screws 2 Attach the other bracket in a similar fashion 3 After attaching both mounting brackets position the Zyxel Dev...

Page 68: ...Zyxel Device with the connection cables 3 Use the holes on the bottom of the Zyxel Device to hang the Zyxel Device on the screws Wall mount the Zyxel Device horizontally The Zyxel Device s side panels with ventilation slots should not be facing up or down as this position is less safe Figure 47 Wall Mounting 3 3 Default Zones Interfaces and Ports The default configurations for zones interfaces and...

Page 69: ... PORT INTERFACE P1 P2 P3 P4 P5 P6 P7 P8 ATP500 ge1 ge2 ge3 ge4 ge5 ge6 ge7 ge8 ATP200 sfp wan wan lan1 lan1 lan1 lan1 Table 14 Default Physical Port Interface Mapping ATP800 PORT INTERFACE P1 P2 P3 P4 P5 P6 P7 P8 P9 P10 P11 P12 P13 P14 ATP800 ge1 ge2 ge3 ge4 ge5 ge6 ge7 ge8 ge9 ge10 ge11 ge12 ge13 ge14 Table 15 Default Zone Interface Mapping ZONE INTERFACE WAN LAN1 LAN2 DMZ OPT NO DEFAULT ZONE ATP...

Page 70: ...o open a wizard to set up a WAN Internet connection This wizard creates matching ISP account settings in the Zyxel Device if you use PPPoE or PPTP See Section 4 2 on page 71 VPN Setup Use VPN Setup to configure a VPN Virtual Private Network rule for a secure connection to another computer or network Use VPN Settings for Configuration Provisioning to set up a VPN rule that can be retrieved with the...

Page 71: ...e Quick Setup Click WAN Interface in the main Quick Setup screen to open the WAN Interface Quick Setup Wizard Welcome screen Use these screens to configure an interface to connect to the Internet Click Next Figure 49 WAN Interface Quick Setup Wizard 4 2 1 Choose an Ethernet Interface Select a WAN interface names vary by model that you want to configure for a WAN connection and click Next ...

Page 72: ...TP for a dial up connection according to the information from your ISP Figure 51 WAN Interface Setup Step 2 The screens vary depending on what encapsulation type you use Refer to information provided by your ISP to know what to enter in each field Leave a field blank if you don t have that information Note Enter the Internet access information exactly as your ISP gave it to you 4 2 3 Configure WAN...

Page 73: ...assign you a fixed IP address Select Static if you have a fixed IP address and enter the IP address subnet mask gateway IP address optional and DNS server IP address es 4 2 4 ISP and WAN and ISP Connection Settings Use this screen to configure the ISP and WAN interface settings This screen is read only if you select Ethernet and set the IP Address Assignment to Auto If you set the IP Address Assig...

Page 74: ...Chapter 4 Quick Setup Wizards ZyWALL ATP Series User s Guide 74 Figure 54 WAN and ISP Connection Settings PPTP Figure 55 WAN and ISP Connection Settings PPPoE ...

Page 75: ...SCHAP only MSCHAP V2 Your Zyxel Device accepts MSCHAP V2 only User Name Type the user name given to you by your ISP You can use alphanumeric and _ characters and it can be up to 31 characters long Password Type the password associated with the user name above Use up to 64 ASCII characters except the and This field can be blank Retype to Confirm Type your password again for confirmation Nailed Up S...

Page 76: ...ternet connection will belong IP Address This field is read only when the WAN interface uses a dynamic IP address If your WAN interface uses a static IP address enter it in this field IP Subnet Mask If your WAN interface uses Ethernet encapsulation with a static IP address enter the subnet mask in this field Gateway IP Address Type the IP address of the Ethernet device connected to this WAN port F...

Page 77: ...Address Assignment This field displays whether the WAN IP address is static or dynamic Auto IP Address This field displays the current IP address of the Zyxel Device WAN interface selected in this wizard IP Subnet Mask This field displays the subnet mask of the Zyxel Device WAN interface selected in this wizard Gateway IP Address This field displays the IP address of the Ethernet device connected ...

Page 78: ... VPN Settings for L2TP VPN Settings sets up a L2TP VPN rule that the Zyxel Device IPSec L2TP VPN client can retrieve Figure 59 VPN Setup Wizard Welcome 4 3 2 VPN Setup Wizard Wizard Type Choose Express to create a VPN rule with the default phase 1 and phase 2 settings to connect to another ZLD based Zyxel Device using a pre shared key Choose Advanced to change the default settings and or use certi...

Page 79: ...o existing enterprise authentication systems Scenario Rule Name Type the name used to identify this VPN connection and VPN gateway You may use 1 31 alphanumeric characters underscores _ or dashes but the first character cannot be a number This value is case sensitive Select the scenario that best describes your intended VPN connection The figure on the left of the screen changes to match the scena...

Page 80: ...e the same password Use 8 to 31 case sensitive ASCII characters or 8 to 31 pairs of hexadecimal 0 9 A F characters Proceed a hexadecimal key with 0x You will receive a PYLD_MALFORMED payload malformed packet if the same pre shared key is not used on both ends Local Policy IP Mask Type the IP address of a computer on your network that can use the tunnel You can also specify a subnet This must match...

Page 81: ...ote IPSec device that can use the tunnel If this field displays Any only the remote IPSec device can initiate the VPN connection Copy and paste the Configuration for Secure Gateway commands into another ZLD based Zyxel Device s command line interface to configure it to serve as the other end of this VPN tunnel You can also use a text editor to save these commands as a shell script file with a zysh...

Page 82: ...er s Guide 82 Figure 64 VPN Express Wizard Finish Click Close to exit the wizard 4 3 7 VPN Advanced Wizard Scenario Click the Advanced radio button as shown in Figure 60 on page 78 to display the following screen Figure 65 VPN Advanced Wizard Scenario ...

Page 83: ...nsitive Select the scenario that best describes your intended VPN connection The figure on the left of the screen changes to match the scenario you select Site to site The remote IPSec device has a static IP address or a domain name This Zyxel Device can initiate the VPN tunnel Site to site with Dynamic Peer The remote IPSec device has a dynamic IP address Only the remote IPSec device can initiate...

Page 84: ...e same secret key which can be used to encrypt and decrypt the message or to generate and verify a message authentication code The DES encryption algorithm uses a 56 bit key Triple DES 3DES is a variation on DES that uses a 168 bit key As a result 3DES is more secure than DES It also requires more processing power resulting in increased latency and decreased throughput AES128 uses a 128 bit key an...

Page 85: ...ansport is not Encryption Algorithm 3DES and AES use encryption The longer the AES key the higher the security this may affect throughput Null uses no encryption Authentication Algorithm MD5 gives minimal security and SHA512 gives the highest security MD5 Message Digest 5 and SHA Secure Hash Algorithm are hash algorithms used to authenticate packet data The stronger the algorithm the slower it is ...

Page 86: ...ires 4 3 10 VPN Advanced Wizard Summary This is a read only summary of the VPN tunnel settings Figure 68 VPN Advanced Wizard Summary Rule Name Identifies the VPN connection and the VPN gateway Secure Gateway IP address or domain name of the remote IPSec device Pre Shared Key VPN tunnel password Certificate The certificate the Zyxel Device uses to identify itself when setting up the VPN tunnel Loca...

Page 87: ...he stronger the algorithm the slower it is MD5 gives minimal security SHA1 gives higher security SHA256 gives the highest security Key Group This displays the Diffie Hellman DH key group used DH5 is more secure than DH1 or DH2 although it may affect throughput DH1 uses a 768 bit random number DH2 uses a 1024 bit 1Kb random number DH5 uses a 1536 bit random number Phase 2 Active Protocol This displ...

Page 88: ...Device s command line interface Click Save to save the VPN rule 4 3 11 VPN Advanced Wizard Finish Now the rule is configured on the Zyxel Device The Phase 1 rule settings appear in the VPN IPSec VPN VPN Gateway screen and the Phase 2 rule settings appear in the VPN IPSec VPN VPN Connection screen Figure 69 VPN Wizard Finish Click Close to exit the wizard ...

Page 89: ...lowing settings AH active protocol NULL encryption SHA512 authentication A subnet or range remote policy Choose Express to create a VPN rule with the default phase 1 and phase 2 settings and to use a pre shared key Choose Advanced to change the default settings and or use certificates instead of a pre shared key in the VPN rule Figure 70 VPN Settings for Configuration Provisioning Express Wizard W...

Page 90: ...tended Authentication Protocol EAP authentication and IKEv1 supports X Auth EAP is important when connecting to existing enterprise authentication systems Rule Name Type the name used to identify this VPN connection and VPN gateway You may use 1 31 alphanumeric characters underscores _ or dashes but the first character cannot be a number This value is case sensitive Application Scenario Only the R...

Page 91: ...s or 8 to 31 pairs of hexadecimal 0 9 A F characters Proceed a hexadecimal key with 0x You will receive a PYLD_MALFORMED payload malformed packet if the same pre shared key is not used on both ends Local Policy IP Mask Type the IP address of a computer on your network You can also specify a subnet This must match the remote IP address configured on the remote IPSec device Remote Policy IP Mask Any...

Page 92: ...vice that can be accessed using the tunnel Remote Policy Any displays in this field because it is not configurable in this wizard The Configuration for Secure Gateway displays the configuration that the Zyxel Device IPSec VPN Client will get from the Zyxel Device Click Save to save the VPN rule 4 4 4 VPN Settings for Configuration Provisioning Express Wizard Finish Now the rule is configured on th...

Page 93: ...N for Configuration Provisioning Express Wizard Finish Click Close to exit the wizard 4 4 5 VPN Settings for Configuration Provisioning Advanced Wizard Scenario Click the Advanced radio button as shown in the screen shown in Figure 70 on page 89 to display the following screen ...

Page 94: ... connecting to existing enterprise authentication systems Rule Name Type the name used to identify this VPN connection and VPN gateway You may use 1 31 alphanumeric characters underscores _ or dashes but the first character cannot be a number This value is case sensitive Application Scenario Only the Remote Access Server Role is allowed in this wizard It allows incoming connections from the Zyxel ...

Page 95: ... and verify a message authentication code The DES encryption algorithm uses a 56 bit key Triple DES 3DES is a variation on DES that uses a 168 bit key As a result 3DES is more secure than DES It also requires more processing power resulting in increased latency and decreased throughput AES128 uses a 128 bit key and is faster than 3DES AES192 uses a 192 bit key and AES256 uses a 256 bit key Authent...

Page 96: ...iates the IKE SA A short SA life time increases security but renegotiation temporarily disconnects the VPN tunnel Perfect Forward Secrecy PFS Disabling PFS allows faster IPSec setup but is less secure Select DH1 DH2 or DH5 to enable PFS DH5 is more secure than DH1 or DH2 although it may affect throughput DH1 refers to Diffie Hellman Group 1 a 768 bit random number DH2 refers to Diffie Hellman Grou...

Page 97: ...ard It allows incoming connections from the Zyxel Device IPSec VPN Client Pre Shared Key VPN tunnel password Local Policy IP address and subnet mask of the computers on the network behind your Zyxel Device that can use the tunnel Remote Policy Any displays in this field because it is not configurable in this wizard Phase 1 Negotiation Mode This displays Main or Aggressive Main encrypts the ZyWALL ...

Page 98: ...llman DH key group used DH5 is more secure than DH1 or DH2 although it may affect throughput DH1 uses a 768 bit random number DH2 uses a 1024 bit 1Kb random number DH5 uses a 1536 bit random number Phase 2 Active Protocol This displays ESP compatible with NAT or AH Encapsulation This displays Tunnel compatible with NAT or Transport Encryption Algorithm This displays the encryption method used The ...

Page 99: ...N IPSec VPN VPN Connection screen Enter the IP address of the Zyxel Device in the Zyxel Device IPSec VPN Client to get all these VPN settings automatically from the Zyxel Device Figure 79 VPN for Configuration Provisioning Advanced Wizard Finish Click Close to exit the wizard 4 5 VPN Settings for L2TP VPN Settings Wizard Use VPN Settings for L2TP VPN Settings to set up an L2TP VPN rule Click Confi...

Page 100: ...Figure 81 VPN Settings for L2TP VPN Settings Wizard L2TP VPN Settings Rule Name Type the name used to identify this L2TP VPN connection and L2TP VPN gateway You may use 1 31 alphanumeric characters underscores _ or dashes but the first character cannot be a number This value is case sensitive My Address interface Select one of the interfaces from the pull down menu to apply the L2TP VPN rule ...

Page 101: ...irst DNS Server Optional Enter the first DNS server IP address in the field Leave the filed as 0 0 0 0 if you do not want to configure DNS servers If you do not configure a DNS server you must know the IP address of a machine in order to access it Second DNS Server Optional Enter the second DNS server IP address in the field Leave the filed as 0 0 0 0 if you do not want to configure DNS servers If...

Page 102: ...y displays in this field because it is not configurable in this wizard It allows incoming connections from the L2TP VPN Client Pre Shared Key L2TP VPN tunnel password My Address Interface This displays the interface to use on your Zyxel Device for the L2TP tunnel IP Address Pool This displays the IP address pool used to assign to the L2TP VPN clients Click Save to complete the L2TP VPN Setting and...

Page 103: ...P VPN Setting Wizard Completed Figure 84 VPN Settings for L2TP VPN Settings Wizard Finish Now the rule is configured on the Zyxel Device The L2TP VPN rule settings appear in the Configuration VPN L2TP VPN screen and also in the Configuration VPN IPSec VPN VPN Connection and VPN Gateway screen ...

Page 104: ...P Table Screen on page 109 Number of Login Users Screen on page 110 Current Login User on page 111 VPN Status on page 111 SSL VPN Status on page 111 The Advanced Threat Protection Screen on page 112 5 2 The General Screen The Dashboard screen displays when you log into the Zyxel Device or click Dashboard in the navigation panel The dashboard displays general device information system status system...

Page 105: ...er your cursor over a connected interface or slot Name This field displays the name of each interface Status This field displays the current status of each interface or device installed in a slot The possible values depend on what type of interface it is Inactive The Ethernet interface is disabled Down The Ethernet interface does not have any physical ports associated with it or the Ethernet inter...

Page 106: ...management IP address if it is a backup Table 17 Dashboard continued LABEL DESCRIPTION Table 18 Dashboard Device Information LABEL DESCRIPTION System Name This field displays the name used to identify the Zyxel Device on any network Click the link and open the Host Name screen where you can edit and make changes to the system and domain name Serial Number This field displays the serial number of t...

Page 107: ...nfiguration This occurs when the Zyxel Device starts for the first time or you intentionally reset the Zyxel Device to the system default settings Fallback to lastgood configuration The Zyxel Device was unable to apply the startup config conf configuration file and fell back to the lastgood conf configuration file Fallback to system default configuration The Zyxel Device was unable to apply the la...

Page 108: ...of transmission or reception Time The x axis shows the time period over which the transmission or reception occurred Table 21 Dashboard The Lastest Logs LABEL DESCRIPTION This is the entry s rank in the list of alert logs Time This field displays the date and time the log was created Priority This field displays the severity of the log Category This field displays the type of log generated Message...

Page 109: ...sage icon that takes you to a chart of the Zyxel Device s recent memory usage Flash Usage This field displays what percentage of the Zyxel Device s onboard flash memory is currently being used USB Storage Usage This field shows how much storage in the USB device connected to the Zyxel Device is in use Active Sessions This field shows how many sessions established and non established that pass thro...

Page 110: ...iption you configured shows here This field is blank for dynamic DHCP entries Reserve If this field is selected this entry is a static DHCP entry The IP address is reserved for the MAC address If this field is clear this entry is a dynamic DHCP entry The IP address is assigned to a DHCP client To create a static DHCP entry using an existing dynamic DHCP entry select this field and then click Apply...

Page 111: ...r accounts the Zyxel Device uses If the user type is ext user external user this field will show its external group information when you move your mouse over it If the external user matches two external group objects both external group object names will be shown Force Logout Click this icon to end a user s session Table 24 Dashboard Number of Login Users LABEL DESCRIPTION Table 25 Dashboard VPN S...

Page 112: ...mber of scanned traffic The number of the scanned connections for botnet filtering The number of the scanned files for sandboxing The number of the scanned connections for IDP The number of the scanned emails for email security The number of the scanned sites for content filtering Top 5 applications that are used the most Top 5 URLs that are detected the most Botnet filtering reports Sandboxing re...

Page 113: ...113 PART II Technical Reference ...

Page 114: ...Binding screen Section 6 9 on page 128 to view a list of devices that have received an IP address from Zyxel Device interfaces with IP MAC binding enabled Use the System Status Login Users screen Section 6 6 on page 126 to look at a list of the users currently logged into the Zyxel Device Use the System Status Cellular Status screen Section 6 10 on page 129 to check your mobile broadband connectio...

Page 115: ...itor L2TP over IPSec screen see Section 6 27 on page 158 to display and manage the Zyxel Device s connected L2TP VPN sessions Use the Security Statistics Content Filter screen Section 6 28 on page 159 to start or stop data collection and view content filter statistics Use the Security Statistics App Patrol screen see Section 6 29 on page 161 to start or stop data collection and view virus statisti...

Page 116: ...ys the physical port number Status This field displays the current status of the physical port Down The physical port is not connected Speed Duplex The physical port is connected This field displays the port speed and duplex setting Full or Half TxPkts This field displays the number of packets transmitted from the Zyxel Device on the physical port since it was last connected RxPkts This field disp...

Page 117: ...dow to be automatically updated Refresh Now Click this to update the information in the window right away Port Selection Select the number of the physical port for which you want to display graphics Switch to Grid View Click this to display the port statistics as a table bps The y axis represents the speed of transmission or reception time The x axis shows the time period over which the transmissi...

Page 118: ...Each field is described in the following table Table 28 Monitor System Status Interface Summary LABEL DESCRIPTION Interface Status If an Ethernet interface does not have any physical ports associated with it its entry is displayed in light gray text Name This field displays the name of each interface If there is an Expand icon plus sign next to the name click this to look at the status of virtual ...

Page 119: ...displays the zone to which the interface is assigned IP Addr Netmask This field displays the current IP address and subnet mask assigned to the interface If the IP address and subnet mask are 0 0 0 0 the interface is disabled or did not receive an IP address and subnet mask via DHCP If this interface is a member of an active virtual router this field displays the IP address it is currently using T...

Page 120: ... interface is enabled but not connected Speed Duplex The Ethernet interface is enabled and connected This field displays the port speed and duplex setting Full or Half For cellular mobile broadband interfaces see Section 6 12 on page 134 the Web Help for the status that can appear For the auxiliary interface Inactive The auxiliary interface is disabled Connected The auxiliary interface is enabled ...

Page 121: ...server Click Connect to try to connect a PPPoE PPTP interface If the interface cannot use one of these ways to get or to update its IP address this field displays n a Interface Statistics This table provides packet statistics for each interface Refresh Click this button to update the information in the screen Name This field displays the name of each interface If there is a Expand icon plus sign n...

Page 122: ...e Hits displays the most visited Web sites and how many times each one has been visited Country displays the countries with the most traffic and the amount of traffic for each one Each type of report has different information in the report below Refresh Click this button to update the report display Flush Data Click this button to discard all of the screen s statistics and update the report displa...

Page 123: ... The maximum number of domain names in this report is indicated in Table 30 on page 123 Hits This field displays how many hits the Web site received The Zyxel Device counts hits by counting HTTP GET packets Many Web sites have HTTP GET references to other Web sites and the Zyxel Device counts these as hits too The count starts over at zero if the number of hits passes the hit count limit See Table...

Page 124: ...Session Monitor The following table describes the labels in this screen Table 31 Monitor System Status Session Monitor LABEL DESCRIPTION View Select how you want the established sessions that passed through the Zyxel Device to be displayed Choices are sessions by users display all active sessions grouped by user sessions by services display all active sessions grouped by service or protocol sessio...

Page 125: ... use these buttons to forcibly terminate selected TCP UDP connections Select one or multiple connections and then click Clear click Clear All to terminate all connections displayed Cleared sessions display in the Log View Log screen This field is the rank of each record The names are sorted by the name of user in active session You can use the pull down menu on the right to choose sorting method U...

Page 126: ...l account of time the account authenticated by an external server can use to log into the Zyxel Device or access the Internet through the Zyxel Device This shows unlimited for an administrator account Type This field displays the way the user logged in to the Zyxel Device IP Address This field displays the IP address of the computer used to log in to the Zyxel Device Country The Internet Assigned ...

Page 127: ...ed for this user login A displays if accounting is not enabled for this login RADIUS Profile Name This field displays the name of the RADIUS profile used to authenticate the login through the captive portal N A displays for logins that do not use the captive portal and RADIUS server authentication Refresh Click this button to update the information in the screen Table 32 Monitor System Status Logi...

Page 128: ...Status DDNS Status LABEL DESCRIPTION Update Click this to have the Zyxel Device update the profile to the DDNS server The Zyxel Device attempts to resolve the IP address for the domain name This field is a sequential value and it is not associated with a specific DDNS server Profile Name This field displays the descriptive profile name for this entry Domain Name This field displays each domain nam...

Page 129: ...hich devices it has assigned an IP address This field is a sequential value and it is not associated with a specific IP MAC binding entry IP Address This is the IP address that the Zyxel Device assigned to a device Host Name This field displays the name used to identify this device on the network the computer name The Zyxel Device learns these from the DHCP client requests MAC Address This field d...

Page 130: ...his to display more information on your mobile broadband such as the signal strength IMEA ESN and IMSI This is only available when the mobile broadband device attached and activated on your Zyxel Device Refer to Section 6 10 1 on page 132 This field is a sequential value and it is not associated with any interface Extension Slot This field displays where the entry s cellular card is located Connec...

Page 131: ...ntered an incorrect device code Device unlocked You entered the correct device code and unlocked a CDMA2000 mobile broadband device Get dev info fail The Zyxel Device cannot get cellular device information Get dev info ok The Zyxel Device succeeded in retrieving mobile broadband device information Searching network The mobile broadband device is searching for a network Get signal fail The mobile b...

Page 132: ...ies depending on the mobile broadband card you inserted and could be UMTS UMTS HSDPA GPRS or EDGE when you insert a GSM mobile broadband card or 1xRTT EVDO Rev 0 or EVDO Rev A when you insert a CDMA mobile broadband card Signal Quality This displays the strength of the signal The signal strength mainly depends on the antenna output power and the distance between your Zyxel Device and the service p...

Page 133: ...h mainly depends on the antenna output power and the distance between your Zyxel Device and the service provider s base station Device Manufacturer This shows the name of the company that produced the mobile broadband device Device Model This field displays the model name of the cellular card Device Firmware This shows the software version of the mobile broadband device Device IMEI ESN IMEI Intern...

Page 134: ...N If the field displays 0 the Zyxel Device ignores the Internal Port value and forwards requests on all external port numbers that are otherwise unmapped to the Internal Client Protocol This field displays the protocol of the NAT mapping rule TCP or UDP Internal Port This field displays the port number on the Internal Client to which the Zyxel Device should forward incoming connection requests Int...

Page 135: ...ilesystem This field displays what file system the USB storage device is formatted with This field displays Unknown if the file system of the USB storage device is not supported by the Zyxel Device such as NTFS Speed This field displays the connection speed the USB storage device supports Status Ready you can have the Zyxel Device use the USB storage device Click Remove Now to stop the Zyxel Devic...

Page 136: ...d For Zyxel Devices that support Port Role if ports 3 to 5 are grouped together and there is a connection to P5 only the Zyxel Device will display P3 as the interface port number even though there is no connection to that port Model Name This field displays the model name of the discovered device System Name This field displays the system name of the discovered device Firmware Version This field d...

Page 137: ...cessing the website Figure 111 Monitor System Status FQDN Object The following table describes the fields in the previous screen Table 41 Monitor System Status FQDN Object LABEL DESCRIPTION IPv4 FQDN Object Cache List You must first configure IPv4 FQDN objects in Configuration Object Address Geo IP in the IPv4 Address Configuration field FQDN Object Select a previously created object from the drop...

Page 138: ...the Zyxel Device holds IP address FQDN object mapping in its cache The mapping is updated when the TTL Time To Live setting expires Refresh Click this button to update the information in the screen Table 41 Monitor System Status FQDN Object LABEL DESCRIPTION Table 42 Monitor Wireless AP Information AP List LABEL DESCRIPTION Config AP Select an AP and click this to change the selected AP s group ra...

Page 139: ...s N A not applicable only when the AP disconnects from the Zyxel Device and the information is unavailable as a result Group This displays the name of the AP group to which the AP belongs Station This field displays the station count information Recent On line Time This field displays the latest date and time that the AP was logged on Registration This field displays the registration information o...

Page 140: ... adapter and or through a PoE switch injector using IEEE 802 3at PoE plus The PoE device that supports IEEE 802 3at PoE Plus can supply power of up to 30W per Ethernet port Limited the AP receives power through a PoE switch injector using IEEE 802 3af PoE even when it is also connected to a power source using a power adaptor The PoE device that supports IEEE 802 3af PoE can supply power of up to 1...

Page 141: ...Monitor Wireless AP Information AP List More Information LABEL DESCRIPTION Configuration Status This displays whether or not any of the AP s configuration is in conflict with the Zyxel Device s settings for the AP Non Support If any of the AP s configuration conflicts with the Zyxel Device s settings for the AP this field displays which configuration conflicts It displays n a if none of the AP s c...

Page 142: ...ys the model name of the discovered device System Name This field displays the system name of the discovered device Firmware Version This field displays the firmware version of the discovered device Port Description This field displays the first internal port on the discovered device Internal is an interface type displayed in the Network Interface Ethernet Edit screen For example if P1 and P2 are ...

Page 143: ... Series User s Guide 143 6 15 2 AP List Config AP Select an AP and click the Config AP button in the Monitor Wireless AP Information AP List table to display this screen Figure 114 Monitor Wireless AP Information AP List Config AP ...

Page 144: ...ile Select a profile from the list If no profile exists you can create a new one through the Create new Object menu Override Group Output Power Setting Select this option to overwrite the AP output power setting with the setting you configure here Output Power Set the output power of the AP Override Group SSID Setting Select this option to overwrite the AP SSID profile setting with the setting you...

Page 145: ...cy Band This field displays the WLAN frequency band using the IEEE 802 11 a b g n standard of 2 4 or 5 GHz Channel ID This field displays the WLAN channels using the IEEE 802 11 protocols Tx Power This shows the radio s output power in dBm Station This field displays the station count information Rx This field displays the total number of bytes received by the radio Tx This field displays the tota...

Page 146: ...the radio belongs Antenna This indicates the antenna orientation for the radio Wall or Ceiling This shows N A if the AP does not allow you to adjust coverage depending on the orientation of the antenna for each radio using the web configurator or a physical switch Table 46 Monitor Wireless AP Information Radio List LABEL DESCRIPTION ...

Page 147: ...ows you to view detailed information about a selected radio s SSID s wireless traffic and wireless clients for the preceding 24 hours To access this window select an entry and click the More Information button in the Radio List screen Figure 116 Monitor Wireless AP Information Radio List More Information ...

Page 148: ...SSID Security Mode This displays the security mode in which the SSID is operating Forwarding Mode This field indicates the forwarding mode Local Bridge or Tunnel associated with the SSID profile VLAN This displays the VLAN ID associated with the SSID Traffic Statistics This graph displays the overall traffic information about the radio over the preceding 24 hours y axis This axis represents the am...

Page 149: ...y Station Number select the measure unit in GB or MB to display the graph Traffic Usage This graph displays the overall traffic information about the top five or top ten wireless traffic for the preceding 24 hours y axis The y axis represents the amount of traffic in megabytes gigabytes x axis The x axis represents the time over which wireless traffic flows transmitting from to the AP Station Coun...

Page 150: ...usage and wireless stations Usage by Select the measure unit in GB or MB to display the graph Traffic Usage This graph displays the overall traffic information about the AP you specified for the preceding 24 hours y axis The y axis represents the amount of traffic in megabytes gigabytes x axis The x axis represents the time over which wireless traffic flows transmitting from to the AP Station Coun...

Page 151: ...criptive name of the managed AP to which this managed AP is connected wirelessly SSID Name This indicates the name of the wireless network SSID the managed AP uses to associated with another managed AP Signal Strength Before the slash this shows the signal strength the uplink AP a root AP or a repeater receives from this managed AP in repeater mode After the slash this shows the signal strength th...

Page 152: ... DESCRIPTION This is the SSID s index number in this list SSID This indicates the name of the wireless network to which the client is connected A single AP can have multiple SSIDs or networks 2 4GHz This shows the number of wireless clients which are currently connected to the SSID using the 2 4 GHz frequency band Click the number to go to the Station Info Station List screen See Section 6 22 on p...

Page 153: ...SSID Name This field displays the SSID names of the station Security Mode This field displays the security mode the station is using Signal Strength This field displays the signal strength of the station Channel This field displays the number of the channel used by the station to connect to the network Band This field displays the frequency band which is currently being used by the station IP Addr...

Page 154: ...Single Station to display this screen Table 53 Monitor Wireless Station Info Top N Stations LABEL DESCRIPTION View Select this to view the top five or top ten traffic statistics of the wireless stations Usage by Select the measure unit in GB or MB to display the graph Traffic Usage This graph displays the overall traffic information about the stations for the preceding 24 hours y axis This axis re...

Page 155: ...he Configuration Wireless AP Management screen in order to detect other wireless devices in its vicinity Figure 124 Monitor Wireless Detected Device Table 54 Monitor Wireless Station Info Single Station LABEL DESCRIPTION Station Selection Select this to view the traffic statistics of the wireless station Usage by Select the measure unit in GB or MB to display the graph Traffic Usage This graph dis...

Page 156: ...managing friendly APs see the Configuration Wireless MON Mode screen This is the station s index number in this list Status This indicates the detected device s status Device This indicates the detected device s network type such as infrastructure or ad hoc Role This indicates the detected device s role such as friendly or rogue MAC Address This indicates the detected device s MAC address SSID Nam...

Page 157: ...es for an IPSec SA and click Search to find it You can use a keyword or regular expression Use up to 30 alphanumeric and _ characters See Section on page 157 for more details Search Click this button to search for an IPSec SA that matches the information you specified above Disconnect Select an IPSec SA and click this button to disconnect it Connection Check Select an IPSec SA and click this butto...

Page 158: ... VPN sessions Table 57 Monitor VPN Monitor SSL LABEL DESCRIPTION Disconnect Select a connection and click this button to terminate the user s connection and delete corresponding session information from the Zyxel Device Refresh Click Refresh to update this screen This field is a sequential value and it is not associated with a specific SSL User This field displays the account user name used to est...

Page 159: ...nnection and click this button to disconnect it Refresh Click Refresh to update this screen This field is a sequential value and it is not associated with a specific L2TP VPN session User Name This field displays the remote user s user name Hostname This field displays the name of the computer that has this L2TP VPN connection with the Zyxel Device Assigned IP This field displays the IP address th...

Page 160: ...Click Apply to save your changes back to the Zyxel Device Reset Click Reset to return the screen to its last saved settings Refresh Click this button to update the report display Flush Data Click this button to discard all of the screen s statistics and update the report display Web Request Statistics Total Submit File This field displays the number of web pages that the Zyxel Device s content fil...

Page 161: ...he content filtering custom service configuration Restricted Web Features This is the number of web pages to which the ZyWALL limited access or removed cookies due to the content filtering custom service s restricted web features configuration Forbidden Web Sites This is the number of web pages to which the Zyxel Device did not allow access because they matched the content filtering custom service...

Page 162: ... Data KB This is how much of the application s traffic the Zyxel Device has discarded without notifying the client in kilobytes This traffic was dropped because it matched an application policy set to drop Rejected Data KB This is how much of the application s traffic the Zyxel Device has discarded and notified the client that the traffic was rejected in kilobytes This traffic was rejected because...

Page 163: ...es that the Zyxel Device has detected Select Source IP to list the source IP addresses from which the Zyxel Device has detected the most virus infected files Select Destination IP to list the most common destination IP addresses for virus infected files that Zyxel Device has detected Select Source IPv6 to list the source IPv6 addresses from which the Zyxel Device has detected the most virus infect...

Page 164: ...tistics display as follows when you display the top entries by destination IP Figure 133 Monitor Security Statistics Anti Malware Summary Destination IP The statistics display as follows when you display the top entries by destination IPv6 Figure 134 Monitor Security Statistics Anti Malware Destination IPv6 6 31 The IDP Screen Click Monitor Security Statistics IDP Summary to display the following ...

Page 165: ...for intrusion characteristics Total Packet Dropped The Zyxel Device can detect and drop malicious packets from network traffic This field displays the number of packets that the Zyxel Device has dropped Total Packet Reset The Zyxel Device can detect and drop malicious packets from network traffic This field displays the number of packets that the Zyxel Device has reset Top Entries By Use this fiel...

Page 166: ...n you display the entries by Signature Name The signature ID is a unique value given to each intrusion detected Type This column displays when you display the entries by Signature Name It shows the categories of intrusions Severity This column displays when you display the entries by Signature Name It shows the level of threat that the intrusions may pose Source IP This column displays when you di...

Page 167: ...n start time displays Apply Click Apply to save your changes back to the Zyxel Device Reset Click Reset to return the screen to its last saved settings Refresh Click this button to update the report display Flush Data Click this button to discard all of the screen s statistics and update the report display Email Summary Total Mails Scanned This field displays the number of emails that the Zyxel De...

Page 168: ...ce allowed because they exceeded the maximum number of email sessions that the email security feature can check at a time You can see the Zyxel Device s threshold of concurrent email sessions in the Email Security Status screen Use the Email Security Summary screen to set whether the Zyxel Device forwards or drops sessions that exceed this threshold Mail Sessions Dropped This is how many email ses...

Page 169: ...clears the concurrent mail session scanning bar s historical high Mail Scan Statistics These are the statistics for the service the Zyxel Device uses These statistics are for when the Zyxel Device actually queries the service servers This is the entry s index number in the list Service This displays the name of the service Total Queries This is the total number of queries the Zyxel Device has sent...

Page 170: ...e displays Apply Click Apply to save your changes back to the Zyxel Device Reset Click Reset to return the screen to its last saved settings Refresh Click this button to update the report display Flush Data Click this button to discard all of the screen s statistics and update the report display IP Scanned This field displays the total number of the IP addresses that are scanned IP Hit Count This ...

Page 171: ... and a new collection start time displays Apply Click Apply to save your changes back to the Zyxel Device Reset Click Reset to return the screen to its last saved settings Refresh Click this button to update the report display Flush Data Click this button to discard all of the screen s statistics and update the report display Total This field displays the total number of files that the Zyxel Devic...

Page 172: ...onth day and hour minute second All of the statistics are erased if you restart the Zyxel Device or click Flush Data Collecting starts over and a new collection start time displays Apply Click Apply to save your changes back to the Zyxel Device Reset Click Reset to return the screen to its last saved settings Refresh Click this button to update the report display Flush Data Click this button to di...

Page 173: ...ows the number of SSL sessions passed Table 67 Monitor Security Statistics SSL Inspection Summary continued LABEL DESCRIPTION Table 68 Monitor Security Statistics SSL Inspection Certificate Cache List LABEL DESCRIPTION Certificate Cache List Add to Exclude list Select and item in the list and click this icon to add the common name CN to the Exclude List This field is a sequential value and it is n...

Page 174: ...isplay in red Regular logs display in black Click a column s heading cell to sort the table entries by that column s criteria Click the heading cell again to reverse the sort order The Web Configurator saves the filter settings if you leave the View Log screen and return to it later Server Name Indication Server Name Indication SNI is the domain name entered in the browser FTP client etc to begin ...

Page 175: ...ority or higher Choices are any emerg alert crit error warn notice and info from highest priority to lowest priority This field is grayed out if the Category is Debug Log Source Address This displays when you show the filter Type the source IP address of the incoming packet that generated the log message Do not include the port in this filter Destination Address This displays when you show the fil...

Page 176: ...pdate the information in the screen Clear Click this button to clear the whole log regardless of what is currently displayed on the screen This field is a sequential value and it is not associated with a specific log message Time This field displays the time the log message was recorded Priority This field displays the priority of the log message It has the same range of values as the Priority fie...

Page 177: ...sage s you want to view You can also view All Logs at one time or you can view the Debug Log Priority This displays when you show the filter Select the priority of log messages to display The log displays the log messages with this priority or higher Choices are any emerg alert crit error warn notice and info from highest priority to lowest priority This field is read only if the Category is Debug...

Page 178: ...s displays when you show the filter Select the priority of log messages to display The log displays the log messages with this priority or higher Choices are any emerg alert crit error warn notice and info from highest priority to lowest priority This field is read only if the Category is Debug Log Category This field displays the log that generated the log message It is the same value used in the...

Page 179: ... Service for the subscription services that your Zyxel Device supports Zyxel offers two types of security packs for your Zyxel Device The subscription services you can use on the Zyxel Device vary depending on the security pack license you purchase See the table below for services available in each pack You can purchase an iCard and enter its license key at myZyxel to extend a service Table 71 Sec...

Page 180: ...ble to access myZyxel Click Configuration Licensing Registration in the navigation panel to open the screen as shown next Click on the icon to go to the OneSecurity website where there is guidance on configuration walkthrough and other information Figure 146 Configuration Licensing Registration 7 1 3 Service Screen Use this screen to display the status of your service registrations and upgrade lic...

Page 181: ...is field displays whether a service license is enabled at myZyxel Activated or not Not Activated or expired Expired It displays the remaining Grace Period if your license has Expired It displays Not Licensed if there isn t a license to be activated for this service Default displays for quantity based licenses when the Zyxel Device is currently using the allowed free number without a license For ex...

Page 182: ...ns are not over written when you download new signatures Note The Zyxel Device does not have to reboot when you upload new signatures 7 2 2 The Signature Screen Click Configuration Licensing Signature Update to display the following screen Figure 148 Configuration Licensing Signature Update The following table describes the labels in this screen Table 73 Configuration Licensing Signature Update LA...

Page 183: ...ect a time when your network is not busy for minimal interruption Table 73 Configuration Licensing Signature Update continued LABEL DESCRIPTION Table 74 Configuration Licensing Signature Update Schedule Auto Update LABEL DESCRIPTION Auto Update Select this check box to have the Zyxel Device automatically check for new signatures regularly at the time and day specified You should select a time when...

Page 184: ...all of the APs connected to the Zyxel Device Use the MON Mode screen Section 8 4 on page 197 to assign APs either to the rogue AP list or the friendly AP list Use the Auto Healing screen Section 8 5 on page 200 to extend the wireless service coverage area of the managed APs when one of the APs fails Use the RTLS screen Section 8 6 on page 200 to allow managed APs with battery powered Wi Fi tags be...

Page 185: ...el Device is located installed The available channels vary depending on the country you selected Registration Type Select Manual to add each AP to the Zyxel Device for management or Always Accept to automatically add APs to the Zyxel Device for management If you select Manual then go to Monitor Wireless AP Information AP List select an AP to be managed and then click Add to Mgnt AP List That AP wi...

Page 186: ...ode The AP LEDs stay lit after the AP is ready This button is not available if the selected AP doesn t support suppression mode This field is a sequential value and it is not associated with any entry IP Address This field displays the IP address of the AP MAC Address This field displays the MAC address of the AP Model This field displays the AP s hardware model information It displays N A not app...

Page 187: ... Series User s Guide 187 8 3 1 1 Edit AP List Select an AP and click the Edit button in the Configuration Wireless AP Management table to display this screen Figure 152 Configuration Wireless AP Management Mgnt AP List Edit AP List ...

Page 188: ...r APs in repeater mode to form a ZyMesh to extend its wireless network Repeater AP means the radio can establish a wireless connection with other APs in either root AP or repeater mode Note To prevent bridge loops do NOT set both radios on a managed AP to Repeater AP mode Note The root AP and repeater AP s in a ZyMesh must use the same country code and AP radio profile settings in order to communi...

Page 189: ...SSID profiles with an AP radio SSID Profile Indicates which SSID profile is associated with this radio profile Override Group VLAN Setting Select this option to overwrite the AP VLAN setting with the setting you configure here Force Overwrite VLAN Config Select this to have the Zyxel Device change the AP s management VLAN to match the configuration in this screen Management VLAN ID Enter a VLAN ID...

Page 190: ...configured on the managed AP s with the one s you specified below Primary Controller Specify the IP address of the primary AP controller if you set Override Type to Manual Secondary Controller Specify the IP address of the secondary AP controller if you set Override Type to Manual Fall back to Primary Controller when possible Select this option to have the managed AP s change back to associate wit...

Page 191: ...te You cannot remove a group with which an AP is associated DCS Now Select one or multiple groups and click this button to use DCS Dynamic Channel Selection to allow the APs in the group s to automatically find a less used channel in an environment where there are many APs and there may be interference Note You should have enabled DCS in the applied AP radio profile before the APs can use DCS Note...

Page 192: ...s Guide 192 8 3 3 1 Add Edit AP Group Click Add or select an AP group and click the Edit button in the Configuration Wireless AP Management AP Group table to display this screen Figure 155 Configuration Wireless AP Management AP Group Add Edit ...

Page 193: ... s in a ZyMesh must use the same country code and AP radio profile settings in order to communicate with each other Note Ensure you restart the managed AP after you change its operating mode Radio 1 2 AP Profile Select an AP profile from the list If no profile exists you can create a new one through the Create new Object menu Radio 1 2 Profile Select a monitor profile from the list If no profile e...

Page 194: ...select it and click Inactivate This is the port s index number in this list Status This displays whether or not the port is activated Port This shows the name of the physical Ethernet port on the managed AP PVID This shows the port s PVID A PVID Port VLAN ID is a tag that adds to incoming untagged frames received on a port so that the frames are forwarded to the VLAN group that the tag defines VLA...

Page 195: ...clients connected to the AP when it becomes overloaded If you do not enable this option then the AP simply delays the connection until it can afford the bandwidth it requires or it transfers the connection to another AP within its broadcast radius The disassociation priority is determined automatically by the Zyxel Device and is as follows Idle Timeout Devices that have been idle the longest will ...

Page 196: ... the AP must upgrade or downgrade its firmware to be the same version as the AP firmware on the Zyxel Device and reboot The Zyxel Device should always have the latest AP firmware so that APs don t have to downgrade firmware in order to be managed All new APs are supported Use Check to see if the Zyxel Device has the latest AP firmware Use Apply to have the Zyxel Device download the latest AP firmw...

Page 197: ...ck Success This displays the date and time the last check for new firmware was made and whether the check is in progress checking was successful success or has failed fail Check Click this button to have the Zyxel Device display the latest AP firmware version available on the firmware server Apply AP Firmware Due to space limitations the Zyxel Device only downloads and keeps AP firmware for APs it...

Page 198: ...d AP out of quarantine An unquarantined AP has normal access to the network This field is a sequential value and it is not associated with any interface Containment This field indicates the selected AP s containment status Role This field indicates whether the selected AP is a rogue ap or a friendly ap To change the AP s role click the Edit button MAC Address This field indicates the AP s radio MA...

Page 199: ...ble 82 Configuration Wireless MON Mode continued LABEL DESCRIPTION Table 83 Configuration Wireless MON Mode Add Edit Rogue Friendly LABEL DESCRIPTION MAC Enter the MAC address of the AP you want to add to the list A MAC address is a unique hardware identifier in the following hexadecimal format xx xx xx xx xx xx where xx is a hexadecimal number separated by colons Description Enter up to 60 charac...

Page 200: ...ESCRIPTION Enable Auto Healing Select this option to turn on the auto healing feature Save Current State Click this button to have all manged APs immediately scan their neighborhoods three times in a row and update their neighbor lists to the AP controller Zyxel Device Auto Healing Interval Set the time interval in minutes at which the managed APs scan their neighborhoods and report the status of ...

Page 201: ...n this Chapter Use the RTLS screen Section 8 6 3 on page 202 to use the managed APs as part of an Ekahau RTLS Real Time Location Service to track the location of Ekahau Wi Fi tags 8 6 2 Before You Begin You need At least three APs managed by the Zyxel Device the more APs the better since it increases the amount of information the Ekahau RTLS Controller has for calculating the location of the tags ...

Page 202: ...te 8549 UDP Ekahau T201 location update 8550 TCP Ekahau T201 tag maintenance protocol and Ekahau RTLS Controller user interface 8552 UDP Ekahau Location Protocol 8553 UDP Ekahau Maintenance Protocol 8554 UDP Ekahau T301 firmware update 8560 TCP Ekahau Vision web interface 8562 UDP Ekahau T301W firmware update 8569 UDP Ekahau TZSP Listener Port Table 86 Configuration Wireless RTLS LABEL DESCRIPTION...

Page 203: ...n the 2 4 GHz spectrum each channel from 1 to 13 is broken up into discrete 22 MHz segments that are spaced 5 MHz apart Channel 1 is centered on 2 412 GHz while channel 13 is centered on 2 472 GHz Figure 162 An Example Three Channel Deployment Three channels are situated in such a way as to create almost no interference with one another if used exclusively 1 6 and 11 When an AP broadcasts on any o...

Page 204: ...nt neighboring AP If he still connects to the AP regardless of the delay then the AP may boot other people who are already connected in order to associate with the new connection Load balancing by traffic level limits the number of connections to the AP based on maximum bandwidth available If you are uncertain as to the exact number of wireless connections you will have then choose this option By ...

Page 205: ...9 4 on page 233 for PPPoE PPTP or L2TP Internet connections Use the Cellular screens Section 9 5 on page 240 to configure settings for interfaces for Internet connections through an installed mobile broadband card Use the Tunnel screens Section 9 6 on page 249 to configure tunnel interfaces to be used in Generic Routing Encapsulation GRE IPv6 in IPv4 and 6to4 tunnels Use the VLAN screens Section 9...

Page 206: ...on between Ethernet or VLAN interfaces at the layer 2 data link MAC address level Unlike port groups bridge interfaces can take advantage of some security features in the Zyxel Device You can also assign an IP address and subnet mask to the bridge PPP interfaces support Point to Point Protocols PPP ISP accounts are required for PPPoE PPTP L2TP interfaces Cellular interfaces are for mobile broadban...

Page 207: ...a sequential number You can specify the number after the colon if you use the CLI to set up a virtual interface Relationships Between Interfaces In the Zyxel Device interfaces are usually created on top of other interfaces Only Ethernet interfaces are created directly on top of the physical ports or port groups The relationships between interfaces are explained in the following table Bandwidth res...

Page 208: ...ten as 2001 db8 1a2b 15 0 0 1a2f 0 Any number of consecutive blocks of zeros can be replaced by a double colon A double colon can only appear once in an IPv6 address So 2001 0db8 0000 0000 1a2f 0000 0000 0015 can be written as 2001 0db8 1a2f 0000 0000 0015 2001 0db8 0000 0000 1a2f 0015 2001 db8 1a2f 0 0 15 or 2001 db8 0 0 1a2f 15 Prefix and Prefix Length Similar to an IPv4 subnet mask IPv6 uses an...

Page 209: ...ombines the prefix and the interface ID generated from its own Ethernet MAC address to form a complete IPv6 address When IPv6 is enabled on a device its interface automatically generates a link local address beginning with fe80 When the Zyxel Device s WAN interface is connected to an ISP with a router and the Zyxel Device is set to automatically obtain an IPv6 network prefix from the router for th...

Page 210: ...the Configuration System IPv6 screen to enable IPv6 support on the Zyxel Device first 9 2 Port Role To access this screen click Configuration Network Interface Port Role Use the Port Role screen to set the Zyxel Device s flexible ports as part of the lan1 lan2 ext wlan ext lan or dmz interfaces This creates a hardware connection between the physical ports at the layer 2 data link MAC address level...

Page 211: ...d IPv6 in the Configuration System IPv6 screen you can also configure Ethernet interfaces used for your IPv6 networks on this screen To access this screen click Configuration Network Interface Ethernet Unlike other types of interfaces you cannot create new Ethernet interfaces nor can you delete any of them If an Ethernet interface does not have any physical ports assigned to it the Ethernet interf...

Page 212: ...ttings Remove To remove a virtual interface select it and click Remove The Zyxel Device confirms you want to remove it before doing so Activate To turn on an interface select it and click Activate Inactivate To turn off an interface select it and click Inactivate Create Virtual Interface To open the screen where you can create a virtual Ethernet interface select an Ethernet interface and click Cre...

Page 213: ...nd both versions Select the broadcasting method used by RIP 2 packets The Zyxel Device can use subnet broadcasting or multicasting With OSPF you can use Ethernet interfaces to do the following things Enable and disable OSPF in the underlying physical port or port group Select the area to which the interface belongs Override the default link cost and authentication method for the selected area Sele...

Page 214: ...es on behalf of hosts that the Zyxel Device discovered on its IGMP enabled interfaces The Zyxel Device acts as a proxy for its hosts Refer to the following figure DS Downstream traffic US Upstream traffic R Router MS Multicast Server Enable IGMP Upstream US on the Zyxel Device interface that connects to a router R running IGMP that is closer to the multicast server MS Enable IGMP Downstream on the...

Page 215: ...Chapter 9 Interfaces ZyWALL ATP Series User s Guide 215 Figure 168 Configuration Network Interface Ethernet Edit External Type ...

Page 216: ...Chapter 9 Interfaces ZyWALL ATP Series User s Guide 216 Configuration Network Interface Ethernet Edit External Type ...

Page 217: ...Chapter 9 Interfaces ZyWALL ATP Series User s Guide 217 Figure 169 Configuration Network Interface Ethernet Edit Internal Type Configuration Network Interface Ethernet Edit Internal Type ...

Page 218: ...Chapter 9 Interfaces ZyWALL ATP Series User s Guide 218 Figure 170 Configuration Network Interface Ethernet Edit OPT ...

Page 219: ... DESCRIPTION IPv4 IPv6 View IPv4 View IPv6 View Use this button to display both IPv4 and IPv6 IPv4 only or IPv6 only configuration fields Show Advanced Settings Hide Advanced Settings Click this button to display a greater or lesser number of configuration fields Create New Object Click this button to create a DHCPv6 lease or DHCPv6 request object that you may use for the DHCPv6 settings in this s...

Page 220: ...only This is the MAC address that the Ethernet interface uses Description Enter a description of this interface It is not used elsewhere You can use alphanumeric and _ characters and it can be up to 60 characters long IP Address Assignment These IP address fields configure an IPv4 IP address on the interface itself If you change this IP address on the interface you may also need to change a relate...

Page 221: ...rface if you want to use a static IP address This field is optional The prefix length indicates what the left most part of the IP address is the same for all computers in the network that is the network address Gateway Enter the IPv6 address of the default outgoing gateway using colon hexadecimal notation Metric Enter the priority of the gateway if any on this interface The Zyxel Device decides wh...

Page 222: ...traffic load Note Make sure you also enable this option in the DHCPv6 clients to make rapid commit work Information Refresh Time Enter the number of seconds a DHCPv6 client should wait before refreshing information retrieved from DHCPv6 Request Address This field is available if you set this interface to DHCPv6 Client Select this to get an IPv6 IP address for this interface from the DHCP server Cl...

Page 223: ...at can move through this interface If a larger packet arrives the Zyxel Device discards the packet and sends an error message to the sender to inform this Hop Limit Enter the maximum number of network segments that a packet can cross before reaching the destination When forwarding an IPv6 packet IPv6 routers are required to decrease the Hop Limit by 1 and to discard the IPv6 packet when the Hop Li...

Page 224: ...heck These fields appear when Interface Properties is External or General The interface can regularly check the connection to the gateway you specified to make sure it is still available You specify how often the interface checks the connection how long to wait for a response before the attempt is a failure and how many consecutive failures are required before the Zyxel Device stops routing to the...

Page 225: ...s must also be blank In this case the Zyxel Device can assign every IP address allowed by the interface s IP address and subnet mask except for the first address network address last address broadcast address and the interface s IP address First DNS Server Second DNS Server Third DNS Server Specify the IP addresses up to three DNS servers for the DHCP clients to use Use one of the following ways t...

Page 226: ...to use specific IP addresses Enable Logs for IP MAC Binding Violation Select this option to have the Zyxel Device generate a log if a device connected to this interface attempts to use an IP address that is bound to another device s MAC address Static DHCP Table Configure a list of static IP addresses the Zyxel Device assigns to computers connected to the interface Otherwise the Zyxel Device assig...

Page 227: ...d the underscore and it can be up to 16 characters long MD5 Authentication ID This field is available if the Authentication is MD5 Type the ID for MD5 authentication The ID can be between 1 and 255 MD5 Authentication Key This field is available if the Authentication is MD5 Type the password for MD5 authentication The password can consist of alphanumeric characters and the underscore and it can be ...

Page 228: ... IPv4 CIDR for example 192 168 1 1 24 or an IPv4 Range for example 192 168 1 2 192 168 1 100 as the target IP address The Zyxel Device answers external ARP requests only if they match one of these inputted target IP addresses For example if the IPv4 Address is 192 168 1 5 then the Zyxel Device will answer ARP requests coming from the WAN only if it contains 192 168 1 5 as the target IP address Sel...

Page 229: ... example security policies that apply to the underlying interface automatically apply to the virtual interface as well Like other interfaces virtual interfaces have an IP address subnet mask and gateway used to make routing decisions However you have to manually specify the IP address and subnet mask virtual Table 92 Interface Edit Add Proxy ARP LABEL DESCRIPTION Interface Name This identifies the...

Page 230: ...e Properties Interface Name This field is read only It displays the name of the virtual interface which is automatically derived from the underlying Ethernet interface VLAN interface or bridge interface Description Enter a description of this interface It is not used elsewhere You can use alphanumeric and _ characters and it can be up to 60 characters long IP Address Assignment IP Address Enter th...

Page 231: ...ct one object field and click OK to save it Click Cancel to exit without saving the setting Table 94 References LABEL DESCRIPTION Name This identifies the object for which the configuration settings that use it are displayed Click the object s name to display the object s configuration screen in the main window This field is a sequential value and it is not associated with any entry Service This i...

Page 232: ...of the selected DHCP option If you selected User Defined in the Option field enter a number for the option This field is mandatory Type This is the type of the selected DHCP option If you selected User Defined in the Option field select an appropriate type for the value that you will enter in the next field Only advanced users should configure User Defined Misconfiguration could result in interfac...

Page 233: ...HCP header has been used for DHCP options The minimum length of the value is 1 SIP Server 120 This option carries either an IPv4 address or a DNS domain name to be used by the SIP client to locate a SIP server VIVC 124 Vendor Identifying Vendor Class option A DHCP client may use this option to unambiguously identify the vendor that manufactured the hardware on which the client is running the softw...

Page 234: ...ce to use Each ISP account specifies the protocol PPPoE or PPTP or L2TP as well as your ISP account information If you change ISPs later you only have to create a new ISP account not a new PPPoE PPTP L2TP interface You should not have to change any network policies You do not set up the subnet mask or gateway PPPoE PPTP L2TP interfaces are interfaces between the Zyxel Device and only one computer ...

Page 235: ...vice confirms you want to remove it before doing so Activate To turn on an entry select it and click Activate Inactivate To turn off an entry select it and click Inactivate Connect To connect an interface select it and click Connect You might use this in testing the interface or to manually establish the connection for a Dial on Demand PPPoE PPTP interface Disconnect To disconnect an interface sel...

Page 236: ...Chapter 9 Interfaces ZyWALL ATP Series User s Guide 236 Figure 179 Configuration Network Interface PPP Add ...

Page 237: ...PPTP L2TP connection should always be up Clear this to have the Zyxel Device establish the PPPoE PPTP L2TP connection only when there is traffic You might use this option if a lot of traffic needs to go through the interface or it does not cost extra to keep the connection up all the time Dial on Demand Select this to have the Zyxel Device establish the PPPoE PPTP L2TP connection only when there i...

Page 238: ...or more information To use prefix delegation you must Create at least one DHCPv6 request object before configuring this table The external interface must be a DHCPv6 client You must configure the DHCPv6 request options using a DHCPv6 request object with the type of prefix delegation Assign the prefix delegation to an internal interface and enable router advertisement on that interface Add Click th...

Page 239: ...This is reserved for future use Enter the maximum amount of traffic in kilobits per second the Zyxel Device can receive from the network through the interface Allowed values are 0 1048576 MTU Maximum Transmission Unit Type the maximum size of each data packet in bytes that can move through this interface If a larger packet arrives the Zyxel Device divides it into smaller fragments Allowed values a...

Page 240: ...ice and non voice data and provides broadband Internet access to mobile devices 4G 4G is the fourth generation of the mobile telecommunications technology and a successor of 3G Both the WiMAX and Long Term Evolution LTE standards are the 4G candidate systems 4G only supports all IP based packet switched telephony services and is required to offer Gigabit speed access Note The actual data rate you ...

Page 241: ...r digital radio CDMA2000 1xRTT 1 times Radio Transmission Technology is the core CDMA2000 wireless air interface standard It is also known as 1x 1xRTT or IS 2000 and considered to be a 2 5G or 2 75G technology 2 75G Packet switched Enhanced Data rates for GSM Evolution EDGE Enhanced GPRS EGPRS etc 3G Packet switched UMTS Universal Mobile Telecommunications System a third generation 3G wireless sta...

Page 242: ...d click References to open a screen that shows which settings use the entry See Section 9 3 4 on page 230 for an example This field is a sequential value and it is not associated with any interface Status The activate light bulb icon is lit when the entry is active and dimmed when the entry is inactive The connect icon is lit when the interface is connected and dimmed when it is disconnected Name ...

Page 243: ...llular Configuration This screen displays after you select the slot that contains the mobile broadband device in the previous pop up window Update Now If the latest version number is greater than the current version number then click this button to download the latest list of supported mobile broadband dongle devices to the Zyxel Device Apply Click Apply to save your changes back to the Zyxel Devi...

Page 244: ...Chapter 9 Interfaces ZyWALL ATP Series User s Guide 244 Figure 181 Configuration Network Interface Cellular Add Edit ...

Page 245: ...es before the Zyxel Device automatically disconnects from the ISP s server Zero disables the idle timeout ISP Settings Profile Selection Select Device to use one of the mobile broadband device s profiles of device settings Then select the profile use Profile 1 unless your ISP instructed you to do otherwise Select Custom to configure your device settings yourself APN This field is read only if you ...

Page 246: ...ication enter an arbitrary number Retype to Confirm Type the PIN code again to confirm it Interface Parameters Egress Bandwidth Enter the maximum amount of traffic in kilobits per second the Zyxel Device can send through the interface to the network Allowed values are 0 1048576 This setting is used in WAN load balancing and bandwidth management Ingress Bandwidth This is reserved for future use Ent...

Page 247: ...which gateway to use based on this priority The lower the number the higher the priority If two or more gateways have the same priority the Zyxel Device uses the one that was configured first Device Settings Band Selection This field appears if you selected a mobile broadband device that allows you to select the type of network to use Select the type of mobile broadband service for your mobile bro...

Page 248: ...month If the date you selected is not available in a month such as 30th or 31st the Zyxel Device resets the budget on the last day of the month Reset time and data budget counters This button is available only when you enable budget control in this screen Click this button to reset the time and data budgets immediately The count starts over with the mobile broadband connection s full configured mo...

Page 249: ...Pv6 networks over an IPv4 network an IPv6 over IPv4 tunnel has to be used Figure 183 IPv6 over IPv4 Network On the Zyxel Device you can either set up a manual IPv6 in IPv4 tunnel or an automatic 6to4 tunnel The following describes each method Log Select None to not create a log when the Zyxel Device takes this action Log to create a log or Log alert to create an alert log If you select Log or Log ...

Page 250: ...4 tunneling you do not need to configure a policy route for a 6to4 tunnel Through your properly pre configuring the destination router s IP address in the IP address assignments to hosts the Zyxel Device can automatically forward 6to4 packets to the destination they want to go A 6to4 relay router is required to route 6to4 packets to a native IPv6 network if the packet s destination do not match yo...

Page 251: ...ick Edit to open a screen where you can modify the entry s settings Remove To remove an entry select it and click Remove The Zyxel Device confirms you want to remove it before doing so Activate To turn on an entry select it and click Activate Inactivate To turn off an entry select it and click Inactivate References Select an entry and click References to open a screen that shows which settings use...

Page 252: ...in IPv4 or 6to4 This field also displays the interface s IPv4 IP address and subnet mask if it is a GRE tunnel Otherwise it displays the interface s IPv6 IP address and prefix length My Address This is the interface or IP address uses to identify itself to the remote gateway The Zyxel Device uses this as the source for the packets it tunnels to the remote gateway Remote Gateway Address This is the...

Page 253: ...n the following table Table 103 Network Interface Tunnel Add Edit LABEL DESCRIPTION Show Advanced Settings Hide Advanced Settings Click this button to display a greater or lesser number of configuration fields General Settings Enable Select this to enable this interface Clear this to disable this interface Interface Properties ...

Page 254: ...ority If two or more gateways have the same priority the Zyxel Device uses the one that was configured first 6to4 Tunnel Parameter This section is available if you are configuring a 6to4 tunnel which encapsulates IPv6 to IPv4 packets 6to4 Prefix Enter the IPv6 prefix of a destination network The Zyxel Device forwards IPv6 packets to the hosts in the matched network If you enter a prefix starting w...

Page 255: ...e failures are required before the Zyxel Device stops routing to the gateway The Zyxel Device resumes routing to the gateway the first time the gateway passes the connectivity check Enable Connectivity Check Select this to turn on the connection check Check Method Select the method that the gateway allows Select icmp to have the Zyxel Device regularly ping the gateway you specify to make sure it i...

Page 256: ...e switches are connected to the router If one switch has enough connections for the entire network the network does not need switches A and B Traffic inside each VLAN is layer 2 communication data link layer MAC addresses It is handled by the switches As a result the new switch is required to handle traffic inside VLAN 2 Traffic is only broadcast inside each VLAN not each physical network Traffic ...

Page 257: ...en VLAN interfaces but it does not route traffic within a VLAN interface All traffic for each VLAN interface can go through only one Ethernet interface though each Ethernet interface can have one or more VLAN interfaces Note Each VLAN interface is created on top of only one Ethernet interface Otherwise VLAN interfaces are similar to other interfaces in many ways They have an IP address subnet mask...

Page 258: ...pen the screen where you can create a virtual interface select an interface and click Create Virtual Interface References Select an entry and click References to open a screen that shows which settings use the entry See Section 9 3 4 on page 230 for an example This field is a sequential value and it is not associated with any interface Status This icon is lit when the entry is active and dimmed wh...

Page 259: ...Chapter 9 Interfaces ZyWALL ATP Series User s Guide 259 Figure 191 Configuration Network Interface VLAN Add Edit ...

Page 260: ...Chapter 9 Interfaces ZyWALL ATP Series User s Guide 260 ...

Page 261: ...work like the Internet The Zyxel Device automatically adds this interface to the default WAN trunk For general the rest of the screen s options do not automatically adjust and you must manually configure a policy route to add routing and SNAT settings for the interface Interface Name This field is read only if you are editing an existing VLAN interface Enter the number of the VLAN interface You ca...

Page 262: ...or more gateways have the same priority the Zyxel Device uses the one that was configured first Enable IGMP Support Select this to allow the Zyxel Device to act as an IGMP proxy for hosts connected on the IGMP downstream interface IGMP Upstream Enable IGMP Upstream on the interface which connects to a router running IGMP that is closer to the multicast server IGMP Downstream Enable IGMP Downstream...

Page 263: ...interface then enter 1111 0 0 0 1 128 in this field Address This field displays the combined IPv6 IP address for this interface Note This field displays the combined address after you click OK and reopen this screen DHCPv6 Setting DHCPv6 Select N A to not use DHCPv6 Select Client to set this interface to act as a DHCPv6 client Select Server to set this interface to act as a DHCPv6 server which ass...

Page 264: ...From DHCPv6 Select this to have the Zyxel Device indicate to hosts to obtain network settings such as prefix and DNS settings through DHCPv6 Clear this to have the Zyxel Device indicate to hosts that DHCPv6 is not available and they should use the prefix in the router advertisement message Advertised Hosts Get Other Configuration From DHCPv6 Select this to have the Zyxel Device indicate to hosts t...

Page 265: ... here which keeps the same prefix length 48 as the delegated prefix Address This is the final network prefix combined by the delegated prefix and the suffix Note This field displays the combined address after you click OK and reopen this screen Interface Parameters Egress Bandwidth Enter the maximum amount of traffic in kilobits per second the Zyxel Device can send through the interface to the net...

Page 266: ... Enter the IP address from which the Zyxel Device begins allocating IP addresses If you want to assign a static IP address to a specific computer click Add Static DHCP If this field is blank the Pool Size must also be blank In this case the Zyxel Device can assign every IP address allowed by the interface s IP address and subnet mask except for the first address network address last address broadc...

Page 267: ...e the Zyxel Device enforce links between specific IP addresses and specific MAC addresses for this VLAN This stops anyone else from manually using a bound IP address on another device connected to this interface Use this to make use only the intended users get to use specific IP addresses Enable Logs for IP MAC Binding Violation Select this option to have the Zyxel Device generate a log if a devic...

Page 268: ...e the same authentication method that they use Choices are Same as Area use the default authentication method in the area None disable authentication Text authenticate OSPF routing information using a plain text password MD5 authenticate OSPF routing information using MD5 encryption Text Authentication Key This field is available if the Authentication is Text Type the password for text authenticat...

Page 269: ...wers external ARP requests only if they match one of these inputted target IP addresses For example if the IPv4 Address is 192 168 1 5 then the Zyxel Device will answer ARP requests coming from the WAN only if it contains 192 168 1 5 as the target IP address Select an existing entry and click Remove to delete that entry Related Setting Configure WAN TRUNK Click WAN TRUNK to go to a screen where yo...

Page 270: ...e broadcasts the packet on ports 1 3 and 4 If computer B responds to computer A bridge X records the source address 0B 0B 0B 0B 0B 0B and port 4 in the table It also looks up 0A 0A 0A 0A 0A 0A in the table and sends the packet to port 2 accordingly Bridge Interface Overview A bridge interface creates a software bridge between the members of the bridge interface It also becomes the Zyxel Device s i...

Page 271: ... are automatically added to or remove from a bridge interface when the underlying interface is added or removed 9 8 1 Bridge Summary This screen lists every bridge interface and virtual interface created on top of bridge interfaces If you enabled IPv6 in the Configuration System IPv6 screen you can also configure bridge interfaces used for your IPv6 network on this screen To access this screen cli...

Page 272: ...To turn on an entry select it and click Activate Inactivate To turn off an entry select it and click Inactivate Create Virtual Interface To open the screen where you can create a virtual interface select an interface and click Create Virtual Interface References Select an entry and click References to open a screen that shows which settings use the entry See Section 9 3 4 on page 230 for an exampl...

Page 273: ...Chapter 9 Interfaces ZyWALL ATP Series User s Guide 273 Figure 193 Configuration Network Interface Bridge Add Edit ...

Page 274: ...figuration Network Interface Bridge Add Edit LABEL DESCRIPTION IPv4 IPv6 View IPv4 View IPv6 View Use this button to display both IPv4 and IPv6 IPv4 only or IPv6 only configuration fields Show Advanced Settings Hide Advanced Settings Click this button to display a greater or lesser number of configuration fields ...

Page 275: ...mote management anti malware and application patrol Description Enter a description of this interface It is not used elsewhere You can use alphanumeric and _ characters and it can be up to 60 characters long Member Configuration Available This field displays Ethernet interfaces and VLAN interfaces that can become part of the bridge interface An interface is not available in the following situation...

Page 276: ... IPv6 router in the network Link Local address This displays the IPv6 link local address and the network prefix that the Zyxel Device generates itself for the interface IPv6 Address Prefix Length Enter the IPv6 address and the prefix length for this interface if you want to use a static IP address This field is optional The prefix length indicates what the left most part of the IP address is the s...

Page 277: ... this if you want the DUID is generated from the interface s default MAC address Customized DUID If you want to use a customized DUID enter it here for the interface Enable Rapid Commit Select this to shorten the DHCPv6 message exchange process from four to two steps This function helps reduce heavy network traffic load Note Make sure you also enable this option in the DHCPv6 clients to make rapid...

Page 278: ...ould use for the Zyxel Device This helps hosts to choose their default router especially when there are multiple IPv6 router in the network Note Make sure the hosts also support router preference to make this function work MTU The Maximum Transmission Unit Type the maximum size of each IPv6 data packet in bytes that can move through this interface If a larger packet arrives the Zyxel Device divide...

Page 279: ...e Zyxel Device can receive from the network through the interface Allowed values are 0 1048576 MTU Maximum Transmission Unit Type the maximum size of each data packet in bytes that can move through this interface If a larger packet arrives the Zyxel Device divides it into smaller fragments Allowed values are 576 1500 Usually this value is 1500 DHCP Setting DHCP Select what type of DHCP service the...

Page 280: ...ect Custom Defined and enter the IP address Lease time Specify how long each computer can use the information especially the IP address before it has to request the information again Choices are infinite select this if IP addresses never expire days hours and minutes select this to enter how long IP addresses are valid Extended Options This table is available if you selected DHCP server Configure ...

Page 281: ...g to wait for a response before the attempt is a failure and how many consecutive failures are required before the Zyxel Device stops routing to the gateway The Zyxel Device resumes routing to the gateway the first time the gateway passes the connectivity check Enable Connectivity Check Select this to turn on the connection check Check Method Select the method that the gateway allows Select icmp t...

Page 282: ...ad Balancing Add Click Add to create an IPv4 Address an IPv4 CIDR for example 192 168 1 1 24 or an IPv4 Range for example 192 168 1 2 192 168 1 100 as the target IP address The Zyxel Device answers external ARP requests only if they match one of these inputted target IP addresses For example if the IPv4 Address is 192 168 1 5 then the Zyxel Device will answer ARP requests coming from the WAN only ...

Page 283: ...en where you can modify the entry s settings Remove To remove an entry select it and click Remove The Zyxel Device confirms you want to remove it before doing so Activate To turn on an entry select it and click Activate Inactivate To turn off an entry select it and click Inactivate References Select an entry and click References to open a screen that shows which settings use the entry This field i...

Page 284: ...nfigure IP address assignment and interface parameters for VTI Note You should have created a VPN tunnel for a VPN Tunnel Interface scenario first To access this screen click the Add or Edit icon in Network Interface VTI The following screen appears Figure 196 Configuration Network Interface VTI Add ...

Page 285: ...ct as an IGMP proxy for hosts connected on the IGMP downstream interface IGMP Upstream Enable IGMP Upstream on the interface which connects to a router running IGMP that is closer to the multicast server IGMP Downstream Enable IGMP Downstream on the interface which connects to the multicast hosts Interface Parameters Egress Bandwidth Enter the maximum amount of traffic in kilobits per second the Z...

Page 286: ...lect None to disable OSPF in this interface Priority Enter the priority between 0 and 255 of this interface when the area is looking for a Designated Router DR or Backup Designated Router BDR The highest priority interface identifies the DR and the second highest priority interface identifies the BDR Set the priority to zero if the interface can not be the DR or BDR Link Cost Enter the cost betwee...

Page 287: ...never the interface s connection is up Use the Trunk summary screen Section 9 11 on page 290 to view the list of configured trunks and which load balancing algorithm each trunk uses Use the Add Trunk screen Section 9 11 1 on page 291 to configure the member interfaces for a trunk and the load balancing algorithm the trunk uses Use the Add System Default screen Section 9 11 2 on page 293 to configu...

Page 288: ...ld use for a session In the load balancing section a session may refer to normal connection oriented UDP or SNMP2 traffic The available bandwidth you configure on the Zyxel Device refers to the actual bandwidth provided by the ISP and the measured bandwidth refers to the bandwidth an interface is currently using Least Load First The least load first algorithm uses the current or recent outbound ba...

Page 289: ...nterface with a smaller weight For example in the figure below the configured available bandwidth of WAN1 is 1M and WAN2 is 512K You can set the Zyxel Device to distribute the network traffic between the two interfaces by setting the weight of wan1 and wan2 to 2 and 1 respectively The Zyxel Device assigns the traffic of two sessions to wan1 and one session s traffic to wan2 in each round of 3 new ...

Page 290: ...c of new sessions that exceed this limit to the secondary WAN interface Figure 199 Spillover Algorithm Example 9 11 The Trunk Summary Screen Click Configuration Network Interface Trunk to open the Trunk screen The Trunk Summary screen lists the configured trunks and the load balancing algorithm that each is configured to use Figure 200 Configuration Network Interface Trunk ...

Page 291: ...xternal interfaces Default Trunk Selection Select whether the Zyxel Device is to use the default system WAN trunk or one of the user configured WAN trunks as the default trunk for routing traffic from internal interfaces to external interfaces User Configuration System Default The Zyxel Device automatically adds all external interfaces into the pre configured system default SYSTEM_DEFAULT_WAN_TRUN...

Page 292: ...end network traffic through the first interface in the group member list until there is enough traffic that the second interface needs to be used and so on Load Balancing Index es This field is available if you selected to use the Least Load First or Spillover method Select Outbound Inbound or Outbound Inbound to set the traffic to which the Zyxel Device applies the load balancing method Outbound ...

Page 293: ...e weights of the different member interfaces form a ratio This ratio determines how much traffic the Zyxel Device assigns to each member interface The higher an interface s weight is relative to the weights of the interfaces the more sessions that interface should handle Ingress Bandwidth This is reserved for future use This field displays with the least load first load balancing algorithm It disp...

Page 294: ...face needs to be used and so on The table lists the trunk s member interfaces This table is read only This column displays the priorities of the group s interfaces The order of the interfaces in the list is important since they are used in the order they are listed Member This column displays the name of the member interfaces Mode This field displays Active if the Zyxel Device always attempt to us...

Page 295: ...an also let the IP address and subnet mask be assigned by an external DHCP server on the network In this case the interface is a DHCP client Virtual interfaces however cannot be DHCP clients You have to assign the IP address and subnet mask manually Spillover This field displays with the spillover load balancing algorithm Specify the maximum bandwidth of traffic in kilobits per second 1 1048576 to...

Page 296: ... Ingress bandwidth sets the amount of traffic the Zyxel Device allows in through the interface from the network At the time of writing the Zyxel Device does not support ingress bandwidth management If you set the bandwidth restrictions very high you effectively remove the restrictions The Zyxel Device also restricts the size of each data packet The maximum number of bytes in each packet is called ...

Page 297: ...ss is 9 9 9 1 and subnet mask is 255 255 255 0 the starting IP address in the pool is 9 9 9 2 and the pool size is 253 Subnet mask The interface provides the same subnet mask you specify for the interface See IP Address Assignment on page 295 Gateway The interface provides the same gateway you specify for the interface See IP Address Assignment on page 295 DNS servers The interface provides IP add...

Page 298: ... up virtual private networks VPN in unsecured TCP IP environments It sets up two sessions 1 The first one runs on TCP port 1723 It is used to start and manage the second one 2 The second one uses Generic Routing Encapsulation GRE RFC 2890 to transfer information between the computers PPTP is convenient and easy to use but you have to make sure that firewalls support both PPTP sessions Layer 2 Tunn...

Page 299: ...e policy route to connect to services offered by your ISP behind router R2 You create another policy route to communicate with a separate network behind another router R3 connected to the LAN Figure 204 Example of Policy Routing Topology Note You can generally just use policy routes You only need to use static routes if you have a large network with multiple routers where you use RIP or OSPF to pr...

Page 300: ...tiple paths NAT The Zyxel Device performs NAT by default for traffic going to or from the WAN interfaces A routing policy s SNAT allows network administrators to have traffic received on a specified interface use a specified IP address as the source IP address Note The Zyxel Device automatically uses SNAT for traffic it routes from internal interfaces to external interfaces For example LAN to WAN ...

Page 301: ...evice will not conflict with the DSCP mapping The DSCP value determines the forwarding behavior the PHB Per Hop Behavior that each packet gets across the DiffServ network Based on the marking rule different kinds of traffic can be marked for different kinds of forwarding Resources can then be allocated according to the DSCP values and the configured policies 10 2 Policy Route Screen Click Configur...

Page 302: ...d packets that match a policy route according to the policy route instead of sending the packets directly to a connected network Add Click this to create a new entry Select an entry and click Add to create a new entry after the selected entry Edit Double click an entry or select it and click Edit to open a screen where you can modify the entry s settings Remove To remove an entry select it and cli...

Page 303: ...usually best effort traffic The af entries stand for Assured Forwarding The number following the af identifies one of four classes and one of three drop preferences See Assured Forwarding AF PHB for DiffServ for more details Service This is the name of the service object any means all services Source Port This is the name of a service object The Zyxel Device applies the policy route to the packets...

Page 304: ...Chapter 10 Routing ZyWALL ATP Series User s Guide 304 Figure 206 Configuration Network Routing Policy Route Add Edit IPv4 Configuration ...

Page 305: ...eria User Select a user name or user group from which the packets are sent Incoming Select where the packets are coming from any an interface a tunnel an SSL VPN or the Zyxel Device itself For an interface a tunnel or an SSL VPN you also need to select the individual interface VPN tunnel or SSL VPN connection Source Address Select a source IP address object including geographic address and FQDN gr...

Page 306: ...T address object first Select VPN Tunnel to route the matched packets via the specified VPN tunnel Select Trunk to route the matched packets through the interfaces in the trunk group based on the load balancing algorithm Select Interface to route the matched packets through the specified outgoing interface to a gateway which is connected to the interface Gateway This field displays when you select...

Page 307: ...se as the source IP address es of the packets that match this route Healthy Check Use this part of the screen to configure a route connectivity check and disable the policy if the interface is down Disable policy route automatically while Interface link down Select this to disable the policy if the interface is down or disabled This is available for Interface and Trunk in the Type field above Enab...

Page 308: ...Use the IPv4 Configuration section for IPv4 network settings Use the IPv6 Configuration section for IPv6 network settings if you connect your Zyxel Device to an IPv6 network Both sections have similar fields as described below Add Click this to create a new static route Edit Double click an entry or select it and click Edit to open a screen where you can modify the entry s settings Remove To remov...

Page 309: ... Length field Subnet Mask Enter the IP subnet mask here Prefix Length Enter the number of left most digits in the destination IP address which indicates the network prefix Enter in the Destination IP field and 0 in this field if you want to send all traffic to the gateway or interface specified in the Gateway IP or Interface field Gateway IP Select the radio button and enter the IP address of the ...

Page 310: ... not using among the policy routes that require more bandwidth When you enable maximize bandwidth usage the Zyxel Device first makes sure that each policy route gets up to its bandwidth allotment Next the Zyxel Device divides up an interface s available bandwidth bandwidth that is unbudgeted or unused by the policy routes depending on how many policy routes require more bandwidth and on their prio...

Page 311: ... routing protocol and like most such protocols it uses hop count to decide which route is the shortest Unfortunately it also broadcasts its routes asynchronously to the network and converges slowly Therefore RIP is more suitable for small networks up to 15 routers In the Zyxel Device you can configure two sets of RIP settings before you can use it in an interface First the Authentication field spe...

Page 312: ... for text authentication The key can consist of alphanumeric characters and the underscore and it can be up to 16 characters long MD5 Authentication ID This field is available if the Authentication is MD5 Type the ID for MD5 authentication The ID can be between 1 and 255 MD5 Authentication Key This field is available if the Authentication is MD5 Type the password for MD5 authentication The passwor...

Page 313: ...em AS is divided into one or more areas Each area represents a group of adjacent networks and is identified by a 32 bit ID In OSPF this number may be expressed as an integer or as an IP address There are several types of areas The backbone is the transit area that routes packets between other areas All other areas are connected to the backbone A normal area is a group of adjacent networks A normal...

Page 314: ...ted through Link State Advertisements LSA Each router uses the link state database and the Dijkstra algorithm to compute the least cost paths to network destinations Like areas each router has a unique 32 bit ID in the OSPF AS and there are several types of routers Each type is really just a different role and it is possible for one router to play multiple roles at one time An internal router IR o...

Page 315: ...ther If a router is directly connected to several groups it might be a DR in one group a BDR in another group and neither in a third group all at the same time Virtual Links In some OSPF AS it is not possible for an area to be directly connected to the backbone In this case you can create a virtual link through an intermediate area to logically connect the area to the backbone This is illustrated ...

Page 316: ...able describes the labels in this screen See Section 10 7 2 on page 317 for more information as well Table 128 Configuration Network Routing Protocol OSPF LABEL DESCRIPTION OSPF Router ID Select the 32 bit ID the Zyxel Device uses in the OSPF AS Default the first available interface IP address is the Zyxel Device s ID User Defined enter the ID in IP address format in the field that appears when yo...

Page 317: ... Edit Double click an entry or select it and click Edit to open a screen where you can modify the entry s settings Remove To remove an entry select it and click Remove The Zyxel Device confirms you want to remove it before doing so References Select an entry and click References to open a screen that shows which settings use the entry Click Refresh to update information on this screen This field i...

Page 318: ...tion Key This field is available if the Authentication is Text Type the password for text authentication The key can consist of alphanumeric characters and the underscore and it can be up to 16 characters long MD5 Authentication ID This field is available if the Authentication is MD5 Type the default ID for MD5 authentication in the area The ID can be between 1 and 255 MD5 Authentication Key This ...

Page 319: ...he associated Authentication Type field to Same as Area As a result you only have to update the authentication information for the area to update the authentication type used by these interfaces and virtual links Alternatively you can override the default in any interface or virtual link by selecting a specific authentication method Please see the respective interface sections for more information...

Page 320: ...on information for the area to update the authentication type used by these interfaces and virtual links Alternatively you can override the default in any interface or virtual link by selecting a specific authentication method Please see the respective interface sections for more information None uses no authentication Text uses a plain text password that is sent over the network not very secure M...

Page 321: ...Configuration Object Service Service Group 2 Select the Default_Allow_WAN_To_ZyWALL rule and click Edit 3 Move BGP from Available to Member 4 Click OK Figure 219 Allow BGP to the Zyxel Device 10 8 2 Configuring the BGP Screen Use this screen to configure BGP information about the Zyxel Device and its peer BGP routers Click Configuration Network Routing BGP to open the following screen ...

Page 322: ...ng BGP routers supported by the Zyxel Device is 5 Add Click this to configure BGP criteria for a new peer BGP router Edit Double click an entry or select it and click Edit to open a screen where you can modify the entry s settings Remove To remove an entry select it and click Remove The Zyxel Device confirms you want to remove it before doing so This field is a sequential value and it is not assoc...

Page 323: ...BGP route Apply Click this button to save your changes to the Zyxel Device Reset Click this button to return the screen to its last saved settings Table 131 Configuration Network Routing Protocol BGP continued LABEL DESCRIPTION Table 132 Configuration Network Routing Protocol BGP LABEL DESCRIPTION IP Address Type the IP address of the interface on the peer BGP router AS Number Type a number from 1...

Page 324: ...long Weight Specify a weight value for all routes learned from this peer BGP router in the specified network The route with the highest weight gets preference Keepalive Time Keepalive messages are sent by the Zyxel Device to a peer BGP router to inform it that the BGP connection between the two is still active The Keepalive Time is the interval between each Keepalive message sent by the Zyxel Devi...

Page 325: ...e CE in Configuration Network Routing BGP Note The Zyxel Device can only belong to one AS at a time 2 Configure the AS number and BGP criteria of the peer BGP routers PE in the neighboring AS in Configuration Network Routing BGP Add Neighbors Note The maximum number of neighboring BGP routers supported by the Zyxel Device is 5 3 Configure the network for BGP routes in the neighboring AS Note You m...

Page 326: ...te You must have a public WAN IP address to use Dynamic DNS You must set up a dynamic DNS account with a supported DNS service provider before you can use Dynamic DNS services with the Zyxel Device When registration is complete the DNS service provider gives you a password or key At the time of writing the Zyxel Device supports the following DNS service providers See the listed websites for detail...

Page 327: ...e Name This field displays the descriptive profile name for this entry DDNS Type This field displays which DDNS service you are using Domain Name This field displays each domain name the Zyxel Device can route Primary Interface IP This field displays the interface to use for updating the IP address mapped to the domain name followed by how the Zyxel Device determines the IP address for the domain ...

Page 328: ...edit the configuration of an existing domain name Click Configuration Network DDNS and then an Add or Edit icon to open this screen Figure 224 Configuration Network DDNS Add Apply Click this button to save your changes to the Zyxel Device Reset Click this button to return the screen to its last saved settings Table 134 Configuration Network DDNS continued LABEL DESCRIPTION ...

Page 329: ...ut the first character cannot be a number This value is case sensitive This field is read only when you are editing an entry DDNS Type Select the type of DDNS service you are using Select User custom to create your own DDNS service and configure the DYNDNS Server URL and Additional DDNS Options fields below HTTPS Select this to encrypt traffic using SSL port 443 including traffic with username and...

Page 330: ... DDNS server Custom IP This field is only available when the IP Address is Custom Type the IP address to use for the domain name Backup Binding Address Use these fields to set an alternate interface to map the domain name to when the interface specified by the Primary Binding Interface settings is not available Interface Select the interface to use for updating the IP address mapped to the domain ...

Page 331: ...ain the DynDNS server delivers the mail to you See www dyndns org for more information about this service DYNDNS Server This field displays when you select User custom from the DDNS Type field above Type the IP address of the server that will host the DDSN service URL This field displays when you select User custom from the DDNS Type field above Type the URL that can be used to access the server t...

Page 332: ...n the example and assign a default server IP address of 192 168 1 35 to a third C in the example You assign the LAN IP addresses and the ISP assigns the WAN IP address The NAT network appears as a single host on the Internet Figure 226 Multiple Servers Behind NAT Example 12 1 1 What You Can Do in this Chapter Use the NAT screens see Section 12 2 on page 333 to view and manage the list of NAT rules...

Page 333: ...te Login Protocol 23 TCP Telnet 25 TCP Simple Mail Transfer Protocol SMTP 42 UDP Host Name Server Nameserv 43 TCP WhoIs 53 TCP UDP Domain Name System DNS 67 UDP BOOTP DHCP server 68 UDP BOOTP DHCP client 69 UDP Trivial File Transfer Protocol TFTP 79 TCP Finger 80 TCP HTTP 110 TCP POP3 119 TCP Newsgroup NNTP 123 UDP Network Time Protocol NTP 135 TCP UDP RPC Locator service 137 TCP UDP NetBIOS Name ...

Page 334: ...d click Remove The Zyxel Device confirms you want to remove it before doing so Activate To turn on an entry select it and click Activate Inactivate To turn off an entry select it and click Inactivate Move To change a rule s position in the numbered list select the rule and click Move to display a field to type a number for where you want to put that rule and press ENTER to move the rule to the num...

Page 335: ...k if there is no restriction on the original destination port Internal Port This field displays the new destination port s for the packet This field is blank if there is no restriction on the original destination port Apply Click this button to save your changes to the Zyxel Device Reset Click this button to return the screen to its last saved settings Table 137 Configuration Network NAT continued...

Page 336: ... interface User Defined Select this to manually enter an IP address in the User Defined field For example you could enter a static public IP assigned by the ISP without having to create a virtual interface for it Host address select a host address object to use the IP address it specifies The list also includes address objects based on interface IPs So for example you could select an address objec...

Page 337: ...r the end of the range of translated destination ports if this NAT rule forwards the packet The original port range and the mapped port range must be the same size Enable NAT Loopback Enable NAT loopback to allow users connected to any interface instead of just the specified Incoming Interface to use the NAT rule s specified External IP address to access the Internal IP device For users connected ...

Page 338: ...mple a LAN user s computer at IP address 192 168 1 89 queries a public DNS server to resolve the SMTP server s domain name xxx LAN SMTP com in this example and gets the SMTP server s mapped public IP address of 1 1 1 1 Figure 229 LAN Computer Queries a Public DNS Server The LAN user s computer then sends traffic to IP address 1 1 1 1 NAT loopback uses the IP address of the Zyxel Device s LAN inter...

Page 339: ...e matches the original destination address 1 1 1 1 If the SMTP server replied directly to the LAN user without the traffic going through NAT the source would not match the original destination address which would cause the LAN user s computer to shut down the session Figure 231 LAN to LAN Return Traffic 192 168 1 21 LAN 192 168 1 89 Source 192 168 1 89 SMTP NAT Source 192 168 1 1 SMTP 192 168 1 21...

Page 340: ...he a policy route allows it to access the Internet to get them from a server Proxy server A then forwards the response to the client Figure 232 HTTP Redirect Example 13 1 2 SMTP Redirect SMTP redirect forwards the authenticated client s SMTP message to a SMTP server that handles all outgoing email messages In the following example SMTP server A is connected to the lan2 interface in the LAN2 zone W...

Page 341: ...application layer gateway between the private network and the Internet or other networks It also keeps hackers from knowing internal IP addresses A client connects to a web proxy server each time he she wants to access the Internet The web proxy provides caching service to allow quick access and reduce network usage The proxy checks its local cache for the requested web resource first If it is not...

Page 342: ... forward HTTP traffic from proxy server A to the Internet SMTP Simple Mail Transfer Protocol SMTP is the Internet s message transport standard It controls the sending of email messages between servers Email clients also called email applications then use mail server protocols such as POP Post Office Protocol or IMAP Internet Message Access Protocol to retrieve email Email clients also generally us...

Page 343: ...MTP redirect rule for each incoming interface Figure 234 Configuration Network Redirect Service The following table describes the labels in this screen Table 139 Configuration Network Redirect Service LABEL DESCRIPTION Add Click this to create a new entry Edit Double click an entry or select it and click Edit to open a screen where you can modify the entry s settings Remove To remove an entry sele...

Page 344: ...oup This is the user account or user group name to which this rule is applied Interface This is the interface on which the request must be received Source Address This is the name of the source IP address object from which the traffic should be sent If any displays the rule is effective for every source Server This is the IP address of the HTTP proxy server or the SMTP server to which the matched ...

Page 345: ...ber This value is case sensitive Criteria User Select the user account or user group name to which this rule is applied Interface Select the interface on which the request must be received for the Zyxel Device to forward it to the specified server Source Address Select the name of the source IP address object from which the traffic should be sent Select any for the rule to be effective for every s...

Page 346: ... SIP signaling 1 and audio 2 sessions between SIP clients A and B and the SIP server Figure 236 SIP ALG Example The ALG feature is only needed for traffic that goes through the Zyxel Device s NAT 14 1 1 What You Need to Know Application Layer Gateway ALG NAT and Security Policy The Zyxel Device can function as an Application Layer Gateway ALG to allow certain NAT un friendly applications such as S...

Page 347: ...ons between H 323 devices A and B Figure 237 H 323 ALG Example SIP ALG SIP phones can be in any zone including LAN DMZ WAN and the SIP server and SIP clients can be in the same network or different networks The SIP server cannot be on the LAN It must be on the WAN or the DMZ There should be only one SIP server total on the Zyxel Device s private networks Any other SIP servers must be on the WAN So...

Page 348: ...P addresses For example you configure the security policy and NAT to allow LAN IP address A to receive calls from the Internet through WAN IP address 1 You also use a policy route to have LAN IP address A make calls out through WAN IP address 1 Configure another policy route to have H 323 or SIP calls from LAN IP addresses B and C go out through WAN IP address 2 Even though only LAN IP address A c...

Page 349: ...Begin You must also configure the security policy and enable NAT in the Zyxel Device to allow sessions initiated from the WAN 14 2 The ALG Screen Click Configuration Network ALG to open the ALG screen Use this screen to turn ALGs off or on configure the port numbers to which they apply and configure SIP ALG time outs Note If the Zyxel Device provides an ALG for a service you must enable the ALG in...

Page 350: ... payload You do not need to use this if you have a SIP device or server that will modify IP addresses and port numbers embedded in the SIP data payload Enable Configure SIP Inactivity Timeout Select this option to have the Zyxel Device apply SIP media and signaling inactivity time out limits These timeouts will take priority over the SIP session time out Expires value in a SIP registration respons...

Page 351: ... s NAT Enabling the H 323 ALG also allows you to use the application patrol to detect H 323 traffic and manage the H 323 traffic s bandwidth see Chapter 26 on page 496 Enable H 323 Transformations Select this to have the Zyxel Device modify IP addresses and port numbers embedded in the H 323 data payload You do not need to use this if you have a H 323 device or server that will modify IP addresses...

Page 352: ... to passive in order to have the connection go through the second interface VoIP clients usually re register automatically at set intervals or the users can manually force them to re register FTP File Transfer Protocol FTP is an Internet file transfer service that operates on the Internet and over TCP IP networks A system running the FTP server accepts commands from a system running an FTP client ...

Page 353: ...han UPnP IGD and mainly designed for small home networks It allows a client behind a NAT router to retrieve the router s public IP address and port number and make them known to the peer device with which it wants to communicate The client can automatically configure the NAT router to create a port mapping to allow the peer to contact it 15 2 What You Need to Know UPnP hardware is identified as an...

Page 354: ...environments When a UPnP or NAT PMP device joins a network it announces its presence with a multicast message For security reasons the Zyxel Device allows multicast messages on the LAN only All UPnP enabled or NAT PMP enabled devices may communicate freely with each other without additional configuration Disable UPnP or NAT PMP if this is not your intention 15 3 UPnP Screen Use this screen to enab...

Page 355: ... NAT PMP application to open the web configurator s login screen without entering the Zyxel Device s IP address although you must still enter the password to access the web configurator Allow UPnP or NAT PMP to pass through Firewall Select this check box to allow traffic from UPnP enabled or NAT PMP enabled applications to bypass the security policy Clear this check box to have the security policy...

Page 356: ...ed Sharing Settings 3 Select Turn on network discovery and click Save Changes Network discovery allows your computer to find other computers and devices on the network and other computers on the network to find your computer This makes it easier to share files and printers ...

Page 357: ...on your computer and the Zyxel Device 15 4 2 1 Auto discover Your UPnP enabled Network Device 1 Click start and Control Panel Double click Network Connections An icon displays under Internet Gateway 2 Right click the icon and select Properties Figure 242 Network Connections 3 In the Internet Connection Properties window click Settings to see the port mappings there were automatically created Figur...

Page 358: ...Advanced Settings Add Note When the UPnP enabled device is disconnected from your computer all port mappings will be deleted automatically 5 Select Show icon in notification area when connected option and click OK An icon displays in the system tray Figure 246 System Tray Icon 6 Double click on the icon to display your current Internet connection status ...

Page 359: ...the web based configurator on the Zyxel Device without finding out the IP address of the Zyxel Device first This comes helpful if you do not know the IP address of the Zyxel Device Follow the steps below to access the web configurator 1 Click Start and then Control Panel 2 Double click Network Connections 3 Select My Network Places under Other Places ...

Page 360: ...evice displays under Local Network 5 Right click on the icon for your Zyxel Device and select Invoke The web configurator login screen displays Figure 249 Network Connections My Network Places 6 Right click on the icon for your Zyxel Device and select Properties A properties window displays with basic information about the Zyxel Device ...

Page 361: ...Chapter 15 UPnP ZyWALL ATP Series User s Guide 361 Figure 250 Network Connections My Network Places Properties Example ...

Page 362: ...address 192 168 1 27 and use static DHCP to assign it to Tim s computer s MAC address of 12 34 56 78 90 AB IP MAC binding drops traffic from any computer trying to use IP address 192 168 1 27 with another MAC address Figure 251 IP MAC Binding Example 16 1 1 What You Can Do in this Chapter Use the Summary and Edit screens Section 16 2 on page 363 to bind IP addresses to MAC addresses Use the Exempt...

Page 363: ...work IP MAC Binding Summary The following table describes the labels in this screen Table 143 Configuration Network IP MAC Binding Summary LABEL DESCRIPTION Edit Double click an entry or select it and click Edit to open a screen where you can modify the entry s settings Activate To turn on an entry select it and click Activate Inactivate To turn off an entry select it and click Inactivate This fie...

Page 364: ...and subnet mask Enable IP MAC Binding Select this option to have this interface enforce links between specific IP addresses and specific MAC addresses This stops anyone else from manually using a bound IP address on another device connected to this interface Use this to make use only the intended users get to use specific IP addresses Enable Logs for IP MAC Binding Violation Select this option to ...

Page 365: ...h the Zyxel Device assigns the entry s IP address Description This helps identify the entry OK Click OK to save your changes back to the Zyxel Device Cancel Click Cancel to exit this screen without saving Table 144 Configuration Network IP MAC Binding Edit continued LABEL DESCRIPTION Table 145 Configuration Network IP MAC Binding Edit Add LABEL DESCRIPTION Interface Name This field displays the na...

Page 366: ...an entry or select it and click Edit to modify the entry s settings Remove To remove an entry select it and click Remove The Zyxel Device confirms you want to remove it before doing so This is the index number of the IP MAC binding list entry Name Enter a name to help identify this entry Start IP Enter the first IP address in a range of IP addresses for which the Zyxel Device does not apply IP MAC...

Page 367: ...the Vlan1 The IP address of network printer C is added to the white list With this setting the connected AP then cannot communicate with the PC D but can access the network printer C server B wireless client A and the Internet Figure 256 Layer 2 Isolation Application 17 1 1 What You Can Do in this Chapter Use the General screen Section 17 2 on page 367 to enable layer 2 isolation on the Zyxel Devi...

Page 368: ...Enable Layer2 Isolation Select this option to turn on the layer 2 isolation feature on the Zyxel Device Note You can enable this feature only when the security policy is enabled Member List The Available list displays the name s of the internal interface s on which you can enable layer 2 isolation To enable layer 2 isolation on an interface you can double click a single entry to move it or use the...

Page 369: ... Select this option to turn on the white list on the Zyxel Device Note You can enable this feature only when the security policy is enabled Add Click this to add a new rule Edit Click this to edit the selected rule Remove Click this to remove the selected rule Activate To turn on an entry select it and click Activate Inactivate To turn off an entry select it and click Inactivate This field is a se...

Page 370: ...ayer 2 Isolation White List Add Edit LABEL DESCRIPTION Enable Select this option to turn on the rule Host IP Address Enter an IPv4 address associated with this rule Description Specify a description for the IP address associated with this rule Enter up to 60 characters spaces and underscores allowed OK Click OK to save your changes back to the Zyxel Device Cancel Click Cancel to exit this screen w...

Page 371: ...query message and responds to it with the WAN2 s IP address 2 2 2 2 because the WAN2 has the least load at that moment Another Internet host B also sends a DNS query message to ask where www example com is The Zyxel Device responds to it with the WAN1 s IP address 1 1 1 1 since WAN1 has the least load this time Figure 260 DNS Load Balancing Example 18 1 1 What You Can Do in this Chapter Use the In...

Page 372: ...is to enable DNS load balancing Configuration Add Click this to create a new entry Edit Double click an entry or select it and click Edit to open a screen where you can modify the entry s settings Remove To remove an entry select it and click Remove The Zyxel Device confirms you want to remove it before doing so Activate To turn on an entry select it and click Activate Inactivate To turn off an en...

Page 373: ...he Zyxel Device uses for this DNS load balancing rule Weighted Round Robin Each member interface is assigned a weight An interface with a larger weight gets more chances to transmit traffic than an interface with a smaller weight For example if the weight ratio of wan1 and wan2 interfaces is 2 1 the Zyxel Device chooses wan1 for 2 sessions traffic and wan2 for 1 session s traffic in each round of ...

Page 374: ...mends DNS request hosts to keep the DNS entry in their caches before removing it Enter 0 to have the Zyxel Device not recommend this so the DNS request hosts will follow their DNS server s TTL setting Query From Setting IP Address Select the name of an P address object including geographic address object of a computer or a DNS server which makes the DNS queries upon which to apply this rule DNS se...

Page 375: ...rface which is handling the least amount of incoming traffic Select Least Load Total to have the Zyxel Device choose the member interface which is handling the least amount of outgoing and incoming traffic Failover IP Address Enter an alternate IP address with which the Zyxel Device will respond to a DNS query message when the load balancing algorithm cannot find any available interface Add Click ...

Page 376: ...s Static dynamically assigned Dynamic or obtained from a DHCP server DHCP Client as well as the IP address and subnet mask Weight This field is available if you selected Weighted Round Robin for the load balancing algorithm Specify the weight of the member interface An interface with a larger weight gets more chances to transmit traffic than an interface with a smaller weight IP Address Same as Mo...

Page 377: ... IPnP feature does not apply to a computer using either a dynamic IP address or a static IP address that is in the same subnet as the Zyxel Device s IP address Note You must enable NAT to use the IPnP feature The following figure depicts a scenario where a computer is set to use a static private IP address in the corporate environment In a residential house where a Zyxel Device is installed you ca...

Page 378: ...ure on the Zyxel Device Note You can enable this feature only when the security policy is enabled Member List The Available list displays the name s of the internal interface s on which you can enable IPnP To enable IPnP on an interface you can double click a single entry to move it or use the Shift or Ctrl key to select multiple entries and click the right arrow button to add to the Member list T...

Page 379: ...PSec VPN connections into one secure network Here local Zyxel Device X uses an IPSec VPN tunnel to remote peer Zyxel Device Y to connect the local A and remote B networks Figure 266 IPSec VPN Example Internet Key Exchange IKE IKEv1 and IKEv2 The Zyxel Device supports IKEv1 and IKEv2 for IPv4 and IPv6 traffic IKE Internet Key Exchange is a protocol used in setting up security associations that allo...

Page 380: ... and IKEv1 supports X Auth EAP is important when connecting to existing enterprise authentication systems IKEv2 always uses NAT traversal and Dead Peer Detection DPD but they can be disabled in IKEv1 using Zyxel Device firmware the default is on Configuration payload includes the IP address pool in the VPN setup data is supported in IKEv2 off by default but not in IKEv1 Narrowed is supported in IK...

Page 381: ... see Section 20 2 1 on page 386 to manage the Zyxel Device s VPN gateways A VPN gateway specifies the IPSec routers at either end of a VPN tunnel and the IKE SA settings phase 1 settings You can also activate and deactivate each VPN gateway Use the VPN Concentrator screens see Section 20 4 on page 401 to combine several IPSec VPN connections into a single secure network Use the Configuration Provi...

Page 382: ... data with a computer in network B Inside networks A and B the data is transmitted the same way data is normally transmitted in the networks Between routers X and Y the data is protected by tunneling encryption authentication and other security features of the IPSec SA The IPSec SA is secure because routers X and Y established the IKE SA first ...

Page 383: ...hind the remote IPSec router This Zyxel Device must have a static IP address or a domain name Only the remote IPSec router can initiate the VPN tunnel Choose this to allow incoming connections from IPSec VPN clients The clients have dynamic IP addresses and are also known as dial in users You don t specify the addresses of the client IPSec routers or the remote policy This creates a dynamic IPSec ...

Page 384: ...s in server mode you should set up the authentication method AAA server first The authentication method specifies how the Zyxel Device authenticates the remote IPSec router In a VPN gateway the Zyxel Device and remote IPSec router can use certificates to authenticate each other Make sure the Zyxel Device and the remote IPSec router will trust each other s certificates 20 2 The VPN Connection Scree...

Page 385: ...the Zyxel Device automatically obtain source and destination addresses for all dynamic IPSec rules Ignore Don t Fragment setting in packet header Select this to fragment packets larger than the MTU Maximum Transmission Unit that have the Don t Fragment bit in the IP header turned on When you clear this the Zyxel Device drops packets larger than the MTU that have the Don t Fragment bit in the heade...

Page 386: ...on Status The activate light bulb icon is lit when the entry is active and dimmed when the entry is inactive The connect icon is lit when the interface is connected and dimmed when it is disconnected Name This field displays the name of the IPSec SA VPN Gateway This field displays the VPN gateway in use for this VPN connection Gateway IP Version This field displays what IP version the associated V...

Page 387: ...Chapter 20 IPSec VPN ZyWALL ATP Series User s Guide 387 Figure 271 Configuration VPN IPSec VPN VPN Connection Add Edit ...

Page 388: ...re TCP or UDP packets that enable a computer to connect to and communicate with a LAN It may sometimes be necessary to allow NetBIOS packets to pass through IPSec SAs in order to allow local computers to find computers on the remote network and vice versa MSS Adjustment Select Custom Size to set a specific number of bytes for the Maximum Segment Size MSS meaning the largest amount of data in a sin...

Page 389: ...c tunnel Policy Enforcement Clear this to allow traffic with source and destination IP addresses that do not match the local and remote policy to use the VPN tunnel Leave this cleared for free access between the local and remote networks Selecting this restricts who can use the VPN tunnel The Zyxel Device drops traffic with source and destination IP addresses that do not match the local and remote...

Page 390: ...H RFC 2402 provides integrity authentication sequence integrity replay resistance and non repudiation but not encryption If you select AH you must select an Authentication algorithm ESP RFC 2406 provides encryption and the same services offered by AH but its authentication is weaker If you select ESP you must select an Encryption algorithm and Authentication algorithm Both AH and ESP increase proc...

Page 391: ...dom number DH2 enable PFS and use a 1024 bit random number DH5 enable PFS and use a 1536 bit random number DH14 enable PFS and use a 2048 bit random number PFS changes the root key that is used to generate encryption keys for each IPSec SA The longer the key the more secure the encryption but also the longer it takes to encrypt and decrypt information Both routers must use the same DH key group PF...

Page 392: ... address range SNAT Destination Select the address object that represents the original destination address or select Create Object to configure a new one This is the address object for the remote network SNAT Select the address object that represents the translated source address or select Create Object to configure a new one This is the address object for the local network The size of the origina...

Page 393: ...uted Original IP Select the address object that represents the original destination address This is the address object for the remote network Mapped IP Select the address object that represents the desired destination address For example this is the address object for the mail server Protocol Select the protocol required to use this translation Choices are TCP UDP or All Original Port Start Origin...

Page 394: ...ry and click References to open a screen that shows which settings use the entry See Section 9 3 4 on page 230 for an example This field is a sequential value and it is not associated with a specific VPN gateway Status The activate light bulb icon is lit when the entry is active and dimmed when the entry is inactive Name This field displays the name of the VPN gateway My address This field display...

Page 395: ...Chapter 20 IPSec VPN ZyWALL ATP Series User s Guide 395 Figure 273 Configuration VPN IPSec VPN VPN Gateway Add Edit ...

Page 396: ...ace If you select Domain Name IP enter the domain name or the IP address of the Zyxel Device The IP address of the Zyxel Device in the IKE SA is the specified IP address or the IP address corresponding to the domain name 0 0 0 0 is not generally recommended as it has the Zyxel Device accept IPSec requests destined for any interface address on the Zyxel Device Peer Gateway Address Select how the IP...

Page 397: ...o access the same VPN gateway policy with one to one authentication and strong encryption Access can be denied on a per user basis thus allowing VPN SA user based policies Click User Based PSK then select a user or group object who is allowed VPN SA access using this VPN gateway policy This is for IKEv1 only Local ID Type This field is read only if the Zyxel Device and remote IPSec router use cert...

Page 398: ...lternative name field see the note at the end of this description DNS subject alternative name field E mail subject alternative name field Subject Name subject name maximum 255 ASCII characters including spaces Note If Peer ID Type is IP please read the rest of this section If you type 0 0 0 0 the Zyxel Device uses the IP address specified in the Secure Gateway Address field This is not recommende...

Page 399: ...e the encryption but also the longer it takes to encrypt and decrypt information Both routers must use the same DH key group NAT Traversal Select this if any of these conditions are satisfied This IKE SA might be used to negotiate IPSec SAs that use ESP as the active protocol There are one or more NAT routers between the Zyxel Device and remote IPSec router and these routers do not support IPSec p...

Page 400: ...II characters It is case sensitive but spaces are not allowed Retype to Confirm Type the exact same password again here to make sure an error was not made when typing it originally Extended Authentication Protocol This displays when using IKEv2 EAP uses a certificate for authentication Enable Extended Authentication Protocol Select this if one of the routers the Zyxel Device or the remote IPSec ro...

Page 401: ...oint so a VPN concentrator is not as appropriate if the connection between spoke routers cannot be down occasionally maintenance for example There is also more burden on the hub router It receives VPN traffic from one spoke decrypts it inspects it to find out to which spoke to route it encrypts it and sends it to the appropriate spoke Therefore a VPN concentrator is more suitable when there is a m...

Page 402: ...e or edit a VPN concentrator To access this screen go to the VPN Concentrator summary screen see Section 20 4 on page 401 and click either the Add icon or an Edit icon Table 159 Configuration VPN IPSec VPN Concentrator LABEL DESCRIPTION IPv4 IPv6 Configuration Choose to configure for IPv4 or IPv6 traffic Add Click this to create a new entry Edit Select an entry and click this to be able to modify ...

Page 403: ...H active protocol NULL encryption SHA512 authentication Table 160 VPN IPSec VPN Concentrator Add Edit LABEL DESCRIPTION Name Enter the name of the concentrator You may use 1 31 alphanumeric characters underscores _ or dashes but the first character cannot be a number This value is case sensitive Member Select the concentrator s IPSec VPN connection policies Note You must disable policy enforcement...

Page 404: ...s using the Zyxel Device IPSec VPN client Client Authentication Method Choose how users should be authenticated They can be authenticated using the local database on the Zyxel Device or an external authentication database such as LDAP Active Directory or RADIUS default is a method you configured in Object Auth Method You may configure multiple methods there If you choose the local database on the ...

Page 405: ...ry click Move type the number where the entry should be moved press ENTER then click Apply Status This icon shows if the entry is active yellow or not gray VPN rule settings can only be retrieved when the entry is activated and Enable Configuration Provisioning is also selected Priority Priority shows the order of the entry in the list Entry order is important as the Zyxel Device searches entries ...

Page 406: ...e encryption algorithm authentication algorithm and Diffie Hellman DH key group that the Zyxel Device and remote IPSec router use in the IKE SA In main mode this is done in steps 1 and 2 as illustrated next Figure 278 IKE SA Main Negotiation Mode Steps 1 2 IKE SA Proposal The Zyxel Device sends one or more proposals to the remote IPSec router In some devices you can only set up one proposal Each p...

Page 407: ...e information about DH key groups Diffie Hellman DH Key Exchange The Zyxel Device and the remote IPSec router use DH public key cryptography to establish a shared secret The shared secret is then used to generate encryption keys for the IKE SA and IPSec SA In main mode this is done in steps 3 and 4 as illustrated next Figure 279 IKE SA Main Negotiation Mode Steps 3 4 DH Key Exchange DH public key ...

Page 408: ... them must store two sets of information one for themselves and one for the other router Local ID type and content refers to the ID type and content that applies to the router itself and peer ID type and content refers to the ID type and content that applies to the other router Note The Zyxel Device s local and peer ID type and content must match the remote IPSec router s peer and local ID type an...

Page 409: ...a Diffie Hellman key exchange based on the accepted DH key group to establish a shared secret Steps 5 6 Finally the Zyxel Device and the remote IPSec router generate an encryption key from the shared secret encrypt their identities and exchange their encrypted identity information for authentication In contrast aggressive mode only takes three steps to establish an IKE SA Aggressive mode does not ...

Page 410: ...on the Zyxel Device and remote IPSec router Configure the NAT router to forward packets with the extra header unchanged See the field description for detailed information about the extra header The extra header may be UDP port 500 or UDP port 4500 depending on the standard s the Zyxel Device and remote IPSec router support X Auth Extended Authentication X Auth Extended authentication is often used...

Page 411: ...te Network In an IPSec SA the local network the one s connected to the Zyxel Device may be called the local policy Similarly the remote network the one s connected to the remote IPSec router may be called the remote policy Active Protocol The active protocol controls the format of each packet It also specifies how much of each packet is protected by the encryption and authentication algorithms IPS...

Page 412: ... exchange every time an IPSec SA is established This is called Perfect Forward Secrecy PFS If you enable PFS the Zyxel Device and remote IPSec router perform a DH key exchange every time an IPSec SA is established changing the root key from which encryption keys are generated As a result if one encryption key is compromised other encryption keys remain secure If you do not enable PFS the Zyxel Dev...

Page 413: ... in Outbound Packets Outbound Traffic Source NAT This translation lets the Zyxel Device route packets from computers that are not part of the specified local network local policy through the IPSec SA For example in Figure 283 on page 413 you have to configure this kind of translation if you want computer M to establish a connection with any computer in the remote network B If you do not configure ...

Page 414: ...his kind of NAT The Zyxel Device checks these rules similar to the way it checks rules for a security policy The first part of these rules define the conditions in which the rule apply Original IP the original destination address the remote network B Protocol the protocol TCP UDP or both used by the service requesting the connection Original Port the original destination port or range of destinati...

Page 415: ...layed on the remote user screen 21 1 2 What You Need to Know Full Tunnel Mode In full tunnel mode a virtual connection is created for remote users with private IP addresses in the same subnet as the local network This allows them to access network resources in the same way as if they were part of the internal network Figure 285 Network Access Mode Full Tunnel Mode SSL Access Policy An SSL access p...

Page 416: ...ion walkthroughs troubleshooting and other information Figure 286 VPN SSL VPN Access Privilege Table 164 Objects OBJECT TYPE OBJECT SCREEN DESCRIPTION User Accounts User Account User Group Configure a user account or user group to which you want to apply this SSL access policy Application SSL Application Configure an SSL application object to specify the type of application and the address of the ...

Page 417: ...ing so Activate To turn on an entry select it and click Activate Inactivate To turn off an entry select it and click Inactivate Move To move an entry to a different number in the list click the Move icon In the field that appears specify the number to which you want to move the interface References Select an entry and click References to open a screen that shows which settings use the entry Click ...

Page 418: ... in this screen Configuration Enable Policy Select this option to activate this SSL access policy Name Enter a descriptive name to identify this policy You can enter up to 31 characters a z A Z 0 9 with no spaces allowed Zone Select the zone to which to add this SSL access policy You use zones to apply security settings such as security policy and remote management Description Enter additional inf...

Page 419: ...pplications as defined by the VPN tunnel s selected SSL application settings and the remote user computers are not made to be a part of the local network Force all client traffic to SSL VPN tunnel Select this to send all traffic from the SSL VPN clients through the SSL VPN tunnel This replaces the default gateway of the SSL VPN clients with the SSL VPN gateway NetBIOS broadcast over SSL VPN Tunnel...

Page 420: ...ABEL DESCRIPTION Global Setting Network Extension Local IP Specify the IP address of the Zyxel Device or a gateway device for full tunnel mode SSL VPN access Leave this field to the default settings unless it conflicts with another interface Apply Click Apply to save the changes and or start the logo file upload process Reset Click Reset to return the screen to its last saved settings ...

Page 421: ...ttings Use the VPN Setup Wizard screen in Quick Setup Chapter 4 on page 70 to configure the Zyxel Device s L2TP VPN settings 22 1 2 What You Need to Know The Layer 2 Tunneling Protocol L2TP works at layer 2 the data link layer to tunnel network traffic between two peers over another network like the Internet In L2TP VPN an IPSec VPN tunnel is established first and then an L2TP tunnel is built insi...

Page 422: ... of the traffic from the L2TP clients needs to go to the Internet you will need to create a policy route to send that traffic from the L2TP tunnels out through a WAN trunk This task can be easily performed by clicking the Allow L2TP traffic through WAN checkbox at Quick Setup VPN Setup Allow L2TP traffic through WAN Figure 290 Policy Route for L2TP VPN 22 2 L2TP VPN Screen Click Configuration VPN ...

Page 423: ...g this VPN connection or the VPN gateway that it uses disconnects any existing L2TP VPN sessions IP Address Pool Select the pool of IP addresses that the Zyxel Device uses to assign to the L2TP VPN clients Use Create new Object if you need to configure a new pool of IP addresses This should not conflict with any WAN LAN DMZ or WLAN subnet even if they are not in use Authentication Method Select ho...

Page 424: ...el Device sends a Hello message after waiting this long without receiving any traffic from the remote user The Zyxel Device disconnects the VPN tunnel if the remote user does not respond First DNS Server Second DNS Server Specify the IP addresses of DNS servers to assign to the remote users You can specify these IP addresses two ways Custom Defined enter a static IP address From ISP use the IP add...

Page 425: ...nection and click Add for IPv4 Configuration to create a new VPN connection 3 Select Remote Access Server Role as the VPN scenario for the remote client 4 Select the NAT router WAN IP address object as the Local Policy 5 Go to Configuration VPN L2TP VPN and select the VPN Connection just configured ...

Page 426: ...y routes has priority over TCP and UDP traffic policies If you want to use a service make sure both the security policy allow the service s packets to go through the Zyxel Device Note The Zyxel Device checks security policies before it checks bandwidth management rules for traffic going through the Zyxel Device Bandwidth management examines every TCP and UDP connection passing through the Zyxel De...

Page 427: ...ary DiffServ compliant network devices to handle the packets differently depending on the code points without the need to negotiate paths or remember state information for every flow In addition applications do not have to request a particular service or give advanced notice of where the traffic is going Connection and Packet Directions Bandwidth management looks at the connection direction that i...

Page 428: ...on the LAN1 so outbound means the traffic traveling from the LAN1 to the WAN Each of the WAN zone s two interfaces can send the limit of 200 kbps of traffic Inbound traffic is limited to 500 kbs The connection initiator is on the LAN1 so inbound means the traffic traveling from the WAN to the LAN1 Figure 295 LAN1 to WAN Outbound 200 kbps Inbound 500 kbps Bandwidth Management Priority The Zyxel Dev...

Page 429: ... a larger portion of the unused bandwidth Bandwidth Management Behavior The following sections show how bandwidth management behaves with various settings For example you configure DMZ to WAN policies for FTP servers A and B Each server tries to send 1000 kbps but the WAN is set to a maximum outgoing speed of 1000 kbps You configure policy A for server A s traffic and policy B for server B s traff...

Page 430: ...rent priorities as shown here as a configuration error Even though the Zyxel Device still attempts to let all traffic get through and not be lost regardless of its priority server B gets almost no bandwidth with this configuration 23 2 The Bandwidth Management Configuration The Bandwidth management screens control the bandwidth allocation for TCP and UDP traffic You can use source interface destin...

Page 431: ...t an entry and click this to delete it Activate To turn on an entry select it and click Activate Inactivate To turn off an entry select it and click Inactivate Move To change an entry s position in the numbered list select it and click Move to display a field to type a number for where you want to put that entry and press ENTER to move the entry to the number that you typed Status The activate lig...

Page 432: ...nection s initiator If no displays here this policy does not apply bandwidth management for the inbound traffic Out This is how much outgoing bandwidth in kilobits per second this policy allows the matching traffic to use Outbound refers to the traffic the Zyxel Device sends out from a connection s initiator If no displays here this policy does not apply bandwidth management for the outbound traff...

Page 433: ...ation Bandwidth Management screen see Section 23 2 on page 430 and click either the Add icon or an Edit icon Figure 298 Configuration Bandwidth Management Edit For the Default Policy Table 174 Single Tagged 802 1Q Frame Format DA SA TPID Priority VID Len Etype Data FCS IEEE 802 1Q customer tagged frame Table 175 802 1Q Frame DA Destination Address Priority 802 1p Priority SA Source Address Len Ety...

Page 434: ...screen Configuration Enable Select this check box to turn on this policy Description Enter a description of this policy It is not used elsewhere You can use alphanumeric and _ characters and it can be up to 60 characters long Criteria Use this section to configure the conditions of traffic to which this policy applies BWM Type This field displays the below types of BWM rule Shared when the policy ...

Page 435: ...ually best effort traffic The af choices stand for Assured Forwarding The number following the af identifies one of four classes and one of three drop preferences User DefinedDSCP Code Use this field to specify a custom DSCP code point Service Type Select Service Object or Application Object if you want a specific service defined in a service object or application patrol service to which the polic...

Page 436: ...ffic with a lower priority The Zyxel Device uses a fairness based round robin scheduler to divide bandwidth between traffic flows with the same priority The number in this field is ignored if the incoming and outgoing limits are both set to 0 In this case the traffic is automatically treated as being set to the lowest priority 7 regardless of this field s configuration Maximize Bandwidth Usage Thi...

Page 437: ...Address objects Click Configuration BWM Add Create New Object Add User to see the following screen Figure 300 Configuration BWM Create New Object Add User The following table describes the fields in the above screen Table 178 Configuration BWM Create New Object Add User LABEL DESCRIPTION User Name Type a user or user group object name of the rule User Type Select a user type from the drop down men...

Page 438: ...d it can be up to 60 characters long Authentication Timeout Settings Choose either Use Default setting option which shows the default Lease Time of 1 440 minutes and Reauthentication Time of 1 440 minutes or you can enter them manually by choosing Use Manual Settings option Lease Time This shows the Lease Time setting for the user by default it is 1 440 minutes Reauthentication Time This shows the...

Page 439: ...the schedule object of the rule Type Select an option from the drop down menu for the schedule object It will show One Time or Recurring Start Date Click the icon menu on the right to choose a Start Date for the schedule object Start Time Click the icon menu on the right to choose a Start Time for the schedule object Stop Date Click the icon menu on the right to choose a Stop Date for schedule obj...

Page 440: ...guration BWM Create New Object Add Address LABEL DESCRIPTION Name Enter a name for the Address object of the rule Address Type Select an Address Type from the drop down menu on the right The Address Types are Host Range Subnet Interface IP Interface Subnet and Interface Gateway IP Address Enter an IP address for the Address object OK Click OK to save the setting Cancel Click Cancel to abandon the ...

Page 441: ...or Internet As soon as a user attempt to open a web page the Zyxel Device reroutes his her browser to a web portal page that prompts him her to log in Figure 303 Web Authentication Example The web authentication page only appears once per authentication session Unless a user session times out or he she closes the connection he or she generally will not see it again during the same session 24 1 1 W...

Page 442: ...e the Zyxel Device to display the Login screen automatically whenever it routes HTTP traffic for anyone who has not logged in yet Note This works with HTTP traffic only The Zyxel Device does not display the Login screen when users attempt to send other kinds of traffic The Zyxel Device does not automatically route the request that prompted the login however so users have to make this request again...

Page 443: ...cates with the Zyxel Device through the specifically designated web portal or user agreement page Web Portal General Setting Enable Session Page Select this to display a page showing information on the user session after s he logs in It displays remaining time with an option to renew or log out immediately Logout IP Specify an IP address that users can use to terminate their sessions manually by e...

Page 444: ...Activate To turn on an entry select it and click Activate Inactivate To turn off an entry select it and click Inactivate Move To move an entry to a different number in the list click the Move icon In the field that appears specify the number to which you want to move the interface This field is a sequential value showing the number of the profile The profile order is not important Status This icon...

Page 445: ...rvice Authentication This field displays the authentication requirement for users when their traffic matches this policy unnecessary Users do not need to be authenticated required Users need to be authenticated They must manually go to the login screen or user agreement page The Zyxel Device will not redirect them to the login screen force Users need to be authenticated The Zyxel Device automatica...

Page 446: ... a descriptive name of up to 60 printable ASCII characters for the policy Spaces are allowed This field is available for user configured policies User Authentication Policy Use this section of the screen to determine which traffic requires or does not require the senders to be authenticated in order to be routed Incoming Interface Select the interface on which packets for this policy are received ...

Page 447: ...on requirement for users when their traffic matches this policy unnecessary Users do not need to be authenticated required Users need to be authenticated If Force User Authentication is selected all HTTP traffic from unauthenticated users is redirected to a default or user defined login page Otherwise they must manually go to the login screen The Zyxel Device will not redirect them to the login sc...

Page 448: ... users to the user groups 1 Click Configuration Object User Group Group Click the Add icon 2 Enter the name of the group In this example it is Finance Then select Object Leo and click the right arrow to move him to the Member list This example only has one member in this group so click OK Of course you could add more members later Figure 309 Configuration Object User Group Group Add 3 Repeat this ...

Page 449: ... Object AAA Server RADIUS Double click the radius entry Configure the RADIUS server s address authentication port 1812 if you were not told otherwise and key Click OK Figure 310 Configuration Object AAA Server RADIUS Add 2 Click Configuration Object Auth Method Double click the default entry Click the Add icon Select group radius because the Zyxel Device should use the specified RADIUS server for ...

Page 450: ...r to log into the Zyxel Device before the Zyxel Device routes traffic for them 5 Select Enable Policy Enter a descriptive name default_policy for example Set the Authentication field to required and make sure Force User Authentication is selected Select an authentication type profile default web portal in this example Keep the rest of the default settings and click OK Note The users must log in at...

Page 451: ...roups distinguished by the value of a specific attribute you can make a couple of slight changes in the configuration to have the RADIUS server authenticate groups of user accounts defined in the RADIUS server 1 Click Configuration Object AAA Server RADIUS Double click the radius entry Besides configuring the RADIUS server s address authentication port and key set the Group Membership Attribute fi...

Page 452: ...ntify groups based on the group identifier values Set up one user account for each group of user accounts in the RADIUS server Click Configuration Object User Group User Click the Add icon Enter a user name and set the User Type to ext group user In the Group Identifier field enter Finance Engineer Sales or Boss and set the Associated AAA Server Object to radius ...

Page 453: ...iguration Web Authentication and then select the Authentication Type tab to display the screen Figure 316 Configuration Web Authentication Authentication Type The following table describes the labels in this screen Table 183 Configuration Web Authentication Authentication Type LABEL DESCRIPTION Add Click this to create a new entry Select an entry and click Add to create a new entry after the selec...

Page 454: ...fault web portal the default login page built into the Zyxel Device Note You can also customize the default login page built into the Zyxel Device in the System WWW Login Page screen default user agreement the default user agreement page built into the Zyxel Device Type This field displays the type of the web authentication page used by this profile Web Page This field displays whether this profil...

Page 455: ...ric characters A Z a z 0 9 and underscores _ Spaces are not allowed The first character must be a letter The following fields are available if you set Type to Web Portal Internal Web Portal Select this to use the web portal pages uploaded to the Zyxel Device The login page appears whenever the web portal intercepts network traffic preventing unauthorized users from gaining access to the network Pr...

Page 456: ...monitor how long each access user is logged in and idle in other words there is no traffic for this access user The Zyxel Device automatically logs out the access user once the Idle timeout has been reached Idle timeout This is applicable for access users This field is effective when Enable Idle Detection is checked Type the number of minutes each access user can be logged in and idle before the Z...

Page 457: ...uthentication Custom Web Portal File Welcome URL Specify the welcome page s URL for example http IIS server IP Address welcome html The Internet Information Server IIS is the web server on which the user agreement files are installed If you leave this field blank the Zyxel Device will use the welcome page of internal user agreement file Download Click this to download an example external user agre...

Page 458: ...net access for example Table 185 Configuration Web Authentication Custom Web Portal User Agreement File LABEL DESCRIPTION Remove Click a file s row to select it and click Remove to delete it from the Zyxel Device Download Click a file s row to select it and click Download to save the zipped file to your computer This column displays the index number for each file entry This field is a sequential v...

Page 459: ... an IPv4 network environment with Windows AD Active Directory authentication database You must enable Web Authentication in the Configuration Web Authentication screen Figure 321 SSO Overview Install the SSO Agent on one of the following platforms Windows 7 Professional 32 bit and 64 bit Windows Server 2008 Enterprise 32 bit and 64 bit Windows 2008 R2 64 bit Windows Server 2012 64 bit U User DC Do...

Page 460: ... On SSO agent Table 186 Zyxel Device SSO Agent Field Mapping ZYXEL DEVICE SSO SCREEN FIELD SCREEN FIELD Web Authentication SSO Listen Port Agent Configuration Page Gateway Setting Gateway Port Web Authentication SSO Primary Agent Port Agent Configuration Page Agent Listening Port Object User Group User Add Group Identifier Agent Configuration Page Configure LDAP AD Server Group Membership Object A...

Page 461: ...ypt communications between the Zyxel Device and the SSO agent Primary Agent Type the IPv4 address of the SSO agent The Zyxel Device and the SSO agent must be in the same domain and be able to communicate with each other Primary Agent Port Type the same port number here as in the Agent Listening Port field on the SSO agent Type a number ranging from 1025 to 65535 Secondary Agent Address Optional Ty...

Page 462: ...ion ZyWALL ATP Series User s Guide 462 Make sure you select Enable Policy Single Sign On and choose required in Authentication Do NOT select any as the source address unless you want all incoming connections to be authenticated ...

Page 463: ...for SSO traffic source and destination direction in order to prevent the security policy from blocking this traffic Go to Configuration Security Policy Policy Control and add a new policy if a default one does not cover the SSO web authentication traffic direction Configure the fields as shown in the following screen Configure the source and destination addresses according to the SSO web authentic...

Page 464: ... Authentication ZyWALL ATP Series User s Guide 464 24 4 5 Configure User Information Configure a User account of the ext group user type Configure Group Identifier to be the same as Group Membership on the SSO agent ...

Page 465: ...24 Web Authentication ZyWALL ATP Series User s Guide 465 24 4 6 Configure an Authentication Method Configure Active Directory AD for authentication with SSO Choose group ad as the authentication server for SSO ...

Page 466: ... to be the same as AD configured on the SSO agent The default AD server port is 389 If you change this make sure you make the same changes on the SSO Configure the Base DN exactly the same as on the Domain Controller and SSO Bind DN is a user name and password that allows the Zyxel Device to join the domain with administrative privileges It is a required field ...

Page 467: ...evice After you install the SSO agent you will see an icon in the system tray bottom right of the screen Right click the SSO icon and select Configure Zyxel SSO Agent Configure the Agent Listening Port AD server exactly as you have done on the Zyxel Device Add the Zyxel Device IP address as the Gateway Make sure the Zyxel Device and SSO agent are able to communicate with each other ...

Page 468: ... 468 Configure the Server Address Port Base DN Bind DN Login Name Attribute and Group Membership for the AD server settings exactly as you have done on the Zyxel Device Group Membership is called Group Identifier on the Zyxel Device LDAP AD Server Configuration ...

Page 469: ...el Device Configuration Web Authentication SSO screen If you want to use Generate Key to have the SSO create a random password select Check to show PreShareKey as clear Text so as to see the password then copy and paste it to the Zyxel Device After all SSO agent configurations are done right click the SSO icon in the system tray and select Enable Zyxel SSO Agent ...

Page 470: ...teria above to apply the actions configured in the profiles application patrol content filter IDP anti malware email security to traffic that matches the criteria above Note Security policies can be applied to both IPv4 and IPv6 traffic The security policies can also limit the number of user sessions The following example shows the Zyxel Device s default security policies behavior for a specific d...

Page 471: ...bsite with guidance on configuration walkthroughs troubleshooting and other information This is an example of a port forwarding configuration walkthrough Figure 324 Example of a Port Forwarding Configuration Walkthrough This is an example of L2TP over IPSec VPN Troubleshooting troubleshooting 1 2 3 4 ...

Page 472: ...Chapter 25 Security Policy ZyWALL ATP Series User s Guide 472 Figure 325 Example of L2TP over IPSec Troubleshooting 1 1 2 2 3 ...

Page 473: ...hroughs do not perform the actual configuring but just show you how to do it Device HA General Licensing Registration Network NAT Network Routing Policy Route Security Service App Patrol Security Service Content Filter Security Service IDP Security Service Anti Malware Security Service Email Security VPN IPSec VPN VPN SSL VPN VPN L2TP VPN Click this icon to go to a series of screens that guide you...

Page 474: ...rent zones based on your needs You can configure security policies for data passing between zones or even between interfaces Click this icon for more information on Application Patrol which identifies traffic that passes through the Zyxel Device so you can decide what to do with specific types of traffic Traffic not recognized by application patrol is ignored Security Service Application Patrol Cl...

Page 475: ...cluded in a zone The from any policies apply to traffic coming from the interface and the to any policies apply to traffic going to the interface Security Policy Rule Criteria The Zyxel Device checks the schedule user name user s login name on the Zyxel Device source IP address and object destination IP address and object IP protocol type of network traffic service and Security Service profile cri...

Page 476: ...ate gateway on the LAN has an IP address in the same subnet as the Zyxel Device s LAN IP address return traffic may not go through the Zyxel Device This is called an asymmetrical or triangle route This causes the Zyxel Device to reset the connection as the connection has not been acknowledged You can have the Zyxel Device permit the use of asymmetrical route topology on the network not reset the c...

Page 477: ...h zone packets travel to display only the policies specific to the selected direction Note the following Besides configuring the Security Policy you also need to configure NAT rules to allow computers on the WAN to access LAN devices The Zyxel Device applies NAT Destination NAT settings before applying the Security Policies So for example if you configure a NAT entry that sends WAN traffic to a LA...

Page 478: ...Chapter 25 Security Policy ZyWALL ATP Series User s Guide 478 Figure 328 Configuration Security Policy Policy Control ...

Page 479: ... address 172 16 6 7 An 128 bit IPv6 address is written as eight 16 bit hexadecimal blocks separated by colons This is an example IPv6 address 2001 0db8 1a2b 0015 0000 0000 1a2f 0000 Service View all security policies based the service object used User View all security policies based on user or user group object used Schedule View all security policies based on the schedule object used IPv4 IPv6 P...

Page 480: ... LAN to either another computer or subnet on the LAN From any displays all the Security Policies for traffic going to the selected To Zone To any displays all the Security Policies for traffic coming from the selected From Zone From any to any displays all of the Security Policies To ZyWALL policies are for traffic that is destined for the Zyxel Device and control which computers can manage the Zy...

Page 481: ...ion Enter a descriptive name of up to 60 printable ASCII characters for the Policy Spaces are allowed From To For through Zyxel Device policies select the direction of travel of packets to which the policy applies any means all interfaces Device means packets destined for the Zyxel Device itself Source Select an IPv4 IPv6 address or address group object including geographic address and FQDN group ...

Page 482: ...y Select deny to silently discard the packets without sending a TCP reset packet or an ICMP destination unreachable message to the sender Select reject to discard the packets and send a TCP reset packet or an ICMP destination unreachable message to the sender Select allow to permit the passage of the packets Log matched traffic Select whether to have the Zyxel Device generate a log log log and ale...

Page 483: ...DP General The following table describes the labels in this screen Table 192 Configuration Security Policy ADP General LABEL DESCRIPTION General Settings Enable Anomaly Detection and Prevention Select this to enable traffic anomaly and protocol anomaly detection and prevention Add Select an entry and click Add to append a new row beneath the one selected ADP policies are applied in order Priority ...

Page 484: ...Policy ADP Profile to view the following screen Priority This is the rank in the list of anomaly profile policies The list is applied in order of priority Status The activate light bulb icon is lit when the entry is active and dimmed when the entry is inactive From This is the direction of travel of packets to which an anomaly profile is bound Traffic direction is defined by the zone the traffic i...

Page 485: ...set to no and Action set to none by default all base profile sets all ADP entries to have Log set to log and Action set to block by default Edit Select an entry and click this to be able to modify it Remove Select an entry and click this to delete it References Select an entry and click References to open a screen that shows which settings use the entry Click Refresh to update information on this ...

Page 486: ...hat you can edit The name must be the same in the Traffic Anomaly and Protocol Anomaly screens for the same ADP profile You may use 1 31 alphanumeric characters underscores _ or dashes but the first character cannot be a number This value is case sensitive These are valid unique profile names MyProfile mYProfile Mymy12_3 4 These are invalid profile names 1mYProfile My Profile MyProfile Whatalongpr...

Page 487: ...on To edit what action the Zyxel Device takes when a packet matches a policy select the policy and use the Action icon none The Zyxel Device takes no action when a packet matches the policy block The Zyxel Device silently drops packets that matches the policy Neither sender nor receiver are notified This is the entry s index number in the list Status The activate light bulb icon is lit when the en...

Page 488: ...offset which defines the size of the fragment and the original packet A series of IP fragments with overlapping offset fields can cause some systems to crash hang or reboot when fragment reassembling is attempted at the destination IP Spoofing IP Spoofing is used to gain unauthorized access to network devices by modifying packet headers so that it appears that the packets originate from a host wit...

Page 489: ...Chapter 25 Security Policy ZyWALL ATP Series User s Guide 489 Figure 333 Configuration Security Policy ADP Profile Add Protocol Anomaly ...

Page 490: ... Select this action to return each rule in a service group to its previously saved configuration none Select this action to have the Zyxel Device take no action when a packet matches a policy drop Select this action to have the Zyxel Device silently drop a packet that matches a policy Neither sender nor receiver are notified reject sender Select this action to have the Zyxel Device send a reset to...

Page 491: ...the log options To edit this select an item and use the Log icon Action This is the action the Zyxel Device should take when a packet matches a policy To edit this select an item and use the Action icon OK Click OK to save your settings to the Zyxel Device complete the profile and return to the profile summary page Cancel Click Cancel to return to the profile summary page without saving any change...

Page 492: ...ick this to create a new entry Select an entry and click Add to create a new entry after the selected entry Edit Double click an entry or select it and click Edit to open a screen where you can modify the entry s settings Remove To remove an entry select it and click Remove The Zyxel Device confirms you want to remove it before doing so Activate To turn on an entry select it and click Activate Ina...

Page 493: ...racters Spaces are allowed User Select a user name or user group to which to apply the rule The rule is activated only when the specified user logs into the system and the rule will be disabled when the user logs out Otherwise select any and there is no need for user logging Note If you specified an IP address or address group instead of any in the field below the user s IP address should be withi...

Page 494: ...et the CEO use IRC You configure a LAN1 to WAN security policy that allows IRC traffic from the IP address of the CEO s computer You can also configure a LAN to WAN policy that allows IRC traffic from any computer through which the CEO logs into the Zyxel Device with his her user name In order to make sure that the CEO s computer always uses the same IP address make sure it either Has a static IP ...

Page 495: ...he IRC service on the WAN by logging into the Zyxel Device with the CEO s user name The second row blocks LAN1 access to the IRC service on the WAN The third row is the default policy of allowing allows all traffic from the LAN1 to go to the WAN The policy for the CEO must come before the policy that blocks all LAN1 to WAN IRC traffic If the policy that blocks all LAN1 to WAN IRC traffic came firs...

Page 496: ...olicies before it checks application patrol rules for traffic going through the Zyxel Device Application patrol examines every TCP and UDP connection passing through the Zyxel Device and identifies what application is using the connection Then you can specify whether or not the Zyxel Device continues to route the connection Traffic not recognized by the application patrol signatures is ignored App...

Page 497: ...IP traffic also configures the SIP ALG to use the same port numbers for SIP traffic Likewise configuring the SIP ALG to use custom port numbers for SIP traffic also configures application patrol to use the same port numbers for SIP traffic 26 2 Application Patrol Profile Use the application patrol screens to customize action and log settings for a group of application patrol signatures You then li...

Page 498: ...scription This displays the description of the App Patrol Profile Scan Option This field displays the scan options from the App Patrol profile Reference This displays the number of times an object reference is used in a profile Action Click this icon to apply the entry to a security policy Go to the Configuration Security Policy Policy Control screen to check the result Signature Information The f...

Page 499: ... to a Security Policy Click the icon in the Action field of an existing application patrol file to apply the profile to a security policy Go to the Configuration Security Policy Policy Control screen to check the result Figure 339 Configuration Security Service App Patrol Action ...

Page 500: ...e object used Priority This is the position of your Security Policy in the global policy list including all through Zyxel Device and to Zyxel Device policies The ordering of your policies is important as policies are applied in sequence Default displays for the default Security Policy behavior that the Zyxel Device performs on traffic that does not match any other Security Policy Status This icon ...

Page 501: ...cation deny permits the passage of packets allow or drops packets with notification reject Log Select whether to have the Zyxel Device generate a log log log and alert log alert or not no when the policy is matched to the criteria listed above Profile This field shows you which Security Service profiles application patrol content filter IDP anti malware email security apply to this Security policy...

Page 502: ...in this category forward the Zyxel Device routes packets that matches these signatures drop the Zyxel Device silently drops packets that matches these signatures without notification reject the Zyxel Device drops packets that matches these signatures and sends notification This field is a sequential value showing the number of the profile The profile order is not important Application This field d...

Page 503: ...his screen Table 204 Configuration Security Service App Patrol Add Edit Query Result LABEL DESCRIPTION General Settings Name Type the name of the profile You may use 1 31 alphanumeric characters underscores _ or dashes but the first character cannot be a number This value is case sensitive These are valid unique profile names MyProfile mYProfile Mymy12_3 4 These are invalid profile names 1mYProfil...

Page 504: ...tures in this category forward the Zyxel Device routes packets that matches these signatures drop the Zyxel Device silently drops packets that matches these signatures without notification reject the Zyxel Device drops packets that matches these signatures and sends notification Log Select whether to have the Zyxel Device generate a log log log and alert log alert or neither no by default when tra...

Page 505: ...fic categories of web site content You can create different content filter policies for different addresses schedules users or groups and content filter profiles For example you can configure one policy that blocks John Doe s access to arts and entertainment web pages during the workday and another policy that lets him access them after work Content Filtering Policies A content filtering policy al...

Page 506: ...ese categories HTTPS Domain Filter HTTPS Domain Filter works with the Content Filter category feature to identify HTTPS traffic and take appropriate action SSL Inspection identifies HTTPS traffic for all Security Service traffic and has higher priority than HTTPS Domain Filter HTTPS Domain Filter only identifies keywords in the domain name of an URL and matches it to a category For example if the ...

Page 507: ...ontent filtering see the Licensing Registration screens 27 2 Content Filter Profile Screen Click Configuration Security Service Content Filter Profile to open the Content Filter Profile screen Use this screen to enable content filtering view and order your list of content filter policies create a denial of access message or specify a redirect URL and check your external web filtering service regis...

Page 508: ... the network administrator It is also possible to leave this field blank if you have a URL specified in the Redirect URL field In this case if the content filter blocks access to a web page the Zyxel Device just opens the web page you specified without showing a denied access message Redirect URL Enter the URL of the web page to which you want to send users when their web access is blocked by cont...

Page 509: ...ction LABEL DESCRIPTION Show Filter Hide Filter Click Show Filter to display IPv4 and IPv6 if enabled security policy search filters IPv4 IPv6 Configuration Use IPv4 IPv6 search filters to find specific IPv4 and IPv6 if enabled security policies based on direction application user source destination and or schedule From To Select a zone to view all security policies from a particular zone and or t...

Page 510: ...ed based on the direction of travel of packets to which they apply For example from LAN to LAN means packets traveling from a computer or subnet on the LAN to either another computer or subnet on the LAN From any displays all the Security Policies for traffic going to the selected To Zone To any displays all the Security Policies for traffic coming from the selected From Zone From any to any displ...

Page 511: ...ser s Guide 511 27 2 2 Content Filter Add Profile Category Service Click Configuration Security Service Content Filter Profile Add or Edit to open the Add Filter Profile screen Figure 344 Content Filter Profile Add Filter Profile Category Service ...

Page 512: ...b page depending on the configuration of the rest of this page Log all web pages Select this to record attempts to access web pages when They match the other categories that you select below They are not categorized The external content filtering database is unavailable Action for Managed Web Pages Select Pass to allow users to access web pages that match the other categories that you select below...

Page 513: ...to control access to specific types of Internet content You must have the Category Service content filtering license to filter these categories See the next table for category details Test Web Site Category URL to test You can check which category a web page belongs to Enter a web site URL in the text box When the content filter is active you should see the web page s category The query fails if t...

Page 514: ...ne dating spousal introduction For example www i part com tw www imatchi com Download Sites Sites that contain downloadable software whether shareware freeware or for a charge Includes peer to peer sites For example www hotdl com toget pchome com tw www azroo com Education Sites sponsored by educational institutions and schools of all types including distance education Includes general educational...

Page 515: ... com www wretch cc blog xuite net Politics Sites that promote political parties or political advocacy or provide information about political parties interest groups elections legislation or lobbying Also includes sites that offer legal information and advice For example www kmt org tw www dpp org tw cpc people com cn Pornography Sexually Explicit Sites that contain explicit sexual content Includes...

Page 516: ...mes com tw Cults Sites relating to non traditional religious practice typically known as cults that is considered to be false unorthodox extremist or coercive with members often living under the direction of a charismatic leader For example www churchofsatan com www ccya org tw Fashion Beauty Sites concerning fashion jewelry glamour beauty modeling cosmetics or related products or services Include...

Page 517: ...n enterprises but are well defined within a certain enterprise For example 172 21 20 123 192 168 35 62 School Cheating Sites that promote unethical practices such as cheating or plagiarism by providing test answers written essays research papers or term papers For example www zydk788 com www huafengksw com Sex Education Sites relating to sex education including subjects such as respect for partner...

Page 518: ...ription Enter a description for the content filtering profile rule to help identify the purpose of rule You may use 1 31 alphanumeric characters underscores _ or dashes but the first character cannot be a number This value is case sensitive This field is optional Enable Custom Service Select this check box to allow trusted web sites and block forbidden web sites Content filter list customization m...

Page 519: ...e for LAN users to circumvent content filtering by pointing to this proxy server Allow Java ActiveX Cookies Web proxy to trusted web sites When this box is selected the Zyxel Device will permit Java ActiveX and Cookies from sites on the Trusted Web Sites list to the LAN In certain cases it may be desirable to allow Java ActiveX or Cookies from sites that are known and trusted Trusted Web Sites The...

Page 520: ... a wildcard to match any string The entry must contain at least one or it will be invalid Blocked URL Keywords This section allows you to block Web sites with URLs that contain certain keywords in the domain name or IP address Add Click this to create a new entry Edit Select an entry and click this to be able to modify it Remove Select an entry and click this to delete it This displays the index n...

Page 521: ...t you want to allow access to regardless of their content rating can be allowed by adding them to this list Add Click this to create a new entry Edit Select an entry and click this to be able to modify it Remove Select an entry and click this to delete it This displays the index number of the trusted web sites Trusted Web Site This column displays the trusted web sites already added Enter host nam...

Page 522: ... Click this to create a new entry Edit Select an entry and click this to be able to modify it Remove Select an entry and click this to delete it This displays the index number of the forbidden web sites Forbidden Web Sites This list displays the forbidden web sites already added Enter host names such as www bad site com into this text field Do not enter the complete URL of the site that is do not ...

Page 523: ...r Cache screen to configure how long a web site address remains in the cache as well as view those web site addresses All of the web site address records are also cleared from the local cache when the Zyxel Device restarts 4 If the Zyxel Device has no record of the web site it queries the external content filter database and simultaneously sends the request to the web server 5 The external content...

Page 524: ...e the Zyxel Device checks traffic coming from the WAN zone which includes two interfaces to the LAN zone Figure 349 Zyxel Device Anti Malware Example 28 1 1 What You Can Do in this Chapter Use the Anti Malware screen Section 28 2 on page 526 to turn anti malware on or off and check the anti malware signature status In addition you can set up anti malware black blocked and white allowed lists of ma...

Page 525: ...network based anti malware scanner the Zyxel Device helps stop threats at the network edge before they reach the local host computers You can set the Zyxel Device to examine files received through the following protocols FTP File Transfer Protocol HTTP Hyper Text Transfer Protocol SMTP Simple Mail Transfer Protocol POP3 Post Office Protocol version 3 How the Zyxel Device Anti Malware Scanner Works...

Page 526: ...wnloads of a file using multiple connections For example when you use FlashGet to download sections of a file simultaneously Encrypted traffic This could be password protected files or VPN traffic where the Zyxel Device is not the endpoint pass through VPN traffic Traffic through custom non standard ports The only exception is FTP traffic The Zyxel Device scans whatever port number is specified fo...

Page 527: ... detect EICAR test virus Select this option to have the Zyxel Device check for the EICAR test file and treat it in the same way as a real malware file The EICAR test file is a standardized test file for signature based anti malware scanners When the scanner detects the EICAR file it responds in the same way as if it found a real malware Besides straightforward detection the EICAR file can also be ...

Page 528: ... entry is active and dimmed when the entry is inactive This is the entry s index number in the list File Pattern This is the file name pattern If a file s name matches this pattern the Zyxel Device does not check the file for malware Check Black List Select this check box to log and delete files with names that match the black list patterns Add Click this to create a new entry Edit Select an entry...

Page 529: ...o limits to the number of ZIP files that the Zyxel Device can concurrently unzip Note The Zyxel Device s firmware package cannot go through the Zyxel Device with this check box enabled The Zyxel Device classifies the firmware package as not being able to be decompressed and deletes it Clear this check box when you download a firmware package from the Zyxel website It s OK to upload a firmware pack...

Page 530: ... that the Zyxel Device should log and then destroy For a white list entry specify a pattern to identify the names of files that the Zyxel Device should not scan for malware Use up to 80 characters Alphanumeric characters underscores _ dashes question marks and asterisks are allowed A question mark lets a single character in the file name vary For example use a zip without the quotation marks to sp...

Page 531: ... name of the anti malware signature Click the Name column heading to sort your search results in ascending or descending order according to the signature name Click a signature s name to see details about the malware Table 215 Common Malware Types TYPE DESCRIPTION File Infector This is a small program that embeds itself in a legitimate program A file infector is able to copy and attach itself to o...

Page 532: ...eats through real time traffic such as from the Internet HAM scanners may reduce computing performance as they also share the resources such as CPU time on the computer for file inspection You have to update the malware signatures and or perform malware scans on all computers in the network regularly A network based anti malware NAM scanner is often deployed as a dedicated security device such as ...

Page 533: ...ses When you register for and enable the botnet filtering service your Zyxel Device downloads signature files that contain known botnet domain names and IP addresses The Zyxel Device will also access an external database that has millions of web sites categorized based on content You can have the Zyxel Device allow block block and or log access to web sites or hosts based on these signatures and c...

Page 534: ...hen a packet contains a botnet IP address forward Select this action to have the Zyxel Device allow the packet to go through reject sender Select this action to have the Zyxel Device deny the packets and send a TCP RST to the sender when a packet contains a botnet IP address reject receiver Select this action to have the Zyxel Device deny the packets and send a TCP RST to the receiver when a packe...

Page 535: ...to the site is down the DNS server address record is wrong the DNS server has another problem the site has maintenance repair work going on or the site has been hacked Parked Domains Sites that are inactive typically reserved for later use They most often do not contain their own content may simply say under construction purchase this domain or display advertisements For example www moemoon com ar...

Page 536: ... botnet filter These signatures are continually updated as new malware evolves New signatures can be downloaded to the Zyxel Device periodically if you have subscribed for the botnet filter signatures service You need to create an account at myZyxel register your Zyxel Device and then subscribe for botnet filter service in order to be able to download new signatures from myZyxel see the Registrati...

Page 537: ...nature identifies a malicious or suspicious packet and specifies an action to be taken You can change the action in the profile screens Packet inspection signatures examine OSI Open System Interconnection layer 4 to layer 7 packet contents for malicious data Generally packet inspection signatures are created for known attacks while anomaly detection looks for abnormal behavior Applying Your IDP Co...

Page 538: ...maly detection looks for abnormal behavior Click Configuration Security Service IDP to open this screen Use this screen to view registration and signature information Note You must register in order to use packet inspection signatures See the Registration screens If you try to enable IDP when the IDP service has not yet been registered a warning screen displays and IDP is not enabled Click on the ...

Page 539: ...ed by traffic such as Ping trace route ICMP queries etc Classification Type Search for signatures by attack type s see Table 218 on page 540 Attack types are known as policy types in the group view screen Hold down the Ctrl key if you want to make multiple selections Platform Search for signatures created to prevent intrusions targeting specific operating system s Hold down the Ctrl key if you wan...

Page 540: ...nature Information The following fields display information on the current signature set that the Zyxel Device is using Current Version This field displays the IDP signature set version number This number gets larger as the set is enhanced Signature Number This field displays the number of IDP signatures in this set This number usually gets larger as the set is enhanced Older signatures and rules ...

Page 541: ... attacks are HTTP Response Smuggling HTTP Response Splitting and JSON Hijacking P2P Peer to peer P2P is where computing devices link directly to each other and can directly initiate communication with each other they do not need an intermediary A device can be both the client and the server In the Zyxel Device P2P refers to peer to peer applications such as e Mule e Donkey BitTorrent iMesh etc Sca...

Page 542: ...mate programs A worm is a program that is designed to copy itself from one computer to another on a network A worm s uncontrolled replication consumes system resources thus slowing or stopping other tasks Web Attack Web attacks refer to attacks on web servers such as IIS Internet Information Services Table 219 IDP Service Groups WEB_PHP WEB_MISC WEB_IIS WEB_FRONTPAGE WEB_CGI WEB_ATTACKS TFTP TELNE...

Page 543: ...ttacks or attacks peculiar to your network Custom signatures can also be saved to from your computer so as to share with others You need some knowledge of packet headers and attack types to create your own custom signatures IP Packet Header These are the fields in an Internet Protocol IP version 4 packet header Figure 356 IP v4 Packet Headers ...

Page 544: ...and the data Identification This is a 16 bit number which together with the source address uniquely identifies this packet It is used during reassembly of fragmented datagrams Flags Flags are used to control whether routers are allowed to fragment a packet and to indicate the parts of a packet to the receiver Fragment Offset This is a byte count from the start of the original sent packet Time To L...

Page 545: ...e The more specific your signature including packet contents then the fewer false positives the signature will trigger Try to write signatures that target a vulnerability for example a certain type of traffic on certain operating systems instead of a specific exploit Figure 357 Configuration Security Service IDP Custom Signatures Add Edit ...

Page 546: ...ing packets of the same type may indicate an attack Use the following field to indicate how many packets per how many seconds constitute an intrusion Threshold Select Threshold and then type how many packets that meet the criteria in this signature per how many seconds constitute an intrusion Header Options Network Protocol Configure signatures for IP version 4 Type Of Service Type of service in a...

Page 547: ...igned to cause devices to crash To Client The signature only checks for server responses from A to B To Server The signature only checks for client requests from B to A From Client The signature only checks for client requests from B to A From Servers The signature only checks for server responses from A to B No Stream The signature does not check rebuilt stream packets Only Stream The signature o...

Page 548: ...e Identifier URI is a string of characters for identifying an abstract or physical resource RFC 2396 A resource can be anything that has identity for example an electronic document an image a service today s weather report for Taiwan a collection of other resources An identifier is an object that can act as a reference to something that has identity Example URIs are ftp ftp is co za rfc rfc1808 tx...

Page 549: ... can The more specific your signature the less chance it will cause false positives As an example say you want to check if your router is being overloaded with DNS queries so you create a signature to detect DNS query traffic 30 3 2 2 Analyze Packets Use the packet capture screen and a packet analyzer also known as a network or protocol analyzer such as Wireshark or Ethereal to investigate some mo...

Page 550: ... should look like as shown in the following figure Figure 359 Example Custom Signature 30 3 3 Applying Custom Signatures After you create your custom signature it becomes available in an IDP profile Configuration Security Service IDP Profile Edit screen Custom signatures have an SID from 9000000 to 9999999 Search for then activate the signature configure what action to take when a packet matches i...

Page 551: ...contains some background information on IDP Host Intrusions The goal of host based intrusions is to infiltrate files on an individual computer or server in with the goal of accessing confidential information or destroying information on a computer You must install a host IDP directly on the system being protected It works closely with the operating system monitoring and intercepting system calls t...

Page 552: ...n the rule options section are the option keywords The rule header contains the rule s Action Protocol Source and destination IP addresses and netmasks Source and destination ports information The rule option section contains alert messages and information on which parts of the packet should be inspected to determine if the rule action should be taken These are some equivalent Snort terms in the Z...

Page 553: ..._id Sequence Number icmp_seq Payload Options Snort rule options Payload Size dsize Offset relative to start of payload offset Relative to end of last match distance Content content Case insensitive nocase Decode as URI uricontent Table 222 Zyxel Device Snort Equivalent Terms continued ZYXEL DEVICE TERM SNORT EQUIVALENT TERM ...

Page 554: ... malware When a file with malicious or suspicious codes is detected the Zyxel Device can take specific actions on the threats 31 1 1 What You Can Do in this Chapter Use the Sandboxing screen Section 31 2 on page 554 to turn sandboxing on or off and specify the actions the Zyxel Device takes when malicious or suspicious files are detected 31 2 Sandboxing Screen Click Configuration Security Service ...

Page 555: ...rious events that may need more immediate attention Select this option to have the Zyxel Device send an alert when a malicious file is detected Action For Suspicious File Specify whether the Zyxel Device deletes destroy or forwards allow suspicious files Log For Suspicious File These are the log options for suspicious files no Do not create a log when a suspicious file is detected log Create a log...

Page 556: ...he email security feature checks an email against the white list entries before doing any other email security checking If the email matches a white list entry the Zyxel Device classifies the email as legitimate and does not perform any more email security checking on that individual email A properly configured white list helps keep important email from being incorrectly classified as spam The whi...

Page 557: ...eck for specific header fields with specific values Email programs usually only show you the To From Subject and Date header fields but there are others such as Received and Content Type To see all of an email s header you can select an email in your email program and look at its properties or details For example in Microsoft s Outlook Express select a mail and click File Properties Details This d...

Page 558: ...s screen to turn the email security feature on or off and manage email security policies You can also select the action the Zyxel Device takes when the mail sessions threshold is reached Click on the icons to go to the OneSecurity website where there is guidance on configuration walkthroughs troubleshooting and other information Figure 362 Configuration Security Service Email Security ...

Page 559: ... mail subject of emails that are determined to have an attached viruses This tag is only added if the email security policy is configured to forward spam mail with a spam tag Check Mail Phishing Phishing is an act of tricking you into providing login or personal information with malicious emails or website links Select this to identify emails sent from suspicious websites known for phishing Mail P...

Page 560: ...s email sessions without any spam filtering Select Drop Session to have the Zyxel Device drop mail connections to stop the excess email sessions The email client or server will have to re attempt to send or receive email later when the number of email sessions is under the threshold Query Timeout Settings SMTP Select how the Zyxel Device is to handle SMTP mail query timeout Select drop to discard ...

Page 561: ...the IP of the sender or the first server that forwarded the mail Select last N IPs to have the Zyxel Device start checking from the last IP address in the mail header This is the IP of the last server that forwarded the mail Apply Click Apply to save your changes back to the Zyxel Device Reset Click Reset to return the screen to its last saved settings Table 224 Configuration Security Service Emai...

Page 562: ...rvice Email Security Black White List Black White List Add LABEL DESCRIPTION Enable Rule Select this to have the Zyxel Device use this entry as part of the black or white list To actually use the entry you must also turn on the use of the list in the corresponding list screen enable the email security feature in the email security general screen and configure an email security policy to use the li...

Page 563: ...r or Mail Relay IP Address This field displays when you select the IP Address type Enter an IP address in dotted decimal notation Sender or Mail Relay IPv6 Address This field displays when you select the IPv6 Address type Enter an IPv6 address with prefix Netmask This field displays when you select the IP type Enter the subnet mask here if applicable Sender E Mail Address This field displays when ...

Page 564: ...ast one non spam reply for each of an email s routing IP addresses the Zyxel Device immediately classifies the email as legitimate and forwards it Any further DNSBL replies that come after the Zyxel Device classifies an email as spam or legitimate have no effect The Zyxel Device records DNSBL responses for IP addresses in a cache for up to 72 hours The Zyxel Device checks an email s sender and rel...

Page 565: ...ds a separate query to each of its DNSBL domains for IP address c c c c The Zyxel Device sends another separate query to each of its DNSBL domains for IP address d d d d 2 DNSBL B replies that IP address d d d d does not match any entries in its list not spam 3 DNSBL C replies that IP address c c c c does not match any entries in its list not spam 4 Now that the Zyxel Device has received at least ...

Page 566: ... A replies that IP address a b c d does not match any entries in its list not spam 3 While waiting for a DNSBL reply about IP address w x y z the Zyxel Device receives a reply from DNSBL B saying IP address a b c d is in its list 4 The Zyxel Device immediately classifies the email as spam and takes the action for spam that you defined in the email security policy In this example it was an SMTP mai...

Page 567: ...nspected by the Security Service profiles in the same security profile that matched the SSL Inspection profile If all is OK then the Zyxel Device re encrypts the traffic using SSL Inspection and forwards it to the destination server D SSL traffic could be in the opposite direction for other examples Figure 368 SSL Inspection Overview Note Email security cannot be applied to traffic decrypted by SS...

Page 568: ...on profile to a traffic flow s 33 1 3 Before You Begin If you don t want to use the default Zyxel Device certificate then create a new certificate in Object Certificate My Certificates Decide what destination servers to which traffic is sent directly without inspection This may be a matter of privacy and legality regarding inspecting an individual s encrypted session such as financial websites Thi...

Page 569: ...he entry Click Refresh to update information on this screen This is the entry s index number in the list Name This displays the name of the profile Description This displays the description of the profile CA Certificate This displays the CA certificate being used in this profile Reference This displays the number of times an object reference is used in a profile Action Click this icon to apply the...

Page 570: ...ction LABEL DESCRIPTION Show Filter Hide Filter Click Show Filter to display IPv4 and IPv6 if enabled security policy search filters IPv4 IPv6 Configuration Use IPv4 IPv6 search filters to find specific IPv4 and IPv6 if enabled security policies based on direction application user source destination and or schedule From To Select a zone to view all security policies from a particular zone and or t...

Page 571: ...ed based on the direction of travel of packets to which they apply For example from LAN to LAN means packets traveling from a computer or subnet on the LAN to either another computer or subnet on the LAN From any displays all the Security Policies for traffic going to the selected To Zone To any displays all the Security Policies for traffic coming from the selected From Zone From any to any displ...

Page 572: ...tion about this SSL Inspection entry You can enter up to 60 characters 0 9 a z A Z and _ CA Certificate This contains the default certificate and the certificates created in Object Certificate My Certificates Choose the certificate for this profile SSL TLS version supported minimum SSL Inspection supports SSLv3 TLS1 0 TLS1 1 and TLS1 2 to use Secure Sockets Layer SSL or Transport Layer Security TL...

Page 573: ... alert An alert is an emailed log for more serious events that may need more immediate attention They also appear in red in the Monitor Log screen Select this option to have the Zyxel Device send an alert for unsupported traffic that matches traffic bound to this policy Action for connection with untrusted cert chain A certificate chain is a certification process that involves the following certif...

Page 574: ...ollowing ways The Common Name CN of the certificate The common name of the certificate can be created in the Object Certificate My Certificates screen Type an IPv4 or IPv6 address For example type 192 168 1 35 or 2001 7300 3500 1 Type an IPv4 IPv6 in CIDR notation For example type 192 168 1 1 24 or 2001 7300 3500 1 64 Type an IPv4 IPv6 address range For example type 192 168 1 1 192 168 1 35 or 200...

Page 575: ...s 2 Z intercepts the response from D and checks if the certificate has been previously signed Z then replies to D 3 and also to U 4 D s latest certificate is stored at myZyxel M along with other server certificates and can be downloaded to the Zyxel Device Figure 373 SSL Inspection Certificate Update Overview Click Configuration Security Service SSL Inspection Certificate Update to display the fol...

Page 576: ...Inspection Certificate Update LABEL DESCRIPTION Certificate Information Current Version This displays the current certificate set version Released Date This field displays the date and time the current certificate set was released Certificate Update You should have Internet access and have activated SSL Inspection on the Zyxel Device at myZyxel Update Now Click this button to download the latest c...

Page 577: ...Chapter 33 SSL Inspection ZyWALL ATP Series User s Guide 577 3 From the main menu select Action All Tasks Import and run the Certificate Import Wizard to install the certificate on the PC ...

Page 578: ...using a Firefox browser in addition to the above you need to do the following to import a certificate into the browser Click Tools Options Advanced Encryption View Certificates click Import and enter the filename of the certificate you want to import See the browser s help for further information ...

Page 579: ...ity Service and remote management Zones cannot overlap Each Ethernet interface VLAN interface bridge interface PPPoE PPTP interface and VPN tunnel can be assigned to at most one zone Virtual interfaces are automatically assigned to the same zone as the interface on which they run Figure 375 Example Zones Use the Zone screens see Section 34 8 2 on page 633 to manage the Zyxel Device s zones 34 1 1 ...

Page 580: ...nd policy settings may apply to extra zone traffic especially if you can set the zone attribute in them to Any or All See the specific feature for more information 34 1 2 The Zone Screen The Zone screen provides a summary of all zones In addition this screen allows you to add edit and remove zones To access this screen click Configuration Object Zone Figure 376 Configuration Object Zone The follow...

Page 581: ...es an Object Reference is used in a policy Table 232 Configuration Object Zone continued LABEL DESCRIPTION Table 233 Configuration Object Zone Add Edit LABEL DESCRIPTION Name For a system default zone the name is read only For a user configured zone type the name used to refer to the zone You may use 1 31 alphanumeric characters underscores _ or dashes but the first character cannot be a number Th...

Page 582: ...wireless clients for MAC authentication using the local user database The OUI is the first three octets in a MAC address and uniquely identifies the manufacturer of a network device 34 2 1 What You Need To Know User Account A user account defines the privileges of a user logged into the Zyxel Device User accounts are used in security policies and application patrol in addition to controlling acces...

Page 583: ...unt Ext User in the Zyxel Device 3 Default user account for AD users ad users LDAP users ldap users or RADIUS users radius users in the Zyxel Device See Setting up User Attributes in an External Server for a list of attributes and how to set up the attributes in an external server Ext Group User Accounts Ext Group User accounts work are similar to ext user accounts but allow you to group users by ...

Page 584: ...re of the user who is logged in and you can create user aware policies that define what services they can use See Section 34 2 6 on page 596 for a user aware login example Finding Out More See Section 34 2 6 on page 596 for some information on users who use an external authentication server in order to log in The Zyxel Device supports TTLS using PAP so you can use the Zyxel Device s local user dat...

Page 585: ...the Zyxel Device uses admin this user can look at and change the configuration of the Zyxel Device limited admin this user can look at the configuration of the Zyxel Device but not to change it dynamic guest this user has access to the Zyxel Device s services but cannot look at the configuration user this user has access to the Zyxel Device s services and can also browse user mode commands CLI gue...

Page 586: ... but cannot look at the configuration ext user this user account is maintained in a remote server such as RADIUS or LDAP See Ext User Accounts on page 583 for more information about this type ext group user this user account is maintained in a remote server such as RADIUS or LDAP See Ext Group User Accounts on page 583 for more information about this type Password This field is not available if yo...

Page 587: ... is logged out You can specify 1 to 1440 minutes You can enter 0 to make the number of minutes unlimited Admin users renew the session every time the main screen refreshes in the Web Configurator Access users can renew the session by clicking the Renew button on their screen If you allow access users to renew time automatically see Section 34 2 4 on page 589 the users can select this check box on ...

Page 588: ...ate a new entry Edit Double click an entry or select it and click Edit to open a screen where you can modify the entry s settings Remove To remove an entry select it and click Remove The Zyxel Device confirms you want to remove it before doing so Removing a group does not remove the user accounts in the group References Select an entry and click References to open a screen that shows which setting...

Page 589: ...es but the first character cannot be a number This value is case sensitive User group names have to be different than user names Description Enter the description of the user group if any You can use up to 60 characters punctuation marks and spaces Member List The Member list displays the names of the users and user groups that have been added to the user group The order of members is not importan...

Page 590: ...Timeout Settings Default Authentication Timeout Settings These authentication timeout settings are used by default when you create a new user account They also control the settings for any existing user accounts that are set to use the default settings You can still manually configure any user account s authentication timeout settings Edit Double click an entry or select it and click Edit to open ...

Page 591: ...nto the Zyxel Device in one session before having to log in again Unlike Lease Time the user has no opportunity to renew the session without logging out Miscellaneous Settings Allow renewing lease time automatically Select this check box if access users can renew lease time automatically as well as manually simply by selecting the Updating lease time automatically check box on their screen Enable ...

Page 592: ...s logins by each admin user Limit the number of simultaneous logons for access account Select this check box if you want to set a limit on the number of simultaneous logins by non admin users If you do not select this access users can login as many times as they want as long as they use different IP addresses Maximum number per access account This field is effective when Limit for access account i...

Page 593: ... maintained in a remote server such as RADIUS or LDAP See Ext Group User Accounts on page 583 for more information about this type guest manager this user can log in via the web configurator login screen and create dynamic guest accounts using the Account Generator screen that pops up Lease Time Enter the number of minutes this type of user account has to renew the current session before the user ...

Page 594: ...cess users can click this button to reset the lease time the amount of time remaining before the Zyxel Device automatically logs them out The Zyxel Device sets this amount of time according to the User defined lease time field in this screen Lease time field in the User Add Edit screen see Section 34 2 5 1 on page 595 Lease time field in the Setting screen see Section 34 2 4 on page 589 Updating l...

Page 595: ...g so MAC Address OUI This field displays the MAC address or OUI Organizationally Unique Identifier of computer hardware manufacturers of wireless clients using MAC authentication with the Zyxel Device local user database Description This field displays a description of the device identified by the MAC address or OUI Table 243 Configuration Object User Group MAC Address Add LABEL DESCRIPTION MAC Ad...

Page 596: ...the user accounts 34 3 AP Profile Overview This section shows you how to configure preset profiles for the Access Points APs connected to your Zyxel Device s wireless network The Radio screen Section 34 3 1 on page 597 creates radio configurations that can be used by the APs The SSID screen Section 34 3 2 on page 603 configures three different types of profiles for your networked APs 34 3 0 1 What...

Page 597: ...Device SSID The SSID Service Set IDentifier is the name that identifies the Service Set with which a wireless station is associated Wireless stations associating to the access point AP must have the same SSID In other words it is the name of the wireless network that clients use to connect to it WEP WEP Wired Equivalent Privacy encryption scrambles all data packets transmitted between the AP and t...

Page 598: ...lick Inactivate References Click this to view which other objects are linked to the selected radio profile This field is a sequential value and it is not associated with a specific profile Status This icon is lit when the entry is active and dimmed when the entry is inactive Profile Name This field indicates the name assigned to the radio profile Frequency Band This field indicates the frequency b...

Page 599: ...om the list and click the Edit button Figure 390 Configuration Object AP Profile Add Edit Radio Profile The following table describes the labels in this screen Table 246 Configuration Object AP Profile Add Edit Radio Profile LABEL DESCRIPTION Hide Show Advanced Settings Click this to hide or show the Advanced Settings in this window Create New Object Use this to configure any new settings objects ...

Page 600: ...nels to increase throughput A 80 MHz channel consists of two adjacent 40 MHz channels The wireless clients must also support 40 MHz or 80 MHz It is often better to use the 20 MHz setting in a location where the environment hinders the wireless signal Because not all devices support 40 MHz and or 80 MHz channels select 20 40MHz or 20 40 80MHz to allow the AP to adjust the channel bandwidth automati...

Page 601: ...hannel Selection to DCS and set 2 4 GHz Channel Selection Method to auto Select Three Channel Deployment to limit channel switching to channels 1 6 and 11 the three channels that are sufficiently attenuated to have almost no impact on one another In other words this allows you to minimize channel interference by limiting channel hopping to these three safe channels Select Four Channel Deployment t...

Page 602: ...ta collisions A wireless client sends an RTS for all packets larger than the number of bytes that you enter here Set the RTS CTS equal to or higher than the fragmentation threshold to turn RTS CTS off Beacon Interval When a wirelessly networked device sends a beacon it includes with it a beacon interval This specifies the time period before the device sends the beacon again The interval tells rece...

Page 603: ...AP Profile SSID List Station Retry Count Set the maximum number of times a wireless client can attempt to re connect to the AP Multicast Settings Use this section to set a transmission mode and maximum rate for multicast traffic Transmission Mode Set how the AP handles multicast traffic Select Multicast to Unicast to broadcast wireless multicast traffic to all of the wireless clients as unicast tr...

Page 604: ...Remove Click this to remove the selected SSID profile References Click this to view which other objects are linked to the selected SSID profile for example radio profile This field is a sequential value and it is not associated with a specific profile Profile Name This field indicates the name assigned to the SSID profile SSID This field indicates the SSID name as it appears to wireless clients Se...

Page 605: ...ork Certain categories such as video or voice are given a higher priority due to the time sensitive nature of their data packets QoS access categories are as follows disable Turns off QoS for this SSID All data packets are treated equally and not tagged with access categories WMM Enables automatic tagging of data packets The Zyxel Device assigns access categories to the SSID by examining data as i...

Page 606: ...is SSID VLAN ID If you selected Local Bridge forwarding mode enter the VLAN ID that will be used to tag all traffic originating from this SSID if the VLAN is different from the native VLAN All the wireless station s traffic goes through the associated AP s gateway VLAN Interface If you selected the Tunnel forwarding mode select a VLAN interface All the wireless station s traffic is forwarded to th...

Page 607: ...SCRIPTION Add Click this to add a new security profile Edit Click this to edit the selected security profile Remove Click this to remove the selected security profile References Click this to view which other objects are linked to the selected security profile for example SSID profile This field is a sequential value and it is not associated with a specific profile Profile Name This field indicate...

Page 608: ...ile or edit an existing one To access this screen click the Add button or select a security profile from the list and click the Edit button Note This screen s options change based on the Security Mode selected Only the default screen is displayed here Figure 394 Configuration Object AP Profile SSID Security Profile Add Edit Security Profile ...

Page 609: ...ion Primary Secondary Radius Server Activate Select this to have the Zyxel Device use the specified RADIUS server Radius Server IP Address Enter the IP address of the RADIUS server to be used for authentication Radius Server Port Enter the port number of the RADIUS server to be used for authentication Radius Server Secret Enter the shared secret password of the RADIUS server to be used for authent...

Page 610: ...anging from a z A Z and 0 9 for example MyKey for each Key used If you select WEP 128 Enter 26 hexadecimal digits in the range of A F a f and 0 9 for example 0x00112233445566778899AABBCC for each Key used or Enter 13 ASCII characters case sensitive ranging from a z A Z and 0 9 for example MyKey12345678 for each Key used Key 1 4 Based on your Key Length selection enter the appropriate length hexade...

Page 611: ...nagement frames This helps prevent wireless DoS attacks Select the check box to enable management frame protection MFP to add security to 802 11 management frames Select Optional if you do not require the wireless clients to support MFP Management frames will be encrypted if the clients support MFP Select Required and wireless clients must support MFP in order to join the AP s wireless network OK ...

Page 612: ...ers for the profile name This name is only visible in the Web Configurator and is only for management purposes Spaces and underscores are allowed Filter Action Select allow to permit the wireless client with the MAC addresses in this profile to connect to the network through the associated SSID select deny to block the wireless clients with the specified MAC addresses Add Click this to add a MAC a...

Page 613: ...4 4 2 Configuring MON Profile This screen allows you to create monitor mode configurations that can be used by the APs To access this screen login to the Web Configurator and click Configuration Object MON Profile Figure 397 Configuration Object MON Profile The following table describes the labels in this screen Table 253 Configuration Object MON Profile LABEL DESCRIPTION Add Click this to add a n...

Page 614: ...following table describes the labels in this screen Profile Name This field indicates the name assigned to the monitor profile Apply Click Apply to save your changes back to the Zyxel Device Reset Click Reset to return the screen to its last saved settings Table 253 Configuration Object MON Profile continued LABEL DESCRIPTION Table 254 Configuration Object MON Profile Add Edit MON Profile LABEL DE...

Page 615: ...available Country Code Select the country code of APs that are connected to the Zyxel Device to be the same as where the Zyxel Device is located installed The available channels vary depending on the country you selected Be sure to select the correct same country for both radios on an AP and all connected APs in order to prevent roaming failure and interference to other systems After changing the ...

Page 616: ...detected in your network as well as any others that you know are not a threat those from recognized networks for example It is recommended that you export save your list of friendly APs often especially if you have a network with a large number of access points 34 5 ZyMesh Overview This section shows you how to configure ZyMesh profiles for the Zyxel Device to apply to the managed APs ZyMesh is a ...

Page 617: ... managed APs are deployed to form a ZyMesh for the first time the root AP must be connected to an AP controller the Zyxel Device In the following example managed APs 1 and 2 act as a root AP and managed APs A B and C are repeaters The maximum number of hops the repeaters between a wireless client and the root AP you can have in a ZyMesh varies according to how many wireless clients a managed AP ca...

Page 618: ... enter the primary AP controller s ZyMesh Provision Group MAC address in the second AP controller s ZyMesh Provision Group field If you didn t change the second AP controller s MAC address managed APs in an existing ZyMesh can still access the networks through the second AP controller and communicate with each other But new managed APs will not be able to communicate with the managed APs in the ex...

Page 619: ...n Section 34 6 4 on page 626 to update the database of country to IP address mappings and to manually configure country to IP address mappings Profile Name This field indicates the name assigned to the profile ZyMesh SSID This field shows the SSID specified in this ZyMesh profile Table 255 Configuration Object ZyMesh Profile continued LABEL DESCRIPTION Table 256 Configuration Object ZyMesh Profile...

Page 620: ...ces INTERFACE SUBNET the object uses the subnet mask of one of the Zyxel Device s interfaces INTERFACE GATEWAY the object uses the gateway IP address of one of the Zyxel Device s interfaces GEOGRAPHY the object uses the IP addresses of a country to represent a country FQDN the object uses a FQDN Fully Qualified Domain Name An FQDN consists of a host and domain name For example www zyxel com is a f...

Page 621: ...The Zyxel Device confirms you want to remove it before doing so References Select an entry and click References to open a screen that shows which settings use the entry This field is a sequential value and it is not associated with a specific address Name This field displays the configured name of each address object Type This field displays the type of each address object INTERFACE means the obje...

Page 622: ...one of the Zyxel Device s interfaces IPv6 Address This field displays the IPv6 addresses represented by each address object If the object s settings are based on one of the Zyxel Device s interfaces the name of the interface displays first followed by the object s current address settings Reference This displays the number of times an object reference is used in a profile Table 258 Configuration O...

Page 623: ...ype use this field to select a country FQDN If you selected FQDN as the Address Type use this field to enter a fully qualified domain name OK Click OK to save your changes back to the Zyxel Device Cancel Click Cancel to exit this screen without saving your changes Table 259 Configuration Object Address GeoIP Address Add Edit IPv4 LABEL DESCRIPTION Table 260 Configuration Object Address GeoIP Addre...

Page 624: ...guration IP address SLAAC or is obtained from a DHCPv6 server DHCPv6 Country If you selected Geography as the Address Type use this field to select a country FQDN If you selected FQDN as the Address Type use this field to enter a fully qualified domain name OK Click OK to save your changes back to the Zyxel Device Cancel Click Cancel to exit this screen without saving your changes Table 260 Config...

Page 625: ...rms you want to remove it before doing so References Select an entry and click References to open a screen that shows which settings use the entry This field is a sequential value and it is not associated with a specific address group Name This field displays the name of each address group Description This field displays the description of each address group if any Reference This displays the numb...

Page 626: ...eway if the interface s IP address settings change For example if you change 1 s IP address the Zyxel Device automatically updates the corresponding interface based LAN subnet address object Member List The Member list displays the names of the address and address group objects that have been added to the address group The order of members is not important Select items from the Available list that...

Page 627: ...the Zyxel Device and replaces the current version if it is newer There are logs to show the update status You need to have a registered Content Filter Service license Auto Update If you want the Zyxel Device to check weekly for the latest country to IP address database version on myZyxel select the checkbox choose a day and time each week and then click Apply The default day and time displayed is ...

Page 628: ...ce or is missing TCP puts it in sequence or waits for the data to be re transmitted Then the connection is terminated In contrast computers use UDP to send short messages to each other There is no guarantee that the messages arrive in sequence or that the messages arrive at all Table 264 Geo IP Add LABEL DESCRIPTION Country Select the country or region that maps to this IP address Address Type Sel...

Page 629: ...ine IP protocols TCP applications UDP applications ICMP messages user defined services for other types of IP protocols These objects are used in policy routes security policies and IDP profiles Use service groups when you want to create the same rule for several services instead of creating separate rules for each service Service groups may consist of services and other service groups The sequence...

Page 630: ...ach service Content This field displays a description of each service Reference This displays the number of times an object reference is used in a profile Table 266 Configuration Object Service Service Edit LABEL DESCRIPTION Name Type the name used to refer to the service You may use 1 31 alphanumeric characters underscores _ or dashes but the first character cannot be a number This value is case ...

Page 631: ...ings Remove To remove an entry select it and click Remove The Zyxel Device confirms you want to remove it before doing so References Select an entry and click References to open a screen that shows which settings use the entry This field is a sequential value and it is not associated with a specific service group Family This field displays the Server Group supported type which is according to your...

Page 632: ...te Schedules are based on the Zyxel Device s current date and time Table 268 Configuration Object Service Service Group Edit LABEL DESCRIPTION Name Enter the name of the service group You may use 1 31 alphanumeric characters underscores _ or dashes but the first character cannot be a number This value is case sensitive Description Enter a description of the service group if any You can use up to 6...

Page 633: ...acation periods Recurring Schedules Recurring schedules begin at a specific start time and end at a specific stop time on selected days of the week Sunday Monday Tuesday Wednesday Thursday Friday and Saturday Recurring schedules always begin and end in the same day Recurring schedules are useful for defining the workday and off work hours 34 8 2 The Schedule Screen The Schedule screen provides a s...

Page 634: ... the date and time at which the schedule begins Stop Day Time This field displays the date and time at which the schedule ends Reference This displays the number of times an object reference is used in a profile Recurring Add Click this to create a new entry Edit Double click an entry or select it and click Edit to be able to modify the entry s settings Remove To remove an entry select it and clic...

Page 635: ...o the one time schedule You may use 1 31 alphanumeric characters underscores _ or dashes but the first character cannot be a number This value is case sensitive Day Time StartDate Specify the year month and day when the schedule begins Year 1900 2999 Month 1 12 Day 1 31 it is not possible to specify illegal dates such as February 31 StartTime Specify the hour and minute when the schedule begins Ho...

Page 636: ...be a number This value is case sensitive Date Time StartTime Specify the hour and minute when the schedule begins each day Hour 0 23 Minute 0 59 StopTime Specify the hour and minute when the schedule ends each day Hour 0 23 Minute 0 59 Weekly Week Days Select each day of the week the recurring schedule is effective OK Click OK to save your changes back to the Zyxel Device Cancel Click Cancel to ex...

Page 637: ...ence is used in a profile Table 272 Configuration Object Schedule Schedule Group LABEL DESCRIPTION Table 273 Configuration Schedule Schedule Group Add LABEL DESCRIPTION Group Members Name Type the name used to refer to the recurring schedule You may use 1 31 alphanumeric characters underscores _ or dashes but the first character cannot be a number This value is case sensitive Description Enter a d...

Page 638: ...tion procedure via an LDAP AD server 1 A user logs in with a user name and password pair 2 The Zyxel Device tries to bind or log in to the LDAP AD server 3 When the binding process is successful the Zyxel Device checks the user information in the directory against the user name and password pair 4 If it matches the user is allowed access Otherwise access is blocked 34 9 2 RADIUS Server RADIUS Remo...

Page 639: ...ectory or LDAP screens Section 34 9 5 on page 641 to configure Active Directory or LDAP server objects Use the Configuration Object AAA Server RADIUS screen Section 34 9 2 on page 638 to configure the default external RADIUS server to use for user authentication 34 9 4 What You Need To Know AAA Servers Supported by the Zyxel Device The following lists the types of authentication server the Zyxel D...

Page 640: ...The leftmost attribute is the Relative Distinguished Name RDN This provides a unique name for entries that have the same parent DN cn domain1 com ou Sales o MyCompany in the following examples cn domain1 com ou Sales o MyCompany c US cn domain1 com ou Sales o MyCompany c JP Base DN A base DN specifies a directory A base DN usually contains information such as the name of an organization a domain n...

Page 641: ...it icon to display the following screen Use this screen to create a new AD or LDAP entry or edit an existing one Table 274 Configuration Object AAA Server Active Directory or LDAP LABEL DESCRIPTION Add Click this to create a new entry Edit Double click an entry or select it and click Edit to open a screen where you can modify the entry s settings Remove To remove an entry select it and click Remov...

Page 642: ...bject AAA Server Active Directory or LDAP Add LABEL DESCRIPTION Name Enter a descriptive name up to 63 alphanumerical characters for identification purposes Description Enter the description of each server if any You can use up to 60 printable ASCII characters Server Address Enter the address of the AD or LDAP server Backup Server Address If the AD or LDAP server has a backup server enter its addr...

Page 643: ... type of identifier that the users can use to log in enter it here For example name or email address Group Membership Attribute An AD or LDAP server defines attributes for its accounts Enter the name of the attribute that the Zyxel Device is to check to determine to which group a user belongs The value for this attribute is called a group identifier it determines to which group a user belongs You ...

Page 644: ...ecified above to test if the configuration is correct Enter the account s user name in the Username field and click Test OK Click OK to save the changes Cancel Click Cancel to discard the changes Table 275 Configuration Object AAA Server Active Directory or LDAP Add continued LABEL DESCRIPTION Table 276 Configuration Object AAA Server RADIUS LABEL DESCRIPTION Add Click this to create a new entry E...

Page 645: ... the description of each server if any You can use up to 60 printable ASCII characters Server Address Enter the address of the RADIUS server Authentication Port Specify the port number on the RADIUS server to which the Zyxel Device sends authentication requests Enter a number between 1 and 65535 Backup Server Address If the RADIUS server has a backup server enter its address here Backup Authentica...

Page 646: ...able to use the primary RADIUS accounting server Specify the number of times the Zyxel Device should reattempt to use the primary RADIUS server before attempting to use the secondary RADIUS server This also sets how many times the Zyxel Device will attempt to use the secondary RADIUS server For example you set this field to 3 If the Zyxel Device does not get a response from the primary RADIUS serv...

Page 647: ...to authenticate VPN users for establishing a VPN connection Refer to the chapter on VPN for more information Follow the steps below to specify the authentication method for a VPN connection 1 Access the Configuration VPN IPSec VPN VPN Gateway Edit screen 2 Click Show Advance Setting and select Enable Extended Authentication 3 Select Server Mode and select an authentication method object from the d...

Page 648: ...object 1 Click Configuration Object Auth Method 2 Click Add Table 278 Configuration Object Auth Method LABEL DESCRIPTION Add Click this to create a new entry Edit Double click an entry or select it and click Edit to open a screen where you can modify the entry s settings Remove To remove an entry select it and click Remove The Zyxel Device confirms you want to remove it before doing so References ...

Page 649: ...save the settings or click Cancel to discard all changes and return to the previous screen Figure 427 Configuration Object Auth Method Add The following table describes the labels in this screen Table 279 Configuration Object Auth Method Add LABEL DESCRIPTION Name Specify a descriptive name for identification purposes You may use 1 31 alphanumeric characters underscores _ or dashes but the first c...

Page 650: ...nt device to the Zyxel Device Method List Select a server object from the drop down list box You can create a server object in the AAA Server screen The Zyxel Device authenticates the users using the databases in the local user database or the external authentication server in the order they appear in this screen If two accounts with the same username exist on two authentication servers you specif...

Page 651: ...iguration you must Set up the user s user name password and email address or mobile number in the Active Directory RADIUS server or local Zyxel Device database Configure the VPN tunnel for this user on the Zyxel Device Have an account with ViaNett to be able to send SMS email authorization requests Enable HTTP and or HTTPS in System WWW Service Control Configure SMS in System Notification SMS Add ...

Page 652: ...o Factor Authentication You should have configured the VPN tunnel first SSL VPN Access IPSec VPN Access L2TP IPSec VPN Access User Group This list displays the names of the users and user groups that can be selected for two factor authentication The order of members is not important Select users and groups from the Selectable User Group Objects list that require two factor authentication for VPN a...

Page 653: ...s people to verify whether data was signed by you or by someone else This process works as follows Deliver Authorize Link Method Select one or both methods SMS Object User Group User must contain a valid mobile telephone number A valid mobile telephone number can be up to 20 characters in length including the numbers 1 9 and the following characters in the square brackets Email Object User Group U...

Page 654: ...tion algorithm The certification authority uses its private key to sign certificates Anyone can then use the certification authority s public key to verify the certificates A certification path is the hierarchy of certification authority certificates that validate a certificate The Zyxel Device does not trust a certificate if any certificate on its path has expired or been revoked Certification au...

Page 655: ...ificates The private key in a PKCS 12 file is within a password encrypted envelope The file s password is not connected to your certificate s public or private passwords Exporting a PKCS 12 file creates this and you must provide it to decrypt the contents when you import the file into the Zyxel Device Note Be careful not to convert a binary file to text during the transfer process It is easy for t...

Page 656: ...rint fields The secure method may very based on your situation Possible examples would be over the telephone or through an HTTPS connection 34 11 3 The My Certificates Screen Click Configuration Object Certificate My Certificates to open the My Certificates screen This is the Zyxel Device s summary list of certificates and certification requests Figure 432 Configuration Object Certificate My Certi...

Page 657: ...ect an entry and click References to open a screen that shows which settings use the entry This field displays the certificate index number The certificates are listed in alphabetical order Name This field displays the name used to identify this certificate It is recommended that you give each certificate a unique name Type This field displays what kind of certificate this is REQ represents a cert...

Page 658: ...to the subject information when it issues a certificate It is recommended that each certificate have unique subject information Select a radio button to identify the certificate s owner by IP address domain name or email address Type the IP address in dotted decimal notation domain name or email address in the field provided The domain name or email address is for identification purposes only and ...

Page 659: ...haracters the hyphen and the underscore Key Type Select RSA to use the Rivest Shamir and Adleman public key algorithm Select DSA to use the Digital Signature Algorithm public key algorithm Key Length Select a number from the drop down list box to determine how many bits the key should use 512 to 2048 The longer the key the more secure it is A longer key also uses more PKI storage space Extended Ke...

Page 660: ...Click the Refresh button to have this read only text box display the hierarchy of certification authorities that validate the certificate and the certificate itself If the issuing certification authority is one that you have imported as a trusted certification authority it may be the only certification authority in the list along with the certificate itself If the certificate is a self signed cert...

Page 661: ...ithm Valid From This field displays the date that the certificate becomes applicable none displays for a certification request Valid To This field displays the date that the certificate expires The text displays in red and includes an Expired message if the certificate has expired none displays for a certification request Key Algorithm This field displays the type of algorithm that was used to gen...

Page 662: ...certification authority or a text editor and save the file on a management computer for later manual enrollment You can copy and paste a certificate into an email to send to friends or colleagues or you can copy and paste a certificate into a text editor and save the file on a management computer for later distribution via floppy disk for example Export Certificate Only Use this button to save a c...

Page 663: ...e the file s password that was created when the PKCS 12 file was exported OK Click OK to save the certificate on the Zyxel Device Cancel Click Cancel to quit and return to the My Certificates screen Table 285 Configuration Object Certificate Trusted Certificates LABEL DESCRIPTION PKI Storage Space in Use This bar displays the percentage of the Zyxel Device s PKI storage space that is currently in ...

Page 664: ... or company and C Country It is recommended that each certificate have unique subject information Issuer This field displays identifying information about the certificate s issuing certification authority such as a common name organizational unit or department organization or company and country With self signed certificates this is the same information as in the Subject field Valid From This fiel...

Page 665: ...Chapter 34 Object ZyWALL ATP Series User s Guide 665 Figure 437 Configuration Object Certificate Trusted Certificates Edit ...

Page 666: ...II characters from the entity maintaining the OCSP server usually a certification authority LDAP Server Select this check box if the directory server uses LDAP Lightweight Directory Access Protocol LDAP is a protocol over TCP that specifies how clients access directories of certificates and lists of revoked certificates Address Type the IP address in dotted decimal notation of the directory server...

Page 667: ...ed to encrypt text Extended Key Usage This field displays the method that the Zyxel Device generates and stores a request for server authentication client authentication or IKE Intermediate authentication certificate Basic Constraint This field displays general information about the certificate For example Subject Type CA means that this is a certification authority s certificate and Path Length C...

Page 668: ...rrent or unknown response 34 12 ISP Account Overview Use ISP accounts to manage Internet Service Provider ISP account information for PPPoE PPTP L2TP interfaces An ISP account is a profile of settings for Internet access using PPPoE PPTP or L2TP Use the Object ISP Account screens Section 34 12 1 on page 668 to create and manage ISP accounts in the Zyxel Device 34 12 1 ISP Account Summary This scre...

Page 669: ...ABEL DESCRIPTION Add Click this to create a new entry Edit Double click an entry or select it and click Edit to be able to modify the entry s settings Remove To remove an entry select it and click Remove The Zyxel Device confirms you want to remove it before doing so References Select an entry and click References to open a screen that shows which settings use the entry This field is a sequential ...

Page 670: ... server information Options are pppoe This ISP account uses the PPPoE protocol pptp This ISP account uses the PPTP protocol l2tp This ISP account uses the L2TP protocol Authentication Type Use the drop down list box to select an authentication protocol for outgoing calls Options are CHAP PAP Your Zyxel Device accepts either CHAP or PAP when requested by this remote node Chap Your Zyxel Device acce...

Page 671: ...ification name for the PPTP server This field can be blank Service Name If this ISP account uses the PPPoE protocol type the PPPoE service name to access PPPoE uses the specified service name to identify and reach the PPPoE server This field can be blank If this ISP account uses the PPTP protocol this field is not displayed Compression Select On button to turn on stac compression and select Off to...

Page 672: ... doing so References Select an entry and click References to open a screen that shows which settings use the entry This field is a sequential value and it is not associated with a specific object Name This field displays the name of each request object Type This field displays the request type of each request object Interface This field displays the interface used for each request object Value Thi...

Page 673: ...ure 444 Configuration DHCPv6 Lease Add Table 292 Configuration Object DHCPv6 Lease LABEL DESCRIPTION Configuration Add Click this to create a new entry Edit Double click an entry or select it and click Edit to open a screen where you can modify the entry s settings Remove To remove an entry select it and click Remove The Zyxel Device confirms you want to remove it before doing so References Select...

Page 674: ...ease Type field select a request object or User Defined in the DNS Server field and enter the IP address of the DNS server in the User Defined Address field below Starting IP Address If you select Address Pool in the Lease Type field enter the first of the contiguous addresses in the IP address pool End IP Address If you select Address Pool in the Lease Type field enter the last of the contiguous ...

Page 675: ...e 675 to see the license status for Device HA Pro and see the status of the active and passive devices Use the Device HA Pro screen Section 35 3 on page 677 to configure Device HA Pro global settings monitored interfaces and synchronization settings Use the View Log screen Section 35 4 on page 680 to see logs of the active and passive devices 35 2 Device HA Status Use this screen to view Device HA...

Page 676: ...Device Passive Device Status This section displays information on the passive Zyxel Device with an activated Device HA Pro license Health Status This displays Off or On depending on whether Device HA Pro is disabled or enabled on the passive Zyxel Device S N This displays the serial number of the passive Zyxel Device Virtual MAC This displays the hardware MAC address of the passive Zyxel Device Sy...

Page 677: ...ration synchronization and troubleshooting All links on Zyxel Device B are down except for the dedicated heartbeat link Note The dedicated heartbeat link port must be the highest numbered port on each Zyxel Device for Device HA Pro to work Figure 447 Device HA Pro Failover from the active Zyxel Device to the passive Zyxel Device is activated when A monitored interface is down A monitored service d...

Page 678: ...o the active Zyxel Device using the highest numbered ports on both Zyxel Devices This is the heartbeat interface Make sure that this interface is not already configured for other features such as LAG VLAN Bridge 5 If both Zyxel Devices are turned on at the same time with Device HA enabled then they may send the heartbeat at the same time In this case the Zyxel Device with the bigger MAC address be...

Page 679: ...protect and certificates Note Only Zyxel Devices of the same model and firmware version can synchronize Serial Number of Licensed Device for License Synchronization Type the serial number of the Zyxel Device active or passive with the Device HA Pro subscribed license Active Device Management IP Type the IPv4 address of the highest numbered port on the active Zyxel Device the heartbeat dedicated li...

Page 680: ...ve Zyxel Device Monitor Interface Select an interface in Available Interfaces and click the right arrow button to move it to Monitor Interface to become a Device HA pro monitored interface To remove a Device HA pro monitored interface select it in Monitor Interface and click the left arrow button to move it to Available Interfaces Failover Detection Enable Failover When Interface Failure Option Se...

Page 681: ...table describes the labels in this screen Table 296 Configuration Device HA View Log LABEL DESCRIPTION Logs Active Device This displays Device HA Pro logs on the active Zyxel Device Passive Device This displays Device HA Pro logs on the passive Zyxel Device Refresh Click Refresh to update information in this screen ...

Page 682: ...oud CNM SecuReporter screen Section 36 3 on page 685 to enable SecuReporter logging on your Zyxel Device see license status type expiration date and access a link to the SecuReporter web portal The SecuReporter web portal collects and analyzes logs from your Zyxel Device in order to identify anomalies alert on potential internal external threats and report on network usage 36 2 Cloud CNM SecuManag...

Page 683: ...ation for events and alarms such as when a device goes down Graphically monitor individual devices and see related statistics Directly access a device for remote configuration Create four types of administrators with different privileges Perform Site to Site Hub Spoke Fully meshed and Remote Access VPN provisioning To allow Cloud CNM SecuManager management of your Zyxel Device You must have a Clou...

Page 684: ...nager server cannot access myZyxel CNM URL Select this if your VM server or Zyxel Device are in a private network or if the VM server is behind a NAT router You then need to manually enter the VM server URL into the Zyxel Device Enter the IPv4 IP address of the Cloud CNM SecuManager server followed by the port number default 7547 for HTTPS or 7549 for HTPP followed by the CNM ID from the license i...

Page 685: ... register it at myZyxel You must be a registered user at myZyxel You can access the portal from a web browser and also get notifications sent to an app on your mobile phone Interval Type how often the Zyxel Device should inform Cloud CNM SecuManager server of its presence HTTPS Authentication Select the check box if you have a HTTPs server certificate Server Certificate Select a certificate the HT...

Page 686: ...gure 452 Cloud CNM SecuReporter Application Scenario Your SecuReporter license displays in Configuration Licensing Registration Service after you purchase a license and register it at myZyxel The Zyxel Device must be able to communicate with the myZyxel server ...

Page 687: ...iguration Licensing Registration Service Click Configuration Cloud CNM SecuReporter to enable SecuReporter logging on your Zyxel Device see license status type expiration date and access a link to the SecuReporter web portal Figure 454 Configuration Cloud CNM SecuReporter ...

Page 688: ...ion usage analysis via this Zyxel Device This may cause an increase in traffic to SecuReporter from this Zyxel Device Clear the field if it impacts Zyxel Device performance SecuReporter Service License Status Service Status This field displays whether a service license is enabled at myZyxel Activated or not Not Activated or expired Expired It displays the remaining Grace Period if your license has...

Page 689: ...h IP address the access can come Use the System TELNET screen see Section 37 9 on page 728 to configure Telnet to access the Zyxel Device s command line interface Specify which zones allow Telnet access and from which IP address the access can come Use the System FTP screen see Section 37 10 on page 730 to specify from which zones FTP can be used to access the Zyxel Device You can also specify fro...

Page 690: ...7 3 USB Storage The Zyxel Device can use a connected USB device to store the system log and other diagnostic information Use this screen to turn on this feature and set a disk full warning limit Note Only connect one USB device It must allow writing it cannot be read only and use the FAT16 FAT32 EXT2 or EXT3 file system Table 299 Configuration System Host Name LABEL DESCRIPTION System Name Enter a...

Page 691: ...Zyxel Device s time based on your local time zone and date click Configuration System Date Time The screen displays as shown You can manually set the Zyxel Device s time and date or have the Zyxel Device get the date and time from a time server Table 300 Configuration System USB Storage LABEL DESCRIPTION Activate USB storage service Select this if you want to use the connected USB device s Disk fu...

Page 692: ... Device Time and Date Setup Manual Select this radio button to enter the time and date manually If you configure a new time and date time zone and daylight saving at the same time the time zone and daylight saving will affect the new time and date you entered When you enter the time settings manually the Zyxel Device uses the new setting once you click Apply New Time hh mm ss This field displays t...

Page 693: ...s is implemented in its time zone Start Date Configure the day and time when Daylight Saving Time starts if you selected Enable Daylight Saving The at field uses the 24 hour format Here are a couple of examples Daylight Saving Time starts in most parts of the United States on the second Sunday of March Each time zone in the United States starts using Daylight Saving Time at 2 A M local time So in ...

Page 694: ...Now button to get the time and date from the time server you specified in the Time Server Address field When the Loading screen appears you may have to wait up to one minute Figure 458 Synchronization in Process The Current Time and Current Date fields will display the appropriate settings if the synchronization is successful If the synchronization was not successful a log displays in the View Log...

Page 695: ...ate Time 2 Select Get from Time Server under Time and Date Setup 3 Under Time Zone Setup select your Time Zone from the list 4 As an option you can select the Enable Daylight Saving check box to adjust the Zyxel Device clock for daylight savings 5 Under Time and Date Setup enter a Time Server Address Table 302 on page 694 6 Click Apply 37 5 Console Port Speed This section shows you how to set the ...

Page 696: ...l Device sends to the specified DHCP client devices A name query begins at a client computer and is passed to a resolver a DNS client service for resolution The Zyxel Device can be a DNS client service The Zyxel Device can resolve a DNS query locally using cached Resource Records RR obtained from a previous query and kept for a period of time If the Zyxel Device does not have the requested informa...

Page 697: ... the DNS record response it is sent to the victim Attackers can request as much information as possible to maximize the amplification effect Configure the Security Option Control section in the Configuration System DNS screen click Show Advanced Settings to display it if you suspect the Zyxel Device is being used either by hackers or by a corrupted open DNS server in a DNS amplification attack Fig...

Page 698: ...er record The ordering of your rules is important as rules are applied in sequence A hyphen displays for the default domain zone forwarder record The default record is not configurable The Zyxel Device uses this default record if the domain zone that needs to be resolved does not match any of the other domain zone forwarder records Alias Name Enter an Alias name Use as prefix for a wildcard domain...

Page 699: ...y Option Control Click Show Advanced Settings to display this part of the screen There are two control policies Default and Customize Edit Click either control policy and then click this button to change allow or deny actions for Query Recursion and Additional Info from Cache Priority The Customize control policy is checked first and if an address object match is not found the Default control poli...

Page 700: ...v6 Address PTR Record table to add an IPv4 or IPv6 address PTR record Figure 461 Configuration System DNS Address PTR Record Edit This the index number of the service control rule The ordering of your rules is important as rules are applied in sequence The entry with a hyphen instead of a number is the Zyxel Device s non configurable default policy The Zyxel Device applies this to traffic that doe...

Page 701: ...ain domain zyxel com Edit the IP Address in record A and all subdomains will follow automatically This eliminates chances for errors and increases efficiency in DNS management 37 6 7 Adding a CNAME Record Click the Add icon in the CNAME Record table to add a record Use as a prefix for a wildcard domain name For example zyxel com Figure 462 Configuration System DNS CNAME Record Add Table 305 Config...

Page 702: ... Figure 463 Configuration System DNS Domain Zone Forwarder Add Table 306 Configuration System DNS CNAME Record Add LABEL DESCRIPTION Alias name Enter an Alias Name Use as a prefix in the Alias name for a wildcard domain name for example example com FQDN Type a Fully Qualified Domain Name FQDN of a server An FQDN starts with a host name and continues all the way up to the top level domain name For ...

Page 703: ... IP address Enter if all domain zones are served by the specified DNS server s DNS Server Select DNS Server s from ISP if your ISP dynamically assigns DNS server information You also need to select an interface through which the ISP provides the DNS server IP address es The interface should be activated and set to be a DHCP client The fields below display the read only DNS server IP address es tha...

Page 704: ... DNS servers identified by address objects and added as members in the customized policy 37 6 13 Editing a Security Option Control Click a control policy and then click Edit to change allow or deny actions for Query Recursion and Additional Info from Cache Figure 465 Configuration System DNS Security Option Control Edit Customize Table 308 Configuration System DNS MX Record Add LABEL DESCRIPTION D...

Page 705: ...List Specifying address objects is not available in the default policy as all addresses are included Available This box displays address objects created in Object Address Select one or more and click the arrow to have it them join the Member list of address objects that will apply to this rule For example you could specify an open DNS server suspect of sending compromised resource records by addin...

Page 706: ...one or the action is set to Deny 4 There is a security policy rule that blocks it 37 7 2 System Timeout There is a lease timeout for administrators The Zyxel Device automatically logs you out if the management session remains idle for longer than this timeout period The management session does not time out when a statistics screen is polling Each user is also forced to log in the Zyxel Device for ...

Page 707: ... to do so select Authenticate Client Certificates in the WWW screen Authenticate Client Certificates is optional and if selected means the HTTPS client must send the Zyxel Device a certificate You must apply for a certificate for the browser from a CA that is a trusted CA on the Zyxel Device Please refer to the following figure 1 HTTPS connection requests from an SSL aware web browser go to port 4...

Page 708: ...describes the labels in this screen Table 311 Configuration System WWW Service Control LABEL DESCRIPTION HTTPS Enable Select the check box to allow or disallow the computer with the IP address that matches the IP address es in the Service Control table to access the Zyxel Device Web Configurator using secure HTTPs connections ...

Page 709: ...Note that subsequent entries move up by one when you take this action Move To change an entry s position in the numbered list select the method and click Move to display a field to type a number for where you want to put it and press ENTER to move the rule to the number that you typed This is the index number of the service control rule The entry with a hyphen instead of a number is the Zyxel Devi...

Page 710: ...r uses to authenticate a client You must have configured the authentication methods in the Auth method screen Other When HTTPS Domain Filter blocks a page the connection is redirected to a local web server to display the blocking message HSTS HTTP Strict Transport Security may be activated in some browsers as the browser cached certificate is different to the one displayed by the local server In t...

Page 711: ...settings objects that you need to use in this screen Address Object Select ALL to allow or deny any computer to communicate with the Zyxel Device using this service Select a predefined address object to just allow or deny the computer with the IP address that you specified to access the Zyxel Device using this service Zone Select ALL to allow or prevent any Zyxel Device zones from being accessed u...

Page 712: ...Chapter 37 System ZyWALL ATP Series User s Guide 712 Figure 470 Configuration System WWW Login Page Desktop View ...

Page 713: ...Chapter 37 System ZyWALL ATP Series User s Guide 713 Figure 471 Configuration System WWW Login Page Mobile View The following figures identify the parts you can customize in the login and access pages ...

Page 714: ...n You can specify colors in one of the following ways Click Color to display a screen of web safe colors from which to choose Enter the name of the desired color Logo Title Message Note Message Background last line of text color of all text Logo Title Message Note Message Window last line of text color of all text Background ...

Page 715: ...the title for the top of the screen Use up to 64 printable ASCII characters Spaces are allowed Title Color Specify the color of the screen s title text Message Color Specify the color of the screen s text Note Message Enter a note to display at the bottom of the screen Use up to 64 printable ASCII characters Spaces are allowed Background Set how the screen background looks To use a graphic select ...

Page 716: ...s website to proceed to the Web Configurator login screen Otherwise select Click here to close this web page to block the access 37 7 7 2 Mozilla Firefox Warning Messages When you attempt to access the Zyxel Device HTTPS server a The Connection is Untrusted screen appears as shown in the following screen Click Technical Details if you want to verify more information about the certificate from the ...

Page 717: ...authorities The issuing certificate authority of the Zyxel Device s factory default certificate is the Zyxel Device itself since the certificate is a self signed certificate For the browser to trust a self signed certificate import the self signed certificate into your operating system as a trusted certificate To have the browser trust the certificates issued by a certificate authority import the ...

Page 718: ...Client Certificates to be active see the Certificates chapter for details Apply for a certificate from a Certification Authority CA that is trusted by the Zyxel Device see the Zyxel Device s Trusted CA Web Configurator screen Figure 478 Zyxel Device Trusted CA Screen The CA sends you a package containing the CA s trusted certificate s your personal certificate s and a password to install the perso...

Page 719: ...s shown earlier in this appendix 37 7 7 5 2 Installing Your Personal Certificate s You need a password in advance The CA may issue the password or you may have to specify it during the enrollment Double click the personal certificate given to you by the CA to produce a screen similar to the one shown next 1 Click Next to begin the wizard ...

Page 720: ...e Import Wizard 1 2 The file name and path of the certificate you double clicked should automatically appear in the File name text box Click Browse if you wish to import a different certificate Figure 481 Personal Certificate Import Wizard 2 3 Enter the password given to you by the CA ...

Page 721: ...Wizard 3 4 Have the wizard determine where the certificate should be saved on your computer or select Place all certificates in the following store and choose a different location Figure 483 Personal Certificate Import Wizard 4 5 Click Finish to complete the wizard and begin the import process ...

Page 722: ...cate When Accessing the Zyxel Device Example Use the following procedure to access the Zyxel Device via HTTPS 1 Enter https Zyxel Device IP Address in your browser s web address field Figure 486 Access the Zyxel Device Via HTTPS 2 When Authenticate Client Certificates is selected on the Zyxel Device the following screen asks you to select a personal certificate to send to the Zyxel Device This scr...

Page 723: ...ss the Zyxel Device s command line interface Specify which zones allow SSH access and from which IP address the access can come SSH is a secure communication protocol that combines authentication and data encryption to provide secure encrypted communication between two hosts over an unsecured network In the following figure computer A on the Internet uses SSH to securely connect to the WAN port of...

Page 724: ...ends a connection request to the SSH server The server identifies itself with a host key The client encrypts a randomly generated session key with the host key and server key and sends the result back to the server The client automatically saves any new server public keys In subsequent connections the server public key is checked against the saved version on the client computer 2 Encryption Method...

Page 725: ...e Zyxel Device over SSH 37 8 4 Configuring SSH Click Configuration System SSH to change your Zyxel Device s Secure Shell settings Use this screen to specify from which zones SSH can be used to manage the Zyxel Device You can also specify from which IP addresses the access can come Figure 491 Configuration System SSH The following table describes the labels in this screen Table 314 Configuration Sy...

Page 726: ...click Move to display a field to type a number for where you want to put it and press ENTER to move the rule to the number that you typed This the index number of the service control rule Zone This is the zone on the Zyxel Device the user is allowed or denied to access Address This is the object name of the IP address es with which the computer is allowed or denied to access Action This displays w...

Page 727: ...xample 1 Store Host Key Enter the password to log in to the Zyxel Device The CLI screen displays next 37 8 6 2 Example 2 Linux This section describes how to access the Zyxel Device using the OpenSSH client program that comes with most Linux distributions 1 Test whether the SSH service is available on the Zyxel Device Enter telnet 192 168 1 1 22 at a terminal prompt and press ENTER The computer att...

Page 728: ...pecify which zones allow Telnet access and from which IP address the access can come 37 9 1 Configuring Telnet Click Configuration System TELNET to configure your Zyxel Device for remote Telnet access Use this screen to specify from which zones Telnet can be used to manage the Zyxel Device You can also specify from which IP addresses the access can come telnet 192 168 1 1 22 Trying 192 168 1 1 Con...

Page 729: ...ce confirms you want to remove it before doing so Note that subsequent entries move up by one when you take this action Move To change an entry s position in the numbered list select the method and click Move to display a field to type a number for where you want to put it and press ENTER to move the rule to the number that you typed This the index number of the service control rule The entry with...

Page 730: ...come Table 317 Configuration System TELNET Service Control Rule Add Edit LABEL DESCRIPTION Create new Object Use this to configure any new settings objects that you need to use in this screen Address Object Select ALL to allow or deny any computer to communicate with the Zyxel Device using Telnet Select a predefined address object to just allow or deny the computer with the IP address that you spe...

Page 731: ...y after the selected entry Refer to Table 312 on page 711 for details on the screen that opens Edit Double click an entry or select it and click Edit to be able to modify the entry s settings Remove To remove an entry select it and click Remove The Zyxel Device confirms you want to remove it before doing so Note that subsequent entries move up by one when you take this action Move To change an ent...

Page 732: ...reen to its last saved settings Table 318 Configuration System FTP continued LABEL DESCRIPTION Table 319 Configuration System FTP Service Control Rule Add Edit LABEL DESCRIPTION Create new Object Use this to configure any new settings objects that you need to use in this screen Address Object Select ALL to allow or deny any computer to communicate with the Zyxel Device using FTP Select a predefine...

Page 733: ...se MIB is a collection of managed objects SNMP allows a manager and agents to communicate for the purpose of accessing these objects SNMP itself is a simple request response protocol based on the manager agent model The manager issues a request and the agent returns responses using the following protocol operations Get Allows the manager to retrieve an object variable from the agent GetNext Allows...

Page 734: ...our SNMP settings including from which zones SNMP can be used to access the Zyxel Device You can also specify from which IP addresses the access can come Table 320 SNMP Traps OBJECT LABEL OBJECT ID DESCRIPTION Cold Start 1 3 6 1 6 3 1 1 5 1 This trap is sent when the Zyxel Device is turned on or an agent restarts linkDown 1 3 6 1 6 3 1 1 5 3 This trap is sent when the Ethernet link is down linkUp ...

Page 735: ...e password sent with each trap to the SNMP manager The default is public and allows all requests Destination Type the IP address of the station to send your SNMP traps to Trap CAPWAP Event Select this option to have the Zyxel Device send a trap to the SNMP manager when a managed AP is connected to or disconnected from the Zyxel Device SNMPv2c Select the SNMP version for the Zyxel Device The SNMP v...

Page 736: ...Privilege This displays the access rights to MIBs Read Write The associated user can create and edit the MIBs on the Zyxel Device except the user account Read Only The associated user can only collect information from the Zyxel Device MIBs Service Control This specifies from which computers you can access which Zyxel Device zones Add Click this to create a new entry Select an entry and click Add t...

Page 737: ...thentication Select an authentication algorithm MD5 Message Digest 5 and SHA Secure Hash Algorithm are hash algorithms used to authenticate SNMP data SHA authentication is generally considered stronger than MD5 but is slower Privacy Specify the encryption method for SNMP communication from this user You can choose one of the following DES Data Encryption Standard is a widely used but breakable met...

Page 738: ...ON Create new Object Use this to configure any new settings objects that you need to use in this screen Address Object Select ALL to allow or deny any computer to communicate with the Zyxel Device using SNMP Select a predefined address object to just allow or deny the computer with the IP address that you specified to access the Zyxel Device using SNMP Zone Select ALL to allow or prevent any Zyxel...

Page 739: ...n entry and click Add to create a new entry after the selected entry Edit Double click an entry or select it and click Edit to be able to modify the entry s settings Remove To remove an entry select it and click Remove The Zyxel Device confirms you want to remove it before doing so Note that subsequent entries move up by one when you take this action Activate To turn on an entry select it and clic...

Page 740: ...Report to configure what reports to send and to whom Click Configuration System Notification to display the Mail Server screen Table 325 Configuration System Auth Server Add Edit LABEL DESCRIPTION Activate Select this check box to make this profile active Profile Name Enter a descriptive name up to 31 alphanumerical characters for identification purposes IP Address Enter the IP address of the RADI...

Page 741: ...s option if the mail server uses SSL or TLS for encrypted communications between the mail server and the Zyxel Device Authenticate Server Select this if the Zyxel Device authenticates the mail server in the TLS handshake Mail From Type the email address from which the outgoing email is delivered This address is used in replies SMTP Authentication Select this check box if it is necessary to provide...

Page 742: ...n SMS The following table describes the labels in this screen Table 327 Configuration System Notification SMS LABEL DESCRIPTION General Settings Enable SMS Select the check box to turn on the SMS service Default country code for phone number Enter the default country code for the mobile phone number to which you want to send SMS messages ViaNett Configuration User Name Enter the user name for your...

Page 743: ...Click Configuration System IPv6 to open the following screen Use this screen to enable IPv6 support for the Zyxel Device s Web Configurator screens Figure 509 Configuration System IPv6 Table 328 Configuration System Language LABEL DESCRIPTION Language Setting Select a display language for the Zyxel Device s Web Configurator screens You also need to open a new browser session to display the screens...

Page 744: ...e sure it meets the requirements listed below Operating System At the time of writing the ZON Utility is compatible with Windows 7 both 32 bit 64 bit versions Windows 8 both 32 bit 64 bit versions Windows 8 1 both 32 bit 64 bit versions Window 10 both 32 bit 64 bit versions Note To check for your Windows operating system version right click on My Computer Properties You should see this information...

Page 745: ...d Devices and Versions If you want to check the supported models and firmware versions later you can click the Show information about ZON icon in the upper right hand corner of the screen Then select the Supported model and firmware version link If your device is not listed here see the device release notes for ZON utility support The release notes are in the firmware zip file on the Zyxel web sit...

Page 746: ...scovered Figure 514 ZON Utility Screen 6 Select a device and then use the icons to perform actions Some functions may not be available for your devices The following table describes the icons numbered from left to right in the ZON Utility screen 1 2 3 4 5 6 7 8 9 10 11 12 13 Table 330 ZON Utility Icons ICON DESCRIPTION 1 IP configuration Change the selected device s IP address 2 Renew IP Address U...

Page 747: ...clear the list and discover all devices on the connected network again 12 Save Configuration Use this icon to save configuration changes to permanent memory on a selected device 13 Settings Use this icon to select a network adaptor for the computer on which the ZON utility is installed and the utility language Table 331 ZON Utility Fields LABEL DESCRIPTION Type This field displays an icon of the k...

Page 748: ...e 332 Configuration System ZON LABEL DESCRIPTION ZDP Zyxel Discovery Protocol ZDP is the protocol that the Zyxel One Network ZON utility uses for discovering and configuring ZDP aware Zyxel devices in the same broadcast domain as the computer on which ZON is installed Enable Select to activate ZDP discovery on the Zyxel Device Smart Connect Smart Connect uses Link Layer Discovery Protocol LLDP for...

Page 749: ...og messages and alerts e mailing them storing them on a connected USB storage device and sending them to remote syslog servers 38 2 Email Daily Report Use the Email Daily Report screen to start or stop data collection and view various statistics about traffic passing through your Zyxel Device See Configuration System Notification to set up the mail server Note Data collection may decrease the Zyxe...

Page 750: ...t Email Daily Report The following table describes the labels in this screen Table 333 Configuration Log Report Email Daily Report LABEL DESCRIPTION Enable Email Daily Report Select this to send reports by email every day Mail Subject Type the subject line for outgoing email from the Zyxel Device ...

Page 751: ...he alerts The first Log Setting screen provides a settings summary Use the Edit screens to configure settings such as log categories email addresses and server names for any log Use the Log Category Settings screen to edit what information is included in the system log USB storage email profiles and remote servers 38 3 1 Log Setting Summary To access this screen click Configuration Log Report Log ...

Page 752: ...ick Inactivate This field is a sequential value and it is not associated with a specific log Status The activate light bulb icon is lit when the entry is active and dimmed when the entry is inactive Name This field displays the type of log setting entry system log logs stored on a USB storage device connected to the Zyxel Device or one of the remote servers Log Format This field displays the forma...

Page 753: ...hapter 38 Log and Report ZyWALL ATP Series User s Guide 753 Figure 518 Configuration Log Report Log Setting Edit System Log E mail Servers Figure 519 Configuration Log Report Log Setting Edit System Log ...

Page 754: ...g is emailed weekly Select the day of the week the log is emailed Time for Sending Log This field is available if the log is emailed weekly or daily Select the time of day hours and minutes when the log is emailed Use 24 hour notation SMTP Authentication Select this check box if it is necessary to provide a user name and password to the SMTP server User Name This box is effective when you select t...

Page 755: ...and debugging information from this category the Zyxel Device does not email debugging information however even if this setting is selected E mail Server 1 Select whether each category of events should be included in the log messages when it is emailed green check mark and or in alerts red exclamation point for the email settings specified in E Mail Server 1 The Zyxel Device does not email debuggi...

Page 756: ...ect this to have the Zyxel Device save a copy of its system logs to a connected USB storage device Use the Active Log section to specify what kinds of messages to include Enable log keep duration Select this checkbox to enter a value in the Keep Duration field Keep Duration Enter a number of days that the Zyxel Device keeps this log Active Log Selection Use the Selection drop down list to change t...

Page 757: ...ssages generated by open source software Selection Select what information you want to log from each Log Category except All Logs see below Choices are disable all logs red X do not log any information from this category enable normal logs green check mark log regular information and alerts from this category enable normal logs and debug logs yellow check mark log regular information alerts and de...

Page 758: ...Selection Use the Selection drop down list to change the log settings for all of the log categories disable all logs red X do not send the remote server logs for any log category enable normal logs green check mark send the remote server log messages and alerts for all log categories enable normal logs and debug logs yellow check mark send the remote server log messages alerts and debugging inform...

Page 759: ...w often log information is emailed or remote server names To access this screen go to the Log Settings Summary screen see Section 38 3 1 on page 751 and click the Log Category Settings button Figure 523 Log Category Settings AC Figure 524 Log Category Settings AP This screen provides a different view and a different way of indicating which messages are included in each log and each alert Please se...

Page 760: ... your email server 1 settings enable normal logs green check mark email log messages for all categories to email server 1 enable alert logs red exclamation point email alerts for all categories to email server 1 E mail Server 2 E mail Use the E Mail Server 2 drop down list to change the settings for emailing logs to email server 2 for all log categories Using the System Log drop down list to disab...

Page 761: ... 2 E mail Select whether each category of events should be included in log messages when it is emailed green check mark and or in alerts red exclamation point for the email settings specified in E Mail Server 2 The Zyxel Device does not email debugging information even if it is recorded in the System log Remote Server 1 4 Syslog For each remote server select what information you want to log from e...

Page 762: ... the Configuration File screen see Section 39 2 on page 764 to store and name configuration files You can also download configuration files from the Zyxel Device to your computer and upload configuration files from your computer to the Zyxel Device Use the Firmware Package screen see Section 39 3 on page 769 to check your current firmware version and upload firmware to the Zyxel Device Use the She...

Page 763: ... sub command mode Note exit or must follow sub commands if it is to make the Zyxel Device exit sub command mode Figure 525 Configuration File Shell Script Example enter configuration mode configure terminal change administrator password username admin password 4321 user type admin configure ge3 interface ge3 ip address 172 23 37 240 255 255 255 0 ip gateway 172 23 37 254 metric 1 exit create addre...

Page 764: ... The Zyxel Device still generates a log for any errors 39 2 The Configuration File Screen Click Maintenance File Manager Configuration File to open the Configuration File screen Use the Configuration File screen to store run and name configuration files You can also download configuration files from the Zyxel Device to your computer and upload configuration files from your computer to the Zyxel De...

Page 765: ...e If there is an error the Zyxel Device generates a log and copies the startup config conf configuration file to the startup config bad conf configuration file and tries the existing lastgood conf configuration file If there isn t a lastgood conf configuration file or it also has an error the Zyxel Device applies the system default conf configuration file You can change the way the startup config ...

Page 766: ...duplicate of the configuration file Remove Click a configuration file s row to select it and click Remove to delete it from the Zyxel Device You can only delete manually saved configuration files You cannot delete the system default conf startup config conf and lastgood conf files A pop up window asks you to confirm that you want to delete the configuration file Click OK to delete the configuratio...

Page 767: ...figuration file generates error logs for all of the configuration file s errors and starts the Zyxel Device with a fully valid configuration file Click OK to have the Zyxel Device start applying the configuration file or click Cancel to close the screen This column displays the number for each configuration file entry This field is a sequential value and it is not associated with a specific addres...

Page 768: ...ood conf If you upload startup config conf it will replace the current configuration and immediately apply the new settings File Path Type in the location of the file you want to upload in this field or click Browse to find it Browse Click Browse to find the conf file you want to upload The configuration file must use a conf filename extension You will receive an error message if you try to upload...

Page 769: ...upload the firmware package to the Zyxel Device with the option enabled so you only need to clear the Destroy compressed files that could not be decompressed option while you download the firmware package See Section 28 2 on page 526 for more on the anti malware Destroy compressed files that could not be decompressed option The firmware update can take up to five minutes Do not turn off or reset t...

Page 770: ...u need a Firmware Upgrade license to upgrade the firmware If you do not have a license Upgrade Now is grayed out If you have a license click Upgrade Now to directly upgrade firmware to the standby partition and have the Zyxel Device reboot automatically so that the new standby firmware becomes the running firmware The previous running firmware becomes the standby firmware If you haven t registered...

Page 771: ...age When firmware is downloading you can pause resume stop or retry the firmware download Local Firmware Use this if you have already downloaded the latest firmware from the Zyxel website to your computer and unzipped it Click the icon and then browse to the location of the unzipped files If you upload the latest firmware to the running partition the Zyxel Device will reboot automatically when it ...

Page 772: ...ware row and click Reboot Wait a few minutes until the login screen appears If the login screen does not appear clear your browser cache and refresh the screen or type the IP address of the Zyxel Device in your Web browser again You can also use the CLI command reboot to restart the Zyxel Device This displays the system space partition index number where the firmware is located The firmware can be...

Page 773: ...are Latest Version This displays the latest firmware version at the Cloud Helper Server Click Check Now to see if there is a later firmware at the Cloud Server Release Date This displays the date the latest firmware version was made available Release Note The release note contains details of latest firmware version such as new features and bug fixes Auto Update Select this check box to have the Zy...

Page 774: ... 3 Insert the USB stick into the Zyxel Device The firmware uploads to the standby system space 4 The SYS LED blinks when the Zyxel Device automatically reboots making the upgraded firmware in standby become the running firmware Note If the startup config conf configuration file has problems and you are upgrading to 4 25 or later firmware then the Zyxel Device will revert failover to the previously...

Page 775: ...hell script s row to select it and click Rename to open the Rename File screen Figure 535 Maintenance File Manager Shell Script Rename Specify the new name for the shell script file Use up to 25 characters including a zA Z0 9 _ Click OK to save the duplicate or click Cancel to close the screen without saving a duplicate of the configuration file Remove Click a shell script file s row to select it ...

Page 776: ...e use that shell script file You may need to wait awhile for the Zyxel Device to finish applying the commands File Name This column displays the label that identifies a shell script file Size This column displays the size in KB of a shell script file Last Modified This column displays the date and time that the individual shell script files were last changed or saved Upload Shell Script The bottom...

Page 777: ...stored on a connected USB storage device on the Zyxel Device Use the Remote Assistance screens see Section 40 6 on page 786 to configure and schedule external access to the Zyxel Device for troubleshooting Use the Network Tool screen see Section 40 7 on page 788 to ping an IP address or trace the route packets take to a host Use the Routing Traces screens see Section 40 8 on page 790 to configure ...

Page 778: ...cribes the labels in this screen debug interface ifconfig debug interface show event_sink debug interface show interface_obj debug switch table debug switch port_groupping show ping check status debug system netstat interface show interface all show port status show service register status all show myzyxel service get cloud timezone show cloud helper firmware show cloud helper remind Table 344 Mai...

Page 779: ...eady Select this to have the Zyxel Device create an extra copy of the diagnostic file to a connected USB storage device Select Upload the cmd file as the customized script to display the following fields Shell Scripts Filename This displays the names of the customized shell script you created Upload Shell Script File Path Click Browse to find the location of the file you want to upload in this fie...

Page 780: ... containing their configuration Select any managed APs that you want to prevent the Zyxel Device from generating a diagnostic file for them and click the left arrow button to remove them Copy the diagnostic file to USB storage if ready Select this to have the Zyxel Device create an extra copy of the diagnostic file to a connected USB storage device Apply Click Apply to save your changes Collect No...

Page 781: ... screen File Name This column displays the label that identifies the file Size This column displays the size in bytes of a file Last Modified This column displays the date and time that the individual files were saved Table 346 Maintenance Diagnostics Files continued LABEL DESCRIPTION Table 347 Maintenance Diagnostics Packet Capture LABEL DESCRIPTION Interfaces Enabled interfaces except for virtua...

Page 782: ...ther the file reaches this size or the time period specified in the Duration field expires Split threshold Specify a maximum size limit in megabytes for individual packet capture files After a packet capture file reaches this size the Zyxel Device starts another packet capture file Duration Set a time limit in seconds for the capture The Zyxel Device stops the capture and generates the capture fil...

Page 783: ...pace as a buffer Save data to ftp server available xx MB Select this to have the Zyxel Device store packet capture entries on the defined FTP site The available storage size is displayed as well Server Address Type the IP address of the FTP server Server Port Type the port this server uses for FTP traffic The default FTP port is 21 Name Type the login username to access the FTP server Password Typ...

Page 784: ... the Zyxel Device or the connected USB storage device Use the Shift and or Ctrl key to select multiple files A pop up window asks you to confirm that you want to delete Download Click a file to select it and click Download to save it to your computer This column displays the number for each packet capture file entry The total number of packet capture files that you can save depends on the file siz...

Page 785: ...ted with any entry CPU This field displays the current CPU utilization percentage for each application used on the Zyxel Device Application This field displays the name of the application consuming the related processing power on the Zyxel Device Memory This field displays the current DRAM memory utilization percentage for each application used on the Zyxel Device Time This field displays each app...

Page 786: ...s the name of the application consuming the related memory on the Zyxel Device CPU This field displays the current CPU utilization percentage for each application used on the Zyxel Device Time This field displays each application s running time Refresh Click this to update the information in this screen Table 349 Maintenance Diagnostics CPU Memory Status LABEL DESCRIPTION Table 350 Maintenance Dia...

Page 787: ...e from a network outside the Zyxel Device local network for troubleshooting Remote Settings Select Use Random Settings to access the Zyxel Device remotely by using a randomly generated user name and password pair Select Use Manual Settings to access the Zyxel Device remotely by using a previously configured specific user account Generate This button is displayed when you select Use Random Settings...

Page 788: ...ol IP Address1 Enter the public IP address of the external user that is allowed to access the Zyxel Device remotely IP Address2 Enter the public IP address of the external user that is allowed to access the Zyxel Device remotely Schedule Name This field displays the name of the schedule for allowed external access The schedule must be first configured in Object Schedule Start Date This field displ...

Page 789: ...vance Click this to display the following fields Query Server Enter the IP address of a server to which the Zyxel Device sends queries for NSLOOKUP Interface Select the interface through which the Zyxel Device sends queries for PING or TRACEROUTE Extension Option Enter the extended option if you want to use an extended ping or traceroute command For example enter c count where count is the number ...

Page 790: ... replies Mail To Type the email address to which the outgoing email is delivered SMTP Authentication Select this check box if it is necessary to provide a user name and password to the SMTP server User Name This box is effective when you select the SMTP Authentication check box Type the user name to provide to the SMTP server when the log is emailed Password This box is effective when you select t...

Page 791: ...that you want to trace any means any protocol Interval Enter a time interval in seconds for renewing a route trace The default time interval is 5 seconds Capture Click this button to have the Zyxel Device capture frames according to the settings configured in this screen You can configure the Zyxel Device while a frame capture is in progress although you cannot modify the frame capture settings Fl...

Page 792: ... stops the capture and generates the capture file when either the file reaches this size File Prefix Specify text to add to the front of the file name in order to help you identify frame capture files You can modify the prefix to also create new frame capture files each time you perform a frame capture operation Doing this does no overwrite existing frame capture files The file format is file pref...

Page 793: ... Capture Files LABEL DESCRIPTION Remove Select files and click Remove to delete them from the Zyxel Device Use the Shift and or Ctrl key to select multiple files A pop up window asks you to confirm that you want to delete Download Click a file to select it and click Download to save it to your computer This column displays the number for each packet capture file entry The total number of packet ca...

Page 794: ...SNAT function s settings 41 2 The Routing Status Screen The Routing Status screen allows you to view the current routing flow and quickly link to specific routing settings Click a function box in the Routing Flow section the related routes activated will display in the Routing Table section To access this screen click Maintenance Packet Flow Explore Routing Status The order of the routing flow may...

Page 795: ...e 551 Maintenance Packet Flow Explore Routing Status Direct Route Figure 552 Maintenance Packet Flow Explore Routing Status Dynamic VPN Figure 553 Maintenance Packet Flow Explore Routing Status Policy Route Figure 554 Maintenance Packet Flow Explore Routing Status 1 1 SNAT ...

Page 796: ...ntenance Packet Flow Explore Routing Status SiteToSite VPN Figure 556 Maintenance Packet Flow Explore Routing Status Static Dynamic Route Figure 557 Maintenance Packet Flow Explore Routing Status Default WAN Trunk Figure 558 Maintenance Packet Flow Explore Routing Status Main Route ...

Page 797: ...ookup to fail B this is a route which discards packets L this is a recursive route Persist This is the remaining time of a dynamically learned route The Zyxel Device removes the route after this time period is counted down to zero The following fields are available if you click Policy Route in the Routing Flow section This field is a sequential value and it is not associated with any entry Incomin...

Page 798: ... IP address es Outgoing This is the outgoing interface that the SNAT rule uses to transmit packets Gateway This is the IP address of the gateway in the same network of the outgoing interface The following fields are available if you click Dynamic VPN or SiteToSite VPN in the Routing Flow section This field is a sequential value and it is not associated with any entry Source This is the IP address ...

Page 799: ...ore SNAT Status LABEL DESCRIPTION SNAT Flow This section shows you the flow of how the Zyxel Device changes the source IP address for a packet according to the rules you have configured in the Zyxel Device Click a function box to display the related settings in the SNAT Table section SNAT Table The table fields in this section vary depending on the function box you select in the SNAT Flow section ...

Page 800: ...his is the name of an activated NAT rule which uses SNAT and enables NAT loopback Source This is the original source IP address es any means any IP address Destination This is the original destination IP address es any means any IP address SNAT This indicates which source IP address the SNAT rule uses finally For example Outgoing Interface IP means that the Zyxel Device uses the IP address of the ...

Page 801: ...ng so can cause the firmware to become corrupt 42 1 1 What You Need To Know Shutdown writes all cached data to the local storage and stops the system processes 42 2 The Shutdown Screen To access this screen click Maintenance Shutdown Figure 563 Maintenance Shutdown Click the Shutdown button to shut down the Zyxel Device Wait for the device to shut down before you manually turn off or remove the po...

Page 802: ...ries and then Command Prompt In the Command Prompt window type ping followed by the Zyxel Device s LAN IP address 192 168 1 1 is the default and then press ENTER The Zyxel Device should reply If you ve forgotten the Zyxel Device s password use the RESET button Press the button in for about 5 seconds or until the SYS LED starts to blink then release it It returns the Zyxel Device to the factory def...

Page 803: ...et The Zyxel Device does not have to reboot when you upload new signatures The content filter category service is not working Make sure your Zyxel Device has the content filter category service registered and that the license is not expired Purchase a new license if the license is expired Make sure your Zyxel Device is connected to the Internet I configured security settings but the Zyxel Device i...

Page 804: ...tor it is a sequential number You can specify the number after the colon if you use the CLI to set up a virtual interface I cannot set up a PPP interface virtual Ethernet interface or virtual VLAN interface on an Ethernet interface You cannot set up a PPP interface virtual Ethernet interface or virtual VLAN interface if the underlying interface is a member of a bridge You also cannot add an Ethern...

Page 805: ...t you use a more effective security mechanism Use the strongest security mechanism that all the wireless devices in your network support WPA2 or WPA2 PSK is recommended The wireless security is not following the re authentication timer setting I specified If a RADIUS server authenticates wireless stations the re authentication timer on the RADIUS server has priority Change the RADIUS server s conf...

Page 806: ...he Zyxel Device cannot unzip password protected ZIP files or a ZIP file within another ZIP file There are also limits to the number of ZIP files that the Zyxel Device can concurrently unzip The Zyxel Device is deleting some zipped files The anti malware policy may be set to delete zipped files that the Zyxel Device cannot unzip The Zyxel Device cannot unzip password protected ZIP files or a ZIP fi...

Page 807: ...l Device s performance The Zyxel Device routes and applies SNAT for traffic from some interfaces but not from others The Zyxel Device automatically uses SNAT for traffic it routes from internal interfaces to external interfaces For example LAN to WAN traffic You must manually configure a policy route to add routing and SNAT settings for an interface with the Interface Type set to General You can a...

Page 808: ...onnection as the connection has not been acknowledged You can set the Zyxel Device s security policy to permit the use of asymmetrical route topology on the network so it does not reset the connection although this is not recommended since allowing asymmetrical routes may let traffic from the WAN go directly to the LAN without passing through the Zyxel Device A better solution is to use virtual in...

Page 809: ...cket sniffer Check the configuration for the following Zyxel Device features The Zyxel Device does not put IPSec SAs in the routing table You must create a policy route for each VPN tunnel See Chapter 10 on page 299 Make sure the To Zyxel Device security policies allow IPSec VPN traffic to the Zyxel Device IKE uses UDP port 500 AH uses IP protocol 51 and ESP uses IP protocol 50 The Zyxel Device su...

Page 810: ...able resource links vary depending on the SSL application object s configuration I cannot download the Zyxel Device s firmware package The Zyxel Device s firmware package cannot go through the Zyxel Device when you enable the anti malware Destroy compressed files that could not be decompressed option The Zyxel Device classifies the firmware package as not being able to be decompressed and deletes ...

Page 811: ...ccount The default admin account is always authenticated locally regardless of the authentication method setting The Zyxel Device fails to authentication the ext user user accounts I configured An external server such as AD LDAP or RADIUS must authenticate the ext user accounts If the Zyxel Device tries to use the local database to authenticate an ext user the authentication attempt will always fa...

Page 812: ...ently allows the importation of a PKS 7 file that contains a single certificate PEM Base 64 encoded PKCS 7 This Privacy Enhanced Mail PEM format uses lowercase letters uppercase letters and numerals to convert a binary PKCS 7 certificate into a printable form Binary PKCS 12 This is a format for transferring public key and private key certificates The private key in a PKCS 12 file is within a passw...

Page 813: ...Device restarts You could use multiple write commands in a long script Note exit or must follow sub commands if it is to make the Zyxel Device exit sub command mode See Chapter 39 on page 762 for more on configuration files and shell scripts I cannot get the firmware uploaded using the commands The Web Configurator is the recommended method for uploading firmware You only need to use the command l...

Page 814: ...ripts that you saved on the Zyxel Device should still be available afterwards Use the following procedure to reset the Zyxel Device to its factory default settings This overwrites the settings in the startup config conf file with the settings in the system default conf file Note This procedure removes the current configuration 1 Make sure the SYS LED is on and not blinking 2 Press the RESET button...

Page 815: ... information Please have the following information ready when you contact an office Required Information Product model and serial number Warranty Information Date that you received your device Brief description of the problem and the steps you took to solve it Corporate Headquarters Worldwide Taiwan Zyxel Communications Corporation http www zyxel com Asia China Zyxel Communications Shanghai Corp Z...

Page 816: ...l com pk Philippines Zyxel Philippines http www zyxel com ph Singapore Zyxel Singapore Pte Ltd http www zyxel com sg Taiwan Zyxel Communications Corporation http www zyxel com tw zh Thailand Zyxel Thailand Co Ltd http www zyxel co th Vietnam Zyxel Communications Corporation Vietnam Office http www zyxel com vn vi Europe Austria Zyxel Deutschland GmbH http www zyxel de Belarus Zyxel BY http www zyx...

Page 817: ...g Czech Republic Zyxel Communications Czech s r o http www zyxel cz Denmark Zyxel Communications A S http www zyxel dk Estonia Zyxel Estonia http www zyxel com ee et Finland Zyxel Communications http www zyxel fi France Zyxel France http www zyxel fr Germany Zyxel Deutschland GmbH http www zyxel de Hungary Zyxel Hungary SEE http www zyxel hu Italy Zyxel Communications Italy http www zyxel it ...

Page 818: ...enelux http www zyxel nl Norway Zyxel Communications http www zyxel no Poland Zyxel Communications Poland http www zyxel pl Romania Zyxel Romania http www zyxel com ro ro Russia Zyxel Russia http www zyxel ru Slovakia Zyxel Communications Czech s r o organizacna zlozka http www zyxel sk Spain Zyxel Communications ES Ltd http www zyxel es Sweden Zyxel Communications http www zyxel se Switzerland St...

Page 819: ...Ukraine http www ua zyxel com Latin America Argentina Zyxel Communication Corporation http www zyxel com ec es Brazil Zyxel Communications Brasil Ltda https www zyxel com br pt Ecuador Zyxel Communication Corporation http www zyxel com ec es Middle East Israel Zyxel Communication Corporation http il zyxel com homepage shtml Middle East Zyxel Communication Corporation http www zyxel com me en ...

Page 820: ...s User s Guide 820 North America USA Zyxel Communications Inc North America Headquarters http www zyxel com us en Oceania Australia Zyxel Communications Corporation http www zyxel com au en Africa South Africa Nology Pty Ltd http www zyxel co za ...

Page 821: ...Max BGP Neighbors 5 5 5 BGP Max Network 16 16 16 Sessions Max TCP Concurrent Sessions Forwarding NAT Firewall 600 000 1 000 000 2 000 000 NAT Max Virtual Server Number 256 1024 1024 Firewall Secure Policy Max Firewall ACL Rule Number Secure Policy Number 500 2000 5000 Max Session Limit Per Host Rules 1000 1000 1000 ADP Max ADP Profile Number 32 32 32 Max ADP Rule Number 32 32 32 Application Patrol...

Page 822: ...x Zone Number User Define 16 16 32 Trunk Max Trunk Number System Default 1 1 1 Max Trunk Number User Define 8 16 32 Max Member Number Per Trunk 4 8 16 8 32 8 VPN Max VPN Tunnels Number 40 200 1000 Max VPN Concentrator Number 2 16 32 Max VPN Configuration Provision Rule Number 40 200 1000 Certificate Certificate Buffer Size 256k 512k 512k Built In Service A Record 64 128 128 NS Record DNS Domain Zo...

Page 823: ...ximum White List Rule Support 128 128 256 Maximum Black List Rule Support 128 128 256 Maximum DNSBL Domain Support 5 5 10 Concurrent Mail Session Scanning 200 200 200 Max Statistics Number 500 500 500 Max Statistics Ranking 10 10 10 Anti Malware Max AV Rule Profile 1 1 1 Max Statistics Number 500 500 500 Max Statistics Ranking 10 10 10 SandBoxing Support protocol HTTP SMTP POP3 FTP HTTP SMTP POP3 ...

Page 824: ...6 512 512 BWM Per Source IP Max 1024 1024 1024 SIP Maximum SIP Concurrent Call 100 100 100 Custom Web Portal Page Max Internal Web Portal Customize File 4 4 4 Upload Zip File Size Up to 2MB Up to 2MB Up to 2MB Unzip File Size Up to 5MB Up to 5MB Up to 5MB VERSION 4 32 4 32 4 32 MODEL NAME ATP200 ATP500 ATP800 ...

Page 825: ...een tested and complies with the specifications for a Class B digital device pursuant to Part 15 of the FCC Rules These limits are designed to provide reasonable protection against harmful interference in a residential installation This device generates uses and can radiate radio frequency energy and if not installed and used according to the instructions may cause harmful interference to radio co...

Page 826: ...to rest on the power adaptor or cord and do NOT place the product where anyone can walk on the power adaptor or cord Please use the provided or designated connection cables power cables adaptors Connect it to the right supply voltage for example 110V AC in North America or 230V AC in Europe If the power adaptor or cord is damaged it might cause electrocution Remove it from the device and the power...

Page 827: ...roducto y o su batería deberán depositarse como basura separada de la doméstica Cuando este producto alcance el final de su vida útil llévelo a un punto limpio Cuando llegue el momento de desechar el producto la recogida por separado éste y o su batería ayudará a salvar los recursos naturales y a proteger la salud humana y medioambiental Le symbole ci dessous signifie que selon les réglementations...

Page 828: ... abnormal working conditions Note Repair or replacement as provided under this warranty is the exclusive remedy of the purchaser This warranty is in lieu of all other warranties express or implied including any implied warranty of merchantability or fitness for a particular use or purpose Zyxel shall in no event be held liable for indirect or consequential damages of any kind to the purchaser To o...

Page 829: ... 15 of the FCC Rules These limits are designed to provide reasonable protection against harmful interference when the equipment is operated in a commercial environment This equipment generates uses and can radiate radio frequency energy and if not installed and used in accordance with the instruction manual may cause harmful interference to radio communications Operation of this equipment in a res...

Page 830: ...ble collection point for the recycling of electrical and electronic device For detailed information about recycling of this product please contact your local city office your household waste disposal service or the store where you purchased the product Use ONLY power wires of the appropriate wire gauge for your device Connect it to a power supply of the correct voltage Fuse Warning Replace a fuse ...

Page 831: ...sous signifie que selon les réglementations locales votre produit et ou sa batterie doivent être éliminés séparément des ordures ménagères Lorsque ce produit atteint sa fin de vie amenez le à un centre de recyclage Au moment de la mise au rebut la collecte séparée de votre produit et ou de sa batterie aidera à économiser les ressources naturelles et protéger l environnement et la santé humaine Il ...

Page 832: ...nd will be solely at the discretion of Zyxel This warranty shall not apply if the product has been modified misused tampered with damaged by an act of God or subjected to abnormal working conditions Note Repair or replacement as provided under this warranty is the exclusive remedy of the purchaser This warranty is in lieu of all other warranties express or implied including any implied warranty of...

Page 833: ...591 logging in 442 multiple logins 592 see also users 582 Web Configurator 593 access users see also force user authentication policies account user 582 671 accounting server 638 Active Directory see AD active protocol 411 AH 411 and encapsulation 411 ESP 411 active sessions 109 124 ActiveX 519 AD 638 640 641 643 directory structure 640 Distinguished Name see DN password 643 port 643 645 search ti...

Page 834: ...32 signatures 530 virus 525 worm 525 anti spam 556 559 561 action for spam mails 560 black list 556 559 561 concurrent e mail sessions 168 DNSBL 557 559 e mail header buffer 557 e mail headers 557 general settings 558 identifying legitimate e mail 556 identifying spam 556 POP2 557 POP3 557 regular expressions 563 SMTP 557 status 169 white list 556 559 562 anti virus EICAR 527 e mail virus 531 poly...

Page 835: ...les 764 bandwidth egress 246 255 ingress 246 255 bandwidth limit troubleshooting 805 bandwidth management 496 maximize bandwidth usage 310 430 see also application patrol 496 troubleshooting 805 Base DN 640 Batch import 683 BGP 325 Bind DN 640 643 BitTorrent 541 black list 559 561 anti spam 556 Blaster 552 boot sector virus 531 bridge interfaces 206 270 and virtual interfaces of members 271 basic ...

Page 836: ... computer virus 525 see also virus concurrent e mail sessions 168 configuration information 777 configuration file troubleshooting 813 configuration files 762 at restart 765 backing up 764 downloading 766 793 downloading with FTP 730 editing 762 how applied 763 lastgood conf 765 767 managing 764 startup config conf 767 startup config bad conf 765 syntax 763 system default conf 767 uploading 768 up...

Page 837: ... device access troubleshooting 802 Device HA 675 device HA virtual router 677 device High Availability see Device HA 675 DHCP 296 690 and DNS servers 297 and domain name 690 and interfaces 297 pool 297 static DHCP 297 DHCP Unique IDentifier 210 DHCPv6 671 DHCP Unique IDentifier 210 DHCPv6 Request 671 diagnostics 777 Differentiated Services Code Point DSCP 544 Diffie Hellman key group 407 DiffServ ...

Page 838: ...rotocol 406 DES 406 encryption method 670 end of IP list 544 enforcing policies in IPSec 389 ESP 390 411 and transport mode 412 Ethernet interfaces 206 and OSPF 213 and RIP 213 and routing protocols 211 basic characteristics 206 virtual 229 exceptional services 444 extended authentication and VPN gateways 384 IKE SA 410 Extended Service Set IDentification 597 ext user troubleshooting 811 F false n...

Page 839: ...nd interfaces 345 and policy routes 341 342 and security policy 341 packet flow 341 troubleshooting 808 HTTPS 707 and certificates 707 authenticating clients 707 avoiding warning messages 717 example 716 vs HTTP 707 with Internet Explorer 716 with Netscape Navigator 716 hub and spoke VPN see VPN concentrator HyperText Transfer Protocol over Secure Socket Layer see HTTPS I ICMP 629 code 547 sequenc...

Page 840: ...ysical ports 206 and policy routes 306 and static routes 309 and VPN gateways 384 and zones 206 as DHCP relays 297 as DHCP servers 297 690 auxiliary see also auxiliary interfaces backup see trunks bandwidth management 293 294 296 bridge see also bridge interfaces cellular 206 DHCP clients 295 Ethernet see also Ethernet interfaces gateway 296 general characteristics 205 IP address 295 metric 296 MT...

Page 841: ... site 389 transport encapsulation 390 tunnel encapsulation 390 VPN gateway 384 IPSec SA active protocol 411 and security policy 809 and to ZyWALL security policy 809 authentication algorithms 406 407 destination NAT for inbound traffic 414 encapsulation 411 encryption algorithms 406 local policy 411 NAT for inbound traffic 413 NAT for outbound traffic 413 Perfect Forward Secrecy PFS 412 proposal 4...

Page 842: ...e 189 LED troubleshooting 802 legitimate e mail 556 level 4 inspection 497 level 7 inspection 496 licensing 179 Lightweight Directory Access Protocol see LDAP Link Layer Discovery Protocol LLDP 135 LLDP Link Layer Discovery Protocol 135 load balancing 195 287 algorithms 288 292 294 DNS inbound 371 least load first 288 round robin 289 see also trunks 287 session oriented 288 spillover 289 weighted ...

Page 843: ...rosoft Challenge Handshake Authentication Protocol 670 MSCHAP V2 Microsoft Challenge Handshake Authentication Protocol Version 2 670 MTU 246 255 multicast 603 multicast rate 603 mutation virus 531 My Certificates see also certificates 656 MyDoom 552 myZyXEL 24 accounts creating 25 N NAT 310 332 ALG see ALG and address objects 307 and address objects HOST 336 and ALG 346 348 and interfaces 336 and ...

Page 844: ...eas 313 and Ethernet interfaces 213 backbone 313 Not So Stubby Area NSSA 313 stub areas 313 types of 313 OSPF routers 314 area border ABR 314 autonomous system boundary ASBR 314 backbone BR 314 backup designated BDR 315 designated DR 315 internal IR 314 link state advertisements priority 315 types of 314 OTP One Time Password 639 outgoing bandwidth 246 255 P P2P Peer to peer 541 attacks 541 see al...

Page 845: ...t interfaces 210 and physical ports 210 port translation see NAT Post Office Protocol see POP 557 power off 801 PPP 298 troubleshooting 804 PPP interfaces subnet mask 295 PPPoE 298 and RADIUS 298 TCP port 1723 298 PPPoE PPTP interfaces 206 233 and ISP accounts 234 668 basic characteristics 206 gateway 234 subnet mask 234 PPTP 298 and GRE 298 as VPN 298 prefix delegation 209 problems 802 product re...

Page 846: ...3 redistribute 311 RIP 2 broadcasting methods 213 versions 213 vs OSPF 311 Rivest Shamir and Adleman public key algorithm RSA 659 round robin 289 routing troubleshooting 807 Routing Information Protocol see RIP routing protocols 310 and Ethernet interfaces 211 RSA 659 661 667 RSSI threshold 602 RTLS 200 RTP 352 see also ALG 352 S same IP 547 sandboxing 554 scan attacks 541 scanner types 532 schedu...

Page 847: ...session limits 476 491 session monitor L2TP VPN 158 sessions 124 sessions usage 109 SHA1 407 shell script troubleshooting 813 shell scripts 762 and users 596 downloading 775 editing 774 how applied 763 managing 774 syntax 763 uploading 776 Short Message Service 742 shutdown 801 signal quality 132 133 signature categories access control 540 backdoor Trojan 540 buffer overflow 541 DoS DDoS 541 IM 54...

Page 848: ...and LDAP 643 computer names 419 connection monitor 158 full tunnel mode 419 global setting 419 IP pool 419 network list 419 see also SSL VPN 415 troubleshooting 810 WINS 419 SSL policy add 417 edit 417 objects used 416 SSL VPN 415 access policy 415 full tunnel mode 415 network access mode 27 see also SSL 415 troubleshooting 810 stac compression 671 startup config conf 767 if errors 765 missing at ...

Page 849: ...curity policy 479 vs virtual interfaces 476 Triple Data Encryption Standard see 3DES trojan attacks 540 troubleshooting 777 802 admin user 811 anti virus 803 806 anti virus signatures update 803 application patrol 803 808 811 application patrol signatures update 803 bandwidth limit 805 bandwidth management 805 cellular 804 805 certificate 812 configuration file 813 connection resets 808 content fi...

Page 850: ...content filtering 505 and policy routes 305 431 435 and security policy 482 493 user name rules 585 user objects 582 671 user sessions see sessions user aware 447 users 582 671 access see also access users admin type 582 admin see also admin users and AAA servers 583 and authentication method objects 583 and content filtering 505 and LDAP 583 and policy routes 305 431 435 and RADIUS 583 and securi...

Page 851: ...o IPSec SA troubleshooting 810 VPN concentrator 401 advantages 401 and IPSec SA policy enforcement 403 disadvantages 401 VPN connections and address objects 384 and policy routes 306 809 VPN gateways and certificates 384 and extended authentication 384 and interfaces 384 and to ZyWALL security policy 809 VRPT Vantage Report 752 758 W wall mounting 67 warranty 828 832 note 828 832 Web attack 542 We...

Page 852: ...ooting 806 ZON Utility 744 zones 579 and FTP 731 and interfaces 579 and security policy 474 480 500 510 571 and SNMP 736 and SSH 726 and Telnet 729 and VPN 579 and WWW 711 extra zone traffic 580 inter zone traffic 580 intra zone traffic 580 types of traffic 579 ZyMesh 616 auto provision 616 bridge loops 617 hop 617 profile 618 Repeater 617 repeater 616 Root AP 617 root AP 616 security 619 SSID 619...