
 Chapter 18 IPSec VPN

ZyWALL 5/35/70 Series User’s Guide

371

These modes are illustrated below.

In tunnel mode, the ZyWALL uses the active protocol to encapsulate the entire IP packet. As a result, there are two IP headers:

• Outside header: The outside IP header contains the IP address of the ZyWALL or remote IPSec router, whichever is the destination.

• Inside header: The inside IP header contains the IP address of the computer behind the ZyWALL or remote IPSec router. The header for the active protocol (AH or ESP) appears between the IP headers.

In transport mode, the encapsulation depends on the active protocol. With AH, the ZyWALL 
includes part of the original IP header when it encapsulates the packet. With ESP, however, 
the ZyWALL does not include the IP header when it encapsulates the packet, so it is not 
possible to verify the integrity of the source IP address.
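The following model, added here and not part of the ZyXEL guide, shows why that last sentence holds: it computes a transport-mode ICV over the region AH covers (IP header with mutable fields zeroed, per RFC 4302) and over the region ESP covers (ESP header and payload only, per RFC 4303), then checks which in-transit changes each mode detects. Headers are dicts and the ICV is HMAC-SHA256; all keys, addresses and SPIs are constructed.

```python
"""What AH and ESP actually authenticate in transport mode (added example).

A simplified model, not a real AH/ESP implementation: headers are dicts,
the ICV is HMAC-SHA256 over a canonical byte string, and "AH" covers the
IP header with its mutable fields zeroed (RFC 4302), while "ESP" covers
only the ESP header and payload (RFC 4303).  All values are constructed.
"""
import hashlib
import hmac

SA_KEY = b"constructed-integrity-key"  # constructed; real keys come from IKE

# IP header fields that change in transit and are therefore excluded
# from the AH integrity check (RFC 4302 section 3.3.3.1).
MUTABLE_IP_FIELDS = ("ttl", "checksum", "dscp")


def encode_ip(ip, zero_mutable=False):
    """Canonical bytes of an IP header dict; optionally zero mutable fields."""
    fields = dict(ip)
    if zero_mutable:
        for name in MUTABLE_IP_FIELDS:
            fields[name] = 0
    return "|".join(f"{k}={fields[k]}" for k in sorted(fields)).encode()


def authenticated_bytes(mode, ip, sec, payload):
    """The region the ICV is computed over, by security protocol."""
    sec_bytes = f"proto={sec['proto']}|spi={sec['spi']}".encode()
    if mode == "AH":
        # AH: IP header (mutable fields zeroed) + AH header + payload.
        return encode_ip(ip, zero_mutable=True) + sec_bytes + payload
    if mode == "ESP":
        # ESP: ESP header + payload only.  The outer IP header is not covered.
        return sec_bytes + payload
    raise ValueError(f"unknown mode {mode!r}")


def protect(mode, ip, payload, key=SA_KEY):
    """Build a transport-mode packet: IP header, AH/ESP header, payload, ICV."""
    sec = {"proto": 51 if mode == "AH" else 50, "spi": 0x1001}  # constructed SPI
    region = authenticated_bytes(mode, ip, sec, payload)
    icv = hmac.new(key, region, hashlib.sha256).digest()
    return {"mode": mode, "ip": dict(ip), "sec": sec, "payload": payload, "icv": icv}


def verify(pkt, key=SA_KEY):
    """True if the receiver's ICV check passes for this packet."""
    region = authenticated_bytes(pkt["mode"], pkt["ip"], pkt["sec"], pkt["payload"])
    expected = hmac.new(key, region, hashlib.sha256).digest()
    return hmac.compare_digest(expected, pkt["icv"])


def modified(pkt, **ip_changes):
    """Copy of pkt with some IP header fields altered in transit."""
    out = dict(pkt)
    out["ip"] = {**pkt["ip"], **ip_changes}
    return out


ORIGINAL_IP = {"src": "192.168.1.10", "dst": "10.0.0.5", "proto": 6,
               "ttl": 64, "checksum": 0xBEEF, "dscp": 0}  # constructed


def integrity_matrix():
    """Does each mode detect a changed source address / a changed TTL?"""
    payload = b"TCP header + data (constructed)"
    results = {}
    for mode in ("AH", "ESP"):
        pkt = protect(mode, ORIGINAL_IP, payload)
        results[mode] = {
            "intact": verify(pkt),
            "src_changed_detected": not verify(modified(pkt, src="203.0.113.9")),
            "ttl_changed_detected": not verify(modified(pkt, ttl=63)),
        }
    return results


if __name__ == "__main__":
    for mode, r in integrity_matrix().items():
        print(mode, r)
```

AH flags the altered source address but, by design, not the altered TTL; ESP in transport mode flags neither, which is the integrity gap the paragraph describes.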

18.6.5 IPSec SA Proposal and Perfect Forward Secrecy

An IPSec SA proposal is similar to an IKE SA proposal (see Section 18.3.1 on page 355), except that you also have the choice whether or not the ZyWALL and remote IPSec router perform a new DH key exchange every time an IPSec SA is established. This is called Perfect Forward Secrecy (PFS).

If you enable PFS, the ZyWALL and remote IPSec router perform a DH key exchange every 
time an IPSec SA is established, changing the root key from which encryption keys are 
generated. As a result, if one encryption key is compromised, other encryption keys remain 
secure.

If you do not enable PFS, the ZyWALL and remote IPSec router use the same root key that 
was generated when the IKE SA was established to generate encryption keys.

The DH key exchange is time-consuming and may be unnecessary for data that does not 
require such security.
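To make the "root key" argument concrete, here is an added example (not from the ZyXEL guide) that models the RFC 2409 Quick Mode derivation: every IPSec SA key is prf(SKEYID_d, ...) over wire-visible values, and only with PFS does a fresh g^xy enter the computation. The DH modulus is a constructed toy (2**127 - 1) so it runs instantly, the prf is HMAC-SHA256, and the root key and nonces are constructed.

```python
"""IPSec SA key derivation with and without PFS (added example).

Models RFC 2409 Quick Mode keying: Phase 1 leaves both peers with a root
key SKEYID_d, and each IPSec SA then derives its KEYMAT as
    no PFS:    prf(SKEYID_d, protocol | SPI | Ni_b | Nr_b)
    with PFS:  prf(SKEYID_d, g^xy | protocol | SPI | Ni_b | Nr_b)
where g^xy is a fresh Diffie-Hellman result.  The DH modulus here is a
constructed toy (the Mersenne prime 2**127 - 1) so the example runs
instantly; it is far too small for real use, where the negotiated MODP
group applies.  The prf is HMAC-SHA256; all sample values are constructed.
"""
import hashlib
import hmac
import secrets
from dataclasses import dataclass
from typing import Optional

P = 2**127 - 1   # constructed toy DH modulus (Mersenne prime), NOT a real group
G = 5            # constructed generator for the toy group


@dataclass
class QuickModeTranscript:
    """Everything about one SA negotiation that is visible on the wire."""
    protocol: int              # 50 = ESP, 51 = AH
    spi: bytes
    ni: bytes                  # initiator nonce
    nr: bytes                  # responder nonce
    gx: Optional[int] = None   # KE payloads appear only when PFS is used
    gy: Optional[int] = None


def prf(key: bytes, data: bytes) -> bytes:
    return hmac.new(key, data, hashlib.sha256).digest()


def int_to_bytes(n: int) -> bytes:
    return n.to_bytes((n.bit_length() + 7) // 8, "big")


def keymat(skeyid_d: bytes, t: QuickModeTranscript, g_xy: Optional[int] = None) -> bytes:
    """KEYMAT for one SA; g_xy is supplied only when PFS was negotiated."""
    base = bytes([t.protocol]) + t.spi + t.ni + t.nr
    if g_xy is None:
        return prf(skeyid_d, base)
    return prf(skeyid_d, int_to_bytes(g_xy) + base)


def negotiate_sa(skeyid_d: bytes, pfs: bool):
    """Run Quick Mode between two peers; return (agreed KEYMAT, wire transcript)."""
    t = QuickModeTranscript(50, secrets.token_bytes(4),
                            secrets.token_bytes(16), secrets.token_bytes(16))
    if not pfs:
        return keymat(skeyid_d, t), t
    # PFS: fresh ephemeral exponents that never leave the peer that chose them.
    x = secrets.randbelow(P - 2) + 1
    y = secrets.randbelow(P - 2) + 1
    t.gx, t.gy = pow(G, x, P), pow(G, y, P)
    key_i = keymat(skeyid_d, t, pow(t.gy, x, P))   # initiator's view of g^xy
    key_r = keymat(skeyid_d, t, pow(t.gx, y, P))   # responder's view of g^xy
    assert key_i == key_r, "both DH views must agree"
    return key_i, t


def keys_derivable_from_root(skeyid_d: bytes, transcripts) -> list:
    """Audit: which SA keys are a pure function of the IKE root key plus
    wire-visible values?  Those are the keys a later compromise of SKEYID_d
    exposes retroactively.  None marks an SA whose key also needs a secret
    ephemeral exponent, i.e. one protected by PFS."""
    out = []
    for t in transcripts:
        out.append(keymat(skeyid_d, t) if t.gx is None else None)
    return out


def demo() -> dict:
    """Compare two SAs under the same IKE SA, one without PFS and one with."""
    skeyid_d = hashlib.sha256(b"constructed IKE phase 1 root key").digest()
    k_plain, t_plain = negotiate_sa(skeyid_d, pfs=False)
    k_pfs, t_pfs = negotiate_sa(skeyid_d, pfs=True)
    recovered = keys_derivable_from_root(skeyid_d, [t_plain, t_pfs])
    return {
        "no_pfs_key_exposed_by_root_compromise": recovered[0] == k_plain,
        "pfs_key_exposed_by_root_compromise": recovered[1] is not None,
        "keys_differ_per_sa": k_plain != k_pfs,
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The cost the guide mentions is the extra modular exponentiations in negotiate_sa on every SA rekey; the benefit is that keys_derivable_from_root returns None for every PFS-protected SA.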

Figure 212 VPN: Transport and Tunnel Mode Encapsulation

Original Packet: IP Header | TCP Header | Data
Transport Mode Packet: IP Header | AH/ESP Header | TCP Header | Data
Tunnel Mode Packet: IP Header | AH/ESP Header | IP Header | TCP Header | Data


Page 85: ...tor ZyWALL 5 35 70 Series User s Guide 85 A If you allocate all the root class s bandwidth to the bandwidth classes the default class still displays a budget of 2 kbps the minimum amount of bandwidth that can be assigned to a bandwidth class ...

Page 86: ...Chapter 2 Introducing the Web Configurator ZyWALL 5 35 70 Series User s Guide 86 ...

Page 87: ...owing summarizes the wizards you can select Internet Access Setup Click this link to open a wizard to set up an Internet connection for WAN1 on a ZyWALL with multiple WAN ports or the WAN port on a ZyWALL with a single WAN port VPN Setup Use VPN Setup to configure a VPN connection that uses a pre shared key If you want to set the rule to use a certificate please go to the VPN screens for configura...

Page 88: ...e Encapsulation field 3 2 1 1 Ethernet For ISPs such as Telstra that send UDP heartbeat packets to verify that the customer is still online please create a WAN to WAN ZyWALL firewall rule for those packets Contact your ISP to find the correct port number Choose Ethernet when the WAN port is used as a regular Ethernet Figure 19 ISP Parameters Ethernet Encapsulation The following table describes the...

Page 89: ...ct Static If the ISP assigned a fixed IP address The fields below are available only when you select Static My WAN IP Address Enter your WAN IP address in this field My WAN IP Subnet Mask Enter the IP subnet mask in this field Gateway IP Address Enter the gateway IP address in this field First DNS Server Second DNS Server Enter the DNS server s IP address es in the field s to the right Leave the f...

Page 90: ...word Type the password associated with the user name above Retype to Confirm Type your password again for confirmation Nailed Up Select Nailed Up if you do not want the connection to time out Idle Timeout Type the time in seconds that elapses before the router automatically disconnects from the PPPoE server The default time is 100 seconds WAN IP Address Assignment IP Address Assignment Select Dyna...

Page 91: ...ssword associated with the User Name above Retype to Confirm Type your password again for confirmation Nailed Up Select Nailed Up if you do not want the connection to time out Idle Timeout Type the time in seconds that elapses before the router automatically disconnects from the PPTP server PPTP Configuration My IP Address Type the static IP address assigned to you by your ISP My IP Subnet Mask Ty...

Page 92: ...izard Second Screen WAN IP Address Assignment IP Address Assignment Select Dynamic If your ISP did not assign you a fixed IP address This is the default selection Select Static If the ISP assigned a fixed IP address The fields below are available only when you select Static My WAN IP Address Enter your WAN IP address in this field First DNS Server Second DNS Server Enter the DNS server s IP addres...

Page 93: ...2 on page 92 the following screen displays Use this screen to register the ZyWALL with myZyXEL com You must register your ZyWALL before you can activate trial applications of services like content filtering anti spam anti virus and IDP If you want to activate a standard service with your iCard s PIN number license key use the REGISTRATION Service screen Figure 24 Internet Access Wizard Registratio...

Page 94: ...his option and configure the following fields to create an account and register your ZyWALL Existing myZyXEL com account If you already have an account at myZyXEL com select this option and enter your user name and password in the fields below to register your ZyWALL User Name Enter a user name for your myZyXEL com account The name should be from six to 20 alphanumeric characters and the underscor...

Page 95: ...ack to the Device Registration screen and check your settings Figure 27 Internet Access Wizard Registration Failed 3 2 5 Internet Access Wizard Service Activation If the ZyWALL has been registered the Device Registration screen is read only and the Service Activation screen appears indicating what trial applications are activated after you click Next Figure 28 Internet Access Wizard Registered Dev...

Page 96: ...lick VPN Setup in the Wizard Setup Welcome screen Figure 18 on page 87 to open the VPN configuration wizard The first screen displays as shown next Figure 30 VPN Wizard Gateway Setting The following table describes the labels in this screen Table 16 VPN Wizard Gateway Setting LABEL DESCRIPTION Gateway Policy Property Name Type up to 32 characters to identify this VPN gateway policy You may use any...

Page 97: ...face operation mode is set to Active Active the ZyWALL uses the IP address static or dynamic of the primary highest priority WAN interface to set up the VPN tunnel as long as the corresponding WAN1 or WAN2 connection is up If the corresponding WAN1 or WAN2 connection goes down the ZyWALL uses the IP address of the other WAN port If both WAN connections go down the ZyWALL uses the dial backup IP ad...

Page 98: ... to specify IP addresses on a network by their subnet mask Starting IP Address When the Local Network field is configured to Single enter a static IP address on the LAN behind your ZyWALL When the Local Network field is configured to Range IP enter the beginning static IP address in a range of computers on the LAN behind your ZyWALL When the Local Network field is configured to Subnet this is a st...

Page 99: ... a range of computers on the network behind the remote IPSec router When the Remote Network field is configured to Subnet enter a static IP address on the network behind the remote IPSec router Ending IP Address Subnet Mask When the Remote Network field is configured to Single this field is N A When the Remote Network field is configured to Range IP enter the end static IP address in a range of co...

Page 100: ...ered stronger than MD5 but is slower Select MD5 for minimal security and SHA 1 for maximum security Key Group You must choose a key group for phase 1 IKE setup DH1 default refers to Diffie Hellman Group 1 a 768 bit random number DH2 refers to Diffie Hellman Group 2 a 1024 bit 1Kb random number SA Life Time Seconds Define the length of time before an IKE SA automatically renegotiates in this field ...

Page 101: ...h sender and receiver must know the same secret key which can be used to encrypt and decrypt the message or to generate and verify a message authentication code The DES encryption algorithm uses a 56 bit key Triple DES 3DES is a variation on DES that uses a 168 bit key As a result 3DES is more secure than DES It also requires more processing power resulting in increased latency and decreased throu...

Page 102: ... Forward Secret PFS Perfect Forward Secret PFS is disabled None by default in phase 2 IPSec SA setup This allows faster IPSec setup but is not so secure Select DH1 or DH2 to enable PFS DH1 refers to Diffie Hellman Group 1 a 768 bit random number DH2 refers to Diffie Hellman Group 2 a 1024 bit 1Kb random number more secure yet slower Back Click Back to return to the previous screen Next Click Next ...

Page 103: ... mask on the LAN behind your ZyWALL Remote Network Starting IP Address This is a static IP address on the network behind the remote IPSec router Ending IP Address Subnet Mask When the remote network is configured for a single IP address this field is N A When the remote network is configured for a range IP address this is the end static IP address in a range of computers on the network behind the ...

Page 104: ...nable anti spam IPSec Protocol ESP or AH are the security protocols used for an SA Encryption Algorithm This is the method of data encryption Options can be DES 3DES AES or NULL Authentication Algorithm MD5 Message Digest 5 and SHA1 Secure Hash Algorithm are hash algorithms used to authenticate packet data SA Life Time Seconds This is the length of time before an IKE SA automatically renegotiates ...

Page 105: ...L Select WLAN if you have an e mail server s connected to the ZyWALL s WLAN Select WAN 1 if you have an e mail server s connected to the ZyWALL s WAN 1 Select LAN if you have an e mail server s connected to the ZyWALL s LAN Select WAN 2 if you have an e mail server s connected to the ZyWALL s WAN Select DMZ if you have an e mail server s connected to the ZyWALL s DMZ Internet These are the network...

Page 106: ...ocal users from the outside e mail server For e mail servers located at the other end of a VPN tunnel the ZyWALL recommends checking traffic that comes from the VPN to the LAN DMZ and WLAN zones This is to check for spam coming to the ZyWALL s local users from the e mail server at the VPN peer If you have your e mail server at the WAN zone the ZyWALL recommends having anti spam functionality insta...

Page 107: ...the same subnet From WAN1 To WAN1 means packets that come in through the WAN 1 interface and the ZyWALL routes back out through the WAN 1 interface From VPN means traffic that came into the ZyWALL through a VPN tunnel and is going to the selected to interface For example From VPN To LAN specifies the VPN traffic that is going to the LAN or terminating at the ZyWALL s LAN interface The ZyWALL check...

Page 108: ... that the anti spam feature checks for spam This does not enable the anti spam feature See Section 15 1 on page 307 to use the SECURITY ANTI SPAM screens to enable anti spam Figure 39 Anti Spam Wizard Setup Complete Back Click Back to return to the previous screen Next Click Next to continue Table 22 Anti Spam Wizard Direction Configuration LABEL DESCRIPTION ...

Page 109: ...ly assigned WAN IP addresses represented by 0 0 0 0 so only ZyWALL B can initiate trigger the VPN tunnel ZyWALL B automatically initiates a VPN tunnel to ZyWALL A whenever Y tries to connect to an IP address from 10 0 0 2 to 10 0 0 64 and passes the identification authentication Figure 40 Dynamic VPN Rule Example This example uses the following settings Table 23 Dynamic VPN Rule Tutorial Settings ...

Page 110: ...1234 3 Click Apply 4 1 2 VPN Gateway and Network Policy Configuration This section covers how to configure the company s ZyWALL A and the telecommuter s ZyWALL B Local Network network behind the local ZyWALL Note Use static IP addresses or static DHCP to make sure the computers behind the ZyWALLs always use these IP addresses 10 0 0 2 10 0 0 64 192 168 167 2 Remote Network network behind the peer ...

Page 111: ...nfigure the VPN gateway policy that identifies the ZyWALLs The company s ZyWALL A and the telecommuter s ZyWALL B gateway policy edit screens are shown next The information that identifies the ZyWALL 70 A is circled in red The information that identifies the ZyWALL P1 B is circled in yellow Information that is the same in both is circled in orange Extended authentication settings are in green ...

Page 112: ...igure 41 VPN Gateway Policy Edit Screens 2 After you click Apply the A B_Gateways gateway policy displays as shown next Click SECURITY VPN and the A B_Gateways add network policy icon The following figure shows ZyWALL A s screen Remote Device B Company Device A ...

Page 113: ...cy identifies the devices behind the IPSec routers at either end of a VPN tunnel and specifies the authentication encryption and other settings needed to negotiate a phase 2 IPSec SA Here are the company s ZyWALL A and the telecommuter s ZyWALL B network policy edit screens The information that identifies network X is circled in red The information that identifies network Y is circled in yellow ...

Page 114: ...Chapter 4 Tutorials ZyWALL 5 35 70 Series User s Guide 114 Figure 43 VPN Network Policy Edit Screens Company Device A Telecommuter Device B ...

Page 115: ...works in the Activating VPN Rule field to activate the VPN rule The color of X Y_Networks VPN policy changes to pink Figure 44 Activate VPN Rule ZyWALL B 6 Review the settings on both ZyWALLs as shown next The information that identifies the ZyWALL 70 A and network X is circled in red The information that identifies the ZyWALL P1 B and network Y is circled in yellow ...

Page 116: ...ZyWALL P1 s zero configuration mode provides a simplified user mode for the web configurator interface The user uses this interface to configure the ZyWALL s Internet access settings and log into the VPN tunnel see Section 4 1 4 on page 117 Do the following to have the telecommuter s ZyWALL B use zero configuration mode 1 Log into ZyWALL B s web configurator 2 Go to MAINTENANCE and click the Devic...

Page 117: ...nnect ZyWALL B to the Internet Make sure it gets a public WAN IP You may have to take ZyWALL B to another location if it cannot get a public IP address at the company 2 Configure one computer to use IP address 192 168 167 2 24 behind ZyWALL B Use ipconfig in the command mode to ensure the IP address is properly configured Figure 46 Check The Telecommuter s Computer IP Address C ipconfig Windows 20...

Page 118: ... a computer on network X Here is an example Figure 47 Telecommuter Pinging a Network X IP Address Example If there is no reply to the ping the system log can help identify a configuration problem Click LOGS to see the system log See Section 31 3 1 on page 553 for information on the log messages You may need to click LOGS Log Settings in the advanced web configurator and make sure IKE and IPSec log...

Page 119: ...IPSec router in ZyWALL A s local user database or on a RADIUS server that ZyWALL A is configured to use Configure a gateway policy on each remote IPSec router Use the same MyZyWALL and Primary Remote Gateway address and Pre Shared Key settings on all of the remote IPSec routers but a different user name and password for each Configure a different network policy for each remote IPSec router Make su...

Page 120: ...ction of travel The following examples show how you do this for IDP and the firewall 4 2 1 IDP for From VPN Traffic Example You can apply security settings to the From VPN packet direction to protect your network from attacks intrusions viruses and spam that may come in through a VPN tunnel For example you can use IDP to protect your LAN from intrusions that might come in through any of the VPN tu...

Page 121: ...ly security settings to the To VPN packet direction to protect the remote networks from attacks intrusions viruses and spam originating from your own network For example you can use IDP to protect the remote networks from intrusions that might come in through your ZyWALL s VPN tunnels Figure 51 IDP for To VPN Traffic Here is how you would configure this example ...

Page 122: ...s for VPN packets Take the following example You have a LAN FTP server with IP address 192 168 1 4 behind device A You could configure a VPN rule to allow the network behind device B to access your LAN FTP server through a VPN tunnel Now if you don t want other services like chat or e mail going to the FTP server you can configure firewall rules that allow only FTP traffic to come from VPN tunnels...

Page 123: ...device A to let the network behind B access the FTP server You would also have to configure a corresponding rule on device B 1 Click Security VPN to open the following screen Click the Add Gateway Policy icon Figure 54 SECURITY VPN VPN Rules IKE 2 Use this screen to set up the connection between the routers Configure the fields that are circled as follows and click Apply ...

Page 124: ...Chapter 4 Tutorials ZyWALL 5 35 70 Series User s Guide 124 Figure 55 SECURITY VPN VPN Rules IKE Add Gateway Policy 3 Click the Add Network Policy icon ...

Page 125: ...xample does not specify the port numbers This is due to the following reasons While FTP uses a control session on port 20 the port for the data session is not fixed So this example uses the firewall s FTP application layer gateway ALG to handle this instead of specifying port numbers in this VPN network policy The firewall provides better security because it operates at layer 4 and checks traffic ...

Page 126: ...Chapter 4 Tutorials ZyWALL 5 35 70 Series User s Guide 126 Figure 57 SECURITY VPN VPN Rules IKE Add Network Policy ...

Page 127: ...ions show how to configure firewall rules to enforce these restrictions 4 3 2 1 Firewall Rule to Allow Access Example Configure a firewall rule that allows FTP access from the VPN tunnel to the FTP server 1 Click Security Firewall Rule Summary 2 Select VPN To LAN as the packet direction and click Refresh 3 Click the insert icon at the top of the Modify column Figure 58 SECURITY FIREWALL Rule Summa...

Page 128: ...Chapter 4 Tutorials ZyWALL 5 35 70 Series User s Guide 128 Figure 59 SECURITY FIREWALL Rule Summary Edit Allow 5 The rule displays in the summary list of VPN to LAN firewall rules ...

Page 129: ...ple Now you configure the default firewall rule to block all VPN to LAN traffic This blocks any other types of access from VPN tunnels to the LAN FTP server This means that you need to configure more firewall rules if you want to allow any other VPN tunnels to access the LAN 1 Click SECURITY FIREWALL Default Rule 2 Configure the screen as follows and click Apply ...

Page 130: ...yWALL In this example you have set up WAN 1 and want the ZyWALL to use both of the WAN interfaces the physical WAN port and 3G card for Internet access at the same time 4 4 1 Inserting a 3G Card To enable and use the 3G WAN connection you need to insert a 3G card into the ZyWALL See Table 272 on page 761 for the 3G wireless cards you can use in the ZyWALL 5 1 Make sure the ZyWALL is off before ins...

Page 131: ...er the APN Internet for example provided by your service provider 4 If your service provider gave you a user name and password select CHAP PAP in the Authentication Type field and enter the user name and password in the fields below If they were not given set the authentication type to None 5 The Pin Code field displays with a GSM or HSDPA 3G card Enter the PIN code and phone number provided by yo...

Page 132: ...nal strength to the service provider s base station is not too low and can connect to a network Figure 63 Tutorial Home 4 5 Configuring Load Balancing In this example you have set up WAN 1 and WAN 2 and you want the ZyWALL to use both of the WAN interfaces at the same time You also balance the load between the two WAN interfaces using the weighted round robin method 1 Click NETWORK WAN General 2 S...

Page 133: ...ffic from Bob s computer The ordering of your policies is very important as the ZyWALL applies policies in the order they are listed The ZyWALL applies the content filter policies based on the source address and the schedule So for this example when the ZyWALL receives a request from the LAN for a web page it checks the request against the first policy If the traffic matches that is if it is from ...

Page 134: ...rnal content filtering service 1 Click SECURITY CONTENT FILTER 2 Enable the content filter and external database content filtering 3 Click Apply Figure 65 SECURITY CONTENT FILTER General 4 6 2 Block Categories of Web Content Here is how to block access to web pages by category of content 1 Click SECURITY CONTENT FILTER Policy and then the external database icon next to the default policy ...

Page 135: ...rials ZyWALL 5 35 70 Series User s Guide 135 Figure 66 SECURITY CONTENT FILTER Policy 2 Select Active 3 Select the categories to block 4 Click Apply Figure 67 SECURITY CONTENT FILTER Policy External Database Default ...

Page 136: ... Bob s computer and select the Reserve check box as shown next 3 Click Apply Figure 68 HOME Show DHCP Table 4 6 4 Create a Content Filter Policy for Bob Do the following to create a content filtering policy for traffic from Bob s computer 1 Click SECURITY CONTENT FILTER Policy and then the Insert button The ZyWALL applies the content filter policies in order so make sure you add the new policy bef...

Page 137: ...ut only during lunch So you configure a schedule to only apply the Bob policy from 12 00 to 13 00 For the rest of the time the ZyWALL applies the default content filter policy which blocks access to arts and entertainment web pages 1 Click SECURITY CONTENT FILTER Policy and then the Bob policy s schedule icon Figure 71 SECURITY CONTENT FILTER Policy 2 Select Everyday and enter 12 00 to 13 00 3 Cli...

Page 138: ...FILTER Policy Schedule Bob 4 6 6 Block Categories of Web Content for Bob Now you select the categories of web pages to block Bob from accessing 1 Click SECURITY CONTENT FILTER Policy and then the Bob policy s external database icon Figure 73 SECURITY CONTENT FILTER Policy 2 Select Active ...

Page 139: ...es User s Guide 139 3 Select the categories to block This is very similar to Section 4 6 2 on page 134 except you do not select the arts and entertainment category 4 Click Apply Figure 74 SECURITY CONTENT FILTER Policy External Database Bob ...

Page 140: ...Chapter 4 Tutorials ZyWALL 5 35 70 Series User s Guide 140 ...

Page 141: ...ALL 5 1 1 Subscription Services Available on the ZyWALL At the time of writing the ZyWALL can use content filtering anti spam anti virus and IDP Intrusion Detection and Prevention subscription services Content filtering allows or blocks access to web sites Subscribe to category based content filtering to block access to categories of web sites based on content Your ZyWALL accesses an external data...

Page 142: ... com See the chapters about content filtering anti virus anti spam and IDP for more information To update the signature file or use a subscription service you have to register and activate the corresponding service at myZyXEL com through the ZyWALL 5 2 Registration Click REGISTRATION in the navigation panel to open the screen as shown next Use this screen to register your ZyWALL with myZyXEL com a...

Page 143: ...d the underscore Spaces are not allowed Check Click this button to check with the myZyXEL com database to verify the user name you entered has not been used Password Enter a password of between six and 20 alphanumeric characters and the underscore Spaces are not allowed Confirm Password Enter the password again for confirmation E Mail Address Enter your e mail address You can use up to 80 alphanum...

Page 144: ...and enter your iCard s PIN number license key Click REGISTRATION Service to open the screen as shown next If you restore the ZyWALL to the default configuration file or upload a different configuration file after you register click the Service License Refresh button to update license information IDP AV 3 month Trial Select the check box to activate a trial The trial period starts the day you activ...

Page 145: ...plays whether you applied for a trial application Trial or registered a service with your iCard s PIN number Standard Expiration Day This field displays the date your service expires License Upgrade License Key Enter your iCard s PIN number and click Update to activate or extend a standard service subscription If a standard service subscription runs out you need to buy a new iCard specific to your...

Page 146: ...Chapter 5 Registration ZyWALL 5 35 70 Series User s Guide 146 ...

Page 147: ...147 PART II Network LAN Screens 149 Bridge Screens 161 WAN Screens 167 DMZ Screens 203 WLAN 213 ...

Page 148: ...148 ...

Page 149: ... networking devices in your home or office that you connect to the ZyWALL s LAN ports The Wide Area Network WAN is another network most likely the Internet that you connect to the ZyWALL s WAN port See Chapter 8 on page 167 for how to use the WAN screens to set up your WAN connection The LAN and the WAN are two separate networks The ZyWALL controls the traffic that goes between them The following ...

Page 150: ...no other device on your network is using that IP address The subnet mask specifies the network number portion of an IP address Your ZyWALL will compute the subnet mask automatically based on the IP address that you entered You don t need to change the subnet mask computed by the ZyWALL unless you are instructed to do otherwise 6 2 1 Private IP Addresses Every machine on the Internet must have a un...

Page 151: ...od of the RIP packets that the ZyWALL sends it recognizes both formats when receiving RIP 1 is universally supported but RIP 2 carries more information RIP 1 is probably adequate for most networks unless you have an unusual network topology Both RIP 2B and RIP 2M send routing data in RIP 2 format the difference being that RIP 2B uses subnet broadcasting while RIP 2M uses multicasting Multicasting ...

Page 152: ...AN Select None to disable IP multicasting on these interfaces 6 6 WINS WINS Windows Internet Naming Service is a Windows implementation of NetBIOS Name Server NBNS on Windows It keeps track of NetBIOS computer names It stores a mapping table of your network s computer names and IP addresses The table is dynamically updated for IP addresses assigned by DHCP This helps reduce broadcast traffic since...

Page 153: ...ulates the subnet mask based on the IP address that you assign Unless you are implementing subnetting use the subnet mask computed by the ZyWALL RIP Direction RIP Routing Information Protocol RFC1058 and RFC 1389 allows a router to exchange routing information with other routers The RIP Direction field controls the sending and receiving of RIP packets Select the RIP direction from Both In Only Out...

Page 154: ...er fill in the IP Pool Starting Address and Pool Size fields Select Relay to have the ZyWALL forward DHCP requests to another DHCP server When set to Relay fill in the DHCP Server Address field Select None to stop the ZyWALL from acting as a DHCP server When you select None you must have another DHCP server on your LAN or else the computers must be manually configured IP Pool Starting Address This...

Page 155: ...ewall rule that forwards NetBIOS traffic Clear this check box to block all NetBIOS packets going from the LAN to WAN 2 and from WAN 2 to the LAN Allow between LAN and DMZ Select this check box to forward NetBIOS packets from the LAN to the DMZ and from the DMZ to the LAN If your firewall is enabled with the default policy set to block DMZ to LAN traffic you also need to enable the default DMZ to L...

Page 156: ...e Ethernet interface Table 27 NETWORK LAN Static DHCP LABEL DESCRIPTION This is the index number of the static IP table entry row MAC Address Type the MAC address of a computer on your LAN IP Address Type the IP address that you want to assign to the computer on your LAN Alternatively click the right mouse button to copy and or paste the IP address Apply Click Apply to save your changes back to th...

Page 157: ...ical LAN Ethernet interface The ZyWALL itself is the gateway for each of the logical LAN networks When you use IP alias you can also configure firewall rules to control access between the LAN s logical networks subnets Make sure that the subnets of the logical networks do not overlap The following figure shows a LAN divided into subnets A B and C Figure 81 Physical Network Partitioned Logical Netw...

Page 158: ...subnetting use the subnet mask computed by the ZyWALL RIP Direction RIP Routing Information Protocol RFC 1058 and RFC 1389 allows a router to exchange routing information with other routers The RIP Direction field controls the sending and receiving of RIP packets Select the RIP direction from Both In Only Out Only None When set to Both or Out Only the ZyWALL will broadcast its routing table period...

Page 159: ...ait for few seconds until the following screen appears Click Return to go back to the Port Roles screen Figure 84 Port Roles Change Complete Table 29 NETWORK LAN Port Roles LABEL DESCRIPTION LAN Select a port s LAN radio button to use the port as part of the LAN The port will use the ZyWALL s LAN IP address and MAC address DMZ Select a port s DMZ radio button to use the port as part of the DMZ The...

Page 160: ...Chapter 6 LAN Screens ZyWALL 5 35 70 Series User s Guide 160 ...

Page 161: ...st traffic to circle the network endlessly resulting in possible throughput degradation and disruption of communications The following example shows the network topology that can lead to this problem If your ZyWALL in bridge mode is connected to a wired LAN while communicating with another bridge or a switch that is also connected to the same wired LAN as shown next Figure 85 Bridge Loop Bridge Co...

Page 162: ...he next table On each bridge the root port is the port through which this bridge communicates with the root It is the port on this switch with the lowest path cost to the root the root path cost If there is no root port then this bridge has been accepted as the root bridge of the spanning tree network For each LAN segment a designated bridge is selected This bridge has the lowest cost to the root ...

Page 163: ...ANCE Device Mode screen to have the ZyWALL function as a bridge In bridge mode the ZyWALL functions as a transparent firewall also known as a bridge firewall The ZyWALL bridges traffic traveling between the ZyWALL s interfaces and still filters and inspects packets You do not need to change the configuration of your existing network You can use the firewall and VPN in bridge mode Click NETWORK BRI...

Page 164: ...y IP Address Enter the gateway IP address First Second Third DNS Server DNS Domain Name System is for mapping a domain name to its corresponding IP address and vice versa The DNS server is extremely important because without it you must know the IP address of a machine before you can access it The ZyWALL uses a system DNS server in the order you specify here to resolve domain names for content fil...

Page 165: ...ple devices have the lowest priority the device with the lowest MAC address becomes the root The lower the numeric value you assign the higher the priority for this bridge Bridge Priority determines the root bridge which in turn determines Hello Time Max Age and Forward Delay Bridge Hello Time Enter an interval between 1 and 10 in seconds that the root bridge waits before sending a hello packet Br...

Page 166: ...ars Click Return to go back to the Port Roles screen Figure 88 Port Roles Change Complete Table 33 NETWORK Bridge Port Roles LABEL DESCRIPTION LAN Select a port s LAN radio button to use the port as part of the LAN DMZ Select a port s DMZ radio button to use the port as part of the DMZ WLAN Select a port s WLAN radio button to use the port as part of the WLAN Apply Click Apply to save your changes...

Page 167: ...L 5 is in router mode, you can optionally insert a 3G card to add a second WAN interface. The ZyWALL can balance the load between the two WAN interfaces (see Section 8.3 on page 168). You can use policy routing to specify the WAN interface that specific services go through. An ISP may give traffic from certain (more expensive) connections priority over the traffic from other accounts. You could route delay...

Page 168: ...nterface the traffic for a session (footnote 1) from the LAN uses. The following sections describe each load balancing method. The available bandwidth you configure on the ZyWALL refers to the actual bandwidth provided by the ISP, and the measured bandwidth refers to the bandwidth an interface is currently using. 8.4.1 Least Load First: The least load first algorithm uses the current or recent outbound and/or inbo...

Page 169: ...1. 8.4.2 Weighted Round Robin: Round Robin routes traffic on a rotating basis and is activated only when a WAN interface has more traffic than the configured available bandwidth. On the ZyWALL with two WAN interfaces, an amount of traffic is sent through the first interface. The second interface is also given an equal amount of traffic, and then the same amount of traffic is sent through the first inte...

Page 170: ...um allowable load is reached, then the ZyWALL sends the excess network traffic of new sessions to the secondary WAN interface. Configure the Route Priority metrics in the WAN General screen to determine the primary and secondary WANs. In cases where the primary WAN interface uses an unlimited access Internet connection and the secondary WAN uses a per-use timed access plan, the ZyWALL will only use th...

Page 171: ...ple. Figure 92: Incorrect WAN IP. 1. LAN user A wants to download a file from a remote server on the Internet. The ZyWALL is using active/active load balancing and sends the request to an update server (B) through WAN 1. 2. Update server B sends a file list to LAN user A. The download address of the desired file is a file server (C). At the same time, update server B informs file server C that a computer locate...

Page 172: ...ve/passive, meaning the ZyWALL uses the second highest priority WAN interface as a backup. The WAN 1 route has a metric of 2, the WAN 2 route has a metric of 3, the traffic redirect route has a metric of 14 and the dial backup route has a metric of 15. In this case the WAN 1 route acts as the primary default route. If the WAN 1 route fails to connect to the Internet, the ZyWALL tries the WAN 2 route nex...

Page 173: Chapter 8 WAN Screens, ZyWALL 5/35/70 Series User's Guide, page 173. Figure 93: NETWORK > WAN > General.

Page 174: ...cal computer's traffic through the same WAN interface for the period of time that you specify (1 to 600 seconds). This is useful when a redirect server forwards a local user's request for a file and informs the file server that a particular WAN IP address is requesting the file. If the user's subsequent sessions came from a different WAN IP address, the file server would deny the request. This field is...
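Pages 168 to 170 describe the three balancing methods in prose, and pages 171 and 174 explain why a client must be kept on one WAN for a while. The Python below is an added example (not ZyXEL or ZyNOS code) of all four pieces over two constructed interfaces with made-up bandwidth figures in kbps. The manual gives no formula for the Outbound + Inbound index, so combining the two directions' totals is an assumption of this example, as is the simple repeating pattern used for the weighted rotation.

```python
"""Least load first, weighted round robin and spillover (pages 168-170), plus the
per-client "same WAN for N seconds" stickiness from page 174. Added example, not
ZyNOS code; the interface figures are constructed, in kbps."""
from dataclasses import dataclass
from itertools import cycle, islice

@dataclass
class Wan:
    name: str
    metric: int         # route priority from the WAN General screen; lower is preferred
    available_out: int  # bandwidth the ISP actually provides (configured)
    available_in: int
    measured_out: int   # bandwidth the interface is using right now (measured)
    measured_in: int

def load_index(w, direction="outbound"):
    """Share of available bandwidth in use. For "both" the manual gives no formula;
    this example (assumption) combines the two directions' totals."""
    if direction == "outbound":
        return w.measured_out / w.available_out
    if direction == "inbound":
        return w.measured_in / w.available_in
    return (w.measured_out + w.measured_in) / (w.available_out + w.available_in)

def least_load_first(wans, direction="outbound"):
    return min(wans, key=lambda w: load_index(w, direction)).name

def weighted_round_robin(wans, ratios, n_sessions):
    """Rotate through the interfaces in proportion to their ratios; ratio 0 takes an
    interface out of the rotation entirely (page 178)."""
    order = [w.name for w in wans for _ in range(ratios.get(w.name, 0))]
    return list(islice(cycle(order), n_sessions))

def spillover(wans, max_load, new_session, direction="outbound"):
    """Send everything to the lowest-metric WAN until its load would pass max_load,
    then send new sessions to the second WAN."""
    primary, secondary = sorted(wans, key=lambda w: w.metric)[:2]
    used = primary.measured_out if direction == "outbound" else primary.measured_in
    return primary.name if used + new_session <= max_load else secondary.name

class StickyTable:
    """Keep a client on the WAN it first used for `timeout` seconds, so a redirect
    server and a file server see the same source address (the page 171 problem)."""
    def __init__(self, timeout):
        self.timeout = timeout
        self.table = {}          # client IP -> (wan name, last seen)

    def choose(self, client_ip, now, pick):
        entry = self.table.get(client_ip)
        if entry and now - entry[1] <= self.timeout:
            self.table[client_ip] = (entry[0], now)
            return entry[0]
        wan = pick()             # pick() is one of the balancers above
        self.table[client_ip] = (wan, now)
        return wan

WANS = [   # constructed figures
    Wan("WAN 1", metric=2, available_out=1000, available_in=1000, measured_out=600, measured_in=100),
    Wan("WAN 2", metric=3, available_out=500, available_in=500, measured_out=200, measured_in=100),
]

if __name__ == "__main__":
    print("least load first:", least_load_first(WANS), least_load_first(WANS, "inbound"))
    print("weighted round robin:", weighted_round_robin(WANS, {"WAN 1": 3, "WAN 2": 1}, 8))
    print("spillover:", spillover(WANS, max_load=800, new_session=100),
          spillover(WANS, max_load=800, new_session=300))
```

Note that least load first compares ratios, not absolute traffic: WAN 1 is carrying three times the bytes of WAN 2 but is the busier one only in proportion to what its ISP provides, which is why the configured available bandwidth must match the real line speed.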

Page 175: ...ckets from WAN 1 to the LAN port and from the LAN port to WAN 1. If your firewall is enabled with the default policy set to block WAN 1 to LAN traffic, you also need to enable the default WAN 1 to LAN firewall rule that forwards NetBIOS traffic. Clear this check box to block all NetBIOS packets going from WAN 1 to the LAN port and from the LAN port to WAN 1. Leave it cleared unless a specific remote site needs it: forwarding NetBIOS from the WAN exposes the LAN's Windows name and file services to the Internet. Allow between WAN1 and DMZ: Select this check box t...

Page 176: ...t Least Load First in the Load Balancing Algorithm field. Figure 94: Load Balancing: Least Load First. The following table describes the related fields in this screen. Allow Trigger Dial: Select this option to allow NetBIOS packets to initiate calls. Apply: Click Apply to save your changes back to the ZyWALL. Reset: Click Reset to begin configuring this screen afresh. Table 36: NETWORK > WAN > General (continued), L...

Page 177: ...ad Balancing Index(es): Specify the direction of the traffic utilization you want the ZyWALL to use in calculating the load balancing index. Select Outbound Only, Inbound Only or Outbound + Inbound. Interface: This field displays the name of the WAN interface (WAN 1 and WAN 2). Available Inbound Bandwidth: This field is applicable when you select Outbound + Inbound or Inbound Only in the Load Balancing Index(es...

Page 178: ...address, the file server would deny the request. Interface: This field displays the name of the WAN interface (WAN 1 and WAN 2). Ratio: Specify the weight for the interface. Enter 0 to set the ZyWALL not to send traffic load to the interface. The higher the number (the bigger the weight), the more traffic sent. Table 38: Load Balancing: Weighted Round Robin (continued), LABEL / DESCRIPTION. Table 39: Load Balancing: Spi...

Page 179: ...ess assignment, please refer to RFC 1597 (Address Allocation for Private Internets, since replaced by RFC 1918) and RFC 1466 (Guidelines for Management of IP Address Space). 8.10 DNS Server Address Assignment: Use DNS (Domain Name System) to map a domain name to its corresponding IP address and vice versa; for instance, the IP address of www.zyxel.com is 204.217.0.2. The DNS server is extremely important because without it you must know...

Page 180: ...f hexadecimal characters, for example 00:A0:C5:00:00:02. You can configure the WAN port's MAC address by either using the factory default or cloning the MAC address from a computer on your LAN. Once it is successfully configured, the address will be copied to the rom file (ZyNOS configuration file). It will not change unless you change the setting or upload a different rom file. 8.12 WAN: To change your Zy...

Page 181: ...en the WAN port is used as a regular Ethernet. Service Type: Choose from Standard, Telstra (RoadRunner Telstra authentication method), RR Manager (Roadrunner Manager authentication method), RR Toshiba (Roadrunner Toshiba authentication method) or Telia Login. The following fields do not appear with the Standard service type. User Name: Type the user name given to you by your ISP. Password: Type the password assoc...

Page 182: ...nable NAT. RIP Direction: RIP (Routing Information Protocol) allows a router to exchange routing information with other routers. The RIP Direction field controls the sending and receiving of RIP packets. Accepting RIP on the WAN means trusting route announcements from anyone on that segment, so leave it at None there unless your ISP requires it. Choose Both, None, In Only or Out Only. When set to Both or Out Only, the ZyWALL will broadcast its routing table periodically. When set to Both or In Only, the ZyWALL will incorporate RIP information that it...

Page 183: ...or IGMP-V2. IGMP (Internet Group Management Protocol) is a network-layer protocol used to establish membership in a multicast group; it is not used to carry user data. IGMP version 2 (RFC 2236) is an improvement over version 1 (RFC 1112), but IGMP version 1 is still in wide use. If you would like to read more detailed information about interoperability between IGMP version 2 and version 1, please see section...

Page 184: ...ser Name: Type the user name given to you by your ISP. Password: Type the password associated with the user name above. Retype to Confirm: Type your password again to make sure that you have entered it correctly. Authentication Type: The ZyWALL supports PAP (Password Authentication Protocol) and CHAP (Challenge Handshake Authentication Protocol). CHAP is more secure than PAP (PAP sends the password in the clear, CHAP sends only an MD5 response to a challenge); however, PAP is readily available o...

Page 185: ...nd any RIP packets and will ignore any RIP packets received. By default, RIP Direction is set to Both. RIP Version: The RIP Version field controls the format and the broadcasting method of the RIP packets that the ZyWALL sends (it recognizes both formats when receiving). Choose RIP-1, RIP-2B or RIP-2M. RIP-1 is universally supported but RIP-2 carries more information. RIP-1 is probably adequate for most net...

Page 186: ...your LAN. By default, the ZyWALL uses the factory assigned MAC address to identify itself on the WAN. Otherwise, select this option and enter the IP address of the computer on the LAN whose MAC you are cloning. Once it is successfully configured, the address will be copied to the rom file (ZyNOS configuration file). It will not change unless you change the setting or upload a different ROM file. Clone the c...

Page 187: ...lation: Set the encapsulation method to PPTP. The ZyWALL supports only one PPTP server connection at any given time. To configure a PPTP client, you must configure the User Name and Password fields for a PPP connection and the PPTP parameters for a PPTP connection. User Name: Type the user name given to you by your ISP. Password: Type the password associated with the user name above. Retype to Confirm: Type...

Page 188: ...ss Assignment. Get automatically from ISP: Select this option if your ISP did not assign you a fixed IP address. This is the default selection. Use Fixed IP Address: Select this option if the ISP assigned a fixed IP address. My WAN IP Address: Enter your WAN IP address in this field if you selected Use Fixed IP Address. Advanced Setup. Enable NAT (Network Address Translation): Network Address Translation (NAT)...

Page 189: ...bership in a multicast group; it is not used to carry user data. Multicast Version: Choose None (default), IGMP-V1 or IGMP-V2. IGMP (Internet Group Management Protocol) is a network-layer protocol used to establish membership in a multicast group; it is not used to carry user data. IGMP version 2 (RFC 2236) is an improvement over version 1 (RFC 1112), but IGMP version 1 is still in wide use. If you would like to r...

Page 190: ...eneral Packet Radio Services), High Speed Circuit Switched Data (HSCSD), etc. CDMA2000 is a hybrid 2.5G/3G protocol of mobile telecommunications standards that use CDMA, a multiple access scheme for digital radio. CDMA2000 1xRTT (1 times Radio Transmission Technology) is the core CDMA2000 wireless air interface standard. It is also known as 1x, 1xRTT or IS-2000 and considered to be a 2.5G or 2.75G technology...

Page 191: Turn the ZyWALL off before you install or remove the 3G card. The WAN 1 and WAN 2 IP addresses of a ZyWALL with multiple WAN interfaces must be on different subnets. Figure 100: NETWORK > WAN > 3G (WAN 2).

Page 192: ...starts. ISP Parameters for Internet Access. Access Point Name (APN): This field displays with a GSM or HSDPA 3G card. Enter the APN (Access Point Name) provided by your service provider. Connections with different APNs may provide different services (such as Internet access or MMS, Multi-Media Messaging Service) and charge method. You can enter up to 31 ASCII printable characters. Spaces are allowed. Initial Str...

Page 193: ...otocol address used within one network (for example, a private IP address used in a local network) to a different IP address known within another network (for example, a public IP address used on the Internet). Select this checkbox to enable NAT. For more information about NAT, see Chapter 21 on page 431. Enable Multicast: Select this check box to turn on IGMP (Internet Group Management Protocol). IGMP is a net...

Page 194: ...et: Specify the actions the ZyWALL takes when the time or data limit is exceeded. Select Log to create a log. Select Alert to create an alert. This option is available only when you select Log. If you select Log, you can also select "recurring every" to have the ZyWALL send a log (and alert, if selected) for this event periodically. Specify how often (from 1 to 65535 minutes) to send the log (and alert, if select...

Page 195: ...gateway in another subnet (Subnet 2). Configure a LAN to LAN ZyWALL firewall rule that forwards packets from the protected LAN (Subnet 1) to the backup gateway (Subnet 2). Figure 102: Traffic Redirect LAN Setup. 8.15 Configuring Traffic Redirect: To change your ZyWALL's traffic redirect settings, click NETWORK > WAN > Traffic Redirect. The screen appears as shown. For the ZyWALL 5, if the traffic redirect feature do...

Page 196: ...l fields are available on all models. Table 46: NETWORK > WAN > Traffic Redirect (LABEL / DESCRIPTION). Active: Select this check box to have the ZyWALL use traffic redirect if the normal WAN connection goes down. Backup Gateway IP Address: Type the IP address of your backup gateway in dotted decimal notation. The ZyWALL automatically forwards traffic to this IP address if the ZyWALL's Internet connection termin...

Page 197: ...following table describes the labels in this screen. Table 47: NETWORK > WAN > Dial Backup (LABEL / DESCRIPTION). Dial Backup Setup. Enable Dial Backup: Select this check box to turn on dial backup. Basic Settings. Login Name: Type the login name assigned by your ISP. Password: Type the password assigned by your ISP...

Page 198: ...xed IP address, then enter the IP address in the following field. My WAN IP Address: Leave the field set to 0.0.0.0 (default) to have the ISP or other remote router dynamically (automatically) assign your WAN IP address if you do not know it. Type your WAN IP address here if you know it (static). This is the address assigned to your local ZyWALL, not the remote router. Enable NAT (Network Address Translation): Ne...

Page 199: ...v2. IGMP version 2 (RFC 2236) is an improvement over version 1 (RFC 1112), but IGMP version 1 is still in wide use. If you would like to read more detailed information about interoperability between IGMP version 2 and version 1, please see sections 4 and 5 of RFC 2236. Budget. Always On: Select this check box to have the dial backup connection on all of the time. Configure Budget: Select this check box to have...

Page 200: ...e drop command (ATH). 8.17.3 Response Strings: The response strings tell the ZyWALL the tags (or labels) immediately preceding the various call parameters sent from the WAN device. The response strings have not been standardized; please consult the documentation of your WAN device to find the correct tags. 8.18 Configuring Advanced Modem Setup: Click the Edit button in the Dial Backup screen to display the...

Page 201: ...e CLID is required for CLID authentication. Called ID: Type the keyword preceding the dialed number. Speed: Type the keyword preceding the connection speed. Call Control. Dial Timeout (sec): Type a number of seconds for the ZyWALL to try to set up an outgoing call before timing out (stopping). Retry Count: Type a number of times for the ZyWALL to retry a busy or no-answer phone number before blacklisting the n...

Page 203: ...It is also highly recommended that you keep all sensitive information off of the public servers connected to the DMZ port. Store sensitive information on LAN computers. 9.2 Configuring DMZ: The DMZ and the connected computers can have private or public IP addresses. When the DMZ uses public IP addresses, the WAN and DMZ ports must use public IP addresses that are on separate subnets. See Appendix E on p...

Page 204: ...net mask based on the IP address that you assign. Unless you are implementing subnetting, use the subnet mask computed by the ZyWALL (255.255.255.0). RIP Direction: RIP (Routing Information Protocol, RFC 1058 and RFC 1389) allows a router to exchange routing information with other routers. The RIP Direction field controls the sending and receiving of RIP packets. Select the RIP direction from Both, In Only, Out...

Page 205: ...des TCP/IP configuration for the clients. When set as a server, fill in the IP Pool Starting Address and Pool Size fields. Select Relay to have the ZyWALL forward DHCP requests to another DHCP server. When set to Relay, fill in the DHCP Server Address field. Select None to stop the ZyWALL from acting as a DHCP server. When you select None, you must have another DHCP server on your LAN, or else the computer...

Page 206: ...to forward NetBIOS packets from the DMZ to WAN 2 and from WAN 2 to the DMZ. Clear this check box to block all NetBIOS packets going from the DMZ to WAN 2 and from WAN 2 to the DMZ. Allow between DMZ and WLAN: Select this check box to forward NetBIOS packets from the WLAN to the DMZ and from the DMZ to the WLAN. If your firewall is enabled with the default policy set to block DMZ to WLAN traffic and W...

Page 207: ...cal DMZ interface is set to use a private or public IP address. Use NAT if you want to make DMZ computers with private IP addresses publicly accessible (see Chapter 21 on page 431 for more information). When you use IP alias, you can have the DMZ use both public and private IP addresses at the same time. Make sure that the subnets of the logical networks do not overlap. To change your ZyWALL's IP alias s...

Page 208: ...ALL will broadcast its routing table periodically. When set to Both or In Only, it will incorporate the RIP information that it receives; when set to None, it will not send any RIP packets and will ignore any RIP packets received. RIP Version: The RIP Version field controls the format and the broadcasting method of the RIP packets that the ZyWALL sends (it recognizes both formats when receiving). RIP-1 is...

Page 209: ...ollowing figure shows a network setup with both private and public IP addresses on the DMZ. Lower case letters represent public IP addresses (like a.b.c.d, for example). The LAN port and connected computers A through C use private IP addresses that are in one subnet. The DMZ port and server F use private IP addresses that are in one subnet. The private IP addresses of the LAN and DMZ are on separate subn...

Page 210: ...er connected to a LAN, DMZ or WLAN port and changing the port's role: 1. A port's IP address varies as its role changes; make sure your computer's IP address is in the same subnet as the ZyWALL's LAN, DMZ or WLAN IP address. 2. Use the appropriate LAN, DMZ or WLAN IP address to access the ZyWALL. To change your ZyWALL's port role settings, click NETWORK > DMZ > Port Roles. The screen appears as shown. The radio b...

Page 211: ...t of the LAN. The port will use the ZyWALL's LAN IP address and MAC address. DMZ: Select a port's DMZ radio button to use the port as part of the DMZ. The port will use the ZyWALL's DMZ IP address and MAC address. WLAN: Select a port's WLAN radio button to use the port as part of the WLAN. The port will use the ZyWALL's WLAN IP address and MAC address. Apply: Click Apply to save your changes back to the Zy...

Page 212: Chapter 9 DMZ Screens, ZyWALL 5/35/70 Series User's Guide, page 212.

Page 213: ...he WLAN role. See Section 54.2 on page 761 for how to install a WLAN card. See the WLAN appendix for more detailed information on WLANs. 10.1.1 Additional Installation Requirements for Using 802.1x: A computer with an IEEE 802.11b wireless LAN card. A computer equipped with a web browser (with JavaScript enabled) and/or Telnet. A wireless station must be running IEEE 802.1x compliant software. Currently th...

Page 214: ...all a WLAN card. Insert a compatible wireless LAN card and enable the card in the WIRELESS > Wi-Fi screen (see Figure 122 on page 229). Use the Port Roles screen (see Figure 116 on page 220) to set a port to be part of the WLAN and connect an Access Point (AP) to the WLAN interface to extend the ZyWALL's wireless LAN coverage. Click NETWORK > WLAN to open the WLAN screen to configure the IP address for the ZyW...

Page 215: ...lticasting can reduce the load on non-router machines since they generally do not listen to the RIP multicast address and so will not receive the RIP packets. However, if one router uses multicasting, then all routers on your network must use multicasting also. By default, RIP direction is set to Both and the Version set to RIP-1. Multicast: Select IGMP-V1 or IGMP-V2 or None. IGMP (Internet Group Managem...

Page 216: ...on the WAN. Allow between WLAN and LAN: Select this check box to forward NetBIOS packets from the WLAN to the LAN and from the LAN to the WLAN. Clear this check box to block all NetBIOS packets going from the LAN to the WLAN and from the WLAN to the LAN. Allow between WLAN and WAN 1: Select this check box to forward NetBIOS packets from the WLAN to WAN 1 and from WAN 1 to the WLAN. Clear this check box...

Page 217: ...logical WLAN interfaces via its single physical WLAN Ethernet interface. The ZyWALL itself is the gateway for each of the logical WLAN networks. When you use IP alias, you can also configure firewall rules to control access between the WLAN's logical networks (subnets). Table 54: NETWORK > WLAN > Static DHCP (LABEL / DESCRIPTION). #: This is the index number of the static IP table entry (row). MAC Address: Type the MAC...

Page 218: ...ton to copy and/or paste the IP address. IP Subnet Mask: Your ZyWALL will automatically calculate the subnet mask based on the IP address that you assign. Unless you are implementing subnetting, use the subnet mask computed by the ZyWALL. RIP Direction: RIP (Routing Information Protocol, RFC 1058 and RFC 1389) allows a router to exchange routing information with other routers. The RIP Direction field contro...

Page 219: ...t port in the WLAN port role. Figure 115: WLAN Port Role Example. RIP Version: The RIP Version field controls the format and the broadcasting method of the RIP packets that the ZyWALL sends (it recognizes both formats when receiving). RIP-1 is universally supported but RIP-2 carries more information. RIP-1 is probably adequate for most networks, unless you have an unusual network topology. Both RIP-2B and R...

Page 220: ...s 1 to 4 are all LAN ports by default. Your changes are also reflected in the LAN and/or DMZ Port Roles screen. Figure 116: NETWORK > WLAN > Port Roles. The following table describes the labels in this screen. After you change the LAN/DMZ/WLAN port roles and click Apply, please wait for a few seconds until the following screen appears. Click Return to go back to the Port Roles screen. Table 56: NETWORK > WLAN > Port...

Page 221: ...Dial-In User Service) server, either on the WAN or your LAN, to provide authentication service for wireless stations. Figure 118: ZyWALL Wireless Security Levels. If you do not enable any wireless security on your ZyWALL, your network is accessible to any wireless networking device that is within range. Use the ZyWALL web configurator to set up your wireless LAN security settings. Refer to the chapter on u...

Page 222: ...ase. 10.6.3 Restricted Access: The MAC Filter screen allows you to configure the AP to give exclusive access to devices (Allow Association) or exclude them from accessing the AP (Deny Association). A MAC filter raises the bar only slightly: client MAC addresses travel in the clear and are trivial to spoof, so treat it as a convenience rather than as authentication. 10.6.4 Hide ZyWALL Identity: If you hide the ESSID, then the ZyWALL cannot be seen when a wireless client scans for local APs, although the ESSID is still sent in the clear in probe and association frames whenever a client connects, so this only hides the network from casual scanning. The trade-off for the extra security of hiding the ZyWALL may be inconvenience for so...

Page 223: ...ication Dial-In User Service) server enables user authentication, authorization and accounting. RADIUS is based on a client-server model that supports authentication and accounting, where the access point is the client and the server is the RADIUS server. The RADIUS server handles the following tasks, among others: Authentication: Determines the identity of the users. Accounting: Keeps track of the client's netw...

Page 224: ...ect the network from unauthorized access. 10.9.2 EAP Authentication Overview: EAP (Extensible Authentication Protocol) is an authentication protocol that runs on top of the IEEE 802.1x transport mechanism in order to support multiple types of user authentication. By using EAP to interact with an EAP-compatible RADIUS server, the access point helps a wireless station and a RADIUS server perform authentic...

Page 225: ...EAP type is configured to one of the following: EAP-TLS, EAP-TTLS, PEAP. EAP-MD5 cannot be used with dynamic WEP key exchange (it produces no keying material and does not authenticate the server, so it also leaves the client open to a rogue AP). 10.11 Introduction to WPA: WPA (Wi-Fi Protected Access) is a subset of the IEEE 802.11i standard. Key differences between WPA and WEP are user authentication and improved data encryption. 10.11.1 User Authentication: WPA applies IEEE 802.1x and Extensible Authentication Protocol (EAP...

Page 226: ...re the MIC. If they do not match, it is assumed that the data has been tampered with and the packet is dropped. By generating unique data encryption keys for every data packet and by creating an integrity checking mechanism (MIC), TKIP makes it much more difficult to decode data on a Wi-Fi network than WEP, making it difficult for an intruder to break into the network. TKIP has since been deprecated by the IEEE 802.11 standard and has published attacks; where the card and the clients support it, use AES-CCMP instead. The encryption mechanisms used for W...

Page 227: ...RADIUS server. 10.14 WPA with RADIUS Application Example: You need the IP address of the RADIUS server, its port number (default is 1812) and the RADIUS shared secret. A WPA application example with an external RADIUS server looks as follows. A is the RADIUS server; DS is the distribution system. 1. The AP passes the wireless client's authentication request to the RADIUS server. 2. The RADIUS server then chec...

Page 228: ...IS client. The Windows XP patch is a free download that adds WPA capability to Windows XP's built-in Zero Configuration wireless client. However, you must run Windows XP to use it. 10.16 Wireless Card: Turn the ZyWALL off before you install or remove the wireless LAN card. See the product specifications chapter for a list of compatible ZyXEL WLAN cards and the WLAN security features each card supports a...

Page 229: ...enabling it. Select the check box to enable the wireless LAN. Wireless Card: This field displays whether or not a compatible ZyXEL wireless LAN card is installed. ESSID (Extended Service Set IDentity): The ESSID identifies the Service Set with which a wireless station is associated. Wireless stations associating to the access point (AP) must have the same ESSID. Enter a descriptive name (up to 32 printable 7-...

Page 230: ...packets larger than the number of bytes that you enter here. Set the RTS/CTS equal to or higher than the fragmentation threshold to turn RTS/CTS off. Fragmentation Threshold: This is the threshold (number of bytes) for the fragmentation boundary for directed messages. It is the maximum data fragment size that can be sent. Security: Select one of the security settings: No Security, Static WEP, WPA-PSK, WPA, 8...

Page 231: ...ransmitted over the wireless network. Select 64-bit WEP or 128-bit WEP to enable data encryption. Neither key length is secure: the WEP key can be recovered from captured traffic in minutes with freely available tools, so use WEP only for a legacy client that cannot do WPA. Key 1 to Key 4: If you chose 64-bit WEP in the WEP Encryption field, then enter any 5 characters (ASCII string) or 10 hexadecimal characters ("0-9", "A-F") preceded by 0x for each key. If you chose 128-bit WEP in the WEP Encryption field, then enter 13 characters (ASCII string) or 26 hexadecimal characters ("0-9", "A-F") pre...

Page 232: ...period of inactivity. The wireless station needs to send the username and password again before it can use the wireless network again. Some wireless clients may prompt users for a username and password; other clients may use saved login credentials. In either case, there is usually a short delay while the wireless client logs in to the wireless network again. This value is usually smaller when the wirel...

Page 233: ...the wireless network again. Some wireless clients may prompt users for a username and password; other clients may use saved login credentials. In either case, there is usually a short delay while the wireless client logs in to the wireless network again. This value is usually smaller when the wireless network is keeping track of how much time each wireless station is connected to the wireless network (f...

Page 234: ...in order to stay connected. Enter a time interval between 10 and 65535 seconds. If wireless station authentication is done using a RADIUS server, the reauthentication timer on the RADIUS server has priority. Idle Timeout (Seconds): The ZyWALL automatically disconnects a wireless station from the wireless network after a period of inactivity. The wireless station needs to send the username and password ag...

Page 235: ...the ZyWALL to check an external RADIUS server. Dynamic WEP Key Exchange: Select 64-bit WEP or 128-bit WEP to enable data encryption. Apply: Click Apply to save your changes back to the ZyWALL. Reset: Click Reset to begin configuring this screen afresh. Table 62: WIRELESS > Wi-Fi > Wireless Card: 802.1x + Dynamic WEP (LABEL / DESCRIPTION). Table 63: WIRELESS > Wi-Fi > Wireless Card: 802.1x + Static WEP (LABEL / DESCRIPTION). Secu...

Page 236: ...meout (Seconds): The ZyWALL automatically disconnects a wireless station from the wireless network after a period of inactivity. The wireless station needs to send the username and password again before it can use the wireless network again. Some wireless clients may prompt users for a username and password; other clients may use saved login credentials. In either case, there is usually a short delay whil...

Page 237: ...eout (Seconds): The ZyWALL automatically disconnects a wireless station from the wireless network after a period of inactivity. The wireless station needs to send the username and password again before it can use the wireless network again. Some wireless clients may prompt users for a username and password; other clients may use saved login credentials. In either case, there is usually a short delay while...

Page 238: ...EP Encryption: WEP (Wired Equivalent Privacy) provides data encryption to prevent unauthorized wireless stations from accessing data transmitted over the wireless network. Select 64-bit WEP or 128-bit WEP to enable data encryption. Key 1 to Key 4: If you chose 64-bit WEP in the WEP Encryption field, then enter any 5 characters (ASCII string) or 10 hexadecimal characters ("0-9", "A-F") preceded by 0x for each key...

Page 239: ...s menu. Table 66: WIRELESS > Wi-Fi > MAC Filter (LABEL / DESCRIPTION). Active: Select or clear the check box to enable or disable MAC address filtering. Enable MAC address filtering to have the router allow or deny access to wireless stations based on MAC addresses. Disable MAC address filtering to have the router not perform MAC filtering on the wireless stations. Association: Define the filter action for the li...

Page 240: Apply: Click Apply to save your changes back to the ZyWALL. Reset: Click Reset to begin configuring this screen afresh. Table 66: WIRELESS > Wi-Fi > MAC Filter (LABEL / DESCRIPTION)...

Page 241: ...Firewall 243; Intrusion Detection and Prevention (IDP) 275; Configuring IDP 279; Anti-Virus 295; Anti-Spam 307; Content Filtering Screens 321; Content Filtering Reports 343; IPSec VPN 351; Certificates 395; Authentication Server 425...

Page 243: ...he firewall to protect your LAN computers from attacks by hackers on the Internet and control access between the LAN, DMZ, WLAN and WAN. By default, the firewall: allows traffic that originates from your LAN computers to go to all of the networks; blocks traffic that originates on the other networks from going to the LAN; allows traffic that originates on the WLAN to go to the WAN; allows traffic that ori...

Page 244: ...n the order you list them. When the traffic matches a rule, the ZyWALL takes the action specified in the rule. 11.2 Packet Direction Matrix: The ZyWALL's packet direction matrix allows you to apply certain security settings (like firewall, IDP, anti-virus and anti-spam) to traffic flowing in specific directions. For example, click SECURITY > FIREWALL to open the following screen. This screen configures general...

Page 245: ...that do not match any of the firewall rules. To set the ZyWALL to, by default, silently block traffic from WAN 1 from going to the DMZ interfaces, you would find where the From WAN1 row and the To DMZ column intersect and set the field to Drop, as shown. Figure 133: Default Block Traffic From WAN1 to DMZ Example. A specific interface or any of the ZyWALL's VPN connections. A specific interface or any of th...

Page 246: ...can access which computers or services connected to WAN 1. See Section 11.5 on page 253 for an example. WAN 1 to LAN: These rules specify which computers connected to WAN 1 can access which computers or services on the LAN. For example, you may create rules to: Allow certain types of traffic, such as Lotus Notes database synchronization, from specific hosts on the Internet to specific hosts on the LAN. All...

Page 247: ...the traffic that is coming from the LAN and going out through any of the ZyWALL's VPN tunnels. For example, by default the From LAN To VPN default firewall rule allows traffic from the LAN computers to go out through any of the ZyWALL's VPN tunnels. You could configure the From DMZ To VPN default rule to set the ZyWALL to silently block traffic from the DMZ computers from going out through any of th...

Page 248: ...ypts the VPN traffic and then applies the firewall rules. From VPN means traffic that came into the ZyWALL through a VPN tunnel and is going to the selected "to" interface. For example, by default the firewall allows traffic from any VPN tunnel to go to any of the ZyWALL's interfaces, the ZyWALL itself and other VPN tunnels. You could edit the From VPN To LAN default firewall rule to silently block traff...

Page 249: ...Chapter 11 Firewall, ZyWALL 5/35/70 Series User's Guide, page 249. Figure 136 From VPN to LAN Example. In order to do this, you would configure the SECURITY > FIREWALL > Default Rule screen as follows: ...

Page 250: ...through another of the ZyWALL's VPN tunnels (this is called hub-and-spoke VPN; see Section 18.17 on page 391 for details). The ZyWALL decrypts the traffic and applies the firewall rules before re-encrypting it or allowing the traffic to terminate at the ZyWALL. In the following example, the From VPN To VPN default firewall rule silently blocks the traffic that the ZyWALL receives from any VPN tunnel, eit...

Page 251: ...Chapter 11 Firewall, ZyWALL 5/35/70 Series User's Guide, page 251. Figure 138 From VPN to VPN Example. You would configure the SECURITY > FIREWALL > Default Rule screen as follows: ...

Page 252: ...Use caution when creating or deleting firewall rules and test your rules after you configure them. Consider these security ramifications before creating a rule: 1. Does this rule stop LAN users from accessing critical resources on the Internet? For example, if IRC is blocked, are there users that require this service? 2. Is it possible to modify the rule to be more specific? For example, if IRC is blocked f...

Page 253: ...wing figure shows the results of this rule. Figure 140 Blocking All LAN to WAN IRC Traffic Example. Your firewall would have the following configuration: The first row blocks LAN access to the IRC service on the WAN. The second row is the firewall's default policy that allows all traffic from the LAN to go to the WAN. The ZyWALL applies the firewall rules in order. So, for this example, when the ZyWALL re...

Page 254: ...ss to the IRC service on the WAN. The third row is still the firewall's default policy of allowing all traffic from the LAN to go to the WAN. The rule for the CEO must come before the rule that blocks all LAN to WAN IRC traffic. If the rule that blocks all LAN to WAN IRC traffic came first, the CEO's IRC traffic would match that rule and the ZyWALL would drop it and not check any other firewall rules...
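The first-match behaviour described on pages 253 and 254 (the CEO's permit rule must sit above the rule that blocks all LAN-to-WAN IRC, otherwise it can never fire) can be modelled directly. The following is an added example, not ZyXEL's code: it evaluates an ordered rule table top to bottom, and adds a shadowing check that reports any rule an earlier, broader rule makes unreachable. The addresses, the rule names and the choice of TCP port 6667 for IRC are assumptions made for the demonstration.

```python
"""First-match evaluation of an ordered firewall rule table.

Added example, not ZyXEL code. It models the LAN-to-WAN table on pages
253-254: a permit rule for the CEO's PC, a rule blocking all IRC, and the
direction's default policy as the last row. Addresses are constructed and
IRC is taken to be TCP port 6667 (an assumption).
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Rule:
    name: str
    src: str              # CIDR or "any"
    dst: str              # CIDR or "any"
    proto: str            # "tcp", "udp" or "any"
    dport: Optional[int]  # None means any destination port
    action: str           # "permit", "drop" or "reject"


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str
    dport: int


def _addr_in(cidr: str, addr: str) -> bool:
    return cidr == "any" or ip_address(addr) in ip_network(cidr, strict=False)


def rule_matches(rule: Rule, pkt: Packet) -> bool:
    return (_addr_in(rule.src, pkt.src) and _addr_in(rule.dst, pkt.dst)
            and rule.proto in ("any", pkt.proto)
            and rule.dport in (None, pkt.dport))


def evaluate(rules: List[Rule], pkt: Packet) -> Tuple[str, str]:
    """Walk the table top to bottom; return (action, rule name) of the first match.
    The table must end with the direction's default policy (src/dst/proto = any)."""
    for rule in rules:
        if rule_matches(rule, pkt):
            return rule.action, rule.name
    raise ValueError("rule table has no catch-all default policy")


def _covers(broad: str, narrow: str) -> bool:
    """True if every address matched by `narrow` is also matched by `broad`."""
    if broad == "any":
        return True
    if narrow == "any":
        return False
    return ip_network(narrow, strict=False).subnet_of(ip_network(broad, strict=False))


def shadowed_rules(rules: List[Rule]) -> List[str]:
    """Names of rules that can never fire because an earlier rule matches
    everything they match (the misordering warned about on page 254)."""
    out = []
    for i, later in enumerate(rules):
        for earlier in rules[:i]:
            if (_covers(earlier.src, later.src) and _covers(earlier.dst, later.dst)
                    and earlier.proto in ("any", later.proto)
                    and earlier.dport in (None, later.dport)):
                out.append(later.name)
                break
    return out


CEO_PC = "192.168.1.33"  # constructed address

LAN_TO_WAN = [
    Rule("allow-ceo-irc", CEO_PC + "/32", "any", "tcp", 6667, "permit"),
    Rule("block-lan-irc", "192.168.1.0/24", "any", "tcp", 6667, "drop"),
    Rule("default-lan-to-wan", "any", "any", "any", None, "permit"),
]

# the same three rows with the two specific rules swapped
MISORDERED = [LAN_TO_WAN[1], LAN_TO_WAN[0], LAN_TO_WAN[2]]


def ceo_irc(rules=LAN_TO_WAN):
    return evaluate(rules, Packet(CEO_PC, "203.0.113.10", "tcp", 6667))


def staff_irc(rules=LAN_TO_WAN):
    return evaluate(rules, Packet("192.168.1.77", "203.0.113.10", "tcp", 6667))


def staff_web(rules=LAN_TO_WAN):
    return evaluate(rules, Packet("192.168.1.77", "203.0.113.10", "tcp", 80))


if __name__ == "__main__":
    print(ceo_irc(), staff_irc(), staff_web())
    print(ceo_irc(MISORDERED), shadowed_rules(MISORDERED))
```

Running `shadowed_rules` over a table before applying it is the check a practitioner wants: a permit rule that a broader drop rule above it fully covers is a configuration error, not a working exception.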

Page 255: ...AN and Gateway A in different subnets, all returning network traffic must pass through the ZyWALL to your LAN. The following steps describe such a scenario: 1. A computer on the LAN initiates a connection by sending a SYN packet to a receiving server on the WAN. 2. The ZyWALL reroutes the packet to Gateway A, which is in Subnet 2. 3. The reply from the WAN goes to the ZyWALL. 4. The ZyWALL then sends it to t...

Page 256: ...yWALL's firewall rules storage space that is currently in use. When the storage space is almost full, you should consider deleting unnecessary firewall rules before adding more firewall rules. Enable Firewall: Select this check box to activate the firewall. The ZyWALL performs access control and protects against Denial of Service (DoS) attacks when the firewall is activated. Note: When you activate the fir...

Page 257: ...through the selected "from" interface and goes out through any VPN tunnel. For example, From LAN To VPN specifies the traffic that is coming from the LAN and going out through a VPN tunnel. The ZyWALL applies the firewall to the traffic before encrypting it. From VPN To VPN means traffic that comes in through a VPN tunnel and goes out through another VPN tunnel or terminates at the ZyWALL. This is the c...

Page 258: ...his screen. Table 70 SECURITY > FIREWALL > Default Rule (Bridge Mode). LABEL / DESCRIPTION. 0 to 100: This bar displays the percentage of the ZyWALL's firewall rules storage space that is currently in use. When the storage space is almost full, you should consider deleting unnecessary firewall rules before adding more firewall rules. Enable Firewall: Select this check box to activate the firewall. The ZyWALL performs...

Page 259: ...HTTP through a VPN tunnel to manage the ZyWALL. The ZyWALL applies the firewall to the traffic after decrypting it. Note: The VPN connection directions apply to the traffic going to or from the ZyWALL's VPN tunnels. They do not apply to other VPN traffic for which the ZyWALL is not one of the gateways (VPN pass-through traffic). Use the drop-down list box to set the firewall's default actions based on th...

Page 260: ...ress, Destination Address and Service Type drop-down lists for all of the displayed rules. Default Policy: This field displays the default action you selected in the Default Rule screen for the packet direction displayed. The following fields summarize the rules you have created that apply to traffic traveling in the selected packet direction. The firewall rules that you configure (summarized below) take...

Page 261: ...set packet or an ICMP destination-unreachable message to the sender (Reject), or allows the passage of packets (Permit). Sch: This field tells you whether a schedule is specified (Yes) or not (No). Log: This field shows you whether a log is created when packets match this rule (Yes) or not (No). Modify: Click the edit icon to go to the screen where you can edit the rule. Click the delete icon to delete an existing fi...

Page 262: ...Chapter 11 Firewall, ZyWALL 5/35/70 Series User's Guide, page 262. Figure 146 SECURITY > FIREWALL > Rule Summary > Edit...

Page 263: ...ailable / Selected Services: Highlight a service from the Available Services box on the left, then click to add it to the Selected Service(s) box on the right. To remove a service, highlight it in the Selected Service(s) box on the right, then click. Custom services have an * before the name. Next to the name of a service, two fields appear in brackets. The first field indicates the IP protocol type (TCP, UDP or I...

Page 264: ...g a TCP reset packet or an ICMP destination-unreachable message to the sender. Select Reject to deny the packets and send a TCP reset packet (for a TCP packet) or an ICMP destination-unreachable message (for a UDP packet) to the sender. Select Permit to allow the passage of the packets. Note: You also need to configure NAT port forwarding (or full-featured NAT address mapping rules) if you want to allow com...

Page 265: ...Respond to PING on: Select the check boxes of the interfaces that you want to reply to incoming Ping requests. Clear an interface's check box to have the ZyWALL not respond to any Ping requests that come into that interface. Do not respond to requests for unauthorized services: Select this option to prevent hackers from finding the ZyWALL by probing for unused ports. If you select this option, the ZyWA...

Page 266: ...og in your LAN network. 3. The CPU power of servers in your LAN network. 4. Network bandwidth. 5. Type of traffic for certain servers. Reduce the threshold values if your network is slower than average for any of these factors (especially if you have servers that are slow or handle many tasks and are often busy). If you often use P2P applications such as file sharing with eMule or eDonkey, it's recommended t...

Page 267: ...r of existing half-open sessions that causes the firewall to stop deleting half-open sessions. The ZyWALL continues to delete half-open requests as necessary until the number of existing half-open sessions drops below this number. Maximum Incomplete High: This is the number of existing half-open sessions that causes the firewall to start deleting half-open sessions. When the number of existing half-op...
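The Maximum Incomplete High and Low pair on page 267 is a hysteresis control: deletion of half-open sessions starts once the count passes High and keeps going until the count has fallen below Low, so the firewall does not flap on and off around a single threshold. The following is an added example, not ZyXEL's code, that models that behaviour over a constructed burst of connection requests. Whether the comparisons against High and Low are strict, and the choice to evict the oldest half-open session first, are assumptions made here.

```python
"""Half-open (embryonic) TCP session limiting with a high/low threshold pair.

Added example, not ZyXEL code. It models the Maximum Incomplete High / Low
behaviour described on page 267: crossing High starts deletion of half-open
sessions, and deletion continues until the count falls below Low. Strict
comparisons and oldest-first eviction are assumptions; the event stream is
constructed.
"""
from collections import OrderedDict
from typing import Dict, List, Tuple


class HalfOpenLimiter:
    def __init__(self, low: int, high: int):
        if not 0 < low <= high:
            raise ValueError("need 0 < low <= high")
        self.low, self.high = low, high
        self.half_open: "OrderedDict[str, None]" = OrderedDict()  # oldest first
        self.deleting = False
        self.deleted = 0

    def _update_mode(self) -> None:
        n = len(self.half_open)
        if not self.deleting and n > self.high:   # assumption: start strictly above High
            self.deleting = True
        elif self.deleting and n < self.low:      # stop once strictly below Low
            self.deleting = False

    def on_syn(self, key: str) -> bool:
        """A new connection request arrives. In deleting mode the oldest
        half-open session is dropped to make room. Returns the mode afterwards."""
        if self.deleting and self.half_open:
            self.half_open.popitem(last=False)
            self.deleted += 1
        self.half_open[key] = None
        self._update_mode()
        return self.deleting

    def on_established(self, key: str) -> bool:
        """The handshake completed (or the session was torn down), so it no
        longer counts as half-open."""
        self.half_open.pop(key, None)
        self._update_mode()
        return self.deleting


def simulate(events: List[Tuple[str, str]], low: int, high: int) -> Dict[str, object]:
    """Replay (kind, session key) events and report the mode transitions."""
    lim = HalfOpenLimiter(low, high)
    transitions = []
    for i, (kind, key) in enumerate(events):
        before = lim.deleting
        after = lim.on_syn(key) if kind == "syn" else lim.on_established(key)
        if before != after:
            transitions.append((i, "start" if after else "stop"))
    return {"half_open": len(lim.half_open), "deleted": lim.deleted,
            "deleting": lim.deleting, "transitions": transitions}


# constructed burst: seven SYNs from distinct clients, then four handshakes complete
EVENTS = ([("syn", "c%d" % i) for i in range(1, 8)]
          + [("established", "c%d" % i) for i in range(2, 6)])

if __name__ == "__main__":
    print(simulate(EVENTS, low=3, high=5))
```

With Low = 3 and High = 5, the sixth SYN pushes the count to 6 and starts deletion, the seventh SYN evicts the oldest half-open session, and deletion stops only after enough handshakes complete to bring the count under 3. Raising High above the burst size leaves every session untouched, which is the trade-off the page's tuning advice is about.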

Page 268: ...is the IP protocol type. If you selected Custom, this is the IP protocol value you entered. Attribute: This is the IP port number or ICMP type and code that defines the service. Modify: Click the edit icon to go to the screen where you can edit the service. Click the delete icon to remove an existing service. A window displays asking you to confirm that you want to delete the service. Note that subsequent...

Page 269: ...ve name of up to 31 printable ASCII characters (except Extended ASCII characters) for the custom service. You cannot use the character. Spaces are allowed. IP Protocol: Choose the IP protocol (TCP, UDP, TCP/UDP, ICMP or Custom) that defines your customized service from the drop-down list box. If you select Custom, specify the protocol's number. For example, ICMP is 1, TCP is 6, UDP is 17 and so on. Port Range: Enter...

Page 270: ...mple Service. 2. Configure it as follows and click Apply. Figure 153 My Service Firewall Rule Example: Edit Custom Service. 3. Click Rule Summary. Select WAN1 to LAN from the Packet Direction drop-down list boxes and click Refresh. 4. In the Rule Summary screen, type the index number for where you want to put the rule. For example, if you type 6, your new rule becomes number 6 and the previous rule 6 (if there...

Page 271: ...ox and then click Delete. 8. Configure the destination address fields as follows and click Add. Figure 155 My Service Firewall Rule Example: Rule Edit. 9. In the Edit Rule screen, use the arrows between Available Services and Selected Service(s) to configure it as follows. Click Apply when you are done. Custom services show up with an * before their names in the Services list box and the Rule Summary list box...

Page 272: ...Chapter 11 Firewall, ZyWALL 5/35/70 Series User's Guide, page 272. Figure 156 My Service Firewall Rule Example: Rule Configuration...

Page 273: ...Firewall, ZyWALL 5/35/70 Series User's Guide, page 273. Rule 1 allows a My Service connection from the WAN to IP addresses 10.0.0.10 through 10.0.0.15 on the LAN. Figure 157 My Service Firewall Rule Example: Rule Summary...

Page 275: ...d abnormal flows such as port scans. Figure 158 on page 275 represents a typical business network consisting of a LAN, a DMZ (DeMilitarized Zone) containing the company web, FTP, mail servers etc., and a firewall and/or NAT router connected to a broadband modem (M) for Internet access. Figure 158 Network Intrusions. 12.1.1 Firewalls and Intrusions. Firewalls are designed to block clearly suspicious traffic and for...

Page 276: ...directly on the system being protected. It works closely with the operating system, monitoring and intercepting system calls to the kernel or APIs in order to prevent attacks as well as log them. Disadvantages of host IDPs are that you have to install them on each device that you want to protect in your network and, due to the necessarily tight integration with the host operating system, future operati...

Page 277: ...Web page containing an embedded JavaScript that automatically executes, causing the same JavaScript code to propagate to all Web pages on that server. As Microsoft Internet Explorer browsers (version 5.01 or earlier) visit sites at the infected Web server, they unwittingly download pages with the JavaScript code that automatically executes, causing the virus to be sent to other computers on the Internet...

Page 278: ...nd runs Notepad to display the contents, which displays random characters. W32.MyDoom.A creates randomly chosen email addresses in the To and From fields as well as a randomly chosen subject line. Attached files will have an extension of BAT, CMD, EXE, PIF, SCR or ZIP. 12.1.6 ZyWALL IDP. The ZyWALL Internet Security Appliance is designed to protect against network-based intrusions. See Section 13.2 on page...

Page 279: ...etails. Turn the ZyWALL off before you install or remove the ZyWALL Turbo card. The ZyWALL Turbo Card does not have a MAC address. 13.1.1 Interfaces. The ZyWALL checks traffic going in the direction(s) you specify for signature matches. If a packet matches a signature, the action specified by the signature is taken. You can change the default signature actions in the Signatures screen. In the following fig...

Page 280: ...ng IDP to Interfaces. 13.2 General Setup. Use this screen to enable IDP on the ZyWALL and choose what traffic flows the ZyWALL checks for intrusions. Click SECURITY > IDP from the navigation panel. General is the first screen, as shown in the following figure. Figure 160 SECURITY > IDP > General...

Page 281: ...e of the ZyWALL. The ZyWALL does not check packets traveling from a LAN computer to another LAN computer on the same subnet. From WAN1 To WAN1 means packets that come in through the WAN 1 interface and that the ZyWALL routes back out through the WAN 1 interface. From VPN means traffic that came into the ZyWALL through a VPN tunnel and is going to the selected "to" interface. For example, From VPN To LAN speci...

Page 282: ...arget, thereby causing denial of service for users of the targeted system. Buffer Overflow: A buffer overflow occurs when a program or process tries to store more data in a buffer (temporary data storage area) than it was intended to hold. The excess information can overflow into adjacent buffers, corrupting or overwriting the valid data held in them. Intruders could run code in the overflow buffer regio...

Page 283: ...programs. A worm is a program that is designed to copy itself from one computer to another on a network. A worm's uncontrolled replication consumes system resources, thus slowing or stopping other tasks. The IDP Virus/Worm category refers to network-based viruses and worms. The Anti-Virus (AV) screen refers to file-based viruses and worms. Refer to the anti-virus chapter for additional information on file...

Page 284: ...ted, but no action is taken. Drop Packet: The packet is silently discarded. Drop Session: When the firewall is enabled, subsequent TCP/IP packets belonging to the same connection are dropped. Neither sender nor receiver are sent TCP RST packets. If the firewall is not enabled, only the packet that matched the signature is dropped. Reset Sender: When the firewall is enabled, the TCP/IP connection is silently t...

Page 285: ...ll entries and disable all signatures on the current page. For example, you could clear all check boxes for signatures that target operating systems not in your network. This would speed up the IDP signature checking process. Alternatively, you may select or clear individual entries. The check box becomes gray when you select the check box. If you edited any of the check boxes in this column on the curr...

Page 286: ...tton to begin configuring this screen afresh. Table 81 SECURITY > IDP > Signature (Group View) (continued). LABEL / DESCRIPTION. Table 82 SECURITY > IDP > Signature (Query View). LABEL / DESCRIPTION. Back to group view: Click this button to go to the IDP group view screen, where IDP signatures are grouped by attack type. Signature Search: Select this to search for a specific signature name or ID that you already know. Then s...

Page 287: ...com for more detailed information. Severity: This field displays the level of threat that the intrusion may pose. See Table 79 on page 283 for more information on intrusion severity. Platform: This field displays the computer or network device operating system that the intrusion targets or that is vulnerable to the intrusion. These icons represent a Windows operating system, a UNIX-based operating system and...

Page 288: ...u change the Active, Log, Alert and/or Action signature fields in the signatures found, then click Apply to save the changes to the ZyWALL. Alert: You can only edit the Alert check box when the corresponding Log check box is selected. Select this check box to have an e-mail sent when a match is found for a signature. Select the check box in the heading row to automatically select all check boxes or clear...

Page 289: ...uide, page 289. Figure 165 SECURITY > IDP > Signature: Query by Partial Name. Figure 166 SECURITY > IDP > Signature: Query by Complete ID. 13.3.5.2 Query Example 2. 1. From the group view signature screen, click the Switch to query view link. 1. Select Signature Search By Attributes...

Page 290: ...ate. The ZyWALL comes with built-in signatures created by the ZyXEL Security Response Team (ZSRT). These are regularly updated as new intrusions evolve. Use the Update screen to immediately download or schedule new signature downloads. You should have already registered the ZyWALL at myZyXEL.com (http://www.myzyxel.com/myzyxel/) and also have either activated the trial license or standard license (iCard). If yo...

Page 291: ...me when your network is least busy so as to minimize disruption to your network. Your custom signature configurations are not overwritten when you download new signatures. File-based anti-virus signatures (see the anti-virus chapter) are included with IDP signatures. When you download new signatures using the anti-virus Update screen, IDP signatures are also downloaded. The version number changes both i...

Page 292: ...ense. It displays License Active and an expiration date when you have activated your iCard license (the expiration date is the date it will expire). Update Server: This is the URL of the signature server from which you download signatures. Update Now: Click this button to begin downloading signatures from the Update Server immediately. Auto Update: Select the check box to configure a schedule for automatic...

Page 293: ...e screen to: Back up IDP signatures with your custom configured settings. Click Backup and then choose a location and filename for the IDP configuration set. Restore previously saved IDP signatures with your custom configured settings. Type in the location where the previously saved file resides on your computer or click Browse to find it. Click Upload. Revert to the original ZSRT-defined signature Acti...

Page 294: ...Chapter 13 Configuring IDP, ZyWALL 5/35/70 Series User's Guide, page 294...

Page 295: ...other files and programs on the computer. Table 84 Common Computer Virus Types. TYPE / DESCRIPTION. File Infector: This is a small program that embeds itself in a legitimate program. A file infector is able to copy and attach itself to other programs that are executed on an infected computer. Boot Sector Virus: This type of virus infects the area of a hard drive that a computer reads and executes during st...

Page 296: ...edicated security device, such as your ZyWALL, on the network edge. NAV scanners inspect real-time data traffic (such as e-mail messages or web) that tends to bypass HAV scanners. The following lists some of the benefits of NAV scanners: NAV scanners stop virus threats at the network edge before they enter or exit a network. NAV scanners reduce computing load on computers, as the real-time data traffic...

Page 297: ...ets for viruses. 4. If a virus pattern is matched, the ZyWALL destroys the file by removing the infected portion of the file. 5. If the send alert message function is enabled, the ZyWALL sends an alert to the file's intended destination computer(s). Since the ZyWALL erases the infected portion of the file before sending it, you may not be able to open the file. 14.2.2 Notes About the ZyWALL Anti-Virus. To use...

Page 298: ...ypes. Simultaneous downloads of a file using multiple connections (for example, when you use FlashGet to download sections of a file simultaneously). Encrypted traffic (such as on a VPN) or password-protected files. Traffic through custom (non-standard) ports. ZIP file(s) within a ZIP file. 14.3 General Anti-Virus Setup. Click SECURITY > ANTI-VIRUS to display the configuration screen as shown next. Before you use...

Page 299: ...e the ZyWALL scan a ZIP file with the zip, gzip or gz file extension. The ZyWALL first decompresses the ZIP file and then scans the contents for viruses. Note: The ZyWALL decompresses a ZIP file once. The ZyWALL does NOT decompress any ZIP file(s) within the ZIP file. Turbo Card: This field displays whether or not a ZyWALL Turbo Card is installed. Note: You cannot configure and save the IDP and Anti-Virus s...

Page 300: ...s traffic that came into the ZyWALL through a VPN tunnel and is going to the selected "to" interface. For example, From VPN To LAN specifies the VPN traffic that is going to the LAN or terminating at the ZyWALL's LAN interface. The ZyWALL checks the traffic after decrypting it. To VPN is traffic that comes in through the selected "from" interface and goes out through any VPN tunnel. For example, From LAN To...

Page 301: ...would like to search the signatures by the general attributes listed next. Active: Use this field to search for active (enabled) and/or inactive (disabled) signatures here. Log: Search for signatures by log option here (whether or not the ZyWALL is set to log packets that match the signature). Alert: Search for signatures by whether or not the ZyWALL is set to generate an alert (mail) when packets match the sig...

Page 302: ...create a log when packets match the signature. Select or clear the check box in the column heading to select or clear the column's check boxes for all of the displayed anti-virus signatures. Alert: This field is applicable only when you select Log. Select Alert to create an alert when a virus is detected. Select or clear the check box in the column heading to select or clear the column's check boxes fo...

Page 303: ...esponse Team (ZSRT). These are regularly updated as new intrusions evolve. Use the Update screen to immediately download or schedule new signature downloads. You should have already registered the ZyWALL at myZyXEL.com (http://www.myzyxel.com/myzyxel/) and also have either activated the trial license or standard license (iCard). If your license has expired, you will have to renew it before updates are allowed...

Page 304: ...and time when your network is least busy so as to minimize disruption to your network. Your custom signature configurations are not overwritten when you download new signatures. IDP signatures (see the chapters on IDP) are included with file-based anti-virus signatures. When you download new signatures using the IDP Update screen, anti-virus signatures are also downloaded. The version number changes bot...

Page 305: ...displays License Active and an expiration date when you have activated your iCard license (the expiration date is the date it will expire). Update Server: This is the URL of the signature server from which you download signatures. Update Now: Click this button to begin downloading signatures from the Update Server immediately. Auto Update: Select the check box to configure a schedule for automatic signatu...

Page 306: ...e the Backup/Restore screen to: Back up anti-virus signatures with your custom configured settings to a computer. Click Backup and then choose a location and filename for the anti-virus configuration set. Restore previously saved anti-virus signatures with your custom configured settings. Type in the location where the previously saved file resides on your computer or click Browse to find it. Click Upl...

Page 307: ...gines in checking each e-mail. SpamBulk: This engine identifies e-mail that has been sent in bulk or is similar to e-mail that is sent in bulk. SpamRepute: This engine checks to see if most people want the e-mail. SpamContent: This engine checks to see if the message would generally be considered offensive. SpamTricks: This engine checks to see if the e-mail is formatted to be economical for spammers or t...

Page 308: ...mer's attempt to disguise the sender's identity. The anti-spam external database combines all of this data into a SpamRepute Index for calculating the reputation of the sender, in order to guard against foreign-language spam, fraud and phishing. 15.1.1.3 SpamContent Engine. The SpamContent engine examines the e-mail's content to decide if it would generally be considered offensive. The vocabulary design...

Page 309: ...spam external database calculates a spam score for the e-mail and sends the score back to the ZyWALL. 4. The ZyWALL forwards the e-mail if the spam score is at or below the ZyWALL's spam threshold. If the spam score is higher than the spam threshold, the ZyWALL takes the action that you configured for dealing with spam. 15.1.3 Phishing. Phishing is a scam where fraudsters send e-mail claiming to be from...

Page 310: ...at matches a blacklist entry as spam and immediately takes the action that you configured for dealing with spam. The ZyWALL does not perform any more anti-spam checking on that individual e-mail. A properly configured blacklist helps catch spam e-mail and increases the ZyWALL's anti-spam speed and efficiency. 15.1.6 SMTP and POP3. Simple Mail Transfer Protocol (SMTP) is the Internet's message transport...

Page 311: ...he anti-spam feature on or off, choose what traffic flows the ZyWALL checks for spam and set how the ZyWALL treats spam. Figure 178 SECURITY > ANTI-SPAM > General. The following table describes the labels in this screen. Table 87 SECURITY > ANTI-SPAM > General. LABEL / DESCRIPTION. General Setup. Enable Anti-Spam: Select this check box to check traffic for spam SMTP (TCP port 25) and POP3 (TCP port 110) e-mail. See Sect...

Page 312: ...To VPN means traffic that comes in through a VPN tunnel and goes out through another VPN tunnel. This is the case when the ZyWALL is the hub in a hub-and-spoke VPN. The ZyWALL checks the traffic after decrypting it (before encrypting it again). Note: The VPN connection directions apply to the traffic going to or from the ZyWALL's VPN tunnels. They do not apply to other VPN traffic for which the ZyWALL is...

Page 313: ...rd POP3 mail with tag in mail subject: Select this radio button to have the ZyWALL discard spam SMTP e-mail. The ZyWALL will still forward spam POP3 e-mail with the tag that you define. Action taken when mail sessions threshold is reached: The anti-spam feature limits the number of concurrent e-mail sessions. An e-mail session is when an e-mail client and e-mail server (or two e-mail servers) connect thr...

Page 314: ...i-spam external database checks an e-mail's digest and sends back a score that rates how likely the e-mail is to be spam. The possible range for the spam score is 0 to 100. The closer the score is to 100, the more likely the e-mail is to be spam. Set the spam threshold (from 0 to 100) for considering an e-mail to be spam. The ZyWALL classifies any e-mail with a spam score greater than or equal to the thresh...

Page 315: ...n 100. 5. The ZyWALL received an unknown response to the anti-spam query. Tag for No Spam Score: Enter a message or label (up to 16 ASCII characters) to add to the mail subject of e-mails that it forwards if a valid spam score was not received within ten seconds. Forward SMTP and POP3 mail with tag in mail subject: Select this radio button to have the ZyWALL forward mail with the tag that you define. Discard S...

Page 316: ...atches a whitelist entry without doing any more anti-spam checking on that individual e-mail. Active: This field shows whether or not an entry is turned on. Type: This field displays whether the entry is based on the e-mail's source IP address, source e-mail address, an MIME header or the e-mail's subject. Content: This field displays the source IP address, source e-mail address, MIME header or subject cont...

Page 317: ...M > Lists > Edit. Use Blacklist: Select this check box to have the ZyWALL treat e-mail that matches a blacklist entry as spam. Active: This field shows whether or not an entry is turned on. Type: This field displays whether the entry is based on the e-mail's source IP address, source e-mail address, an MIME header or the e-mail's subject. Content: This field displays the source IP address, source e-mail address...

Page 318: ...specific content in the subject line. IP Address: This field displays when you select the IP type. Enter an IP address in dotted decimal notation. IP Subnet Mask: This field displays when you select the IP type. Enter the subnet mask here if applicable. E-Mail Address: This field displays when you select the E-Mail type. Enter an e-mail address or domain name (up to 63 ASCII characters). You can enter an ind...

Page 319: ...aracters of text to check for in the e-mail headers. Spaces are allowed. You can use a wildcard. For example, if you configure *good, any e-mail subject that ends in good matches. So "this is very good" and "this is not so good" both match. The wildcard can be anywhere in the text string and you can use more than one wildcard. You cannot use two wildcards side by side; there must be other characters between the...
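The wildcard rules on page 319 (a wildcard anywhere in the entry, more than one allowed, never two side by side, and a pattern like *good matching any subject that ends in good) together with the first-hit blacklist behaviour on page 310 can be implemented as a small matcher. The following is an added example, not ZyXEL's code. It assumes that the wildcard character is `*`, that an entry without a wildcard must match the whole subject or header value, and that matching is case-sensitive; the blacklist entries, subjects and headers are constructed.

```python
"""Anti-spam list-entry matching with the wildcard semantics described on page 319.

Added example, not ZyXEL code. Assumptions: the wildcard character is '*',
an entry without wildcards must match the whole subject or header value,
and matching is case-sensitive. Entries and messages are constructed.
"""
import re
from typing import Dict, List, Optional, Tuple


def compile_pattern(pattern: str) -> "re.Pattern[str]":
    """Turn a list entry into an anchored regex, rejecting adjacent wildcards."""
    if not pattern:
        raise ValueError("empty pattern")
    if "**" in pattern:
        raise ValueError("two wildcards side by side are not allowed: %r" % pattern)
    # literal text between wildcards is escaped; each '*' becomes 'any run of characters'
    parts = [re.escape(p) for p in pattern.split("*")]
    return re.compile("^" + ".*".join(parts) + "$", re.DOTALL)


def is_valid_pattern(pattern: str) -> bool:
    try:
        compile_pattern(pattern)
        return True
    except ValueError:
        return False


def matches(pattern: str, text: str) -> bool:
    return compile_pattern(pattern).match(text) is not None


# constructed blacklist: (entry type, content); order matters because the
# first hit ends checking for that e-mail (page 310)
BLACKLIST: List[Tuple[str, str]] = [
    ("subject", "*good"),
    ("subject", "*FREE*prize*"),
    ("header", "X-Mailer: *bulkblaster*"),
]


def first_blacklist_hit(subject: str, headers: Dict[str, str],
                        entries: List[Tuple[str, str]] = BLACKLIST) -> Optional[Tuple[str, str]]:
    """Return the first blacklist entry the e-mail matches, or None."""
    for kind, content in entries:
        if kind == "subject" and matches(content, subject):
            return (kind, content)
        if kind == "header":
            for name, value in headers.items():
                if matches(content, "%s: %s" % (name, value)):
                    return (kind, content)
    return None


if __name__ == "__main__":
    for subj in ("this is very good", "this is not so good", "good enough"):
        print(subj, "->", first_blacklist_hit(subj, {}))
    print(first_blacklist_hit("hello", {"X-Mailer": "bulkblaster 2.0"}))
```

Anchoring the pattern at both ends is what makes `*good` an "ends in good" test rather than a substring search; a practitioner validating entries before they are saved should run `is_valid_pattern` so that a doubled wildcard is rejected at configuration time rather than matching unexpectedly.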

Page 320: ...Chapter 15 Anti-Spam, ZyWALL 5/35/70 Series User's Guide, page 320...

Page 321: ...can select categories such as pornography or racial intolerance to block from a pre-defined list. 16.1.3 Customize Web Site Access. You can specify URLs to which the ZyWALL blocks access. You can alternatively block access to all URLs except ones that you specify. You can also have the ZyWALL block access to URLs that contain key words that you specify. 16.2 Content Filtering with an External Database...

Page 322: ...he ZyWALL has no record of the web site, it will query the external content filtering database and simultaneously send the request to the web server. The external content filtering database may change a web site's category or categorize a previously uncategorized web site. 5. The external content filtering server sends the category information back to the ZyWALL, which then blocks and/or logs access to...

Page 323: ...traffic that the ZyWALL sends out through a VPN tunnel or receives through a VPN tunnel. The ZyWALL applies the content filter to the traffic before encrypting it or after decrypting it. Note: The ZyWALL can apply content filtering on the traffic going to or from the ZyWALL's VPN tunnels. It does not apply to other VPN traffic for which the ZyWALL is not one of the gateways (VPN pass-through traffic). Ex...

Page 324: ...ilter Server Unavailable Timeout: Specify a number of seconds (1 to 30) for the ZyWALL to wait for a response from the external content filtering server. If there is still no response by the time this period expires, the ZyWALL blocks or allows access to the requested web page based on the setting in the Block When Content Filter Server Is Unavailable field. Enable Report Service: Select this option to r...

Page 325: ...17.3 on page 348 for how to submit the web site for review. The ordering of your policies is very important, as the ZyWALL applies policies in the order they are listed. Message to display when a site is blocked. Denied Access Message: Enter a message to be displayed when a user tries to access a restricted web site. The default message is "Please contact your network administrator". Redirect URL: Enter the...

Page 326: ...s field displays whether a content filter policy is turned on (Y) or not (N). Click the setting to change it. Group Address: This drop-down list box displays the source (user) addresses or ranges of addresses to which the content filter policy applies. Please note that a blank source or destination address is equivalent to Any. Modify: Click the general icon to restrict web features and edit the source (user) a...

Page 327: ...lter policy becomes number 6 and the previous content filter policy 6 (if there is one) becomes content filter policy 7. Click Insert to display the screens where you configure the content filter policy. Move: Type a content filter policy's index number and the number for where you want to put that policy. Click Move to move the policy to the number that you typed. The ordering of your policies is import...

Page 328: ...rvice based on ID. Web Proxy: a server that acts as an intermediary between a user and the Internet to provide security, administrative control and caching service. When a proxy server is located on the WAN, it is possible for LAN users to circumvent content filtering by pointing to this proxy server. Address Setup. Address Type: Do you want the policy to apply to packets from a particular (single) IP, a...

Page 329: ...estricted pages and a web page matches more than one category you selected, you will see a log showing this page matches one category (the first matched one) only. Select All Categories: Select this check box to restrict access to all site categories listed below. Clear All Categories: Select this check box to clear the selected categories below. Adult/Mature Content: Selecting this category excludes pages...

Page 330: ...sm. It also includes pages that provide or sell questionable educational materials, such as term papers. Note: This category includes sites identified as being malicious in any way (such as having viruses, spyware, etc.). Gambling: Selecting this category excludes pages where a user can place a bet or participate in a betting pool (including lotteries) online. It also includes pages that provide information...

Page 331: ...vents. Illegal Drugs: Selecting this category excludes pages that promote, offer, sell, supply, encourage or otherwise advocate the illegal use, cultivation, manufacture or distribution of drugs, pharmaceuticals, intoxicating plants or chemicals and their related paraphernalia. Education: Selecting this category excludes pages that offer educational information, distance learning and trade school information o...

Page 332: ...formation. This includes drive-by downloads, browser hijackers, dialers, intrusive advertising, any program which modifies your homepage, bookmarks or security settings, and keyloggers. It also includes any software which bundles spyware (as defined above) as part of its offering. Information collected or reported is personal if it contains uniquely identifying data, such as e-mail addresses, name, social secur...

Page 333: ...ople to connect with others to form an online community. Typically, members describe themselves in personal web page policies and form interactive networks linking them with other members based on common interests or acquaintances. Instant messaging, file sharing and web logs (blogs) are common features of Social Networking sites. Note: These sites may contain offensive material in the community-created c...

Page 334: ...online purchase of vehicles or parts. Humor/Jokes: Selecting this category excludes pages that primarily focus on comedy, jokes, fun, etc. This may include pages containing jokes of adult or mature nature. Pages containing humorous Adult/Mature content also have an Adult/Mature category rating. Software Downloads: Selecting this category excludes pages that are dedicated to the electronic download of soft...

Page 335: ...ry excludes pages of organizations that provide top-level domain pages, as well as web communities or hosting services. Advanced/Basic: Click Advanced to see an expanded list of categories, or click Basic to see a smaller list. Test Web Site Attribute. Test if Web site is blocked: You can check whether or not the content filter policy currently blocks any given web page. Enter a web site URL in the text b...

Page 336: ...k forbidden web sites. Content filter list customization may be enabled and disabled without re-entering these site names. Disable all Web traffic except for trusted Web sites: When this box is selected, the ZyWALL only allows Web access to sites on the Trusted Web Site list. If they are chosen carefully, this is the most effective way to block objectionable material. Don't block Java/ActiveX/Cookies/Web...

Page 337: ...the ones you want this policy to block and use the arrow button to move them to the Forbidden Web Sites list. Forbidden Web Sites: This list displays web sites to which this content filtering policy blocks access. Select an entry and use the arrow button to remove it from the list. Keyword Blocking: Keyword blocking allows you to block websites with URLs that contain certain keywords in the domain nam...

Page 338: ...web server data such as ActiveX, Java, Cookies and Web Proxy are not affected. Always: Select this option to have content filtering active all the time. Everyday from/to: Select this option to have content filtering active during the specified time interval(s) of each day. In the from and to fields, enter the time period(s), in 24-hour format, during which content filtering will be enforced. Customization: Sel...

Page 339: ...idual policies to add or remove specific sites or keywords for individual policies. Figure 189: SECURITY > CONTENT FILTER > Object. The following table describes the labels in this screen. Table 97: SECURITY > CONTENT FILTER > Object. LABEL / DESCRIPTION. Trusted Web Sites: These are sites that you want to allow access to, regardless of their content rating; they can be allowed by adding them to this list. You can enter up...

Page 340: ...n the text field above. Delete: Select a web site name from the Forbidden Web Site list and then click this button to delete it from that list. Keyword Blocking: Keyword Blocking allows you to block websites with URLs that contain certain keywords in the domain name or IP address. By default, the ZyWALL checks the URL's domain name or IP address when performing keyword blocking. This means that the ZyWAL...

Page 341: ...rized. Figure 190: SECURITY > CONTENT FILTER > Cache. The following table describes the labels in this screen. Table 98: SECURITY > CONTENT FILTER > Cache. LABEL / DESCRIPTION. URL Cache Setup. Maximum TTL: Type the maximum time to live (TTL), 1 to 720 hours. This sets how long the ZyWALL is to allow an entry to remain in the URL cache before discarding it. Apply: Click Apply to save your changes back to the ZyWALL. Reset...

Page 343: ...e's web configurator's CONTENT FILTER > Categories screen. 2. Select at least one category and click Apply. 3. Enter a valid URL or IP address of a web site in the Test if Web site is blocked field and click the Test Against Internet Server button. When content filtering is active, you should see an "access blocked" or "access forwarded" message. An error message displays if content filtering is not active. 17...

Page 344: ...LL's model name and/or MAC address under Registered ZyXEL Products. You can change the descriptive name for your ZyWALL using the Rename button in the Service Management screen (see Figure 193 on page 345). Figure 192: myZyXEL.com Welcome. 4. In the Service Management screen, click Content Filter in the Service Name field to open the Blue Coat login screen...

Page 345: ...nt. 5. Enter your ZyXEL device's MAC address (in lower case) in the Name field. You can find this MAC address in the Service Management screen (Figure 193 on page 345). Type your myZyXEL.com account password in the Password field. 6. Click Submit. Figure 194: Blue Coat Login. 7. In the Web Filter Home screen, click the Reports tab...

Page 346: ...rts. Figure 196: Blue Coat Report Home. 9. Select a time period in the Date Range field, either Allowed or Blocked in the Action Taken field, and a category (or enter the user name if you want to view single-user reports) and click Run Report. The screens vary according to the report type you selected in the Report Home screen. 10. A chart and/or list of requested web site categories display in the lower hal...

Page 347: ...Figure 197: Global Report Screen Example. 11. You can click a category in the Categories report or click URLs in the Report Home screen to see the URLs that were requested...

Page 348: ...y categorized, or that a web site's contents have changed and the content filtering category needs to be updated. Use the following procedure to submit the web site for review. 1. Log into the content filtering reports web site (see Section 17.2 on page 343). 2. In the Web Filter Home screen (see Figure 195 on page 346), click Site Submissions to open the Web Page Review Process screen shown next...

Page 349: ...Figure 199: Web Page Review Process Screen. 3. Type the web site's URL in the field and click Submit to have the web site reviewed...

Page 351: ...control and auditing. It is used to transport traffic over the Internet or any insecure network that uses TCP/IP for communication. Internet Protocol Security (IPSec) is a standards-based VPN that offers flexible solutions for secure data communications across a public network like the Internet. IPSec is built around a number of standardized cryptographic techniques to provide confidentiality, data int...

Page 352: ...networks. Between routers X and Y, the data is protected by tunneling, encryption, authentication and other security features of the IPSec SA. The IPSec SA is established securely using the IKE SA that routers X and Y established first. The rest of this section discusses IKE SA and IPSec SA in more detail. 18.1.1 IKE SA Overview. The IKE SA provides a secure connection between the ZyWALL and remote IPSec...

Page 353: ...outer (for example, telecommuters). In this case, you can still set up the IKE SA, but only the remote IPSec router can initiate an IKE SA. 18.2 VPN Rules (IKE). A VPN (Virtual Private Network) tunnel gives you a secure connection to another computer or network. A gateway policy contains the IKE SA settings. It identifies the IPSec routers at either end of a VPN tunnel. A network policy contains the IPSec SA set...

Page 354: ...the IPSec routers at either end of a VPN tunnel (My ZyWALL and Remote Gateway) and specifies the authentication, encryption and other settings needed to negotiate a phase 1 IKE SA (click the edit icon to display the other settings). My ZyWALL: This represents your ZyWALL. The WAN IP address, domain name or dynamic domain name of your ZyWALL displays in router mode. The ZyWALL's IP address displays in bridge...

Page 355: ...icy or move it to the recycle bin. Click this icon to display a screen in which you can change the settings of a gateway or network policy. Click this icon to delete a gateway or network policy. When you delete a gateway, the ZyWALL automatically moves the associated network policy(ies) to the recycle bin. When you delete a network policy, it is just deleted. Click this icon to establish a VPN connection...

Page 356: ...lman (DH) Key Exchange. The ZyWALL and the remote IPSec router use a DH key exchange to establish a shared secret, which is used to generate encryption keys for IKE SA and IPSec SA. In main mode, the DH key exchange is done in steps 3 and 4, as illustrated below. Figure 206: IKE SA: Main Negotiation Mode, Steps 3-4: DH Key Exchange. The DH key exchange is based on DH key groups. Each key group is a fixed number...

Page 357: ...ec router each has its own identity, so each one must store two sets of information, one for itself and one for the other router. Local ID type and ID content refers to the ID type and ID content that applies to the router itself, and peer ID type and ID content refers to the ID type and ID content that applies to the other router in the IKE SA. The ZyWALL's local and peer ID type and ID content must m...

Page 358: ...ecify the peer ID type and ID content. You must set up the certificates for the ZyWALL and remote IPSec router before you can use certificates in IKE SA. See Chapter 19 on page 395 for more information about certificates. 18.3.1.3 Extended Authentication. Extended authentication is often used when multiple IPSec routers use the same VPN tunnel to connect to a single IPSec router. For example, this might...

Page 359: ...nds it back to the ZyWALL. It also finishes the Diffie-Hellman key exchange, authenticates the ZyWALL, and sends its unencrypted identity to the ZyWALL for authentication. Step 3: The ZyWALL authenticates the remote IPSec router and confirms that the IKE SA is established. Aggressive mode does not provide as much security as main mode because the identity of the ZyWALL and the identity of the remote IPS...

Page 360: ...ships between the topics are also highlighted. 18.4.1 SA Life Time. SAs have a lifetime that specifies how long the SA lasts until it times out. When an SA times out, the ZyWALL automatically renegotiates the SA in the following situations: There is traffic when the SA life time expires. The IPSec SA is configured on the ZyWALL as nailed up (see below). Otherwise, the ZyWALL must re-negotiate the SA the nex...

Page 361: ...vity check to this ZyWALL's WAN IP address. If the remote IPSec router is not a ZyWALL, you may also want to avoid setting the IPSec rule to nailed up. 18.4.3 Encryption and Authentication Algorithms. In most ZyWALLs, you can select one of the following encryption algorithms for each proposal. The encryption algorithms are listed here in order from weakest to strongest. Data Encryption Standard (DES) is a...

Page 362: ...8.5 VPN Rules (IKE): Gateway Policy Edit. In the VPN Rule (IKE) screen, click the add gateway policy icon or the edit icon to display the VPN Gateway Policy Edit screen. Use this screen to configure a VPN gateway policy. The gateway policy identifies the IPSec routers at either end of a VPN tunnel (My ZyWALL and Remote Gateway) and specifies the authentication, encryption and other settings needed to negotiat...

Page 363: ...Figure 210: SECURITY > VPN > VPN Rules (IKE) > Edit Gateway Policy...

Page 364: ...ddress when using traffic redirect. Otherwise, you can select My Domain Name and choose one of the dynamic domain names that you have configured in the DDNS screen to have the ZyWALL use that dynamic domain name's IP address. When the ZyWALL is in bridge mode, this field is read-only and displays the ZyWALL's IP address. The VPN tunnel has to be rebuilt if the My ZyWALL IP address changes after setup. P...

Page 365: ...ot used on both ends. Certificate: Select the Certificate radio button to identify the ZyWALL by a certificate. Use the drop-down list box to select the certificate to use for this VPN tunnel. You must have certificates already configured in the My Certificates screen. Click My Certificates to go to the My Certificates screen where you can view the ZyWALL's list of certificates. Local ID Type: Select IP...

Page 366: ...domain name or e-mail address by which to identify the remote IPSec router. Use up to 31 ASCII characters including spaces, although trailing spaces are truncated. The domain name or e-mail address is for identification purposes only and can be any string. It is recommended that you type an IP address other than 0.0.0.0 or use the DNS or E-mail ID type in the following situations: 1. When there is a NAT...

Page 367: ...gotiation mode. Encryption Algorithm: Select which key size and encryption algorithm to use in the IKE SA. Choices are: DES, a 56-bit key with the DES encryption algorithm; 3DES, a 168-bit key with the DES encryption algorithm; AES, a 128-bit key with the AES encryption algorithm. The ZyWALL and the remote IPSec router must use the same algorithms and keys. Longer keys require more processing power, resulting...

Page 368: ...re many remote networks using one VPN rule (see Section 18.15.1 on page 389 for an example of telecommuters sharing one VPN rule). Associated Network Policies: The following table shows the policy(ies) you configure for this rule. To add a VPN policy, click the add network policy icon in the VPN Rules (IKE) screen (see Figure 204 on page 354). Refer to Section 18.7 on page 372 for more information. This field...

Page 369: ...rlap. You map the ZyWALL's local network addresses to virtual IP addresses and map the remote IPSec router's local IP addresses to other (non-overlapping) virtual IP addresses. The following diagram shows an example of using virtual address mapping to avoid overlapping local and remote IP addresses. You can set up virtual address mapping on both IPSec routers to allow computers on network X to access n...

Page 370: ...cifies how much of each packet is protected by the encryption and authentication algorithms. IPSec VPN includes two active protocols: AH (Authentication Header, RFC 2402) and ESP (Encapsulating Security Payload, RFC 2406). The ZyWALL and remote IPSec router must use the same active protocol. Usually, you should select ESP. AH does not support encryption, and ESP is more suitable with NAT. 18.6.4 Encapsulation. T...

Page 371: ...oposal and Perfect Forward Secrecy. An IPSec SA proposal is similar to an IKE SA proposal (see Section 18.3.1 on page 355), except that you also have the choice whether or not the ZyWALL and remote IPSec router perform a new DH key exchange every time an IPSec SA is established. This is called Perfect Forward Secrecy (PFS). If you enable PFS, the ZyWALL and remote IPSec router perform a DH key exchange eve...

Page 372: ...network policy's edit icon in the VPN Rules (IKE) screen to display the VPN Network Policy Edit screen. Use this screen to configure a network policy. A network policy identifies the devices behind the IPSec routers at either end of a VPN tunnel and specifies the authentication, encryption and other settings needed to negotiate a phase 2 IPSec SA...

Page 373: ...Figure 213: SECURITY > VPN > VPN Rules (IKE) > Edit Network Policy...

Page 374: ...to find computers on the remote network, and vice versa. Select this check box to send NetBIOS packets through the VPN connection. Check IPSec Tunnel Connectivity: Select the check box and configure an IP address in the Ping this Address field to have the ZyWALL periodically test the VPN tunnel to the remote IPSec router. The ZyWALL pings the IP address every minute. The ZyWALL starts the IPSec connect...

Page 375: ...e to One or Many to One in the Type field, enter an IP address as the translated IP address. Many-to-one rules are only for traffic going to the remote network. Use port forwarding rules to allow incoming traffic from the remote network. When you select Many One to One in the Type field, enter the beginning IP address of a range of translated IP addresses. Virtual Ending IP Address: When you select Many...

Page 376: ...nter the beginning (static) IP address in a range of computers on the network behind the remote IPSec router. When the Address Type field is configured to Subnet Address, enter a static IP address on the network behind the remote IPSec router. Ending IP Address / Subnet Mask: When the Address Type field is configured to Single Address, this field is N/A. When the Address Type field is configured to Range Ad...

Page 377: ...use for encryption. Choices are: NONE, disable PFS; DH1, enable PFS and use a 768-bit random number; DH2, enable PFS and use a 1024-bit random number. PFS changes the root key that is used to generate encryption keys for each IPSec SA. It is more secure but takes more time. Enable Replay Detection: As a VPN setup is processing-intensive, the system is vulnerable to Denial of Service (DoS) attacks. The IPSec rece...

Page 378: ...ate the port forwarding server entry. Name: Enter a descriptive name for identifying purposes. Start Port: Type a port number in this field. To forward only one port, type the port number again in the End Port field. To forward a series of ports, type the start port number here and the end port number in the End Port field. End Port: Type a port number in this field. To forward only one port, type the port nu...

Page 379: ...etwork Policy. LABEL / DESCRIPTION. Network Policy Information: The following fields display the general network settings of this VPN policy. Name: This field displays the policy name. Local Network: This field displays one or a range of IP address(es) of the computer(s) behind the ZyWALL. Remote Network: This field displays one or a range of IP address(es) of the remote network behind the remote IPSec router. G...

Page 380: ...rithm and one authentication algorithm. You cannot specify several proposals. There is no DH key exchange, so you have to provide the encryption key and the authentication key the ZyWALL and remote IPSec router use. The ZyWALL and remote IPSec router must use the same encryption key and authentication key. 18.10.2 Authentication and the Security Parameter Index (SPI). For authentication, the ZyWALL and rem...

Page 381: ...ocal Network Address Type field in the VPN Manual Key Edit screen is configured to Subnet Address. Remote Network: This is the IP address(es) of computer(s) on the remote network behind the remote IPSec router. This field displays N/A when the Remote Gateway Address field displays 0.0.0.0. In this case only the remote IPSec router can initiate the VPN. The same (static) IP address is displayed twice when t...

Page 382: ...les (Manual) Edit. The following table describes the labels in this screen. Modify: Click the edit icon to edit the VPN policy. Click the delete icon to remove the VPN policy. A window displays asking you to confirm that you want to delete the VPN rule. When a VPN policy is deleted, subsequent policies move up in the page list. Add: Click Add to add a new VPN policy. Table 106: SECURITY > VPN > VPN Rules (Manual) (co...

Page 383: ...k. When the Address Type field is configured to Single Address, this field is N/A. When the Address Type field is configured to Range Address, enter the end (static) IP address in a range of computers on the LAN behind your ZyWALL. When the Address Type field is configured to Subnet Address, this is a subnet mask on the LAN behind your ZyWALL. Remote Network: Specify the IP addresses of the devices behind t...

Page 384: ...here you must select options from the Authentication Algorithm field described next. Encryption Algorithm: Select DES, 3DES or NULL from the drop-down list box. When DES is used for data communications, both sender and receiver must know the Encryption Key, which can be used to encrypt and decrypt the message or to generate and verify a message authentication code. The DES encryption algorithm uses a 56...

Page 385: ...'s IP addresses (see Section 18.6.2 on page 369). For example, you usually would not configure both with 192.168.1.0. However, overlapping local and remote network IP addresses can occur with dynamic VPN rules or IP alias. Table 108: SECURITY > VPN > SA Monitor. LABEL / DESCRIPTION. This is the security association index number. Name: This field displays the identification name for this VPN policy. Local Network: Thi...

Page 386: ...work. Figure 219: Overlap in a Dynamic VPN Rule. Setting Local and Remote IP Address Conflict Resolution to The Local Network has the ZyWALL (X) check if a packet's destination is also at the local network before forwarding the packet. If it is, the ZyWALL sends the traffic to the local network. Setting Local and Remote IP Address Conflict Resolution to The Remote Network disables the checking for local n...

Page 387: ...SECURITY > VPN > Global Setting. The following table describes the labels in this screen. Table 109: SECURITY > VPN > Global Setting. LABEL / DESCRIPTION. Output Idle Timer: The ZyWALL disconnects a VPN tunnel if the remote IPSec router does not reply for this number of seconds. Input Idle Timer: When no traffic is received from a remote IPSec router after the specified time period, the ZyWALL disconnects the VPN tu...

Page 388: ...encrypts them for VPN. The ZyWALL fragments packets that are larger than a connection's MTU (Maximum Transmit Unit). In most cases, you should leave this set to Auto. The ZyWALL automatically sets the Maximum Segment Size (MSS) of the TCP packets that are to be encrypted by VPN based on the encapsulation type. Select Off to not adjust the MSS for the encrypted TCP packets. If your network environment cause...

Page 389: ...Dynamic DNS to do this. With aggressive negotiation mode (see Section 18.3.1.4 on page 359), the ZyWALL can use the ID types and contents to distinguish between VPN rules. Telecommuters can each use a separate VPN rule to simultaneously access a ZyWALL at headquarters. They can use different IPSec parameters. The local IP addresses (or ranges of addresses) of the rules configured on the ZyWALL at headquart...

Page 390: ...RS. All Telecommuter Rules / All Headquarters Rules: My ZyWALL: 0.0.0.0 / My ZyWALL: bigcompanyhq.com; Remote Gateway Address: bigcompanyhq.com; Local Network: Single IP Address 192.168.1.10 / Remote Network: Single IP Address 192.168.1.10; Local ID Type: E-mail / Peer ID Type: E-mail; Local ID Content: bob@bigcompanyhq.com / Peer ID Content: bob@bigcompanyhq.com. Telecommuter A (telecommutera.dydns.org) / Headquarters ZyWALL...

Page 391: ...te management must also be configured to allow HTTP access on the ZyWALL's LAN interface. Figure 224: VPN for Remote Management Example. 18.17 Hub-and-spoke VPN. Hub-and-spoke VPN connects VPN tunnels to form one secure network. Figure 225 on page 392 shows some example network topologies. In the first (fully-meshed) approach, there is a VPN connection between every pair of routers. In the second (hub-and-sp...

Page 392: ...not use a hub-and-spoke VPN in every situation, however. The hub router is a single point of failure, so a hub-and-spoke VPN may not be appropriate if the connection between the spoke routers cannot be down occasionally (for maintenance, for example). In addition, there is a significant burden on the hub router. It receives VPN traffic from one spoke, decrypts it, inspects it to find out where to send it, enc...

Page 393: ...quarters. Rule 1: Remote Gateway 10.0.0.2; Local IP address 192.168.168.0 - 192.168.169.255; Remote IP address 192.168.167.0 / 255.255.255.0. Rule 2: Remote Gateway 10.0.0.3; Local IP address 192.168.167.0 - 192.168.168.255; Remote IP address 192.168.169.0 / 255.255.255.0. Branch Office B: Remote Gateway 10.0.0.1; Local IP address 192.168.169.0 / 255.255.255.0; Remote IP address 192.168.167.0 - 192.168.168.255. 18.17.3 Hu...

Page 394: ...ub-and-spoke networks with which the spoke is to be able to have a VPN tunnel. This may require you to use more than one VPN rule. If you want to have the spoke routers access the Internet through the hub-and-spoke VPN tunnel, set the VPN rules in the spoke routers to use 0.0.0.0 (any) as the remote IP address. Make sure that your From VPN and To VPN firewall rules do not block the VPN packets...

Page 395: ...st be kept secure. Public-key encryption in general works as follows. 1. Tim wants to send a private message to Jenny. Tim generates a public/private key pair. What is encrypted with one key can only be decrypted using the other. 2. Tim keeps the private key and makes the public key openly available. 3. Tim uses his private key to encrypt the message and sends it to Jenny. 4. Jenny receives the message and u...

Page 396: ...vate keys. 19.2 Self-signed Certificates. You can have the ZyWALL act as a certification authority and sign its own certificates. 19.3 Verifying a Certificate. Before you import a trusted CA or trusted remote host certificate into the ZyWALL, you should verify that you have the actual certificate. This is especially true of trusted CA certificates since the ZyWALL also trusts any valid certificate signe...

Page 397: ...how to manage certificates on the ZyWALL. Figure 229: Certificate Configuration Overview. Use the My Certificate screens to generate and export self-signed certificates or certification requests and import the ZyWALL's CA-signed certificates. Use the Trusted CA screens to save the certificates of trusted CAs to the ZyWALL. You can also export the certificates to a computer. Use the Trusted Remote Hosts...

Page 398: ...the percentage of the ZyWALL's PKI storage space that is currently in use. When the storage space is almost full, you should consider deleting expired or unnecessary certificates before adding more certificates. Replace: This button displays when the ZyWALL has the factory default certificate. The factory default certificate is common to all ZyWALLs that use certificates. ZyXEL recommends that you use t...

Page 399: ...he certificate to a computer. For a certification request, click the export icon and then Save in the File Download screen. The Save As screen opens; browse to the location that you want to use and click Save. Click the delete icon to remove the certificate or certification request. A window displays asking you to confirm that you want to delete the certificate. You cannot delete a certificate that one o...

Page 400: ...nformation and change the certificate's name. If it is a self-signed certificate, you can also set the ZyWALL to use the certificate to sign the imported trusted remote host certificates. Figure 231: SECURITY > CERTIFICATES > My Certificates > Details. Create: Click Create to go to the screen where you can have the ZyWALL generate a certificate or a certification request. Refresh: Click Refresh to display the c...

Page 401: ...type of algorithm that was used to sign the certificate. The ZyWALL uses rsa-pkcs1-sha1 (RSA public/private key encryption algorithm and the SHA1 hash algorithm). Some certification authorities may use rsa-pkcs1-md5 (RSA public/private key encryption algorithm and the MD5 hash algorithm). Valid From: This field displays the date that the certificate becomes applicable. The text displays in red and include...

Page 402: ...S > My Certificates > Export. Certificate in PEM (Base-64) Encoded Format: This read-only text box displays the certificate or certification request in Privacy Enhanced Mail (PEM) format. PEM uses 64 ASCII characters to convert the binary certificate into a printable form. You can copy and paste a certification request into a certification authority's web page, an e-mail that you send to the certification auth...

Page 403: ...be in one of these file formats. Binary X.509: This is an ITU-T recommendation that defines the formats for X.509 certificates. Table 114: SECURITY > CERTIFICATES > My Certificates > Export. LABEL / DESCRIPTION. Export the certificate in binary X.509 format: Binary X.509 is an ITU-T recommendation that defines the formats for X.509 certificates. Export the certificate along with the corresponding private key in P...

Page 404: ...file's password is not connected to your certificate's public or private passwords. Exporting a PKCS#12 file creates this, and you must provide it to decrypt the contents when you import the file into the ZyWALL. Be careful to not convert a binary file to text during the transfer process. It is easy for this to occur since many programs use text files by default. Figure 233: SECURITY > CERTIFICATES > My Cer...

Page 405: ...y Certificate Create screen. Use this screen to have the ZyWALL create a self-signed certificate, enroll a certificate with a certification authority or generate a certification request. Table 116: SECURITY > CERTIFICATES > My Certificates > Import PKCS#12. LABEL / DESCRIPTION. Password: Type the file's password that was created when the PKCS#12 file was exported. Apply: Click Apply to save the certificate on the...

Page 406: ...Figure 235: SECURITY > CERTIFICATES > My Certificates > Create (Basic)...

Page 407: ...characters (not including spaces) to identify this certificate. Subject Information: Use these fields to record information that identifies the owner of the certificate. You do not have to fill in every field, but the Common Name is mandatory if you click Basic. The certification authority may add fields (such as a serial number) to the subject information when it issues a certificate. It is recommended tha...

Page 408: ...aracters. O (organization): select this and enter an organization to identify the owner of the certificate. You can use up to 63 characters. DC (domain component): select this and enter the domain component of a domain to identify the owner of the certificate. For example, if the domain is zyxel.com, the domain component is zyxel or com. You can use up to 63 characters. L (locality name): select this and enter the...

Page 409: ...or a certificate immediately online to have the ZyWALL generate a request for a certificate and apply to a certification authority for a certificate. You must have the certification authority's certificate already imported in the Trusted CAs screen. When you select this option, you must select the certification authority's enrollment protocol and the certification authority's certificate from the dro...

Page 410: ...n RA, select the CA's RA signing certificate from the drop-down list box. You must have the certificate already imported in the Trusted CAs screen. Click Trusted CAs to go to the Trusted CAs screen where you can view and manage the ZyWALL's list of certificates of trusted certification authorities. RA Encryption Certificate: If you select Enrollment via an RA, select the CA's RA encryption certificate f...

Page 411: ...ormation. Issuer: This field displays identifying information about the certificate's issuing certification authority, such as a common name, organizational unit or department, organization or company and country. With self-signed certificates, this is the same information as in the Subject field. Valid From: This field displays the date that the certificate becomes applicable. The text displays in red and...

Page 412: ...with an in-depth list of information about the certificate. Use the export icon to save the certificate to a computer. Click the icon and then Save in the File Download screen. The Save As screen opens; browse to the location that you want to use and click Save. Click the delete icon to remove the certificate. A window displays asking you to confirm that you want to delete the certificates. Note that su...

Page 413: ...ant to change the name, type up to 31 characters to identify this key certificate. You may use any character (not including spaces). Property. Check incoming certificates issued by this CA against a CRL: Select this check box to have the ZyWALL check incoming certificates that are issued by this certification authority against a Certificate Revocation List (CRL). Clear this check box to have the ZyWALL not...

Page 414: ...uing certification authority such as Common Name Organizational Unit Organization and Country With self signed certificates this is the same information as in the Subject Name field Signature Algorithm This field displays the type of algorithm that was used to sign the certificate Some certification authorities use rsa pkcs1 sha1 RSA public private key encryption algorithm and the SHA1 hash algori...

Page 415: ...or example that this is actually their certificate SHA1 Fingerprint This is the certificate s message digest that the ZyWALL calculated using the SHA1 algorithm You can use this value to verify with the certification authority over the phone for example that this is actually their certificate Certificate in PEM Base 64 Encoded Format This read only text box displays the certificate or certificatio...

Page 416: ...the Trusted CAs screen You do not need to add any certificate that is signed by one of the certification authorities on the Trusted CAs screen since the ZyWALL automatically accepts any valid certificate signed by a trusted certification authority as being trustworthy Table 120 SECURITY CERTIFICATES Trusted CAs Import LABEL DESCRIPTION File Path Type in the location of the file you want to upload ...

Page 417: ...zation or company and C Country It is recommended that each certificate have unique subject information Valid From This field displays the date that the certificate becomes applicable The text displays in red and includes a Not Yet Valid message if the certificate has not yet become applicable Valid To This field displays the date that the certificate expires The text displays in red and includes ...

Page 418: ...thorities on the Trusted CAs screen since the ZyWALL automatically accepts any valid certificate signed by a trusted certification authority as being trustworthy The trusted remote host certificate must be a self signed certificate and you must remove any spaces from its filename before you can import it Figure 241 SECURITY CERTIFICATES Trusted Remote Hosts Import The following table describes the...

Page 419: ...CATES Trusted Remote Hosts to open the Trusted Remote Hosts screen Click the details icon to open the Trusted Remote Host Details screen You can use this screen to view in depth information about the trusted remote host s certificate and or change the certificate s name Figure 242 SECURITY CERTIFICATES Trusted Remote Hosts Details ...

Page 420: ...This field displays information that identifies the owner of the certificate such as Common Name CN Organizational Unit OU Organization O and Country C Issuer This field displays identifying information about the default self signed certificate on the ZyWALL that the ZyWALL uses to sign the trusted remote host certificates Signature Algorithm This field displays the type of algorithm that the ZyWA...

Page 421: ...or how to verify a remote host s certificate before you import it into the ZyWALL SHA1 Fingerprint This is the certificate s message digest that the ZyWALL calculated using the SHA1 algorithm The ZyWALL uses one of its own self signed certificates to sign the imported trusted remote host certificates This changes the fingerprint value displayed here so it does not match the original See Section 19...

Page 422: ...expired or unnecessary certificates before adding more certificates The index number of the directory server The servers are listed in alphabetical order Name This field displays the name used to identify this directory server Address This field displays the IP address or domain name of the directory server Port This field displays the port number that the directory server uses Protocol This field...

Page 423: ...ress in dotted decimal notation or the domain name of the directory server Server Port This field displays the default server port number of the protocol that you select in the Access Protocol field You may change the server port number if needed however you must use the same server port number that the directory server uses 389 is the default server port number for LDAP Login Setting Login The Zy...

Page 424: ...Chapter 19 Certificates ZyWALL 5 35 70 Series User s Guide 424 ...

Page 425: ...14 on page 227 for more information about RADIUS 20 1 1 Local User Database By storing user profiles locally on the ZyWALL your ZyWALL is able to authenticate users without interacting with a network RADIUS server However there is a limit on the number of users you may authenticate in this way 20 1 2 RADIUS The ZyWALL can use an external RADIUS server to authenticate an unlimited number of users 2...

Page 426: ...Chapter 20 Authentication Server ZyWALL 5 35 70 Series User s Guide 426 Figure 245 SECURITY AUTH SERVER Local User Database ...

Page 427: ...word Enter a password up to 31 characters long for this user profile Apply Click Apply to save your changes back to the ZyWALL Reset Click Reset to begin configuring this screen afresh Table 127 SECURITY AUTH SERVER RADIUS LABEL DESCRIPTION Authentication Server Active Select the check box to enable user authentication through an external authentication server Clear the check box to enable user au...

Page 428: ...ddress of the external accounting server in dotted decimal notation Port Number The default port of the RADIUS server for accounting is 1813 You need not change this value unless your network administrator instructs you to do so with additional information Key Enter a password up to 31 alphanumeric characters as the key to be shared between the external accounting server and the ZyWALL The key is ...

Page 429: ...429 PART IV Advanced Network Address Translation NAT 431 Static Route 449 Policy Route 453 Bandwidth Management 459 DNS 475 Remote Management 487 UPnP 515 Custom Application 525 ...

Page 431: ...ocal address refers to the IP address of a host when the packet is in the local network, while the global address refers to the IP address of the host when the same packet is traveling in the WAN side. Note that inside/outside refers to the location of a host, while global/local refers to the IP address of a host used in a packet. Thus, an inside local address (ILA) is the IP address of an inside host in...

Page 432: ...ervers to the DMZ port instead. If you do not define any servers (for Many-to-One and Many-to-Many Overload mapping), NAT offers the additional benefit of firewall protection. With no servers defined, your ZyWALL filters out all incoming inquiries, thus preventing intruders from probing your network. For more information on IP address translation, refer to RFC 1631, The IP Network Address Translator (NAT). 21 ...

Page 433: ...AT Works. 21.1.4 NAT Application: The following figure illustrates a possible NAT application, where three inside LANs (logical LANs using IP Alias) behind the ZyWALL can communicate with three distinct WAN networks. More examples follow at the end of this chapter. Figure 248: NAT Application With IP Alias ...

Page 434: ...ort D. The ZyWALL changes the server's IP address to 2 and port to B. Since 1, A has already sent packets to 3, C and 4, D, they can send packets back to 2, B and the ZyWALL will perform NAT on them and send them to the server at IP address 1, port A. Packets have not been sent from 1, A to 4, E or 5, so they cannot send packets to 1, A. Figure 249: Port Restricted Cone NAT Example. 21.1.6 NAT Mapping Types: NAT s...

Page 435: ...rded through the ZyWALL. 21.2.1 SUA (Single User Account) Versus NAT: SUA (Single User Account) is a ZyNOS implementation of a subset of NAT that supports two types of mapping, Many-to-One and Server. The ZyWALL also supports Full Feature NAT to map multiple global IP addresses to multiple private LAN IP addresses of clients or servers using mapping types. Select either SUA or Full Feature in NAT Overview ...

Page 436: ... not your intention, then select Full Feature NAT and don't configure NAT mapping rules to those computers with public IP addresses on the DMZ. 21.3 NAT Overview Screen: Click ADVANCED > NAT to open the NAT Overview screen. Figure 250: ADVANCED > NAT > NAT Overview. The following table describes the labels in this screen. Table 130: ADVANCED > NAT > NAT Overview. LABEL, DESCRIPTION. Global Settings: Max Concurrent Sess...

Page 437: ...s are configured on the ZyWALL. The second number shows the maximum number of address mapping rules that can be configured on the ZyWALL. Port Forwarding Rules: The bar displays how many of the ZyWALL's possible port forwarding rules are configured. The first number shows how many port forwarding rules are configured on the ZyWALL. The second number shows the maximum number of port forwarding rules tha...

Page 438: ... have already configured rules 1 to 6 in your current set and now you configure rule number 9. In the set summary screen, the new rule will be rule 7, not 9. Now if you delete rule 4, rules 5 to 7 will be pushed up by 1 rule, so old rules 5, 6 and 7 become new rules 4, 5 and 6. Figure 251: ADVANCED > NAT > Address Mapping. The following table describes the labels in this screen. Table 131: ADVANCED > NAT > Address Map...

Page 439: ...Many-to-One and Server mapping types. Global End IP: This is the ending Inside Global Address (IGA). This field is N/A for One-to-One, Many-to-One and Server mapping types. Type: 1. One-to-One mode maps one local IP address to one global IP address. Note that port numbers do not change for the One-to-One NAT mapping type. 2. Many-to-One mode maps multiple local IP addresses to one global IP address. This is eq...

Page 440: ...ature. 3. Many-to-Many Overload: Many-to-Many Overload mode maps multiple local IP addresses to shared global IP addresses. 4. Many One-to-One: Many One-to-One mode maps each local IP address to unique global IP addresses. 5. Server: This type allows you to specify inside servers of different services behind the NAT to be accessible to the outside world. Local Start IP: This is the starting Inside Local IP A...

Page 441: ...ports a default server IP address. A default server receives packets from ports that are not specified in this screen. If you do not assign a Default Server IP address, the ZyWALL discards all packets received for ports that are not specified here or in the remote management setup. 21.5.2 Port Forwarding: Services and Port Numbers. The ZyWALL provides the additional safety of the DMZ ports for connectin...

Page 442: ...utside world through a single WAN IP address. When you use port translation with port forwarding, multiple servers on the local network can use the same port number and still be accessible to the outside world through a single WAN IP address. The following example has two web servers on a LAN. Server A uses IP address 192.168.1.33 and server B uses 192.168.1.34. Both servers use port 80. The letters a, b...

Page 443: ...t assign a Default Server IP address, the ZyWALL discards all packets received for ports that are not specified here or in the remote management setup. Refer to Appendix F on page 813 for port numbers commonly used for particular services. The last port forwarding rule is reserved for Roadrunner services. The rule is activated only when you set the WAN Encapsulation to Ethernet and the Service Type to...

Page 444: ...ge from the drop-down list box to display the corresponding summary page of the port forwarding servers. This is the number of an individual port forwarding server entry. Active: Select this check box to enable the port forwarding server entry. Clear this check box to disallow forwarding of these ports to an inside server without having to delete the entry. Name: Enter a name to identify this port forwa...

Page 445: ...ger port. When the ZyWALL's WAN port receives a response with a specific port number and protocol (incoming port), the ZyWALL forwards the traffic to the LAN IP address of the computer that sent the request. After that computer's connection for that service closes, another computer on the LAN can use the service in the same manner. This way you do not need to configure a new IP address each time you want...

Page 446: ...configure address mapping rules. This is the rule index number (read-only). Name: Type a unique name (up to 15 characters) for identification purposes. All characters are permitted, including spaces. Incoming: Incoming is a port or a range of ports that a server on the WAN uses when it sends out a particular service. The ZyWALL forwards the traffic with this port (or range of ports) to the client computer on th...

Page 447: ...er's Guide. 447. End Port: Type a port number or the ending port number in a range of port numbers. Apply: Click Apply to save your changes back to the ZyWALL. Reset: Click Reset to begin configuring this screen afresh. Table 134: ADVANCED > NAT > Port Triggering. LABEL, DESCRIPTION ...

Page 448: ...Chapter 21 Network Address Translation (NAT). ZyWALL 5/35/70 Series User's Guide. 448 ...

Page 449: ...ces not reachable through the default gateway, use static routes. For example, the next figure shows a computer (A) connected to the ZyWALL's LAN interface. The ZyWALL routes most traffic from A to the Internet through the default gateway R1. You create one static route to connect to services offered by your ISP behind router R2. You create another static route to communicate with a separate network behin...

Page 450: ...f the screen's blank rows are not shown. The first two static route entries are for default WAN 1 and WAN 2 routes on a ZyWALL with multiple WAN interfaces. You cannot modify or delete a static default route. The default route is disabled after you change the static WAN IP address to a dynamic WAN IP address. Figure 259: ADVANCED > STATIC ROUTE > IP Static Route ...

Page 451: ...is the IP address of the gateway. The gateway is a router or switch on the same network segment as the ZyWALL's interface. The gateway helps forward packets to their destinations. Modify: Click the edit icon to go to the screen where you can set up a static route on the ZyWALL. Click the delete icon to remove a static route from the ZyWALL. A window displays asking you to confirm that you want to delete...

Page 452: ...d networks. Enter a number that approximates the cost for this link. The number need not be precise, but it must be between 1 and 15. In practice, 2 or 3 is usually a good number. Private: This parameter determines if the ZyWALL will include this route to a remote node in its RIP broadcasts. Select this check box to keep this route private and not included in RIP broadcasts. Clear this check box to propaga...

Page 453: ...o enable the backbone to prioritize traffic. Cost Savings: IPPR allows organizations to distribute interactive traffic on high-bandwidth, high-cost paths while using low-cost paths for batch traffic. Load Sharing: Network administrators can use IPPR to distribute traffic among multiple paths. 23.3 Routing Policy: Individual routing policies are used as part of the overall IPPR process. A policy defines th...

Page 454: ...s the existing packet filtering facility of RAS in style and in implementation. 23.4 IP Routing Policy Setup: Click ADVANCED > POLICY ROUTE to open the Policy Route Summary screen (some of the screen's blank rows are not shown). Figure 261: ADVANCED > POLICY ROUTE > Policy Route Summary ...

Page 455: ...oute Summary. LABEL, DESCRIPTION. This is the number of an individual policy route. Active: This field shows whether the policy is active or inactive. Source Address/Port: This is the source IP address range and/or port number range. Destination Address/Port: This is the destination IP address range and/or port number range. Gateway: Enter the IP address of the gateway. The gateway is a router or switch on th...

Page 456: ...route. IP Protocol: Select Predefined and then the IP protocol from ALL (0), ICMP (1), IGMP (2), TCP (6), UDP (17), GRE (47), ESP (50) or AH (51). Otherwise, select Custom and enter a number from 0 to 255. Type of Service: Prioritize incoming network traffic by choosing from Any, Normal, Min Delay, Max Thruput, Max Reliable or Mix Cost. Precedence: Precedence value of the incoming packet. Select a value from 0 to 7 or Any. Packet Le...

Page 457: ... for UDP packets with a port 5060 destination. Note: If you select SIP, make sure you also use the ALG screen to turn on the SIP ALG. Source Interface: Use the check box to select LAN, DMZ, WAN 1, WAN 2 and/or WLAN. Starting IP Address: Enter the source starting IP address. Ending IP Address: Enter the source ending IP address. Starting Port: Enter the source starting port number. This field is applicable only w...

Page 458: ...t available check box to have the ZyWALL send traffic that matches the policy route through the other WAN interface if it cannot send the traffic through the WAN interface you selected. This option is only available when you select WAN Interface. Converted Type of Service: Set the new TOS value of the outgoing packet. Prioritize incoming network traffic by choosing Don't Change, Normal, Min Delay, Max Th...

Page 459: ...d packets at the next routing device. For example, you can set the WAN interface speed to 1024 kbps or less if the broadband device connected to the WAN port has an upstream speed of 1024 kbps. 24.2 Bandwidth Classes and Filters: Use bandwidth classes and sub-classes to allocate specific amounts of bandwidth capacity (bandwidth budgets). Configure a bandwidth filter to define a bandwidth class or sub-cla...

Page 460: ...sed Bandwidth Management: You can create bandwidth classes based on subnets. The following figure shows LAN subnets. You could configure one bandwidth class for subnet A and another for subnet B. Figure 263: Subnet-based Bandwidth Management Example. 24.6 Application and Subnet-based Bandwidth Management: You could also create bandwidth classes based on a combination of a subnet and an application. The fo...

Page 461: ... not using among the bandwidth classes that require more bandwidth. When you enable maximize bandwidth usage, the ZyWALL first makes sure that each bandwidth class gets up to its bandwidth allotment. Next, the ZyWALL divides up an interface's available bandwidth (bandwidth that is unbudgeted or unused by the classes) depending on how many bandwidth classes require more bandwidth and on their priority le...

Page 462: ...Unbudgeted Bandwidth: The following table shows the priorities of the bandwidth classes and the amount of bandwidth that each class gets. Suppose that all of the classes except for the administration class need more bandwidth. Each class gets up to its budgeted bandwidth. The administration class only uses 1024 kbps of its budgeted 2048 kbps. The sales and marketing are first to get extra bandwidth bec...

Page 463: ...to allow the sub-class to use its parent class's unused bandwidth. A parent class's unused bandwidth is given to the highest priority sub-class first. The sub-class can also borrow bandwidth from a higher parent class (grandparent class) if the sub-class's parent class is also configured to borrow bandwidth from its parent class. This can go on for as many levels as are configured to borrow bandwidth f...

Page 464: ...s bandwidth borrowing enabled. 24.9 Maximize Bandwidth Usage With Bandwidth Borrowing: If you configure both maximize bandwidth usage on the interface and bandwidth borrowing on individual sub-classes, the ZyWALL functions as follows. 1. The ZyWALL sends traffic according to each bandwidth class's bandwidth budget. 2. The ZyWALL assigns a parent class's unused bandwidth to its sub-classes that have more ...

Page 465: ... 500 Kbps of bandwidth to each of them before it allocates any bandwidth to FTP. As a result, FTP can only use bandwidth when VoIP and OpenPhone do not use all of their allocated bandwidth. Suppose you try to browse the web too. In this case, VoIP, OpenPhone and FTP all have higher priority, so they get to use the bandwidth first. You can only browse the web when VoIP, OpenPhone and FTP do not use all 1000...

Page 466: ...bandwidth budget of the interface's root class (see Section 24.12 on page 467). The recommendation is to set this speed to match what the device connected to the port can handle. For example, set the WAN interface speed to 1000 kbps if the broadband device connected to the WAN port has an upstream speed of 1000 kbps. The recommendation is to set this speed to match the interface's actual transmission sp...

Page 467: ...rs for the root class. To add or delete child classes on an interface, click ADVANCED > BW MGMT > Class Setup. The screen is shown here with example classes. Figure 265: ADVANCED > BW MGMT > Class Setup. Maximize Bandwidth Usage: Select this check box to have the ZyWALL divide up all of the interface's unallocated and/or unused bandwidth among the bandwidth classes that require bandwidth. Do not select this if yo...

Page 468: ...ou cannot edit the root class. Delete: Click Delete to delete the class and all its sub-classes. You cannot delete the root class. Statistics: Click Statistics to display the status of the selected class. Enabled classes (Search Order): This list displays the interface's active bandwidth management classes (the ones that have the bandwidth filter enabled). The ZyWALL applies the classes in the order that they...

Page 469: ...en 0 and 7 to set the priority of this class. The higher the number, the higher the priority. The default setting is 3. Borrow bandwidth from parent class: Select this option to allow a sub-class to borrow bandwidth from its parent class if the parent class is not using up its bandwidth budget. Bandwidth borrowing is governed by the priority of the sub-classes. That is, a sub-class with the highest priori...

Page 470: ...ephony, instant messaging, events notification and conferencing. The ZyWALL supports SIP traffic pass-through. Select SIP from the drop-down list box to configure this bandwidth filter for UDP packets with a port 5060 destination. This option makes it easier to manage bandwidth for SIP traffic and is useful, for example, when there is a VoIP (Voice over Internet Protocol) device on your LAN. Note: If you sel...

Page 471: ...bnet mask here. Refer to Appendix E on page 803 for more information on IP subnetting. Source Port: Enter the starting and ending destination port numbers. Enter the same port number in both fields to specify a single port number. See Appendix F on page 813 for a table of services and port numbers. Protocol ID: Enter the protocol ID (service type) number, for example 1 for ICMP, 6 for TCP or 17 for UDP. Apply...

Page 472: ... packets transmitted. Tx Bytes: This field displays the total number of bytes transmitted. Dropped Packets: This field displays the total number of packets dropped. Dropped Bytes: This field displays the total number of bytes dropped. Bandwidth Statistics for the Past 8 Seconds (t-8 to t-1): This field displays the bandwidth statistics (in bps) for the past one to eight seconds. For example, t-1 means one secon...

Page 473: ...dth class. A Default Class automatically displays for all the bandwidth in the Root Class that is not allocated to bandwidth classes. If you do not enable maximize bandwidth usage on an interface, the ZyWALL uses the bandwidth in this default class to send traffic that does not match any of the bandwidth classes. A A Budget (kbps): This field displays the amount of bandwidth allocated to the bandwidth cl...

Page 474: ...Chapter 24 Bandwidth Management. ZyWALL 5/35/70 Series User's Guide. 474 ...

Page 475: ...gives you DNS server addresses, manually enter them in the DNS server fields. 2. If your ISP dynamically assigns the DNS server IP addresses (along with the ZyWALL's WAN IP address), set the DNS server fields to get the DNS server address from the ISP. 3. You can manually enter the IP addresses of other DNS servers. These servers can be public or private. A DNS server could even be behind a remote IPSec rou...

Page 476: ...liased to the same IP address as yourhost.com. This feature is useful if you want to be able to use, for example, www.yourhost.com and still reach your hostname. 25.5 Name Server Record: A name server record contains a DNS server's IP address. The ZyWALL can query the DNS server to resolve domain names for features like VPN, DDNS and the time server. A domain zone may also be included. A domain zone is a f...

Page 477: ...Intranet DNS server on the remote network, then the VPN host must use IP addresses to access the computers on the remote private network. 25.6 System Screen: Click ADVANCED > DNS to display the following screen. Use this screen to configure your ZyWALL's DNS address and name server records. Figure 270: ADVANCED > DNS > System DNS ...

Page 478: ...contains a DNS server's IP address. The ZyWALL can query the DNS server to resolve domain names for features like VPN, DDNS and the time server. When the ZyWALL needs to resolve a domain name, it checks it against the name server record entries in the order that they appear in this list. A indicates a name server record without a domain zone. The default record is grayed out. The ZyWALL uses this default...

Page 479: ...is screen to insert a name server record. Table 149: ADVANCED > DNS > Add (Address Record). LABEL, DESCRIPTION. FQDN: Type a fully qualified domain name (FQDN) of a server. An FQDN starts with a host name and continues all the way up to the top-level domain name. For example, www.zyxel.com.tw is a fully qualified domain name, where www is the host, zyxel is the second-level domain, and com.tw is the top-level domain ...

Page 480: ...address fields for which the ISP does not assign an IP address. N/A displays for all of the DNS server IP address fields if the ZyWALL has a fixed WAN IP address. Select Public DNS Server if you have the IP address of a DNS server. The IP address must be public or a private address on your local LAN. Enter the DNS server's IP address in the field to the right. Public DNS Server entries with the IP addr...

Page 481: ... If the DNS query matches a positive entry, the ZyWALL responds with the IP address from the entry. If the DNS query matches a negative entry, the ZyWALL replies that the DNS query failed. 25.8 Configure DNS Cache: To configure your ZyWALL's DNS caching, click ADVANCED > DNS > Cache. The screen appears as shown. Figure 273: ADVANCED > DNS > Cache. The following table describes the labels in this screen. LABEL, DESCR...

Page 482: ...re discarding it Apply Click Apply to save your changes back to the ZyWALL Reset Click Reset to begin configuring this screen afresh DNS Cache Entry Flush Click this button to clear the cache manually After you flush the cache the ZyWALL must query the DNS servers again for any domain names that had been previously resolved Refresh Click this button to reload the cache This is the index number of ...

Page 483: ... if your ISP dynamically assigns DNS server information and the ZyWALL s WAN IP address Use the drop down list box to select a DNS server IP address that the ISP assigns in the field to the right Select User Defined if you have the IP address of a DNS server Enter the DNS server s IP address in the field to the right If you chose User Defined but leave the IP address set to 0 0 0 0 User Defined ch...

Page 484: ...ourhost dyndns org and still reach your hostname If you have a private WAN IP address then you cannot use Dynamic DNS 25 10 2 High Availability A DNS server maps a domain name to a port s IP address If that WAN port loses its connection high availability allows the router to substitute another port s IP address for the domain name mapping 25 11 Configuring Dynamic DNS To change your ZyWALL s DDNS ...

Page 485: ...IP address Select Use User Defined and enter the IP address if you have a static IP address Select Let DDNS Server Auto Detect only when there are one or more NAT routers between the ZyWALL and the DDNS server This feature has the DDNS server automatically detect and use the IP address of the NAT router that has a public IP address Note The DDNS server may not be able to detect the proper IP addre...

Page 486: ...Chapter 25 DNS ZyWALL 5 35 70 Series User s Guide 486 Apply Click Apply to save your changes back to the ZyWALL Reset Click Reset to begin configuring this screen afresh LABEL DESCRIPTION ...

Page 487: ...mote Management From the WAN When you configure remote management to allow management from any network except the LAN you still need to configure a firewall rule to allow access See Chapter 11 on page 243 for details on configuring firewall rules You can also disable a service on the ZyWALL by not allowing access for the service protocol through any of the ZyWALL interfaces You may only have one r...

Page 488: ...nt session does not time out when a statistics screen is polling You can change the timeout period in the MAINTENANCE General screen 26 2 WWW HTTP and HTTPS HTTPS HyperText Transfer Protocol over Secure Socket Layer or HTTP over SSL is a web protocol that encrypts and decrypts web pages Secure Socket Layer SSL is an application level protocol that enables secure transactions of data by ensuring co...

Page 489: ... 2 HTTP connection requests from a web browser go to port 80 by default on the ZyWALL s WS web server Figure 277 HTTPS Implementation If you disable the HTTP service in the REMOTE MGMT WWW screen then the ZyWALL blocks all HTTP connection attempts 26 3 WWW Click ADVANCED REMOTE MGMT to open the WWW screen Use this screen to configure the ZyWALL s HTTP and HTTPS management settings ...

Page 490: ...HTTPS proxy server listens on port 443 by default If you change the HTTPS proxy server port to a different number on the ZyWALL for example 8443 then you must notify people who need to access the ZyWALL web configurator to use https ZyWALL IP Address 8443 as the URL Server Access Select the interface s through which a computer may access the ZyWALL using this service You can allow only secure web ...

Page 491: ... 279 Security Alert Dialog Box Internet Explorer 26 4 2 Netscape Navigator Warning Messages When you attempt to access the ZyWALL HTTPS server a Website Certified by an Unknown Authority screen pops up asking if you trust the server certificate Click Examine Certificate if you want to verify that the certificate is from the ZyWALL Server Access Select the interface s through which a computer may a...

Page 492: ...sages The following describes the main reasons that your browser displays warnings about the ZyWALL s HTTPS server certificate and what you can do to avoid seeing the warnings The issuing certificate authority of the ZyWALL s HTTPS server certificate is not one of the browser s trusted certificate authorities The issuing certificate authority of the ZyWALL s factory default certificate is the ZyWA...

Page 493: ...re 284 on page 494 for an example Use this procedure to have the ZyWALL use a certificate with a common name that matches the ZyWALL s actual IP address You cannot use this procedure if you need to access the WAN port and it uses a dynamically assigned IP address 2a Create a new certificate for the ZyWALL that uses the IP address of the ZyWALL s port that you are trying to access as the certificat...

Page 494: ... your ZyWALL s MAC address that will be specific to this device Click CERTIFICATES to open the My Certificates screen You will see information similar to that shown in the following figure Figure 284 Device specific Certificate Click Ignore in the Replace Certificate screen to use the common ZyWALL certificate You will then see this information in the My Certificates screen ...

Page 495: ... a certificate if Authenticate Client Certificates is selected on the ZyWALL You must have imported at least one trusted CA to the ZyWALL in order for the Authenticate Client Certificates to be active see the Certificates chapter for details Apply for a certificate from a Certification Authority CA that is trusted by the ZyWALL see the ZyWALL s Trusted CA web configurator screen ...

Page 496: ... CA Screen The CA sends you a package containing the CA s trusted certificate s your personal certificate s and a password to install the personal certificate s 26 4 5 1 Installing the CA s Certificate 1 Double click the CA s trusted certificate to produce a screen similar to the one shown next ...

Page 497: ... in this appendix 26 4 5 2 Installing Your Personal Certificate s You need a password in advance The CA may issue the password or you may have to specify it during the enrollment Double click the personal certificate given to you by the CA to produce a screen similar to the one shown next 1 Click Next to begin the wizard Figure 288 Personal Certificate Import Wizard 1 ...

Page 498: ...text box. Click Browse if you wish to import a different certificate. Figure 289 Personal Certificate Import Wizard 2. 3 Enter the password given to you by the CA. Figure 290 Personal Certificate Import Wizard 3. 4 Have the wizard determine where the certificate should be saved on your computer, or select Place all certificates in the following store and choose a different location. ...

Page 499: ...Certificate Import Wizard 4. 5 Click Finish to complete the wizard and begin the import process. Figure 292 Personal Certificate Import Wizard 5. 6 You should see the following screen when the certificate is correctly installed on your computer. Figure 293 Personal Certificate Import Wizard 6. ...

Page 500: ...owser's web address field. Figure 294 Access the ZyWALL Via HTTPS. 2 When Authenticate Client Certificates is selected on the ZyWALL, the following screen asks you to select a personal certificate to send to the ZyWALL. This screen displays even if you only have a single certificate, as in the example. Figure 295 SSL Client Authentication. 3 You next see the web configurator login screen. Figure 296 Secur...

Page 501: ...ted text. SSH is a secure communication protocol that combines authentication and data encryption to provide secure encrypted communication between two hosts over an unsecured network. In the following figure, computer A on the Internet uses SSH to securely connect to the WAN port of the ZyWALL for a management session. Figure 297 SSH Communication Over the WAN Example. 26.6 How SSH Works. The following...

Page 502: ...d and data encryption activated, a secure tunnel is established between the client and the server. The client then sends its authentication information (user name and password) to the server to log in to the server. 26.7 SSH Implementation on the ZyWALL. Your ZyWALL supports SSH version 1.5 using RSA authentication and three encryption methods (DES, 3DES and Blowfish). The SSH server is implemented on the Z...

Page 503: ...ntinue. Table 151 ADVANCED REMOTE MGMT SSH (LABEL / DESCRIPTION). Server Host Key: Select the certificate whose corresponding private key is to be used to identify the ZyWALL for SSH connections. You must have certificates already configured in the My Certificates screen (click My Certificates and see Chapter 19 on page 395 for details). Server Port: You may change the server port number for a service if need...

Page 504: ...ess ENTER. The computer attempts to connect to port 22 on the ZyWALL using the default IP address of 192.168.1.1. A message displays indicating the SSH protocol version supported by the ZyWALL. Figure 301 SSH Example 2: Test. 2 Enter ssh -1 192.168.1.1. This command forces your computer to connect to the ZyWALL using SSH version 1. If this is the first time you are connecting to the ZyWALL using SSH, a mes...

Page 505: ...WALL. 3 Use the put command to upload a new firmware to the ZyWALL. Figure 303 Secure FTP: Firmware Upload Example. ssh -1 192.168.1.1 / The authenticity of host '192.168.1.1 (192.168.1.1)' can't be established. / RSA1 key fingerprint is 21:6c:07:25:7e:f4:75:80:ec:af:bd:d4:3d:80:53:d1. / Are you sure you want to continue connecting (yes/no)? yes / Warning: Permanently added '192.168.1.1' (RSA1) to the list of known hosts. / Ad...

Page 506: ...es the labels in this screen. Table 152 ADVANCED REMOTE MGMT Telnet (LABEL / DESCRIPTION). Server Port: You may change the server port number for a service if needed; however, you must use the same port number in order to use that service for remote management. Server Access: Select the interface(s) through which a computer may access the ZyWALL using this service. Secure Client IP Address: A secure client is a...

Page 507: ...MGMT FTP. The following table describes the labels in this screen. Table 153 ADVANCED REMOTE MGMT FTP (LABEL / DESCRIPTION). Server Port: You may change the server port number for a service if needed; however, you must use the same port number in order to use that service for remote management. Server Access: Select the interface(s) through which a computer may access the ZyWALL using this service. Secure Clien...

Page 508: ...f two main types of component: agents and a manager. An agent is a management software module that resides in a managed device (the ZyWALL). An agent translates the local management information from the managed device into a form compatible with SNMP. The manager is the console through which network administrators perform network management functions. It executes applications that control and monitor man...

Page 509: ...istical data and monitor status and performance. 26.14.2 SNMP Traps. The ZyWALL will send traps to the SNMP manager when any one of the following events occurs. 26.14.3 REMOTE MANAGEMENT: SNMP. To change your ZyWALL's SNMP settings, click ADVANCED REMOTE MGMT SNMP. The screen appears as shown. Table 154 SNMP Traps (TRAP / TRAP NAME / DESCRIPTION). 0 coldStart (defined in RFC 1215): A trap is sent after booting (powe...

Page 510: ...ap to the SNMP manager. The default is public and allows all requests. Destination: Type the IP address of the station to send your SNMP traps to. SNMP Service Port: You may change the server port number for a service if needed; however, you must use the same port number in order to use that service for remote management. Service Access: Select the interface(s) through which a computer may access the ZyWALL...

Page 511: ...onfigure, manage, monitor and troubleshoot ZyXEL devices located worldwide. See the Vantage CNM User's Guide for details. If you allow your ZyWALL to be managed by the Vantage CNM server, then you should not do any configurations directly to the ZyWALL using either the web configurator, SMT menus or commands without notifying the Vantage CNM administrator. Table 156 ADVANCED REMOTE MGMT DNS (LABEL / DESCRIP...

Page 512: ...nue to display Registering until it successfully registers with the Vantage CNM server. It will not be able to register with the Vantage CNM server if: the Vantage CNM server is down; the Vantage CNM server IP address is incorrect; the Vantage CNM server is behind a NAT router or firewall that does not forward packets through to the Vantage CNM server; the encryption algorithms and/or encryption keys d...

Page 513: ...ALL and is behind a NAT router, enter the WAN IP address of the NAT router here. Encryption Algorithm: The Encryption Algorithm field is used to encrypt communications between the ZyWALL and the Vantage CNM server. Choose from None (no encryption), DES or 3DES. The Encryption Key field appears when you select DES or 3DES. The ZyWALL must use the same encryption algorithm as the Vantage CNM server. Encryptio...

Page 514: ...Chapter 26 Remote Management. ...

Page 515: ...r as a separate icon. Selecting the icon of a UPnP device will allow you to access the information and properties of that device. 27.1.2 NAT Traversal. UPnP NAT traversal automates the process of allowing an application to operate through NAT. UPnP network devices can automatically configure network addressing, announce their presence in the network to other UPnP devices and enable exchange of simple p...

Page 516: ...e following table describes the fields in this screen. Table 158 ADVANCED UPnP (LABEL / DESCRIPTION). UPnP Setup. Device Name: This identifies the ZyXEL device in UPnP applications. Enable the Universal Plug and Play (UPnP) feature: Select this check box to activate UPnP. Be aware that anyone could use a UPnP application to open the web configurator's login screen without entering the ZyWALL's IP address (altho...

Page 517: ... applications. Apply: Click Apply to save your changes back to the ZyWALL. Reset: Click Reset to begin configuring this screen afresh. Table 158 ADVANCED UPnP (LABEL / DESCRIPTION). Table 159 ADVANCED UPnP Ports (LABEL / DESCRIPTION). Reserve UPnP NAT rules in flash after system bootup: Select this check box to have the ZyWALL retain UPnP-created NAT rules even after restarting. If you use UPnP and you set a port ...

Page 518: ... value and forwards requests on all external port numbers that are otherwise unmapped to the Internal Client. Protocol: This field displays the protocol of the NAT mapping rule (TCP or UDP). Internal Port: This field displays the port number on the Internal Client to which the ZyWALL should forward incoming connection requests. Internal Client: This field displays the DNS host name or IP address of a clie...

Page 519: ...ntrol Panel. Double-click Add/Remove Programs. 2 Click on the Windows Setup tab and select Communication in the Components selection box. Click Details. 3 In the Communications window, select the Universal Plug and Play check box in the Components selection box. 4 Click OK to go back to the Add/Remove Programs Properties window and click Next. 5 Restart the computer when prompted. ...

Page 520: ... LAN port of the ZyXEL device. Turn on your computer and the ZyXEL device. 1 Click Start, Settings and Control Panel. 2 Double-click Network Connections. 3 In the Network Connections window, click Advanced in the main menu and select Optional Networking Components. The Windows Optional Networking Components Wizard window displays. 4 Select Networking Service in the Components selection box and click Detai...

Page 521: ...trol Panel. Double-click Network Connections. An icon displays under Internet Gateway. 2 Right-click the icon and select Properties. 3 In the Internet Connection Properties window, click Settings to see the port mappings that were automatically created. You may edit or delete the port mappings, or click Add to manually add port mappings. ...

Page 522: ...cess. With UPnP, you can access the web-based configurator on the ZyXEL device without finding out the IP address of the ZyXEL device first. This is helpful if you do not know the IP address of the ZyXEL device. 4 Select the Show icon in notification area when connected check box and click OK. An icon displays in the system tray. 5 Double-click the icon to display your current Internet connection status...

Page 523: ... Click Start and then Control Panel. 2 Double-click Network Connections. 3 Select My Network Places under Other Places. 4 An icon with the description for each UPnP-enabled device displays under Local Network. 5 Right-click the icon for your ZyXEL device and select Invoke. The web configurator login screen displays. ...

Page 524: ...Chapter 27 UPnP. 6 Right-click the icon for your ZyXEL device and select Properties. A properties window displays with basic information about the ZyXEL device. ...

Page 525: ...orts in addition to the default ports. By default, these ZyWALL features monitor traffic for the following protocols on these port numbers: FTP 21, SIP 5060, H.323 1720, SMTP 25, POP3 110, HTTP 80. Changes in the Custom APP screen do not apply to the firewall. 28.2 Custom Application Configuration. Click ADVANCED Custom APP to open the Custom Application screen. This screen only specifies what port numbers th...

Page 526: ... more than one entry. To remove an entry, select Select a Type. Description: Enter information about the reason for monitoring custom port numbers for this protocol. Start Port: Enter the starting port for the range that the ZyWALL is to monitor for this application. If you are only entering a single port number, enter it here. End Port: Enter the ending port for the range that the ZyWALL is to monitor for ...

Page 527: ...ess inside the data stream to a public IP address. It also records session port numbers and dynamically creates implicit NAT port forwarding and firewall rules for the application's traffic to come in from the WAN to the LAN. See Section 28.1 on page 525 if you need to use the ALG for SIP, H.323 or FTP traffic on custom ports. 29.1.1 ALG and NAT. The ZyWALL dynamically creates an implicit NAT session f...

Page 528: ... send commands to the server for uploading and downloading files. If the FTP server is located on the LAN, you must also configure NAT port forwarding and firewall rules if you want to allow access to the server from the WAN. 29.3 H.323. H.323 is a standard teleconferencing protocol suite that provides audio, data and video conferencing. It allows for real-time point-to-point and multipoint communicatio...

Page 529: ...ort forwarding rules to allow LAN IP address B to receive calls through public WAN IP address 2. You configure corresponding policy routes to have calls from LAN IP address A go out through WAN IP address 1 and calls from LAN IP address B go out through WAN IP address 2. Figure 314 H.323 with Multiple WAN IP Addresses. When you configure the firewall and port forwarding to allow calls from the WAN to...

Page 530: ...orks. 29.5.1 STUN. STUN (Simple Traversal of User Datagram Protocol (UDP) through Network Address Translators) allows the VoIP device to find the presence and types of NAT routers and/or firewalls between it and the public Internet. STUN also allows the VoIP device to find the public IP address that NAT assigned, so the VoIP device can embed it in the SIP data stream. See RFC 3489 for details on STUN. You d...

Page 531: ...e ZyWALL SIP ALG drops any incoming calls after the timeout period. 29.5.4 SIP Audio Session Timeout. If no voice packets go through the SIP ALG before the timeout period (default 5 minutes) expires, the SIP ALG does not drop the call but blocks all voice traffic and deletes the audio session. You cannot hear anything and you will need to make a new call to continue your conversation. 29.6 ALG Screen. Cli...

Page 532: ...nable SIP ALG: Select this check box to allow SIP sessions to pass through the ZyWALL. SIP is a signaling protocol used in VoIP (Voice over IP), the sending of voice signals over Internet Protocol. SIP Timeout: Most SIP clients have an expire mechanism indicating the lifetime of signaling sessions. The SIP user agent sends registration packets to the SIP server periodically and keeps the session alive in ...

Page 533: ...533. PART V: Reports, Logs and Maintenance. Reports (535), Logs Screens (547), Maintenance (575). ...


Page 535: ...lay the following network usage details: web sites visited the most often; number of times the most visited web sites were visited; the most used protocols or service ports; the amount of traffic for the most used protocols or service ports; the LAN, DMZ or WLAN IP addresses to and/or from which the most traffic has been sent; how much traffic has been sent to and from the LAN, DMZ or WLAN IP addresses to...

Page 536: ... configuring this screen afresh. Interface: Select on which interface (LAN, DMZ or WLAN) the logs will be collected. The logs on the DMZ, LAN or WLAN IP alias 1 and 2 are also recorded. Report Type: Use the drop-down list box to select the type of reports to display. Web Site Hits displays the web sites that have been visited the most often from the LAN and how many times they have been visited. Protocol/Por...

Page 537: ...e. The following table describes the labels in this screen. Table 163 REPORTS SYSTEM REPORTS Web Site Hits Report (LABEL / DESCRIPTION). Web Site: This column lists the domain names of the web sites visited most often from computers on the LAN, DMZ or WLAN. The names are ranked by the number of visits to each web site and listed in descending order, with the most visited web site listed first. The ZyWALL count...

Page 538: ...REPORTS Host IP Address (LABEL / DESCRIPTION). IP Address: This column lists the LAN, DMZ or WLAN IP addresses to and/or from which the most traffic has been sent. The LAN, DMZ or WLAN IP addresses are listed in descending order, with the LAN, DMZ or WLAN IP address to and/or from which the most traffic was sent listed first. Direction: This field displays Incoming to denote traffic that is coming in from the ...

Page 539: ...tocols or service ports for which the most traffic has gone through the ZyWALL. The protocols or service ports are listed in descending order, with the most used protocol or service port listed first. Direction: This field displays Incoming to denote traffic that is coming in from the WAN to the LAN, DMZ or WLAN. This field displays Outgoing to denote traffic that is going out from the LAN, DMZ or WLAN t...

Page 540: ...n. This screen displays IDP (Intrusion Detection and Prevention) statistics. Figure 322 REPORTS THREAT REPORTS IDP. Table 166 Report Specifications (LABEL / DESCRIPTION). Number of web sites / protocols or ports / IP addresses listed: 20. Hit count limit: Up to 2^32 hits can be counted per web site. The count starts over at 0 if it passes four billion. Bytes count limit: Up to 2^64 bytes can be counted per protocol/por...

Page 541: ...most common signatures that the ZyWALL has detected. Select Source to list the source IP addresses from which the ZyWALL has detected the most intrusion attempts. Select Destination to list the most common destination IP addresses for intrusion attempts that the ZyWALL has detected. This field displays the entry's rank in the list of the top entries. Signature Name: This column displays when you displa...

Page 542: ...ay as follows when you display the top entries by destination. Figure 324 REPORTS THREAT REPORTS IDP Destination. 30.4 Anti-Virus Threat Reports Screen. Click REPORTS THREAT REPORTS Anti-Virus to display the Threat Reports Anti-Virus screen. This screen displays anti-virus statistics. Figure 325 REPORTS THREAT REPORTS Anti-Virus. ...

Page 543: ...s by Virus Name, Source or Destination. Select Virus Name to list the most common viruses that the ZyWALL has detected. Select Source to list the source IP addresses from which the ZyWALL has detected the most virus-infected files. Select Destination to list the most common destination IP addresses for virus-infected files that the ZyWALL has detected. This field displays the entry's rank in the list of th...

Page 544: ...m (LABEL / DESCRIPTION). Collect Statistics: Select this check box to have the ZyWALL collect anti-spam statistics. The collection starting time displays after you click Apply. All of the statistics in this screen are for the time period starting at the time displayed here. The format is year, month, day and hour, minute, second. Collecting starts over and a new collection start time displays if you restart the...

Page 545: ...as checked. This field displays the entry's rank in the list of the top entries. Sender Mail Address: This column displays when you display the entries by Sender Mail Address. This column displays the e-mail addresses from which the ZyWALL has detected the most spam. Source IP: This column displays when you display the entries by Source. It shows the source IP address of spam e-mails that the ZyWALL has ...

Page 546: ...Figure 329 REPORTS THREAT REPORTS Anti-Spam Source. The statistics display as follows when you display the score distribution. Figure 330 REPORTS THREAT REPORTS Anti-Spam Score Distribution. ...

Page 547: ...w Log screen. Use the View Log screen to see the logs for the categories that you selected in the Log Settings screen (see Section 31.3 on page 550). Options include logs about system maintenance, system errors, access control, allowed or blocked web sites, blocked web features (such as ActiveX controls, Java and cookies), attacks (such as DoS) and IPSec. Log entries in red indicate system error logs. The log wra...

Page 548: ... Settings page, make sure that you have first filled in the E-mail Log Settings fields in Log Settings (see Section 31.3 on page 550). Refresh: Click Refresh to renew the log screen. Clear Log: Click Clear Log to delete all the logs. The logs display in the table. Click a column's heading to sort the log entries by that criterion. This field displays the log number. Time: This field displays the time the log w...

Page 549: ...0 default configuration file, you can download a CA certificate signed by VeriSign from myZyXEL.com and import it into the ZyWALL as a trusted CA. This will stop the ZyWALL from generating this log every time it attempts to connect with myzyxel.com and the update server. Follow the steps below to download the certificate from myZyXEL.com. 1 Go to http://www.myZyXEL.com and log in with your account. 2 Cli...

Page 550: ...ert is a type of log that warrants more serious attention. They include system errors, attacks (access control) and attempted access to blocked web sites or web sites with restricted web features such as cookies, ActiveX and so on. Some categories, such as System Errors, consist of both logs and alerts. You may differentiate them by their color in the View Log screen. Alerts display in red and logs display...

Page 551: ...Chapter 31 Logs Screens. Figure 334 LOGS Log Settings. ...

Page 552: ...lso specify which day of the week the E-mail should be sent. If you select When Log is Full, an alert is sent when the log fills up. If you select None, no log messages are sent. Day for Sending Log: Use the drop-down list box to select which day of the week to send the logs. Time for Sending Log: Enter the time of the day in 24-hour format (for example, 23:00 equals 11:00 pm) to send the logs. SMTP Authentic...

Page 553: ...ime calibration failed: The router failed to get information from the time server. WAN interface gets IP: %s: A WAN interface got a new IP address from the DHCP, PPPoE, PPTP or dial-up server. DHCP client IP expired: A DHCP client's IP address has expired. DHCP server assigns %s: The DHCP server assigned an IP address to a client. Successful SMT login: Someone has logged on to the router's SMT interface. SMT log...

Page 554: ...g to last 32 consecutive queries: The specified DNS server did not respond to the last 32 consecutive queries. DDNS update IP: %s (host %d) successfully: The device updated the IP address of the specified DDNS host name. SMTP successfully: The device sent an e-mail. myZyXEL.com registration successful: Registration of the device with myZyXEL.com was successful. Trial service registration successful: Registratio...

Page 555: ...icate with the SMTP server (error message included). Table 175 Access Control Logs (LOG MESSAGE / DESCRIPTION). Firewall default policy: TCP/UDP/IGMP/ESP/GRE/OSPF (Packet Direction): Attempted TCP/UDP/IGMP/ESP/GRE/OSPF access matched the default policy and was blocked or forwarded according to the default policy's setting. Firewall rule NOT match: TCP/UDP/IGMP/ESP/GRE/OSPF (Packet Direction), rule %d: Attempted TCP...

Page 556: ... timeout 10 seconds. Exceed MAX incomplete, sent TCP RST: The router sent a TCP reset packet when the number of incomplete connections (TCP and UDP) exceeded the user-configured threshold. (Incomplete count is for all TCP and UDP connections through the firewall.) Note: When the number of incomplete connections (TCP + UDP) exceeds Maximum Incomplete High, the router sends TCP RST packets for TCP connections and destroys...

Page 557: ...PPPoE, PPTP or dial-up call was disconnected. Table 180 PPP Logs (LOG MESSAGE / DESCRIPTION). ppp:LCP Starting: The PPP connection's Link Control Protocol stage has started. ppp:LCP Opening: The PPP connection's Link Control Protocol stage is opening. ppp:CHAP Opening: The PPP connection's Challenge Handshake Authentication Protocol stage is opening. ppp:IPCP Starting: The PPP connection's Internet Protocol Con...

Page 558: ...is not activated. 3G Modem is locked: The internal modem on the inserted 3G card is blocked. SIM card not inserted or damaged: There is no SIM card in the inserted GSM/3G card, or the SIM card is damaged. 3G connection has been dropped: %s: The 3G connection has been dropped due to the specific reason, such as idle timeout, manual disconnection, failure to get an IP address, switching to WAN 1, ping check failu...

Page 559: ...d. %s: Not in trusted web list: The web site is not in a trusted domain and the router blocks all traffic except trusted domain sites. %s: Forbidden Web site: The web site is in the forbidden web site list. %s: Contains ActiveX: The web site contains ActiveX. %s: Contains Java applet: The web site contains a Java applet. %s: Contains cookie: The web site contains a cookie. %s: Proxy mode detected: The router detected pro...

Page 560: ...p spoofing - WAN ICMP (type:%d, code:%d): The firewall detected an ICMP IP spoofing attack on the WAN port. icmp echo: ICMP (type:%d, code:%d): The firewall detected an ICMP echo attack. syn flood TCP: The firewall detected a TCP SYN flood attack. ports scan TCP: The firewall detected a TCP port scan attack. teardrop TCP: The firewall detected a TCP teardrop attack. teardrop UDP: The firewall detected a UDP teardrop att...

Page 561: ...management settings. Remote Management: TELNET denied: Attempted use of TELNET service was blocked according to remote management settings. Remote Management: HTTP or UPnP denied: Attempted use of HTTP or UPnP service was blocked according to remote management settings. Remote Management: WWW denied: Attempted use of WWW service was blocked according to remote management settings. Remote Management: HTTPS de...

Page 562: ...d as 0.0.0.0 when the WAN IP address changed. Inbound packet decryption failed: Please check the algorithm configuration. Cannot find outbound SA for rule %d: A packet matches a rule but there is no phase 2 SA for outbound traffic. Rule %s sends an echo request to peer: The device sent a ping packet to check the specified VPN tunnel's connectivity. Rule %s receives an echo reply from peer: The device receive...

Page 563: ...y local My local: The displayed ID information did not match between the two ends of the connection. Send packet: A packet was sent. Recv packet: IKE uses ISAKMP to transmit data. Each ISAKMP packet contains many different types of payloads. All of them show in the LOG. Refer to RFC 2408 (ISAKMP) for a list of all ISAKMP payload types. Recv Main or Aggressive Mode request from IP: The router received an IKE ne...

Page 564: ...od mismatch: The listed rule's IKE phase 1 authentication method did not match between the router and the peer. Rule %d Phase 1 key group mismatch: The listed rule's IKE phase 1 key group did not match between the router and the peer. Rule %d Phase 2 protocol mismatch: The listed rule's IKE phase 2 protocol did not match between the router and the peer. Rule %d Phase 2 encryption algorithm mismatch: The lis...

Page 565: ... be deleted: The listed tunnel will be deleted because the remote gateway's IP address changed. My ZyWALL Addr has changed, tunnel %s will be deleted: The listed tunnel will be deleted because the ZyWALL's IP address changed. Table 189 PKI Logs (LOG MESSAGE / DESCRIPTION). Enrollment successful: The SCEP online certificate enrollment was successful. The Destination field records the certification authority ser...

Page 566: ... Authority Revocation List from the LDAP server whose address and port are recorded in the Source field. Rcvd data size too large. Max size allowed: <max size>: The router received directory data that was too large (the size is listed) from the LDAP server whose address and port are recorded in the Source field. The maximum size of directory data that the router allows is also recorded. Cert trusted: <subject...

Page 567: ...assword. Local User Database does not find user's credential: A user was not authenticated by the local user database because the user is not listed in the local user database. RADIUS accepts user: A user was authenticated by the RADIUS Server. RADIUS rejects user. Pls check RADIUS Server: A user was not authenticated by the RADIUS Server. Please check the RADIUS Server. Local User Database does not suppor...

Page 568: ...Z to LAN ACL set for packets traveling from the DMZ to the LAN. D to W (DMZ to WAN): ACL set for packets traveling from the DMZ to the WAN. W to D (WAN to DMZ): ACL set for packets traveling from the WAN to the DMZ. L to D (LAN to DMZ): ACL set for packets traveling from the LAN to the DMZ. L to L/ZW (LAN to LAN/ZyWALL): ACL set for packets traveling from the LAN to the LAN or the ZyWALL. W to W/ZW (WAN to WAN/ZyWA...

Page 569: ...d Network. 3: Redirect datagrams for the Type of Service and Host. 8 Echo: 0 Echo message. 11 Time Exceeded: 0 Time to live exceeded in transit; 1 Fragment reassembly time exceeded. 12 Parameter Problem: 0 Pointer indicates the error. 13 Timestamp: 0 Timestamp request message. 14 Timestamp Reply: 0 Timestamp reply message. 15 Information Request: 0 Information request message. 16 Information Reply: 0 Information r...

Page 570: ...te: The device updated the signature file successfully. The signature file's version and release date are included. The turbo card is not ready, please insert the card and reboot: The turbo card is not installed. Table 194 AV Logs (LOG MESSAGE / DESCRIPTION). HTTP Virus infected: %s: The device detected a virus in an HTTP connection. The format of %s is ID (virus ID number), virus name, filename. For example, ID: 30001 ...

Page 571: ...ile. Table 195 AS Logs (LOG MESSAGE / DESCRIPTION). Mail is in the Black List, Mail From: EMAIL_ADDRESS, Subject: MAIL_SUBJECT: An e-mail with the listed source and subject matched an anti-spam blacklist entry. Mail score is higher or equal than threshold, Spam Score: %d, Mail From: EMAIL_ADDRESS, Subject: MAIL_SUBJECT: The spam score listed for the e-mail with the listed source and subject was higher than or equal t...

Page 572: ...Mail Parser buffer is overflow: There were too many characters in a single line of an e-mail header that the device was attempting to parse. There is no available HTTP session for external database: There was not an HTTP session available to query the external database. Mail From: Email address, Subject: Mail Subject: This is the source and subject of an e-mail for which there was not an HTTP session avai...

Page 573: ...sent=sentBytes rcvd=receiveBytes dir=from:to protoID=IPProtocolID proto=serviceName trans=IPSec/Normal: This message is sent by the device when the connection session is closed. The facility is defined in the Log Settings screen. The severity is the traffic log type. The message and note always display Traffic Log. The proto field lists the service name. The dir field lists the incoming and outgoing interfac...

Page 574: ... IDP log descriptions. Event Log: <Facility*8 + Severity> Mon dd hr:mm:ss hostname src=srcIP:srcPort dst=dstIP:dstPort ob=0|1 ob_mac=mac address msg=msg note=note devID=mac address cat=Anti-Spam 1stReIP=IP: This message is sent by the device (RAS displays as the system name if you haven't configured one) at the time when this syslog is generated. The facility is defined in the web MAIN MENU LOGS Log Setting...

Page 575: ...In Windows 95/98, click Start, Settings, Control Panel, Network. Click the Identification tab, note the entry for the Computer Name field and enter it as the System Name. In Windows 2000, click Start, Settings, Control Panel and then double-click System. Click the Network Identification tab and then the Properties button. Note the entry for the Computer name field and enter it as the System Name. In Windows XP...

Page 576: ... clients on the LAN. If you leave this blank, the domain name obtained by DHCP from the ISP is used. While you must enter the host name (System Name), the domain name can be assigned from the ZyWALL via DHCP. Enter the domain name (if you know it) here. If you leave this field blank, the ISP may assign a domain name via DHCP. The domain name entered by you is given priority over the ISP-assigned domain name. A...

Page 577: ...e ZyWALL's time based on your local time zone. Figure 337 MAINTENANCE Time and Date. Table 199 MAINTENANCE Password (LABEL / DESCRIPTION). Old Password: Type the default password or the existing password you use to access the system in this field. If you forget the password, you may have to use the hardware RESET button. This restores the default password of 1234. New Password: Type your new system password (up...

Page 578: ...the time and date from the time server you specified below. Time Protocol: Select the time service protocol that your time server uses. Not all time servers support all protocols, so you may have to check with your ISP/network administrator or use trial and error to find a protocol that works. The main difference between them is the format. Daytime (RFC 867) format is day/month/year/time zone of the serve...

Page 579: ...ylight Saving Time at 2 A.M. local time. So in the United States you would select Second, Sunday, March and 2:00. Daylight Saving Time starts in the European Union on the last Sunday of March. All of the time zones in the European Union start using Daylight Saving Time at the same moment (1 A.M. GMT or UTC). So in the European Union you would select Last, Sunday, March. The time you type in the o'clock field d...

Page 580: ...n to get the time and date from the predefined time server or the time server you specified in the Time Server Address field When the System Time and Date Synchronization in Process screen appears wait up to one minute Figure 338 Synchronization in Process Click the Return button to go back to the Time and Date screen after the time and date is updated successfully Figure 339 Synchronization is Su...

Page 581: ...st A with port 1 When the bridge receives another frame on one of its ports with destination address 00a0c5123478 it forwards the frame directly through port 1 after checking the internal table The bridge takes one of these actions after it checks the destination address of an incoming frame with its internal table If the table contains an association between the destination address and any of the...

Page 582: ...nch offices since the setups at these offices are often the same and it s likely that one design can be used for many of the networks A bridging firewall could be configured at HQ sent to the branches and then installed directly without additional configuration 32 8 Configuring Device Mode Router Click MAINTENANCE Device Mode to open the following screen Use this screen to configure your ZyWALL as...

Page 583: ... Device Mode This displays whether the ZyWALL is functioning as a router or a bridge Device Mode Setup Router When the ZyWALL is in router mode there is no need to select or clear this radio button IP Address Click LAN WAN DMZ or WLAN to go to the LAN WAN DMZ or WLAN screen where you can view and or change the corresponding settings Bridge Select this radio button and configure the following field...

Page 584: ... a router or a bridge Device Mode Setup Router Select this radio button and click Apply to set the ZyWALL to router mode LAN Interface IP Address Enter the IP address of your ZyWALL s LAN port in dotted decimal notation 192 168 1 1 is the factory default LAN Interface Subnet Mask Enter the IP subnet mask of the ZyWALL s LAN port DHCP DHCP Dynamic Host Configuration Protocol RFC 2131 and RFC 2132 a...

Page 585: ...ridge mode there is no need to select or clear this radio button IP Address Click Bridge to go to the Bridge screen where you can view and or change the bridge settings Apply Click Apply to save your changes back to the ZyWALL After you click Apply please wait for one minute and use the IP address you configured in the LAN Interface IP Address field to access the ZyWALL again Reset Click Reset to ...

Page 586: ... Upload In Process The ZyWALL automatically restarts in this time causing a temporary network disconnect In some operating systems you may see the following icon on your desktop Figure 345 Network Temporarily Disconnected After two minutes log in again and check your new firmware version in the HOME screen If the upload was not successful the following screen will appear Click Return to go back to...

Page 587: ...hly recommended that you back up your configuration file before making configuration changes The backup configuration file will be useful in case you need to return to your previous settings Click Backup to save the ZyWALL s current configuration to your computer 32 11 2 Restore Configuration Load a configuration file from your computer to your ZyWALL 1 Do not turn off the ZyWALL while configurati...

Page 588: ...If you uploaded the default configuration file you may need to change the IP address of your computer to be in the same subnet as that of the default device IP address 192 168 1 1 See your Quick Start Guide for details on how to set up your computer s IP address If the upload was not successful the following screen will appear Click Return to go back to the Configuration screen Figure 350 Configur...

Page 589: ...ot Restart is different to reset see Section 32 11 3 on page 588 reset returns the device to its default configuration Figure 352 MAINTENANCE Restart 32 13 Diagnostics Use the Diagnostics screen to have the ZyWALL generate and send diagnostic files by e mail and or the console port The diagnostics files contain the ZyWALL s configuration and diagnostic information You may need to generate this fil...

Page 590: ... level Periodic Diagnostics Use these fields to set the ZyWALL to generate and send diagnostic e mails at regular intervals Even if you enable both CPU utilization based and periodic diagnostics the ZyWALL only sends one diagnostic e mail within five minutes unless you click Perform Diagnostics Now Diagnostics Frequency Set how often the ZyWALL generates and sends diagnostic files Hourly Daily Wee...

Page 591: ...nter the e mail address that you want to be in the from sender line of the diagnostic e mail message that the ZyWALL sends If you activate SMTP authentication the e mail address must be able to be authenticated by the mail server as well Send Log to Diagnostic files are sent to the e mail address specified in this field If this field is left blank diagnostic files will not be sent via e mail SMTP ...

Page 593: ...tup 639 Wireless Setup 643 Remote Node Setup 649 IP Static Route Setup 659 Network Address Translation NAT 663 Introducing the ZyWALL Firewall 683 Filter Configuration 685 SNMP Configuration 701 System Information Diagnosis 703 Firmware and Configuration File Maintenance 715 System Maintenance Menus 8 to 10 729 Remote Management 735 IP Policy Routing 739 Call Scheduling 747 ...

Page 594: ...594 Troubleshooting 751 Product Specifications 757 ...

Page 595: ... menus via console port how to navigate the SMT and how to configure SMT menus 33 2 Accessing the SMT via the Console Port Make sure you have the physical connection properly set up as described in the Quick Start Guide When configuring using the console port you need a computer equipped with communications software configured to the following parameters VT100 terminal emulation 9600 Baud No parit...

Page 596: ...efore you attempt to modify the configuration are listed in the table below Copyright c 1994 2007 ZyXEL Communications Corp initialize ch 0 ethernet address 00 A0 C5 01 23 45 initialize ch 1 ethernet address 00 A0 C5 01 23 46 initialize ch 2 ethernet address 00 A0 C5 01 23 47 initialize ch 3 ethernet address 00 A0 C5 01 23 48 initialize ch 4 ethernet address 00 00 00 00 00 00 AUX port init done Mo...

Page 597: ... fields All fields with the symbol must be filled in order to be able to save the new configuration N A fields N A Some of the fields in the SMT will show a N A This symbol refers to an option that is Not Applicable Save your configuration ENTER Save your configuration by pressing ENTER at the message Press ENTER to confirm or ESC to cancel Saving the data on the screen will take you in most cases to...

Page 598: ...n etc with this menu 5 DMZ Setup Use this menu to apply DMZ filters and configure DHCP and TCP IP settings for the DMZ port 6 Route Setup Use this menu to configure your WAN route assessment traffic redirect properties and failover parameters 7 Wireless Setup Use this menu to configure wireless security WLAN DHCP and TCP IP settings for the wireless LAN interface 11 Remote Node Setup Use this menu...

Page 599: ... IP and DHCP Ethernet Setup 5 2 1 IP Alias Setup 6 Route Setup 6 1 Route Assessment 6 2 Traffic Redirect 6 3 Route Failover 7 Wireless Setup 7 1 Wireless Setup 7 1 1 WLAN MAC Address Filter 7 2 TCP IP and DHCP Ethernet Setup 7 2 1 IP Alias Setup 11 Remote Node Setup 11 1 Remote Node Profile 11 1 2 Remote Node Network Layer Options 11 1 4 Remote Node Filter 11 2 Remote Node Profile 11 2 2 Remote No...

Page 600: ...4 2 System Information and Console Port Speed 24 2 1 System Information 24 2 2 Console Port Speed 24 3 Log and Trace 24 3 1 View Error Log 24 3 2 Syslog Logging 24 3 4 Call Triggering Packet 24 4 Diagnostic 24 5 Backup Configuration 24 6 Restore Configuration 24 7 Upload Firmware 24 7 1 Upload System Firmware 24 7 2 Upload System Configuration File 24 8 Command Interpreter Mode 24 9 Call Control 2...

Page 601: ...assword and press ENTER 4 Re type your new system password for confirmation and press ENTER Note that as you type a password the screen displays an x for each character you type 33 5 Resetting the ZyWALL See Section 2 3 on page 63 for directions on resetting the ZyWALL Menu 23 System Password Old Password New Password Retype to confirm Enter here to CONFIRM or ESC to CANCEL ...

Page 603: ...evice Mode Router Mode Edit Dynamic DNS No Press ENTER to Confirm or ESC to Cancel Table 210 Menu 1 General Setup Router Mode FIELD DESCRIPTION System Name Choose a descriptive name for identification purposes It is recommended you enter your computer s Computer name in this field This name can be up to 30 alphanumeric characters long Spaces are not allowed but dashes and underscores _ are accepte...

Page 604: ...Name Device Mode Bridge Mode IP Address 192 168 1 1 Network Mask 255 255 255 0 Gateway 0 0 0 0 First System DNS Server IP Address 0 0 0 0 Second System DNS Server IP Address 0 0 0 0 Third System DNS Server IP Address 0 0 0 0 Press ENTER to Confirm or ESC to Cancel Table 211 Menu 1 General Setup Bridge Mode FIELD DESCRIPTION Device Mode Press SPACE BAR and then ENTER to select Bridge Mode IP Addres...

Page 605: ...up 3 Press SPACE BAR to select Yes in the Edit Dynamic DNS field Press ENTER to display Menu 1 1 Configure Dynamic DNS 4 Press SPACE BAR and then ENTER to select Yes in the Edit Host field Press ENTER to display Menu 1 1 1 DDNS Host Summary Menu 1 1 Configure Dynamic DNS Service Provider WWW DynDNS ORG Active No Username Password Edit Host No Press ENTER to Confirm or ESC to Cancel Table 212 Menu ...

Page 606: ...__ _______________________________________________________ Select Command None Select Rule N A Press ENTER to Confirm or ESC to Cancel Table 213 Menu 1 1 1 DDNS Host Summary FIELD DESCRIPTION This is the DDNS host index number Summary This displays the details about the DDNS host Select Command Press SPACE BAR to choose from None Edit Delete Next Page or Previous Page and then press ENTER You must...

Page 607: ...eld is only available when CustomDNS is selected in the DDNS Type field Press SPACE BAR and then ENTER to select Yes When Yes is selected http www dyndns org traffic is redirected to a URL that you have previously specified see www dyndns org for details Bind WAN Enter the WAN to use for updating the IP address of the domain name HA Press SPACE BAR and then ENTER to select Yes to enable the high a...

Page 608: ...e one or more NAT routers between the ZyWALL and the DDNS server Press SPACE BAR to select Yes and then press ENTER to have the DDNS server automatically detect and use the IP address of the NAT router that has a public IP address Note The DDNS server may not be able to detect the proper IP address if there is an HTTP proxy server between the ZyWALL and the DDNS server Use User Defined Press SPACE...

Page 609: ... to configure settings for your dial backup connection using the SMT menus 35 2 WAN Setup From the main menu enter 2 to open menu 2 Figure 364 MAC Address Cloning in WAN Setup Menu 2 WAN Setup WAN 1 MAC Address Assigned By Factory default IP Address N A WAN 2 MAC Address Assigned By Factory default IP Address N A Dial Backup Active No Port Speed 115200 AT Command String Init at fs0 0 Edit Advanc...

Page 610: ...alternate backup WAN connection 35 3 1 Configuring Dial Backup in Menu 2 From the main menu enter 2 to open menu 2 Table 215 MAC Address Cloning in WAN Setup FIELD DESCRIPTION WAN 1 2 MAC Address Assigned By Press SPACE BAR and then ENTER to choose one of two methods to assign a MAC Address Choose Factory Default to select the factory assigned default MAC Address Choose IP address attached on LAN ...

Page 611: ...SCRIPTION Dial Backup Active Use this field to turn the dial backup feature on Yes or off No Port Speed Press SPACE BAR and then press ENTER to select the speed of the connection between the Dial Backup port and the external device Available speeds are 9600 19200 38400 57600 115200 or 230400 bps AT Command String Init Enter the AT command string to initialize the WAN device Consult the manual of y...

Page 612: ...tup AT Commands Fields FIELD DESCRIPTION AT Command Strings Dial Enter the AT Command string to make a call Drop Enter the AT Command string to drop a call represents a one second wait e g ath can be used if your modem has a slow response time Answer Enter the AT Command string to answer a call Drop DTR When Hang Up Press the SPACE BAR to choose either Yes or No When Yes is selected the default th...

Page 613: ...number Retry Interval sec Enter a number of seconds for the ZyWALL to wait before trying another call after a call has failed This applies before a phone number is blacklisted Drop Timeout sec Enter a number of seconds for the ZyWALL to wait before dropping the DTR signal if it does not receive a positive disconnect confirmation Call Back Delay sec Enter a number of seconds for the ZyWALL to wait ...

Page 614: ...mation Edit Script Options Press SPACE BAR to select Yes and press ENTER to edit the AT script for the dial backup remote node Menu 11 3 3 Remote Node Script See Section 35 3 5 on page 616 for more information Telco Option Allocated Budget Enter the maximum number of minutes that this remote node may be called within the time period configured in the Period field The default for this field is 0 me...

Page 615: ...n None Version N A Multicast None Enter here to CONFIRM or ESC to CANCEL Table 220 Menu 11 3 2 Remote Node Network Layer Options FIELD DESCRIPTION IP Address Assignment If your ISP did not assign you a fixed IP address press SPACE BAR and then ENTER to select Dynamic otherwise select Static and enter the IP address and subnet mask in the following fields Rem IP Address Enter the fixed IP address a...

Page 616: ...T Lookup Set If you select SUA Only in the Network Address Translation field it displays 255 and indicates the SMT will use the pre configured Set 255 read only in menu 15 1 If you select Full Feature or None in the Network Address Translation field it displays 1 2 or 3 and indicates the SMT will use the pre configured Set 1 in menu 15 1 for the first WAN port Set 2 in menu 15 1 for the second WAN...

Page 617: ...ore it proceeds to set 2 and so on for the rest of the script When both the Expect and the Send fields of the current set are empty the ZyWALL will terminate the script processing and start PPP negotiation This implies two things first the sets must be contiguous the sets after an empty one are ignored Second the last set should match the final message sent by the server For instance if the server...

Page 618: ...tched wireless technology Bandwidth usage is optimized as multiple users share the same channel and bandwidth is only allocated to users when they send data It allows fast transfer of voice and non voice data and provides broadband Internet access to mobile devices See Section 8 13 on page 189 for more information To set up a 3G connection you need to configure 1 Menu 2 WAN Setup 2 Menu 11 2 Remot...

Page 619: ...ncel Table 222 3G Modem Setup in WAN Setup ZyWALL 5 FIELD DESCRIPTION 3G Modem Setup Init Press SPACE BAR and then ENTER to select Configure directly if your ISP provides the initial string or you know how to configure it Only use this option with a GSM 3G card Select Configure APN if your ISP gave you an APN Access Point Name to use Init This field displays when you select Configure directly in t...

Page 620: ...When you have completed this menu press ENTER at the prompt Press ENTER to Confirm to save your configuration or press ESC at any time to cancel Table 222 3G Modem Setup in WAN Setup ZyWALL 5 continued FIELD DESCRIPTION Menu 11 2 Remote Node Profile 3G WAN Rem Node Name WAN 2 Active Yes Edit IP No Outgoing Edit Script Options No My Login test My Password Retype to Confirm Authen CHAP PAP Pri Phone...

Page 621: ...tion Edit Script Options Press SPACE BAR to select Yes and press ENTER to edit the AT script for the dial backup remote node Menu 11 3 3 Remote Node Script See Section 35 3 5 on page 616 for more information Always On Press SPACE BAR to select Yes to set this connection to be on all the time regardless of whether or not there is any traffic Select No to have this connection act as a dial up connec...

Page 623: ...essing the LAN Menus From the main menu enter 3 to open Menu 3 LAN Setup Figure 373 Menu 3 LAN Setup 36 3 LAN Port Filter Setup This menu allows you to specify the filter sets that you wish to apply to the LAN traffic You seldom need to filter the LAN traffic however the filter sets may be useful to block certain packets reduce traffic and prevent security breaches Menu 3 LAN Setup 1 LAN Port Filt...

Page 624: ...nd DHCP Setup From menu 3 select the submenu option TCP IP and DHCP Setup and press ENTER The screen now displays Menu 3 2 TCP IP and DHCP Ethernet Setup as shown next Not all fields are available on all models Menu 3 1 LAN Port Filter Setup Input Filter Sets protocol filters device filters Output Filter Sets protocol filters device filters Press ENTER to Confirm or ESC to Cancel Menu 3 LAN Setup ...

Page 625: ...u 3 2 DHCP Ethernet Setup Fields FIELD DESCRIPTION DHCP This field enables disables the DHCP server If set to Server your ZyWALL will act as a DHCP server If set to None the DHCP server will be disabled If set to Relay the ZyWALL acts as a surrogate DHCP server and relays requests and responses between the remote server and the clients When set to Server the following items need to be set Client I...

Page 626: ... ENTER to select the RIP version Options are RIP 1 RIP 2B or RIP 2M Multicast IGMP Internet Group Management Protocol is a session layer protocol used to establish membership in a Multicast group The ZyWALL supports both IGMP version 1 IGMP v1 and version 2 IGMP v2 Press SPACE BAR and then ENTER to enable IP Multicasting or select None default to disable it Edit IP Alias The ZyWALL supports three ...

Page 627: ...enting subnetting use the subnet mask computed by the ZyWALL RIP Direction Press SPACE BAR and then ENTER to select the RIP direction Options are Both In Only Out Only or None Version Press SPACE BAR and then ENTER to select the RIP version Options are RIP 1 RIP 2B or RIP 2M Incoming Protocol Filters Enter the filter set s you wish to apply to the incoming traffic between this node and the ZyWALL ...

Page 629: ...r ZyWALL to access the Internet There are three different menu 4 screens depending on whether you chose Ethernet PPTP or PPPoE Encapsulation Contact your ISP to determine what encapsulation type you should use This menu configures WAN 1 on a ZyWALL with multiple WAN ports Configure the WAN 2 port in Menu 11 2 Remote Node Profile or in the WAN WAN 2 screen via the web configurator 37 2 Ethernet Enc...

Page 630: ...our ISP is Time Warner s RoadRunner otherwise choose Standard Note DSL users must choose the Standard option only The My Login My Password and Login Server fields are not applicable in this case My Login Enter the login name given to you by your ISP My Password Type your password again for confirmation Retype to Confirm Enter your password again to make sure that you have entered it correctly Logi...

Page 631: ...in one network for example a private IP address used in a local network to a different IP address known within another network for example a public IP address used on the Internet Choose None to disable NAT Choose SUA Only if you have a single public IP address SUA Single User Account is a subset of NAT that supports two types of mapping Many to One and Server Choose Full Feature if you have multi...

Page 632: ...on PPTP Service Type N A My Login My Password Retype to Confirm Idle Timeout 100 IP Address Assignment Dynamic IP Address N A IP Subnet Mask N A Gateway IP Address N A Network Address Translation SUA Only Press ENTER to Confirm or ESC to Cancel Table 228 New Fields in Menu 4 PPTP Screen FIELD DESCRIPTION Encapsulation Press SPACE BAR and then press ENTER to choose PPTP The encapsulation method inf...

Page 633: ...rom the Internet You may deactivate the firewall in menu 21 2 or via the ZyWALL embedded web configurator You may also define additional firewall rules or modify existing ones but please exercise extreme caution in doing so See the chapters on firewall for more information on the firewall Menu 4 Internet Access Setup ISP s Name WAN_1 Encapsulation PPPoE Service Type N A My Login My Password Retype...

Page 635: ...Setup 38 2 DMZ Port Filter Setup This menu allows you to specify the filter sets that you wish to apply to your public server s traffic Figure 382 Menu 5 1 DMZ Port Filter Setup Menu 5 DMZ Setup 1 DMZ Port Filter Setup 2 TCP IP and DHCP Setup Enter Menu Selection Number Menu 5 1 DMZ Port Filter Setup Input Filter Sets protocol filters device filters Output Filter Sets protocol filters device filte...

Page 636: ...e 384 Menu 5 2 TCP IP and DHCP Ethernet Setup The DHCP and TCP IP setup fields are the same as the ones in Menu 3 2 TCP IP and DHCP Ethernet Setup Each public server will need a unique IP address Refer to Section 36 4 on page 624 for information on how to configure these fields Menu 5 DMZ Setup 1 DMZ Port Filter Setup 2 TCP IP and DHCP Setup Enter Menu Selection Number Menu 5 2 TCP IP and DHCP Eth...

Page 637: ...R to open Menu 5 2 1 IP Alias Setup as shown next Use this menu to configure the second and third networks Figure 385 Menu 5 2 1 IP Alias Setup Refer to Table 226 on page 627 for instructions on configuring IP alias parameters Menu 5 2 1 IP Alias Setup IP Alias 1 No IP Address N A IP Subnet Mask N A RIP Direction N A Version N A Incoming protocol filters N A Outgoing protocol filters N A IP Alias ...

Page 639: ... traffic redirect properties Figure 387 Menu 6 1 Route Assessment Menu 6 Route Setup 1 Route Assessment 2 Traffic Redirect 3 Route Failover Enter Menu Selection Number Menu 6 1 Route Assessment Probing WAN 1 Check Point Yes Use Default Gateway as Check Point Yes Check Point N A Probing WAN 2 Check Point Yes Use Default Gateway as Check Point Yes Check Point N A Probing Traffic Redirection Check Po...

Page 640: ... a domain name or IP address of a reliable nearby computer for example your ISP s DNS server address in the Check Point field the ZyWALL will use the default gateway IP address When you have completed this menu press ENTER at the prompt Press ENTER to Confirm to save your configuration or press ESC at any time to cancel Menu 6 2 Traffic Redirect Active No Configuration Backup Gateway IP Address 0 ...

Page 641: ... field of menu 6 1 or the default gateway Allow more time if your destination IP address handles lots of traffic Timeout Type the number of seconds for your ZyWALL to wait for a ping response from the IP address in the Check Point field of menu 6 1 before it times out The WAN connection is considered down after the ZyWALL times out the number of times specified in the Fail Tolerance field Use a hi...

Page 643: ...he wireless settings of your computer to match the ZyWALL s new settings From the main menu enter 7 to open Menu 7 WLAN Setup to configure the Wireless LAN setup To edit the wireless LAN configuration enter 1 to open Menu 7 1 Wireless Setup as shown next Figure 390 Menu 7 1 Wireless Setup Menu 7 1 Wireless Setup Enable Wireless LAN No Bridge Channel WLAN ESSID ZyXEL Hide ESSID No Channel ID CH06 2...

Page 644: ...characters for the wireless LAN Hide ESSID Press SPACE BAR to select Yes to hide the ESSID in the outgoing beacon frame so a station cannot obtain the ESSID through passive scanning Channel ID This allows you to set the operating frequency channel depending on your particular region Use the SPACE BAR to select a channel RTS Threshold Use RTS CTS to reduce data collisions on the wireless network if...

Page 645: ...n field then enter any 5 ASCII characters or 10 hexadecimal characters 0 9 A F If you chose 128 bit WEP in the WEP Encryption field then enter 13 ASCII characters or 26 hexadecimal characters 0 9 A F Note Enter 0x before the key to denote a hexadecimal key Don t enter 0x before the key to denote an ASCII key Edit MAC Address Filter Press SPACE BAR to select Yes and then press ENTER to display menu...

Page 646: ...s SPACE BAR to select Yes and press ENTER Filter Action Define the filter action for the list of MAC addresses in the MAC address filter table To deny access to the ZyWALL press SPACE BAR to select Deny Association and press ENTER MAC addresses not listed will be allowed to access the router The default action Allowed Association permits association with the ZyWALL MAC addresses not listed will be...

Page 647: ...T for the WLAN port see Chapter 43 on page 663 in menus 15 1 and 15 2 40 2 2 IP Alias Setup You must use menu 7 2 to configure the first network Move the cursor to the Edit IP Alias field press SPACE BAR to choose Yes and press ENTER to configure the second and third network Pressing ENTER opens Menu 7 2 1 IP Alias Setup as shown next Menu 7 2 TCP IP and DHCP Ethernet Setup DHCP None TCP IP Setup ...

Page 648: ...Refer to Table 226 on page 627 for instructions on configuring IP alias parameters Menu 7 2 1 IP Alias Setup IP Alias 1 No IP Address N A IP Subnet Mask N A RIP Direction N A Version N A IP Alias 2 No IP Address N A IP Subnet Mask N A RIP Direction N A Version N A Enter here to CONFIRM or ESC to CANCEL ...

Page 649: ... menu option 11 to open Menu 11 Remote Node Setup shown below On a ZyWALL with multiple WAN ports enter 1 or 2 to open Menu 11 x Remote Node Profile and configure the setup for your first or second WAN port Enter 3 to open Menu 11 3 Remote Node Profile Backup ISP and configure the setup for your Dial Backup port connection see Chapter 35 on page 609 On a ZyWALL with a single WAN port and a 3G card...

Page 650: ... N A Retype to Confirm N A Server N A Relogin Every min N A Press ENTER to Confirm or ESC to Cancel Table 235 Menu 11 1 Remote Node Profile for Ethernet Encapsulation FIELD DESCRIPTION Rem Node Name Enter a descriptive name for the remote node This field can be up to eight characters Active Press SPACE BAR and then ENTER to select Yes activate remote node or No deactivate remote node Encapsulation...

Page 651: ...le when you select Telia Login in the Service Type field The Telia server logs the ZyWALL out if the ZyWALL does not log in periodically Type the number of minutes from 1 to 59 30 recommended for the ZyWALL to wait between logins Route This field refers to the protocol that will be routed by your ZyWALL IP is the only option for the ZyWALL Edit IP This field leads to a hidden menu Press SPACE BAR ...

Page 652: ... dial up line where the connection is always up regardless of traffic demand The ZyWALL does two things when you specify a nailed up connection The first is that idle timeout is disabled The second is that the ZyWALL will try to bring up the connection when turned on and whenever the connection is down A nailed up connection can be very expensive for obvious reasons Do not specify a nailed up conn...

Page 653: ...ted Budget The field sets a ceiling for outgoing call time for this remote node The default for this field is 0 meaning no budget control Period hr This field is the time period that the budget should be reset For example if we are allowed to call this remote node for a maximum of 10 minutes every hour then the Allocated Budget is 10 minutes and the Period hr is 1 hour Schedules You can apply up t...

Page 654: ...255 255 0 Idle Timeout sec 100 Server IP Addr 10 0 0 138 Connection ID Name Press ENTER to Confirm or ESC to Cancel Table 237 Menu 11 1 Remote Node Profile for PPTP Encapsulation FIELD DESCRIPTION Encapsulation Press SPACE BAR and then ENTER to select PPTP You must also go to menu 11 3 to check the IP Address setting once you have selected the encapsulation method My IP Addr Enter the IP address o...

Page 655: ...ernet encapsulation only Enter the gateway IP address assigned to you if you are using a static IP address My WAN Addr This field is applicable to PPPoE and PPTP encapsulations only Some implementations especially the UNIX derivatives require the WAN link to have a separate IP network number from the LAN and each end must have a unique address within the WAN network number If this is the case ente...

Page 656: ...ber from 1 to 15 to set this route s priority among the ZyWALL s routes see Section 8 6 on page 172 The smaller the number the higher priority the route has Private This field is valid only for PPTP PPPoE encapsulation This parameter determines if the ZyWALL will include the route to this remote node in its RIP broadcasts If set to Yes this route is kept private and not included in RIP broadcast I...

Page 657: ...lation Menu 11 1 4 Remote Node Filter Input Filter Sets protocol filters device filters Output Filter Sets protocol filters device filters Enter here to CONFIRM or ESC to CANCEL Menu 11 1 4 Remote Node Filter Input Filter Sets protocol filters device filters Output Filter Sets protocol filters device filters Call Filter Sets protocol filters device filters Enter here to CONFIRM or ESC to CANCEL ...

Page 659: ... of the IP static routes as shown next to configure IP static routes in menu 12 1 The first two static route entries are for default WAN1 and WAN2 routes on a ZyWALL with multiple WAN interfaces You cannot modify or delete a static default route The default route is disabled after you change the static WAN IP address to a dynamic WAN IP address The before a route name indicates the static route is...

Page 660: ... [Menu 12 static route summary: numbered route slots 1 to 45 in three columns, all blank] Enter selection number Menu 12 1 Edit IP Static Route Route 3 Route Name Active No Destinati...

Page 661: ... LAN the gateway must be a router on the same segment as your ZyWALL over the WAN the gateway must be the IP address of one of the remote nodes Metric Enter a number from 1 to 15 to set this route s priority among the ZyWALL s routes see Section 8 6 on page 172 The smaller the number the higher priority the route has Private This parameter determines if the ZyWALL will include the route to this re...

Page 663: ...ng Many to One and Server See Section 43 2 1 on page 666 for a detailed description of the NAT set for SUA The ZyWALL also supports Full Feature NAT to map multiple global IP addresses to multiple private LAN IP addresses of clients or servers using mapping types Choose SUA Only if you have just one public WAN IP address for your ZyWALL Choose Full Feature if you have multiple public WAN IP addres...

Page 664: ...ng NAT to the Remote Node Menu 4 Internet Access Setup ISP s Name ChangeMe Encapsulation Ethernet Service Type Standard My Login N A My Password N A Retype to Confirm N A Login Server N A Relogin Every min N A IP Address Assignment Dynamic IP Address N A IP Subnet Mask N A Gateway IP Address N A Network Address Translation SUA Only Press ENTER to Confirm or ESC to Cancel Menu 11 1 2 Remote Node Ne...

Page 665: ...up the following screen. On a ZyWALL with two WAN interfaces you can configure port forwarding and trigger port rules for the first WAN interface and separate sets of rules for the second WAN interface. Figure 406 Menu 15 - NAT Setup. Table 240 Applying NAT in Menus 4 and 11.1.2. FIELD | DESCRIPTION | OPTIONS. Network Address Translation: When you select this option the SMT will use Address Mapping Set 1 (menu 15...

Page 666: ...pping Set. Enter 255 to display the next screen (see also Section 43.1.1 on page 663). The fields in this menu cannot be changed. Figure 408 Menu 15.1.255 - SUA Address Mapping Rules. The following table explains the fields in this menu. Menu 15.1 - Address Mapping Sets: 1. NAT_SET; 2. example; 255. SUA (read only). Enter Menu Selection Number. Menu 15.1.255 - Address Mapping Rules: Set Name= SUA. Idx | Local Start IP | Local ...

Page 667: ...he name of the set you selected in menu 15.1, or enter the name of a new set you want to create. Idx: This is the index or rule number. Local Start IP: Local Start IP is the starting local IP address (ILA). Local End IP: Local End IP is the ending local IP address (ILA). If the rule is for all local IPs, then the start IP is 0.0.0.0 and the end IP is 255.255.255.255. Global Start IP: This is the starting global ...

Page 668: ...s the corresponding action and the remaining rules are ignored. If there are any empty rules before your newly configured rule, your configured rule will be pushed up by that number of empty rules. For example, if you have already configured rules 1 to 6 in your current set and now you configure rule number 9, in the set summary screen the new rule will be rule 7, not 9. Menu 15.1.1 - Address Mapping Rules: S...

Page 669: ...lds in Menu 15.1.1. FIELD | DESCRIPTION. Set Name: Enter a name for this set of rules. This is a required field; if this field is left blank, the entire set will be deleted. Action: Press SPACE BAR to choose from None, Edit, Insert Before, Delete, Go To Rule, Next Page or Previous Page, and then press ENTER. You must select a rule in the next field when you choose the Edit, Insert Before, Delete or Go To Rule comman...

Page 670: ...n page 675 for an example. Local IP: Only local IP fields are N/A for Server; Global IP fields MUST be set for Server. Start: Enter the starting local IP address (ILA). End: Enter the ending local IP address (ILA). If the rule is for all local IPs, then put the Start IP as 0.0.0.0 and the End IP as 255.255.255.255. This field is N/A for One-to-One and Server types. Global IP Start: Enter the starting global IP ad...

Page 671: ...Sets. 3. Enter 1 or 2 to go to Menu 15.2.x - NAT Server Setup and configure the address mapping rules for the WAN 1 or WAN 2 interface on a ZyWALL with multiple WAN interfaces. Figure 412 Menu 15.2.x - NAT Server Sets. Menu 15.2 - NAT Server Sets: 1. Server Set 1; 2. Server Set 2. Enter Set Number to Edit. Menu 15.2.1 - NAT Server Setup: Default Server= 0.0.0.0. Rule | Act | Start Port | End Port | IP Address. 001 | No | 0 | 0 | 0.0.0...

Page 672: ...press ESC at any time to cancel. 15.2.1.2 - NAT Server Configuration: Wan= 1; Index= 2; Name= 1; Active= Yes; Start port= 21; End port= 25; IP Address= 192.168.1.33. Press ENTER to Confirm or ESC to Cancel. Table 244 15.2.x.x NAT Server Configuration. FIELD | DESCRIPTION. WAN: On a ZyWALL with two WAN ports you can configure port forwarding and trigger port rules for the first WAN port and separate sets of rules for the ...

Page 673: ...on 43.4.1 Internet Access Only. In the following Internet access example you only need one rule, where all your ILAs (Inside Local Addresses) map to one dynamic IGA (Inside Global Address) assigned by your ISP. Menu 15.2.1 - NAT Server Setup: Default Server= 0.0.0.0. Rule | Act | Start Port | End Port | IP Address. 001 | No | 0 | 0 | 0.0.0.0; 002 | Yes | 21 | 25 | 192.168.1.33; 003 | No | 0 | 0 | 0.0.0.0; 004 | No | 0 | 0 | 0.0.0.0; 005 | No | 0 | 0 | 0.0.0.0; 0...

Page 674: ...43.4 on page 673. The SUA Only (read only) option from the Network Address Translation field in menus 4 and 11.3 is specifically pre-configured to handle this case. Menu 4 - Internet Access Setup: ISP's Name= ChangeMe; Encapsulation= Ethernet; Service Type= Standard; My Login= N/A; My Password= N/A; Retype to Confirm= N/A; Login Server= N/A; Relogin Every (min)= N/A; IP Address Assignment= Dynamic; IP Address= N/A; IP Subnet ...

Page 675: ...ve one IGA for each department with an FTP server, and all departments use the other IGA. Map the FTP servers to the first two IGAs and the other LAN traffic to the remaining IGA. Map the third IGA to an inside web server and mail server. Four rules need to be configured, two bi-directional and two uni-directional, as follows: 1. Map the first IGA to the first inside FTP server for FTP traffic in both dir...

Page 676: ...Mapping Set 1 from Menu 15.1 - Address Mapping Sets. Therefore you must choose the Full Feature option from the Network Address Translation field in menu 4 or menu 11.3 (in Figure 421 on page 677). 2. Then enter 15 from the main menu. 3. Enter 1 to configure the Address Mapping Sets. 4. Enter 1 to begin configuring this new set. Enter a Set Name, choose the Edit Action and then enter 1 for the Select Rule fiel...

Page 677: ...ayer Options: IP Address Assignment= Dynamic; IP Address= N/A; IP Subnet Mask= N/A; Gateway IP Addr= N/A; Network Address Translation= SUA Only; NAT Lookup Set= 255; Metric= 1; Private= N/A; RIP Direction= None; Version= N/A; Multicast= None. Enter here to CONFIRM or ESC to CANCEL. Menu 15.1.1.1 - Address Mapping Rule: Type= One-to-One; Local IP: Start= 192.168.1.10, End= N/A; Global IP: Start= 10.132.50.1, End= N/A; Server Mapping Set...

Page 678: ... Example3. Idx | Local Start IP | Local End IP | Global Start IP | Global End IP | Type. 1 | 192.168.1.10 | | 10.132.50.1 | | 1-1; 2 | 192.168.1.11 | | 10.132.50.2 | | 1-1; 3 | 0.0.0.0 | 255.255.255.255 | 10.132.50.3 | | M-1; 4 | | | 10.132.50.3 | | Server; 5 to 10 empty. Action= Edit; Select Rule= . Press ENTER to Confirm or ESC to Cancel. Menu 15.2.1 - NAT Server Setup: Default Server= 0.0.0.0. Rule | Act | Start Port | End Port | IP Address. 001 | Yes | 80 | 80 | 192.168.1.21; 00...

Page 679: ...s such as some gaming programs are NAT-unfriendly because they embed addressing information in the data stream. These applications won't work through NAT even when using One-to-One and Many-One-to-One mapping types. Follow the steps outlined in example 3 above to configure these two menus as follows. Figure 426 Example 4: Menu 15.1.1.1 - Address Mapping Rule. After you've configured your rule you should ...
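The way the example 3 address-mapping set and NAT server set above translate packets, as an added Python model (not ZyNOS code and not from this guide): it implements the One-to-One, Many-to-One and Server types and the first-match rule order stated on page 668, leaves out the other mapping types, and the port 25 server entry, the inside mail host 192.168.1.22 and all packet addresses and ports are constructed for the example.

```python
from dataclasses import dataclass, field
from ipaddress import IPv4Address
from typing import Dict, List, Optional, Tuple

ANY_LOCAL = ("0.0.0.0", "255.255.255.255")   # "all local IPs", as the menus express it


@dataclass(frozen=True)
class MapRule:
    """One row of Menu 15.1.1 (Address Mapping Rules)."""
    type: str                        # "One-to-One" | "Many-to-One" | "Server"
    global_start: str
    local_start: str = "0.0.0.0"     # N/A for Server
    local_end: Optional[str] = None  # only Many-to-One uses a range

    def covers(self, ila: str) -> bool:
        """Does this rule's local range contain the inside local address?"""
        if self.type == "One-to-One":
            return ila == self.local_start
        if self.type == "Many-to-One":
            lo, hi = IPv4Address(self.local_start), IPv4Address(self.local_end)
            return lo <= IPv4Address(ila) <= hi
        return False                 # Server rules never match outbound traffic


@dataclass
class ZyNat:
    mapping_set: List[MapRule]
    server_set: List[Tuple[int, int, str]]   # (start port, end port, inside IP), Menu 15.2.x
    default_server: str = "0.0.0.0"          # 0.0.0.0 = no default server
    _pat: Dict[Tuple[str, int], Tuple[str, int]] = field(default_factory=dict)
    _next_port: int = 1024

    def outbound(self, ila: str, sport: int) -> Optional[Tuple[str, int]]:
        """Translate (local address, port) of an outgoing packet; None = no rule matched."""
        for rule in self.mapping_set:        # first matching rule wins, the rest are ignored
            if not rule.covers(ila):
                continue
            if rule.type == "One-to-One":
                return rule.global_start, sport
            # Many-to-One (SUA): reuse an existing binding or allocate a fresh global port
            for gkey, lkey in self._pat.items():
                if lkey == (ila, sport):
                    return gkey
            gkey = (rule.global_start, self._next_port)
            self._next_port += 1
            self._pat[gkey] = (ila, sport)
            return gkey
        return None

    def inbound(self, iga: str, dport: int) -> Optional[Tuple[str, int]]:
        """Translate the destination of a packet arriving from the WAN; None = dropped."""
        if (iga, dport) in self._pat:                    # reply to a Many-to-One flow
            return self._pat[(iga, dport)]
        for rule in self.mapping_set:
            if rule.global_start != iga:
                continue
            if rule.type == "One-to-One":                # bi-directional mapping
                return rule.local_start, dport
            if rule.type == "Server":                    # consult the NAT server set
                for start, end, inside in self.server_set:
                    if start <= dport <= end:
                        return inside, dport
                if self.default_server != "0.0.0.0":
                    return self.default_server, dport
                return None
        return None


# Example 3 from the text: two FTP hosts get their own IGAs, everyone else shares the third,
# and the third IGA also fronts inside servers (web on 192.168.1.21; the mail row is constructed).
EXAMPLE3 = ZyNat(
    mapping_set=[
        MapRule("One-to-One", "10.132.50.1", "192.168.1.10"),
        MapRule("One-to-One", "10.132.50.2", "192.168.1.11"),
        MapRule("Many-to-One", "10.132.50.3", *ANY_LOCAL),
        MapRule("Server", "10.132.50.3"),
    ],
    server_set=[(80, 80, "192.168.1.21"), (25, 25, "192.168.1.22")],
)


def misordered() -> Optional[Tuple[str, int]]:
    """Put the catch-all Many-to-One rule first: the FTP host no longer gets its own IGA."""
    nat = ZyNat(mapping_set=[EXAMPLE3.mapping_set[2], EXAMPLE3.mapping_set[0]], server_set=[])
    return nat.outbound("192.168.1.10", 21)
```

Two points the model makes visible: rule order is part of the security policy (the catch-all rule must come after the specific ones, or the specific ones are dead), and a Server rule exposes exactly the server-set port ranges, so a range such as the 21-25 entry on page 672 opens ports 22, 23 and 24 to the same inside host as well; keep server-set ranges as narrow as the service needs.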

Page 680: ...that sends traffic to the WAN to request a service with a specific port number and protocol (a "trigger port"). When the ZyWALL's WAN port receives a response with a specific port number and protocol ("incoming port"), the ZyWALL forwards the traffic to the LAN IP address of the computer that sent the request. After that computer's connection for that service closes, another computer on the LAN can use the se...

Page 681: ...el: HTTP 80, FTP 21, Telnet 23, SMTP 25, POP3 110, PPTP 1723. Table 245 Menu 15.3.1 - Trigger Port Setup. FIELD | DESCRIPTION. Rule: This is the rule index number. Name: Enter a unique name for identification purposes. You may enter up to 15 characters in this field; all characters are permitted, including spaces. Incoming: Incoming is a port or a range of ports that a server on the WAN uses when it sends out a partic...

Page 682: ... Guide 682. End Port: Enter a port number or the ending port number in a range of port numbers. Press ENTER at the message "Press ENTER to Confirm" to save your configuration, or press ESC at any time to cancel. Table 245 Menu 15.3.1 - Trigger Port Setup (continued). FIELD | DESCRIPTION ...
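The trigger-port behaviour described on page 680 (one LAN host holds the rule until its connection closes, then another host may take it) as an added Python state machine; this is example code, not ZyNOS code, and the rule name, the trigger port 6970 and the incoming range 7000-7010 are constructed.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional


@dataclass(frozen=True)
class TriggerRule:
    """One row of Menu 15.3.1: the outgoing (trigger) range arms the incoming range."""
    name: str
    trigger_start: int
    trigger_end: int
    incoming_start: int
    incoming_end: int


@dataclass
class TriggerPortTable:
    rules: List[TriggerRule]
    armed: Dict[str, str] = field(default_factory=dict)   # rule name -> LAN IP holding it

    def outbound(self, lan_ip: str, dport: int) -> Optional[str]:
        """A LAN host sends to the WAN: if the port hits a trigger range the rule is armed for it."""
        for r in self.rules:
            if r.trigger_start <= dport <= r.trigger_end:
                # Only one LAN host holds a rule until its connection closes; a second
                # host that triggers the same rule meanwhile does not take it over.
                self.armed.setdefault(r.name, lan_ip)
                return self.armed[r.name]
        return None

    def inbound(self, dport: int) -> Optional[str]:
        """A WAN packet arrives: forward to the host that armed the matching rule, else drop."""
        for r in self.rules:
            if r.incoming_start <= dport <= r.incoming_end and r.name in self.armed:
                return self.armed[r.name]
        return None

    def close(self, lan_ip: str) -> None:
        """The holder's connection closes; the rule becomes available to another LAN host."""
        for name in [n for n, ip in self.armed.items() if ip == lan_ip]:
            del self.armed[name]


def scenario() -> List[Optional[str]]:
    """Walk the sequence described in the text; returns where each WAN packet was forwarded."""
    t = TriggerPortTable([TriggerRule("example", 6970, 6970, 7000, 7010)])
    out = []
    out.append(t.inbound(7005))             # nothing armed yet -> None (dropped)
    t.outbound("192.168.1.33", 6970)        # first host triggers the rule
    out.append(t.inbound(7005))             # -> 192.168.1.33
    t.outbound("192.168.1.34", 6970)        # second host cannot take the rule over
    out.append(t.inbound(7005))             # still 192.168.1.33
    t.close("192.168.1.33")                 # first host's connection closes
    t.outbound("192.168.1.34", 6970)        # now the second host holds it
    out.append(t.inbound(7005))             # -> 192.168.1.34
    out.append(t.inbound(7011))             # outside the incoming range -> None
    return out
```

Note what the model, like the description on page 680, does not check: while a rule is armed, any WAN source that hits the incoming range is forwarded to the LAN host, not only the server that host contacted, so the incoming range should be no wider than the application needs.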

Page 683: ...the screen shown next. Figure 429 Menu 21 - Filter and Firewall Setup. 44.1.1 Activating the Firewall. Enter option 2 in this menu to bring up the following screen. Press SPACE BAR and then ENTER to select Yes in the Active field to activate the firewall. The firewall must be active to protect against Denial of Service (DoS) attacks. Use the web configurator to configure firewall rules. Menu 21 - Filter and Fi...

Page 684: ...protects against Denial of Service (DoS) attacks when it is active. Your network is vulnerable to attacks when the firewall is turned off. Refer to the User's Guide for details about the firewall default policies. You may define additional policy rules or modify existing ones, but please exercise extreme caution in doing so. Active= Yes. You can use the Web Configurator to configure the firewall. Press ENTE...

Page 685: ...ass. Data filters are divided into incoming and outgoing filters, depending on the direction of the packet relative to a port. Data filtering can be applied on either the WAN side or the LAN side. Call filtering is used to determine if a packet should be allowed to trigger a call. Remote node call filtering is only applicable when using PPPoE encapsulation. Outgoing packets must undergo data filtering b...

Page 686: ...ilter rules and protocol filter rules within the same set. You can apply up to four filter sets to a particular port to block multiple types of packets. With each filter set having up to six rules, you can have a maximum of 24 rules active for a single port. Sets of factory default filter rules have been configured in menu 21 to prevent NetBIOS traffic from triggering calls and to prevent incoming tel...

Page 687: ...eries User's Guide, 687. Figure 432 Filter Rule Process. You can apply up to four filter sets to a particular port to block multiple types of packets. With each filter set having up to six rules, you can have a maximum of 24 rules active for a single port. ...

Page 688: ... ENTER. 5. Press ENTER at the message "Press ENTER to confirm" to open Menu 21.1.x - Filter Rules Summary. This screen shows the summary of the existing rules in the filter set. The following tables contain a brief description of the abbreviations used in the previous menus. Menu 21 - Filter and Firewall Setup: 1. Filter Setup; 2. Firewall Setup. Enter Menu Selection Number. Menu 21.1 - Filter Set Configuration: Filt...

Page 689: ...ary Menu. FIELD | DESCRIPTION. A (Active): Y means the rule is active; N means the rule is inactive. Type: The type of filter rule, GEN for Generic, IP for TCP/IP. Filter Rules: These parameters are displayed here. M (More): Y means there are more rules to check which form a rule chain with the present rule; an action cannot be taken until the rule chain is complete. N means there are no more rules to check. You can s...

Page 690: ...Log= None; Action Matched= Check Next Rule; Action Not Matched= Check Next Rule. Press ENTER to Confirm or ESC to Cancel. Table 248 Menu 21.1.1.1 - TCP/IP Filter Rule. FIELD | DESCRIPTION. Active: Press SPACE BAR and then ENTER to select Yes to activate the filter rule or No to deactivate it. IP Protocol: Protocol refers to the upper layer protocol, e.g. TCP is 6, UDP is 17 and ICMP is 1. Type a value between 0 and 2...

Page 691: ...o establish a TCP connection (SYN=1 and ACK=0); if No, it is ignored. More: Press SPACE BAR and then ENTER to select Yes or No. If Yes, a matching packet is passed to the next filter rule before an action is taken; if No, the packet is disposed of according to the action fields. If More is Yes, then Action Matched and Action Not Matched will be N/A. Log: Press SPACE BAR and then ENTER to select a logging option...

Page 692: ...692. Figure 436 Executing an IP Filter. 45.2.3 Configuring a Generic Filter Rule. This section shows you how to configure a generic filter rule. The purpose of generic rules is to allow you to filter non-IP packets. For IP, it is generally easier to use the IP rules directly. ...

Page 693: ... Action Not Matched= Check Next Rule. Press ENTER to Confirm or ESC to Cancel. Table 249 Generic Filter Rule Menu Fields. FIELD | DESCRIPTION. Filter #: This is the filter set, filter rule co-ordinates, i.e. 2,3 refers to the second filter set and the third rule of that set. Filter Type: Use SPACE BAR and then ENTER to select a rule type. Parameters displayed below each type will be different. TCP/IP filter rules ...

Page 694: ...et. Make the entries in this menu as shown in the following figure. Log: Select the logging option from the following: None, no packets will be logged; Action Matched, only packets that match the rule parameters will be logged; Action Not Matched, only packets that do not match the rule parameters will be logged; Both, all packets will be logged. Action Matched: Select the action for a packet matching the rule...

Page 695: ...ction is to drop the packet (m, D) if the action is matched, and to forward the packet immediately (n, F) if the action is not matched, no matter whether there are more rules to be checked (there aren't in this example). Menu 21.1.3.1 - TCP/IP Filter Rule: Filter #= 3,1; Filter Type= TCP/IP Filter Rule; Active= Yes; IP Protocol= 6; IP Source Route= No; Destination: IP Addr= 0.0.0.0, IP Mask= 0.0.0.0, Port #= 23, Port # Comp= Equal; Sou...

Page 696: ... number are replaced on a connection-by-connection basis, which makes it impossible to know the exact address and port on the wire. Therefore the ZyWALL applies the protocol filters to the native IP address and port number before NAT for outgoing packets and after NAT for incoming packets. On the other hand, the generic or device filters are applied to the raw packets that appear on the wire. They are ...
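The filter-rule evaluation described on pages 689-695 (cascaded sets of TCP/IP rules, the More flag chaining rules, Action Matched / Action Not Matched, TCP Estab) as an added Python model. This is example code, not ZyNOS code; it assumes that a chain of More=Yes rules acts as an AND whose action comes from the terminal More=No rule, and that a packet no rule decides on is forwarded. The sample sets (the NetBIOS chain and the telnet rule from menu 21.1.3.1 above) and the packet addresses are constructed.

```python
from dataclasses import dataclass
from ipaddress import IPv4Address
from typing import List

CHECK_NEXT, FORWARD, DROP = "Check Next Rule", "Forward", "Drop"
MAX_SETS_PER_PORT, MAX_RULES_PER_SET = 4, 6          # limits stated in the text


@dataclass(frozen=True)
class Packet:
    protocol: int            # IP protocol number: 6 TCP, 17 UDP, 1 ICMP
    src: str
    dst: str
    sport: int = 0
    dport: int = 0
    syn: bool = False
    ack: bool = False


@dataclass(frozen=True)
class Rule:
    """The Menu 21.1.x.x TCP/IP filter rule fields that decide a match."""
    active: bool = True
    ip_protocol: int = 0            # 0 = don't care
    dest_ip: str = "0.0.0.0"
    dest_mask: str = "0.0.0.0"      # 0.0.0.0 mask = don't care, the menu default
    dest_port: int = 0
    dest_port_comp: str = "None"    # None | Equal | Not Equal | Less | Greater
    src_ip: str = "0.0.0.0"
    src_mask: str = "0.0.0.0"
    src_port: int = 0
    src_port_comp: str = "None"
    tcp_estab: bool = False         # Yes: connection requests (SYN=1, ACK=0) never match
    more: bool = False              # Yes: chain with the next rule before any action
    action_matched: str = CHECK_NEXT
    action_not_matched: str = CHECK_NEXT


def _addr_match(addr: str, rule_ip: str, mask: str) -> bool:
    m = int(IPv4Address(mask))
    return (int(IPv4Address(addr)) & m) == (int(IPv4Address(rule_ip)) & m)


def _port_match(port: int, rule_port: int, comp: str) -> bool:
    return {"None": True, "Equal": port == rule_port, "Not Equal": port != rule_port,
            "Less": port < rule_port, "Greater": port > rule_port}[comp]


def rule_matches(rule: Rule, pkt: Packet) -> bool:
    if rule.ip_protocol and pkt.protocol != rule.ip_protocol:
        return False
    if not (_addr_match(pkt.dst, rule.dest_ip, rule.dest_mask)
            and _addr_match(pkt.src, rule.src_ip, rule.src_mask)):
        return False
    if not (_port_match(pkt.dport, rule.dest_port, rule.dest_port_comp)
            and _port_match(pkt.sport, rule.src_port, rule.src_port_comp)):
        return False
    if rule.tcp_estab and pkt.protocol == 6 and pkt.syn and not pkt.ack:
        return False                # a TCP connect request is not an established connection
    return True


def apply_filters(sets: List[List[Rule]], pkt: Packet) -> str:
    """Walk the cascaded sets in order and return FORWARD or DROP."""
    if len(sets) > MAX_SETS_PER_PORT or any(len(s) > MAX_RULES_PER_SET for s in sets):
        raise ValueError("at most 4 sets of 6 rules may be applied to one port")
    for rules in sets:
        i = 0
        while i < len(rules):
            j = i                                        # a chain runs from rule i to the
            while j < len(rules) - 1 and rules[j].more:  # first More=No rule (or set end)
                j += 1
            chain = [r for r in rules[i:j + 1] if r.active]
            if chain:
                # assumption: a chain is an AND of its members and acts with its last rule's fields
                matched = all(rule_matches(r, pkt) for r in chain)
                action = chain[-1].action_matched if matched else chain[-1].action_not_matched
                if action in (FORWARD, DROP):
                    return action
            i = j + 1
    return FORWARD                                       # assumption: undecided packets pass


# Constructed input filter sets. Set 1 chains two rules, so both must match: UDP *and*
# destination port 137, like the factory NetBIOS filters; set 3 is the telnet rule above.
NETBIOS_SET = [
    Rule(ip_protocol=17, more=True),
    Rule(dest_port=137, dest_port_comp="Equal", action_matched=DROP),
]
TELNET_SET = [
    Rule(ip_protocol=6, dest_port=23, dest_port_comp="Equal",
         action_matched=DROP, action_not_matched=FORWARD),
]
ESTABLISHED_ONLY = [           # allow only established TCP, drop inbound connection attempts
    Rule(ip_protocol=6, tcp_estab=True, action_matched=FORWARD, action_not_matched=DROP),
]


def decide(sets: List[List[Rule]], protocol: int, dport: int,
           syn: bool = True, ack: bool = False) -> str:
    """Run one WAN->LAN packet (constructed addresses) through the given input filter sets."""
    pkt = Packet(protocol, "203.0.113.5", "192.168.1.1", 40000, dport, syn, ack)
    return apply_filters(sets, pkt)
```

Because protocol filters see pre-NAT addresses on the way out and post-NAT addresses on the way in (page 696), the rules in this model are written against inside addresses; a rule that names a public address will only ever match in a generic (device) filter.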

Page 697: ...se to a nonexistent outbound request can be blocked. The firewall uses session filtering, i.e. smart rules that enhance the filtering process and control the network session rather than control individual packets in a session. The firewall provides e-mail service to notify you of routine reports and when alerts occur. 45.5.2.1 When To Use The Firewall. 1. To prevent DoS attacks and prevent hackers cracki...

Page 698: ...ng DMZ Filters. DMZ traffic filter sets may be useful to block certain packets, reduce traffic and prevent security breaches. Go to menu 5.1 (shown next) and enter the number(s) of the filter set(s) that you want to apply as appropriate. You can choose up to four filter sets from twelve by entering their numbers separated by commas, e.g. 3, 4, 6, 11. Input filter sets filter incoming traffic to the ZyWALL and o...

Page 699: ...as appropriate. You can cascade up to four filter sets by entering their numbers separated by commas. The ZyWALL already has filters to prevent NetBIOS traffic from triggering calls and block incoming telnet, FTP and HTTP connections. Figure 444 Filtering Remote Node Traffic. Menu 11.1.4 - Remote Node Filter Setup: Input Filter Sets: protocol filters= , device filters= ; Output Filter Sets: protocol filters= , devic...


Page 701: ... 0.0.0.0; Trap: Community= public, Destination= 0.0.0.0. Press ENTER to Confirm or ESC to Cancel. Table 250 SNMP Configuration Menu Fields. FIELD | DESCRIPTION. Get Community: Type the Get community, which is the password for the incoming Get and GetNext requests from the management station. Set Community: Type the Set community, which is the password for incoming Set requests from the management station. Trusted ...

Page 702: ...E | DESCRIPTION. 0 coldStart (defined in RFC 1215): A trap is sent after booting (power on). 1 warmStart (defined in RFC 1215): A trap is sent after booting (software reboot). 4 authenticationFailure (defined in RFC 1215): A trap is sent to the manager when receiving any SNMP Get or Set request with the wrong community password. 6 whyReboot (defined in ZYXEL-MIB): A trap is sent with the reason of restart before r...
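The Get/Set community and trusted-host checks described in Table 250, together with the authenticationFailure trap above, modelled in added Python (example code, not ZyNOS code). The block hand-encodes an SNMPv1 GetRequest in BER so that the packet bytes are visible: the community "password" travels in the clear, which is why a Trusted Host and non-default communities are the minimum for leaving SNMP enabled. The SnmpConfig field names, the agent's responses and the manager addresses are assumptions for the example.

```python
from dataclasses import dataclass
from typing import Tuple

GET_REQUEST, GET_NEXT, SET_REQUEST = 0xA0, 0xA1, 0xA3   # SNMPv1 PDU tags


def _tlv(tag: int, payload: bytes) -> bytes:
    assert len(payload) < 128, "short-form length is enough for these small messages"
    return bytes([tag, len(payload)]) + payload


def _int(v: int) -> bytes:
    return _tlv(0x02, v.to_bytes(max(1, (v.bit_length() + 8) // 8), "big", signed=True))


def _oid(dotted: str) -> bytes:
    arcs = [int(a) for a in dotted.split(".")]
    out = bytearray([40 * arcs[0] + arcs[1]])
    for a in arcs[2:]:
        chunk = [a & 0x7F]
        while a > 0x7F:            # base-128 with continuation bits for arcs >= 128
            a >>= 7
            chunk.insert(0, (a & 0x7F) | 0x80)
        out += bytes(chunk)
    return _tlv(0x06, bytes(out))


def snmpv1_request(pdu_tag: int, community: str, oid: str, request_id: int = 1) -> bytes:
    """SNMPv1 message: SEQUENCE { version 0, community OCTET STRING, PDU }."""
    varbind = _tlv(0x30, _oid(oid) + _tlv(0x05, b""))     # value NULL in a request
    pdu = _tlv(pdu_tag, _int(request_id) + _int(0) + _int(0) + _tlv(0x30, varbind))
    return _tlv(0x30, _int(0) + _tlv(0x04, community.encode()) + pdu)


def community_on_wire(msg: bytes) -> Tuple[str, int]:
    """Read the community and PDU tag straight off the packet: no key, no decryption needed."""
    assert msg[0] == 0x30
    pos = 2
    assert msg[pos] == 0x02
    pos += 2 + msg[pos + 1]                 # skip the version INTEGER
    assert msg[pos] == 0x04
    ln = msg[pos + 1]
    community = msg[pos + 2:pos + 2 + ln].decode()
    return community, msg[pos + 2 + ln]


@dataclass(frozen=True)
class SnmpConfig:
    """The Menu 22 fields described in Table 250 (names assumed for the example)."""
    get_community: str = "public"
    set_community: str = "public"
    trusted_host: str = "0.0.0.0"     # 0.0.0.0 = accept requests from any manager
    trap_destination: str = "0.0.0.0"


def agent_check(cfg: SnmpConfig, manager_ip: str, msg: bytes) -> str:
    """What the agent does with a request: serve it, ignore it, or raise authenticationFailure."""
    if cfg.trusted_host != "0.0.0.0" and manager_ip != cfg.trusted_host:
        return "ignored: not the trusted host"     # assumption: untrusted managers get no reply
    community, tag = community_on_wire(msg)
    expected = cfg.set_community if tag == SET_REQUEST else cfg.get_community
    if community != expected:
        return f"authenticationFailure trap -> {cfg.trap_destination}"
    return "served"
```

A Set community that equals the Get community, as in the defaults shown, lets anyone who can read one packet write the configuration; the trusted host limits which source address the agent answers, but since SNMPv1 has no message authentication, a spoofed source address still gets past that check.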

Page 703: ... of your system firmware and the status and statistics of the ports, as shown in the next figure. System Status is a tool that can be used to monitor your ZyWALL. Specifically, it gives you information on your system firmware version, number of packets sent and number of packets received. To get to the System Status: 1. Enter number 24 to go to Menu 24 - System Maintenance. 2. In this menu, enter 1 to open Men...

Page 704: ...AA:77:89:25 | 192.168.1.1 | 255.255.255.0 | Server; WLAN | 00:00:AA:77:89:29 | 0.0.0.0 | 0.0.0.0 | None; DMZ | 00:00:AA:77:89:27 | 0.0.0.0 | 0.0.0.0 | None. System up Time: 0:52:46. Press Command. COMMANDS: 1,2 - Drop WAN1,2; 9 - Reset Counters; ESC - Exit. Table 252 System Maintenance - Status Menu Fields. FIELD | DESCRIPTION. Port: This field identifies an interface (WAN1, WAN2, LAN, WCRD (wireless LAN card), DMZ or WLAN) on the ZyWALL. Status: For...

Page 705: ...ollisions on this port. Tx B/s: This field shows the transmission speed in bytes per second on this port. Rx B/s: This field shows the reception speed in bytes per second on this port. Up Time: This is the total amount of time the line has been up. Ethernet Address: This is the MAC address of the port listed on the left. IP Address: This is the IP address of the port listed on the left. IP Mask: This is the I...

Page 706: ...13:49:00:00:02; IP Address= 192.168.1.1; IP Mask= 255.255.255.0; DHCP= Server. Press ESC or RETURN to Exit. Table 253 Fields in System Maintenance - Information. FIELD | DESCRIPTION. Name: This is the ZyWALL's system name + domain name assigned in menu 1. For example, System Name= xxx, Domain Name= baboo.mickey.com gives Name= xxx.baboo.mickey.com. Routing: Refers to the routing protocol used. ZyNOS F/W Version: Refers to the ver...

Page 707: ...m the main menu to open Menu 24 - System Maintenance. 2. From menu 24, select option 3 to open Menu 24.3 - System Maintenance - Log and Trace. 3. Select the first option from Menu 24.3 - System Maintenance - Log and Trace to display the error log in the system. After the ZyWALL finishes displaying, you will have the option to clear the error log. Figure 451 Menu 24.3 - System Maintenance - Log and Trace. Examples of typ...

Page 708: ...
57 Thu Jul 1 05:54:56 2004 PP0d INFO LAN promiscuous mode = 1
58 Thu Jul 1 05:54:56 2004 PINI INFO Last errorlog repeat 1 Times
59 Thu Jul 1 05:54:56 2004 PINI INFO main: init completed
60 Thu Jul 1 05:55:26 2004 PSSV WARN SNMP TRAP 0: cold start
61 Thu Jul 1 05:56:56 2004 PINI INFO SMT Session Begin
62 Thu Jul 1 07:50:58 2004 PINI INFO SMT Session End
63 Thu Jul 1 07:53:28 2004 PINI INFO SMT Session...

Page 709: ...0 40002; Jul 19 11:19:32 192.168.102.2 ZyXEL: board 0 line 0 channel 0, call 1, C02, OutCall Connected 64000 40002; Jul 19 11:20:06 192.168.102.2 ZyXEL: board 0 line 0 channel 0, call 1, C02, Call Terminated. Packet-triggered Message Format: SdcmdSyslogSend(SYSLOG_PKTTRI, SYSLOG_NOTICE, String); String = Packet trigger: Protocol=xx, Data=xxxxxxxxxx...x; Protocol: (1) IP, (2) IPX, (3) IPXHC, (4) BPDU, (5) ATALK, (6) IPNG; Data: We will send...

Page 710: ...1mF
Mar 03 10:41:34 202.132.155.97 ZyXEL: IP Src=192.168.2.33 Dst=202.132.155.93 ICMP S04 R01mF
Mar 03 11:59:20 202.132.155.97 ZyXEL: GEN 00a0c5f502fnord010080 S05 R01mF
Mar 03 12:00:52 202.132.155.97 ZyXEL: GEN ffffffffffff0080 S05 R01mF
Mar 03 12:00:57 202.132.155.97 ZyXEL: GEN 00a0c5f502010080 S05 R01mF
Mar 03 12:01:06 202.132.155.97 ZyXEL: IP Src=192.168.2.33 Dst=202.132.155.93 TCP spo=01170 dpo=00...

Page 711: ...ss; spo= Source port (empty means no source port information); Dst= Destination Address; dpo= Destination port (empty means no destination port information); prot= Protocol (TCP, UDP, ICMP, IGMP, GRE, ESP); rule= <a,b>, where a means set number and b means rule number; Action= nothing (N), block (B), forward (F). 08-01-2000 11:48:41 Local1.Notice 192.168.10.10 RAS: FW 172.21.1.80:137 ->172.21.1.80:137 |UDP|default permit:<2,0>|B; 08-01-2000 11:48...
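A parser for the firewall and filter syslog records described on pages 710-711, as an added Python example (not code from this guide or from ZyXEL). The exact byte layout of the records is assumed from the field lists above: "RAS: FW src:spo ->dst:dpo |prot|rule:<set,rule>|action" for firewall events and "ZyXEL: IP[Src=... Dst=... prot spo=... dpo=...]SxxRyy" followed by m/n (matched / not matched) and the action letter for filter events. The sample log is constructed; only its first firewall line and the two filter lines are copied from the pages above.

```python
import re
from collections import Counter
from dataclasses import dataclass
from typing import Dict, List, Optional

FW_RE = re.compile(
    r"RAS: FW (?P<src>[\d.]+):(?P<spo>\d*) ->(?P<dst>[\d.]+):(?P<dpo>\d*) "
    r"\|(?P<prot>[A-Z]+)\|(?P<rule>[^|<]+):<(?P<set>\d+),(?P<idx>\d+)>\|(?P<act>[NBF])")
FILTER_RE = re.compile(
    r"ZyXEL: IP\[Src=(?P<src>[\d.]+) Dst=(?P<dst>[\d.]+) (?P<prot>[A-Z]+)"
    r"(?: spo=(?P<spo>\d+) dpo=(?P<dpo>\d+))?\]S(?P<set>\d+)>R(?P<idx>\d+)(?P<m>[mn])(?P<act>[DFN])")
ACTIONS = {"N": "none", "B": "block", "F": "forward", "D": "drop"}


@dataclass(frozen=True)
class Event:
    source: str          # "firewall" or "filter"
    src: str
    spo: Optional[int]   # None = no port information (ICMP etc.)
    dst: str
    dpo: Optional[int]
    prot: str
    set_no: int
    rule_no: int
    action: str          # none | block | forward | drop


def _port(s: Optional[str]) -> Optional[int]:
    return int(s) if s else None


def parse_line(line: str) -> Optional[Event]:
    """Return an Event for a firewall or filter record, or None for anything else."""
    m = FW_RE.search(line)
    if m:
        return Event("firewall", m["src"], _port(m["spo"]), m["dst"], _port(m["dpo"]),
                     m["prot"], int(m["set"]), int(m["idx"]), ACTIONS[m["act"]])
    m = FILTER_RE.search(line)
    if m:
        return Event("filter", m["src"], _port(m["spo"]), m["dst"], _port(m["dpo"]),
                     m["prot"], int(m["set"]), int(m["idx"]), ACTIONS[m["act"]])
    return None


def parse_log(text: str) -> List[Event]:
    return [e for e in (parse_line(line) for line in text.splitlines()) if e]


def blocked_by_source(events: List[Event], min_hits: int = 2) -> Dict[str, int]:
    """Sources with at least min_hits blocked or dropped packets: the first thing to triage."""
    hits = Counter(e.src for e in events if e.action in ("block", "drop"))
    return {src: n for src, n in hits.items() if n >= min_hits}


# Constructed sample log in the assumed record layout (203.0.113.9 probing telnet and FTP
# from the WAN is invented; see the lead-in for which lines come from the guide).
SAMPLE_LOG = """\
08-01-2000 11:48:41 Local1.Notice 192.168.10.10 RAS: FW 172.21.1.80:137 ->172.21.1.80:137 |UDP|default permit:<2,0>|B
08-01-2000 11:48:42 Local1.Notice 192.168.10.10 RAS: FW 203.0.113.9:2049 ->192.168.10.10:23 |TCP|default permit:<2,0>|B
08-01-2000 11:48:43 Local1.Notice 192.168.10.10 RAS: FW 203.0.113.9:2050 ->192.168.10.10:21 |TCP|default permit:<2,0>|B
08-01-2000 11:49:00 Local1.Notice 192.168.10.10 RAS: FW 192.168.10.33:1170 ->198.51.100.7:80 |TCP|default permit:<1,0>|F
Mar 03 12:01:06 202.132.155.97 ZyXEL: IP[Src=192.168.2.33 Dst=202.132.155.93 TCP spo=01170 dpo=00021]S04>R01mF
Mar 03 10:41:34 202.132.155.97 ZyXEL: IP[Src=192.168.2.33 Dst=202.132.155.93 ICMP]S04>R01mF
"""
```

Syslog from the ZyWALL is plain UDP, so these records can be dropped or forged on the way to the collector; treat the counts as a triage hint and confirm against the device's own log (menu 24.3) before acting on them.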

Page 712: ...l open Menu 24.4 - System Maintenance - Diagnostic. IP Frame: ENET0-RECV Size: 44/44 Time: 17:02:44.262. Frame Type: IP Header. IP Version= 4; Header Length= 20; Type of Service= 0x00 (0); Total Length= 0x002C (44); Identification= 0x0002 (2); Flags= 0x00; Fragment Offset= 0x00; Time to Live= 0xFE (254); Protocol= 0x06 (TCP); Header Checksum= 0xFB20 (64288); Source IP= 0xC0A80101 (192.168.1.1); Destination IP= 0x00000000 (0.0.0.0). TCP Header: Sour...

Page 713: ...ation field in menu 4 or menu 11 is Ethernet or None when you have a static IP. The WAN Release and Renewal fields in menu 24.4 conveniently allow you to release and/or renew the assigned WAN IP address, subnet mask and default gateway in a fashion similar to winipcfg. Figure 456 WAN and LAN DHCP. The following table describes the diagnostic tests available in menu 24.4 for your ZyWALL and associated conn...

Page 714: ...er 4 to test the Internet setup. You can also test the Internet setup in Menu 4 - Internet Access. Please refer to Chapter 37 on page 629 for more details. This feature is only available for a 3G connection or dial-up connections using PPPoE or PPTP encapsulation. Reboot System: Enter 11 to reboot the ZyWALL. WAN: If you entered 2, 3 or 4 in the Enter Menu Selection Number field, enter the number of the WAN ...

Page 715: ... your ZyWALL's performance. 48.2 Filename Conventions. The configuration file (often called the romfile or rom-0) contains the factory default settings in the menus such as password, DHCP Setup, TCP/IP Setup, etc. It arrives from ZyXEL with a "rom" filename extension. Once you have customized the ZyWALL's settings, they can be saved back to your computer under a filename of your choosing. ZyNOS (ZyXEL Network O...

Page 716: ...rent ZyWALL configuration to your computer. Backup is highly recommended once your ZyWALL is functioning properly. FTP is the preferred method for backing up your current configuration to your computer since it is faster; note that FTP carries the admin password and the configuration file itself in the clear, so use it only from the LAN or over the VPN. You can also perform backup and restore using menu 24 through the console port. Any serial communications program should work fine; however, you must use the Xmodem protocol to perform the...

Page 717: ...t the ftp prompt. 48.3.3 Example of FTP Commands from the Command Line. Figure 458 FTP Session Example. Menu 24.5 - Backup Configuration. To transfer the configuration file to your workstation, follow the procedure below: 1. Launch the FTP client on your workstation. 2. Type "open" and the IP address of your router. Then type "admin" and the SMT password as requested. 3. Locate the rom-0 file. 4. Type "get rom-0" to back u...

Page 718: ...nts. To backup the configuration file, follow the procedure shown next: 1. Use telnet from your computer to connect to the ZyWALL and log in. Because TFTP does not have any security checks, the ZyWALL records the IP address of the telnet client and accepts TFTP requests only from this address. 2. Put the SMT in command interpreter (CI) mode by entering 8 in Menu 24 - System Maintenance. 3. Enter command "sys std...

Page 719: ...om-0 (name of the configuration file on the ZyWALL) to the file destination on the computer and renames it config.rom. 48.3.8 GUI-based TFTP Clients. The following table describes some of the fields that you may see in GUI-based TFTP clients. Refer to Section 48.3.5 on page 718 to read about configurations that disallow TFTP and FTP over WAN. 48.3.9 Backup Via Console Port. Back up configuration via cons...

Page 720: ...one. Choose the Xmodem protocol. Then click Receive. 4. After a successful backup you will see the following screen. Press any key to return to the SMT menu. Figure 462 Successful Backup Confirmation Screen. 48.4 Restore Configuration. This section shows you how to restore a previously saved configuration. Note that this function erases the current configuration before restoring a previous back-up configur...

Page 721: ...r computer that you want to restore to your ZyWALL. 7. Use "put" to transfer files from the computer to the ZyWALL; for example, "put config.rom rom-0" transfers the configuration file config.rom on your computer to the ZyWALL, where it replaces rom-0. See earlier in this chapter for more information on filename conventions. 8. Enter "quit" to exit the ftp prompt. The ZyWALL will automatically restart after a successful restore process...

Page 722: ...ystem Maintenance - Restore Configuration. 2. The following screen indicates that the Xmodem download has started. Figure 466 System Maintenance - Starting Xmodem Download Screen. 3. Run the HyperTerminal program by clicking Transfer, then Send File, as shown in the following screen. Figure 467 Restore Configuration Example: ftp> put config.rom rom-0 / 200 Port command okay / 150 Opening data connection for STOR ro...

Page 723: ...configuration files by following the procedure in Section 48.4 on page 720, or by following the instructions in Menu 24.7.2 - System Maintenance - Upload System Configuration File (for console port). Do not interrupt the file transfer process, as this may PERMANENTLY DAMAGE YOUR ZyWALL. 48.5.1 Firmware File Upload. FTP is the preferred method for uploading the firmware and configuration. To use this feature...

Page 724: ...on FTP commands, please consult the documentation of your FTP client program. For details on uploading system firmware using TFTP (note that you must remain on this menu to upload system firmware using TFTP), please see your manual. Press ENTER to Exit. Menu 24.7.2 - System Maintenance - Upload System Configuration File. To upload the system configuration file, follow the procedure below: 1. Launch the FTP clien...

Page 725: ...to exit the ftp prompt. 48.5.4 FTP Session Example of Firmware File Upload. Figure 471 FTP Session Example of Firmware File Upload. More commands found in GUI-based FTP clients are listed earlier in this chapter. Refer to Section 48.3.5 on page 718 to read about configurations that disallow TFTP and FTP over WAN. 48.5.5 TFTP File Upload. The ZyWALL also supports the uploading of firmware files using TFT...

Page 726: ...8.5.6 TFTP Upload Command Example. The following is an example TFTP command: tftp -i host put firmware.bin ras. Where: -i specifies binary image transfer mode (use this mode when transferring binary files); host is the ZyWALL's IP address; put transfers the file source on the computer (firmware.bin, the name of the firmware on the computer) to the file destination on the remote host (ras, the name of the firmware on the...

Page 727: ...firmware upload process has completed, the ZyWALL will automatically restart. 48.5.10 Uploading Configuration File Via Console Port. 1. Select 2 from Menu 24.7 - System Maintenance - Upload Firmware to display Menu 24.7.2 - System Maintenance - Upload System Configuration File. Follow the instructions as shown in the next screen. Menu 24.7.1 - System Maintenance - Upload System Firmware. To upload system firmware: 1. ...

Page 728: ...pload process has completed, restart the ZyWALL by entering "atgo". Menu 24.7.2 - System Maintenance - Upload System Configuration File. To upload system configuration file: 1. Enter "y" at the prompt below to go into debug mode. 2. Enter "atlc" after the "Enter Debug Mode" message. 3. Wait for the "Starting XMODEM upload" message before activating Xmodem upload on your terminal. 4. After successful firmware upload, enter "atgo" to ...

Page 729: ...l connection to the console port, although some commands are only available with a serial connection. See the CLI Reference Guide for information on the commands. Enter 8 from Menu 24 - System Maintenance. Use of undocumented commands or misconfiguration can damage the unit and possibly render it unusable. Figure 476 Command Mode in Menu 24. Menu 24 - System Maintenance: 1. System Status; 2. System Information ...

Page 730: ...ronicles preceding incoming and outgoing calls. To access the call control menu, select option 9 in menu 24 to go to Menu 24.9 - System Maintenance - Call Control, as shown in the next table. Figure 477 Call Control. 49.2.1 Budget Management. Menu 24.9.1 shows the budget management statistics for outgoing calls. Enter 1 from Menu 24.9 - System Maintenance - Call Control to bring up the following menu. Not all fie...

Page 731: ...to bring up the following menu. Figure 479 Call History. The following table describes the fields in this screen. Table 259 Budget Management. FIELD | DESCRIPTION | EXAMPLE. Remote Node: Enter the index number of the remote node you want to reset (just one in this case) | 1. Connection Time/Total Budget: This is the total connection time that has gone by within the allocated budget that you set in menu 11.1 | 5/10 ...

Page 732: ...and Date Setting to update the time and date settings of your ZyWALL, as shown in the following screen. Rate: This is the transfer rate of the call. #call: This is the number of calls made to or received from that telephone number. Max: This is the length of time of the longest telephone call. Min: This is the length of time of the shortest telephone call. Total: This is the total length of time of all the te...

Page 733: ...zone of the server. Time (RFC 868) format displays a 4-byte integer giving the total number of seconds since midnight, 1 January 1900 (RFC 868 counts from 1900, not 1970). The default, NTP (RFC 1305), is similar to Time (RFC 868). Select Manual to enter the new time and new date manually. Time Server Address: Enter the IP address or domain name of your timeserver. Check with your ISP/network administrator if you are unsure of this information. Current Tim...

Page 734: ... one hour ahead of GMT or UTC (GMT+1). End Date (mm-nth-week-hr): Configure the day and time when Daylight Saving Time ends if you selected Yes in the Daylight Saving field. The hr field uses the 24-hour format. Here are a couple of examples: Daylight Saving Time ends in the United States on the first Sunday of November. Each time zone in the United States stops using Daylight Saving Time at 2 A.M. local tim...

Page 735: ...igure remote management to allow management from any network except the LAN, you still need to configure a firewall rule to allow access. See Chapter 11 on page 243 for details on configuring firewall rules. You can also disable a service on the ZyWALL by not allowing access for the service/protocol through any of the ZyWALL interfaces. To disable remote management of a service, select Disable in the c...

Page 736: ...ble 262 Menu 24.11 - Remote Management Control. FIELD | DESCRIPTION. Telnet Server, FTP Server, SSH Server, HTTPS Server, HTTP Server, SNMP Service, DNS Service: Each of these read-only labels denotes a service that you may use to remotely manage the ZyWALL. Port: This field shows the port number for the service or protocol. You may change the port number if needed, but you must use the same port number to access ...

Page 737: ...ote management session with an equal or higher priority running. You may only have one remote management session running at one time. 6. There is a firewall rule that blocks it. Authenticate Client Certificates: Select Yes by pressing SPACE BAR, then ENTER, to require the SSL client to authenticate itself to the ZyWALL by sending the ZyWALL a certificate. To do that the SSL client must have a CA-signed ce...


Page 739: ... 1.1.1.1-1.1.1.1 DA= 2.2.2.2-2.2.2.5 SP= 20-25 DP= 20-25 P= 6 T= NM PR= 0 | GW= 192.168.1.1 T= MT PR= 0; 002 N (empty); 003 N (empty); 004 N (empty) ...

Page 740: ... sure you are on the correct page. When a rule is deleted, subsequent rules do not move up in the page list. Use Go To Rule to view the page where your desired rule is listed. Select Next Page or Previous Page to view the next or previous page of rules respectively. Select Rule: Type the policy index number you wish to edit or delete and then press ENTER. When you have completed this menu, press ENTER at ...

Page 741: ...ESC to Cancel. Table 265 Menu 25.1 - IP Routing Policy Setup. FIELD | DESCRIPTION. Rule Index: This is the index number of the routing policy selected in Menu 25 - IP Routing Policy Summary. Active: Press SPACE BAR and then ENTER to select Yes to activate the policy. Criteria: IP Protocol: Enter a number that represents an IP layer 4 protocol, for example UDP= 17, TCP= 6, ICMP= 1 and Don't care= 0. Type of Service: Prior...

Page 742: ...ress. The gateway must be on the same subnet as the ZyWALL if it is on the LAN; otherwise the gateway must be the IP address of a remote node. The default gateway is specified as 0.0.0.0. Remote Node Idx: This field displays if you selected Remote Node in the Gateway Type field. Type 1 for WAN port 1 or 2 for WAN port 2. Redirect Packet: This field applies if you selected Remote Node in the Gateway Type f...

Page 743: ... the configured IP route. Menu 25.1.1 - IP Routing Policy Setup: Apply policy to packets received from: LAN= No; DMZ= No; WLAN= No; ALL WAN= Yes; Selected Remote Node index= N/A. Press ENTER to Confirm or ESC to Cancel. Table 266 Menu 25.1.1 - IP Routing Policy Setup. FIELD | DESCRIPTION. LAN / DMZ / WLAN / ALL WAN: Press SPACE BAR to select Yes or No. Choose Yes and press ENTER to apply the policy to packets received on the s...

Page 744: ...own next. Figure 487 IP Routing Policy Example 1. Menu 25.1 - IP Routing Policy Setup: Rule Index= 1; Active= Yes. Criteria: IP Protocol= 6; Type of Service= Don't Care; Packet length= 10; Precedence= Don't Care; Len Comp= Equal; Source: addr start= 192.168.1.33, end= 192.168.1.64, port start= 0, end= N/A; Destination: addr start= 0.0.0.0, end= N/A, port start= 80, end= 80. Action= Matched; Gateway Type= IP Address; Gateway addr= 192.168.1...

Page 745: ...elect Yes in the LAN field in menu 25 1 1 to apply the policy to packets received on the LAN port 6 Check Menu 25 IP Routing Policy Summary to see if the rule is added correctly Menu 25 1 IP Routing Policy Setup Rule Index 2 Active No Criteria IP Protocol 6 Type of Service Don t Care Packet length 10 Precedence Don t Care Len Comp Equal Source addr start 0 0 0 0 end N A port start 0 end N A Destin...
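The matching logic that the Menu 25.1 fields above describe, as an added example (it is not ZyWALL firmware or code from the guide). The rule fields follow the page: IP Protocol, Packet length with a Len Comp operator, Source and Destination address and port ranges, Gateway addr. The evaluation order (ascending rule index, first active match wins, no match means the normal routing table) is assumed, as are the gateway addresses and the destination criteria of rule 2, which the page cuts off; the sample packets are constructed.

```python
"""Policy-route matching in the style of the ZyWALL Menu 25.1 rules.

Added example, not ZyWALL code. Rule fields follow the guide; the ordering
rule (lowest index first, first active match wins), the gateway addresses and
rule 2's destination criteria are assumptions because the page truncates them.
"""
import operator
from dataclasses import dataclass, replace
from ipaddress import IPv4Address
from typing import Callable, Dict, List, Optional

# Layer-4 protocol numbers as listed for the IP Protocol field.
PROTO = {"DONT_CARE": 0, "ICMP": 1, "TCP": 6, "UDP": 17}

# Len Comp operators. Only "Equal" appears on the page; the others are assumed.
LEN_COMP: Dict[str, Callable[[int, int], bool]] = {
    "Equal": operator.eq,
    "Not Equal": operator.ne,
    "Less": operator.lt,
    "Greater": operator.gt,
}


@dataclass(frozen=True)
class Packet:
    protocol: int
    src: str
    dst: str
    sport: int
    dport: int
    length: int


@dataclass(frozen=True)
class Rule:
    index: int
    active: bool
    protocol: int = 0                  # 0 = Don't care
    length: Optional[int] = None       # None = Don't care
    len_comp: str = "Equal"
    src_start: str = "0.0.0.0"
    src_end: Optional[str] = None      # None (N/A) = any source address
    dst_start: str = "0.0.0.0"
    dst_end: Optional[str] = None      # None (N/A) = any destination address
    dport_start: int = 0
    dport_end: Optional[int] = None    # None (N/A) = any destination port
    gateway: str = "0.0.0.0"           # 0.0.0.0 = the default gateway

    def matches(self, p: Packet) -> bool:
        """Every configured criterion must hold; Don't care / N/A fields are skipped."""
        if not self.active:
            return False
        if self.protocol != PROTO["DONT_CARE"] and p.protocol != self.protocol:
            return False
        if self.length is not None and not LEN_COMP[self.len_comp](p.length, self.length):
            return False
        if self.src_end is not None and not (
            IPv4Address(self.src_start) <= IPv4Address(p.src) <= IPv4Address(self.src_end)
        ):
            return False
        if self.dst_end is not None and not (
            IPv4Address(self.dst_start) <= IPv4Address(p.dst) <= IPv4Address(self.dst_end)
        ):
            return False
        if self.dport_end is not None and not (self.dport_start <= p.dport <= self.dport_end):
            return False
        return True


def select_gateway(rules: List[Rule], p: Packet, default: str = "0.0.0.0") -> str:
    """Lowest rule index first; the first active rule that matches decides the
    next hop. A packet matching no rule follows the ordinary routing table."""
    for rule in sorted(rules, key=lambda r: r.index):
        if rule.matches(p):
            return rule.gateway
    return default


# Rules 1 and 2 as shown on pages 744-745 (rule 2 is inactive there).
# Gateway addresses and rule 2's destination are assumed: the page cuts them off.
RULE_1 = Rule(index=1, active=True, protocol=PROTO["TCP"], length=10, len_comp="Equal",
              src_start="192.168.1.33", src_end="192.168.1.64",
              dport_start=80, dport_end=80, gateway="192.168.1.254")
RULE_2 = Rule(index=2, active=False, protocol=PROTO["TCP"], length=10, len_comp="Equal",
              gateway="192.168.1.253")
EXAMPLE_RULES = [RULE_1, RULE_2]
EXAMPLE_RULES_BOTH_ACTIVE = [RULE_1, replace(RULE_2, active=True)]

# Constructed sample packets (not captures).
WEB_FROM_SUBNET = Packet(PROTO["TCP"], "192.168.1.40", "10.0.0.1", 40000, 80, 10)
WEB_FROM_OUTSIDE_RANGE = Packet(PROTO["TCP"], "192.168.1.100", "10.0.0.1", 40000, 80, 10)
WRONG_LENGTH = replace(WEB_FROM_SUBNET, length=11)
UDP_PACKET = replace(WEB_FROM_SUBNET, protocol=PROTO["UDP"])


if __name__ == "__main__":
    for pkt in (WEB_FROM_SUBNET, WEB_FROM_OUTSIDE_RANGE, WRONG_LENGTH, UDP_PACKET):
        print(pkt, "->", select_gateway(EXAMPLE_RULES, pkt))
```

Two points worth checking against a live unit with the summary in Menu 25: an inactive rule is skipped entirely even when its criteria match, and when two active rules both match the lower index decides, so a broad "catch-all" rule placed at a low index silently shadows every more specific rule behind it.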

Page 746: ...Chapter 51 IP Policy Routing ...

Page 747: ... numbered sets take precedence over higher-numbered sets, thereby avoiding scheduling conflicts. For example, if sets 1, 2, 3 and 4 are applied in the remote node, then set 1 will take precedence over sets 2, 3 and 4, as the ZyWALL by default applies the lowest-numbered set first. Set 2 will take precedence over sets 3 and 4, and so on. You can design up to 12 schedule sets, but you can only apply up to four sc...

Page 748: ...y= N/A     Thursday= N/A     Friday= N/A     Saturday= N/A
  Start Time (hh:mm)= 00:00
  Duration (hh:mm)= 00:00
  Action= Forced On
  Press ENTER to Confirm or ESC to Cancel
  Press Space Bar to Toggle.
Table 267 Schedule Set Setup
FIELD: DESCRIPTION
Active: Press SPACE BAR to select Yes or No. Choose Yes and press ENTER to activate the schedule set.
How Often: Should this schedule set recur weekly or be used just once only? Press SPAC...

Page 749: ... the action configured in the Action field. Enter the maximum length of time in hour:minute format.
Action: Forced On means that the connection is maintained whether or not there is a demand call on the line, and will persist for the time period specified in the Duration field. Forced Down means that the connection is blocked whether or not there is a demand call on the line. Enable Dial-On-Demand means...
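The precedence and duration rules of pages 747-749 worked through in code, as an added example that is not ZyWALL code: a remote node applies at most four sets, the lowest-numbered set covering the instant wins, and a set is a start time plus a duration with an action. The date field for a "Once" set and the treatment of a window that runs past midnight (it still belongs to the day it started) are assumptions, and the three sets are constructed.

```python
"""Which schedule set governs a remote node at a given instant.

Added example, not ZyWALL code. Rules follow pages 747-749; the `once_date`
field and the midnight handling are assumptions.
"""
from dataclasses import dataclass
from datetime import date, datetime, time, timedelta
from typing import FrozenSet, Iterable, Optional

DAYS = ("Monday", "Tuesday", "Wednesday", "Thursday", "Friday", "Saturday", "Sunday")
ACTIONS = ("Forced On", "Forced Down", "Enable Dial-On-Demand")
MAX_APPLIED = 4


def _hhmm(value: str) -> timedelta:
    hours, minutes = value.split(":")
    return timedelta(hours=int(hours), minutes=int(minutes))


@dataclass(frozen=True)
class ScheduleSet:
    index: int                              # 1..12; a lower index takes precedence
    active: bool
    how_often: str                          # "Weekly" or "Once"
    start: str                              # Start Time, "hh:mm"
    duration: str                           # Duration, "hh:mm"
    action: str
    days: FrozenSet[str] = frozenset()      # Weekly: weekdays set to Yes
    once_date: Optional[date] = None        # Once: the calendar day (assumed field)

    def __post_init__(self) -> None:
        if self.action not in ACTIONS:
            raise ValueError(f"unknown action {self.action!r}")
        if self.how_often not in ("Weekly", "Once"):
            raise ValueError(f"unknown How Often {self.how_often!r}")

    def covers(self, at: datetime) -> bool:
        """True if `at` lies in [start, start + duration) of a window that began
        today or yesterday on a day this set applies to."""
        if not self.active:
            return False
        window = _hhmm(self.duration)
        for back in (0, 1):
            day = (at - timedelta(days=back)).date()
            if self.how_often == "Weekly" and DAYS[day.weekday()] not in self.days:
                continue
            if self.how_often == "Once" and day != self.once_date:
                continue
            start = datetime.combine(day, time(0)) + _hhmm(self.start)
            if start <= at < start + window:
                return True
        return False


def effective_action(applied: Iterable[ScheduleSet], at: datetime) -> Optional[str]:
    """Action in force at `at`, or None when no applied set covers it (the node
    then behaves as it would with no schedule at all)."""
    applied = list(applied)
    if len(applied) > MAX_APPLIED:
        raise ValueError(f"a remote node can apply at most {MAX_APPLIED} schedule sets")
    for sched in sorted(applied, key=lambda s: s.index):
        if sched.covers(at):
            return sched.action
    return None


# Constructed sets (not from the guide): set 1 blocks the line overnight on
# weekdays, set 2 keeps it up during office hours, set 3 is a one-off. Set 1 is
# deliberately the lower index so it wins during the 18:00-19:00 overlap.
WEEKDAYS = frozenset(DAYS[:5])
BLOCK_OVERNIGHT = ScheduleSet(1, True, "Weekly", "18:00", "14:00", "Forced Down", days=WEEKDAYS)
KEEP_UP_OFFICE = ScheduleSet(2, True, "Weekly", "09:00", "10:00", "Forced On", days=WEEKDAYS)
ONE_OFF_TRANSFER = ScheduleSet(3, True, "Once", "02:00", "01:00", "Forced On",
                               once_date=date(2008, 1, 13))      # a Sunday
APPLIED = [BLOCK_OVERNIGHT, KEEP_UP_OFFICE, ONE_OFF_TRANSFER]
TOO_MANY = APPLIED + [BLOCK_OVERNIGHT, KEEP_UP_OFFICE]           # five: rejected


def action_at(year: int, month: int, day: int, hour: int, minute: int,
              sets: Optional[Iterable[ScheduleSet]] = None) -> Optional[str]:
    """effective_action for a calendar instant, defaulting to the sets above."""
    return effective_action(APPLIED if sets is None else sets,
                            datetime(year, month, day, hour, minute))


if __name__ == "__main__":
    for when in ((2008, 1, 8, 10, 0), (2008, 1, 8, 18, 30), (2008, 1, 9, 2, 0),
                 (2008, 1, 12, 10, 0), (2008, 1, 13, 2, 30)):
        print(when, "->", action_at(*when))
```

The overlap case is the one to design for: because precedence is by set number rather than by specificity, a Forced Down set that must always win has to carry the lowest number among the four applied to that remote node.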

Page 750: ...te IP
  Active= Yes                          Encapsulation= PPTP        Edit IP= No
  Service Type= Standard               Telco Option:
  My Login=                              Allocated Budget(min)= 0
  My Password=                           Outgoing Period(hr)= 0
  Retype to Confirm=                     Schedules= 1,2,3,4
  Authen= CHAP/PAP                       Nailed-up Connections= No
  PPTP:                                Session Options:
    My IP Addr=                            Edit Filter Sets= No
    My IP Mask=                            Idle Timeout(sec)= 100
    Server IP Addr=
    Connection ID/Name=
  Press ENTER to Confirm or ESC to Cancel ...

Page 751: ...he ZyWALL.
3 Make sure the power adaptor or cord is connected to the ZyWALL and plugged in to an appropriate power source. Make sure the power source is turned on.
4 Turn the ZyWALL off and on, or disconnect and re-connect the power adaptor or cord to the ZyWALL.
5 If the problem continues, contact the vendor.
V One of the LEDs does not behave as expected.
1 Make sure you understand the normal behavior of...

Page 752: ...ice to its factory defaults. See Section 2.3 on page 63.
V I cannot see or access the Login screen in the web configurator.
1 Make sure you are using the correct IP address. The default IP address is 192.168.1.1. Use the ZyWALL's LAN IP address when configuring from the LAN. Use the ZyWALL's WAN IP address when configuring from the WAN. If you changed the LAN IP address (Section 6.7 on page 152), use the ne...

Page 753: ... the pop-up window, select the Delete all offline content check box and click OK. Click OK in the Internet Options screen to close it. If you disconnect your computer from one device and connect it to another device that has the same IP address, your computer's ARP (Address Resolution Protocol) table may contain an entry that maps the management IP address to the previous device's MAC address. In Windows...

Page 754: ...only. Make sure that you have entered the correct Service Type, User Name and Password (be sure to use the correct casing). Refer to the WAN setup chapter (web configurator) or SMT.
2 Disconnect all the cables from your device and follow the directions in the Quick Start Guide again.
3 If the problem continues, contact your ISP.
V I cannot access the Internet.
1 Check the hardware connections and make sure th...

Page 755: ...ially peer-to-peer applications.
2 Check the signal strength. If the signal strength is low, try moving the ZyWALL closer to the AP if possible, and look around to see if there are any devices that might be interfering with the wireless network (for example, microwaves, other wireless networks, and so on).
3 Reboot the ZyWALL.
4 If the problem continues, contact the network administrator or vendor, or try one ...

Page 756: ...AN interface. Check your remote management settings.
53.5 UPnP
V When using UPnP and the ZyWALL reboots, my computer cannot detect UPnP and refresh My Network Places Local Network.
1 Disconnect the Ethernet cable from the ZyWALL's LAN port or from your computer.
2 Re-connect the Ethernet cable.
V The Local Area Connection icon for UPnP disappears in the screen.
Restart your computer.
V I cannot open speci...

Page 757: ...ting, auto-MDI/MDI-X 10/100 Mbps RJ-45 Ethernet ports (ZyWALL 5: one auto-negotiating, auto-MDI/MDI-X 10/100 Mbps RJ-45 Ethernet port).
DMZ (ZyWALL 70): Four DMZ/WLAN auto-negotiating, auto-MDI/MDI-X 10/100 Mbps RJ-45 Ethernet ports.
ZyWALL 5 and 35: Four LAN/DMZ/WLAN auto-negotiating, auto-MDI/MDI-X 10/100 Mbps RJ-45 Ethernet ports.
Reset Button: Restores factory default settings.
Console: RS-232 DB9F.
Dial Backup...

Page 758: ...figuration Protocol): Use this feature to have the ZyWALL assign IP addresses, an IP default gateway and DNS servers to computers on your network.
Dynamic DNS Support: With Dynamic DNS (Domain Name System) support, you can use a fixed URL (www.zyxel.com, for example) with a dynamic IP address. You must register for this service with a Dynamic DNS service provider.
IP Multicast: IP multicast is used to send traf...

Page 759: ...e expense of leased site-to-site lines. The ZyWALL VPN is based on the IPSec standard and is fully interoperable with other IPSec-based VPN products.
Bandwidth Management: You can efficiently manage traffic on your network by reserving bandwidth and giving priority to certain types of traffic and/or to particular computers.
Remote Management: This allows you to decide whether a service (HTTP or FTP traf...

Page 760: ...gure is less than 450 (3,072 Kb). Individual entries may vary in size. The total number you can configure is less than 220.
Table 270 Feature and Performance Specifications (continued)
FEATURE: ZYWALL 70 / ZYWALL 35 / ZYWALL 5
Firewall Throughput (with NAT): 80 Mbps / 75 Mbps / 60 Mbps
VPN 3DES Throughput: 40 Mbps / 35 Mbps / 30 Mbps
User Licenses: Unlimited / Unlimited / Unlimited
Table 271 Compatible ZyXEL WLAN Cards and Security ...

Page 761: ...mum Speed (Downstream / Upstream): 3.1 Mbps, 1.8 Mbps, 1.8 Mbps, 384 Kbps, 3.6 Mbps, 384 Kbps, 384 Kbps, 1.8 Mbps, 384 Kbps, 7.2 Mbps, 384 Kbps
Interface: 32-bit CardBus Type II PC Card; 16-bit PC Card; 32-bit CardBus Type II PC Card; 32-bit CardBus Type II PC Card; 32-bit CardBus Type II PC Card; 32-bit CardBus Type II PC Card
SIM card authentication via the web configurator: Y, Y, Y, Y, Y
Enabling of the internal modem o...

Page 762: ...ly certain ZyXEL wireless LAN cards or 3G cards are compatible with the ZyWALL. Only the ZyWALL 5 can use a 3G card. Do not force, bend or twist the wireless LAN card, 3G card or ZyWALL Turbo Card.
Figure 493 WLAN Card Installation
54.3 Power Adaptor Specifications
Table 273 North American Plug Standards
AC POWER ADAPTOR MODEL: PSA18R-120P ZA-R
INPUT POWER: 100-240VAC, 50/60HZ, 0.5A
OUTPUT POWER: 12VDC, 1.5A ...

Page 763: ...United Kingdom Plug Standards
AC POWER ADAPTOR MODEL: PSA18R-120P ZK-R
INPUT POWER: 100-240VAC, 50/60HZ, 0.5A
OUTPUT POWER: 12VDC, 1.5A
POWER CONSUMPTION: 18 W MAX
SAFETY STANDARDS: TUV, BS EN 60950-1
Table 276 Australia and New Zealand Plug Standards
AC POWER ADAPTOR MODEL: PSA18R-120P ZS-R
INPUT POWER: 100-240VAC, 50/60HZ, 0.5A
OUTPUT POWER: 12VDC, 1.5A
POWER CONSUMPTION: 18 W MAX
SAFETY STANDARDS: AS/NZ 60950
Ta...

Page 764: ... 3 DTE TXD; Pin 4 DTE DTR; Pin 5 GND; Pin 6 DTE DSR; Pin 7 DTE RTS; Pin 8 DTE CTS; Pin 9 NON. The CON/AUX port also has these pin assignments. The CON/AUX switch changes the setting in the firmware only and does not change the CON/AUX port's pin assignments. ZyWALLs with a CON/AUX port also have a 9-pin adaptor for the console cable with these pin assignments on the male end.
Table 280 Ethernet Cable Pin As...

Page 765: ...771
Removing and Installing a Fuse 779
Setting up Your Computer's IP Address 781
IP Addresses and Subnetting 803
Common Services 813
Wireless LANs 817
Windows 98 SE/Me Requirements for Anti-Virus Message Display 831
VPN Setup 835
Importing Certificates 847
Legal Information 853
Customer Support 857
Index 863 ...

Page 767: ...allow at least 4 inches (10 cm) of clearance at the front and two sides, and 3-4 inches (8 cm) at the back of the ZyWALL. This is especially important for enclosed rack installations.
Desktop Installation
1 Make sure the ZyWALL is clean and dry.
2 Set the ZyWALL on a smooth, level surface strong enough to support the weight of the ZyWALL and the connected cables. Make sure there is a power outlet nearby.
3 M...

Page 768: ... wiring closet with other equipment. Follow the steps below to mount your ZyWALL on a standard EIA rack using a rack-mounting kit. Make sure the rack will safely support the combined weight of all the equipment it contains. Make sure the position of the ZyWALL does not make the rack unstable or top-heavy. Take all necessary precautions to anchor the rack securely before installing the unit. Use a 2 Phi...

Page 769: ...racket screws (smaller than the rack-mounting screws).
2 Attach the other bracket in a similar fashion.
Figure 496 Attaching Mounting Brackets and Screws
3 After attaching both mounting brackets, position the ZyWALL in the rack by lining up the holes in the brackets with the appropriate holes on the rack. Secure the ZyWALL to the rack with the rack-mounting screws.
Figure 497 Rack Mounting ...

Page 770: ...Appendix A Hardware Installation ...

Page 771: ...y Internet Explorer.
Pop-up Blockers
You may have to disable pop-up blocking to log into your device. Either disable pop-up blocking (enabled by default in Windows XP SP (Service Pack) 2) or allow pop-up blocking and create an exception for your device's IP address.
Disable Pop-up Blockers
1 In Internet Explorer, select Tools, Pop-up Blocker and then select Turn Off Pop-up Blocker.
Figure 498 Pop-up Blocker...

Page 772: ...s any web pop-up blockers you may have enabled.
Figure 499 Internet Options: Privacy
3 Click Apply to save this setting.
Enable Pop-up Blockers with Exceptions
Alternatively, if you only want to allow pop-up windows from your device, see the following steps.
1 In Internet Explorer, select Tools, Internet Options and then the Privacy tab.
2 Select Settings to open the Pop-up Blocker Settings screen. ...

Page 773: ...
Figure 500 Internet Options: Privacy
3 Type the IP address of your device (the web page that you do not want to have blocked) with the prefix http://. For example, http://192.168.167.1.
4 Click Add to move the IP address to the list of Allowed sites.
Figure 501 Pop-up Blocker Settings ...

Page 774: ...t display properly in Internet Explorer, check that JavaScripts are allowed.
1 In Internet Explorer, click Tools, Internet Options and then the Security tab.
Figure 502 Internet Options: Security
2 Click the Custom Level... button.
3 Scroll down to Scripting.
4 Under Active scripting, make sure that Enable is selected (the default).
5 Under Scripting of Java applets, make sure that Enable is selected (the default). ...

Page 775: ...ty Settings: Java Scripting
Java Permissions
1 From Internet Explorer, click Tools, Internet Options and then the Security tab.
2 Click the Custom Level... button.
3 Scroll down to Microsoft VM.
4 Under Java permissions, make sure that a safety level is selected.
5 Click OK to close the window.
Figure 504 Security Settings: Java ...

Page 776: ...ions and then the Advanced tab.
2 Make sure that Use Java 2 for <applet> under Java (Sun) is selected.
3 Click OK to close the window.
Figure 505 Java (Sun)
Mozilla Firefox
Mozilla Firefox 2.0 screens are used here. Screens for other versions may vary. You can enable Java, JavaScripts and pop-ups in one screen. Click Tools, then click Options in the screen that appears. ...

Page 777: ...
Figure 506 Mozilla Firefox: Tools > Options
Click Content to show the screen below. Select the check boxes as shown in the following screen.
Figure 507 Mozilla Firefox Content Security ...

Page 778: ...Appendix B Pop-up Windows, JavaScripts and Java Permissions ...

Page 779: ...d the power port. Use a small flat-head screwdriver to carefully pry out the fuse housing.
4 A burnt-out fuse is blackened, darkened or cloudy inside its glass casing. A working fuse has a completely clear glass casing. Pull gently but firmly to remove the burnt-out fuse from the fuse housing. Dispose of the burnt-out fuse.
Installing a Fuse
1 The ZyWALL is shipped from the factory with one spare fuse in...

Page 780: ...Appendix C Removing and Installing a Fuse ...

Page 781: ...urchase of a third-party TCP/IP application package. TCP/IP should already be installed on computers using Windows NT/2000/XP, Macintosh OS 7 and later operating systems. After the appropriate TCP/IP components are installed, configure the TCP/IP settings in order to communicate with your network. If you manually assign IP information instead of using dynamic assignment, make sure that your computers ha...

Page 782: ...and then click Add.
3 Select the manufacturer and model of your network adapter and then click OK.
If you need TCP/IP:
1 In the Network window, click Add.
2 Select Protocol and then click Add.
3 Select Microsoft from the list of manufacturers.
4 Select TCP/IP from the list of network protocols and then click OK.
If you need Client for Microsoft Networks:
1 Click Add.
2 Select Client and then click Add.
3 Sel...

Page 783: ...amic, select Obtain an IP address automatically. If you have a static IP address, select Specify an IP address and type your information into the IP Address and Subnet Mask fields.
Figure 509 Windows 95/98/Me: TCP/IP Properties: IP Address
3 Click the DNS Configuration tab. If you do not know your DNS information, select Disable DNS. If you know your DNS information, select Enable DNS and type the informati...

Page 784: ...and close the TCP/IP Properties window.
6 Click OK to close the Network window. Insert the Windows CD if prompted.
7 Turn on your ZyWALL and restart your computer when prompted.
Verifying Settings
1 Click Start and then Run.
2 In the Run window, type winipcfg and then click OK to open the IP Configuration window.
3 Select your network adapter. You should see your computer's IP address, subnet mask and defa...

Page 785: ...
Figure 511 Windows XP: Start Menu
2 In the Control Panel, double-click Network Connections (Network and Dial-up Connections in Windows 2000/NT).
Figure 512 Windows XP: Control Panel
3 Right-click Local Area Connection and then click Properties. ...

Page 786: ...ral tab in Win XP) and then click Properties.
Figure 514 Windows XP: Local Area Connection Properties
5 The Internet Protocol TCP/IP Properties window opens (the General tab in Windows XP). If you have a dynamic IP address, click Obtain an IP address automatically. If you have a static IP address, click Use the following IP Address and fill in the IP address, Subnet mask and Default gateway fields. Click Adv...

Page 787: ...lick Add. In TCP/IP Address, type an IP address in IP address and a subnet mask in Subnet mask, and then click Add. Repeat the above two steps for each IP address you want to add. Configure additional default gateways in the IP Settings tab by clicking Add in Default gateways. In TCP/IP Gateway Address, type the IP address of the default gateway in Gateway. To manually configure a default metric (the numbe...

Page 788: ...ndow (the General tab in Windows XP). Click Obtain DNS server address automatically if you do not know your DNS server IP address(es). If you know your DNS server IP address(es), click Use the following DNS server addresses and type them in the Preferred DNS server and Alternate DNS server fields. If you have previously configured DNS servers, click Advanced and then the DNS tab to order them. ...

Page 789: ...twork Connections window (Network and Dial-up Connections in Windows 2000/NT).
11 Turn on your ZyWALL and restart your computer (if prompted).
Verifying Settings
1 Click Start, All Programs, Accessories and then Command Prompt.
2 In the Command Prompt window, type ipconfig and then press ENTER. You can also open Network Connections, right-click a network connection, click Status and then click the Support tab. ...

Page 790: ...e 518 Windows Vista: Start Menu
2 In the Control Panel, double-click Network and Internet.
Figure 519 Windows Vista: Control Panel
3 Click Network and Sharing Center.
Figure 520 Windows Vista: Network and Internet
4 Click Manage network connections.
Figure 521 Windows Vista: Network and Sharing Center ...

Page 791: ... and then click Properties. During this procedure, click Continue whenever Windows displays a screen saying that it needs your permission to continue.
Figure 522 Windows Vista: Network and Sharing Center
6 Select Internet Protocol Version 4 (TCP/IPv4) and click Properties.
Figure 523 Windows Vista: Local Area Connection Properties ...

Page 792: ...ys in the IP Settings tab and click OK. Do one or more of the following if you want to configure additional IP addresses: In the IP Settings tab, in IP addresses, click Add. In TCP/IP Address, type an IP address in IP address and a subnet mask in Subnet mask, and then click Add. Repeat the above two steps for each IP address you want to add. Configure additional default gateways in the IP Settings tab by c...

Page 793: ... Properties window (the General tab). Click Obtain DNS server address automatically if you do not know your DNS server IP address(es). If you know your DNS server IP address(es), click Use the following DNS server addresses and type them in the Preferred DNS server and Alternate DNS server fields. If you have previously configured DNS servers, click Advanced and then the DNS tab to order them. ...

Page 794: ...Properties window.
12 Close the Network Connections window.
13 Turn on your ZyWALL and restart your computer (if prompted).
Verifying Settings
1 Click Start, All Programs, Accessories and then Command Prompt.
2 In the Command Prompt window, type ipconfig and then press ENTER. You can also open Network Connections, right-click a network connection, click Status and then click the Support tab.
Macintosh OS 8/9
1...

Page 795: ... 527 Macintosh OS 8/9: Apple Menu
2 Select Ethernet built-in from the Connect via list.
Figure 528 Macintosh OS 8/9: TCP/IP
3 For dynamically assigned settings, select Using DHCP Server from the Configure list.
4 For statically assigned settings, do the following: From the Configure box, select Manually. ...

Page 796: ...our configuration.
7 Turn on your ZyWALL and restart your computer (if prompted).
Verifying Settings
Check your TCP/IP properties in the TCP/IP Control Panel window.
Macintosh OS X
1 Click the Apple menu and click System Preferences to open the System Preferences window.
Figure 529 Macintosh OS X: Apple Menu
2 Click Network in the icon bar. Select Automatic from the Location list. Select Built-in Ethernet ...

Page 797: ... subnet mask in the Subnet mask box. Type the IP address of your ZyWALL in the Router address box.
5 Click Apply Now and close the window.
6 Turn on your ZyWALL and restart your computer (if prompted).
Verifying Settings
Check your TCP/IP properties in the Network window.
Linux
This section shows you how to configure your computer's TCP/IP settings in Red Hat Linux 9.0. Procedure, screens and file location...

Page 798: ...ps below to configure your computer IP address using the KDE.
1 Click the Red Hat button (located on the bottom left corner), select System Setting and click Network.
Figure 531 Red Hat 9.0: KDE: Network Configuration: Devices
2 Double-click on the profile of the network card you wish to configure. The Ethernet Device General screen displays as shown.
Figure 532 Red Hat 9.0: KDE: Ethernet Device: General ...

Page 799: ...Hat 9.0: KDE: Network Configuration: DNS
5 Click the Devices tab.
6 Click the Activate button to apply the changes. The following screen displays. Click Yes to save the changes in all screens.
Figure 534 Red Hat 9.0: KDE: Network Configuration: Activate
7 After the network card restart process is complete, make sure the Status is Active in the Network Configuration screen.
Using Configuration Files
Follow the...

Page 800: ...le in the /etc directory. The following figure shows an example where two DNS server IP addresses are specified.
Figure 537 Red Hat 9.0: DNS Settings in resolv.conf
3 After you edit and save the configuration files, you must restart the network card. Enter network restart in the /etc/rc.d/init.d directory. The following figure shows an example.
Figure 538 Red Hat 9.0: Restart Ethernet Card
DEVICE=eth0
ONBOO...

Page 801: ...rties
[root@localhost]# ifconfig
eth0      Link encap:Ethernet  HWaddr 00:50:BA:72:5B:44
          inet addr:172.23.19.129  Bcast:172.23.19.255  Mask:255.255.255.0
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:717 errors:0 dropped:0 overruns:0 frame:0
          TX packets:13 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:100
          RX bytes:730412 (713.2 Kb)  TX bytes:1570 (1.5 Kb)
          Interrupt:10 Base address:0...

Page 802: ...Appendix D Setting up Your Computer's IP Address ...

Page 803: ...reet share a common street name, the hosts on a network share a common network number. Similarly, as each house has its own house number, each host on the network has its own unique identifying number (the host ID). Routers use the network number to send packets to the correct network, while the host ID determines to which host on the network the packets are delivered.
Structure
An IP address is made up of...

Page 804: ...ress is part of the host ID. The following example shows a subnet mask identifying the network number (in bold text) and host ID of an IP address (192.168.1.2 in decimal). By convention, subnet masks always consist of a continuous sequence of ones beginning from the leftmost bit of the mask, followed by a continuous sequence of zeros, for a total number of 32 bits. Subnet masks can be referred to by the siz...

Page 805: ...llowed by a continuous number of zeros for the remainder of the 32-bit mask, you can simply specify the number of ones instead of writing the value of each octet. This is usually specified by writing a "/" followed by the number of bits in the mask after the address. For example, 192.1.1.0/25 is equivalent to saying 192.1.1.0 with subnet mask 255.255.255.128. The following table shows some possible subnet ...

Page 806: ...ure shows the company network before subnetting.
Figure 541 Subnetting Example: Before Subnetting
You can borrow one of the host ID bits to divide the network 192.168.1.0 into two separate sub-networks. The subnet mask is now 25 bits (255.255.255.128 or /25). The borrowed host ID bit can have a value of either 0 or 1, allowing two subnets: 192.168.1.0/25 and 192.168.1.128/25. The following figure shows the ...

Page 807: ...192.168.1.254
Example: Four Subnets
The previous example illustrated using a 25-bit subnet mask to divide a 24-bit address into two subnets. Similarly, to divide a 24-bit address into four subnets, you need to borrow two host ID bits to give four possible combinations (00, 01, 10 and 11). The subnet mask is 26 bits (11111111.11111111.11111111.11000000) or 255.255.255.192. Each subnet contains 6 host ID bits, g...

Page 808: ...287 Subnet 3
IP/SUBNET MASK: NETWORK NUMBER / LAST OCTET BIT VALUE
IP Address: 192.168.1. / 128
IP Address (Binary): 11000000.10101000.00000001. / 10000000
Subnet Mask (Binary): 11111111.11111111.11111111. / 11000000
Subnet Address: 192.168.1.128     Lowest Host ID: 192.168.1.129
Broadcast Address: 192.168.1.191  Highest Host ID: 192.168.1.190
Table 288 Subnet 4
IP/SUBNET MASK: NETWORK NUMBER / LAST OCTET BIT VALUE
IP Address: 1...

Page 809: ...ED HOST BITS / SUBNET MASK / NO. SUBNETS / NO. HOSTS PER SUBNET
1 / 255.255.255.128 (/25) / 2 / 126
2 / 255.255.255.192 (/26) / 4 / 62
3 / 255.255.255.224 (/27) / 8 / 30
4 / 255.255.255.240 (/28) / 16 / 14
5 / 255.255.255.248 (/29) / 32 / 6
6 / 255.255.255.252 (/30) / 64 / 2
7 / 255.255.255.254 (/31) / 128 / 0 (under the convention used in this table, which reserves the network and broadcast addresses, a /31 leaves no host IDs)
Table 291 16-bit Network Number Subnet Planning
NO. BORROWED HOST BITS / SUBNET MASK / NO. SUBNETS / NO. HOSTS PER SUBNET
1 / 255.255.128.0 (/17) / 2 / 32766
2 / 255.255.192.0 (/18) / ...
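The arithmetic behind the CIDR notation on page 805, the two- and four-subnet examples on pages 806-808 and the planning tables on page 809, as an added example (not the guide's own material). It uses only the Python standard library and the conventions the text states: a mask is a run of ones followed by zeros, and the network and broadcast addresses are not usable host IDs.

```python
"""Subnet arithmetic behind the guide's subnetting tables.

Added example, not the guide's material. Conventions follow the text: masks
are contiguous ones then zeros; network and broadcast addresses are not hosts.
"""
from ipaddress import IPv4Network, NetmaskValueError
from typing import Dict, List


def mask_to_prefix(mask: str) -> int:
    """'255.255.255.128' -> 25. A non-contiguous mask is rejected."""
    try:
        return IPv4Network(f"0.0.0.0/{mask}").prefixlen
    except (NetmaskValueError, ValueError) as exc:
        raise ValueError(f"invalid subnet mask {mask!r}") from exc


def prefix_to_mask(prefix: int) -> str:
    """25 -> '255.255.255.128'."""
    return str(IPv4Network(f"0.0.0.0/{prefix}").netmask)


def subnet_rows(network: str, borrowed_bits: int) -> List[Dict[str, str]]:
    """Borrow host bits from `network` and tabulate, for every resulting subnet,
    the four addresses the guide lists per subnet (Tables 285-288)."""
    rows = []
    for sub in IPv4Network(network).subnets(prefixlen_diff=borrowed_bits):
        rows.append({
            "subnet": str(sub.network_address),
            "mask": str(sub.netmask),
            "lowest_host": str(sub.network_address + 1),
            "highest_host": str(sub.broadcast_address - 1),
            "broadcast": str(sub.broadcast_address),
        })
    return rows


def planning_table(network: str, max_borrowed: int = 7) -> List[Dict[str, object]]:
    """Rows of the subnet-planning tables (290/291): borrowing b bits gives 2**b
    subnets with 2**h - 2 hosts each, h being the host bits left over."""
    net = IPv4Network(network)
    rows = []
    for b in range(1, max_borrowed + 1):
        prefix = net.prefixlen + b
        if prefix > 32:
            break
        host_bits = 32 - prefix
        rows.append({"borrowed": b, "mask": prefix_to_mask(prefix), "prefix": prefix,
                     "subnets": 2 ** b, "hosts_per_subnet": max(2 ** host_bits - 2, 0)})
    return rows


def same_subnet(a: str, b: str, mask: str) -> bool:
    """Whether two hosts share a network number under `mask` (address AND mask)."""
    prefix = mask_to_prefix(mask)
    return IPv4Network(f"{a}/{prefix}", strict=False) == IPv4Network(f"{b}/{prefix}", strict=False)


if __name__ == "__main__":
    for row in subnet_rows("192.168.1.0/24", 2):
        print(row)
    for row in planning_table("192.168.1.0/24"):
        print(row)
```

`same_subnet` is the check behind the conflict examples on the following pages: two hosts that must talk directly have to agree on the mask as well as the network number, and a ZyWALL LAN interface and a LAN host must not share one address at all.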

Page 810: ...entered. You don't need to change the subnet mask computed by the ZyWALL unless you are instructed to do otherwise.
Private IP Addresses
Every machine on the Internet must have a unique address. If your networks are isolated from the Internet (running only between two branch offices, for example), you can assign any IP addresses to the hosts without problems. However, the Internet Assigned Numbers Authorit...

Page 811: ...gns to computer B, which is a DHCP client. Neither can access the Internet. This problem can be solved by assigning a different static IP address to computer A or setting computer A to obtain an IP address automatically.
Figure 543 Conflicting Computer IP Addresses Example
Conflicting Router IP Addresses Example
Since a router connects different networks, it must have interfaces using different network...

Page 812: ...evice cannot use the same IP address. In the following example, the computer and the router's LAN port both use 192.168.1.1 as the IP address. The computer cannot access the Internet. This problem can be solved by assigning a different IP address to the computer or the router's LAN port.
Figure 545 Conflicting Computer and Router IP Addresses Example ...

Page 813: ... Protocol is USER, this is the IP protocol number.
Description: This is a brief explanation of the applications that use this service or the situations in which this service is used.
Table 292 Commonly Used Services
NAME / PROTOCOL / PORT(S) / DESCRIPTION
AH (IPSEC_TUNNEL) / User-Defined / 51 / The IPSEC AH (Authentication Header) tunneling protocol uses this service.
AIM/New-ICQ / TCP / 5190 / AOL's Internet Messenger servi...

Page 814: ...An Internet chat program.
NEWS / TCP / 144 / A protocol for news groups.
NFS / UDP / 2049 / Network File System (NFS) is a client/server distributed file service that provides transparent file sharing for network environments.
NNTP / TCP / 119 / Network News Transport Protocol is the delivery mechanism for the USENET newsgroup service.
PING / User-Defined / 1 / Packet INternet Groper is a protocol that sends out ICMP echo requ...

Page 815: ...ncluding mainframes, midrange systems, UNIX systems and network servers.
SSH / TCP/UDP / 22 / Secure Shell Remote Login Program.
STRM WORKS / UDP / 1558 / Stream Works Protocol.
SYSLOG / UDP / 514 / Syslog allows you to send system logs to a UNIX server.
TACACS / UDP / 49 / Login Host Protocol used for TACACS (Terminal Access Controller Access Control System).
TELNET / TCP / 23 / Telnet is the login and terminal emulation protocol common on t...

Page 816: ...Appendix F Common Services ...

Page 817: ... Independent Basic Service Set (IBSS). The following diagram shows an example of notebook computers using wireless adapters to form an ad-hoc wireless LAN.
Figure 546 Peer-to-Peer Communication in an Ad-hoc Network
BSS
A Basic Service Set (BSS) exists when all communications between wireless clients, or between a wireless client and a wired network client, go through one access point (AP). Intra-BSS traffic ...

Page 818: ...his wired connection between APs is called a Distribution System (DS). This type of wireless LAN topology is called an Infrastructure WLAN. The Access Points not only provide communication with the wired network but also mediate wireless network traffic in the immediate neighborhood. An ESSID (ESS IDentification) uniquely identifies each ESS. All access points and their associated wireless clients within ...

Page 819: ...s partially overlap, however. To avoid interference due to overlap, your AP should be on a channel at least five channels away from a channel that an adjacent AP is using. For example, if your region has 11 channels and an adjacent AP is using channel 1, then you need to select a channel from 6 to 11.
RTS/CTS
A hidden node occurs when two stations are within range of the same access point but are not ...

Page 820: ... the requested transmission. Stations can send frames smaller than the specified RTS/CTS threshold directly to the AP without the RTS (Request To Send)/CTS (Clear to Send) handshake. You should only configure RTS/CTS if the possibility of hidden nodes exists on your network and the cost of resending large frames is more than the extra network overhead involved in the RTS (Request To Send)/CTS (Clear to Send) handshak...

Page 821: ...ork support it, and to provide more efficient communications. Use the dynamic setting to automatically use short preamble when all wireless devices on the network support it; otherwise the ZyWALL uses long preamble. The wireless devices MUST use the same preamble mode in order to communicate.
IEEE 802.11g Wireless LAN
IEEE 802.11g is fully compatible with the IEEE 802.11b standard. This means an IEEE 80...

Page 822: ...es of IEEE 802.1x are:
• User-based identification that allows for roaming.
• Support for RADIUS (Remote Authentication Dial-In User Service, RFC 2138, 2139) for centralized user profile and accounting management on a network RADIUS server.
• Support for EAP (Extensible Authentication Protocol, RFC 2486) that allows additional authentication methods to be deployed with no changes to the access point or the wirele...

Page 823: ...ss point and the RADIUS server for user accounting:
• Accounting-Request: Sent by the access point requesting accounting.
• Accounting-Response: Sent by the RADIUS server to indicate that it has started or stopped accounting.
In order to ensure network security, the access point and the RADIUS server use a shared secret key, which is a password they both know. The key is not sent over the network. In addition, ...
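How the shared secret of page 823 protects the access point to server exchange without ever being transmitted, as an added example (not code from the guide or from any RADIUS implementation). It follows RFC 2138, which RFC 2865 later replaced with the same algorithms: the server's Response Authenticator is an MD5 over the packet plus the secret, so the AP can reject a reply from anyone who does not hold the secret, and the User-Password attribute is hidden by XOR with an MD5 keystream derived from the secret and the Request Authenticator. The secret, Request Authenticator and attribute values are constructed test data.

```python
"""RADIUS shared-secret mechanics (RFC 2138 / RFC 2865).

Added example, not ZyWALL or vendor code. All inputs are constructed.
"""
import hashlib
import hmac
import struct
from typing import List, Tuple

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
ATTR_USER_NAME, ATTR_USER_PASSWORD = 1, 2
HEADER_LEN = 20


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def hide_password(password: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """RFC 2865 5.2: pad to a 16-byte multiple, then c_i = p_i XOR MD5(S + c_(i-1)),
    with c_0 = the Request Authenticator."""
    if not password:
        raise ValueError("empty password")
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", request_auth
    for i in range(0, len(padded), 16):
        block = _xor(padded[i:i + 16], hashlib.md5(secret + prev).digest())
        out += block
        prev = block
    return out


def reveal_password(hidden: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """Inverse of hide_password; only a party holding the secret can do this."""
    out, prev = b"", request_auth
    for i in range(0, len(hidden), 16):
        chunk = hidden[i:i + 16]
        out += _xor(chunk, hashlib.md5(secret + prev).digest())
        prev = chunk
    return out.rstrip(b"\x00")


def encode_attrs(attrs: List[Tuple[int, bytes]]) -> bytes:
    """Type/Length/Value attribute list; Length counts the 2-byte header."""
    return b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in attrs)


def access_request(ident: int, request_auth: bytes, username: bytes,
                   password: bytes, secret: bytes) -> bytes:
    """AP side: the password travels hidden, the secret itself never travels."""
    attrs = encode_attrs([(ATTR_USER_NAME, username),
                          (ATTR_USER_PASSWORD, hide_password(password, secret, request_auth))])
    header = struct.pack("!BBH", ACCESS_REQUEST, ident, HEADER_LEN + len(attrs))
    return header + request_auth + attrs


def response(code: int, ident: int, request_auth: bytes, attrs: bytes, secret: bytes) -> bytes:
    """Server side: Response Authenticator = MD5(Code+ID+Length+RequestAuth+Attrs+Secret)."""
    header = struct.pack("!BBH", code, ident, HEADER_LEN + len(attrs))
    resp_auth = hashlib.md5(header + request_auth + attrs + secret).digest()
    return header + resp_auth + attrs


def verify_response(packet: bytes, request_auth: bytes, secret: bytes) -> bool:
    """AP side: recompute the Response Authenticator and compare in constant time.
    A forged, modified or wrong-secret reply fails here and must be discarded."""
    if len(packet) < HEADER_LEN:
        return False
    _code, _ident, length = struct.unpack("!BBH", packet[:4])
    if length != len(packet):
        return False
    attrs = packet[HEADER_LEN:]
    expected = hashlib.md5(packet[:4] + request_auth + attrs + secret).digest()
    return hmac.compare_digest(expected, packet[4:HEADER_LEN])


# Constructed test data; a real AP draws the Request Authenticator at random.
SECRET = b"constructed-shared-secret"
REQUEST_AUTH = bytes(range(16))
PASSWORD = b"correct horse battery staple"     # 28 bytes: exercises two blocks


if __name__ == "__main__":
    req = access_request(7, REQUEST_AUTH, b"alice", PASSWORD, SECRET)
    accept = response(ACCESS_ACCEPT, 7, REQUEST_AUTH, b"", SECRET)
    print("request:", req.hex())
    print("accept verifies:", verify_response(accept, REQUEST_AUTH, SECRET))
    print("accept with wrong secret verifies:", verify_response(accept, REQUEST_AUTH, b"nope"))
```

The practical consequences for the ZyWALL RADIUS settings: the secret is the only thing standing between an attacker on the management path and forged Access-Accept replies, so it should be long and random rather than a word, and the password hiding is MD5-based and keyed by that same secret, which is why RADIUS traffic between the AP and the server should stay on a trusted segment or inside a VPN.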

Page 824: ...d the wireless clients for mutual authentication. The server presents a certificate to the client. After validating the identity of the server, the client sends a different certificate to the server. The exchange of certificates is done in the open before a secured tunnel is created. This makes user identity vulnerable to passive attacks. A digital certificate is an electronic ID card that authenticates...

Page 825: ...d that defines stronger encryption, authentication and key management than WPA. Key differences between WPA or WPA2 and WEP are improved data encryption and user authentication. If both an AP and the wireless clients support WPA2 and you have an external RADIUS server, use WPA2 for stronger data encryption. If you don't have an external RADIUS server, you should use WPA2-PSK (WPA2 Pre-Shared Key) that onl...

Page 826: ...pered with and the packet is dropped. By generating unique data encryption keys for every data packet and by creating an integrity checking mechanism (MIC) with TKIP and AES, it is more difficult to decrypt data on a Wi-Fi network than WEP and difficult for an intruder to break into the network. The encryption mechanisms used for WPA(2) and WPA(2)-PSK are the same. The only difference between the two is t...

Page 827: ...less client's authentication request to the RADIUS server.
2 The RADIUS server then checks the user's identification against its database and grants or denies network access accordingly.
3 A 256-bit Pairwise Master Key (PMK) is derived from the authentication process by the RADIUS server and the client.
4 The RADIUS server distributes the PMK to the AP. The AP then sets up a key hierarchy and management ...
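The key hierarchy of steps 3-4 above, worked for the pre-shared-key variant that page 826 says differs only in where the master key comes from. This is an added example, not ZyWALL code: the 256-bit PMK is derived from the passphrase and SSID (PBKDF2-HMAC-SHA1, 4096 iterations, as IEEE 802.11i specifies) and the per-association PTK is expanded from the PMK with the two MAC addresses and the two handshake nonces. The passphrase/SSID pair "password"/"IEEE" is the published 802.11i test vector; the MAC addresses, nonces and candidate list are constructed.

```python
"""WPA/WPA2 key hierarchy for the PSK case (IEEE 802.11i).

Added example, not ZyWALL code. "password"/"IEEE" is the standard's own test
vector; MAC addresses, nonces and the guess list are constructed.
"""
import hashlib
import hmac
from typing import Iterable, Optional

PSK_ITERATIONS = 4096
PMK_LEN = 32          # 256 bits


def wpa_psk_pmk(passphrase: str, ssid: str) -> bytes:
    """PSK mapping: PMK = PBKDF2-HMAC-SHA1(passphrase, ssid, 4096, 256 bits).
    The SSID is the salt, so the same passphrase on another SSID yields a
    different PMK; but every client of one SSID shares this single key."""
    if not 8 <= len(passphrase) <= 63:
        raise ValueError("WPA passphrase must be 8..63 ASCII characters")
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode("ascii"),
                               ssid.encode("utf-8"), PSK_ITERATIONS, PMK_LEN)


def prf(key: bytes, label: bytes, data: bytes, out_len: int) -> bytes:
    """PRF-n from 802.11i: concatenated HMAC-SHA1(key, label || 0x00 || data || i)."""
    out = b""
    for i in range((out_len + 19) // 20):
        out += hmac.new(key, label + b"\x00" + data + bytes([i]), hashlib.sha1).digest()
    return out[:out_len]


def derive_ptk(pmk: bytes, aa: bytes, spa: bytes, anonce: bytes, snonce: bytes,
               ptk_len: int = 48) -> bytes:
    """PTK = PRF(PMK, "Pairwise key expansion", min(AA,SPA) || max(AA,SPA) ||
    min(ANonce,SNonce) || max(ANonce,SNonce)). 48 bytes for CCMP (KCK|KEK|TK),
    64 for TKIP. The min/max ordering makes both sides compute the same value."""
    data = min(aa, spa) + max(aa, spa) + min(anonce, snonce) + max(anonce, snonce)
    return prf(pmk, b"Pairwise key expansion", data, ptk_len)


def split_ptk(ptk: bytes):
    """KCK (16 bytes, protects the handshake), KEK (16, wraps the group key), TK (rest)."""
    return ptk[:16], ptk[16:32], ptk[32:]


def guess_passphrase(target_pmk: bytes, ssid: str, candidates: Iterable[str]) -> Optional[str]:
    """Offline guessing: with the SSID public and the PMK shared by everyone,
    the passphrase is the only secret, so a short or common one is recoverable."""
    for cand in candidates:
        if hmac.compare_digest(wpa_psk_pmk(cand, ssid), target_pmk):
            return cand
    return None


# Constructed handshake parameters (not captures).
AA = bytes.fromhex("a0a1a1a3a4a5")           # authenticator (AP) MAC
SPA = bytes.fromhex("b0b1b2b3b4b5")          # supplicant MAC
ANONCE = bytes(range(0xE0, 0xE0 + 32))
SNONCE = bytes(range(0xC0, 0xC0 + 32))


if __name__ == "__main__":
    pmk = wpa_psk_pmk("password", "IEEE")
    print("PMK:", pmk.hex())
    kck, kek, tk = split_ptk(derive_ptk(pmk, AA, SPA, ANONCE, SNONCE))
    print("KCK:", kck.hex(), "KEK:", kek.hex(), "TK:", tk.hex())
```

Two consequences for a ZyWALL WPA2-PSK deployment follow directly from the derivation: the nonces give each association a fresh PTK, but nothing refreshes the PMK except changing the passphrase, and anyone who can observe one client's handshake and guess the passphrase obtains every client's keys. That is what makes the RADIUS-backed mode, where each user gets a PMK of their own, the stronger option the page recommends.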

Page 828: ...Refer to this table to see what other security parameters you should configure for each authentication method or key management protocol type MAC address filters are not dependent on how you configure these security features Table 296 Wireless Security Relational Matrix AUTHENTICATION METHOD KEY MANAGEMENT PROTOCOL ENCRYPTIO N METHOD ENTER MANUAL KEY IEEE 802 1X Open None No Disable Enable without...

Page 829: ...d outdoor site each 1dB increase in gain results in a range increase of approximately 5 Actual results may vary depending on the network environment Antenna gain is sometimes specified in dBi which is how much the antenna increases the signal power compared to using an isotropic antenna An isotropic antenna is a theoretical perfect antenna that sends out radio signals equally well in all direction...

Page 830: ...ght and in a direct line of sight to each other to attain the best performance. For omni-directional antennas mounted on a table, desk, and so on, point the antenna up. For omni-directional antennas mounted on a wall or ceiling, point the antenna down. For a single AP application, place omni-directional antennas as close to the center of the coverage area as possible. For directional antennas, point the ant...

Page 831: ...up window in order to view real-time alert messages. For Windows 2000 and later versions, a message window automatically displays when an alert is received. Click Start, Run and enter winpopup in the field provided and click OK. The WinPopup window displays as shown. Figure 552 Windows 98 SE WinPopup. If you want to display the WinPopup window at startup, follow the steps below for Windows 98 SE (steps are...

Page 832: ...ALL 5/35/70 Series User's Guide 832. Figure 553 Windows 98 SE Program Task Bar. 2 Click the Start Menu Programs tab and click Advanced. Figure 554 Windows 98 SE Task Bar Properties. 3 Double-click Programs and click StartUp. 4 Right-click in the StartUp pane and click New Shortcut. ...

Page 833: ...Figure 555 Windows 98 SE StartUp. 5 A Create Shortcut window displays. Enter winpopup in the Command line field and click Next. Figure 556 Windows 98 SE Startup Create Shortcut. 6 Specify a name for the shortcut or accept the default and click Finish. ...

Page 834: ...Figure 557 Windows 98 SE Startup Select a Title for the Program. 7 A shortcut is created in the StartUp pane. Restart the computer when prompted. Figure 558 Windows 98 SE Startup Shortcut. The WinPopup window displays after the computer finishes the startup process (see Figure 552 on page 831). ...

Page 835: ...ally create any static IP routes for the remote VPN site. They are not required. Dynamic IPSec Rule: Create a dynamic rule by setting the Remote Gateway Address to 0.0.0.0. A single dynamic rule can support multiple simultaneous incoming IPSec connections. All users of a dynamic rule have the same pre-shared key. You may need to change the pre-shared key if one of the users leaves. See the support notes ...

Page 836: ...ing IP Address settings with your own values. VPN Configuration: This section gives a VPN rule configuration example using the web configurator. 1 Click VPN to display the following screen. Click the add gateway policy icon to add an IPSec rule or gateway policy. Figure 559 VPN Rules. 2 Configure the screens in the headquarters and the branch office as follows and click Apply. The pre-shared key must be ...

Page 837: ...Figure 560 Headquarters Gateway Policy Edit. The IP address of the branch office IPSec router ...

Page 838: ...Figure 561 Branch Office Gateway Policy Edit. 3 Click the add network policy icon next to the BRANCH gateway policy to configure a VPN policy. The IP address of ...

Page 839: ...Figure 562 Headquarters VPN Rule. Figure 563 Branch Office VPN Rule. 4 Configure the screens in the headquarters and the branch office as follows and click Apply. ...

Page 840: ...Figure 564 Headquarters Network Policy Edit. IP addresses on different subnets. Activate the network ...

Page 841: ...click the dial icon in the VPN Rules (IKE) screen to have the IPSec routers set up the tunnel. If you find a disconnect icon next to the rule you just created in the VPN Rules (IKE) screen, the ZyWALL automatically built the VPN tunnel. Go to the SA Monitor screen to view a list of connected VPN tunnels. See Section 18.13 on page 385 for more information. IP addresses on different subnets. Activate the netw...

Page 842: ...een displays later if the IPSec routers can build the VPN tunnel. Figure 568 VPN Tunnel Established. VPN Troubleshooting: If the IPSec tunnel does not build properly, the problem is likely a configuration error at one of the IPSec routers. Log into the web configurators of both ZyXEL IPSec routers. Check the settings in each field methodically and slowly. ...

Page 843: ...iguration problem. Use the web configurator LOGS Log Settings screen to enable IKE and IPSec logging at both ends, clear the log and then build the tunnel. View the log via the web configurator LOGS View Log screen or type sys log disp from SMT Menu 24.8. See Section 31.3.1 on page 553 for information on the log messages. ...

Page 844: ...7 17 5 6 7 8 5 1 2 3 IKE The cookie pair is 0xDAC0B43FBDE154F5 0xC5156C099C3F7DCA 11 01 11 2001 18 47 17 5 6 7 8 5 1 2 3 IKE Start Phase 2 Quick Mode 12 01 11 2001 18 47 17 5 6 7 8 5 1 2 3 IKE The cookie pair is 0xDAC0B43FBDE154F5 0xC5156C099C3F7DCA 13 01 11 2001 18 47 17 5 6 7 8 5 1 2 3 IKE Phase 1 IKE SA process done 14 01 11 2001 18 47 17 5 6 7 8 5 1 2 3 IKE The cookie pair is 0xDAC0B43FBDE154F...

Page 845: ... 6 All ras ipsec debug level 0 None 1 User 2 Low 3 High ras ipsec debug type 1 on ras ipsec debug type 2 on ras ipsec debug level 3 ras ipsec dial 1 get_ipsec_sa_by_policyIndex Start dialing for tunnel rule 1 ikeStartNegotiate saIndex 0 peerIp 5 1 2 3 protocol IPSEC_ESP 3 peer Ip 5 1 2 3 initiator type IPSEC_ESP exch Main initiator protocol IPSEC_ESP exchange mode Main mode find_ipsec_sa find ipse...

Page 846: ... if you were at the office instead of connected through the Internet. FTP Example: The following example shows a text-based login from a branch office computer to an FTP server behind the remote IPSec router at headquarters. The server's IP address (192.168.10.33) is in the subnet configured in the Local Policy fields in Figure 560 on page 837. C:\Documents and Settings\Administrator>ftp 192.168.10.33 Co...

Page 847: ...ate Permanently in the following screen to do this. Figure 571 Security Certificate. Importing the ZyWALL's Certificate into Internet Explorer: For Internet Explorer to trust a self-signed certificate from the ZyWALL, simply import the self-signed certificate into your operating system as a trusted certification authority. To have Internet Explorer trust a ZyWALL certificate issued by a certificate aut...

Page 848: ...1 In Internet Explorer, double-click the lock shown in the following screen. Figure 572 Login Screen. 2 Click Install Certificate to open the Install Certificate wizard. Figure 573 Certificate General Information before Import. 3 Click Next to begin the Install Certificate wizard. ...

Page 849: ...Figure 574 Certificate Import Wizard 1. 4 Select where you would like to store the certificate and then click Next. Figure 575 Certificate Import Wizard 2. 5 Click Finish to complete the Import Certificate wizard. ...

Page 850: ...Figure 576 Certificate Import Wizard 3. 6 Click Yes to add the ZyWALL certificate to the root store. Figure 577 Root Certificate Store. ...

Page 851: ...Figure 578 Certificate General Information after Import ...


Page 853: ... it convey any license under its patent rights nor the patent rights of others. ZyXEL further reserves the right to make changes in any products described herein without notice. This publication is subject to change without notice. Your use of the ZyWALL is subject to the terms and conditions of your service provider. Trademarks: ZyNOS (ZyXEL Network Operating System) is a registered trademark of ZyXEL C...

Page 854: ... on a circuit different from that to which the receiver is connected. 4 Consult the dealer or an experienced radio/TV technician for help. FCC Radiation Exposure Statement: This transmitter must not be co-located or operating in conjunction with any other antenna or transmitter. IEEE 802.11b or 802.11g operation of this product in the U.S.A. is firmware-limited to channels 1 through 11. To comply with F...

Page 855: ...ered with, damaged by an act of God, or subjected to abnormal working conditions. Note: Repair or replacement, as provided under this warranty, is the exclusive remedy of the purchaser. This warranty is in lieu of all other warranties, express or implied, including any implied warranty of merchantability or fitness for a particular use or purpose. ZyXEL shall in no event be held liable for indirect or conse...


Page 857: ...ort E-mail: support@zyxel.com.tw; Sales E-mail: sales@zyxel.com.tw; Telephone: +886-3-578-3942; Fax: +886-3-578-2439; Web: www.zyxel.com, www.europe.zyxel.com; FTP: ftp.zyxel.com, ftp.europe.zyxel.com; Regular Mail: ZyXEL Communications Corp., 6 Innovation Road II, Science Park, Hsinchu 300, Taiwan. Costa Rica: Support E-mail: soporte@zyxel.co.cr; Sales E-mail: sales@zyxel.co.cr; Telephone: +506-2017878; Fax: +506-2015098; Web: www...

Page 858: ... 4780 8448; Web: www.zyxel.fi; Regular Mail: ZyXEL Communications Oy, Malminkaari 10, 00700 Helsinki, Finland. France: E-mail: info@zyxel.fr; Telephone: +33-4-72-52-97-97; Fax: +33-4-72-52-19-20; Web: www.zyxel.fr; Regular Mail: ZyXEL France, 1 rue des Vergers, Bat. 1 / C, 69760 Limonest, France. Germany: Support E-mail: support@zyxel.de; Sales E-mail: sales@zyxel.de; Telephone: +49-2405-6909-69; Fax: +49-2405-6909-99; Web: www.zyxel.de...

Page 859: ...a, Shinagawa-ku, Tokyo 141-0022, Japan. Kazakhstan: Support: http://zyxel.kz/support; Sales E-mail: sales@zyxel.kz; Telephone: +7-3272-590-698; Fax: +7-3272-590-689; Web: www.zyxel.kz; Regular Mail: ZyXEL Kazakhstan, 43 Dostyk Ave., Office 414, Dostyk Business Centre, 050010 Almaty, Republic of Kazakhstan. Malaysia: Support E-mail: support@zyxel.com.my; Sales E-mail: sales@zyxel.com.my; Telephone: +603-8076-9933; Fax: +603-8076-9833 ...

Page 860: ...s, ul. Okrzei 1A, 03-715 Warszawa, Poland. Russia: Support: http://zyxel.ru/support; Sales E-mail: sales@zyxel.ru; Telephone: +7-095-542-89-29; Fax: +7-095-542-89-25; Web: www.zyxel.ru; Regular Mail: ZyXEL Russia, Ostrovityanova 37a Str., Moscow 117279, Russia. Singapore: Support E-mail: support@zyxel.com.sg; Sales E-mail: sales@zyxel.com.sg; Telephone: +65-6899-6678; Fax: +65-6899-8887; Web: http://www.zyxel.com.sg; Regular Mail: ZyXEL S...

Page 861: ...lar Mail: ZyXEL Thailand Co., Ltd., 1/1 Moo 2, Ratchaphruk Road, Bangrak Noi, Muang, Nonthaburi 11000, Thailand. Ukraine: Support E-mail: support@ua.zyxel.com; Sales E-mail: sales@ua.zyxel.com; Telephone: +380-44-247-69-78; Fax: +380-44-494-49-32; Web: www.ua.zyxel.com; Regular Mail: ZyXEL Ukraine, 13 Pimonenko Str., Kiev 04050, Ukraine. United Kingdom: Support E-mail: support@zyxel.co.uk; Sales E-mail: sales@zyxel.co.uk; Telephone...


Page 863: ...eshold 309 314 anti virus 295 alert message 831 online update 303 packet scan 296 831 real time alert message 831 scanner types 296 Windows 98 Me requirements 831 anti virus scan packet types 297 AP 644 AP access point 819 Application Layer Gateway See ALG applications 57 asymmetrical routes 255 vs virtual interfaces 255 AT command 611 716 authentication 652 authentication algorithms 356 361 and a...

Page 864: ...95 infection and prevention 295 types 295 concurrent e mail sessions 313 configuration backup 587 716 TFTP 718 configuration information 589 configuration restore 587 720 via console port 727 connection ID name 654 console port 595 705 configuration upload 727 data bits 595 file backup 719 file upload 726 flow control 595 parity 595 restoring files 722 settings 595 speed 705 706 stop bit 595 conta...

Page 865: ...ncryption algorithms 356 361 and active protocol 356 entering information 597 ESP 370 and transport mode 371 ESS 818 ESSID 229 644 755 Ethernet encapsulation 88 629 650 extended authentication 358 Extended Service Set IDentification See ESSID Extended Service Set See ESS 818 Extensible Authentication Protocol See EAP external database 307 313 F F W version 706 factory defaults 588 factory default ...

Page 866: ...ello BPDU 163 hidden menus 596 hidden node 819 HTTPS 488 example 491 HyperTerminal 719 722 727 728 I IANA 150 810 IBSS 817 iCard 144 identifying legitimate e mail 310 spam 310 identity theft 309 idle timeout 614 621 652 653 IDP policy query 285 IEEE 802 11g 821 IGMP 151 152 version 151 IKE SA aggressive mode 352 359 and certificates 358 and RADIUS 358 authentication algorithms 356 361 Diffie Hellm...

Page 867: ...te policy 368 SA life time 360 Security Parameter Index SPI manual keys 380 transport mode 370 tunnel mode 370 when IKE SA is disconnected 360 368 IPSec SA See also VPN IPSec See also VPN ISP parameters 88 J junk e mail 307 L LAN 152 port filter setup 623 setup 623 legitimate e mail 310 levels of severity of intrusions 283 license key 144 link type 73 loading a configuration file 587 log 707 log a...

Page 868: ...gation panel 74 NBNS 152 154 NetBIOS 154 NetBIOS Name Server See NBNS Network Address Translation See NAT Network Basic Input Output System See NetBIOS Nimda 276 277 Nmap 282 NTP time protocol 578 O one minute high 267 one minute low 267 online services center 141 outgoing protocol filter 627 overlap in VPN 369 P packet filtering 696 packet scan 296 831 Pairwise Master Key PMK 826 828 PAP 614 621 ...

Page 869: ...35 CNM 512 DNS 511 FTP 507 how SSH works 501 HTTPS 488 HTTPS example 491 limitations 488 737 secure FTP using SSH 505 secure telnet using SSH 503 SNMP 508 SSH 501 SSH implementation 502 system timeout 488 Telnet 506 WWW 489 remote node 649 filter 618 656 removing and installing fuses 779 reports 535 host IP address 536 538 protocol port 536 539 web site hits 536 537 required fields 597 reset butto...

Page 870: ...30 RTP 528 SIP ALG 527 skip VPN overlap 369 SMT 595 changing the password 600 entering information 597 general setup 603 hidden menus 596 initial screen 595 login screen 596 main menu commands 596 menu overview 599 navigation 596 password 596 required fields 597 SMTP 310 313 315 SNMP 508 community 701 configuration 701 Get 509 GetNext 509 manager 508 MIB 508 509 password 701 Set 509 Trap 509 trust...

Page 871: ...l See TFTP trojan horse 282 troubleshooting 589 Type of Service See ToS U unicast 151 Universal Plug and Play See UPnP unsolicited commercial e mail 87 307 upgrading firmware 585 upload 727 firmware 723 UPnP 515 516 examples 518 forum 516 NAT traversal 515 port mapping 517 UPnP Implementers Corp 516 user authentication 225 user profiles 425 V Vantage CNM 511 virtual address mapping 369 virtual add...

Page 872: ...ndow 831 WINS 152 154 WINS server 154 wireless channel 755 wireless client WPA supplicants 827 wireless LAN 755 wireless security 755 821 wizard setup 87 WLAN interference 819 IP alias 647 MAC address filter 646 security parameters 828 setup 643 646 TCP IP setup 647 worm 277 283 295 Blaster 277 SQL Slammer 277 WPA 225 825 key caching 826 pre authentication 826 user authentication 826 vs WPA PSK 82...
